--- /dev/null
+commit e440e3aa4b4662f8d811120a87f51d8ab48d9c90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 23:16:11 2014 -0400
+
+ convert hvc tty driver to proper refcounted atomics on port.count, fixes ppc64 allyesconfig compilation
+
+ drivers/tty/hvc/hvsi.c | 10 +++++-----
+ 1 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 013c6d73e4a4ae358ee180b40428f3dd04dd3aa8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 22:53:31 2014 -0400
+
+ add local_unchecked_t accessors to fix ppc64 compilation
+
+ arch/powerpc/include/asm/local.h | 15 +++++++++++++++
+ 1 files changed, 15 insertions(+), 0 deletions(-)
+
+commit 1cffa7895513b754c95673b12a8c638797e5b7e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 22:25:47 2014 -0400
+
+ add access_ok_noprefault macro to fix ppc64+kvm compilation, patch
+ from pipacs
+
+ arch/arm/include/asm/uaccess.h | 1 +
+ arch/arm64/include/asm/uaccess.h | 1 +
+ arch/ia64/include/asm/uaccess.h | 1 +
+ arch/mips/include/asm/uaccess.h | 1 +
+ arch/powerpc/include/asm/uaccess.h | 1 +
+ arch/s390/include/asm/uaccess.h | 1 +
+ arch/x86/include/asm/uaccess.h | 2 +-
+ arch/x86/include/asm/uaccess_64.h | 12 ++++++------
+ arch/x86/mm/gup.c | 4 ++--
+ virt/kvm/kvm_main.c | 2 +-
+ 10 files changed, 16 insertions(+), 10 deletions(-)
+
+commit 58bdcb9b494eb7ab916ead7944e444d0a6af5002
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 21:53:32 2014 -0400
+
+ correct function definition for kvm_arch_init() to fix compilation on ppc64
+
+ arch/powerpc/kvm/powerpc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e3eb6820bfec5b4a4bfbb0056c057d50b8df4997
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 21:47:35 2014 -0400
+
+ fix ppc64 allyesconfig compilation with RANDSTRUCT
+
+ arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit fb017032977cb38d750fe9b9a11d22fc565e576f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 21:36:39 2014 -0400
+
+ use $(LATENT_ENTROPY_PLUGIN_CFLAGS)
+
+ arch/powerpc/kernel/Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e795367c8c4d750c3900f6546365ca27b9a8aad5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 21:24:01 2014 -0400
+
+ move REMOVE_CFLAGS
+
+ arch/powerpc/kernel/Makefile | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit f80a67cf62542dbab790fcad2395c00e6534c26d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 20:30:35 2014 -0400
+
+ fix compilation by removing the latent entropy plugin from prom_init.c -- there's
+ a script for ppc64 that checks the object file for a whitelisted set of
+ exported symbols, code is very fragile
+
+ arch/powerpc/kernel/Makefile | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit cafe563e6cc19e3510c2f341c12440fdbd77a2aa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 20:28:07 2014 -0400
+
+ export LATENT_ENTROPY_PLUGIN_CFLAGS so we can remove it from prom_init.c on ppc64
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 90330189b37110d8343edd37147bb5c666feede4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 20 20:24:53 2014 -0400
+
+ fix ppc64 compilation, pass mm_struct through from arch_pick_mmap_layout
+
+ arch/powerpc/mm/mmap.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 765a84b5300316d57eb9b82f7d941750d9ddf9ec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 19 21:53:12 2014 -0400
+
+ add ktla_ktva/ktva_ktla to sparc to fix compilation
+
+ arch/sparc/include/asm/pgtable.h | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 896004e18909d7de9ffe295180e12c275a623990
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 19 21:32:20 2014 -0400
+
+ remove __read_mostly on ip_vs_genl_ops[], it's const so the attribute is bogus and causes compilation failure on MIPS
+
+ net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 143dcb4ff8b259163f978c468663dcaebfe573b4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 19 21:18:46 2014 -0400
+
+ Include second patch needed for compilation, not yet included by
+ upstream (so MIPS compilation is broken there):
+ http://patchwork.linux-mips.org/patch/6585/
+
+ arch/mips/include/asm/ftrace.h | 20 ++++++++++----------
+ 1 files changed, 10 insertions(+), 10 deletions(-)
+
+commit b464eb7ac1132953ab99ff25826478e32690844f
+Author: Markos Chandras <markos.chandras@imgtec.com>
+Date: Wed Jan 22 14:39:57 2014 +0000
+
+ Upstream commit: a8031d2ce15bdb90baeae02d7a231ccece73da8b
+
+ MIPS: asm: syscall: Fix copying system call arguments
+
+ The syscall_get_arguments function expects the arguments to be copied
+ to the '*args' argument but instead a local variable was used to hold
+ the system call argument. As a result of which, this variable was
+ never passed to the filter and any filter testing the system call
+ arguments would fail. This is fixed by passing the '*args' variable
+ as the destination memory for the system call arguments.
+
+ Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+ Reviewed-by: Paul Burton <paul.burton@imgtec.com>
+ Reviewed-by: James Hogan <james.hogan@imgtec.com>
+ Cc: linux-mips@linux-mips.org
+ Patchwork: https://patchwork.linux-mips.org/patch/6402/
+ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+
+ arch/mips/include/asm/syscall.h | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit b8f9d6f82e2fb814be37391109623d79e297571d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 19 21:01:40 2014 -0400
+
+ add ktla_ktva/ktva_ktla macros to MIPS
+
+ arch/mips/include/asm/pgtable.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit f0f660649f3b2cf1d448940ca8b7f4ab4249d8ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 19 20:46:38 2014 -0400
+
+ include linux/prefetch.h to fix mips compilation
+
+ grsecurity/gracl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 514ec7617daa1a925a0ec0fa910335396213ef45
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 19 20:45:59 2014 -0400
+
+ Revert "fix compiler warning in hugetlbfs code"
+
+ This reverts commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0.
+
+ fs/hugetlbfs/inode.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6da49b57e2795853a453f596e0b874aece27aa4b
+Author: Viller Hsiao <villerhsiao@gmail.com>
+Date: Sat Feb 22 15:46:49 2014 +0800
+
+ Upstream commit: a4671094227d11985c06ee1178d7205c5fd39f8a
+
+ MIPS: ftrace: Fix icache flush range error
+
+ In 32-bit mode, the start address passed to flush_icache_range is
+ shifted by 4 bytes before the second safe_store_code() call.
+
+ This causes system crash from time to time because the first 4 bytes
+ might not be flushed properly. This bug exists since linux-3.8.
+
+ Also remove obsoleted comment while at it.
+
+ Signed-off-by: Viller Hsiao <villerhsiao@gmail.com>
+ Cc: linux-mips@linux-mips.org
+ Cc: rostedt@goodmis.org
+ Cc: fweisbec@gmail.com
+ Cc: mingo@redhat.com
+ Cc: Qais.Yousef@imgtec.com
+ Patchwork: https://patchwork.linux-mips.org/patch/6586/
+ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+
+ arch/mips/kernel/ftrace.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit 624ddea7bbda3535b7c9a779b6ff149e93863321
+Author: Lars Persson <lars.persson@axis.com>
+Date: Mon Mar 17 12:14:13 2014 +0100
+
+ Upstream commit: 86ca57b5a5525dbf89fc2a3285781fae807276b0
+
+ MIPS: Fix syscall tracing interface
+
+ Fix pointer computation for stack-based arguments.
+
+ Signed-off-by: Lars Persson <larper@axis.com>
+ Cc: linux-mips@linux-mips.org
+ Patchwork: https://patchwork.linux-mips.org/patch/6620/
+ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+
+ arch/mips/include/asm/syscall.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7bf3daf307906cd7d03cb6eb64559ee98cdf3182
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 19 20:28:16 2014 -0400
+
+ fix octeon compilation, add __maybe_unused to usp local var
+
+ arch/mips/include/asm/syscall.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 19 19:46:52 2014 -0400
+
+ fix compiler warning in hugetlbfs code
+
+ fs/hugetlbfs/inode.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 43783f55374fe9bafc064ceacf915920ca45a6c5
+Merge: e018f0a aae8b87
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 19:51:01 2014 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/gpio/gpio-rcar.c
+
+commit aae8b8720beec7c79d17ddd4f7d55bac0e83d5c6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 19:48:43 2014 -0400
+
+ Update to pax-linux-3.13.6-test14.patch:
+ - fixed several compilation problems on arm all*configs, by spender
+ - small update to gcc-common.h
+ - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only)
+
+ arch/arm/include/asm/page.h | 1 +
+ drivers/base/power/domain.c | 4 +-
+ drivers/gpio/gpio-em.c | 2 +-
+ drivers/gpio/gpio-rcar.c | 2 +-
+ drivers/mfd/ab8500-debugfs.c | 2 +-
+ drivers/net/can/Kconfig | 2 +-
+ drivers/staging/imx-drm/imx-drm-core.c | 6 +-
+ include/linux/pm_domain.h | 2 +-
+ tools/gcc/gcc-common.h | 12 +++
+ tools/gcc/size_overflow_plugin.c | 116 +++++++++++++++++++++++---------
+ 10 files changed, 106 insertions(+), 43 deletions(-)
+
+commit e018f0a38370496abe4289911eb67f1816cdc65d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 19:12:04 2014 -0400
+
+ move the location of the include to suit pipacs' OCD
+
+ arch/arm/include/asm/page.h | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit bb6742b0e35d1ee42ec643ea921a340d672ec3bc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 18:01:11 2014 -0400
+
+ revert lustre change, we'll include compiler.h from asm/page.h instead
+
+ .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit a39c965db54a571780b9844d93cfec71265b2c5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 18:00:13 2014 -0400
+
+ fix ARM compilation with constify plugin
+
+ arch/arm/include/asm/page.h | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 721fb83dc182e1442311b8ca3a986963f9cf2b76
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 17:18:04 2014 -0400
+
+ move header ordering
+
+ .../lustre/include/linux/lnet/linux/lib-lnet.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 985afa44870e690fce35adf47979a99855db3323
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 17:02:24 2014 -0400
+
+ compile fix for lustre on ARM with constify plugin
+
+ .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e5c4fe3e8fb7e1a64f1ab29887b7f787cc989c24
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 16:04:34 2014 -0400
+
+ fix compiler error caused by constify plugin on ARM
+
+ drivers/mfd/ab8500-debugfs.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b6e2f644cf05a858d3988fb9bb8a8ca6c0beeff4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 15:46:53 2014 -0400
+
+ fix more compile errors caused by RANDSTRUCT and constify plugins on ARM
+
+ drivers/base/power/domain.c | 4 ++--
+ include/linux/pm_domain.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 2d33f0f25f7ee45412728f8bad6ef97b5bf40a66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 15:34:17 2014 -0400
+
+ fix another compile error caused by constify plugin on ARM
+
+ drivers/gpio/gpio-rcar.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 05b33c660567d4dc74ebcd06e996bf0656146757
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 17 15:08:49 2014 -0400
+
+ fix compile error caused by constify plugin on ARM
+
+ drivers/gpio/gpio-em.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b9c8e0a83ba19e0228317675ffb4e1c1fb175b31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 16 21:17:20 2014 -0400
+
+ fix allyesconfig compilation with PAX_REFCOUNT
+
+ drivers/staging/imx-drm/imx-drm-core.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit b855bafd2e8d4b50c13586e5a00905fb9c03ed5a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 16 21:04:10 2014 -0400
+
+ fix arm allmodconfig
+
+ drivers/net/can/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 611bf735a4def802205cc83a131ec9c77c194662
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 14 20:12:02 2014 -0400
+
+ add /usr/share/apport/apport to the allowed userland exec paths --
+ because apparently some distros have no problem just throwing
+ critical binaries around anywhere.
+
+ kernel/kmod.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 51692fc9a6be048dd0500f78f97aed4db87bc359
+Merge: 54fa0d5 7fcc1d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 14 20:09:56 2014 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/mips/mm/mmap.c
+
+commit 7fcc1d01537c3e4d4cb3494b4e19890864473376
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 14 20:08:19 2014 -0400
+
+ Update to pax-linux-3.13.6-test13.patch:
+ - fixed a few compilation errors on MIPS, by Hinnerk van Bruinehsen <h.v.bruinehsen@fu-berlin.de>
+
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/kernel/setup.c | 4 ++--
+ arch/arm/mm/mmu.c | 2 +-
+ arch/mips/cavium-octeon/dma-octeon.c | 2 +-
+ arch/mips/include/asm/hw_irq.h | 2 +-
+ arch/mips/kernel/i8259.c | 2 +-
+ arch/mips/kernel/irq-gt641xx.c | 2 +-
+ arch/mips/kernel/reset.c | 4 ++++
+ arch/mips/mm/mmap.c | 2 +-
+ arch/mips/pci/pci-octeon.c | 4 ++--
+ arch/mips/pci/pcie-octeon.c | 12 ++++++------
+ arch/mips/sni/rm200.c | 2 +-
+ arch/mips/vr41xx/common/icu.c | 2 +-
+ arch/mips/vr41xx/common/irq.c | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 2 +-
+ ipc/mq_sysctl.c | 2 +-
+ kernel/panic.c | 2 +-
+ 18 files changed, 29 insertions(+), 25 deletions(-)
+
+commit 54fa0d51929173d4eb6c060ea966ec5abe32faaf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 12 22:54:32 2014 -0400
+
+ add support for PAX_EMUTRAMP by default in the autoconfig
+
+ security/Kconfig | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 1a3518d87b5faa66b5684569bfe84024edc955ce
+Author: Laura Abbott <lauraa@codeaurora.org>
+Date: Mon Mar 10 15:49:44 2014 -0700
+
+ Upstream commit: 2af120bc040c5ebcda156df6be6a66610ab6957f
+
+ mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block
+
+ We received several reports of bad page state when freeing CMA pages
+ previously allocated with alloc_contig_range:
+
+ BUG: Bad page state in process Binder_A pfn:63202
+ page:d21130b0 count:0 mapcount:1 mapping: (null) index:0x7dfbf
+ page flags: 0x40080068(uptodate|lru|active|swapbacked)
+
+ Based on the page state, it looks like the page was still in use. The
+ page flags do not make sense for the use case though. Further debugging
+ showed that despite alloc_contig_range returning success, at least one
+ page in the range still remained in the buddy allocator.
+
+ There is an issue with isolate_freepages_block. In strict mode (which
+ CMA uses), if any pages in the range cannot be isolated,
+ isolate_freepages_block should return failure 0. The current check
+ keeps track of the total number of isolated pages and compares against
+ the size of the range:
+
+ if (strict && nr_strict_required > total_isolated)
+ total_isolated = 0;
+
+ After taking the zone lock, if one of the pages in the range is not in
+ the buddy allocator, we continue through the loop and do not increment
+ total_isolated. If in the last iteration of the loop we isolate more
+ than one page (e.g. last page needed is a higher order page), the check
+ for total_isolated may pass and we fail to detect that a page was
+ skipped. The fix is to bail out if the loop immediately if we are in
+ strict mode. There's no benfit to continuing anyway since we need all
+ pages to be isolated. Additionally, drop the error checking based on
+ nr_strict_required and just check the pfn ranges. This matches with
+ what isolate_freepages_range does.
+
+ Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
+ Acked-by: Minchan Kim <minchan@kernel.org>
+ Cc: Mel Gorman <mgorman@suse.de>
+ Acked-by: Vlastimil Babka <vbabka@suse.cz>
+ Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+ Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+ Acked-by: Michal Nazarewicz <mina86@mina86.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/compaction.c | 20 +++++++++++++-------
+ 1 files changed, 13 insertions(+), 7 deletions(-)
+
+commit 6c2a0937a7bb61db66b01160334fa83c93c05c7b
+Author: Artem Fetishev <artem_fetishev@epam.com>
+Date: Mon Mar 10 15:49:45 2014 -0700
+
+ Upstream commit: 70335abb2689c8cd5df91bf2d95a65649addf50b
+
+ fs/proc/base.c: fix GPF in /proc/$PID/map_files
+
+ The expected logic of proc_map_files_get_link() is either to return 0
+ and initialize 'path' or return an error and leave 'path' uninitialized.
+
+ By the time dname_to_vma_addr() returns 0 the corresponding vma may have
+ already be gone. In this case the path is not initialized but the
+ return value is still 0. This results in 'general protection fault'
+ inside d_path().
+
+ Steps to reproduce:
+
+ CONFIG_CHECKPOINT_RESTORE=y
+
+ fd = open(...);
+ while (1) {
+ mmap(fd, ...);
+ munmap(fd, ...);
+ }
+
+ ls -la /proc/$PID/map_files
+
+ Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991
+
+ Signed-off-by: Artem Fetishev <artem_fetishev@epam.com>
+ Signed-off-by: Aleksandr Terekhov <aleksandr_terekhov@epam.com>
+ Reported-by: <wiebittewas@gmail.com>
+ Acked-by: Pavel Emelyanov <xemul@parallels.com>
+ Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
+ Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/proc/base.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 34d22047e821cdae1d31beb2fdda8e6e9fe40cdf
+Author: Matthew Leach <matthew.leach@arm.com>
+Date: Tue Mar 11 11:58:27 2014 +0000
+
+ Upstream commit: dbb490b96584d4e958533fb637f08b557f505657
+
+ net: socket: error on a negative msg_namelen
+
+ When copying in a struct msghdr from the user, if the user has set the
+ msg_namelen parameter to a negative value it gets clamped to a valid
+ size due to a comparison between signed and unsigned values.
+
+ Ensure the syscall errors when the user passes in a negative value.
+
+ Signed-off-by: Matthew Leach <matthew.leach@arm.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/socket.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit a28f7e3e1ec4d26bf7734c70ca3b6107e54597ca
+Author: Alexei Starovoitov <ast@plumgrid.com>
+Date: Mon Mar 10 15:56:51 2014 -0700
+
+ Upstream commit: fdfaf64e75397567257e1051931f9a3377360665
+
+ x86: bpf_jit: support negative offsets
+
+ Commit a998d4342337 claimed to introduce negative offset support to x86 jit,
+ but it couldn't be working, since at the time of the execution
+ of LD+ABS or LD+IND instructions via call into
+ bpf_internal_load_pointer_neg_helper() the %edx (3rd argument of this func)
+ had junk value instead of access size in bytes (1 or 2 or 4).
+
+ Store size into %edx instead of %ecx (what original commit intended to do)
+
+ Fixes: a998d4342337 ("bpf jit: Let the x86 jit handle negative offsets")
+ Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
+ Cc: Jan Seiffert <kaffeemonster@googlemail.com>
+ Cc: Eric Dumazet <edumazet@google.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/x86/net/bpf_jit.S | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 977ee3909139082a57a04afbb8e9ee202475aa27
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 12 19:21:43 2014 -0400
+
+ Improve GRKERNSEC_JIT_HARDEN against a theoretical attack I dreamed up --
+ if an attacker had an arbitrary read vuln and ability to redirect control flow,
+ he could, in ~2,000,000,000 attempts have a 50% chance of pre-selecting a
+ 32bit random key which the attacker has XORed with his desired immediates to
+ cause the constant blinding to produce a potentially useful instruction stream
+ (which he could verify by abusing the infoleak). Instead of using one key
+ per instruction stream, generate a new key for each instruction using prandom_u32().
+
+ The downside is some performance impact during JIT compilation, though this
+ shouldn't be so common an event for anyone to notice.
+
+ arch/x86/net/bpf_jit_comp.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 1b3f7f8f68d05143c0d55e8ceba0904c21007ad4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 7 20:44:22 2014 -0500
+
+ fix typo
+
+ ipc/mq_sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 90c31e93dc4eb2045775930cacbb64318cabafad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 7 20:25:53 2014 -0500
+
+ add no_const to ctl_table located on stack
+
+ ipc/mq_sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 098fd10b3af4ef61b2edc60314ef18991b2f6f71
+Author: Sabrina Dubroca <sd@queasysnail.net>
+Date: Thu Mar 6 17:51:57 2014 +0100
+
+ Upstream commit: c88507fbad8055297c1d1e21e599f46960cbee39
+
+ ipv6: don't set DST_NOCOUNT for remotely added routes
+
+ DST_NOCOUNT should only be used if an authorized user adds routes
+ locally. In case of routes which are added on behalf of router
+ advertisments this flag must not get used as it allows an unlimited
+ number of routes getting added remotely.
+
+ Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/route.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c4bd306f576cc03b5f0f9e56253e3f0a3be5d3bd
+Merge: 71ed8ef a2aac72
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 7 20:10:30 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a2aac72603c2309d560a606493bb3003e2abe6c7
+Merge: 96545e3 404df65
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 7 20:10:13 2014 -0500
+
+ Merge branch 'linux-3.13.y' into pax-test
+
+ Conflicts:
+ arch/arm/mm/mmu.c
+ mm/memory.c
+
+commit 71ed8ef8e7d2ffcc57b5ffacef3a9262ed8781c7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 4 18:08:29 2014 -0500
+
+ Backport security fix: http://seclists.org/oss-sec/2014/q1/477
+
+ net/ipv4/inet_fragment.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit d752f1f1704ddbec282d7eb2150c75e05b9bcdd3
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon Mar 3 17:23:04 2014 +0100
+
+ Upstream commit: ec0223ec48a90cb605244b45f7c62de856403729
+ Remote DoS fix
+
+ net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
+
+ RFC4895 introduced AUTH chunks for SCTP; during the SCTP
+ handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
+ being optional though):
+
+ ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
+ <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
+ -------------------- COOKIE-ECHO -------------------->
+ <-------------------- COOKIE-ACK ---------------------
+
+ A special case is when an endpoint requires COOKIE-ECHO
+ chunks to be authenticated:
+
+ ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
+ <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
+ ------------------ AUTH; COOKIE-ECHO ---------------->
+ <-------------------- COOKIE-ACK ---------------------
+
+ RFC4895, section 6.3. Receiving Authenticated Chunks says:
+
+ The receiver MUST use the HMAC algorithm indicated in
+ the HMAC Identifier field. If this algorithm was not
+ specified by the receiver in the HMAC-ALGO parameter in
+ the INIT or INIT-ACK chunk during association setup, the
+ AUTH chunk and all the chunks after it MUST be discarded
+ and an ERROR chunk SHOULD be sent with the error cause
+ defined in Section 4.1. [...] If no endpoint pair shared
+ key has been configured for that Shared Key Identifier,
+ all authenticated chunks MUST be silently discarded. [...]
+
+ When an endpoint requires COOKIE-ECHO chunks to be
+ authenticated, some special procedures have to be followed
+ because the reception of a COOKIE-ECHO chunk might result
+ in the creation of an SCTP association. If a packet arrives
+ containing an AUTH chunk as a first chunk, a COOKIE-ECHO
+ chunk as the second chunk, and possibly more chunks after
+ them, and the receiver does not have an STCB for that
+ packet, then authentication is based on the contents of
+ the COOKIE-ECHO chunk. In this situation, the receiver MUST
+ authenticate the chunks in the packet by using the RANDOM
+ parameters, CHUNKS parameters and HMAC_ALGO parameters
+ obtained from the COOKIE-ECHO chunk, and possibly a local
+ shared secret as inputs to the authentication procedure
+ specified in Section 6.3. If authentication fails, then
+ the packet is discarded. If the authentication is successful,
+ the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
+ MUST be processed. If the receiver has an STCB, it MUST
+ process the AUTH chunk as described above using the STCB
+ from the existing association to authenticate the
+ COOKIE-ECHO chunk and all the chunks after it. [...]
+
+ Commit bbd0d59809f9 introduced the possibility to receive
+ and verification of AUTH chunk, including the edge case for
+ authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
+ the function sctp_sf_do_5_1D_ce() handles processing,
+ unpacks and creates a new association if it passed sanity
+ checks and also tests for authentication chunks being
+ present. After a new association has been processed, it
+ invokes sctp_process_init() on the new association and
+ walks through the parameter list it received from the INIT
+ chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
+ and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
+ meta data (peer_random, peer_hmacs, peer_chunks) in case
+ sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
+ SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
+ peer_random != NULL and peer_hmacs != NULL the peer is to be
+ assumed asoc->peer.auth_capable=1, in any other case
+ asoc->peer.auth_capable=0.
+
+ Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
+ available, we set up a fake auth chunk and pass that on to
+ sctp_sf_authenticate(), which at latest in
+ sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
+ at position 0..0008 when setting up the crypto key in
+ crypto_hash_setkey() by using asoc->asoc_shared_key that is
+ NULL as condition key_id == asoc->active_key_id is true if
+ the AUTH chunk was injected correctly from remote. This
+ happens no matter what net.sctp.auth_enable sysctl says.
+
+ The fix is to check for net->sctp.auth_enable and for
+ asoc->peer.auth_capable before doing any operations like
+ sctp_sf_authenticate() as no key is activated in
+ sctp_auth_asoc_init_active_key() for each case.
+
+ Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
+ passed from the INIT chunk was not used in the AUTH chunk, we
+ SHOULD send an error; however in this case it would be better
+ to just silently discard such a maliciously prepared handshake
+ as we didn't even receive a parameter at all. Also, as our
+ endpoint has no shared key configured, section 6.3 says that
+ MUST silently discard, which we are doing from now onwards.
+
+ Before calling sctp_sf_pdiscard(), we need not only to free
+ the association, but also the chunk->auth_chunk skb, as
+ commit bbd0d59809f9 created a skb clone in that case.
+
+ I have tested this locally by using netfilter's nfqueue and
+ re-injecting packets into the local stack after maliciously
+ modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
+ and the SCTP packet containing the COOKIE_ECHO (injecting
+ AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
+
+ Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Vlad Yasevich <yasevich@gmail.com>
+ Cc: Neil Horman <nhorman@tuxdriver.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/sm_statefuns.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 855c02e8cb1af9b40752258060af547805881899
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 4 18:05:10 2014 -0500
+
+ Backport local DoS fix: http://seclists.org/oss-sec/2014/q1/494
+
+ security/keys/keyring.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+commit 4877e98529649880ac76ade11e5529403a40ea73
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 3 14:42:58 2014 -0500
+
+ mark 'processor' as __read_only instead of forcing constify on it
+ to avoid a GCC constant propagation that will cause a NULL deref on boot
+ on ARM MULTI_CPU configs
+
+ Thanks to Arnaud Fontaine and Arnaud Ebalard for the report, fix is from
+ the PaX Team
+
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/kernel/setup.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 9c8d2926262f0345af454da45b41c6259bdc89e8
+Author: Andrew Honig <ahonig@google.com>
+Date: Thu Feb 27 19:35:14 2014 +0100
+
+ Upstream commit: a08d3b3b99efd509133946056531cdf8f3a0c09b
+
+ kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
+
+ The problem occurs when the guest performs a pusha with the stack
+ address pointing to an mmio address (or an invalid guest physical
+ address) to start with, but then extending into an ordinary guest
+ physical address. When doing repeated emulated pushes
+ emulator_read_write sets mmio_needed to 1 on the first one. On a
+ later push when the stack points to regular memory,
+ mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0.
+
+ As a result, KVM exits to userspace, and then returns to
+ complete_emulated_mmio. In complete_emulated_mmio
+ vcpu->mmio_cur_fragment is incremented. The termination condition of
+ vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
+ The code bounces back and fourth to userspace incrementing
+ mmio_cur_fragment past it's buffer. If the guest does nothing else it
+ eventually leads to a a crash on a memcpy from invalid memory address.
+
+ However if a guest code can cause the vm to be destroyed in another
+ vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
+ can be used by the guest to control the data that's pointed to by the
+ call to cancel_work_item, which can be used to gain execution.
+
+ Fixes: f78146b0f9230765c6315b2e14f56112513389ad
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Cc: stable@vger.kernel.org (3.5+)
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ arch/x86/kvm/x86.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 40051b60939861d365baf66d95dadd3f090542ac
+Author: Mike Pecovnik <mike.pecovnik@gmail.com>
+Date: Mon Feb 24 21:11:16 2014 +0100
+
+ Upstream commit: 46833a86f7ab30101096d81117dd250bfae74c6f
+
+ net: Fix permission check in netlink_connect()
+
+ netlink_sendmsg() was changed to prevent non-root processes from sending
+ messages with dst_pid != 0.
+ netlink_connect() however still only checks if nladdr->nl_groups is set.
+ This patch modifies netlink_connect() to check for the same condition.
+
+ Signed-off-by: Mike Pecovnik <mike.pecovnik@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/netlink/af_netlink.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a3be34042aa8d3eccb476cb240d8cdc85024b18a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 1 23:17:33 2014 -0500
+
+ Apply role_umask RBAC restrictions to POSIX ACLs as well
+
+ fs/posix_acl.c | 7 +++++--
+ fs/xattr_acl.c | 9 +++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+commit 652b798b80f39815b94fc9b7192d648ad6b6cf64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 24 21:57:37 2014 -0500
+
+ mention in config help that gcc 4.6.4 or higher is needed for RANDSTRUCT
+
+ grsecurity/Kconfig | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 5ffde76a88cb5dadc307cabc33d7ad253158b608
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 24 18:54:34 2014 -0500
+
+ use current_umask() helper in lustre instead of current->fs->umask
+
+ drivers/staging/lustre/lustre/llite/dir.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 49761e88b63e2771f09aa16cb4e98c681515cf31
+Merge: daf0afa 96545e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 24 17:43:09 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/cpu/common.c
+
+commit 96545e3f1c4df86c1d9b74a1916d1b712138345f
+Merge: 1ea0c4a dc0ead5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 24 17:37:59 2014 -0500
+
+ Update to pax-linux-3.13.5-test11.patch:
+ - fixed a mismerge in atomic64_sub_return on arm, reported by Arnaud Fontaine
+ - the latent entropy plugin can now initialize structure variables as well
+
+ Merge branch 'linux-3.13.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/ftrace.c
+ include/linux/compiler-gcc4.h
+
+commit daf0afa64695bd49bf6be19450fea0a533edc3ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 24 17:16:47 2014 -0500
+
+ when IPC hardening is disabled via sysctl, we shouldn't be imposing
+ any additional restrictions
+ thanks to Mathias Krause (minipli) for the report
+
+ grsecurity/grsec_ipc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 179bf20a88510350fc86383c7d1b8e7d422cc604
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 21 12:06:41 2014 -0500
+
+ add missing return in the ARM refcount code.
+
+ Thanks to Arnaud Fontaine for the report and patch!
+
+ arch/arm/include/asm/atomic.h | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 5eecd26548fa8462296745eedf66858bf83532c9
+Merge: d32875c 1ea0c4a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 20 21:39:25 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1ea0c4ab7114838fb5f7b320c5c4bee6269c2f99
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 20 21:39:02 2014 -0500
+
+ Update to pax-linux-3.13.4-test10.patch
+
+ tools/gcc/latent_entropy_plugin.c | 10 +++++-----
+ 1 files changed, 5 insertions(+), 5 deletions(-)
+
+commit d32875ccf8800fd9b458907fbd9f08e74847012b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 20 18:42:11 2014 -0500
+
+ work around pipacs' latent_entropy plugin
+
+ tools/gcc/randomize_layout_plugin.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+commit 91ea54c68a7f728341371d3ca8c6208acc885706
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 20 17:57:36 2014 -0500
+
+ .data takes the address of the ints, not their values
+
+ net/core/neighbour.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit bc41258c48ca6acae51d191e914556ab37ca7c92
+Merge: 3051292 0ce19d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 20 17:45:07 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ include/linux/compiler-gcc4.h
+
+commit 0ce19d411496f0ab77a86c1c5091b909fd720665
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 20 17:43:26 2014 -0500
+
+ Update to pax-linux-3.13.4-test10.patch:
+ - fixed asm goto for all gcc versions, backport from upstream (https://git.kernel.org/linus/a9f180345f5378ac87)
+ - fixed a size overflow false positive in the ELF loader (needs a non-0 based PIE to trigger), reported by spender
+ - the latent entropy plugin will now insert some entropy at compile time into the random pools
+
+ drivers/char/random.c | 6 +-
+ fs/binfmt_elf.c | 2 +-
+ include/linux/compiler-gcc4.h | 4 --
+ tools/gcc/gcc-common.h | 10 ++++-
+ tools/gcc/latent_entropy_plugin.c | 84 +++++++++++++++++++++++++++++++++----
+ tools/gcc/stackleak_plugin.c | 5 +-
+ 6 files changed, 90 insertions(+), 21 deletions(-)
+
+commit 3051292e84bf30c218e447a105ab898e8c509b44
+Merge: 71d207d 8a3ecf6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 20 17:19:54 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a3ecf6d2b7e6304d259608e77a7259daeeeab9b
+Merge: 98242db 93ee5dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 20 17:17:30 2014 -0500
+
+ Merge branch 'linux-3.13.y' into pax-test
+
+commit 71d207d2df0cc95b1cf26d1499317d5b010c4033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 20 16:59:26 2014 -0500
+
+ Fix a 16+ year old hack in Linux that exposed itself when RANDSTRUCT was
+ enabled, reported by jacekalex on the forums
+
+ include/net/neighbour.h | 1 -
+ net/core/neighbour.c | 9 +++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 6d3beec0d1c79dfad2ba060c4d06ebf65ce39d15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 19 22:01:38 2014 -0500
+
+ Backport CIFS vuln fix: http://article.gmane.org/gmane.linux.kernel.cifs/9401
+
+ fs/cifs/file.c | 37 ++++++++++++++++++++++++++++++++++---
+ 1 files changed, 34 insertions(+), 3 deletions(-)
+
+commit 20eb03803ea2fea3f8c420b69097058122de32f6
+Author: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Tue Feb 11 09:15:54 2014 -0500
+
+ Upstream commit: 06ea0bfe6e6043cb56a78935a19f6f8ebc636226
+
+ SUNRPC: Fix races in xs_nospace()
+
+ When a send failure occurs due to the socket being out of buffer space,
+ we call xs_nospace() in order to have the RPC task wait until the
+ socket has drained enough to make it worth while trying again.
+ The current patch fixes a race in which the socket is drained before
+ we get round to setting up the machinery in xs_nospace(), and which
+ is reported to cause hangs.
+
+ Link: http://lkml.kernel.org/r/20140210170315.33dfc621@notabene.brown
+ Fixes: a9a6b52ee1ba (SUNRPC: Don't start the retransmission timer...)
+ Reported-by: Neil Brown <neilb@suse.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+
+ net/sunrpc/xprtsock.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+commit 9fff690287df8c389126420e1dab2608ddb4be75
+Author: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Tue Feb 11 13:56:54 2014 -0500
+
+ Upstream commit: 628356791b04ea988fee070f66a748a823d001bb
+
+ SUNRPC: Fix potential memory scribble in xprt_free_bc_request()
+
+ The call to xprt_free_allocation() will call list_del() on
+ req->rq_bc_pa_list, which is not attached to a list.
+ This patch moves the list_del() out of xprt_free_allocation()
+ and into those callers that need it.
+
+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+
+ net/sunrpc/backchannel_rqst.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 5382ae56cf22adf34d2dd9da03b3a44af0c846f1
+Author: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sun Feb 16 12:14:13 2014 -0500
+
+ Upstream commit: 9eb2ddb48ce3a7bd745c14a933112994647fa3cd
+
+ SUNRPC: Ensure that gss_auth isn't freed before its upcall messages
+
+ Fix a race in which the RPC client is shutting down while the
+ gss daemon is processing a downcall. If the RPC client manages to
+ shut down before the gss daemon is done, then the struct gss_auth
+ used in gss_release_msg() may have already been freed.
+
+ Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com
+ Reported-by: John <da_audiophile@yahoo.com>
+ Reported-by: Borislav Petkov <bp@alien8.de>
+ Cc: stable@vger.kernel.org # 3.12+
+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+
+ net/sunrpc/auth_gss/auth_gss.c | 13 +++++++++++--
+ 1 files changed, 11 insertions(+), 2 deletions(-)
+
+commit 76e2d40cfc26bc44ba2ff4604c1f0ff4821ec13b
+Author: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sun Feb 16 13:28:01 2014 -0500
+
+ Upstream commit: e9776d0f4adee8877145672f6416b06b57f2dc27
+
+ SUNRPC: Fix a pipe_version reference leak
+
+ In gss_alloc_msg(), if the call to gss_encode_v1_msg() fails, we
+ want to release the reference to the pipe_version that was obtained
+ earlier in the function.
+
+ Fixes: 9d3a2260f0f4b (SUNRPC: Fix buffer overflow checking in...)
+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+
+ net/sunrpc/auth_gss/auth_gss.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 715c3e4109210d090282b360463aa474c978dcf5
+Author: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Sun Feb 2 22:21:31 2014 +0100
+
+ Upstream commit: 4d9c5b89cf3605bbc39c6e274351ff25f0d83e6a
+
+ ARM: 7950/1: mm: Fix stage-2 device memory attributes
+
+ The stage-2 memory attributes are distinct from the Hyp memory
+ attributes and the Stage-1 memory attributes. We were using the stage-1
+ memory attributes for stage-2 mappings causing device mappings to be
+ mapped as normal memory. Add the S2 equivalent defines for memory
+ attributes and fix the comments explaining the defines while at it.
+
+ Add a prot_pte_s2 field to the mem_type struct and fill out the field
+ for device mappings accordingly.
+
+ Cc: <stable@vger.kernel.org> [3.9+]
+ Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+ Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+ Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ Conflicts:
+
+ arch/arm/mm/mmu.c
+
+ arch/arm/include/asm/pgtable-3level.h | 15 +++++++++------
+ arch/arm/mm/mm.h | 1 +
+ arch/arm/mm/mmu.c | 7 ++++++-
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+commit 49f25f2842b5e567ca45d5648460ad7cfd2af7ab
+Author: Will Deacon <will.deacon@arm.com>
+Date: Fri Feb 7 19:12:20 2014 +0100
+
+ Upstream commit: bae0ca2bc550d1ec6a118fb8f2696f18c4da3d8e
+
+ ARM: 7953/1: mm: ensure TLB invalidation is complete before enabling MMU
+
+ During __v{6,7}_setup, we invalidate the TLBs since we are about to
+ enable the MMU on return to head.S. Unfortunately, without a subsequent
+ dsb instruction, the invalidation is not guaranteed to have completed by
+ the time we write to the sctlr, potentially exposing us to junk/stale
+ translations cached in the TLB.
+
+ This patch reworks the init functions so that the dsb used to ensure
+ completion of cache/predictor maintenance is also used to ensure
+ completion of the TLB invalidation.
+
+ Cc: <stable@vger.kernel.org>
+ Reported-by: Albin Tonnerre <Albin.Tonnerre@arm.com>
+ Signed-off-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ arch/arm/mm/proc-v6.S | 3 ++-
+ arch/arm/mm/proc-v7.S | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+commit fa4b67556529451bd4489b07472f58feec35d51d
+Author: Will Deacon <will.deacon@arm.com>
+Date: Fri Feb 7 19:12:32 2014 +0100
+
+ Upstream commit: 7c8746a9eb287642deaad0e7c2cdf482dce5e4be
+
+ ARM: 7955/1: spinlock: ensure we have a compiler barrier before sev
+
+ When unlocking a spinlock, we require the following, strictly ordered
+ sequence of events:
+
+ <barrier> /* dmb */
+ <unlock>
+ <barrier> /* dsb */
+ <sev>
+
+ Whilst the code does indeed reflect this in terms of the architecture,
+ the final <barrier> + <sev> have been contracted into a single inline
+ asm without a "memory" clobber, therefore the compiler is at liberty to
+ reorder the unlock to the end of the above sequence. In such a case,
+ a waiting CPU may be woken up before the lock has been unlocked, leading
+ to extremely poor performance.
+
+ This patch reworks the dsb_sev() function to make use of the dsb()
+ macro and ensure ordering against the unlock.
+
+ Cc: <stable@vger.kernel.org>
+ Reported-by: Mark Rutland <mark.rutland@arm.com>
+ Signed-off-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ arch/arm/include/asm/spinlock.h | 15 +++------------
+ 1 files changed, 3 insertions(+), 12 deletions(-)
+
+commit f3efaba9e0a1d5d96fc0783ae8ec8e733e113bfa
+Author: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Tue Feb 11 17:11:04 2014 +0000
+
+ Upstream commit: e83b366487b5582274374f8226e489cb214ae5a6
+
+ Fix uses of dma_max_pfn() when converting to a limiting address
+
+ We must use a 64-bit for this, otherwise overflowed bits get lost, and
+ that can result in a lower than intended value set.
+
+ Fixes: 8e0cb8a1f6ac ("ARM: 7797/1: mmc: Use dma_max_pfn(dev) helper for bounce_limit calculations")
+ Fixes: 7d35496dd982 ("ARM: 7796/1: scsi: Use dma_max_pfn(dev) helper for bounce_limit calculations")
+ Tested-Acked-by: Santosh Shilimkar <santosh.shilimkar@ti.com>
+ Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ drivers/mmc/card/queue.c | 2 +-
+ drivers/scsi/scsi_lib.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 5a3e8a10d439ba8bcd893bf2159618908fe80384
+Author: Vinayak Kale <vkale@apm.com>
+Date: Wed Feb 12 07:30:01 2014 +0100
+
+ Upstream commit: 39544ac9df20f73e49fc6b9ac19ff533388c82c0
+
+ ARM: 7957/1: add DSB after icache flush in __flush_icache_all()
+
+ Add DSB after icache flush to complete the cache maintenance operation.
+
+ Signed-off-by: Vinayak Kale <vkale@apm.com>
+ Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ arch/arm/include/asm/cacheflush.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 26d22a6946dfbb4f4a760038816c43ba49504863
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon Feb 17 12:24:45 2014 -0800
+
+ Upstream commit: e4178d809fdaee32a56833fff1f5056c99e90a1a
+
+ printk: fix syslog() overflowing user buffer
+
+ This is not a buffer overflow in the traditional sense: we don't
+ overflow any *kernel* buffers, but we do mis-count the amount of data we
+ copy back to user space for the SYSLOG_ACTION_READ_ALL case.
+
+ In particular, if the user buffer is too small to hold everything, and
+ *if* there is a continuation line at just the right place, we can end up
+ giving the user more data than he asked for.
+
+ The reason is that we first count up the number of bytes all the log
+ records contains, then we walk the records again until we've skipped the
+ records at the beginning that won't fit, and then we walk the rest of
+ the records and copy them to the user space buffer.
+
+ And in between that "skip the initial records that won't fit" and the
+ "copy the records that *will* fit to user space", we reset the 'prev'
+ variable that contained the record information for the last record not
+ copied. That meant that when we started copying to user space, we now
+ had a different character count than what we had originally calculated
+ in the first record walk-through.
+
+ The fix is to simply not clear the 'prev' flags value (in both cases
+ where we had the same logic: syslog_print_all and kmsg_dump_get_buffer:
+ the latter is used for pstore-like dumping)
+
+ Reported-and-tested-by: Debabrata Banerjee <dbanerje@akamai.com>
+ Acked-by: Kay Sievers <kay@vrfy.org>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/printk/printk.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit 88d5fdac3aa7813d963ab5a3325c2f15c36c97cf
+Author: Rafael Aquini <aquini@redhat.com>
+Date: Mon Feb 10 14:25:48 2014 -0800
+
+ Upstream commit: a0b54adda3fe4b4cc6d28f2a9217cd35d1aa888c
+
+ mm: fix page leak at nfs_symlink()
+
+ Changes in commit a0b8cab3b9b2 ("mm: remove lru parameter from
+ __pagevec_lru_add and remove parts of pagevec API") have introduced a
+ call to add_to_page_cache_lru() which causes a leak in nfs_symlink() as
+ now the page gets an extra refcount that is not dropped.
+
+ Jan Stancek observed and reported the leak effect while running test8
+ from Connectathon Testsuite. After several iterations over the test
+ case, which creates several symlinks on a NFS mountpoint, the test
+ system was quickly getting into an out-of-memory scenario.
+
+ This patch fixes the page leak by dropping that extra refcount
+ add_to_page_cache_lru() is grabbing.
+
+ Signed-off-by: Jan Stancek <jstancek@redhat.com>
+ Signed-off-by: Rafael Aquini <aquini@redhat.com>
+ Acked-by: Mel Gorman <mgorman@suse.de>
+ Acked-by: Rik van Riel <riel@redhat.com>
+ Cc: Jeff Layton <jlayton@redhat.com>
+ Cc: Trond Myklebust <trond.myklebust@primarydata.com>
+ Cc: <stable@vger.kernel.org> [3.11.x+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/nfs/dir.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit bf53635ba34d0ef231a89dd30aa9954b0fa3d87b
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon Feb 17 20:33:01 2014 -0500
+
+ Upstream commit: 92e3b40537707001d17bbad800d150ab04e53bf4
+
+ jbd2: fix use after free in jbd2_journal_start_reserved()
+
+ If start_this_handle() fails then it leads to a use after free of
+ "handle".
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: stable@vger.kernel.org
+
+ fs/jbd2/transaction.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 7eb9d6b170b2d83e9a59d8d5e9c3eaec76b3e1a2
+Author: Theodore Ts'o <tytso@mit.edu>
+Date: Sat Feb 15 22:42:25 2014 -0500
+
+ Upstream commit: 3d2660d0c9c2f296837078c189b68a47f6b2e3b5
+
+ ext4: fix online resize with a non-standard blocks per group setting
+
+ The set_flexbg_block_bitmap() function assumed that the number of
+ blocks in a blockgroup was sb->blocksize * 8, which is normally true,
+ but not always! Use EXT4_BLOCKS_PER_GROUP(sb) instead, to fix block
+ bitmap corruption after:
+
+ mke2fs -t ext4 -g 3072 -i 4096 /dev/vdd 1G
+ mount -t ext4 /dev/vdd /vdd
+ resize2fs /dev/vdd 8G
+
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+ Reported-by: Jon Bernard <jbernard@tuxion.com>
+ Cc: stable@vger.kernel.org
+
+ fs/ext4/resize.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 588500229af3505116b0fe05c4e54a06cabd64e4
+Author: Theodore Ts'o <tytso@mit.edu>
+Date: Sat Feb 15 21:33:13 2014 -0500
+
+ Upstream commit: b93c95353413041a8cebad915a8109619f66bcc6
+
+ ext4: fix online resize with very large inode tables
+
+ If a file system has a large number of inodes per block group, all of
+ the metadata blocks in a flex_bg may be larger than what can fit in a
+ single block group. Unfortunately, ext4_alloc_group_tables() in
+ resize.c was never tested to see if it would handle this case
+ correctly, and there were a large number of bugs which caused the
+ following sequence to result in a BUG_ON:
+
+ kernel bug at fs/ext4/resize.c:409!
+ ...
+ call trace:
+ [<ffffffff81256768>] ext4_flex_group_add+0x1448/0x1830
+ [<ffffffff81257de2>] ext4_resize_fs+0x7b2/0xe80
+ [<ffffffff8123ac50>] ext4_ioctl+0xbf0/0xf00
+ [<ffffffff811c111d>] do_vfs_ioctl+0x2dd/0x4b0
+ [<ffffffff811b9df2>] ? final_putname+0x22/0x50
+ [<ffffffff811c1371>] sys_ioctl+0x81/0xa0
+ [<ffffffff81676aa9>] system_call_fastpath+0x16/0x1b
+ code: c8 4c 89 df e8 41 96 f8 ff 44 89 e8 49 01 c4 44 29 6d d4 0
+ rip [<ffffffff81254fa1>] set_flexbg_block_bitmap+0x171/0x180
+
+ This can be reproduced with the following command sequence:
+
+ mke2fs -t ext4 -i 4096 /dev/vdd 1G
+ mount -t ext4 /dev/vdd /vdd
+ resize2fs /dev/vdd 8G
+
+ To fix this, we need to make sure the right thing happens when a block
+ group's inode table straddles two block groups, which means the
+ following bugs had to be fixed:
+
+ 1) Not clearing the BLOCK_UNINIT flag in the second block group in
+ ext4_alloc_group_tables --- the was proximate cause of the BUG_ON.
+
+ 2) Incorrectly determining how many block groups contained contiguous
+ free blocks in ext4_alloc_group_tables().
+
+ 3) Incorrectly setting the start of the next block range to be marked
+ in use after a discontinuity in setup_new_flex_group_blocks().
+
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: stable@vger.kernel.org
+
+ fs/ext4/resize.c | 32 ++++++++++++++++++++------------
+ 1 files changed, 20 insertions(+), 12 deletions(-)
+
+commit dfb5654f8a9946e06f67d0481c907fa9ae4c6b04
+Author: Theodore Ts'o <tytso@mit.edu>
+Date: Wed Feb 12 12:16:04 2014 -0500
+
+ Upstream commit: 23301410972330c0ae9a8afc379ba2005e249cc6
+
+ ext4: don't try to modify s_flags if the the file system is read-only
+
+ If an ext4 file system is created by some tool other than mke2fs
+ (perhaps by someone who has a pathalogical fear of the GPL) that
+ doesn't set one or the other of the EXT2_FLAGS_{UN}SIGNED_HASH flags,
+ and that file system is then mounted read-only, don't try to modify
+ the s_flags field. Otherwise, if dm_verity is in use, the superblock
+ will change, causing an dm_verity failure.
+
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: stable@vger.kernel.org
+
+ fs/ext4/super.c | 20 +++++++++++++-------
+ 1 files changed, 13 insertions(+), 7 deletions(-)
+
+commit d2a631f973d3cff9a1c015cb64b08bb9cc52de8b
+Author: Eric Whitney <enwlinux@gmail.com>
+Date: Wed Feb 12 10:42:45 2014 -0500
+
+ Upstream commit: 15cc17678547676c82a5da9ccf357447333fc342
+
+ ext4: fix xfstest generic/299 block validity failures
+
+ Commit a115f749c1 (ext4: remove wait for unwritten extent conversion from
+ ext4_truncate) exposed a bug in ext4_ext_handle_uninitialized_extents().
+ It can be triggered by xfstest generic/299 when run on a test file
+ system created without a journal. This test continuously fallocates and
+ truncates files to which random dio/aio writes are simultaneously
+ performed by a separate process. The test completes successfully, but
+ if the test filesystem is mounted with the block_validity option, a
+ warning message stating that a logical block has been mapped to an
+ illegal physical block is posted in the kernel log.
+
+ The bug occurs when an extent is being converted to the written state
+ by ext4_end_io_dio() and ext4_ext_handle_uninitialized_extents()
+ discovers a mapping for an existing uninitialized extent. Although it
+ sets EXT4_MAP_MAPPED in map->m_flags, it fails to set map->m_pblk to
+ the discovered physical block number. Because map->m_pblk is not
+ otherwise initialized or set by this function or its callers, its
+ uninitialized value is returned to ext4_map_blocks(), where it is
+ stored as a bogus mapping in the extent status tree.
+
+ Since map->m_pblk can accidentally contain illegal values that are
+ larger than the physical size of the file system, calls to
+ check_block_validity() in ext4_map_blocks() that are enabled if the
+ block_validity mount option is used can fail, resulting in the logged
+ warning message.
+
+ Signed-off-by: Eric Whitney <enwlinux@gmail.com>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: stable@vger.kernel.org # 3.11+
+
+ fs/ext4/extents.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 7eb52392ee886f01a5c944f35fbe95edc2169877
+Author: Zheng Liu <wenqing.lz@taobao.com>
+Date: Wed Feb 12 11:48:31 2014 -0500
+
+ Upstream commit: 30d29b119ef01776e0a301444ab24defe8d8bef3
+
+ ext4: fix error paths in swap_inode_boot_loader()
+
+ In swap_inode_boot_loader() we forgot to release ->i_mutex and resume
+ unlocked dio for inode and inode_bl if there is an error starting the
+ journal handle. This commit fixes this issue.
+
+ Reported-by: Ahmed Tamrawi <ahmedtamrawi@gmail.com>
+ Cc: Andreas Dilger <adilger.kernel@dilger.ca>
+ Cc: Dr. Tilmann Bubeck <t.bubeck@reinform.de>
+ Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: stable@vger.kernel.org # v3.10+
+
+ fs/ext4/ioctl.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 4dc90c1991032c483b11690717ba07952f4fef07
+Author: Theodore Ts'o <tytso@mit.edu>
+Date: Sun Feb 16 19:29:32 2014 -0500
+
+ Upstream commit: 19ea80603715d473600cd993b9987bc97d042e02
+
+ ext4: don't leave i_crtime.tv_sec uninitialized
+
+ If the i_crtime field is not present in the inode, don't leave the
+ field uninitialized.
+
+ Fixes: ef7f38359 ("ext4: Add nanosecond timestamps")
+ Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
+ Tested-by: Vegard Nossum <vegard.nossum@oracle.com>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: stable@vger.kernel.org
+
+ fs/ext4/ext4.h | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 9d8aa319cfbfdb4bdf7a5d4adc4b93fe028bec12
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 19 20:39:37 2014 -0500
+
+ While a Xen dom0 is technically a guest, it's perceived as a host by many
+ and there's really no Linux "host" for Xen, so allow PARAVIRT to be
+ enabled on "host" kernels only when Xen is selected
+
+ Thanks to gaima on the forums for the report
+
+ Conflicts:
+
+ arch/x86/Kconfig
+
+ arch/x86/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8ef15c34cb044db1ae729a53327e5b848631fbee
+Author: Petr PÃsaÅ™ <petr.pisar@atlas.cz>
+Date: Thu Feb 6 21:01:23 2014 +0100
+
+ Upstream commit: 0930b0950a8996aa88b0d2ba4bb2bab27cc36bc7
+
+ vt: Fix secure clear screen
+
+ \E[3J console code (secure clear screen) needs to update_screen(vc)
+ in order to write-through blanks into off-screen video memory.
+
+ This has been removed accidentally in 3.6 by:
+
+ commit 81732c3b2fede049a692e58a7ceabb6d18ffb18c
+ Author: Jean-François Moine <moinejf@free.fr>
+ Date: Thu Sep 6 19:24:13 2012 +0200
+
+ tty vt: Fix line garbage in virtual console on command line edition
+
+ Signed-off-by: Petr PÃsaÅ™ <petr.pisar@atlas.cz>
+ Cc: stable <stable@vger.kernel.org> # 3.6
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/vt/vt.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 8568da92bd738464772c24fd68a9b300d22985b5
+Author: H. Peter Anvin <hpa@linux.intel.com>
+Date: Thu Feb 13 07:46:04 2014 -0800
+
+ Upstream commit: 4640c7ee9b8953237d05a61ea3ea93981d1bc961
+
+ x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off
+
+ If CONFIG_X86_SMAP is disabled, smap_violation() tests for conditions
+ which are incorrect (as the AC flag doesn't matter), causing spurious
+ faults.
+
+ The dynamic disabling of SMAP (nosmap on the command line) is fine
+ because it disables X86_FEATURE_SMAP, therefore causing the
+ static_cpu_has() to return false.
+
+ Found by Fengguang Wu's test system.
+
+ [ v3: move all predicates into smap_violation() ]
+ [ v2: use IS_ENABLED() instead of #ifdef ]
+
+ Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+ Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost
+ Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+ Cc: <stable@vger.kernel.org> # v3.7+
+
+ arch/x86/mm/fault.c | 14 +++++++++-----
+ 1 files changed, 9 insertions(+), 5 deletions(-)
+
+commit dc68abaa1208e66be3bc07eb57855d4ab413373c
+Author: H. Peter Anvin <hpa@linux.intel.com>
+Date: Thu Feb 13 07:34:30 2014 -0800
+
+ Upstream commit: 03bbd596ac04fef47ce93a730b8f086d797c3021
+
+ x86, smap: Don't enable SMAP if CONFIG_X86_SMAP is disabled
+
+ If SMAP support is not compiled into the kernel, don't enable SMAP in
+ CR4 -- in fact, we should clear it, because the kernel doesn't contain
+ the proper STAC/CLAC instructions for SMAP support.
+
+ Found by Fengguang Wu's test system.
+
+ Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+ Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost
+ Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+ Cc: <stable@vger.kernel.org> # v3.7+
+
+ arch/x86/kernel/cpu/common.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 6d804df770568f2d41f36cc446dc2c4b9ddbdc66
+Author: Steven Noonan <steven@uplinklabs.net>
+Date: Wed Feb 12 23:01:07 2014 -0800
+
+ Upstream commit: a9f180345f5378ac87d80ed0bea55ba421d83859
+
+ compiler/gcc4: Make quirk for asm_volatile_goto() unconditional
+
+ I started noticing problems with KVM guest destruction on Linux
+ 3.12+, where guest memory wasn't being cleaned up. I bisected it
+ down to the commit introducing the new 'asm goto'-based atomics,
+ and found this quirk was later applied to those.
+
+ Unfortunately, even with GCC 4.8.2 (which ostensibly fixed the
+ known 'asm goto' bug) I am still getting some kind of
+ miscompilation. If I enable the asm_volatile_goto quirk for my
+ compiler, KVM guests are destroyed correctly and the memory is
+ cleaned up.
+
+ So make the quirk unconditional for now, until bug is found
+ and fixed.
+
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Steven Noonan <steven@uplinklabs.net>
+ Cc: Peter Zijlstra <peterz@infradead.org>
+ Cc: Steven Rostedt <rostedt@goodmis.org>
+ Cc: Jakub Jelinek <jakub@redhat.com>
+ Cc: Richard Henderson <rth@twiddle.net>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Cc: Oleg Nesterov <oleg@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Link: http://lkml.kernel.org/r/1392274867-15236-1-git-send-email-steven@uplinklabs.net
+ Link: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ include/linux/compiler-gcc4.h | 6 +-----
+ 1 files changed, 1 insertions(+), 5 deletions(-)
+
+commit df681ad2079c8b443dd98a66daa49a96f6803118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 15 14:43:58 2014 -0500
+
+ add note on how to disable rate limiting on log messages
+
+ grsecurity/Kconfig | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 247661801d1a9904eac479770aac8c31adfb3a03
+Merge: 294e38e 98242db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 20:17:09 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 98242dba193affafa9996207af8aaee0a58e237c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 20:16:39 2014 -0500
+
+ Update to pax-linux-3.13.3-test9.patch:
+ - forward port to 3.13.3
+ - updated hash table from Emese, missing entries reported by Adam Chyła and Matthew Thode
+
+ kernel/sched/core.c | 2 +-
+ kernel/trace/ftrace.c | 8 ++++----
+ tools/gcc/size_overflow_hash.data | 6 ++++++
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+commit 294e38ee2ac097654f11df09cfe8c5584a573b6c
+Merge: d1fd1fc 990a904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 18:11:12 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 990a9041b296c2afe56f7c5ff4bb2e2e0ed6298f
+Merge: d32ab3c 7955a48
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 18:11:01 2014 -0500
+
+ Merge branch 'linux-3.13.y' into pax-test
+
+ Conflicts:
+ kernel/trace/ftrace.c
+
+commit d1fd1fc0d4c9d07cd6f2f2dad040db0f1c433b5d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 16:50:39 2014 -0500
+
+ Force off all virtualization guest options if the autoconfig choice
+ was not for the kernel to be used for vm guests
+ likewise force off Xen if it wasn't mentioned in the autoconfig
+
+ arch/x86/Kconfig | 1 +
+ arch/x86/xen/Kconfig | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 6f7fd76856916bda9145d3fb89b3462b18630c75
+Merge: 32aa9fa d32ab3c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 15:25:21 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d32ab3c04e157fd34738846fc1cbdbed5eab1147
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 15:24:57 2014 -0500
+
+ Update to pax-linux-3.13.2-test9.patch:
+ - fixed some gcc plugins to work in low-memory environments as well, reported by many, big thanks to niv <n@e-ix.net> for help
+
+ tools/gcc/Makefile | 2 +-
+ tools/gcc/latent_entropy_plugin.c | 18 +++++++++--
+ tools/gcc/size_overflow_plugin.c | 19 +++++++++--
+ tools/gcc/stackleak_plugin.c | 58 ++++++++++++++++++++++++++++--------
+ 4 files changed, 76 insertions(+), 21 deletions(-)
+
+commit 32aa9fa0174969476774c472226d304f122291a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 12:35:16 2014 -0500
+
+ add missing header
+
+ grsecurity/grsec_mem.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit d48d8d3b1b527d8dc7a9162bda44d32608906632
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 12:04:44 2014 -0500
+
+ export msr_write logging function and convert all exported symbols to EXPORT_SYMBOL_GPL
+
+ Conflicts:
+
+ grsecurity/gracl.c
+ grsecurity/grsec_disabled.c
+ grsecurity/grsec_exec.c
+
+ grsecurity/gracl.c | 8 ++++----
+ grsecurity/grsec_chroot.c | 2 +-
+ grsecurity/grsec_disabled.c | 4 ++--
+ grsecurity/grsec_exec.c | 8 ++++----
+ grsecurity/grsec_init.c | 2 +-
+ grsecurity/grsec_mem.c | 1 +
+ grsecurity/grsec_sock.c | 12 ++++++------
+ grsecurity/grsec_time.c | 2 +-
+ 8 files changed, 20 insertions(+), 19 deletions(-)
+
+commit 3c05c8568522f6a660debeaacf536a99a0212342
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 11:28:26 2014 -0500
+
+ add missing header
+
+ arch/x86/kernel/msr.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e68254d468db8b3a28fa549606136fdba9276a75
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 11:12:36 2014 -0500
+
+ fix typo
+
+ arch/x86/kernel/msr.c | 4 ++--
+ include/linux/grsecurity.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 2845d9e8598070db65f7429ecf2ac1803077ed9e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 10:57:06 2014 -0500
+
+ PLUGIN_FINISH_DECL is an enum, so use explicit gcc version checking instead
+
+ tools/gcc/randomize_layout_plugin.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 1cd63e6169739aa7881796ac74b43b83bdbd8626
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 09:23:29 2014 -0500
+
+ Relax MSR restrictions under GRKERNSEC_KMEM, allow MSR reads but not writes. Log all writing attempts.
+
+ arch/x86/Kconfig | 1 -
+ arch/x86/kernel/msr.c | 9 +++++++++
+ grsecurity/grsec_mem.c | 6 ++++++
+ include/linux/grmsg.h | 1 +
+ include/linux/grsecurity.h | 1 +
+ 5 files changed, 17 insertions(+), 1 deletions(-)
+
+commit a750206a1934759fc0da5ab831852a22ce720862
+Author: Richard Yao <ryao@gentoo.org>
+Date: Sat Feb 8 19:32:01 2014 -0500
+
+ Upstream commit: b6f52ae2f0d32387bde2b89883e3b64d88b9bfe8
+
+ 9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers
+
+ The 9p-virtio transport does zero copy on things larger than 1024 bytes
+ in size. It accomplishes this by returning the physical addresses of
+ pages to the virtio-pci device. At present, the translation is usually a
+ bit shift.
+
+ That approach produces an invalid page address when we read/write to
+ vmalloc buffers, such as those used for Linux kernel modules. Any
+ attempt to load a Linux kernel module from 9p-virtio produces the
+ following stack.
+
+ [<ffffffff814878ce>] p9_virtio_zc_request+0x45e/0x510
+ [<ffffffff814814ed>] p9_client_zc_rpc.constprop.16+0xfd/0x4f0
+ [<ffffffff814839dd>] p9_client_read+0x15d/0x240
+ [<ffffffff811c8440>] v9fs_fid_readn+0x50/0xa0
+ [<ffffffff811c84a0>] v9fs_file_readn+0x10/0x20
+ [<ffffffff811c84e7>] v9fs_file_read+0x37/0x70
+ [<ffffffff8114e3fb>] vfs_read+0x9b/0x160
+ [<ffffffff81153571>] kernel_read+0x41/0x60
+ [<ffffffff810c83ab>] copy_module_from_fd.isra.34+0xfb/0x180
+
+ Subsequently, QEMU will die printing:
+
+ qemu-system-x86_64: virtio: trying to map MMIO memory
+
+ This patch enables 9p-virtio to correctly handle this case. This not
+ only enables us to load Linux kernel modules off virtfs, but also
+ enables ZFS file-based vdevs on virtfs to be used without killing QEMU.
+
+ Special thanks to both Avi Kivity and Alexander Graf for their
+ interpretation of QEMU backtraces. Without their guidence, tracking down
+ this bug would have taken much longer. Also, special thanks to Linus
+ Torvalds for his insightful explanation of why this should use
+ is_vmalloc_addr() instead of is_vmalloc_or_module_addr():
+
+ https://lkml.org/lkml/2014/2/8/272
+
+ Signed-off-by: Richard Yao <ryao@gentoo.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/9p/trans_virtio.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 6f3de18441f63778b664f2815cfc0d2af0d22f4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 13 08:38:14 2014 -0500
+
+ rename finish_decl function to fix compat with gcc 4.7.2 that exposed too much of its internals
+ add a useful compile error if we try building with < gcc 4.6.4
+
+ tools/gcc/randomize_layout_plugin.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 596b24936ed3687455327c3d26a8a820263a1f88
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Feb 11 17:33:49 2014 -0500
+
+ [PATCH] random: fix overflow for big nbits values in credit_entropy_bits()
+
+ Commit 30e37ec516ae "random: account for entropy loss due to overwrites"
+ introduced an overflow in the arithmetics of credit_entropy_bits() when
+ CONFIG_GRKERNSEC_RANDNET is enabled as the latter quadruples the pool
+ size and therefore invalidates the assumptions of the "nifty" formula.
+
+ Fix the overflow by using 64bit arithmetics.
+
+ Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+ Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
+
+ This bug is at worst a privileged DoS -- with RANDNET enabled, an admin
+ with CAP_SYS_ADMIN feeding large amounts of entropy into the pool at once
+ can cause less than expected entropy to be credited (but this doesn't
+ affect how much is actually added). For specific buffer sizes, this
+ can result in 0 entropy being credited and end in a situation in which
+ the kernel can't recover, causing future reads from /dev/random to stall.
+
+ Many thanks to Torsten and Mathias for the report!
+
+ drivers/char/random.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit 04f9fc1040b96a623cca444b330a3a96c104d3af
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 9 11:30:53 2014 -0500
+
+ just ignore the seed file, the hash is in a different dir
+
+ tools/gcc/.gitignore | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit eaddc3f039b57731d04d90e334cf75c6cdde895d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 9 11:27:22 2014 -0500
+
+ Don't pass the hashed seed via build commandline, generate a header to include in vermagic.h instead
+
+ Documentation/dontdiff | 2 +-
+ Makefile | 4 +---
+ include/linux/vermagic.h | 1 +
+ tools/gcc/.gitignore | 4 ++--
+ tools/gcc/Makefile | 9 ++++-----
+ tools/gcc/gen-random-seed.sh | 3 ++-
+ 6 files changed, 11 insertions(+), 12 deletions(-)
+
+commit d3fcb6991a09d163867dd6e7e04ad5675f9c3202
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 8 22:03:25 2014 -0500
+
+ update dontdiff and .gitignore to reflect new seed/hash filenames for RANDSTRUCT
+
+ Documentation/dontdiff | 4 ++--
+ tools/gcc/.gitignore | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 3e96d2ad6f7e3373a978767099f3b3bb12890644
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 8 20:02:12 2014 -0500
+
+ don't divide cputime by HZ as some architectures can't handle this
+ use proper task_cputime and cputime_to_secs wrappers
+ Thanks to Michael Tremer for the report
+
+ grsecurity/gracl.c | 23 ++++++++++++-----------
+ 1 files changed, 12 insertions(+), 11 deletions(-)
+
+commit bff837da26077ae243118561da6e31e8d2ef83b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 6 21:26:51 2014 -0500
+
+ gcc 4.9 update for RANDSTRUCT plugin part 1
+
+ tools/gcc/randomize_layout_plugin.c | 7 +------
+ 1 files changed, 1 insertions(+), 6 deletions(-)
+
+commit 58eee46f846245affdc86a1fd057bc7802bfef63
+Merge: 954a136 2b56794
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 6 20:36:18 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2b56794a375594b35d2984d0950059977624a5ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 6 20:35:40 2014 -0500
+
+ Update to pax-linux-3.13.2-test8.patch:
+ - fixed compile errors on arm due to constification, reported by Michael Tremer <michael.tremer@ipfire.org>
+ - fixed the PLUGIN_START_UNIT callback names in the latent entropy and size overflow plugins, reported by spender
+ - added a new header to gcc-common.h, reported by spender
+ - some useful backports from upstream 3.14:
+ - debug info for .S: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7db436325db821b400328563ed693b09f8c4c46c
+ - make v4 -s handling: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e36aaea28972c57a32a3ba5365e61633739719b9
+
+ Makefile | 8 +++++++-
+ arch/arm/mach-omap2/powerdomains43xx_data.c | 5 ++++-
+ arch/x86/include/asm/tlbflush.h | 1 -
+ drivers/gpu/drm/armada/armada_drv.c | 10 +---------
+ drivers/gpu/drm/tegra/hdmi.c | 2 +-
+ drivers/misc/eeprom/sunxi_sid.c | 4 +++-
+ drivers/mmc/host/sdhci-esdhc-imx.c | 7 +++++--
+ include/drm/drmP.h | 1 +
+ include/drm/ttm/ttm_page_alloc.h | 1 +
+ tools/gcc/gcc-common.h | 1 +
+ 10 files changed, 24 insertions(+), 16 deletions(-)
+
+commit 954a136c7f2ce3a76f9a8b148c49614092554b5b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 6 20:20:41 2014 -0500
+
+ Backport SELinux DoS fix from http://marc.info/?l=selinux&m=139110025203759&w=2
+
+ security/selinux/ss/services.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit a16066ea179a4f15b368cd5003d9c3638aa7f48e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 6 20:16:57 2014 -0500
+
+ don't pass the seed via build commandline, store it in a header file instead
+ and build it into the RANDSTRUCT plugin.
+ set up proper dependencies for the generated files used by the RANDSTRUCT plugin,
+ fixing some race conditions in the build process
+ support O= argument to make and place generated files in the target directory tree
+ update RANDSTRUCT documentation
+
+ Makefile | 6 ++----
+ grsecurity/Kconfig | 2 +-
+ scripts/gen-random-seed.sh | 8 --------
+ tools/gcc/Makefile | 10 +++++++++-
+ tools/gcc/gen-random-seed.sh | 7 +++++++
+ tools/gcc/randomize_layout_plugin.c | 23 ++++++++---------------
+ 6 files changed, 27 insertions(+), 29 deletions(-)
+
+commit 79cb2972d4d5e61a831e8eae996b286f433afd10
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 6 18:15:24 2014 -0500
+
+ make GRKERNSEC_HIDESYM also protect the target directory specified with the O= arg to 'make'
+
+ grsecurity/Makefile | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 10a483b7ae687f15e3836234175920518ec50fa7
+Merge: 95e6c94 5a87ea7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 6 17:21:02 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5a87ea74aab86c3c211612d1ae7cac26694b736d
+Merge: 1554390 fd82174
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 6 17:19:50 2014 -0500
+
+ Merge branch 'linux-3.13.y' into pax-test
+
+ Conflicts:
+ net/compat.c
+
+commit 95e6c94d6945ce8acfb56997feada8fde8aab8a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 5 23:43:27 2014 -0500
+
+ avoid printing jibberish in some instances with RANDSTRUCT and modules
+ built with other seeds, as the kernel's module loader trusts the
+ module layout
+
+ kernel/module.c | 25 +++++++++++++++++++++++++
+ 1 files changed, 25 insertions(+), 0 deletions(-)
+
+commit 71ff747386915adda2113b08c47b0ccb1683dea5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 5 23:32:26 2014 -0500
+
+ Introduce the non-performance mode -- the performance mode had previously been
+ inadvertently forced on regardless of config setting
+
+ Resolve an issue with gcc completing declarations for recently finished
+ types *before* the plugin's finish_type being called to randomize that structure.
+ This resulted in too small a structure size being emitted for this_module
+ and generally crashes whenever modules were loaded.
+
+ Makefile | 2 +-
+ tools/gcc/randomize_layout_plugin.c | 23 +++++++++++++++++++++++
+ 2 files changed, 24 insertions(+), 1 deletions(-)
+
+commit e17b47e4f837bb769f5159b928f5accce5131514
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 3 17:30:32 2014 -0500
+
+ select DEBUG_KERNEL in addition to DEBUG_LIST
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 1a4fd0231e9cee0203dd7f10faf89d721883b6a4
+Merge: 5fb88fe 1554390
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 2 21:25:11 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1554390d0c012ebcbe8734216913fcb94681db2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 2 21:24:45 2014 -0500
+
+ update plugin start_unit names
+
+ tools/gcc/latent_entropy_plugin.c | 2 +-
+ tools/gcc/size_overflow_plugin.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 5fb88febacff2f061c9aad406d107177acc3f950
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 2 21:23:30 2014 -0500
+
+ update copyright date
+
+ grsecurity/Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f4d392661ab08166ed1aa81d4f1d90fec146f761
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 2 21:23:08 2014 -0500
+
+ update copyright message
+
+ grsecurity/Makefile | 22 ++++++++++++++++------
+ 1 files changed, 16 insertions(+), 6 deletions(-)
+
+commit 7bd6dcd5823155b1948fe0815a7aa173da6bea35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 1 19:53:04 2014 -0500
+
+ update RANDSTRUCT plugin to eliminate false posities on struct type mismatches
+ resulting from an IS_ERR() sequence
+ add checks for bad casts in local and global variable initializers
+ use the main variant when comparing types
+
+ tools/gcc/randomize_layout_plugin.c | 150 +++++++++++++++++++++++++++++++++--
+ 1 files changed, 144 insertions(+), 6 deletions(-)
+
+commit 5349795dd080969318409078672c2c53c0645354
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 1 15:13:06 2014 -0500
+
+ remove unnecessary TODO_* flags for our passive bad cast gimple pass
+
+ tools/gcc/randomize_layout_plugin.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a22b89b09d12e3db4b464d3b26e45c7b3a65c0ba
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 1 10:55:36 2014 -0500
+
+ fix RANDSTRUCT plugin compatibility with gcc 4.9
+
+ tools/gcc/randomize_layout_plugin.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b3d5d360931c93bdeaf6fa199e29f47e7f70b17b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 31 21:52:14 2014 -0500
+
+ sanity check to make sure we never randomize a struct in include/uapi/*
+
+ scripts/gen-random-seed.sh | 2 +-
+ tools/gcc/randomize_layout_plugin.c | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletions(-)
+
+commit d2057f02e759a707a700bc9c80d1f7f55afa89f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 31 18:11:51 2014 -0500
+
+ force on modversion support if RANDSTRUCT is enabled so that we're sure
+ no modules can be loaded that were built with a different seed
+
+ grsecurity/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 5e1f8e0b67af1f2876f1906eab828914a1c2670b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 30 16:47:31 2014 -0500
+
+ Fix an extremely serious vulnerability (it's nearly an arbitrary write) introduced
+ in 3.4 with the addition of X32 support. Hopefully most users haven't enabled this
+ option, but as it's enabled now in some distros (e.g. Ubuntu, which is affected)
+ the chance is more likely for those importing base configs from such a distro.
+
+ I would recommend you disable X32 support, especially if you're not using it. As
+ this bug could have been discovered with even a completely dumb syscall fuzzer, it
+ should be clear what level of testing went into X32 support.
+
+ Normally we would have fixed this immediately, announced it, and moved on, but
+ this was not my bug and not my choice. So I got to wait for the likes of linux-distros
+ and security@kernel.org to decide when it could be fixed, while I had to continue
+ releasing grsecurity patches without the fix for a serious vulnerability I was aware
+ of for two days. I'm not happy at all about this, and this is exactly why I refuse
+ to work in any kind of situation where I would become aware of something that I
+ couldn't fix immediately. Hopefully this is the last time this will happen.
+
+ Credits to the PaX Team for finding the bug and writing the fix. This is CVE-2014-0038.
+
+ net/compat.c | 9 ++-------
+ 1 files changed, 2 insertions(+), 7 deletions(-)
+
+commit 9d599455aa9fb272a7160c3f8276771a5af7c74a
+Merge: 6aeb51b f93afd1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 29 21:49:00 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f93afd1627ef450a96e96bdb2b984aefb66cb531
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 29 21:48:24 2014 -0500
+
+ Update to pax-linux-3.13.1-test6.patch:
+ - forward port to 3.13.1
+ - fixed a weak UDEREF regression resulting in a kernel hang on boot, reported by Negres
+
+ arch/x86/include/asm/uaccess_64.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 18727190851782d5ee2b5fe579e4a4c379303a34
+Merge: b9c766b 07ecf16
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 29 21:41:57 2014 -0500
+
+ Merge branch 'linux-3.13.y' into pax-test
+
+commit 6aeb51bccfcad549c3b39235df08aa043cdfa9bc
+Author: Weston Andros Adamson <dros@netapp.com>
+Date: Tue Dec 17 12:16:11 2013 -0500
+
+ Upstream commit: 6ff33b7dd0228b7d7ed44791bbbc98b03fd15d9d
+
+ sunrpc: Fix infinite loop in RPC state machine
+
+ When a task enters call_refreshresult with status 0 from call_refresh and
+ !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting
+ or max number of retries.
+
+ Instead of trying forever, make use of the retry path that other errors use.
+
+ This only seems to be possible when the crrefresh callback is gss_refresh_null,
+ which only happens when destroying the context.
+
+ To reproduce:
+
+ 1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific
+ operations).
+
+ 2) reboot - the client will be stuck and will need to be hard rebooted
+
+ BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46]
+ Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy
+ irq event stamp: 195724
+ hardirqs last enabled at (195723): [<ffffffff814a925c>] restore_args+0x0/0x30
+ hardirqs last disabled at (195724): [<ffffffff814b0a6a>] apic_timer_interrupt+0x6a/0x80
+ softirqs last enabled at (195722): [<ffffffff8103f583>] __do_softirq+0x1df/0x276
+ softirqs last disabled at (195717): [<ffffffff8103f852>] irq_exit+0x53/0x9a
+ CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4
+ Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
+ Workqueue: rpciod rpc_async_schedule [sunrpc]
+ task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000
+ RIP: 0010:[<ffffffffa0064fd4>] [<ffffffffa0064fd4>] __rpc_execute+0x8a/0x362 [sunrpc]
+ RSP: 0018:ffff880079003d18 EFLAGS: 00000246
+ RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007
+ RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900
+ RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7
+ R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e
+ R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900
+ FS: 0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0
+ Stack:
+ ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830
+ ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260
+ ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000
+ Call Trace:
+ [<ffffffff81073f47>] ? trace_hardirqs_on_caller+0x145/0x1a1
+ [<ffffffffa00652d3>] rpc_async_schedule+0x27/0x32 [sunrpc]
+ [<ffffffff81052974>] process_one_work+0x211/0x3a5
+ [<ffffffff810528d5>] ? process_one_work+0x172/0x3a5
+ [<ffffffff81052eeb>] worker_thread+0x134/0x202
+ [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
+ [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
+ [<ffffffff810584a0>] kthread+0xc9/0xd1
+ [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
+ [<ffffffff814afd6c>] ret_from_fork+0x7c/0xb0
+ [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
+ Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00
+
+ And the output of "rpcdebug -m rpc -s all":
+
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
+ RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
+ RPC: 61 call_refreshresult (status 0)
+ RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
+ RPC: 61 call_refreshresult (status 0)
+ RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 call_refreshresult (status 0)
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
+ RPC: 61 call_refreshresult (status 0)
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
+ RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
+ RPC: 61 call_refreshresult (status 0)
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 call_refresh (status 0)
+ RPC: 61 call_refreshresult (status 0)
+ RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0
+
+ Signed-off-by: Weston Andros Adamson <dros@netapp.com>
+ Cc: stable@vger.kernel.org # 2.6.37+
+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+
+ net/sunrpc/clnt.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 9ad04e13872458b4883e9f8f087cad538ae8f3e3
+Author: Scott Mayhew <smayhew@redhat.com>
+Date: Fri Jan 17 15:12:05 2014 -0500
+
+ Upstream commit: 263b4509ec4d47e0da3e753f85a39ea12d1eff24
+
+ nfs: always make sure page is up-to-date before extending a write to cover the entire page
+
+ We should always make sure the cached page is up-to-date when we're
+ determining whether we can extend a write to cover the full page -- even
+ if we've received a write delegation from the server.
+
+ Commit c7559663 added logic to skip this check if we have a write
+ delegation, which can lead to data corruption such as the following
+ scenario if client B receives a write delegation from the NFS server:
+
+ Client A:
+ # echo 123456789 > /mnt/file
+
+ Client B:
+ # echo abcdefghi >> /mnt/file
+ # cat /mnt/file
+ 0�D0�abcdefghi
+
+ Just because we hold a write delegation doesn't mean that we've read in
+ the entire page contents.
+
+ Cc: <stable@vger.kernel.org> # v3.11+
+ Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+
+ fs/nfs/write.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+commit d6a427afc951e705a45d18fe513b4a9644b54586
+Author: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri Jan 17 17:03:41 2014 -0500
+
+ Upstream commit: 64590daa9e0dfb3aad89e3ab9230683b76211d5b
+
+ NFSv4.1: Handle errors correctly in nfs41_walk_client_list
+
+ Both nfs41_walk_client_list and nfs40_walk_client_list expect the
+ 'status' variable to be set to the value -NFS4ERR_STALE_CLIENTID
+ if the loop fails to find a match.
+ The problem is that the 'pos->cl_cons_state > NFS_CS_READY' changes
+ the value of 'status', and sets it either to the value '0' (which
+ indicates success), or to the value EINTR.
+
+ Cc: stable@vger.kernel.org # 3.7.x: 7b1f1fd1842e6: NFSv4/4.1: Fix bugs in
+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+
+ fs/nfs/nfs4client.c | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+commit f7c465156fdef12a66d0a59114582dc4d4d7f406
+Author: Weston Andros Adamson <dros@primarydata.com>
+Date: Sun Jan 19 22:45:36 2014 -0500
+
+ Upstream commit: abad2fa5ba67725a3f9c376c8cfe76fbe94a3041
+
+ nfs4: fix discover_server_trunking use after free
+
+ If clp is new (cl_count = 1) and it matches another client in
+ nfs4_discover_server_trunking, the nfs_put_client will free clp before
+ ->cl_preserve_clid is set.
+
+ Cc: stable@vger.kernel.org # 3.7+
+ Signed-off-by: Weston Andros Adamson <dros@primarydata.com>
+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+
+ fs/nfs/nfs4client.c | 10 ++++------
+ 1 files changed, 4 insertions(+), 6 deletions(-)
+
+commit d3737c02af42ac32da97dc30dac94ae7343cec14
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Mon Jan 27 17:07:19 2014 -0800
+
+ Upstream commit: 592f6b842f64e416c7598a1b97c649b34241e22d
+
+ compat: fix sys_fanotify_mark
+
+ Commit 91c2e0bcae72 ("unify compat fanotify_mark(2), switch to
+ COMPAT_SYSCALL_DEFINE") added a new unified compat fanotify_mark syscall
+ to be used by all architectures.
+
+ Unfortunately the unified version merges the split mask parameter in a
+ wrong way: the lower and higher word got swapped.
+
+ This was discovered with glibc's tst-fanotify test case.
+
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Reported-by: Andreas Krebbel <krebbel@linux.vnet.ibm.com>
+ Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
+ Acked-by: "David S. Miller" <davem@davemloft.net>
+ Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Cc: Ingo Molnar <mingo@redhat.com>
+ Cc: Ralf Baechle <ralf@linux-mips.org>
+ Cc: <stable@vger.kernel.org> [3.10+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/notify/fanotify/fanotify_user.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit ae72596a96d46255c781f07ee2de05abe57d43ff
+Merge: 5254ff7 b9c766b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 28 18:23:25 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b9c766bc9706fcfe5bbe0df099178e8eaa643327
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 28 18:22:46 2014 -0500
+
+ Update to pax-linux-3.13-test6.patch:
+ - fixed the TRACE_IRQFLAGS/KERNEXEC problem for real, 3rd time's a charm, by minipli
+ - fixed a size overflow false positive in skb_network_offset due to an intentional overflow, by Emese Revfy, reported by Nikita Matovs
+
+ arch/x86/kernel/entry_64.S | 22 ++++++++++++----------
+ include/linux/skbuff.h | 2 +-
+ 2 files changed, 13 insertions(+), 11 deletions(-)
+
+commit 5254ff73f13759d893213092da5fd654ca22960f
+Merge: 7e5aad2 c956349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 27 22:52:22 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c956349a3335c72308d1bce7524f2e0f521ff709
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 27 22:51:57 2014 -0500
+
+ Update to pax-linux-3.13-test5.patch:
+ - new size overflow hash table from spender
+ - backported http://git.kernel.org/linus/34228d473ef
+ - fixed CONFIG_MEM_SOFT_DIRTY interference with _PAGE_NX on x86
+ - fixed the size overflow plugin for gcc 4.9, by Emese Revfy
+
+ arch/x86/include/asm/pgtable_types.h | 2 +-
+ mm/mmap.c | 12 +++++++++-
+ tools/gcc/gcc-common.h | 2 +
+ tools/gcc/size_overflow_hash.data | 33 ++++++++++++++++++++++++++--
+ tools/gcc/size_overflow_plugin.c | 38 +++++++++++++++++-----------------
+ 5 files changed, 62 insertions(+), 25 deletions(-)
+
+commit 7e5aad2c98c49f82bdd6a6949133c0393b743e4a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 27 21:12:59 2014 -0500
+
+ update size_overflow hash table
+
+ tools/gcc/size_overflow_hash.data | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 9583ac30e401a97397c5a4a30564521bc2d8afeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 27 20:33:30 2014 -0500
+
+ Relicense RANDSTRUCT plugin as GPLv2, removing the GPLv3 option
+
+ tools/gcc/randomize_layout_plugin.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f4afefdb6f09d22d5c0a74cf2a3ff4f44a67a8c8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 27 20:30:10 2014 -0500
+
+ Make all grsecurity code GPLv2 only for future releases. Not really
+ important as grsecurity is a derivative work of the Linux kernel and
+ thus forced to be GPLv2, the "or higher" was superfluous.
+
+ grsecurity/Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 718e2b2400f29a7fa414c6c5d383f82658a3457f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 22:22:52 2014 -0500
+
+ update size_overflow hash table
+
+ tools/gcc/size_overflow_hash.data | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit a4369fd780e658a9d26bedc53415261286caefe5
+Merge: c93ceb8 f3b1213
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 21:24:43 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f3b12134d032b0bfc2a9fc2183a50fabcaabdbf5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 21:24:17 2014 -0500
+
+ Update to pax-linux-3.13-test4.patch:
+ - fixed a constify plugin regression, reported by spender
+ - updated gcc-common.h
+
+ tools/gcc/constify_plugin.c | 4 +-
+ tools/gcc/gcc-common.h | 68 +++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 65 insertions(+), 7 deletions(-)
+
+commit 962a3acff3d42cf360932f438a666224b8597012
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 21:24:01 2014 -0500
+
+ Revert "fix an assert triggering in constify plugin update, real fix coming later"
+
+ This reverts commit 899baaf06fdd79f9b9b410a414695ba7b80f6203.
+
+ tools/gcc/constify_plugin.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit c93ceb8d5ed604ddd5580de9a764fc411824c5c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 21:18:31 2014 -0500
+
+ update size_overflow hash table
+
+ tools/gcc/size_overflow_hash.data | 19 ++++++++++++++++++-
+ 1 files changed, 18 insertions(+), 1 deletions(-)
+
+commit b42c965a52f58915c8fd048749c1dc5bcf373339
+Merge: 663306e 899baaf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 20:35:52 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 899baaf06fdd79f9b9b410a414695ba7b80f6203
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 20:34:49 2014 -0500
+
+ fix an assert triggering in constify plugin update, real fix coming later
+
+ tools/gcc/constify_plugin.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit 663306edb8f76d8be46c39ba6aafcdec3e000ab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 18:24:44 2014 -0500
+
+ fix typo
+
+ tools/gcc/randomize_layout_plugin.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4539e5f2729719d07095cf267ea426524f7dc8f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 18:22:33 2014 -0500
+
+ Update RANDSTRUCT plugin for gcc 4.9 and gcc-common.h
+
+ tools/gcc/randomize_layout_plugin.c | 77 +++++++++++++++++++----------------
+ 1 files changed, 42 insertions(+), 35 deletions(-)
+
+commit 3344ccde1ca59e4e0a4105f25ffbab561e5ee582
+Merge: ff96162 0b83e85
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 18:04:38 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0b83e85c64c9e6e4328cac45d980cdd7e088f157
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 18:03:50 2014 -0500
+
+ Update to pax-linux-3.13-test3.patch:
+ - gcc plugin updates
+ - ported them to gcc trunk (future 4.9)
+ - introduced gcc-common.h to simplify gcc version dependencies
+ - updated size overflow hash table from spender
+ - fixed kallocstat to detect constant size arguments early
+ - fixed constify to preserve type qualifiers on pointer-to-self fields
+ - added a few sparse/checker annotations and changes to satisfy gcc's address space logic
+ - fixed the TRACE_IRQFLAGS problem reported by minipli again
+
+ arch/x86/ia32/ia32_signal.c | 6 +-
+ arch/x86/include/asm/uaccess_64.h | 4 +-
+ arch/x86/kernel/entry_64.S | 112 ++++----
+ arch/x86/kernel/preempt.S | 3 +
+ arch/x86/kernel/tboot.c | 2 +-
+ arch/x86/kernel/xsave.c | 8 +-
+ arch/x86/lib/thunk_64.S | 2 +-
+ block/compat_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_crtc.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_ioctl.c | 6 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 10 +-
+ drivers/media/v4l2-core/v4l2-ctrls.c | 4 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 2 +-
+ drivers/mmc/card/block.c | 2 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/vhost/vringh.c | 18 +-
+ drivers/video/fbmem.c | 2 +-
+ fs/compat_ioctl.c | 2 +-
+ fs/exec.c | 2 +-
+ fs/proc/vmcore.c | 4 +-
+ include/uapi/linux/videodev2.h | 2 +-
+ ipc/compat.c | 2 +-
+ kernel/compat.c | 2 +-
+ kernel/kmod.c | 4 +-
+ net/9p/client.c | 6 +-
+ net/compat.c | 2 +-
+ net/core/filter.c | 2 +-
+ net/netfilter/nft_compat.c | 4 +-
+ net/socket.c | 6 +-
+ net/tipc/subscr.c | 2 +-
+ sound/pci/hda/hda_codec.c | 2 +-
+ tools/gcc/Makefile | 2 +-
+ tools/gcc/checker_plugin.c | 30 +--
+ tools/gcc/colorize_plugin.c | 62 +++--
+ tools/gcc/constify_plugin.c | 105 ++++----
+ tools/gcc/gcc-common.h | 207 +++++++++++++++
+ tools/gcc/kallocstat_plugin.c | 164 +++++++------
+ tools/gcc/kernexec_plugin.c | 333 ++++++++++++++----------
+ tools/gcc/latent_entropy_plugin.c | 146 +++++------
+ tools/gcc/size_overflow_hash.data | 68 +++++-
+ tools/gcc/size_overflow_plugin.c | 348 +++++++++++--------------
+ tools/gcc/stackleak_plugin.c | 236 +++++++++--------
+ tools/gcc/structleak_plugin.c | 90 +++----
+ 43 files changed, 1149 insertions(+), 871 deletions(-)
+
+commit ff9616214c2e875db763bd395dce11df378df896
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 13:35:44 2014 -0500
+
+ pass hashed seed define as a string
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 39961e3ad1abacccc8a2de280868bcfe52a1edff
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 12:44:21 2014 -0500
+
+ add a sha256-hashed version of the seed to modversion to ensure no
+ modules compiled with another seed can be loaded
+
+ Documentation/dontdiff | 1 +
+ Makefile | 4 +++-
+ include/linux/vermagic.h | 8 +++++++-
+ scripts/gen-random-seed.sh | 2 +-
+ tools/gcc/.gitignore | 1 +
+ 5 files changed, 13 insertions(+), 3 deletions(-)
+
+commit 1df9ff15112f3713997ac10e915b99ad99d2e33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 11:26:44 2014 -0500
+
+ Force HIDESYM on if RANDSTRUCT is used, just in case there is a user
+ who already isn't enabling it (to prevent the seed from potentially being
+ visible to other users if compiled on the same machine).
+ Suggested by minipli
+
+ grsecurity/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 5ee75cac712d37f79de1e6f509a18749258b2085
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 26 01:01:31 2014 -0500
+
+ Update size_overflow hash table
+
+ tools/gcc/size_overflow_hash.data | 19 +++++++++++++++++--
+ 1 files changed, 17 insertions(+), 2 deletions(-)
+
+commit d87a88e0b3298c9d39bb7b3257dabb8fc17b8e9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 22:19:55 2014 -0500
+
+ update to new mount_lock
+
+ grsecurity/gracl.c | 24 +++++++++++-------------
+ 1 files changed, 11 insertions(+), 13 deletions(-)
+
+commit 677d1d169912d98b7a139563ab7f7fb82ee6c3c5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 19:05:59 2014 -0500
+
+ compile fix
+
+ init/main.c | 4 ----
+ 1 files changed, 0 insertions(+), 4 deletions(-)
+
+commit c8496c1e0bb5cbed7aff11ee208a7a89ffd80b40
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 19:00:50 2014 -0500
+
+ resync random code with 3.13
+
+ include/linux/random.h | 4 ++++
+ include/uapi/linux/random.h | 7 -------
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+commit 3d168ee50cb706276c805ae1d6a5e8417a91067a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 14:54:11 2014 -0500
+
+ Fix another compiler error caught by RANDSTRUCT
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ sound/isa/sb/emu8000_synth.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit bc4a5595404b985a2b17e84d29765b7af7e968ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 14:34:12 2014 -0500
+
+ Fix another compiler error caught by RANDSTRUCT
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/net/wan/z85230.c | 24 ++++++++++++------------
+ 1 files changed, 12 insertions(+), 12 deletions(-)
+
+commit 0f0da7cb40431fe816aa356499bff026452cfc44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 14:30:46 2014 -0500
+
+ fix compilation with RANDSTRUCT plugin
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ sound/drivers/opl4/opl4_seq.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 97d6cc865b9cf64fada1fcaabfa923fecee54ef7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 14:16:18 2014 -0500
+
+ avoid problems by just building our fake field decl node from scratch
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ tools/gcc/randomize_layout_plugin.c | 10 +++++-----
+ 1 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 6455dfb41e9c0d3f26f00ef2f505bd0f74aa8dca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 13:45:18 2014 -0500
+
+ while in non-debug mode, don't emit notes for non-randomized struct types
+
+ clear all signs from our fake field decl of being a bitfield
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ tools/gcc/randomize_layout_plugin.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+commit 35909486eebb6c1ab27956ef6cc35e19e19282a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 12:56:05 2014 -0500
+
+ revert change to read-only marking of fake struct field
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ tools/gcc/randomize_layout_plugin.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit bbd5d12c912390e0bdb6ddde81279b579fc94edb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 12:42:48 2014 -0500
+
+ Update RANDSTRUCT plugin help
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ tools/gcc/randomize_layout_plugin.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 0d829e61f501ae59387a6e1d0f9060d5555ac588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 12:25:43 2014 -0500
+
+ Introduce GRKERNSEC_RANDSTRUCT: automatic structure layout randomization of pure ops structs randomization of marked sensitive kernel structures
+
+ automatically enabled by GRKERNSEC_CONFIG_AUTO
+ performance mode is activated if the config priority is set to performance
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ Documentation/dontdiff | 1 +
+ Makefile | 12 +-
+ arch/x86/include/asm/floppy.h | 20 +-
+ arch/x86/include/asm/paravirt_types.h | 23 +-
+ arch/x86/include/asm/processor.h | 2 +-
+ drivers/acpi/acpica/hwxfsleep.c | 11 +-
+ drivers/block/cciss.h | 30 +-
+ drivers/block/drbd/drbd_interval.c | 6 +-
+ drivers/block/smart1,2.h | 40 +-
+ drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +-
+ drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
+ drivers/infiniband/hw/ipath/ipath_dma.c | 26 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 22 +-
+ drivers/isdn/gigaset/bas-gigaset.c | 32 +-
+ drivers/isdn/gigaset/ser-gigaset.c | 32 +-
+ drivers/isdn/gigaset/usb-gigaset.c | 32 +-
+ drivers/isdn/i4l/isdn_concap.c | 6 +-
+ drivers/isdn/i4l/isdn_x25iface.c | 16 +-
+ drivers/misc/sgi-xp/xp_main.c | 12 +-
+ drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +-
+ drivers/net/wan/lmc/lmc_media.c | 97 ++--
+ drivers/scsi/bfa/bfa_fcs.c | 19 +-
+ drivers/scsi/bfa/bfa_fcs_lport.c | 29 +-
+ drivers/scsi/bfa/bfa_modules.h | 12 +-
+ drivers/scsi/hpsa.h | 20 +-
+ drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +-
+ drivers/staging/lustre/lustre/libcfs/module.c | 10 +-
+ drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +-
+ drivers/video/matrox/matroxfb_DAC1064.c | 10 +-
+ drivers/video/matrox/matroxfb_Ti3026.c | 5 +-
+ fs/mount.h | 4 +-
+ fs/proc/internal.h | 4 +-
+ fs/reiserfs/item_ops.c | 24 +-
+ grsecurity/Kconfig | 31 +-
+ include/linux/compiler-gcc4.h | 5 +
+ include/linux/compiler.h | 8 +
+ include/linux/cred.h | 4 +-
+ include/linux/dcache.h | 2 +-
+ include/linux/fs.h | 14 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/ipc_namespace.h | 2 +-
+ include/linux/kobject.h | 2 +-
+ include/linux/mm_types.h | 4 +-
+ include/linux/module.h | 4 +-
+ include/linux/mount.h | 2 +-
+ include/linux/pid_namespace.h | 2 +-
+ include/linux/proc_ns.h | 2 +-
+ include/linux/rbtree_augmented.h | 4 +-
+ include/linux/sched.h | 6 +-
+ include/linux/sysctl.h | 2 +-
+ include/linux/tty.h | 2 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/user_namespace.h | 2 +-
+ include/linux/utsname.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 2 +-
+ lib/rbtree.c | 4 +-
+ net/atm/lec.c | 6 +-
+ net/atm/mpoa_caches.c | 42 +-
+ net/decnet/dn_dev.c | 2 +-
+ net/vmw_vsock/vmci_transport_notify.c | 30 +-
+ net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +-
+ net/x25/sysctl_net_x25.c | 2 +-
+ scripts/Makefile | 2 +
+ scripts/gen-random-seed.sh | 8 +
+ sound/core/seq/oss/seq_oss.c | 4 +-
+ sound/core/seq/seq_midi.c | 4 +-
+ sound/drivers/opl3/opl3_seq.c | 4 +-
+ sound/pci/emu10k1/emu10k1_synth.c | 4 +-
+ sound/synth/emux/emux_seq.c | 14 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 2 +
+ tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++
+ 74 files changed, 1222 insertions(+), 390 deletions(-)
+
+commit 301f9fc40e1bed50d31034a192bc95874d5bf3b6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 19 09:00:56 2014 -0500
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/random.h | 4 ----
+ include/uapi/linux/random.h | 7 +++++++
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+commit b79910431008b8ce731d45aa3aecc75fe33c928c
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 11 12:20:34 2013 +0100
+
+ Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9
+
+ random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized
+
+ The Tausworthe PRNG is initialized at late_initcall time. At that time the
+ entropy pool serving get_random_bytes is not filled sufficiently. This
+ patch adds an additional reseeding step as soon as the nonblocking pool
+ gets marked as initialized.
+
+ On some machines it might be possible that late_initcall gets called after
+ the pool has been initialized. In this situation we won't reseed again.
+
+ (A call to prandom_seed_late blocks later invocations of early reseed
+ attempts.)
+
+ Joint work with Daniel Borkmann.
+
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Cc: Theodore Ts'o <tytso@mit.edu>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: "Theodore Ts'o" <tytso@mit.edu>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ lib/random32.c
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/char/random.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 31dee23268ac47eaaafacb186229bc14fb84fa9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 18 20:43:43 2014 -0500
+
+ Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should be safe to revert our workaround for large number of infoleaks the previous interface made possible, restoring some performance to these syscalls
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/socket.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit ffccf022adef560230b6a641c612f33600ce0e6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 20:24:27 2014 -0500
+
+ zeroing out btime from /proc/stat breaks ps aux, it's the seconds of uptime for the system, information which is also available elsewhere (/proc/uptime), so there's no reason to limit it
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/stat.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit a96a6e3b96ffa8c96fa3939c109dc783de2110e0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 18:13:15 2014 -0500
+
+ fix typo
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/vmstat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4c084ac8468cdd4bbb8458fae4d0b6d2d1d5afd1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 18:06:53 2014 -0500
+
+ provide a zeroed out /proc/vmstat to unprivileged users instead of denied access, some poorly-written desktop apps bail out completely when it can't be opened
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/vmstat.c | 21 +++++++++++++++------
+ 1 files changed, 15 insertions(+), 6 deletions(-)
+
+commit e0d003dfd4911828f08fa93da2138c9f3be4f352
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 17:46:46 2014 -0500
+
+ back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/pci/pci-sysfs.c | 9 ---------
+ drivers/pci/proc.c | 3 ---
+ 2 files changed, 0 insertions(+), 12 deletions(-)
+
+commit 0a0823fe85e85b9ad92131a35fe57e9aebc30260
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 2 17:05:39 2014 -0500
+
+ add missing #include
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/stat.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 867c7a59c12374d99c59b9c99a1bf8214583baad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 2 17:02:24 2014 -0500
+
+ Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc)
+
+ Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0
+ checks currently
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/pci/pci-sysfs.c | 17 +++++++----------
+ drivers/pci/proc.c | 13 ++-----------
+ drivers/pci/syscall.c | 4 ----
+ 3 files changed, 9 insertions(+), 25 deletions(-)
+
+commit e9075cc0c4bab695e2eea8e8ba8f8acfa3cef2ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 31 10:30:20 2013 -0500
+
+ Resolve compatibility with libgtop and recent restriction of /proc/stat, reported by KacKurx. We now provide a properly-formatted but zeroed /proc/stat instead of denying unpriv access to the entry
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/stat.c | 34 ++++++++++++++++++++++++----------
+ 1 files changed, 24 insertions(+), 10 deletions(-)
+
+commit 7a559ce128070d9d79bf4490a258dba677fa741e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 30 11:19:53 2013 -0500
+
+ Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy Kulikov: http://www.openwall.com/lists/kernel-hardening/2011/11/07/1
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/interrupts.c | 4 ++++
+ fs/proc/stat.c | 4 ++++
+ 2 files changed, 8 insertions(+), 0 deletions(-)
+
+commit 3898c8157466ff87ef613785f207c019ba8174cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 30 11:13:49 2013 -0500
+
+ Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 16 ++++++++++------
+ grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++---
+ include/linux/grmsg.h | 2 +-
+ ipc/util.c | 3 ++-
+ 4 files changed, 42 insertions(+), 11 deletions(-)
+
+commit 2a5eb70e0981fd24168be9e5d1c30735a922edca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 26 19:20:26 2013 -0500
+
+ add missing #include
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_mount.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 7d66c996e754d41be945e7a2997b364643a13977
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 26 15:51:51 2013 -0500
+
+ Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit bc9b4fe1db97c913b2c1163a90805c52c0f0df65
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 26 15:35:31 2013 -0500
+
+ Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig).
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 +-
+ grsecurity/grsec_mount.c | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 2b5ad27e4a323648a0db99a9fa3f27b042dd70f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 25 16:37:02 2013 -0500
+
+ Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems. From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532
+
+ Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not
+ the other way around (to produce more secure settings when distro
+ configs are used as a base)
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/acpi/custom_method.c | 4 ++++
+ drivers/pci/pci-sysfs.c | 12 ++++++++++++
+ drivers/pci/proc.c | 12 ++++++++++++
+ drivers/pci/syscall.c | 4 ++++
+ drivers/platform/x86/asus-wmi.c | 12 ++++++++++++
+ kernel/power/Kconfig | 2 ++
+ security/Kconfig | 1 -
+ 7 files changed, 46 insertions(+), 1 deletions(-)
+
+commit c70c49f956beb3d785ca20466c4e5c1d84d7356b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 25 15:11:51 2013 -0500
+
+ remove unused 'dentry' variable
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/xattr.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit cb20fb467591aa2a85a8c12a1bc215a01ed75b18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 25 15:03:13 2013 -0500
+
+ Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/xattr.c | 18 +++++++++++-------
+ grsecurity/gracl_fs.c | 6 ++++++
+ grsecurity/grsec_disabled.c | 6 ++++++
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 2 ++
+ 5 files changed, 27 insertions(+), 8 deletions(-)
+
+commit 482ec0da63b38a9c20cc2205bc7ea87a3985d164
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 20 20:18:56 2013 -0500
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/stat.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 038cc5994b483905c9c0b9e6259a84f7333becc2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 13 19:39:54 2013 -0500
+
+ Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy)
+
+ In practice this causes bogus auditing messages for / and could potentially
+ cause a subject without executable shared memory support to permit executable
+ shared memory (if PaX is disabled on the binary).
+
+ Instead just allocate these two special objects with kzalloc at enable time
+ and free them at disable time.
+
+ Thanks to nyt@countercultured.net for the report
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_policy.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit b67b5e4666934693bb1fc4804ca60724f98a54d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 4 18:15:02 2013 -0500
+
+ Don't duplicate __get_dumpable, also make sure we check against SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing detection when suid_dumpable was set to 2
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/coredump.c | 7 +++++--
+ grsecurity/grsec_sig.c | 14 ++------------
+ include/linux/grsecurity.h | 2 +-
+ 3 files changed, 8 insertions(+), 15 deletions(-)
+
+commit ad3f9d56b43c4c448d5ba55d4e073e66a59898d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 3 19:39:04 2013 -0500
+
+ Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879 The previous info was many years outdated.
+
+ Disable KEXEC when GRKERNSEC_KMEM is enabled:
+ http://mjg59.dreamwidth.org/28746.html
+
+ Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning
+ -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/Kconfig | 1 +
+ arch/ia64/Kconfig | 1 +
+ arch/mips/Kconfig | 1 +
+ arch/powerpc/Kconfig | 1 +
+ arch/tile/Kconfig | 1 +
+ arch/x86/Kconfig | 1 +
+ arch/x86/kernel/ioport.c | 12 ++++++------
+ grsecurity/Kconfig | 27 +++++++++++----------------
+ 8 files changed, 23 insertions(+), 22 deletions(-)
+
+commit 7044221d2d6e8d8e8fa26d5c30c72bd6e1d9b599
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Nov 26 15:16:48 2013 -0500
+
+ Fix null deref on application of the shutdown role, reported by zakalwe
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++-
+ grsecurity/gracl_policy.c | 58 ++++-----------------------------------------
+ 2 files changed, 62 insertions(+), 54 deletions(-)
+
+commit 1f894d3a1357fa9c7b2f849079546115fc797fd8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Nov 26 13:04:07 2013 -0500
+
+ Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/kmod.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit aa561a3ad4b30e8c03837ff96bbcd868e363cb21
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Nov 26 12:59:00 2013 -0500
+
+ Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_policy.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b031d4f071e25462e94f742166b0ea6b8874dae4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 25 22:33:33 2013 -0500
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/kmod.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 00a30755e85c7dbfd1042a0f4c5d911e288c8cc9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 25 12:01:21 2013 -0500
+
+ Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers. Work around this stupidity
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/kmod.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7177ab477fcc5d670718dafba3f6a454ed2e121e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:49:05 2013 -0500
+
+ Revert "HID: multitouch: validate feature report details"
+
+ This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-multitouch.c | 25 +++++--------------------
+ 1 files changed, 5 insertions(+), 20 deletions(-)
+
+commit f0d33fb85de097278d1ae605c3d98fc99b578d56
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:48:49 2013 -0500
+
+ Revert "HID: lenovo-tpkbd: validate output report details"
+
+ This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 -----
+ 1 files changed, 0 insertions(+), 5 deletions(-)
+
+commit 0c2a1258705b5c90732c2895664965da6a16bebc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:48:33 2013 -0500
+
+ Revert "HID: steelseries: validate output report details"
+
+ This reverts commit 0996966348dc3c3f7515567d3245292785d484fc.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-steelseries.c | 5 -----
+ 1 files changed, 0 insertions(+), 5 deletions(-)
+
+commit b17b436bd1781a43866931ce6b6ba2811882ade5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:08:33 2013 -0500
+
+ add missing header
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/proc_sysctl.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 45eefce5c5dc37368ed21d2b22a2d15973b7c06b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:04:55 2013 -0500
+
+ Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/proc_sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 804611c10dcd6e9486cf374fcbfb2053a80f918d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 17:50:21 2013 -0500
+
+ remove unnecessary code/comments after new reload method
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ----
+ grsecurity/gracl_policy.c | 13 -------------
+ 2 files changed, 0 insertions(+), 17 deletions(-)
+
+commit 4aeb0dc39f03db1c2c55ebc0cb7797289948a872
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 16:05:01 2013 -0500
+
+ Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then)
+
+ Introduce new atomic RBAC reload method, developed as part of sponsorship
+ by EIG
+
+ This is accompanied by an updated 3.0 gradm which will use the new reload
+ method when -R is passed to gradm. The old method will still be available
+ via gradm -r (which is what a 2.9.1 gradm will continue to use).
+
+ The new RBAC reload method is atomic in the sense that at no point in the
+ reload process will the system not be covered by a coherent full policy.
+ In contrast to previous reload behavior, it also preserves inherited subjects
+ and special roles.
+
+ The old RBAC reload method has also been made atomic. Both methods have
+ been updated to perform role_allowed_ip checks only against the IP tagged
+ to the task at the time its role was first applied or changed. This resolves
+ long-standing usability problems with the use of role_allowed_ip and matches
+ the policies created by learning.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Makefile | 2 +-
+ grsecurity/gracl.c | 3903 +++++++++++++------------------------------
+ grsecurity/gracl_alloc.c | 42 +-
+ grsecurity/gracl_compat.c | 3 +-
+ grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++
+ grsecurity/gracl_segv.c | 12 +-
+ grsecurity/grsec_disabled.c | 7 -
+ grsecurity/grsec_init.c | 15 -
+ include/linux/gracl.h | 43 +-
+ include/linux/grinternal.h | 1 -
+ include/linux/grsecurity.h | 1 -
+ include/linux/sched.h | 2 +
+ 12 files changed, 3082 insertions(+), 2787 deletions(-)
+
+commit cdfd01e44815f0e0cb700b5597b3b2eb44352903
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 15:08:28 2013 -0500
+
+ compile fix for recent GRKERNSEC_CHROOT_INITRD change
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ init/main.c | 8 +++-----
+ 1 files changed, 3 insertions(+), 5 deletions(-)
+
+commit 3ac09de20b5b3967c77a59ed064cd05e607ecca8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 18:27:37 2013 -0500
+
+ Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kmod.h | 3 +++
+ kernel/kmod.c | 13 +++++++++++++
+ 2 files changed, 16 insertions(+), 0 deletions(-)
+
+commit 7fc979f0a8ffdc501b57e0c9c8b5251b8458d98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 17:20:15 2013 -0500
+
+ Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention.
+
+ Reported by acez on IRC
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/mm/fault.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+commit 9b5ffb45694e2381a73275b029d1cde3ba090555
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:56:46 2013 -0500
+
+ Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically.
+
+ Conflicts:
+
+ init/main.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 2 +-
+ grsecurity/grsec_chroot.c | 2 +-
+ init/main.c | 15 +++++++++++++++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+commit 71ea2cc2fb940a4eaa6a4f6e5084efc91197bed1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:33:20 2013 -0500
+
+ limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/kmod.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit 36895fdbcf3b528221475a894076611c6340bc6f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:02:01 2013 -0500
+
+ perform USERCOPY kernel text checks against the linear mapping on amd64 as well
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/exec.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit 47474491a88a18956b3c23a0f8ea5a793aeaaf0b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 22 20:31:37 2013 -0500
+
+ Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
+
+ This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
+
+ It caused errors with traceroute, reported to upstream and fixed with
+ http://patchwork.ozlabs.org/patch/293614/
+ But there's no reason for us to maintain this backport as we're
+ already impervious to recvmsg/msg_name infoleaks
+
+ Conflicts:
+
+ net/ipv4/ping.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/ieee802154/dgram.c | 3 ++-
+ net/ipv4/ping.c | 11 +++++++++--
+ net/ipv4/raw.c | 4 +++-
+ net/ipv4/udp.c | 7 ++++++-
+ net/ipv6/raw.c | 4 +++-
+ net/ipv6/udp.c | 5 ++++-
+ net/l2tp/l2tp_ip.c | 4 +++-
+ net/phonet/datagram.c | 9 +++++----
+ 8 files changed, 35 insertions(+), 12 deletions(-)
+
+commit 8aeb360164c3165b8d843b90776f92748cb0826f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:15:51 2013 -0500
+
+ GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 65982aa12f534a722a92dd211e9b2461cac099cd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 19:07:11 2013 -0500
+
+ Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/mm/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c07ac5819bfcbb29fe75896f409517acc95f09d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 19:01:59 2013 -0500
+
+ Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+
+ Will let this sit in -test for a while to weed out any app incompatibilities
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 17 +++++++++++++++++
+ grsecurity/Makefile | 2 +-
+ grsecurity/grsec_init.c | 4 ++++
+ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++
+ grsecurity/grsec_sysctl.c | 9 +++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grmsg.h | 1 +
+ ipc/util.c | 5 +++++
+ 8 files changed, 60 insertions(+), 1 deletions(-)
+
+commit 7a03cf3e714a075ce6d1b1c4e2cbe269968c32d9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 11 10:48:10 2013 -0500
+
+ Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/video/arcfb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1822dec9af44fef43a2092fbb98d986d40688e92
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 22:01:33 2013 -0500
+
+ Add missing include
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/proc_sysctl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 252aafc936113beb2c4b654c51ca4f69e34e7ece
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 17:50:12 2013 -0500
+
+ add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/mm/Kconfig | 2 +-
+ grsecurity/Kconfig | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletions(-)
+
+commit d91a8c0aac4fd7d52d861fa389d094b0dbe69d8b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 15:19:27 2013 -0500
+
+ On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr.
+
+ Thanks to acez from IRC for debugging.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 521a19248a7f3ae875854835be586208d7e94362
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 13:54:25 2013 -0500
+
+ Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own
+
+ This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
+ networking
+
+ Thanks to ncopa from IRC for testing
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/proc_sysctl.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 88abc9f686cef116d741924e96c8264c6feeb280
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 16:23:36 2013 -0500
+
+ Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
+
+ Conflicts:
+
+ security/Kconfig
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit ca2e0bc771e1868a1b993013d725ab602d8e0454
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 16:19:21 2013 -0500
+
+ change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence
+
+ Conflicts:
+
+ lib/list_debug.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
+ 1 files changed, 42 insertions(+), 23 deletions(-)
+
+commit 9f9fda5bdad944095d49943719343439cebceb34
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue Oct 29 10:21:34 2013 -0700
+
+ Fixed a little differently than Linus...
+
+ Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
+
+ Fix a few incorrectly checked [io_]remap_pfn_range() calls
+
+ Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
+ really should use the vm_iomap_memory() helper. This trivially converts
+ two of them to the helper, and comments about why the third one really
+ needs to continue to use remap_pfn_range(), and adds the missing size
+ check.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
+
+ Conflicts:
+
+ drivers/uio/uio.c
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/uio/uio.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+commit 0f332bf501f3c2035c63fc3e58f07be9cc96924b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Sep 27 21:06:17 2013 -0400
+
+ Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_ip.c | 7 +++----
+ net/socket.c | 26 +++++++++++++++-----------
+ 2 files changed, 18 insertions(+), 15 deletions(-)
+
+commit d6aeef5cb3bbaa011f74eb38133043965302cc32
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 22 18:14:07 2013 -0400
+
+ Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
+
+ This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/netlink/genetlink.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit 02b18c56607ff93f00659ee100517bba70972aca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 09:19:21 2013 -0400
+
+ remove unnecessary check from when protocol was signed
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/phonet/af_phonet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c8991fc98b032a2338b9fda708d2dad227fbcd83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:12:45 2013 -0400
+
+ Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ lib/Kconfig.debug | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c63230b915355cea2649fac21c9469a8c3f88876
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 19:16:48 2013 -0400
+
+ Fix a bad git merge, re-applied a previously reverted patch
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 0dcfe7e8eac4751d2bbabc48fb63a0118bb353eb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:56:37 2013 -0400
+
+ finish porting namei.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/namei.c | 12 +++++++++++-
+ 1 files changed, 11 insertions(+), 1 deletions(-)
+
+commit 89d5374f91319363bb79c916764c747f3229759c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:44:08 2013 -0400
+
+ cred->user -> current_user()
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit fefeb37bc66cf8e1b8c32a1f1e9776f6b701b245
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:36:24 2013 -0400
+
+ Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit e4a184da44ae23ab3ee9e250d4bc38050e4a3533
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:36:23 2013 -0400
+
+ fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit c96e77a4ec0b7045e4e3e8f6d33937c078a79cb6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:17:02 2013 -0400
+
+ Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_sysctl.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit 600c8f5a6a7b57e4ecbb16d10eab3bdfae399299
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 18:41:49 2013 -0400
+
+ Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
+
+ Also eliminate reset_security_ops() as a ROP target when
+ SECURITY_SELINUX_DISABLE is disabled as it's the only user
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 17 ++++++++++++++++-
+ grsecurity/grsec_init.c | 3 +++
+ grsecurity/grsec_sysctl.c | 2 +-
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+commit 979cb67c276ef34486ed64bb58ed30020bc8a53f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 17:11:11 2013 -0400
+
+ fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_sysctl.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit d259a636db5500db5e3ddacab82857db244bf46f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:42:39 2013 -0400
+
+ add export of gr_handle_new_usb()
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_usb.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 73872d212f992833add967be12de9628941bdd5b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 19:24:47 2013 -0400
+
+ Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/usb/core/hub.c | 5 +++++
+ grsecurity/Kconfig | 20 ++++++++++++++++++++
+ grsecurity/Makefile | 3 ++-
+ grsecurity/grsec_init.c | 1 +
+ grsecurity/grsec_sysctl.c | 11 +++++++++++
+ grsecurity/grsec_usb.c | 13 +++++++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grsecurity.h | 2 ++
+ 8 files changed, 55 insertions(+), 1 deletions(-)
+
+commit 57a621395b231025d33da789f7593da0e9c591a4
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:14:34 2013 -0700
+
+ HID: steelseries: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ steelseries HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+ ...
+ [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2891
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-steelseries.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 6261da1c18366e4b2e0ff28781e0a769a2d31d1b
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:21:23 2013 -0700
+
+ HID: lenovo-tpkbd: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ lenovo-tpkbd HID driver to write just beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+ ...
+ [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2894
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 9a7678270debd6b7c14ed1e91fb502d73bfaee08
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:11:32 2013 -0700
+
+ HID: multitouch: validate feature report details
+
+ When working on report indexes, always validate that they are in bounds.
+ Without this, a HID device could report a malicious feature report that
+ could trick the driver into a heap overflow:
+
+ [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+ ...
+ [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2897
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
+ 1 files changed, 20 insertions(+), 5 deletions(-)
+
+commit efb7731d700d5b4568871670ac0841a84f003029
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 19 22:10:04 2013 -0400
+
+ fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/kernel/smpboot.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 3469d59da7f6bd0c5838764e5b06bad97193f628
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 12:00:20 2013 -0400
+
+ make kallsyms_lookup_size_offset available to approved source files
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 03b91bfc983379670fd439b2b3fbec633ea6468d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:18:09 2013 -0400
+
+ allow use of kallsyms_lookup_name to approved source files
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 2e9828b85e2ab096affe9e8b52cd68d7a0d8839d
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Aug 13 09:04:05 2013 +0200
+
+ Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
+
+ genetlink: fix family dump race
+
+ When dumping generic netlink families, only the first dump call
+ is locked with genl_lock(), which protects the list of families,
+ and thus subsequent calls can access the data without locking,
+ racing against family addition/removal. This can cause a crash.
+ Fix it - the locking needs to be conditional because the first
+ time around it's already locked.
+
+ A similar bug was reported to me on an old kernel (3.4.47) but
+ the exact scenario that happened there is no longer possible,
+ on those kernels the first round wasn't locked either. Looking
+ at the current code I found the race described above, which had
+ also existed on the old kernel.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/netlink/genetlink.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit aeddd9080b145f520dfdba52e07ffe7ac5c2940a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 08:58:34 2013 -0400
+
+ Fix two harmless compiler warnings
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/kernel/process.c | 4 ++--
+ fs/exec.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 8953b010e785f55d35e96de6d7913b7e6791d9f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:46:01 2013 -0400
+
+ Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 2 +-
+ kernel/kprobes.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 346b6fb51f351bc8a2e52c158794c863b88c730b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 10 09:41:40 2013 -0400
+
+ propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit 5a95c583a8e74e8b980ae810c3755d7490f9f208
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:58:42 2013 -0400
+
+ Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit be64e6e8a615622f5c8b8feefdbae24dfe1eb13a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:26:40 2013 -0400
+
+ Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
+
+ Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
+ user namespaces!
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/fork.c | 17 -----------------
+ kernel/user_namespace.c | 15 +++++++++++++++
+ 2 files changed, 15 insertions(+), 17 deletions(-)
+
+commit bf41ff82977f5629d76e58b4eec76e78b6e0794c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 16:05:41 2013 -0400
+
+ silence a warning on older gcc
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 80c4d845fa846426a226c1807310670fdc3f4fb9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 3 08:31:08 2013 -0400
+
+ we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 29f82c7cc74a11260863cea855cb7bb7b79506db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:54:51 2013 -0400
+
+ add include
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_log.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit b313d3d863fe87ecf4f79f61e9670955df66685e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:49:13 2013 -0400
+
+ fix compilation
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/grinternal.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit e0b580d61744ac72ba2275fb5211de2bfc570058
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:34:35 2013 -0400
+
+ Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
+ fs/exec.c | 4 ++++
+ grsecurity/Kconfig | 21 +++++----------------
+ grsecurity/grsec_init.c | 4 ----
+ grsecurity/grsec_log.c | 14 ++++++++++++++
+ grsecurity/grsec_pax.c | 19 ++++++++++++++-----
+ grsecurity/grsec_sysctl.c | 9 ---------
+ include/linux/binfmts.h | 1 +
+ include/linux/grinternal.h | 2 +-
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 3 ++-
+ mm/mmap.c | 7 +++++++
+ mm/mprotect.c | 2 +-
+ 13 files changed, 88 insertions(+), 38 deletions(-)
+
+commit 2860f00640ffc0745e102fc8eea1b4787747a34f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:52:02 2013 -0400
+
+ add missing #define
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 271a28185b48e1c659c497837e26350f0b98b56b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:43:53 2013 -0400
+
+ fix compilation for !COMPAT as reported on the forums
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
+ 1 files changed, 97 insertions(+), 98 deletions(-)
+
+commit c7b8b1a6d33fb9f2f33b6661d98ccf034bc4fa88
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:20 2013 -0400
+
+ Revert "revert recent PaX change that causes boot failures with 32bit userland"
+
+ This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 506d84be8c4e9db0b655d3f6da2cec92482b610f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 16:26:58 2013 -0400
+
+ compile fix for !COMPAT as mentioned on forums
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 7b7d053d1c9209c6810ee0e82d902d633df55114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:33:14 2013 -0400
+
+ perform compat conversion of rlimit infinity
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit f9503913fa6c0b461e5a6c991eb04b8e369e0dd2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:21:40 2013 -0400
+
+ remove debugging
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
+ 1 files changed, 11 insertions(+), 33 deletions(-)
+
+commit 4d203a112c51248189db81e89926ed2ccbbf3727
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:20:32 2013 -0400
+
+ eliminate compat_dev_t
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/gracl_compat.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 98cc5ab35c0f012765475db240189e0d72e9e936
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:13:22 2013 -0400
+
+ fix compat rlimit size
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
+ include/linux/gracl_compat.h | 4 +-
+ 2 files changed, 49 insertions(+), 23 deletions(-)
+
+commit aa8d1edbfb648b1b942996d59fa446fd830df989
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:20:18 2013 -0400
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 28b7a6a844d93d88bb83383bb6273cdc22c595ad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:14:29 2013 -0400
+
+ copy correct pointer size in new compat code
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 8 ++++----
+ grsecurity/gracl_compat.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 9490ca70e30846522d28b6f9ca7caf28cdb7b9e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:15:50 2013 -0400
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 5f7d6c7e7e4ef41577b73936595ed1f28649e9e9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:12:46 2013 -0400
+
+ remove BUILD_BUG_ONs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 20 --------------------
+ 1 files changed, 0 insertions(+), 20 deletions(-)
+
+commit 91c416711e2e713d870dc52ce17af0607a82cb75
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:18:36 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 8 ++++----
+ include/linux/gracl_compat.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 99cad551389634d849387cf5e2054d9aa2c1c1b4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:16:42 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_compat.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 9ec58c4629d5aba15d09d4a740b83bf4cdb6da90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:13:51 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit dd368be2aef36cae4f997fc798087069fb64d442
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:11:03 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 8970e77a91e35ddac604cf96462c600651e94baa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:08:21 2013 -0400
+
+ more compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 28 ++++++++++++++--------------
+ 1 files changed, 14 insertions(+), 14 deletions(-)
+
+commit d5711d44bf668cdc5d29383e5e16ff884f1991ee
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:59:50 2013 -0400
+
+ more compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+commit f9bf16c3f73ff249219c1a7d457f10b5f5448da1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:56:47 2013 -0400
+
+ additional compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 files changed, 49 insertions(+), 10 deletions(-)
+
+commit afb88b8065edeb572c4d7992c6916d19a8bbc483
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:47:15 2013 -0400
+
+ fix typo
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 981fbde7260e575f99c7c9fc83239fca752cb543
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:46:59 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 14 deletions(-)
+
+commit c3ebfc69b7c5c12f54ee8b2c34776c503eb825f5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:22:44 2013 -0400
+
+ Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
+
+ Also removed code duplication for copying strings into the kernel
+
+ Work performed as part of sponsorship
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Makefile | 4 +
+ grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
+ grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
+ include/linux/gracl_compat.h | 156 +++++++++++++++++++++
+ 4 files changed, 603 insertions(+), 142 deletions(-)
+
+commit 5f3672544ae20bb1a595a849b304d1c168254e2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 16 20:40:24 2013 -0400
+
+ allow viewing of ecryptfs version under SYSFS_RESTRICT
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/sysfs/dir.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f892f6cf3070e516828ef6b81c39abdec77d7e93
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:49:17 2013 -0400
+
+ Update PaX fix, just return the error
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/madvise.c | 11 +++++------
+ 1 files changed, 5 insertions(+), 6 deletions(-)
+
+commit bacca56a4c5ce1734004a310588d710ab642c14d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:36:00 2013 -0400
+
+ Fix madvise oops reported by Peter Keel
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/madvise.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+commit bb802e55264979a3517687cc4e3ea4043187a4d6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 22:04:59 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/exec.c | 2 +-
+ mm/mmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 80af0d78732fcd1345751765d6bdba75e4453096
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:15:10 2013 -0400
+
+ Initial port of grsecurity to 3.11 using new git method
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 3 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 13 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/signal.c | 9 +-
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 9 +-
+ arch/x86/kernel/sys_x86_64.c | 8 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 1 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 126 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/cdrom/cdrom.c | 2 +-
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 14 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 1 +
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 3 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 11 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 184 ++-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 218 ++-
+ fs/namespace.c | 16 +
+ fs/open.c | 38 +
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 166 ++-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 4 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ grsecurity/Kconfig | 2 +-
+ grsecurity/gracl_fs.c | 6 +-
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/perf_event.h | 13 +-
+ include/linux/printk.h | 3 +-
+ include/linux/sched.h | 24 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 40 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/events/core.c | 14 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 64 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/locking/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 2 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 7 +
+ kernel/printk/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 69 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 1 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 63 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev_ioctl.c | 4 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 4 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netrom/af_netrom.c | 1 -
+ net/phonet/af_phonet.c | 2 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 341 +++-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 229 files changed, 4100 insertions(+), 2025 deletions(-)
+
+commit 75586073addae35174967d77e1b985e6b534e3f8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:57:40 2013 -0400
+
+ Commit merge of new files and rejected patches
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/powerpc/include/asm/thread_info.h | 7 +-
+ arch/powerpc/mm/slice.c | 2 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 15 +
+ fs/coredump.c | 1 +
+ fs/ext4/balloc.c | 4 +-
+ fs/namei.c | 7 +
+ fs/namespace.c | 8 +
+ fs/pipe.c | 2 +-
+ fs/proc/inode.c | 13 +
+ fs/proc/internal.h | 3 +
+ grsecurity/Kconfig | 1054 +++++++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 ++++
+ grsecurity/gracl_ip.c | 387 +++
+ grsecurity/gracl_learn.c | 207 ++
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 +++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 +++
+ grsecurity/grsec_disabled.c | 434 ++++
+ grsecurity/grsec_exec.c | 187 ++
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 +++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 +++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 246 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 ++++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/gracl.h | 319 +++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 ++
+ include/linux/grinternal.h | 227 ++
+ include/linux/grmsg.h | 112 +
+ include/linux/grsecurity.h | 241 ++
+ include/linux/grsock.h | 19 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/proc_fs.h | 13 +
+ include/linux/sched.h | 48 +-
+ include/trace/events/fs.h | 53 +
+ kernel/kmod.c | 7 +-
+ kernel/panic.c | 2 +-
+ kernel/posix-timers.c | 1 +
+ kernel/time/timekeeping.c | 2 +
+ lib/Kconfig.debug | 2 +-
+ lib/vsprintf.c | 31 +
+ localversion-grsec | 1 +
+ mm/mmap.c | 13 +-
+ mm/shmem.c | 2 +-
+ net/core/net-procfs.c | 5 +
+ net/ipv6/udp.c | 3 +
+ net/netfilter/xt_gradm.c | 51 +
+ 66 files changed, 11184 insertions(+), 21 deletions(-)
+
+commit 0100435c11a01cfbedea13ac5aebd38fb03309b4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 17:32:18 2014 -0500
+
+ Initial import of pax-linux-3.13-test2.patch
+
+ Documentation/dontdiff | 47 +-
+ Documentation/kernel-parameters.txt | 23 +
+ Makefile | 102 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 442 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 3 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 54 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 95 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/entry-armv.S | 110 +-
+ arch/arm/kernel/entry-common.S | 40 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 3 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/module.c | 31 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/process.c | 42 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 35 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 8 +-
+ arch/arm/kernel/vmlinux.lds.S | 24 +-
+ arch/arm/kvm/arm.c | 8 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 4 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
+ arch/arm/mach-ux500/setup.h | 7 -
+ arch/arm/mm/Kconfig | 6 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/cache-l2x0.c | 2 +-
+ arch/arm/mm/context.c | 10 +-
+ arch/arm/mm/fault.c | 140 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 30 +-
+ arch/arm/mm/mmu.c | 185 +-
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 728 +++-
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/local.h | 57 +
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/include/asm/smtc_proc.h | 2 +-
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/irq.c | 6 +-
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/kernel/smtc-proc.c | 6 +-
+ arch/mips/kernel/smtc.c | 2 +-
+ arch/mips/kernel/sync-r4k.c | 24 +-
+ arch/mips/kernel/traps.c | 13 +-
+ arch/mips/mm/fault.c | 25 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 15 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap.c | 16 +
+ arch/powerpc/mm/slice.c | 13 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/smp_64.c | 12 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 52 +-
+ arch/sparc/kernel/traps_64.c | 27 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 +
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/sparc/mm/init_64.c | 10 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 4 +-
+ arch/x86/Makefile | 16 +-
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/efi_stub_32.S | 16 +-
+ arch/x86/boot/compressed/head_32.S | 2 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 6 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 106 +-
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 +
+ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +-
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +-
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/serpent-avx2-asm_64.S | 9 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 10 +-
+ arch/x86/crypto/sha256-avx-asm.S | 2 +
+ arch/x86/crypto/sha256-avx2-asm.S | 2 +
+ arch/x86/crypto/sha256-ssse3-asm.S | 2 +
+ arch/x86/crypto/sha512-avx-asm.S | 2 +
+ arch/x86/crypto/sha512-avx2-asm.S | 2 +
+ arch/x86/crypto/sha512-ssse3-asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +-
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 173 +-
+ arch/x86/ia32/sys_ia32.c | 4 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 269 +-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 166 +-
+ arch/x86/include/asm/bitops.h | 18 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/calling.h | 118 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 16 +-
+ arch/x86/include/asm/desc.h | 78 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 8 +-
+ arch/x86/include/asm/futex.h | 20 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 106 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 136 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/include/asm/page_64.h | 4 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 15 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 124 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/preempt.h | 2 +-
+ arch/x86/include/asm/processor.h | 79 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rmwcc.h | 84 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 29 +-
+ arch/x86/include/asm/smap.h | 64 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/tlbflush.h | 74 +-
+ arch/x86/include/asm/uaccess.h | 162 +-
+ arch/x86/include/asm/uaccess_32.h | 24 +-
+ arch/x86/include/asm/uaccess_64.h | 177 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xen/page.h | 2 +-
+ arch/x86/include/asm/xsave.h | 14 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/include/uapi/asm/ptrace-abi.h | 1 -
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 69 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 132 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ arch/x86/kernel/doublefault.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 61 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 356 ++-
+ arch/x86/kernel/entry_64.S | 736 +++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 13 +-
+ arch/x86/kernel/head_32.S | 228 +-
+ arch/x86/kernel/head_64.S | 136 +-
+ arch/x86/kernel/i386_ksyms_32.c | 12 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 67 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/jump_label.c | 8 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 55 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 20 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 42 +-
+ arch/x86/kernel/reboot_fixups_32.c | 2 +-
+ arch/x86/kernel/relocate_kernel_64.S | 5 +-
+ arch/x86/kernel/setup.c | 63 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 28 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 184 +
+ arch/x86/kernel/sys_x86_64.c | 22 +-
+ arch/x86/kernel/tboot.c | 12 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/tracepoint.c | 4 +-
+ arch/x86/kernel/traps.c | 62 +-
+ arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 147 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 6 +-
+ arch/x86/kernel/x86_init.c | 6 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 63 +-
+ arch/x86/kvm/x86.c | 8 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 20 +-
+ arch/x86/lib/copy_user_64.S | 81 +-
+ arch/x86/lib/copy_user_nocache_64.S | 14 +
+ arch/x86/lib/csum-copy_64.S | 18 +-
+ arch/x86/lib/csum-wrappers_64.c | 8 +-
+ arch/x86/lib/getuser.S | 74 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 10 +-
+ arch/x86/lib/memmove_64.S | 4 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 2 +
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 12 +-
+ arch/x86/lib/usercopy_32.c | 357 +-
+ arch/x86/lib/usercopy_64.c | 18 +-
+ arch/x86/mm/Makefile | 4 +
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 564 ++-
+ arch/x86/mm/gup.c | 6 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 101 +-
+ arch/x86/mm/init_32.c | 111 +-
+ arch/x86/mm/init_64.c | 45 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 36 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pat_rbtree.c | 2 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 151 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/mm/uderef_64.c | 37 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 38 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/intel_mid_pci.c | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 24 +
+ arch/x86/platform/efi/efi_64.c | 10 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/intel-mid/intel-mid.c | 3 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 11 +-
+ arch/x86/realmode/init.c | 10 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 3 +-
+ arch/x86/tools/Makefile | 2 +-
+ arch/x86/tools/relocs.c | 94 +-
+ arch/x86/um/tls_32.c | 2 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 45 +-
+ arch/x86/xen/mmu.c | 11 +-
+ arch/x86/xen/smp.c | 21 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-cgroup.c | 4 +-
+ block/blk-iopoll.c | 2 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 2 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/genhd.c | 9 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 29 +-
+ crypto/cryptd.c | 4 +-
+ crypto/pcrypt.c | 2 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/ghes.c | 4 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 12 +-
+ drivers/ata/libata-scsi.c | 2 +-
+ drivers/ata/libata.h | 2 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 8 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_nl.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/null_blk.c | 27 +-
+ drivers/block/pktcdvd.c | 4 +-
+ drivers/bluetooth/btwilink.c | 2 +-
+ drivers/bus/arm-cci.c | 2 +-
+ drivers/cdrom/cdrom.c | 11 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 4 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 43 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 12 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clk/clk-composite.c | 2 +-
+ drivers/clk/socfpga/clk.c | 9 +-
+ drivers/cpufreq/acpi-cpufreq.c | 13 +-
+ drivers/cpufreq/cpufreq.c | 11 +-
+ drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq_governor.h | 4 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 10 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/intel_pstate.c | 25 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/sparc-us3-cpufreq.c | 70 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/driver.c | 2 +-
+ drivers/cpuidle/governor.c | 2 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/crypto/hifn_795x.c | 4 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/dma/sh/shdmac.c | 2 +-
+ drivers/edac/edac_device.c | 4 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci.c | 4 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 6 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 2 +-
+ drivers/firmware/efi/cper.c | 8 +-
+ drivers/firmware/efi/efi.c | 12 +-
+ drivers/firmware/efi/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 4 +-
+ drivers/gpu/drm/drm_fops.c | 12 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 2 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 26 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_cmd.c | 12 +-
+ drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +-
+ drivers/gpu/drm/qxl/qxl_drv.h | 8 +-
+ drivers/gpu/drm/qxl/qxl_irq.c | 16 +-
+ drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 61 +-
+ drivers/gpu/drm/tegra/dc.c | 2 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/gpu/vga/vga_switcheroo.c | 4 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hid/uhid.c | 6 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hv_balloon.c | 18 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/iio_hwmon.c | 2 +-
+ drivers/hwmon/nct6775.c | 6 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mlx4/mad.c | 2 +-
+ drivers/infiniband/hw/mlx4/mcg.c | 2 +-
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +-
+ drivers/infiniband/hw/mthca/mthca_main.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_provider.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/misc/ims-pcu.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/input/serio/serio_raw.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 12 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/gigaset/usb-gigaset.c | 2 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_common.c | 2 +
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/isdn/mISDN/dsp_cmx.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bcache/closure.h | 2 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stats.c | 6 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 4 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/platform/vivi.c | 4 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/radio/radio-maxiradio.c | 2 +-
+ drivers/media/radio/radio-shark.c | 2 +-
+ drivers/media/radio/radio-shark2.c | 2 +-
+ drivers/media/radio/radio-si476x.c | 2 +-
+ drivers/media/rc/rc-main.c | 4 +-
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
+ drivers/media/v4l2-core/v4l2-device.c | 4 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 67 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/max8925-i2c.c | 2 +-
+ drivers/mfd/tps65910.c | 2 +-
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/mmci.c | 4 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_netlink.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/usb/sierra_net.c | 4 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wimax/i2400m/rx.c | 2 +-
+ drivers/net/wireless/airo.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath10k/htc.c | 7 +-
+ drivers/net/wireless/ath/ath10k/htc.h | 4 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/b43/phy_lp.c | 2 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
+ drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/nfc/nfcwilink.c | 2 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 6 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/chrome/chromeos_laptop.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/msi-wmi.c | 2 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/powercap/powercap_sys.c | 136 +-
+ drivers/regulator/core.c | 4 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/android/timed_output.c | 6 +-
+ drivers/staging/gdm724x/gdm_tty.c | 2 +-
+ drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +-
+ drivers/staging/lustre/lnet/selftest/framework.c | 4 -
+ drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
+ drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
+ drivers/staging/lustre/lustre/include/obd.h | 2 +-
+ .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +-
+ drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10.h | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
+ drivers/staging/rtl8188eu/include/rtw_io.h | 2 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/target/sbp/sbp_target.c | 4 +-
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/hvc/hvsi.c | 12 +-
+ drivers/tty/hvc/hvsi_lib.c | 4 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 5 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/ioc4_serial.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/msm_serial.c | 4 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 8 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 15 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/devio.c | 10 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 6 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/dwc3/gadget.c | 2 -
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/host/ehci-hub.c | 4 +-
+ drivers/usb/misc/appledisplay.c | 4 +-
+ drivers/usb/serial/console.c | 8 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/vfio/vfio.c | 2 +-
+ drivers/vhost/vringh.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/hyperv_fb.c | 4 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/omap2/dss/display.c | 8 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_addr.c | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/afs/inode.c | 4 +-
+ fs/aio.c | 2 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 6 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 678 +++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/delayed-inode.c | 6 +-
+ fs/btrfs/delayed-inode.h | 4 +-
+ fs/btrfs/super.c | 2 +-
+ fs/buffer.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/ceph/super.c | 4 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/file.c | 10 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 4 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 12 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 16 +-
+ fs/dcache.c | 5 +-
+ fs/ecryptfs/inode.c | 2 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/exec.c | 362 ++-
+ fs/ext2/xattr.c | 5 +-
+ fs/ext3/xattr.c | 5 +-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 4 +-
+ fs/ext4/xattr.c | 5 +-
+ fs/fhandle.c | 3 +-
+ fs/file.c | 4 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 40 +-
+ fs/fscache/internal.h | 200 +-
+ fs/fscache/object.c | 26 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 4 +-
+ fs/fuse/dir.c | 2 +-
+ fs/hostfs/hostfs_kern.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 12 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 16 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 2 +-
+ fs/nfsd/nfscache.c | 9 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 2 +-
+ fs/ntfs/super.c | 6 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 59 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/proc/vmcore.c | 12 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/read_write.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 4 +-
+ fs/splice.c | 41 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 16 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_readdir.c | 7 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 212 +-
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/bitops/__fls.h | 2 +-
+ include/asm-generic/bitops/fls.h | 2 +-
+ include/asm-generic/bitops/fls64.h | 4 +-
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 16 +
+ include/asm-generic/uaccess.h | 16 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 15 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/i915_pciids.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/audit.h | 2 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/bitops.h | 6 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 8 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/clk-provider.h | 1 +
+ include/linux/compat.h | 4 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 12 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/fdtable.h | 2 +-
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/genhd.h | 4 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 6 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 12 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 4 +-
+ include/linux/jiffies.h | 12 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/linkage.h | 1 +
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 10 +-
+ include/linux/mempolicy.h | 7 +
+ include/linux/mm.h | 118 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/padata.h | 2 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 10 +-
+ include/linux/pipe_fs_i.h | 8 +-
+ include/linux/pm.h | 1 +
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/preempt.h | 19 +
+ include/linux/proc_ns.h | 2 +-
+ include/linux/quota.h | 2 +-
+ include/linux/random.h | 23 +-
+ include/linux/rculist.h | 20 +-
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 68 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/security.h | 2 -
+ include/linux/semaphore.h | 2 +-
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 48 +-
+ include/linux/slab_def.h | 14 +-
+ include/linux/slub_def.h | 2 +-
+ include/linux/smp.h | 2 +
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 18 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 9 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vga_switcheroo.h | 8 +-
+ include/linux/vmalloc.h | 7 +-
+ include/linux/vmstat.h | 24 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-device.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 17 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 20 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 4 +-
+ include/net/netns/ipv6.h | 4 +-
+ include/net/ping.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/checksum.h | 4 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 8 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 13 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/compress_driver.h | 2 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 2 -
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 30 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 42 +-
+ init/main.c | 78 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 10 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 38 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 28 +-
+ kernel/events/internal.h | 10 +-
+ kernel/events/uprobes.c | 2 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 166 +-
+ kernel/futex.c | 11 +-
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 2 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/locking/lockdep.c | 7 +-
+ kernel/locking/mutex-debug.c | 12 +-
+ kernel/locking/mutex-debug.h | 4 +-
+ kernel/locking/mutex.c | 10 +-
+ kernel/locking/rtmutex-tester.c | 24 +-
+ kernel/module.c | 337 +-
+ kernel/notifier.c | 17 +-
+ kernel/padata.c | 4 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 24 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcu/srcu.c | 4 +-
+ kernel/rcu/tiny.c | 4 +-
+ kernel/rcu/torture.c | 56 +-
+ kernel/rcu/tree.c | 76 +-
+ kernel/rcu/tree.h | 26 +-
+ kernel/rcu/tree_plugin.h | 40 +-
+ kernel/rcu/tree_trace.c | 22 +-
+ kernel/rcu/update.c | 4 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/completion.c | 6 +-
+ kernel/sched/core.c | 43 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/sched/sched.h | 2 +-
+ kernel/signal.c | 12 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 14 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 34 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 4 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 18 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_clock.c | 4 +-
+ kernel/trace/trace_events.c | 1 -
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ kernel/workqueue.c | 2 +-
+ lib/Kconfig.debug | 8 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 126 +-
+ lib/percpu-refcount.c | 2 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/usercopy.c | 6 +
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/backing-dev.c | 4 +-
+ mm/filemap.c | 10 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 3 +-
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 28 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 25 +
+ mm/mlock.c | 15 +-
+ mm/mmap.c | 583 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 2 +-
+ mm/page_alloc.c | 42 +-
+ mm/page_io.c | 2 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 44 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 106 +-
+ mm/slab.h | 15 +-
+ mm/slab_common.c | 60 +-
+ mm/slob.c | 206 +-
+ mm/slub.c | 88 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 2 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 75 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/fragmentation.c | 2 +-
+ net/batman-adv/soft-interface.c | 6 +-
+ net/batman-adv/types.h | 6 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 4 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/ceph/messenger.c | 4 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/netpoll.c | 4 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/skbuff.c | 8 +-
+ net/core/sock.c | 28 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 20 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/devinet.c | 18 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 14 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 20 +-
+ net/ipv4/sysctl_net_ipv4.c | 37 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 18 +-
+ net/ipv6/addrconf.c | 12 +-
+ net/ipv6/af_inet6.c | 2 +-
+ net/ipv6/datagram.c | 2 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ip6_vti.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/output_core.c | 15 +-
+ net/ipv6/ping.c | 28 +-
+ net/ipv6/raw.c | 17 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 6 +-
+ net/ipv6/xfrm6_policy.c | 17 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 16 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/packet/af_packet.c | 8 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 8 +-
+ net/socket.c | 18 +-
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/sunrpc/svcauth_unix.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 22 +-
+ net/xfrm/xfrm_state.c | 33 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.sh | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/module-common.lds | 4 +
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 689 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/internal.h | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/security.c | 9 +-
+ security/selinux/avc.c | 6 +-
+ security/selinux/hooks.c | 11 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/core/sound.c | 2 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/hda/hda_codec.c | 8 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ sound/soc/soc-core.c | 6 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 172 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 557 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 474 ++
+ tools/gcc/latent_entropy_plugin.c | 335 ++
+ tools/gcc/size_overflow_hash.data | 5618 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 4072 ++++++++++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/gcc/structleak_plugin.c | 277 +
+ tools/lib/lk/Makefile | 2 +-
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 44 +-
+ 1716 files changed, 34523 insertions(+), 8024 deletions(-)
+commit 512ab625d6d34c2f8602a044454bb1366b80b98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 14:54:11 2014 -0500
+
+ Fix another compiler error caught by RANDSTRUCT
+
+ sound/isa/sb/emu8000_synth.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 43bd0a97d977b78f2a54045bbf98ee967209c144
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 14:34:12 2014 -0500
+
+ Fix another compiler error caught by RANDSTRUCT
+
+ drivers/net/wan/z85230.c | 24 ++++++++++++------------
+ 1 files changed, 12 insertions(+), 12 deletions(-)
+
+commit e833f51aa919e2c94bb7ac6979a68cf3f4fcc131
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 14:30:46 2014 -0500
+
+ fix compilation with RANDSTRUCT plugin
+
+ sound/drivers/opl4/opl4_seq.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 743f2ccb4dc72e6366e0cf0b371d37951c67ce0d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 14:16:18 2014 -0500
+
+ avoid problems by just building our fake field decl node from scratch
+
+ tools/gcc/randomize_layout_plugin.c | 10 +++++-----
+ 1 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 9345145bb31148c2fb4918fe989d45bbf1219373
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 13:45:18 2014 -0500
+
+ while in non-debug mode, don't emit notes for non-randomized struct types
+
+ clear all signs from our fake field decl of being a bitfield
+
+ tools/gcc/randomize_layout_plugin.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+commit 946d2d5cafa4f123f6ee36596f67cf8571e461b4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 12:56:05 2014 -0500
+
+ revert change to read-only marking of fake struct field
+
+ tools/gcc/randomize_layout_plugin.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c947104c6a4c0e05ed6440287ad8872e2cbdb2f3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 12:42:48 2014 -0500
+
+ Update RANDSTRUCT plugin help
+
+ tools/gcc/randomize_layout_plugin.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 3757914c9c5d2278f93a3a8dc7d19847c6ee8e3a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 25 12:25:43 2014 -0500
+
+ Introduce GRKERNSEC_RANDSTRUCT:
+ automatic structure layout randomization of pure ops structs
+ randomization of marked sensitive kernel structures
+
+ automatically enabled by GRKERNSEC_CONFIG_AUTO
+ performance mode is activated if the config priority is set to performance
+
+ Documentation/dontdiff | 1 +
+ Makefile | 12 +-
+ arch/x86/include/asm/floppy.h | 20 +-
+ arch/x86/include/asm/paravirt_types.h | 23 +-
+ arch/x86/include/asm/processor.h | 2 +-
+ drivers/acpi/acpica/hwxfsleep.c | 11 +-
+ drivers/block/cciss.h | 30 +-
+ drivers/block/drbd/drbd_interval.c | 6 +-
+ drivers/block/smart1,2.h | 40 +-
+ drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +-
+ drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
+ drivers/infiniband/hw/ipath/ipath_dma.c | 26 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 22 +-
+ drivers/isdn/gigaset/bas-gigaset.c | 32 +-
+ drivers/isdn/gigaset/ser-gigaset.c | 32 +-
+ drivers/isdn/gigaset/usb-gigaset.c | 32 +-
+ drivers/isdn/i4l/isdn_concap.c | 6 +-
+ drivers/isdn/i4l/isdn_x25iface.c | 16 +-
+ drivers/misc/sgi-xp/xp_main.c | 12 +-
+ drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +-
+ drivers/net/wan/lmc/lmc_media.c | 97 ++--
+ drivers/scsi/bfa/bfa_fcs.c | 19 +-
+ drivers/scsi/bfa/bfa_fcs_lport.c | 29 +-
+ drivers/scsi/bfa/bfa_modules.h | 12 +-
+ drivers/scsi/hpsa.h | 20 +-
+ drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +-
+ drivers/staging/lustre/lustre/libcfs/module.c | 10 +-
+ drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +-
+ drivers/video/matrox/matroxfb_DAC1064.c | 10 +-
+ drivers/video/matrox/matroxfb_Ti3026.c | 5 +-
+ fs/mount.h | 4 +-
+ fs/proc/internal.h | 4 +-
+ fs/reiserfs/item_ops.c | 24 +-
+ grsecurity/Kconfig | 31 +-
+ include/linux/compiler-gcc4.h | 5 +
+ include/linux/compiler.h | 8 +
+ include/linux/cred.h | 4 +-
+ include/linux/dcache.h | 2 +-
+ include/linux/fs.h | 14 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/ipc_namespace.h | 2 +-
+ include/linux/kobject.h | 2 +-
+ include/linux/mm_types.h | 4 +-
+ include/linux/module.h | 4 +-
+ include/linux/mount.h | 2 +-
+ include/linux/pid_namespace.h | 2 +-
+ include/linux/proc_ns.h | 2 +-
+ include/linux/rbtree_augmented.h | 4 +-
+ include/linux/sched.h | 6 +-
+ include/linux/sysctl.h | 2 +-
+ include/linux/tty.h | 2 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/user_namespace.h | 2 +-
+ include/linux/utsname.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 2 +-
+ lib/rbtree.c | 4 +-
+ net/atm/lec.c | 6 +-
+ net/atm/mpoa_caches.c | 42 +-
+ net/decnet/dn_dev.c | 2 +-
+ net/vmw_vsock/vmci_transport_notify.c | 30 +-
+ net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +-
+ net/x25/sysctl_net_x25.c | 2 +-
+ scripts/Makefile | 2 +
+ scripts/gen-random-seed.sh | 8 +
+ sound/core/seq/oss/seq_oss.c | 4 +-
+ sound/core/seq/seq_midi.c | 4 +-
+ sound/drivers/opl3/opl3_seq.c | 4 +-
+ sound/pci/emu10k1/emu10k1_synth.c | 4 +-
+ sound/synth/emux/emux_seq.c | 14 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 2 +
+ tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++
+ 74 files changed, 1222 insertions(+), 390 deletions(-)
+
+commit 44ebc77fd9886fdebf8e3942a935cbe2f3272c3d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 19 09:27:31 2014 -0500
+
+ add PRNG self-tests
+
+ lib/random32.c | 207 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 files changed, 197 insertions(+), 10 deletions(-)
+
+commit 7780c290ada57bac294c5a7e5b0286dd604920c5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 19 09:00:56 2014 -0500
+
+ compile fix
+
+ include/linux/random.h | 4 ----
+ include/uapi/linux/random.h | 2 +-
+ 2 files changed, 1 insertions(+), 5 deletions(-)
+
+commit 4c4359a96c7b208513eb3563c90558cd5d2ca1a0
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon Nov 11 12:20:36 2013 +0100
+
+ Upstream commit: a98814cef87946d2708812ad9f8b1e03b8366b6f
+
+ random32: upgrade taus88 generator to taus113 from errata paper
+
+ Since we use prandom*() functions quite often in networking code
+ i.e. in UDP port selection, netfilter code, etc, upgrade the PRNG
+ from Pierre L'Ecuyer's original paper "Maximally Equidistributed
+ Combined Tausworthe Generators", Mathematics of Computation, 65,
+ 213 (1996), 203--213 to the version published in his errata paper [1].
+
+ The Tausworthe generator is a maximally-equidistributed generator,
+ that is fast and has good statistical properties [1].
+
+ The version presented there upgrades the 3 state LFSR to a 4 state
+ LFSR with increased periodicity from about 2^88 to 2^113. The
+ algorithm is presented in [1] by the very same author who also
+ designed the original algorithm in [2].
+
+ Also, by increasing the state, we make it a bit harder for attackers
+ to "guess" the PRNGs internal state. See also discussion in [3].
+
+ Now, as we use this sort of weak initialization discussed in [3]
+ only between core_initcall() until late_initcall() time [*] for
+ prandom32*() users, namely in prandom_init(), it is less relevant
+ from late_initcall() onwards as we overwrite seeds through
+ prandom_reseed() anyways with a seed source of higher entropy, that
+ is, get_random_bytes(). In other words, a exhaustive keysearch of
+ 96 bit would be needed. Now, with the help of this patch, this
+ state-search increases further to 128 bit. Initialization needs
+ to make sure that s1 > 1, s2 > 7, s3 > 15, s4 > 127.
+
+ taus88 and taus113 algorithm is also part of GSL. I added a test
+ case in the next patch to verify internal behaviour of this patch
+ with GSL and ran tests with the dieharder 3.31.1 RNG test suite:
+
+ $ dieharder -g 052 -a -m 10 -s 1 -S 4137730333 #taus88
+ $ dieharder -g 054 -a -m 10 -s 1 -S 4137730333 #taus113
+
+ With this seed configuration, in order to compare both, we get
+ the following differences:
+
+ algorithm taus88 taus113
+ rands/second [**] 1.61e+08 1.37e+08
+ sts_serial(4, 1st run) WEAK PASSED
+ sts_serial(9, 2nd run) WEAK PASSED
+ rgb_lagged_sum(31) WEAK PASSED
+
+ We took out diehard_sums test as according to the authors it is
+ considered broken and unusable [4]. Despite that and the slight
+ decrease in performance (which is acceptable), taus113 here passes
+ all 113 tests (only rgb_minimum_distance_5 in WEAK, the rest PASSED).
+ In general, taus/taus113 is considered "very good" by the authors
+ of dieharder [5].
+
+ The papers [1][2] states a single warm-up step is sufficient by
+ running quicktaus once on each state to ensure proper initialization
+ of ~s_{0}:
+
+ Our selection of (s) according to Table 1 of [1] row 1 holds the
+ condition L - k <= r - s, that is,
+
+ (32 32 32 32) - (31 29 28 25) <= (25 27 15 22) - (18 2 7 13)
+
+ with r = k - q and q = (6 2 13 3) as also stated by the paper.
+ So according to [2] we are safe with one round of quicktaus for
+ initialization. However we decided to include the warm-up phase
+ of the PRNG as done in GSL in every case as a safety net. We also
+ use the warm up phase to make the output of the RNG easier to
+ verify by the GSL output.
+
+ In prandom_init(), we also mix random_get_entropy() into it, just
+ like drivers/char/random.c does it, jiffies ^ random_get_entropy().
+ random-get_entropy() is get_cycles(). xor is entropy preserving so
+ it is fine if it is not implemented by some architectures.
+
+ Note, this PRNG is *not* used for cryptography in the kernel, but
+ rather as a fast PRNG for various randomizations i.e. in the
+ networking code, or elsewhere for debugging purposes, for example.
+
+ [*]: In order to generate some "sort of pseduo-randomness", since
+ get_random_bytes() is not yet available for us, we use jiffies and
+ initialize states s1 - s3 with a simple linear congruential generator
+ (LCG), that is x <- x * 69069; and derive s2, s3, from the 32bit
+ initialization from s1. So the above quote from [3] accounts only
+ for the time from core to late initcall, not afterwards.
+ [**] Single threaded run on MacBook Air w/ Intel Core i5-3317U
+
+ [1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps
+ [2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps
+ [3] http://thread.gmane.org/gmane.comp.encryption.general/12103/
+ [4] http://code.google.com/p/dieharder/source/browse/trunk/libdieharder/diehard_sums.c?spec=svn490&r=490#20
+ [5] http://www.phy.duke.edu/~rgb/General/dieharder.php
+
+ Joint work with Hannes Frederic Sowa.
+
+ Cc: Florian Weimer <fweimer@redhat.com>
+ Cc: Theodore Ts'o <tytso@mit.edu>
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ include/linux/random.h
+
+ include/linux/random.h | 13 +++++--
+ lib/random32.c | 80 +++++++++++++++++++++++++++--------------------
+ 2 files changed, 55 insertions(+), 38 deletions(-)
+
+commit 53dd59a26859c9b98cadcad65791c951b162e91e
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 11 12:20:33 2013 +0100
+
+ Upstream commit: 6d31920246a9fc80be4f16acd27c0bbe8d7b8494
+
+ random32: add periodic reseeding
+
+ The current Tausworthe PRNG is never reseeded with truly random data after
+ the first attempt in late_initcall. As this PRNG is used for some critical
+ random data as e.g. UDP port randomization we should try better and reseed
+ the PRNG once in a while with truly random data from get_random_bytes().
+
+ When we reseed with prandom_seed we now make also sure to throw the first
+ output away. This suffices the reseeding procedure.
+
+ The delay calculation is based on a proposal from Eric Dumazet.
+
+ Joint work with Daniel Borkmann.
+
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Cc: Theodore Ts'o <tytso@mit.edu>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ lib/random32.c
+
+ lib/random32.c | 22 ++++++++++++++++++++++
+ 1 files changed, 22 insertions(+), 0 deletions(-)
+
+commit 9deef5d021000495e04a730ba1880fb4b8951d45
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 11 12:20:34 2013 +0100
+
+ Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9
+
+ random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized
+
+ The Tausworthe PRNG is initialized at late_initcall time. At that time the
+ entropy pool serving get_random_bytes is not filled sufficiently. This
+ patch adds an additional reseeding step as soon as the nonblocking pool
+ gets marked as initialized.
+
+ On some machines it might be possible that late_initcall gets called after
+ the pool has been initialized. In this situation we won't reseed again.
+
+ (A call to prandom_seed_late blocks later invocations of early reseed
+ attempts.)
+
+ Joint work with Daniel Borkmann.
+
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Cc: Theodore Ts'o <tytso@mit.edu>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: "Theodore Ts'o" <tytso@mit.edu>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ lib/random32.c
+
+ drivers/char/random.c | 5 ++++-
+ include/linux/random.h | 1 +
+ lib/random32.c | 24 +++++++++++++++++++++++-
+ 3 files changed, 28 insertions(+), 2 deletions(-)
+
+commit 7445d45f81df0b84bbb7fc6cc598e6b70522c286
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 18 20:43:43 2014 -0500
+
+ Since the reworking of recvmsg handlers by Hannes Frederic Sowa,
+ it should be safe to revert our workaround for large number of
+ infoleaks the previous interface made possible, restoring some
+ performance to these syscalls
+
+ net/socket.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 2c18c01da2a59df2cdaa0d99e0ed2f781c3cbf4e
+Author: Eric Dumazet <edumazet@google.com>
+Date: Wed Jan 15 06:50:07 2014 -0800
+
+ Upstream commit: aee636c4809fa54848ff07a899b326eb1f9987a2
+
+ bpf: do not use reciprocal divide
+
+ At first Jakub Zawadzki noticed that some divisions by reciprocal_divide
+ were not correct. (off by one in some cases)
+ http://www.wireshark.org/~darkjames/reciprocal-buggy.c
+
+ He could also show this with BPF:
+ http://www.wireshark.org/~darkjames/set-and-dump-filter-k-bug.c
+
+ The reciprocal divide in linux kernel is not generic enough,
+ lets remove its use in BPF, as it is not worth the pain with
+ current cpus.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
+ Cc: Mircea Gherzan <mgherzan@gmail.com>
+ Cc: Daniel Borkmann <dxchgb@gmail.com>
+ Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Cc: Matt Evans <matt@ozlabs.org>
+ Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+ Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ arch/x86/net/bpf_jit_comp.c
+
+ arch/arm/net/bpf_jit_32.c | 6 +++---
+ arch/powerpc/net/bpf_jit_comp.c | 7 ++++---
+ arch/s390/net/bpf_jit_comp.c | 17 ++++++++++++-----
+ arch/sparc/net/bpf_jit_comp.c | 17 ++++++++++++++---
+ arch/x86/net/bpf_jit_comp.c | 16 ++++++++++------
+ net/core/filter.c | 30 ++----------------------------
+ 6 files changed, 45 insertions(+), 48 deletions(-)
+
+commit 6986871c84f81084d5c8723538ccefc5c401b31c
+Author: Jie Liu <jeff.liu@oracle.com>
+Date: Wed Jan 1 19:28:03 2014 +0800
+
+ Upstream commit: bba719b5004234e55737e7074b81b337210c511d
+
+ xfs: fix off-by-one error in xfs_attr3_rmt_verify
+
+ With CRC check is enabled, if trying to set an attributes value just
+ equal to the maximum size of XATTR_SIZE_MAX would cause the v3 remote
+ attr write verification procedure failure, which would yield the back
+ trace like below:
+
+ <snip>
+ XFS (sda7): Internal error xfs_attr3_rmt_write_verify at line 191 of file fs/xfs/xfs_attr_remote.c
+ <snip>
+ Call Trace:
+ [<ffffffff816f0042>] dump_stack+0x45/0x56
+ [<ffffffffa0d99c8b>] xfs_error_report+0x3b/0x40 [xfs]
+ [<ffffffffa0d96edd>] ? _xfs_buf_ioapply+0x6d/0x390 [xfs]
+ [<ffffffffa0d99ce5>] xfs_corruption_error+0x55/0x80 [xfs]
+ [<ffffffffa0dbef6b>] xfs_attr3_rmt_write_verify+0x14b/0x1a0 [xfs]
+ [<ffffffffa0d96edd>] ? _xfs_buf_ioapply+0x6d/0x390 [xfs]
+ [<ffffffffa0d97315>] ? xfs_bdstrat_cb+0x55/0xb0 [xfs]
+ [<ffffffffa0d96edd>] _xfs_buf_ioapply+0x6d/0x390 [xfs]
+ [<ffffffff81184cda>] ? vm_map_ram+0x31a/0x460
+ [<ffffffff81097230>] ? wake_up_state+0x20/0x20
+ [<ffffffffa0d97315>] ? xfs_bdstrat_cb+0x55/0xb0 [xfs]
+ [<ffffffffa0d9726b>] xfs_buf_iorequest+0x6b/0xc0 [xfs]
+ [<ffffffffa0d97315>] xfs_bdstrat_cb+0x55/0xb0 [xfs]
+ [<ffffffffa0d97906>] xfs_bwrite+0x46/0x80 [xfs]
+ [<ffffffffa0dbfa94>] xfs_attr_rmtval_set+0x334/0x490 [xfs]
+ [<ffffffffa0db84aa>] xfs_attr_leaf_addname+0x24a/0x410 [xfs]
+ [<ffffffffa0db8893>] xfs_attr_set_int+0x223/0x470 [xfs]
+ [<ffffffffa0db8b76>] xfs_attr_set+0x96/0xb0 [xfs]
+ [<ffffffffa0db13b2>] xfs_xattr_set+0x42/0x70 [xfs]
+ [<ffffffff811df9b2>] generic_setxattr+0x62/0x80
+ [<ffffffff811e0213>] __vfs_setxattr_noperm+0x63/0x1b0
+ [<ffffffff81307afe>] ? evm_inode_setxattr+0xe/0x10
+ [<ffffffff811e0415>] vfs_setxattr+0xb5/0xc0
+ [<ffffffff811e054e>] setxattr+0x12e/0x1c0
+ [<ffffffff811c6e82>] ? final_putname+0x22/0x50
+ [<ffffffff811c708b>] ? putname+0x2b/0x40
+ [<ffffffff811cc4bf>] ? user_path_at_empty+0x5f/0x90
+ [<ffffffff811bdfd9>] ? __sb_start_write+0x49/0xe0
+ [<ffffffff81168589>] ? vm_mmap_pgoff+0x99/0xc0
+ [<ffffffff811e07df>] SyS_setxattr+0x8f/0xe0
+ [<ffffffff81700c2d>] system_call_fastpath+0x1a/0x1f
+
+ Tests:
+ setfattr -n user.longxattr -v `perl -e 'print "A"x65536'` testfile
+
+ This patch fix it to check the remote EA size is greater than the
+ XATTR_SIZE_MAX rather than more than or equal to it, because it's
+ valid if the specified EA value size is equal to the limitation as
+ per VFS setxattr interface.
+
+ Signed-off-by: Jie Liu <jeff.liu@oracle.com>
+ Reviewed-by: Mark Tinguely <tinguely@sgi.com>
+ Signed-off-by: Ben Myers <bpm@sgi.com>
+
+ (cherry picked from commit 85dd0707f0cad26d60f2dc574d17a5ab948d10f7)
+
+ fs/xfs/xfs_attr_remote.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e8aa7f8223cf2bc0893c6bec7ada0b13edc07703
+Author: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu Jan 9 21:46:34 2014 -0500
+
+ Upstream commit: 3dc91d4338d698ce77832985f9cb183d8eeaf6be
+
+ SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()
+
+ While running stress tests on adding and deleting ftrace instances I hit
+ this bug:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+ IP: selinux_inode_permission+0x85/0x160
+ PGD 63681067 PUD 7ddbe067 PMD 0
+ Oops: 0000 [#1] PREEMPT
+ CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20
+ Hardware name: /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006
+ task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000
+ RIP: 0010:[<ffffffff812d8bc5>] [<ffffffff812d8bc5>] selinux_inode_permission+0x85/0x160
+ RSP: 0018:ffff88007ddb1c48 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840
+ RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000
+ RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54
+ R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000
+ R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000
+ FS: 00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M
+ CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0
+ Call Trace:
+ security_inode_permission+0x1c/0x30
+ __inode_permission+0x41/0xa0
+ inode_permission+0x18/0x50
+ link_path_walk+0x66/0x920
+ path_openat+0xa6/0x6c0
+ do_filp_open+0x43/0xa0
+ do_sys_open+0x146/0x240
+ SyS_open+0x1e/0x20
+ system_call_fastpath+0x16/0x1b
+ Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff
+ RIP selinux_inode_permission+0x85/0x160
+ CR2: 0000000000000020
+
+ Investigating, I found that the inode->i_security was NULL, and the
+ dereference of it caused the oops.
+
+ in selinux_inode_permission():
+
+ isec = inode->i_security;
+
+ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
+
+ Note, the crash came from stressing the deletion and reading of debugfs
+ files. I was not able to recreate this via normal files. But I'm not
+ sure they are safe. It may just be that the race window is much harder
+ to hit.
+
+ What seems to have happened (and what I have traced), is the file is
+ being opened at the same time the file or directory is being deleted.
+ As the dentry and inode locks are not held during the path walk, nor is
+ the inodes ref counts being incremented, there is nothing saving these
+ structures from being discarded except for an rcu_read_lock().
+
+ The rcu_read_lock() protects against freeing of the inode, but it does
+ not protect freeing of the inode_security_struct. Now if the freeing of
+ the i_security happens with a call_rcu(), and the i_security field of
+ the inode is not changed (it gets freed as the inode gets freed) then
+ there will be no issue here. (Linus Torvalds suggested not setting the
+ field to NULL such that we do not need to check if it is NULL in the
+ permission check).
+
+ Note, this is a hack, but it fixes the problem at hand. A real fix is
+ to restructure the destroy_inode() to call all the destructor handlers
+ from the RCU callback. But that is a major job to do, and requires a
+ lot of work. For now, we just band-aid this bug with this fix (it
+ works), and work on a more maintainable solution in the future.
+
+ Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home
+ Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ security/selinux/hooks.c | 20 ++++++++++++++++++--
+ security/selinux/include/objsec.h | 5 ++++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+commit e19ed2ef10ac8fb5539ff49890f149230ba504a2
+Author: Hugh Dickins <hughd@google.com>
+Date: Sun Jan 12 01:25:21 2014 -0800
+
+ Upstream commit: eecc1e426d681351a6026a7d3e7d225f38955b6c
+
+ thp: fix copy_page_rep GPF by testing is_huge_zero_pmd once only
+
+ We see General Protection Fault on RSI in copy_page_rep: that RSI is
+ what you get from a NULL struct page pointer.
+
+ RIP: 0010:[<ffffffff81154955>] [<ffffffff81154955>] copy_page_rep+0x5/0x10
+ RSP: 0000:ffff880136e15c00 EFLAGS: 00010286
+ RAX: ffff880000000000 RBX: ffff880136e14000 RCX: 0000000000000200
+ RDX: 6db6db6db6db6db7 RSI: db73880000000000 RDI: ffff880dd0c00000
+ RBP: ffff880136e15c18 R08: 0000000000000200 R09: 000000000005987c
+ R10: 000000000005987c R11: 0000000000000200 R12: 0000000000000001
+ R13: ffffea00305aa000 R14: 0000000000000000 R15: 0000000000000000
+ FS: 00007f195752f700(0000) GS:ffff880c7fc20000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000093010000 CR3: 00000001458e1000 CR4: 00000000000027e0
+ Call Trace:
+ copy_user_huge_page+0x93/0xab
+ do_huge_pmd_wp_page+0x710/0x815
+ handle_mm_fault+0x15d8/0x1d70
+ __do_page_fault+0x14d/0x840
+ do_page_fault+0x2f/0x90
+ page_fault+0x22/0x30
+
+ do_huge_pmd_wp_page() tests is_huge_zero_pmd(orig_pmd) four times: but
+ since shrink_huge_zero_page() can free the huge_zero_page, and we have
+ no hold of our own on it here (except where the fourth test holds
+ page_table_lock and has checked pmd_same), it's possible for it to
+ answer yes the first time, but no to the second or third test. Change
+ all those last three to tests for NULL page.
+
+ (Note: this is not the same issue as trinity's DEBUG_PAGEALLOC BUG
+ in copy_page_rep with RSI: ffff88009c422000, reported by Sasha Levin
+ in https://lkml.org/lkml/2013/3/29/103. I believe that one is due
+ to the source page being split, and a tail page freed, while copy
+ is in progress; and not a problem without DEBUG_PAGEALLOC, since
+ the pmd_same check will prevent a miscopy from being made visible.)
+
+ Fixes: 97ae17497e99 ("thp: implement refcounting for huge zero page")
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: stable@vger.kernel.org # v3.10 v3.11 v3.12
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/huge_memory.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 49bf1cc12db4954afc0a3e9a4506325a53259c13
+Author: Christian Engelmayer <cengelma@gmx.at>
+Date: Sat Jan 11 22:19:30 2014 +0100
+
+ Upstream commit: 267d29a69c6af39445f36102a832b25ed483f299
+
+ ieee802154: Fix memory leak in ieee802154_add_iface()
+
+ Fix a memory leak in the ieee802154_add_iface() error handling path.
+ Detected by Coverity: CID 710490.
+
+ Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ieee802154/nl-phy.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 4e2493507f0d3a43a3c9562a4e75ae806f993d84
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Jan 13 02:45:22 2014 +0100
+
+ Upstream commit: 95f4a45de1a0f172b35451fc52283290adb21f6e
+
+ net: avoid reference counter overflows on fib_rules in multicast forwarding
+
+ Bob Falken reported that after 4G packets, multicast forwarding stopped
+ working. This was because of a rule reference counter overflow which
+ freed the rule as soon as the overflow happend.
+
+ This patch solves this by adding the FIB_LOOKUP_NOREF flag to
+ fib_rules_lookup calls. This is safe even from non-rcu locked sections
+ as in this case the flag only implies not taking a reference to the rule,
+ which we don't need at all.
+
+ Rules only hold references to the namespace, which are guaranteed to be
+ available during the call of the non-rcu protected function reg_vif_xmit
+ because of the interface reference which itself holds a reference to
+ the net namespace.
+
+ Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables")
+ Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables")
+ Reported-by: Bob Falken <NetFestivalHaveFun@gmx.com>
+ Cc: Patrick McHardy <kaber@trash.net>
+ Cc: Thomas Graf <tgraf@suug.ch>
+ Cc: Julian Anastasov <ja@ssi.bg>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ipmr.c | 7 +++++--
+ net/ipv6/ip6mr.c | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+commit 427e1a47ccd092da8d3834ec889bbf899bf02994
+Author: NeilBrown <neilb@suse.de>
+Date: Mon Jan 6 10:35:34 2014 +1100
+
+ Upstream commit: e8b849158508565e0cd6bc80061124afc5879160
+
+ md/raid10: fix bug when raid10 recovery fails to recover a block.
+
+ commit e875ecea266a543e643b19e44cf472f1412708f9
+ md/raid10 record bad blocks as needed during recovery.
+
+ added code to the "cannot recover this block" path to record a bad
+ block rather than fail the whole recovery.
+ Unfortunately this new case was placed *after* r10bio was freed rather
+ than *before*, yet it still uses r10bio.
+ This is will crash with a null dereference.
+
+ So move the freeing of r10bio down where it is safe.
+
+ Cc: stable@vger.kernel.org (v3.1+)
+ Fixes: e875ecea266a543e643b19e44cf472f1412708f9
+ Reported-by: Damian Nowak <spam@nowaker.net>
+ URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
+ Signed-off-by: NeilBrown <neilb@suse.de>
+
+ drivers/md/raid10.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 528bc79bf4b9414269c3468527a1fb93992888ec
+Author: NeilBrown <neilb@suse.de>
+Date: Mon Jan 6 13:19:42 2014 +1100
+
+ Upstream commit: 1cc03eb93245e63b0b7a7832165efdc52e25b4e6
+
+ md/raid5: Fix possible confusion when multiple write errors occur.
+
+ commit 5d8c71f9e5fbdd95650be00294d238e27a363b5c
+ md: raid5 crash during degradation
+
+ Fixed a crash in an overly simplistic way which could leave
+ R5_WriteError or R5_MadeGood set in the stripe cache for devices
+ for which it is no longer relevant.
+ When those devices are removed and spares added the flags are still
+ set and can cause incorrect behaviour.
+
+ commit 14a75d3e07c784c004b4b44b34af996b8e4ac453
+ md/raid5: preferentially read from replacement device if possible.
+
+ Fixed the same bug if a more effective way, so we can now revert
+ the original commit.
+
+ Reported-and-tested-by: Alexander Lyakas <alex.bolshoy@gmail.com>
+ Cc: stable@vger.kernel.org (3.2+ - 3.2 will need a different fix though)
+ Fixes: 5d8c71f9e5fbdd95650be00294d238e27a363b5c
+ Signed-off-by: NeilBrown <neilb@suse.de>
+
+ drivers/md/raid5.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 65e365f661bcc034ce8da73be4521dde4088cbc6
+Author: NeilBrown <neilb@suse.de>
+Date: Tue Jan 14 10:38:09 2014 +1100
+
+ Upstream commit: b50c259e25d9260b9108dc0c2964c26e5ecbe1c1
+
+ md/raid10: fix two bugs in handling of known-bad-blocks.
+
+ If we discover a bad block when reading we split the request and
+ potentially read some of it from a different device.
+
+ The code path of this has two bugs in RAID10.
+ 1/ we get a spin_lock with _irq, but unlock without _irq!!
+ 2/ The calculation of 'sectors_handled' is wrong, as can be clearly
+ seen by comparison with raid1.c
+
+ This leads to at least 2 warnings and a probable crash is a RAID10
+ ever had known bad blocks.
+
+ Cc: stable@vger.kernel.org (v3.1+)
+ Fixes: 856e08e23762dfb92ffc68fd0a8d228f9e152160
+ Reported-by: Damian Nowak <spam@nowaker.net>
+ URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
+ Signed-off-by: NeilBrown <neilb@suse.de>
+
+ drivers/md/raid10.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 648634ea6eaa98407d5cee468eea365addf784d7
+Author: Andreas Rohner <andreas.rohner@gmx.net>
+Date: Tue Jan 14 17:56:36 2014 -0800
+
+ Upstream commit: 70f2fe3a26248724d8a5019681a869abdaf3e89a
+
+ nilfs2: fix segctor bug that causes file system corruption
+
+ There is a bug in the function nilfs_segctor_collect, which results in
+ active data being written to a segment, that is marked as clean. It is
+ possible, that this segment is selected for a later segment
+ construction, whereby the old data is overwritten.
+
+ The problem shows itself with the following kernel log message:
+
+ nilfs_sufile_do_cancel_free: segment 6533 must be clean
+
+ Usually a few hours later the file system gets corrupted:
+
+ NILFS: bad btree node (blocknr=8748107): level = 0, flags = 0x0, nchildren = 0
+ NILFS error (device sdc1): nilfs_bmap_last_key: broken bmap (inode number=114660)
+
+ The issue can be reproduced with a file system that is nearly full and
+ with the cleaner running, while some IO intensive task is running.
+ Although it is quite hard to reproduce.
+
+ This is what happens:
+
+ 1. The cleaner starts the segment construction
+ 2. nilfs_segctor_collect is called
+ 3. sc_stage is on NILFS_ST_SUFILE and segments are freed
+ 4. sc_stage is on NILFS_ST_DAT current segment is full
+ 5. nilfs_segctor_extend_segments is called, which
+ allocates a new segment
+ 6. The new segment is one of the segments freed in step 3
+ 7. nilfs_sufile_cancel_freev is called and produces an error message
+ 8. Loop around and the collection starts again
+ 9. sc_stage is on NILFS_ST_SUFILE and segments are freed
+ including the newly allocated segment, which will contain active
+ data and can be allocated at a later time
+ 10. A few hours later another segment construction allocates the
+ segment and causes file system corruption
+
+ This can be prevented by simply reordering the statements. If
+ nilfs_sufile_cancel_freev is called before nilfs_segctor_extend_segments
+ the freed segments are marked as dirty and cannot be allocated any more.
+
+ Signed-off-by: Andreas Rohner <andreas.rohner@gmx.net>
+ Reviewed-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Andreas Rohner <andreas.rohner@gmx.net>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/nilfs2/segment.c | 10 ++++++----
+ 1 files changed, 6 insertions(+), 4 deletions(-)
+
+commit 380b201967bbe5769291311e5195a603006d391c
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue Jan 14 17:56:40 2014 -0800
+
+ Upstream commit: 03e5ac2fc3bf6f4140db0371e8bb4243b24e3e02
+
+ mm: fix crash when using XFS on loopback
+
+ Commit 8456a648cf44 ("slab: use struct page for slab management") causes
+ a crash in the LVM2 testsuite on PA-RISC (the crashing test is
+ fsadm.sh). The testsuite doesn't crash on 3.12, crashes on 3.13-rc1 and
+ later.
+
+ Bad Address (null pointer deref?): Code=15 regs=000000413edd89a0 (Addr=000006202224647d)
+ CPU: 3 PID: 24008 Comm: loop0 Not tainted 3.13.0-rc6 #5
+ task: 00000001bf3c0048 ti: 000000413edd8000 task.ti: 000000413edd8000
+
+ YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
+ PSW: 00001000000001101111100100001110 Not tainted
+ r00-03 000000ff0806f90e 00000000405c8de0 000000004013e6c0 000000413edd83f0
+ r04-07 00000000405a95e0 0000000000000200 00000001414735f0 00000001bf349e40
+ r08-11 0000000010fe3d10 0000000000000001 00000040829c7778 000000413efd9000
+ r12-15 0000000000000000 000000004060d800 0000000010fe3000 0000000010fe3000
+ r16-19 000000413edd82a0 00000041078ddbc0 0000000000000010 0000000000000001
+ r20-23 0008f3d0d83a8000 0000000000000000 00000040829c7778 0000000000000080
+ r24-27 00000001bf349e40 00000001bf349e40 202d66202224640d 00000000405a95e0
+ r28-31 202d662022246465 000000413edd88f0 000000413edd89a0 0000000000000001
+ sr00-03 000000000532c000 0000000000000000 0000000000000000 000000000532c000
+ sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+
+ IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000401fe42c 00000000401fe430
+ IIR: 539c0030 ISR: 00000000202d6000 IOR: 000006202224647d
+ CPU: 3 CR30: 000000413edd8000 CR31: 0000000000000000
+ ORIG_R28: 00000000405a95e0
+ IAOQ[0]: vma_interval_tree_iter_first+0x14/0x48
+ IAOQ[1]: vma_interval_tree_iter_first+0x18/0x48
+ RP(r2): flush_dcache_page+0x128/0x388
+ Backtrace:
+ flush_dcache_page+0x128/0x388
+ lo_splice_actor+0x90/0x148 [loop]
+ splice_from_pipe_feed+0xc0/0x1d0
+ __splice_from_pipe+0xac/0xc0
+ lo_direct_splice_actor+0x1c/0x70 [loop]
+ splice_direct_to_actor+0xec/0x228
+ lo_receive+0xe4/0x298 [loop]
+ loop_thread+0x478/0x640 [loop]
+ kthread+0x134/0x168
+ end_fault_vector+0x20/0x28
+ xfs_setsize_buftarg+0x0/0x90 [xfs]
+
+ Kernel panic - not syncing: Bad Address (null pointer deref?)
+
+ Commit 8456a648cf44 changes the page structure so that the slab
+ subsystem reuses the page->mapping field.
+
+ The crash happens in the following way:
+ * XFS allocates some memory from slab and issues a bio to read data
+ into it.
+ * the bio is sent to the loopback device.
+ * lo_receive creates an actor and calls splice_direct_to_actor.
+ * lo_splice_actor copies data to the target page.
+ * lo_splice_actor calls flush_dcache_page because the page may be
+ mapped by userspace. In that case we need to flush the kernel cache.
+ * flush_dcache_page asks for the list of userspace mappings, however
+ that page->mapping field is reused by the slab subsystem for a
+ different purpose. This causes the crash.
+
+ Note that other architectures without coherent caches (sparc, arm, mips)
+ also call page_mapping from flush_dcache_page, so they may crash in the
+ same way.
+
+ This patch fixes this bug by testing if the page is a slab page in
+ page_mapping and returning NULL if it is.
+
+ The patch also fixes VM_BUG_ON(PageSlab(page)) that could happen in
+ earlier kernels in the same scenario on architectures without cache
+ coherence when CONFIG_DEBUG_VM is enabled - so it should be backported
+ to stable kernels.
+
+ In the old kernels, the function page_mapping is placed in
+ include/linux/mm.h, so you should modify the patch accordingly when
+ backporting it.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Cc: John David Anglin <dave.anglin@bell.net>]
+ Cc: Andi Kleen <ak@linux.intel.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Acked-by: Pekka Enberg <penberg@kernel.org>
+ Reviewed-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+ Cc: Helge Deller <deller@gmx.de>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/util.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit e71bfbceaa0246366fe3753a893c660f22568bb9
+Merge: 83b84f4 e8219cf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 18 17:30:14 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83b84f4f7b950eeddc319df9dabeca8df99c19e7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 18 17:30:05 2014 -0500
+
+ Revert "Revert recent PaX marking change that broke a significant number"
+
+ This reverts commit 59672b779a7ef3857bb9335c668f671ea04c8a19.
+
+ fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 30 insertions(+), 23 deletions(-)
+
+commit e8219cf65fbb6e3763c4298831239929d1c1f9fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 18 17:29:19 2014 -0500
+
+ Update to pax-linux-3.12.8-test15.patch:
+ - reworked the interaction between the various PaX control flag mechanisms for better consistency
+ - fixed type attribute handling in the constify plugin, reported by spender
+
+ fs/binfmt_elf.c | 144 +++++++++++++++++++++++-------------------
+ include/linux/sched.h | 1 +
+ include/uapi/linux/sysctl.h | 6 --
+ tools/gcc/constify_plugin.c | 20 +++---
+ 4 files changed, 89 insertions(+), 82 deletions(-)
+
+commit 88474da15f3f3f5d93848102d03bb4983b9a0b78
+Merge: 59672b7 dbe1b0b28
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 16 07:00:51 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit dbe1b0b28973953b8919fbfc479054d527066737
+Merge: 229fa99 97f15f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 16 07:00:16 2014 -0500
+
+ Update to pax-linux-3.12.8-test14.patch:
+ - added a generated file to dontdiff, reported by Emese
+ - removed duplicated code due to a mismerge
+
+ Merge branch 'linux-3.12.y' into pax-test
+
+ Conflicts:
+ arch/x86/include/asm/fpu-internal.h
+
+commit 59672b779a7ef3857bb9335c668f671ea04c8a19
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 26 19:23:25 2013 -0500
+
+ Revert recent PaX marking change that broke a significant number
+ of existing systems. The marking system will be revamped in a later
+ patch to fix softmode support while making XT markings more usable.
+
+ fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------
+ 1 files changed, 23 insertions(+), 30 deletions(-)
+
+commit 528d5554e49536241bdf98c59ac3daedf2855a11
+Merge: f17b6ff 229fa99
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 12 07:56:10 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 229fa990d096324284db79ed69b336d19df28afb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 12 07:55:36 2014 -0500
+
+ update to newer size_overflow hash table
+
+ tools/gcc/size_overflow_hash.data | 150 +++++++++++++++++++++----------------
+ 1 files changed, 84 insertions(+), 66 deletions(-)
+
+commit f17b6ff4817c57c0aaae76c2c1cf2ee759773292
+Merge: 93e7728 6e027b9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 11 17:38:57 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 6e027b9f1196ed76313c256f8f962afd334d999f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 11 17:38:28 2014 -0500
+
+ Update to pax-linux-3.12.7-test12.patch:
+ - new size overflow plugin and hash table from Emese, should really fix the canon_copy_from_read_buf problem
+ - fixed incorrent module parameter type in vivi, caught by the size overflow plugin
+
+ drivers/media/platform/vivi.c | 4 +-
+ tools/gcc/size_overflow_hash.data | 120 ++++++++++++++++++------------------
+ tools/gcc/size_overflow_plugin.c | 64 +++++++++++++-------
+ 3 files changed, 105 insertions(+), 83 deletions(-)
+
+commit 93e7728fe0c37e00421e82cc43f8d467d5161751
+Merge: 41ac3ff eadfb9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 9 17:47:29 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit eadfb9b1066d32ee537369fd67683297eb791ed0
+Merge: bccc569 4301b7a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 9 17:46:48 2014 -0500
+
+ Update to pax-linux-3.12.7-test11.patch:
+ - fixed powerpc compilation, by Purushothama Siddaiah <psiddaiah@mvista.com>
+ - updated size overflow hash table from Emese, reported by Brian Haslett
+
+ Merge branch 'linux-3.12.y' into pax-test
+
+ Conflicts:
+ include/linux/reboot.h
+ mm/fremap.c
+ mm/memory-failure.c
+ scripts/link-vmlinux.sh
+
+commit 41ac3ff0c57f5b8bc2e32fd6ee58d618a6c8feec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 20:24:27 2014 -0500
+
+ zeroing out btime from /proc/stat breaks ps aux, it's the seconds of
+ uptime for the system, information which is also available elsewhere
+ (/proc/uptime), so there's no reason to limit it
+
+ fs/proc/stat.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit a1c966be13a8cfa254a6814c8a79caed3b421f0a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 18:13:15 2014 -0500
+
+ fix typo
+
+ mm/vmstat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f1b3c3eec89cd91474518f7fbd6ffe11c0cf22c7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 18:06:53 2014 -0500
+
+ provide a zeroed out /proc/vmstat to unprivileged users instead of
+ denied access, some poorly-written desktop apps bail out completely
+ when it can't be opened
+
+ mm/vmstat.c | 21 +++++++++++++++------
+ 1 files changed, 15 insertions(+), 6 deletions(-)
+
+commit 4e7ac33a7cf3cb6387d69a4d9ba248a2a2c95c52
+Merge: ecdc265 bccc569
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 17:55:50 2014 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit bccc5691fbe71245abd1e39c4387c1c0146bb3fd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 17:55:08 2014 -0500
+
+ Update to pax-linux-3.12.6-test10.patch:
+ - removed config reference to EXT4_FS_XATTR, reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3904)
+ - Emese worked around a few intentional overflows that triggered the size overflow plugin
+ - in cpuset_common_file_read, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=496490) and boris64 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3907)
+ - in canon_copy_from_read_buf, reported by dwokfur (http://forums.grsecurity.net/viewtopic.php?f=3&t=3905)
+
+ drivers/tty/n_tty.c | 2 +-
+ drivers/usb/core/devio.c | 2 +-
+ security/Kconfig | 1 -
+ tools/gcc/size_overflow_plugin.c | 173 ++++++++++++++++++++++++++++++++------
+ 4 files changed, 150 insertions(+), 28 deletions(-)
+
+commit ecdc2658f89f545acbfddbcef93c04a5bd3c9ce2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 8 17:46:46 2014 -0500
+
+ back out recently-added capability checks to various pci write methods
+ as they break Xorg radeon drivers
+
+ drivers/pci/pci-sysfs.c | 9 ---------
+ drivers/pci/proc.c | 3 ---
+ 2 files changed, 0 insertions(+), 12 deletions(-)
+
+commit 3b9532bcc2f2fda37c6316047764e65d05cfc0d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 2 17:05:39 2014 -0500
+
+ add missing #include
+
+ fs/proc/stat.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 44c29b5b08a4475bcd7ca653abe5ed172fa1f8a0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 2 17:02:24 2014 -0500
+
+ Back off recent PCI BAR restrictions as they break various existing
+ necessary functionality (Xorg with VMware video driver, etc)
+
+ Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0
+ checks currently
+
+ drivers/pci/pci-sysfs.c | 17 +++++++----------
+ drivers/pci/proc.c | 13 ++-----------
+ drivers/pci/syscall.c | 4 ----
+ 3 files changed, 9 insertions(+), 25 deletions(-)
+
+commit 5d6ce67e5ed3913c105cf2fc7c9db1d6e2a9f84a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 31 10:30:20 2013 -0500
+
+ Resolve compatibility with libgtop and recent restriction of
+ /proc/stat, reported by KacKurx. We now provide a properly-formatted
+ but zeroed /proc/stat instead of denying unpriv access to the entry
+
+ fs/proc/stat.c | 34 ++++++++++++++++++++++++----------
+ 1 files changed, 24 insertions(+), 10 deletions(-)
+
+commit fb5263307b4892bbaefc83427412b54c12a4e422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 30 11:19:53 2013 -0500
+
+ Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy
+ Kulikov:
+ http://www.openwall.com/lists/kernel-hardening/2011/11/07/1
+
+ fs/proc/interrupts.c | 4 ++++
+ fs/proc/stat.c | 4 ++++
+ 2 files changed, 8 insertions(+), 0 deletions(-)
+
+commit e5f67af1a42dbde9aae812c25e2498b908919689
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 30 11:13:49 2013 -0500
+
+ Update to phase two of the IPC hardening. I've heard no complaints about
+ the patch I released, but including it here will generate better information.
+
+ grsecurity/Kconfig | 16 ++++++++++------
+ grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++---
+ include/linux/grmsg.h | 2 +-
+ ipc/util.c | 3 ++-
+ 4 files changed, 42 insertions(+), 11 deletions(-)
+
+commit a5a7395ebf9054496b21fd84978daba0a9bfde5d
+Merge: b07a1fc bfce0d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 26 19:24:39 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit bfce0d4c8f94977de165b9a559c531759d031b4b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 26 19:23:25 2013 -0500
+
+ Revert recent PaX marking change that broke a significant number
+ of existing systems. The marking system will be revamped in a later
+ patch to fix softmode support while making XT markings more usable.
+
+ fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------
+ 1 files changed, 23 insertions(+), 30 deletions(-)
+
+commit b07a1fc3ab37cf27f8e7b56193a08adfadd569b6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 26 19:20:26 2013 -0500
+
+ add missing #include
+
+ grsecurity/grsec_mount.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 5fbe9de8e020fdf6b911a2368e41ba88df554343
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 26 15:51:51 2013 -0500
+
+ Update config help to reflect requirements for proper security, similar
+ to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM
+
+ grsecurity/Kconfig | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit d26ce94a15a14d44494fd3e307baebc2511a09b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 26 15:35:31 2013 -0500
+
+ Whenever we perform checks against block devices we should also test for
+ raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes,
+ Linux's raw device support has been obsoleted many years ago and is unlikely
+ to be present in a given kernel config (modulo an allyesconfig).
+
+ grsecurity/gracl.c | 2 +-
+ grsecurity/grsec_mount.c | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 4bbb922e6241dad03e37919f66e9f422743f5b5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 25 16:37:02 2013 -0500
+
+ Add some of the more obscure, config-dependent kernel modification
+ defenses to GRKERNSEC_KMEM, to be split out into a separate option
+ if this causes any compatibility problems. From Matthew Garrett:
+ https://lkml.org/lkml/2013/9/9/532
+
+ Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not
+ the other way around (to produce more secure settings when distro
+ configs are used as a base)
+
+ drivers/acpi/custom_method.c | 4 ++++
+ drivers/pci/pci-sysfs.c | 12 ++++++++++++
+ drivers/pci/proc.c | 12 ++++++++++++
+ drivers/pci/syscall.c | 4 ++++
+ drivers/platform/x86/asus-wmi.c | 12 ++++++++++++
+ kernel/power/Kconfig | 2 ++
+ security/Kconfig | 1 -
+ 7 files changed, 46 insertions(+), 1 deletions(-)
+
+commit 3ae9170407e5782e6a7b2bd796b60149864e6c3e
+Author: Chad Hanson <chanson@trustedcs.com>
+Date: Mon Dec 23 17:45:01 2013 -0500
+
+ Upstream commit: 46d01d63221c3508421dd72ff9c879f61053cffc
+
+ selinux: fix broken peer recv check
+
+ Fix a broken networking check. Return an error if peer recv fails. If
+ secmark is active and the packet recv succeeds the peer recv error is
+ ignored.
+
+ Signed-off-by: Chad Hanson <chanson@trustedcs.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Paul Moore <pmoore@redhat.com>
+
+ security/selinux/hooks.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit c870e769c2d34bff7a0eba239c092bb115bb9d71
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Mon Dec 23 17:45:01 2013 -0500
+
+ Upstream commit: c0c1439541f5305b57a83d599af32b74182933fe
+
+ selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
+
+ selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
+ but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
+ this looks confusing and triggers the "suspicious RCU usage"
+ warning because ptrace_parent() does rcu_dereference_check().
+
+ And in theory this is wrong, spin_lock()->preempt_disable()
+ doesn't necessarily imply rcu_read_lock() we need to access
+ the ->parent.
+
+ Reported-by: Evan McNabb <emcnabb@redhat.com>
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Paul Moore <pmoore@redhat.com>
+
+ security/selinux/hooks.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 717544da98db68da8cf1b902e33eefc098170128
+Author: Benjamin LaHaise <bcrl@kvack.org>
+Date: Sat Dec 21 15:49:28 2013 -0500
+
+ Upstream commit: 1881686f842065d2f92ec9c6424830ffc17d23b0
+
+ aio: fix kioctx leak introduced by "aio: Fix a trinity splat"
+
+ e34ecee2ae791df674dfb466ce40692ca6218e43 reworked the percpu reference
+ counting to correct a bug trinity found. Unfortunately, the change lead
+ to kioctxes being leaked because there was no final reference count to
+ put. Add that reference count back in to fix things.
+
+ Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+
+ fs/aio.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 21649f0e322166802adf5872f2affc38a0d6eb18
+Author: Jianguo Wu <wujianguo@huawei.com>
+Date: Wed Dec 18 17:08:59 2013 -0800
+
+ Upstream commit: 98398c32f6687ee1e1f3ae084effb4b75adb0747
+
+ mm/hugetlb: check for pte NULL pointer in __page_check_address()
+
+ In __page_check_address(), if address's pud is not present,
+ huge_pte_offset() will return NULL, we should check the return value.
+
+ Signed-off-by: Jianguo Wu <wujianguo@huawei.com>
+ Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+ Cc: Mel Gorman <mgorman@suse.de>
+ Cc: qiuxishi <qiuxishi@huawei.com>
+ Cc: Hanjun Guo <guohanjun@huawei.com>
+ Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ mm/rmap.c
+
+ mm/rmap.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 184b047d4bc06f058aadb07393270e5d972af3aa
+Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Date: Fri Dec 20 15:10:03 2013 +0200
+
+ Upstream commit: ee53664bda169f519ce3c6a22d378f0b946c8178
+
+ mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
+
+ Sasha Levin found a NULL pointer dereference that is due to a missing
+ page table lock, which in turn is due to the pmd entry in question being
+ a transparent huge-table entry.
+
+ The code - introduced in commit 1998cc048901 ("mm: make
+ madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
+ for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
+ turns out that that function doesn't work correctly.
+
+ pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
+ trigger if the transparent hugepage bit was set, but it doesn't do that
+ if pmd_numa() is also set. Note that the NUMA bit only gets set on real
+ NUMA machines, so people trying to reproduce this on most normal
+ development systems would never actually trigger this.
+
+ Fix it by removing the very subtle (and subtly incorrect) expectation,
+ and instead just checking pmd_trans_huge() explicitly.
+
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Andrea Arcangeli <aarcange@redhat.com>
+ [ Additionally remove the now stale test for pmd_trans_huge() inside the
+ pmd_bad() case - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/asm-generic/pgtable.h | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit 1d769ef5d57f3bb616929c7e3c600852e20d575e
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Tue Dec 17 00:38:39 2013 +0100
+
+ Upstream commit: b1aac815c0891fe4a55a6b0b715910142227700f
+
+ net: inet_diag: zero out uninitialized idiag_{src,dst} fields
+
+ Jakub reported while working with nlmon netlink sniffer that parts of
+ the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6.
+ That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3].
+
+ In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab]
+ memory through this. At least, in udp_dump_one(), we allocate a skb in ...
+
+ rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL);
+
+ ... and then pass that to inet_sk_diag_fill() that puts the whole struct
+ inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0],
+ r->id.idiag_dst[0] and leave the rest untouched:
+
+ r->id.idiag_src[0] = inet->inet_rcv_saddr;
+ r->id.idiag_dst[0] = inet->inet_daddr;
+
+ struct inet_diag_msg embeds struct inet_diag_sockid that is correctly /
+ fully filled out in IPv6 case, but for IPv4 not.
+
+ So just zero them out by using plain memset (for this little amount of
+ bytes it's probably not worth the extra check for idiag_family == AF_INET).
+
+ Similarly, fix also other places where we fill that out.
+
+ Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/ipv4/inet_diag.c
+
+ net/ipv4/inet_diag.c | 16 ++++++++++++++++
+ 1 files changed, 16 insertions(+), 0 deletions(-)
+
+commit 11093b2d02f7bba2c9085b2d2d020b9ee34f8737
+Author: Wenliang Fan <fanwlexca@gmail.com>
+Date: Tue Dec 17 11:25:28 2013 +0800
+
+ Upstream commit: e9db5c21d3646a6454fcd04938dd215ac3ab620a
+
+ drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
+
+ The local variable 'bi' comes from userspace. If userspace passed a
+ large number to 'bi.data.calibrate', there would be an integer overflow
+ in the following line:
+ s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
+
+ Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/hamradio/hdlcdrv.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit e162be84a9971452943c1d85a59c866a5486222b
+Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Mon Dec 23 18:49:30 2013 +0100
+
+ Upstream commit: f60900f2609e893c7f8d0bccc7ada4947dac4cd5
+
+ auxvec.h: account for AT_HWCAP2 in AT_VECTOR_SIZE_BASE
+
+ Commit 2171364d1a92 ("powerpc: Add HWCAP2 aux entry") introduced a new
+ AT_ auxv entry type AT_HWCAP2 but failed to update AT_VECTOR_SIZE_BASE
+ accordingly.
+
+ Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+ Fixes: 2171364d1a92 (powerpc: Add HWCAP2 aux entry)
+ Cc: stable@vger.kernel.org
+ Acked-by: Michael Neuling <michael@neuling.org>
+ Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
+ Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/auxvec.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a60029d4fb8d62b6dd3617a8ab4031fd79b89fe3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 25 15:11:51 2013 -0500
+
+ remove unused 'dentry' variable
+
+ fs/xattr.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit d6e290d23c8c47c19536ed84f403eb81f224ed67
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 25 15:03:13 2013 -0500
+
+ Add RBAC mediation of *removexattr(), as this has security implications
+ in the case of PaX with softmode enabled or the rare case of RBAC+SELinux
+ use.
+
+ fs/xattr.c | 18 +++++++++++-------
+ grsecurity/gracl_fs.c | 6 ++++++
+ grsecurity/grsec_disabled.c | 6 ++++++
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 2 ++
+ 5 files changed, 27 insertions(+), 8 deletions(-)
+
+commit 848b9c1e52382f446a2db679d6ee68c0a8cbc52e
+Merge: e45d1dd 846d19a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 22 10:36:48 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 846d19aa4207282ce5ac54237517e54324eda092
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 22 10:35:16 2013 -0500
+
+ Update to pax-linux-3.12.6-test9.patch:
+ - updated size overflow hash table from spender
+ - fixed silly code in kvm_clear_guest_page detected by USERCOPY, reported by remnix (http://forums.grsecurity.net/viewtopic.php?f=3&t=3899)
+
+ virt/kvm/kvm_main.c | 13 +++++++++++--
+ 1 files changed, 11 insertions(+), 2 deletions(-)
+
+commit e45d1ddcd3c8005889acc55fbf9e57171339fbb4
+Merge: b5c87f6 6754393
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 21 07:53:42 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 6754393ea42b9fb1d6d8e4635e8364674cee2bbd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 21 07:53:22 2013 -0500
+
+ Update size_overflow hash table
+
+ tools/gcc/size_overflow_hash.data | 119 +++++++++++++++++++------------------
+ 1 files changed, 60 insertions(+), 59 deletions(-)
+
+commit b5c87f632d1cf19639a94c36276f96955221c77a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 20 20:18:56 2013 -0500
+
+ compile fix
+
+ fs/stat.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 47618a93b003d648b5704040d1e502f76de07093
+Merge: ba0eeed 37eeb47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 20 20:18:18 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 37eeb473486a08e3beae62841b19169aef36564d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 20 20:17:46 2013 -0500
+
+ Update to pax-linux-3.12.6-test8.patch:
+ - fixed an inconsistency in handling softmode and user.pax.flags, reported by jacekalex (http://forums.grsecurity.net/viewtopic.php?f=3&t=3877)
+ - updated size overflow hash table from spender
+
+ fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 30 insertions(+), 23 deletions(-)
+
+commit ba0eeed0532b602905d87e9bf25aad3664c3f36b
+Merge: 453a7f1 9dda34c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 20 19:17:33 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9dda34cba200c6eadcbbbccbb4729627fd82e6be
+Merge: 63ebe2d2 d0266db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 20 19:17:18 2013 -0500
+
+ Merge branch 'linux-3.12.y' into pax-test
+
+ Conflicts:
+ arch/x86/boot/Makefile
+
+commit 453a7f1e18d89056fa27a9fdc777cea1a6fd7fe5
+Merge: bb777f5 63ebe2d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 19 22:48:02 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 63ebe2d2adf8f5ebc1639c1b8d8577fbe5813fcd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 19 22:47:35 2013 -0500
+
+ add 42 functions to the size_overflow hash table
+
+ tools/gcc/size_overflow_hash.data | 59 +++++++++++++++++++++++++++++-------
+ 1 files changed, 47 insertions(+), 12 deletions(-)
+
+commit bb777f517e6c2a53909351245d7d2009d8ad4c5b
+Merge: cc59b1f a03d29c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 19 17:12:01 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a03d29c1eead36d4f9eac27b3a5d4b4266360a81
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 19 17:11:19 2013 -0500
+
+ Update to pax-linux-3.12.5-test7.patch:
+ - fixed some more size overflow reports
+ - gratuitous int/uint conversion in expand_files and expand_fdtable, reported by wizeman (http://forums.grsecurity.net/viewtopic.php?f=3&t=3898)
+ - better fix for the gcc induced intentional overflow in usbdev_read
+
+ arch/x86/include/asm/atomic.h | 6 +++---
+ arch/x86/include/asm/atomic64_32.h | 2 +-
+ arch/x86/include/asm/atomic64_64.h | 2 +-
+ drivers/usb/core/devio.c | 2 +-
+ fs/file.c | 4 ++--
+ include/asm-generic/atomic-long.h | 2 +-
+ tools/gcc/size_overflow_hash.data | 3 ---
+ 7 files changed, 9 insertions(+), 12 deletions(-)
+
+commit cc59b1fbe8989a6f99d229b34653e40a84d871f4
+Merge: 44842d2 6ffdbdf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 15 10:40:14 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 6ffdbdf295f56e22ce8626b555a03e4d2b8c6a61
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 15 10:38:59 2013 -0500
+
+ Update to pax-linux-3.12.5-test6.patch:
+ - Emese fixed a bug in the size overflow plugin resulting in false positives on downcasts from 64 bit variables on i386, reported by Huub Reuver
+
+ tools/gcc/size_overflow_plugin.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+commit 44842d2f32b7fd6f325a90b15bd0a094f08feab9
+Merge: c2c9b35 f85d978
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 14 10:58:46 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f85d978a63b7388c6ab97b54808992fe2ee4ac8c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 14 10:58:14 2013 -0500
+
+ Update to pax-linux-3.12.5-test5.patch:
+ - properly fix the use-after-free in sys_remap_file_pages, by Rik van Riel (http://www.spinics.net/lists/linux-mm/msg66710.html)
+
+ mm/fremap.c | 10 +++++-----
+ 1 files changed, 5 insertions(+), 5 deletions(-)
+
+commit c2c9b35fca510f7e29f80efa2999695448083b52
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu Dec 12 09:38:42 2013 -0800
+
+ Upstream commit: f12d5bfceb7e1f9051563381ec047f7f13956c3c
+
+ futex: fix handling of read-only-mapped hugepages
+
+ The hugepage code had the exact same bug that regular pages had in
+ commit 7485d0d3758e ("futexes: Remove rw parameter from
+ get_futex_key()").
+
+ The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix
+ regression with read only mappings"), but the transparent hugepage case
+ (added in a5b338f2b0b1: "thp: update futex compound knowledge") case
+ remained broken.
+
+ Found by Dave Jones and his trinity tool.
+
+ Reported-and-tested-by: Dave Jones <davej@fedoraproject.org>
+ Cc: stable@kernel.org # v2.6.38+
+ Acked-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Mel Gorman <mgorman@suse.de>
+ Cc: Darren Hart <dvhart@linux.intel.com>
+ Cc: Andrea Arcangeli <aarcange@redhat.com>
+ Cc: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/futex.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 7fe4be2ce4c49484298f71455cdcac08149985cb
+Author: Andy Honig <ahonig@google.com>
+Date: Mon Nov 18 16:09:22 2013 -0800
+
+ Upstream commit: 338c7dbadd2671189cec7faf64c84d01071b3f96
+
+ KVM: Improve create VCPU parameter (CVE-2013-4587)
+
+ In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
+ malicious user could specify a vcpu_id greater than 255 in order to set or
+ clear bits in kernel memory. This could be used to elevate priveges in the
+ kernel. This patch verifies that the vcpu_id provided is less than 255.
+ The api documentation already specifies that the vcpu_id must be less than
+ max_vcpus, but this is currently not checked.
+
+ Reported-by: Andrew Honig <ahonig@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ virt/kvm/kvm_main.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit e3a3b7a0010abaf6f28afb8521fcb29cee6b3c4c
+Author: Andy Honig <ahonig@google.com>
+Date: Tue Nov 19 14:12:18 2013 -0800
+
+ Upstream commit: b963a22e6d1a266a67e9eecc88134713fd54775c
+
+ KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
+
+ Under guest controllable circumstances apic_get_tmcct will execute a
+ divide by zero and cause a crash. If the guest cpuid support
+ tsc deadline timers and performs the following sequence of requests
+ the host will crash.
+ - Set the mode to periodic
+ - Set the TMICT to 0
+ - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
+ - Set the TMICT to non-zero.
+ Then the lapic_timer.period will be 0, but the TMICT will not be. If the
+ guest then reads from the TMCCT then the host will perform a divide by 0.
+
+ This patch ensures that if the lapic_timer.period is 0, then the division
+ does not occur.
+
+ Reported-by: Andrew Honig <ahonig@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ arch/x86/kvm/lapic.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 2b8e6adf070a8938133e318e9a6e2f633095f038
+Author: Andy Honig <ahonig@google.com>
+Date: Wed Nov 20 10:23:22 2013 -0800
+
+ Upstream commit: fda4e2e85589191b123d31cdc21fd33ee70f50fd
+
+ KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
+
+ In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
+ potential to corrupt kernel memory if userspace provides an address that
+ is at the end of a page. This patches concerts those functions to use
+ kvm_write_guest_cached and kvm_read_guest_cached. It also checks the
+ vapic_address specified by userspace during ioctl processing and returns
+ an error to userspace if the address is not a valid GPA.
+
+ This is generally not guest triggerable, because the required write is
+ done by firmware that runs before the guest. Also, it only affects AMD
+ processors and oldish Intel that do not have the FlexPriority feature
+ (unless you disable FlexPriority, of course; then newer processors are
+ also affected).
+
+ Fixes: b93463aa59d6 ('KVM: Accelerated apic support')
+
+ Reported-by: Andrew Honig <ahonig@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ arch/x86/kvm/lapic.c | 27 +++++++++++++++------------
+ arch/x86/kvm/lapic.h | 4 ++--
+ arch/x86/kvm/x86.c | 40 +---------------------------------------
+ 3 files changed, 18 insertions(+), 53 deletions(-)
+
+commit 6261a034c2cc7f34b4c7663ace10d74f9c1fe479
+Author: Gleb Natapov <gleb@redhat.com>
+Date: Thu Dec 12 21:20:08 2013 +0100
+
+ Upstream commit: 17d68b763f09a9ce824ae23eb62c9efc57b69271
+
+ KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
+
+ A guest can cause a BUG_ON() leading to a host kernel crash.
+ When the guest writes to the ICR to request an IPI, while in x2apic
+ mode the following things happen, the destination is read from
+ ICR2, which is a register that the guest can control.
+
+ kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
+ cluster id. A BUG_ON is triggered, which is a protection against
+ accessing map->logical_map with an out-of-bounds access and manages
+ to avoid that anything really unsafe occurs.
+
+ The logic in the code is correct from real HW point of view. The problem
+ is that KVM supports only one cluster with ID 0 in clustered mode, but
+ the code that has the bug does not take this into account.
+
+ Reported-by: Lars Bull <larsbull@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Gleb Natapov <gleb@redhat.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ arch/x86/kvm/lapic.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit beb27f127ef300b52f8c20402d053b05bab7f4e3
+Merge: 82c673f b8daf53
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 13 20:11:22 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/parisc/kernel/sys_parisc.c
+
+commit b8daf537ab923daf14f38d283ca5361424154fa8
+Merge: 7689612 156c758
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 13 20:07:08 2013 -0500
+
+ Update to pax-linux-3.12.5-test4.patch:
+ - fixed 32 bit apps executing certain 64 bit ones, reported by Ronny Meeus
+ - fixed underallocation in __d_alloc that would cause an out-of-bounds read later, reported by Dmitry Vyukov and Kees Cook, not understood by Al Viro
+ (http://lkml.org/lkml/2013/10/3/493 and http://lkml.org/lkml/2013/10/11/293)
+ - fixed use-after-free in sys_remap_file_pages, reported by Dmitry Vyukov (http://lkml.org/lkml/2013/9/17/30)
+ - updated size oveflow plugin from Emese, fixes some false positives reported by Tim Harman and Huub Reuver
+ - fixed a btrfs bug caught by the size overflow plugin, reported by Jens Binnewies (http://forums.grsecurity.net/viewtopic.php?f=1&t=3887)
+ turns out that it was fixed upstream already but never marked for stable backport:
+ - https://bugzilla.kernel.org/show_bug.cgi?id=66661
+ - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/btrfs/tree-log.c?id=ed9e8af88e2551aaa6bf51d8063a2493e2d71597
+ - fixed bad interactions between the KERNEXEC plugin and some gcc features, reported by Amadeusz Sławiński (https://bugs.gentoo.org/show_bug.cgi?id=487938)
+ - the mask register has been changed from r10 (used by DRAP) to r12
+ - all kernel entry points now allocate a full pt_regs area (it required some non-trivial surgery, some fallout is possible)
+
+ Merge branch 'linux-3.12.y' into pax-test
+
+ Conflicts:
+ arch/parisc/kernel/sys_parisc.c
+ fs/pipe.c
+
+commit 82c673fdfd9925cda2e94b67f775be70b8ef4cca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 13 19:39:54 2013 -0500
+
+ Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent
+ atomic reload improvement. These two objects are used only for "files" private
+ to the kernel which don't exist on any mounted filesystem and have no visible
+ path. Only the mode field of these objects is ever used, and we would never
+ attempt to free these objects a second time (due to their being allocated
+ into the memory manager associated with the initial policy)
+
+ In practice this causes bogus auditing messages for / and could potentially
+ cause a subject without executable shared memory support to permit executable
+ shared memory (if PaX is disabled on the binary).
+
+ Instead just allocate these two special objects with kzalloc at enable time
+ and free them at disable time.
+
+ Thanks to nyt@countercultured.net for the report
+
+ grsecurity/gracl_policy.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit b0be33b9efb31e2cb745d1b33eee4f89b315d5bf
+Merge: 4c60da7 7689612
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 8 17:07:04 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ net/ipv4/ping.c
+
+commit 7689612bef2f353f37a2fe94ff0ef8c72634b522
+Merge: 2f004b8 289b6c7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 8 17:05:58 2013 -0500
+
+ Merge branch 'linux-3.12.y' into pax-test
+
+ Conflicts:
+ net/compat.c
+ net/ipv4/ping.c
+ net/ipv6/sit.c
+ net/socket.c
+
+commit 4c60da771d2fba442fe7831d590277e6fe80e908
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 8 16:12:01 2013 -0500
+
+ Backport of:
+
+ If we allocate less than sizeof(struct attrlist) then we end up
+ corrupting memory or doing a ZERO_PTR_SIZE dereference.
+
+ This can only be triggered with CAP_SYS_ADMIN.
+
+ Reported-by: Nico Golde <nico@xxxxxxxxx>
+ Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
+ Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
+
+ fs/xfs/xfs_ioctl.c | 3 ++-
+ fs/xfs/xfs_ioctl32.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+commit bd50af2c306bfe6287631e0e1745cc5d2fbad0c2
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Thu Dec 5 23:29:19 2013 +0100
+
+ Upstream commit: 239c78db9c41a8f524cce60507440d72229d73bc
+
+ net: clear local_df when passing skb between namespaces
+
+ We must clear local_df when passing the skb between namespaces as the
+ packet is not local to the new namespace any more and thus may not get
+ fragmented by local rules. Fred Templin noticed that other namespaces
+ do fragment IPv6 packets while forwarding. Instead they should have send
+ back a PTB.
+
+ The same problem should be present when forwarding DF-IPv4 packets
+ between namespaces.
+
+ Reported-by: Templin, Fred L <Fred.L.Templin@boeing.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/skbuff.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 7803212c99050491bd0a2618e039f62c825f82e5
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon Dec 2 11:50:37 2013 -0800
+
+ Upstream commit: b65502879556d041b45104c6a35abbbba28c8f2d
+
+ uio: we cannot mmap unaligned page contents
+
+ In commit 7314e613d5ff ("Fix a few incorrectly checked
+ [io_]remap_pfn_range() calls") the uio driver started more properly
+ checking the passed-in user mapping arguments against the size of the
+ actual uio driver data.
+
+ That in turn exposed that some driver authors apparently didn't realize
+ that mmap can only work on a page granularity, and had tried to use it
+ with smaller mappings, with the new size check catching that out.
+
+ So since it's not just the user mmap() arguments that can be confused,
+ make the uio mmap code also verify that the uio driver has the memory
+ allocated at page boundaries in order for mmap to work. If the device
+ memory isn't properly aligned, we return
+
+ [ENODEV]
+ The fildes argument refers to a file whose type is not supported by mmap().
+
+ as per the open group documentation on mmap.
+
+ Reported-by: Holger Brunck <holger.brunck@keymile.com>
+ Acked-by: Greg KH <gregkh@linuxfoundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/uio/uio.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit e5fb91d26cb825c36042d62373c0a32a176cfe2d
+Merge: 6b9d9e2 2f004b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 8 10:18:49 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ mm/mmap.c
+
+commit 2f004b87204d113e467ba360ac8b0a9cbfcf01cb
+Merge: c04a09b 81605d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 8 10:16:53 2013 -0500
+
+ Update to pax-linux-3.12.3-test2.patch:
+ - forward port to 3.12.3
+ - fixed incorrect ACCESS_ONCE accessors in rcutree, reported by mcp
+ - fixed the usual arm/CONSTIFY fallout, reported by Michael Tremer <michael.tremer@ipfire.org>
+ - changed the constify plugin to give better error messages
+ - worked around a gcc induced intentional integer overflow in usbdev_read, reported by quasar366 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3889)
+ - better fix for http://forums.grsecurity.net/viewtopic.php?f=3&t=3885
+ - fixed crash under qemu when INVPCID was enabled (say, on -cpu Haswell) but PCID itself wasn't, reported by spender
+ - updated size overflow plugin from Emese, coverage will increase further
+
+ Merge branch 'linux-3.12.y' into pax-test
+
+ Conflicts:
+ kernel/trace/ftrace.c
+ mm/mmap.c
+
+commit 6b9d9e2fe7cd30598a4c22c159ff3b06339e23c8
+Author: David Herrmann <dh.herrmann@gmail.com>
+Date: Tue Nov 26 13:58:18 2013 +0100
+
+ Upstream commit: 80897aa787ecd58eabb29deab7cbec9249c9b7e6
+
+ HID: uhid: fix leak for 64/32 UHID_CREATE
+
+ UHID allows short writes so user-space can omit unused fields. We
+ automatically set them to 0 in the kernel. However, the 64/32 bit
+ compat-handler didn't do that in the UHID_CREATE fallback. This will
+ reveal random kernel heap data (of random size, even) to user-space.
+
+ Fixes: befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems')
+
+ Reported-by: Ben Hutchings <ben@decadent.org.uk>
+ Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+
+ drivers/hid/uhid.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a06981f0117d614ba4d30f6b5dd6eff7d418ffae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 4 18:15:02 2013 -0500
+
+ Don't duplicate __get_dumpable, also make sure we check against
+ SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing
+ detection when suid_dumpable was set to 2
+
+ fs/coredump.c | 7 +++++--
+ grsecurity/grsec_sig.c | 14 ++------------
+ include/linux/grsecurity.h | 2 +-
+ 3 files changed, 8 insertions(+), 15 deletions(-)
+
+commit fc706a922b49e3157cac848fb0c8d1dcf4f360bb
+Merge: 0f023d5 c04a09b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 3 21:41:57 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c04a09b7dbfafdbee85e09c224e90ebc665ce4f5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 3 21:41:20 2013 -0500
+
+ fix up ACCESS_ONCE -> ACCESS_ONCE_RW, as reported by mcp
+
+ kernel/rcutree_plugin.h | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 0f023d59d361b9880155dd8ddb0c1e19a48437c6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 3 19:39:04 2013 -0500
+
+ Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO,
+ see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879
+ The previous info was many years outdated.
+
+ Disable KEXEC when GRKERNSEC_KMEM is enabled:
+ http://mjg59.dreamwidth.org/28746.html
+
+ Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning
+ -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present
+
+ arch/arm/Kconfig | 1 +
+ arch/ia64/Kconfig | 1 +
+ arch/mips/Kconfig | 1 +
+ arch/powerpc/Kconfig | 1 +
+ arch/tile/Kconfig | 1 +
+ arch/x86/Kconfig | 1 +
+ arch/x86/kernel/ioport.c | 12 ++++++------
+ grsecurity/Kconfig | 27 +++++++++++----------------
+ 8 files changed, 23 insertions(+), 22 deletions(-)
+
+commit 9f610c9c398e7e61183feb7fec6b91b9f2223b61
+Merge: fed624e 1395b8f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 2 17:33:01 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1395b8f8832d179a0c73e890754534c9d5442201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 2 17:31:35 2013 -0500
+
+ Forward-ported the following fix from 3.2:
+ - worked around a false positive int truncation in xlog_grant_push_ail, reported by jorgus (http://forums.grsecurity.net/viewtopic.php?f=3&t=3885)
+
+ This caused filesystem corruption in the reported XFS case, problem
+ introduced with Nov 24th patch (IPA-based size overflow plugin)
+
+ arch/x86/include/asm/atomic64_32.h | 2 +-
+ arch/x86/include/asm/atomic64_64.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit fed624ebfd1d08ee6db247733cdb44df0e1be8b0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 2 17:20:00 2013 -0500
+
+ Fix qemu -cpu Haswell booting with pax_nouderef on the kernel cmdline
+
+ init/main.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a72ed588cbbda00d356529507b6bdca56c19d4c3
+Merge: 3f201fe db6d69f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 30 10:46:15 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/dcache.c
+ ipc/shm.c
+ net/sunrpc/clnt.c
+
+commit db6d69f61412f929242423f92d52f4c2c74bab5d
+Merge: 1f411d7 050dcf4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 30 10:40:33 2013 -0500
+
+ Merge branch 'linux-3.12.y' into pax-test
+
+commit 3f201fe9a368a4b0339a2f3cf1259b785ae8374c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Nov 26 15:16:48 2013 -0500
+
+ Fix null deref on application of the shutdown role, reported by zakalwe
+
+ grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++-
+ grsecurity/gracl_policy.c | 58 ++++-----------------------------------------
+ 2 files changed, 62 insertions(+), 54 deletions(-)
+
+commit f5648d16a7cc79abe6de7ae62e284fa511bb750a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Nov 26 13:04:07 2013 -0500
+
+ Add system library paths to allowed areas for usermode helper calls,
+ later we will also add checks to ensure the file is owned by root
+
+ kernel/kmod.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit c610c1f0f580069a1dc9d58c0eb0bddd33cbc25c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Nov 26 12:59:00 2013 -0500
+
+ Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer
+ causing a NULL deref on RBAC reload, reported by zakalwe
+
+ grsecurity/gracl_policy.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4026c926f19d7642c1f89895b556fe2addaef239
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed Nov 13 07:45:40 2013 -0500
+
+ Upstream commit: ede4cebce16f5643c61aedd6d88d9070a1d23a68
+
+ prepend_path() needs to reinitialize dentry/vfsmount/mnt on restarts
+
+ ... and equivalent is needed in 3.12; it's broken there as well
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/dcache.c
+
+ fs/dcache.c | 10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+commit c68d27fa66951166bff79a5c1bcc26985ac3f8bc
+Merge: 94b560b 1f411d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 25 23:09:47 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1f411d73c56904d2be9cde1f78aaec7f4554dab1
+Merge: 5f17cd8 6beb1be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 25 23:09:34 2013 -0500
+
+ Merge branch 'linux-3.12.y' into pax-test
+
+commit 94b560b0163a20b9eab9ec77b83f0bff853fe601
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 25 22:33:33 2013 -0500
+
+ compile fix
+
+ kernel/kmod.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 58c014d37769d384c2e3c06ce5f60fe54f855b24
+Merge: 48ac6ac 5f17cd8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 25 22:27:00 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/mm/fault.c
+
+commit 5f17cd87d5c7faf606255f061dd394f6761e38df
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 25 22:25:42 2013 -0500
+
+ Update to pax-linux-3.12.1-test2.patch:
+ - made arm/UDEREF violation reports more consistent, reported by acez and spender
+ - added a bit more amd64 kernel page table hardening
+ - fixed some constify related compiler errors
+ - fixed stack trace reports under i386/KERNEXEC, reported by ncopa and minipli
+ - updated the size overflow hash table
+
+ arch/arm/mm/fault.c | 16 ++-
+ arch/x86/include/asm/paravirt_types.h | 2 +-
+ arch/x86/kernel/head_64.S | 18 ++-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 2 +-
+ drivers/gpu/vga/vga_switcheroo.c | 4 +-
+ drivers/hwmon/nct6775.c | 6 +-
+ drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +-
+ drivers/staging/lustre/lnet/selftest/framework.c | 4 -
+ drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
+ drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
+ drivers/staging/lustre/lustre/include/obd.h | 2 +-
+ .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +-
+ drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
+ drivers/staging/rtl8188eu/include/rtw_io.h | 2 +-
+ include/linux/hwmon-sysfs.h | 1 +
+ include/linux/pm.h | 1 +
+ include/linux/vga_switcheroo.h | 8 +-
+ net/core/sysctl_net_core.c | 2 +-
+ scripts/link-vmlinux.sh | 4 +-
+ sound/soc/soc-core.c | 6 +-
+ tools/gcc/size_overflow_hash.data | 142 ++++++++++++--------
+ 21 files changed, 145 insertions(+), 111 deletions(-)
+
+commit 48ac6ac8a1fd55f2b276bf5326ce52782b7c554f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 25 12:01:21 2013 -0500
+
+ Conventions exist for a reason -- systemd knows better though
+ and decides to put security-sensitive system administration utilities
+ into /usr/lib/systemd in contrast to *every* other user of usermode
+ helpers. Work around this stupidity
+
+ kernel/kmod.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 9ed081196dcaa72bae91d5a31329e35bd480d92b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:49:05 2013 -0500
+
+ Revert "HID: multitouch: validate feature report details"
+
+ This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684.
+
+ drivers/hid/hid-multitouch.c | 25 +++++--------------------
+ 1 files changed, 5 insertions(+), 20 deletions(-)
+
+commit 801d69b26655ea7240df45ad14f96054e4d9803a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:48:49 2013 -0500
+
+ Revert "HID: lenovo-tpkbd: validate output report details"
+
+ This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a.
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 -----
+ 1 files changed, 0 insertions(+), 5 deletions(-)
+
+commit 1f70f596dd47ca9467a06b19ffc341c147ea4a23
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:48:33 2013 -0500
+
+ Revert "HID: steelseries: validate output report details"
+
+ This reverts commit 0996966348dc3c3f7515567d3245292785d484fc.
+
+ drivers/hid/hid-steelseries.c | 5 -----
+ 1 files changed, 0 insertions(+), 5 deletions(-)
+
+commit 8101ee4167c83f850cc2366088e3f60d01dcb9f7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:22:03 2013 -0500
+
+ remove __no_const from pv_lock_ops as it's not constified by the plugin
+
+ arch/x86/include/asm/paravirt_types.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a94e46e08a9d8236544f881faa9cccecfe9c702b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:08:33 2013 -0500
+
+ add missing header
+
+ fs/proc/proc_sysctl.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit f0018c34f5ef840fffac10eb60fed9048317832f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 22:04:55 2013 -0500
+
+ Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace
+
+ fs/proc/proc_sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 99a6a515bf625395fa31892f46311c3877a3fa93
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 17:50:21 2013 -0500
+
+ remove unnecessary code/comments after new reload method
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ----
+ grsecurity/gracl_policy.c | 13 -------------
+ 2 files changed, 0 insertions(+), 17 deletions(-)
+
+commit 10b6650a259b9a5911a33fc9aaf6677920830eee
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 16:05:01 2013 -0500
+
+ Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then)
+
+ Introduce new atomic RBAC reload method, developed as part of sponsorship
+ by EIG
+
+ This is accompanied by an updated 3.0 gradm which will use the new reload
+ method when -R is passed to gradm. The old method will still be available
+ via gradm -r (which is what a 2.9.1 gradm will continue to use).
+
+ The new RBAC reload method is atomic in the sense that at no point in the
+ reload process will the system not be covered by a coherent full policy.
+ In contrast to previous reload behavior, it also preserves inherited subjects
+ and special roles.
+
+ The old RBAC reload method has also been made atomic. Both methods have
+ been updated to perform role_allowed_ip checks only against the IP tagged
+ to the task at the time its role was first applied or changed. This resolves
+ long-standing usability problems with the use of role_allowed_ip and matches
+ the policies created by learning.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Makefile | 2 +-
+ grsecurity/gracl.c | 3903 +++++++++++++------------------------------
+ grsecurity/gracl_alloc.c | 42 +-
+ grsecurity/gracl_compat.c | 3 +-
+ grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++
+ grsecurity/gracl_segv.c | 12 +-
+ grsecurity/grsec_disabled.c | 7 -
+ grsecurity/grsec_init.c | 15 -
+ include/linux/gracl.h | 43 +-
+ include/linux/grinternal.h | 1 -
+ include/linux/grsecurity.h | 1 -
+ include/linux/sched.h | 2 +
+ 12 files changed, 3082 insertions(+), 2787 deletions(-)
+
+commit b035ba537ccc7dc58b9643ab58a2f5a7b4e6738e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 15:08:28 2013 -0500
+
+ compile fix for recent GRKERNSEC_CHROOT_INITRD change
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ init/main.c | 12 +++---------
+ 1 files changed, 3 insertions(+), 9 deletions(-)
+
+commit a898fff136a97e265c63375a2a03ebd91c9c1286
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 18:27:37 2013 -0500
+
+ Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kmod.h | 3 +++
+ kernel/kmod.c | 13 +++++++++++++
+ 2 files changed, 16 insertions(+), 0 deletions(-)
+
+commit 1ae8347eb782c4e961210052e2de554bfdb52980
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 17:20:15 2013 -0500
+
+ Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention.
+
+ Reported by acez on IRC
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/mm/fault.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+commit 71643b46e6b67e76e52153559d0dc4004c402141
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:56:46 2013 -0500
+
+ Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically.
+
+ Conflicts:
+
+ init/main.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 2 +-
+ grsecurity/grsec_chroot.c | 2 +-
+ init/main.c | 15 +++++++++++++++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+commit e357e72d769e5c35167e2bf934c722fc825ee2cd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:33:20 2013 -0500
+
+ limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/kmod.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit 4ed2dc55aa2344b9ade6cddbe5ee8b51b6239c54
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:02:01 2013 -0500
+
+ perform USERCOPY kernel text checks against the linear mapping on amd64 as well
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/exec.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit 211bbd408a1d7bc2e9ef72df07aa7ce0cbd6c49d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 22 20:31:37 2013 -0500
+
+ Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
+
+ This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
+
+ It caused errors with traceroute, reported to upstream and fixed with
+ http://patchwork.ozlabs.org/patch/293614/
+ But there's no reason for us to maintain this backport as we're
+ already impervious to recvmsg/msg_name infoleaks
+
+ Conflicts:
+
+ net/ipv4/ping.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/ieee802154/dgram.c | 3 ++-
+ net/ipv4/ping.c | 11 +++++++++--
+ net/ipv4/raw.c | 4 +++-
+ net/ipv4/udp.c | 7 ++++++-
+ net/ipv6/raw.c | 4 +++-
+ net/ipv6/udp.c | 5 ++++-
+ net/l2tp/l2tp_ip.c | 4 +++-
+ net/phonet/datagram.c | 9 +++++----
+ 8 files changed, 35 insertions(+), 12 deletions(-)
+
+commit 4bd8414bb148cf8681c8f1d2deda5739cafb6917
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 18 07:07:45 2013 +0100
+
+ Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0
+
+ ping: prevent NULL pointer dereference on write to msg_name
+
+ A plain read() on a socket does set msg->msg_name to NULL. So check for
+ NULL pointer first.
+
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/ipv4/ping.c | 34 +++++++++++++++++++---------------
+ 1 files changed, 19 insertions(+), 15 deletions(-)
+
+commit ccc6e0dd63fc36c5c7fd1bbe4f8fed6533d188a1
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 18 04:20:45 2013 +0100
+
+ Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
+
+ inet: prevent leakage of uninitialized memory to user in recv syscalls
+
+ Only update *addr_len when we actually fill in sockaddr, otherwise we
+ can return uninitialized memory from the stack to the caller in the
+ recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
+ checks because we only get called with a valid addr_len pointer either
+ from sock_common_recvmsg or inet_recvmsg.
+
+ If a blocking read waits on a socket which is concurrently shut down we
+ now return zero and set msg_msgnamelen to 0.
+
+ Reported-by: mpb <mpb.mail@gmail.com>
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/ieee802154/dgram.c | 3 +--
+ net/ipv4/ping.c | 19 +++++++------------
+ net/ipv4/raw.c | 4 +---
+ net/ipv4/udp.c | 7 +------
+ net/ipv6/raw.c | 4 +---
+ net/ipv6/udp.c | 5 +----
+ net/l2tp/l2tp_ip.c | 4 +---
+ net/phonet/datagram.c | 9 ++++-----
+ 8 files changed, 17 insertions(+), 38 deletions(-)
+
+commit 0db1e136415d5696b2342b953361ef7c3017247d
+Author: Jeff Layton <jlayton@redhat.com>
+Date: Wed Nov 13 09:08:21 2013 -0500
+
+ Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545
+
+ nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once
+
+ Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or
+ NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again.
+ There is no guarantee that doing so will work however, so we can end up
+ retrying the call in an infinite loop.
+
+ Worse yet, we create the new client using rpc_clone_client_set_auth,
+ which creates the new client as a child of the old one. Thus, we can end
+ up with a *very* long lineage of rpc_clnts. When we go to put all of the
+ references to them, we can end up with a long call chain that can smash
+ the stack as each rpc_free_client() call can recurse back into itself.
+
+ This patch fixes this by simply ensuring that the SETCLIENTID call will
+ only be retried in this situation if the last attempt did not use
+ RPC_AUTH_UNIX.
+
+ Note too that with this change, we don't need the (i > 2) check in the
+ -EACCES case since we now have a more reliable test as to whether we
+ should reattempt.
+
+ Cc: stable@vger.kernel.org # v3.10+
+ Cc: Chuck Lever <chuck.lever@oracle.com>
+ Tested-by/Acked-by: Weston Andros Adamson <dros@netapp.com>
+ Signed-off-by: Jeff Layton <jlayton@redhat.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/nfs/nfs4state.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 74d59ef1b28635f588c47b270777cd69b0e8291f
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Tue Nov 12 17:24:36 2013 -0500
+
+ Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b
+
+ SUNRPC: Avoid deep recursion in rpc_release_client
+
+ In cases where an rpc client has a parent hierarchy, then
+ rpc_free_client may end up calling rpc_release_client() on the
+ parent, thus recursing back into rpc_free_client. If the hierarchy
+ is deep enough, then we can get into situations where the stack
+ simply overflows.
+
+ The fix is to have rpc_release_client() loop so that it can take
+ care of the parent rpc client hierarchy without needing to
+ recurse.
+
+ Reported-by: Jeff Layton <jlayton@redhat.com>
+ Reported-by: Weston Andros Adamson <dros@netapp.com>
+ Reported-by: Bruce Fields <bfields@fieldses.org>
+ Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/sunrpc/clnt.c | 29 +++++++++++++++++------------
+ 1 files changed, 17 insertions(+), 12 deletions(-)
+
+commit 8ae59cf66f3a302d45578171337df2d8fe35458c
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Nov 8 16:03:50 2013 -0500
+
+ Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73
+
+ SUNRPC: Fix a data corruption issue when retransmitting RPC calls
+
+ The following scenario can cause silent data corruption when doing
+ NFS writes. It has mainly been observed when doing database writes
+ using O_DIRECT.
+
+ 1) The RPC client uses sendpage() to do zero-copy of the page data.
+ 2) Due to networking issues, the reply from the server is delayed,
+ and so the RPC client times out.
+
+ 3) The client issues a second sendpage of the page data as part of
+ an RPC call retransmission.
+
+ 4) The reply to the first transmission arrives from the server
+ _before_ the client hardware has emptied the TCP socket send
+ buffer.
+ 5) After processing the reply, the RPC state machine rules that
+ the call to be done, and triggers the completion callbacks.
+ 6) The application notices the RPC call is done, and reuses the
+ pages to store something else (e.g. a new write).
+
+ 7) The client NIC drains the TCP socket send buffer. Since the
+ page data has now changed, it reads a corrupted version of the
+ initial RPC call, and puts it on the wire.
+
+ This patch fixes the problem in the following manner:
+
+ The ordering guarantees of TCP ensure that when the server sends a
+ reply, then we know that the _first_ transmission has completed. Using
+ zero-copy in that situation is therefore safe.
+ If a time out occurs, we then send the retransmission using sendmsg()
+ (i.e. no zero-copy), We then know that the socket contains a full copy of
+ the data, and so it will retransmit a faithful reproduction even if the
+ RPC call completes, and the application reuses the O_DIRECT buffer in
+ the meantime.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++-------
+ 1 files changed, 21 insertions(+), 7 deletions(-)
+
+commit 1a40aeaa23860a26df02c9c8729937b6da2bcdd6
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Nov 14 11:21:10 2013 +0300
+
+ Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
+
+ isdnloop: use strlcpy() instead of strcpy()
+
+ These strings come from a copy_from_user() and there is no way to be
+ sure they are NUL terminated.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/isdn/isdnloop/isdnloop.c | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+commit a7a1549064b332e878efa22fdebed32035cc8f07
+Author: Eric Dumazet <edumazet@google.com>
+Date: Thu Nov 14 13:37:54 2013 -0800
+
+ Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
+
+ ipv4: fix possible seqlock deadlock
+
+ ip4_datagram_connect() being called from process context,
+ it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
+ otherwise we can deadlock on 32bit arches, or get corruptions of
+ SNMP counters.
+
+ Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Reported-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/ipv4/datagram.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 96b7719c933229c8619f8ad207c141dcc70d546e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:15:51 2013 -0500
+
+ GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0001071fa9ff6ef9370a370bea51bef2f1e3c2ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 19:07:11 2013 -0500
+
+ Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/mm/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 05ae94add600530e3ae98f9a153cb6423b91e46a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 19:01:59 2013 -0500
+
+ Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+
+ Will let this sit in -test for a while to weed out any app incompatibilities
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 17 +++++++++++++++++
+ grsecurity/Makefile | 2 +-
+ grsecurity/grsec_init.c | 4 ++++
+ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++
+ grsecurity/grsec_sysctl.c | 9 +++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grmsg.h | 1 +
+ ipc/util.c | 5 +++++
+ 8 files changed, 60 insertions(+), 1 deletions(-)
+
+commit f5be6d902d5b36c0fb40aabb61f686e510a2d887
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 11 10:48:10 2013 -0500
+
+ Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/video/arcfb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e60c412c422f72a52c819465db8b81991d861390
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 22:01:33 2013 -0500
+
+ Add missing include
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/proc_sysctl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 17d5ff67a76aab404c8cbe13576d492a7a8b342a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 17:50:12 2013 -0500
+
+ add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/mm/Kconfig | 2 +-
+ grsecurity/Kconfig | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletions(-)
+
+commit b4aa2136272e6b1cdbb285a74ee17471dd679dfa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 15:19:27 2013 -0500
+
+ On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr.
+
+ Thanks to acez from IRC for debugging.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 197a69f1783917091d60db2a3ffd7ff14d41489d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 13:54:25 2013 -0500
+
+ Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own
+
+ This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
+ networking
+
+ Thanks to ncopa from IRC for testing
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/proc/proc_sysctl.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 010702a965acb2aea4d81510f99d788ab6564123
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 16:23:36 2013 -0500
+
+ Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
+
+ Conflicts:
+
+ security/Kconfig
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 09ce0d45a4fc86ca1389260bf28a62f98ccff362
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 16:19:21 2013 -0500
+
+ change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence
+
+ Conflicts:
+
+ lib/list_debug.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
+ 1 files changed, 42 insertions(+), 23 deletions(-)
+
+commit 60a1f79d72bdfc2c6aed1be9537559959a0b8b55
+Author: Jason Wang <jasowang@redhat.com>
+Date: Fri Nov 1 15:01:10 2013 +0800
+
+ Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd
+
+ net: flow_dissector: fail on evil iph->ihl
+
+ We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
+ skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
+ is evil (less than 5).
+
+ This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
+ (rps: support IPIP encapsulation).
+
+ Cc: Eric Dumazet <edumazet@google.com>
+ Cc: Petr Matousek <pmatouse@redhat.com>
+ Cc: Michael S. Tsirkin <mst@redhat.com>
+ Cc: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: Jason Wang <jasowang@redhat.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/core/flow_dissector.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 9743a1eca0b0172da4ec07bc07fa30fcccb9fba7
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue Oct 29 10:21:34 2013 -0700
+
+ Fixed a little differently than Linus...
+
+ Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
+
+ Fix a few incorrectly checked [io_]remap_pfn_range() calls
+
+ Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
+ really should use the vm_iomap_memory() helper. This trivially converts
+ two of them to the helper, and comments about why the third one really
+ needs to continue to use remap_pfn_range(), and adds the missing size
+ check.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
+
+ Conflicts:
+
+ drivers/uio/uio.c
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/uio/uio.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+commit 187b4936fbaaafd087556919bae3b719e67536b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:36:25 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com> To: linux-audit@redhat.com Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com> Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
+
+ We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
+ we miss to initialize the mask member of status_set. Fix that.
+
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: stable@vger.kernel.org # v2.6.6+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/audit.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0e48ab30113de43958987e9f0d20fb816892c090
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 19:02:32 2013 -0400
+
+ add 2nd chunk of audit nlmsg_len() fix from minipli
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/audit.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b5e6b4bcb3a38c94605e9fa68d6c5936438fb0d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:37:59 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com> To: linux-audit@redhat.com Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com> Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
+
+ Using the nlmsg_len member of the netlink header to test if the message
+ is valid is wrong as it includes the size of the netlink header itself.
+ Thereby allowing to send short netlink messages that pass those checks.
+
+ Use nlmsg_len() instead to test for the right message length. The result
+ of nlmsg_len() is guaranteed to be non-negative as the netlink message
+ already passed the checks of nlmsg_ok().
+
+ Also switch to min_t() to please checkpatch.pl.
+
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/audit.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit dfb491ad409ee7efadcb00041cd31e9e411efebb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:41:01 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com> To: netfilter-devel@vger.kernel.org Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be> Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
+
+ The ulog messages leak heap bytes by the means of padding bytes and
+ incompletely filled string arrays. Fix those by memset(0)'ing the
+ whole struct before filling it.
+
+ Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ Conflicts:
+
+ net/bridge/netfilter/ebt_ulog.c
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/bridge/netfilter/ebt_ulog.c | 9 +++------
+ 1 files changed, 3 insertions(+), 6 deletions(-)
+
+commit 637ef6f911201af0136b794b5b602eb14efb6b7c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:43:01 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com> To: netfilter-devel@vger.kernel.org Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
+
+ The ulog messages leak heap bytes by the means of padding bytes and
+ incompletely filled string arrays. Fix those by memset(0)'ing the
+ whole struct before filling it.
+
+ Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+ Cc: Patrick McHardy <kaber@trash.net>
+ Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ Conflicts:
+
+ net/ipv4/netfilter/ipt_ULOG.c
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/ipv4/netfilter/ipt_ULOG.c | 7 +------
+ 1 files changed, 1 insertions(+), 6 deletions(-)
+
+commit 103af82880576436f1fceafec93da69f0d55d019
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Sep 27 21:06:17 2013 -0400
+
+ Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_ip.c | 7 +++----
+ net/socket.c | 26 +++++++++++++++-----------
+ 2 files changed, 18 insertions(+), 15 deletions(-)
+
+commit 7749496c3667613ea505823948c0f4f4d9c1d90c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 22 18:14:07 2013 -0400
+
+ Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
+
+ This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/netlink/genetlink.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit 4463e68a60d4fb557d37f993f42e3039041550fc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 09:19:21 2013 -0400
+
+ remove unnecessary check from when protocol was signed
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/phonet/af_phonet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit efafe8039b3287f73e0abcb4f7be18e83a5c9a2e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 08:53:27 2013 -0400
+
+ resync with PaX
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ security/selinux/hooks.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 79b41d988ecb86d7dd46f3319b50f4c4d46e65a7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:12:45 2013 -0400
+
+ Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ lib/Kconfig.debug | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0f3840d1103e4bf77d4e2098afc4750bb6440ecc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 19:16:48 2013 -0400
+
+ Fix a bad git merge, re-applied a previously reverted patch
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit c5f66cfeabad4b64a521d1442f7ea9149c011320
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:56:37 2013 -0400
+
+ finish porting namei.c
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/namei.c | 50 +++++++++++---------------------------------------
+ 1 files changed, 11 insertions(+), 39 deletions(-)
+
+commit c264c5b4c33c462b41d224091602fe5c9acb163b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:44:08 2013 -0400
+
+ cred->user -> current_user()
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit af7bdc7d41a1a8b631802772088968ceacd0d6b4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:36:24 2013 -0400
+
+ Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 00eb4028fcc737e2451332e3177705913c9b1bb1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:36:23 2013 -0400
+
+ fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 7adc4a28e2a0ef38f89bbd648a2e1ba70cad852e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:17:02 2013 -0400
+
+ Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_sysctl.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit 472e0e1d1516b3002ce1e256dfcd58701358d5f8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 18:41:49 2013 -0400
+
+ Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
+
+ Also eliminate reset_security_ops() as a ROP target when
+ SECURITY_SELINUX_DISABLE is disabled as it's the only user
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 17 ++++++++++++++++-
+ grsecurity/grsec_init.c | 3 +++
+ grsecurity/grsec_sysctl.c | 2 +-
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+commit 92745146ec948d5761ac00f98c4a1612c8e6037e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 17:11:11 2013 -0400
+
+ fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_sysctl.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit eac5b7076235de7b21757cab257415ab779cc7c8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:42:39 2013 -0400
+
+ add export of gr_handle_new_usb()
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_usb.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 8e4ea40613a9763d1dc128fdf29c0279001b5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 19:24:47 2013 -0400
+
+ Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/usb/core/hub.c | 5 +++++
+ grsecurity/Kconfig | 20 ++++++++++++++++++++
+ grsecurity/Makefile | 3 ++-
+ grsecurity/grsec_init.c | 1 +
+ grsecurity/grsec_sysctl.c | 11 +++++++++++
+ grsecurity/grsec_usb.c | 13 +++++++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grsecurity.h | 2 ++
+ 8 files changed, 55 insertions(+), 1 deletions(-)
+
+commit 0996966348dc3c3f7515567d3245292785d484fc
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:14:34 2013 -0700
+
+ HID: steelseries: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ steelseries HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+ ...
+ [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2891
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-steelseries.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 91bfda18a5711db32c984c632f47fa57458d993a
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:21:23 2013 -0700
+
+ HID: lenovo-tpkbd: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ lenovo-tpkbd HID driver to write just beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+ ...
+ [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2894
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 8aeb7645473b408fc6b2bd78a72671351fc8e684
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:11:32 2013 -0700
+
+ HID: multitouch: validate feature report details
+
+ When working on report indexes, always validate that they are in bounds.
+ Without this, a HID device could report a malicious feature report that
+ could trick the driver into a heap overflow:
+
+ [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+ ...
+ [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2897
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
+ 1 files changed, 20 insertions(+), 5 deletions(-)
+
+commit 1a624940a4733c04c0f997820c1dcd1eebfcd5bc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 19 22:10:04 2013 -0400
+
+ fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/kernel/smpboot.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit acca67efb4aeee03672b5d2947da311dcfc2a1d6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 12:00:20 2013 -0400
+
+ make kallsyms_lookup_size_offset available to approved source files
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit cb33df1c5ce5f74fcb7d4a2f5b2d07d54d4e1fd8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:18:09 2013 -0400
+
+ allow use of kallsyms_lookup_name to approved source files
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 72e55282becb58c925f9034fe717cad96f7fc51d
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Aug 13 09:04:05 2013 +0200
+
+ Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
+
+ genetlink: fix family dump race
+
+ When dumping generic netlink families, only the first dump call
+ is locked with genl_lock(), which protects the list of families,
+ and thus subsequent calls can access the data without locking,
+ racing against family addition/removal. This can cause a crash.
+ Fix it - the locking needs to be conditional because the first
+ time around it's already locked.
+
+ A similar bug was reported to me on an old kernel (3.4.47) but
+ the exact scenario that happened there is no longer possible,
+ on those kernels the first round wasn't locked either. Looking
+ at the current code I found the race described above, which had
+ also existed on the old kernel.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/netlink/genetlink.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 2f8d8b1de901cce7ac5a5dc4f3b8731ba58653d9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 08:58:34 2013 -0400
+
+ Fix two harmless compiler warnings
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/kernel/process.c | 4 ++--
+ fs/exec.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit c414e04ef91fca7dfd260ae307272b1b9a29d1bd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:46:01 2013 -0400
+
+ Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 2 +-
+ kernel/kprobes.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletions(-)
+
+commit b11ccf0d90b1244a91e0422ecd1a1b4918384ff7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 10 09:41:40 2013 -0400
+
+ propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit 81c244a4d186918eb5bde824945878803fb5aeeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:58:42 2013 -0400
+
+ Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0f32f992d91442e87628fa805f488c2431930df7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:26:40 2013 -0400
+
+ Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
+
+ Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
+ user namespaces!
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/fork.c | 17 -----------------
+ kernel/user_namespace.c | 15 +++++++++++++++
+ 2 files changed, 15 insertions(+), 17 deletions(-)
+
+commit b570e8d61ff1670d0737acd9919316ac32fce732
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 16:05:41 2013 -0400
+
+ silence a warning on older gcc
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f580da3b1ddbecc3f65a7957986742bea34c5851
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 3 08:31:08 2013 -0400
+
+ we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a2b23c36d322e9ebea5621652b77ad2569a3826d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:54:51 2013 -0400
+
+ add include
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_log.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit ecb7724fd1bcd4fa57059d6297d4f74d4ec93fe6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:49:13 2013 -0400
+
+ fix compilation
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/grinternal.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit a2d7b00383303a5d537e64519dbd31d51645d28e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:34:35 2013 -0400
+
+ Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
+ fs/exec.c | 4 ++++
+ grsecurity/Kconfig | 21 +++++----------------
+ grsecurity/grsec_init.c | 4 ----
+ grsecurity/grsec_log.c | 14 ++++++++++++++
+ grsecurity/grsec_pax.c | 19 ++++++++++++++-----
+ grsecurity/grsec_sysctl.c | 9 ---------
+ include/linux/binfmts.h | 1 +
+ include/linux/grinternal.h | 2 +-
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 3 ++-
+ mm/mmap.c | 7 +++++++
+ mm/mprotect.c | 2 +-
+ 13 files changed, 88 insertions(+), 38 deletions(-)
+
+commit 9513c974076339e5b4ba8974b50fd3e9fe18a0d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:52:02 2013 -0400
+
+ add missing #define
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 97af65d0dbfaf8680a7f9a17c45a10892fe907d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:43:53 2013 -0400
+
+ fix compilation for !COMPAT as reported on the forums
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
+ 1 files changed, 97 insertions(+), 98 deletions(-)
+
+commit b2362a07aecb8b86d3dd5e0696ea6dc546ea3144
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:20 2013 -0400
+
+ Revert "revert recent PaX change that causes boot failures with 32bit userland"
+
+ This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 9c0a788e099e0a78bb83961bf02d82ac2c32e21c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 16:26:58 2013 -0400
+
+ compile fix for !COMPAT as mentioned on forums
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 1975575638ae15faba25f749a9040345a73e12e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:33:14 2013 -0400
+
+ perform compat conversion of rlimit infinity
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 1282e76e8da58821760a5519cd7bd2510ad7deaf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:21:40 2013 -0400
+
+ remove debugging
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
+ 1 files changed, 11 insertions(+), 33 deletions(-)
+
+commit 6aa728a7c77d5fe62dd0b731e76b518f85db7808
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:20:32 2013 -0400
+
+ eliminate compat_dev_t
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/gracl_compat.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 176f65b9498eb83576294934d94bb80f3830e99a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:13:22 2013 -0400
+
+ fix compat rlimit size
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
+ include/linux/gracl_compat.h | 4 +-
+ 2 files changed, 49 insertions(+), 23 deletions(-)
+
+commit f039eddf22e143d336421325eb689a76227956b3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:20:18 2013 -0400
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 4594be163c41c9a400f0b377e6c35d8fb5599387
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:14:29 2013 -0400
+
+ copy correct pointer size in new compat code
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 8 ++++----
+ grsecurity/gracl_compat.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 54a18c9ea152b14381ed3fb4b0a86ef78bd611af
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:15:50 2013 -0400
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 166e0c9ff369a931bec65abda32811bb0b548506
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:12:46 2013 -0400
+
+ remove BUILD_BUG_ONs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 20 --------------------
+ 1 files changed, 0 insertions(+), 20 deletions(-)
+
+commit ee1e4712f5b32f43da0130efedbeb158d7f63562
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:18:36 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 8 ++++----
+ include/linux/gracl_compat.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit a629a151f557380fed415b226fe5e0e234a285eb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:16:42 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_compat.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 218c33ffd6a34fe09037784138dda02b817c1c20
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:13:51 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit e7291feaff2e3dd3d4d01016419cc1dd16ab9658
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:11:03 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 527c8e008b6729ad595c652119128c0a858c0f7e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:08:21 2013 -0400
+
+ more compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 28 ++++++++++++++--------------
+ 1 files changed, 14 insertions(+), 14 deletions(-)
+
+commit 0a6c24237be46318780bd5aa0a0c37837336e40a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:59:50 2013 -0400
+
+ more compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+commit 0c11bf85db37db5667cfb61caf0c72e8437e4197
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:56:47 2013 -0400
+
+ additional compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 files changed, 49 insertions(+), 10 deletions(-)
+
+commit c32fb26e578c2b1b98654e72ceeafc58906acf06
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:47:15 2013 -0400
+
+ fix typo
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 80bb153435dac25476b0da4a61238b229ba2b631
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:46:59 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 14 deletions(-)
+
+commit d7f8a40e0fc1dc1466a271ac33074b6f90226a1a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:22:44 2013 -0400
+
+ Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
+
+ Also removed code duplication for copying strings into the kernel
+
+ Work performed as part of sponsorship
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Makefile | 4 +
+ grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
+ grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
+ include/linux/gracl_compat.h | 156 +++++++++++++++++++++
+ 4 files changed, 603 insertions(+), 142 deletions(-)
+
+commit 00e035016762dfa49b15cf310ab57fc7011fb4dd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 16 20:40:24 2013 -0400
+
+ allow viewing of ecryptfs version under SYSFS_RESTRICT
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/sysfs/dir.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a144fc9f2f2f6a1d5999b6bd226d964b8b551e31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:49:17 2013 -0400
+
+ Update PaX fix, just return the error
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/madvise.c | 11 +++++------
+ 1 files changed, 5 insertions(+), 6 deletions(-)
+
+commit 26dd795769f903add193b605f051bed55bf95507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:36:00 2013 -0400
+
+ Fix madvise oops reported by Peter Keel
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/madvise.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+commit c441e54c74284d2dac3aaaf282391f6572239e24
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 22:04:59 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/exec.c | 2 +-
+ mm/mmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit ecea885713f4d818032182d839c86dc74ac95b04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:15:10 2013 -0400
+
+ Initial port of grsecurity to 3.11 using new git method
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 3 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 12 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/signal.c | 9 +-
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 9 +-
+ arch/x86/kernel/sys_x86_64.c | 8 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 1 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 128 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/cdrom/cdrom.c | 2 +-
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 9 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 184 ++-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 256 ++-
+ fs/namespace.c | 16 +
+ fs/open.c | 38 +
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 166 ++-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 4 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/perf_event.h | 13 +-
+ include/linux/printk.h | 3 +-
+ include/linux/sched.h | 24 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 29 +
+ kernel/capability.c | 40 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/events/core.c | 14 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 64 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 2 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 7 +
+ kernel/printk/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 69 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 1 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 63 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev_ioctl.c | 4 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 4 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netrom/af_netrom.c | 1 -
+ net/phonet/af_phonet.c | 2 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 341 +++-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 228 files changed, 4141 insertions(+), 2027 deletions(-)
+
+commit 62c18efae524d4cd41939c1d63989d3582b1131a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:57:40 2013 -0400
+
+ Commit merge of new files and rejected patches
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/powerpc/include/asm/thread_info.h | 7 +-
+ arch/powerpc/mm/slice.c | 2 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 15 +
+ fs/coredump.c | 1 +
+ fs/ext4/balloc.c | 4 +-
+ fs/namei.c | 7 +
+ fs/namespace.c | 8 +
+ fs/pipe.c | 2 +-
+ fs/proc/inode.c | 13 +
+ fs/proc/internal.h | 3 +
+ grsecurity/Kconfig | 1054 +++++++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 ++++
+ grsecurity/gracl_ip.c | 387 +++
+ grsecurity/gracl_learn.c | 207 ++
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 +++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 +++
+ grsecurity/grsec_disabled.c | 434 ++++
+ grsecurity/grsec_exec.c | 187 ++
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 +++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 +++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 246 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 ++++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/gracl.h | 319 +++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 ++
+ include/linux/grinternal.h | 227 ++
+ include/linux/grmsg.h | 112 +
+ include/linux/grsecurity.h | 241 ++
+ include/linux/grsock.h | 19 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/proc_fs.h | 13 +
+ include/linux/sched.h | 48 +-
+ include/trace/events/fs.h | 53 +
+ kernel/kmod.c | 7 +-
+ kernel/panic.c | 2 +-
+ kernel/posix-timers.c | 1 +
+ kernel/time/timekeeping.c | 2 +
+ lib/Kconfig.debug | 2 +-
+ lib/vsprintf.c | 31 +
+ localversion-grsec | 1 +
+ mm/mmap.c | 13 +-
+ mm/shmem.c | 2 +-
+ net/core/net-procfs.c | 5 +
+ net/ipv6/udp.c | 3 +
+ net/netfilter/xt_gradm.c | 51 +
+ 66 files changed, 11184 insertions(+), 21 deletions(-)
+
+commit 718ed34658f4e4716ff3c9e6d098552d357d19f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 20:58:05 2013 -0500
+
+ Initial import of pax-linux-3.12.1-test1.patch
+
+ Documentation/dontdiff | 46 +-
+ Documentation/kernel-parameters.txt | 23 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 444 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 3 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 54 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 95 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/entry-armv.S | 110 +-
+ arch/arm/kernel/entry-common.S | 40 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 3 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/module.c | 31 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/process.c | 42 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 35 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 8 +-
+ arch/arm/kernel/vmlinux.lds.S | 24 +-
+ arch/arm/kvm/arm.c | 8 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 4 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
+ arch/arm/mach-ux500/setup.h | 7 -
+ arch/arm/mm/Kconfig | 6 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/context.c | 10 +-
+ arch/arm/mm/fault.c | 134 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 30 +-
+ arch/arm/mm/mmu.c | 185 +-
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 728 ++-
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/local.h | 57 +
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/include/asm/smtc_proc.h | 2 +-
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/irq.c | 6 +-
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/kernel/smtc-proc.c | 6 +-
+ arch/mips/kernel/smtc.c | 2 +-
+ arch/mips/kernel/sync-r4k.c | 24 +-
+ arch/mips/kernel/traps.c | 13 +-
+ arch/mips/mm/fault.c | 25 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap.c | 16 +
+ arch/powerpc/mm/slice.c | 13 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/smp_64.c | 12 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 52 +-
+ arch/sparc/kernel/traps_64.c | 27 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 +
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/sparc/mm/init_64.c | 10 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 4 +-
+ arch/x86/Makefile | 16 +-
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/efi_stub_32.S | 16 +-
+ arch/x86/boot/compressed/head_32.S | 2 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 6 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 22 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 +
+ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/serpent-avx2-asm_64.S | 9 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/sha256-avx-asm.S | 2 +
+ arch/x86/crypto/sha256-avx2-asm.S | 2 +
+ arch/x86/crypto/sha256-ssse3-asm.S | 2 +
+ arch/x86/crypto/sha512-avx-asm.S | 2 +
+ arch/x86/crypto/sha512-avx2-asm.S | 2 +
+ arch/x86/crypto/sha512-ssse3-asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 157 +-
+ arch/x86/ia32/sys_ia32.c | 4 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 +-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 8 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 16 +-
+ arch/x86/include/asm/desc.h | 74 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 8 +-
+ arch/x86/include/asm/futex.h | 20 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 136 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/include/asm/page_64.h | 4 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 124 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 79 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 29 +-
+ arch/x86/include/asm/smap.h | 64 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/tlbflush.h | 74 +-
+ arch/x86/include/asm/uaccess.h | 108 +-
+ arch/x86/include/asm/uaccess_32.h | 96 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xen/page.h | 2 +-
+ arch/x86/include/asm/xsave.h | 14 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 69 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 130 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ arch/x86/kernel/doublefault.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 61 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 356 +-
+ arch/x86/kernel/entry_64.S | 666 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 13 +-
+ arch/x86/kernel/head_32.S | 228 +-
+ arch/x86/kernel/head_64.S | 138 +-
+ arch/x86/kernel/i386_ksyms_32.c | 12 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 67 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/jump_label.c | 6 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 55 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 20 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 42 +-
+ arch/x86/kernel/reboot_fixups_32.c | 2 +-
+ arch/x86/kernel/relocate_kernel_64.S | 5 +-
+ arch/x86/kernel/setup.c | 63 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 28 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 184 +
+ arch/x86/kernel/sys_x86_64.c | 22 +-
+ arch/x86/kernel/tboot.c | 12 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/tracepoint.c | 4 +-
+ arch/x86/kernel/traps.c | 62 +-
+ arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 147 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 6 +-
+ arch/x86/kernel/x86_init.c | 6 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 63 +-
+ arch/x86/kvm/x86.c | 8 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 89 +-
+ arch/x86/lib/copy_user_nocache_64.S | 22 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 8 +-
+ arch/x86/lib/getuser.S | 74 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 22 +-
+ arch/x86/lib/memmove_64.S | 36 +-
+ arch/x86/lib/memset_64.S | 11 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 359 +-
+ arch/x86/lib/usercopy_64.c | 18 +-
+ arch/x86/mm/Makefile | 4 +
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 564 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 101 +-
+ arch/x86/mm/init_32.c | 111 +-
+ arch/x86/mm/init_64.c | 45 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 36 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pat_rbtree.c | 2 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 139 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/mm/uderef_64.c | 37 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 38 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 24 +
+ arch/x86/platform/efi/efi_64.c | 10 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 11 +-
+ arch/x86/realmode/init.c | 10 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 3 +-
+ arch/x86/tools/Makefile | 2 +-
+ arch/x86/tools/relocs.c | 94 +-
+ arch/x86/um/tls_32.c | 2 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 45 +-
+ arch/x86/xen/mmu.c | 11 +-
+ arch/x86/xen/smp.c | 21 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-cgroup.c | 4 +-
+ block/blk-iopoll.c | 2 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 2 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/genhd.c | 9 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 29 +-
+ crypto/cryptd.c | 4 +-
+ crypto/pcrypt.c | 2 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/apei/ghes.c | 4 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 12 +-
+ drivers/ata/libata-scsi.c | 2 +-
+ drivers/ata/libata.h | 2 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 8 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_nl.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/pktcdvd.c | 4 +-
+ drivers/bluetooth/btwilink.c | 2 +-
+ drivers/bus/arm-cci.c | 2 +-
+ drivers/cdrom/cdrom.c | 11 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 4 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 43 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clk/clk-composite.c | 2 +-
+ drivers/clk/socfpga/clk.c | 9 +-
+ drivers/cpufreq/acpi-cpufreq.c | 13 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq_governor.h | 4 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 10 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/sparc-us3-cpufreq.c | 67 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/crypto/hifn_795x.c | 4 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/dma/sh/shdmac.c | 2 +-
+ drivers/edac/edac_device.c | 4 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci.c | 4 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 6 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 2 +-
+ drivers/firmware/efi/efi.c | 12 +-
+ drivers/firmware/efi/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 8 +-
+ drivers/gpu/drm/drm_fops.c | 16 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 2 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 20 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_cmd.c | 12 +-
+ drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +-
+ drivers/gpu/drm/qxl/qxl_drv.h | 8 +-
+ drivers/gpu/drm/qxl/qxl_irq.c | 16 +-
+ drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/gpu/host1x/drm/dc.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hid/uhid.c | 6 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hv_balloon.c | 18 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/iio_hwmon.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mlx4/mad.c | 2 +-
+ drivers/infiniband/hw/mlx4/mcg.c | 2 +-
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +-
+ drivers/infiniband/hw/mthca/mthca_main.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_provider.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/misc/ims-pcu.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/input/serio/serio_raw.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 12 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/gigaset/usb-gigaset.c | 2 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_common.c | 2 +
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/isdn/mISDN/dsp_cmx.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bcache/closure.h | 2 +-
+ drivers/md/bcache/super.c | 2 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stats.c | 6 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 4 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/radio/radio-maxiradio.c | 2 +-
+ drivers/media/radio/radio-shark.c | 2 +-
+ drivers/media/radio/radio-shark2.c | 2 +-
+ drivers/media/radio/radio-si476x.c | 2 +-
+ drivers/media/rc/rc-main.c | 4 +-
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
+ drivers/media/v4l2-core/v4l2-device.c | 4 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 67 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/max8925-i2c.c | 2 +-
+ drivers/mfd/tps65910.c | 2 +-
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/mmci.c | 4 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/usb/sierra_net.c | 4 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wimax/i2400m/rx.c | 2 +-
+ drivers/net/wireless/airo.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath10k/htc.c | 7 +-
+ drivers/net/wireless/ath/ath10k/htc.h | 4 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/b43/phy_lp.c | 2 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
+ drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/nfc/nfcwilink.c | 2 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 6 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/msi-wmi.c | 2 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/core.c | 4 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/android/timed_output.c | 6 +-
+ drivers/staging/gdm724x/gdm_tty.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10.h | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/target/sbp/sbp_target.c | 4 +-
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/hvc/hvsi.c | 12 +-
+ drivers/tty/hvc/hvsi_lib.c | 6 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/ioc4_serial.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/msm_serial.c | 4 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 8 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 15 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 6 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/dwc3/gadget.c | 2 -
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/host/ehci-hub.c | 4 +-
+ drivers/usb/misc/appledisplay.c | 4 +-
+ drivers/usb/serial/console.c | 8 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/vfio/vfio.c | 2 +-
+ drivers/vhost/vringh.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/hyperv_fb.c | 4 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_addr.c | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/afs/inode.c | 4 +-
+ fs/aio.c | 2 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 6 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 656 ++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/delayed-inode.c | 6 +-
+ fs/btrfs/delayed-inode.h | 4 +-
+ fs/btrfs/super.c | 2 +-
+ fs/buffer.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/ceph/super.c | 4 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 4 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 12 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 18 +-
+ fs/dcache.c | 3 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/exec.c | 362 +-
+ fs/ext2/xattr.c | 5 +-
+ fs/ext3/xattr.c | 5 +-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 4 +-
+ fs/ext4/xattr.c | 5 +-
+ fs/fhandle.c | 3 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 40 +-
+ fs/fscache/internal.h | 200 +-
+ fs/fscache/object.c | 26 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 4 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hostfs/hostfs_kern.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 16 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 9 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 2 +-
+ fs/ntfs/super.c | 6 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 61 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/proc/vmcore.c | 12 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/read_write.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 4 +-
+ fs/splice.c | 41 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_readdir.c | 7 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 16 +
+ include/asm-generic/uaccess.h | 16 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/i915_pciids.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/audit.h | 2 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/bitops.h | 4 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 8 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/clk-provider.h | 1 +
+ include/linux/compat.h | 4 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 12 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/fdtable.h | 2 +-
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/genhd.h | 4 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 12 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 4 +-
+ include/linux/jiffies.h | 12 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/linkage.h | 1 +
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 10 +-
+ include/linux/mempolicy.h | 7 +
+ include/linux/mm.h | 118 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 10 +-
+ include/linux/pipe_fs_i.h | 8 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-ohci-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/preempt.h | 19 +
+ include/linux/proc_ns.h | 2 +-
+ include/linux/quota.h | 2 +-
+ include/linux/random.h | 19 +-
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 67 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/security.h | 2 -
+ include/linux/semaphore.h | 2 +-
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 48 +-
+ include/linux/slab_def.h | 14 +-
+ include/linux/slub_def.h | 2 +-
+ include/linux/smp.h | 2 +
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 18 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 9 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 9 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-device.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 17 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 20 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 4 +-
+ include/net/netns/ipv6.h | 4 +-
+ include/net/ping.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 13 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/compress_driver.h | 2 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 30 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 42 +-
+ init/main.c | 77 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 10 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 38 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 30 +-
+ kernel/events/internal.h | 12 +-
+ kernel/events/uprobes.c | 2 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 166 +-
+ kernel/futex.c | 11 +-
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 2 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 10 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 24 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 76 +-
+ kernel/rcutree.h | 26 +-
+ kernel/rcutree_plugin.h | 30 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 49 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/sched/sched.h | 2 +-
+ kernel/signal.c | 12 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 14 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 4 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 18 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_clock.c | 4 +-
+ kernel/trace/trace_events.c | 1 -
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ kernel/workqueue.c | 2 +-
+ lib/Kconfig.debug | 8 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 126 +-
+ lib/percpu-refcount.c | 2 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/usercopy.c | 6 +
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/backing-dev.c | 4 +-
+ mm/filemap.c | 10 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 3 +-
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 +-
+ mm/mempolicy.c | 25 +
+ mm/mlock.c | 15 +-
+ mm/mmap.c | 591 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 2 +-
+ mm/page_alloc.c | 42 +-
+ mm/page_io.c | 2 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 44 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 108 +-
+ mm/slab.h | 15 +-
+ mm/slab_common.c | 60 +-
+ mm/slob.c | 206 +-
+ mm/slub.c | 88 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 2 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 75 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 2 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 4 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/ceph/messenger.c | 4 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/netpoll.c | 4 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/skbuff.c | 6 +-
+ net/core/sock.c | 28 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ieee802154/6lowpan.c | 2 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/devinet.c | 18 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 14 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 20 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 18 +-
+ net/ipv6/addrconf.c | 12 +-
+ net/ipv6/af_inet6.c | 2 +-
+ net/ipv6/datagram.c | 2 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/output_core.c | 15 +-
+ net/ipv6/ping.c | 28 +-
+ net/ipv6/raw.c | 17 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 6 +-
+ net/ipv6/xfrm6_policy.c | 17 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 16 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 8 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/sunrpc/svcauth_unix.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 4 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 22 +-
+ net/xfrm/xfrm_state.c | 33 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.sh | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/module-common.lds | 4 +
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 690 ++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/internal.h | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/avc.c | 6 +-
+ security/selinux/hooks.c | 11 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/core/sound.c | 2 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/hda/hda_codec.c | 8 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 172 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 560 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 471 ++
+ tools/gcc/latent_entropy_plugin.c | 335 +
+ tools/gcc/size_overflow_hash.data | 7613 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 3840 ++++++++++
+ tools/gcc/stackleak_plugin.c | 327 +
+ tools/gcc/structleak_plugin.c | 277 +
+ tools/lib/lk/Makefile | 2 +-
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1701 files changed, 36050 insertions(+), 7719 deletions(-)
+commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 17:50:21 2013 -0500
+
+ remove unnecessary code/comments after new reload method
+
+ grsecurity/gracl.c | 4 ----
+ grsecurity/gracl_policy.c | 13 -------------
+ 2 files changed, 0 insertions(+), 17 deletions(-)
+
+commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 16:05:01 2013 -0500
+
+ Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous
+ features have been added since then)
+
+ Introduce new atomic RBAC reload method, developed as part of sponsorship
+ by EIG
+
+ This is accompanied by an updated 3.0 gradm which will use the new reload
+ method when -R is passed to gradm. The old method will still be available
+ via gradm -r (which is what a 2.9.1 gradm will continue to use).
+
+ The new RBAC reload method is atomic in the sense that at no point in the
+ reload process will the system not be covered by a coherent full policy.
+ In contrast to previous reload behavior, it also preserves inherited subjects
+ and special roles.
+
+ The old RBAC reload method has also been made atomic. Both methods have
+ been updated to perform role_allowed_ip checks only against the IP tagged
+ to the task at the time its role was first applied or changed. This resolves
+ long-standing usability problems with the use of role_allowed_ip and matches
+ the policies created by learning.
+
+ grsecurity/Makefile | 2 +-
+ grsecurity/gracl.c | 3903 +++++++++++++------------------------------
+ grsecurity/gracl_alloc.c | 42 +-
+ grsecurity/gracl_compat.c | 3 +-
+ grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++
+ grsecurity/gracl_segv.c | 12 +-
+ grsecurity/grsec_disabled.c | 7 -
+ grsecurity/grsec_init.c | 15 -
+ include/linux/gracl.h | 43 +-
+ include/linux/grinternal.h | 1 -
+ include/linux/grsecurity.h | 1 -
+ include/linux/sched.h | 2 +
+ 12 files changed, 3082 insertions(+), 2787 deletions(-)
+
+commit d8981a4fd03025434a466fd87a0eaea93755bc70
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 15:08:28 2013 -0500
+
+ compile fix for recent GRKERNSEC_CHROOT_INITRD change
+
+ init/main.c | 12 +++---------
+ 1 files changed, 3 insertions(+), 9 deletions(-)
+
+commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 18:27:37 2013 -0500
+
+ Make the recent usermode_helper protection race-free as far as userland
+ is concerned by creating a copy of the path to be executed, then check against
+ that copied path instead of the still-mutable original path
+
+ include/linux/kmod.h | 3 +++
+ kernel/kmod.c | 13 +++++++++++++
+ 2 files changed, 16 insertions(+), 0 deletions(-)
+
+commit ecdd0610bef058fd33fee50b489d949c1a0db07a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 17:20:15 2013 -0500
+
+ Produce a UDEREF message when faulting on kernel access to a non-present
+ page in the userland range. This is purely for consistency of logs,
+ due to there being no domain present to fault based on. An
+ "Unable to handle kernel fault.." oops would already (and still is)
+ generated for these cases, triggering grsec's bruteforce prevention.
+
+ Reported by acez on IRC
+
+ arch/arm/mm/fault.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+commit 3f4adfade80bba0d865b5c603bd58da555ca4553
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:56:46 2013 -0500
+
+ Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option,
+ Also make sure we mark init as run if no initrd was used. Though this
+ should already be enforced in grsec_chroot.c, this should future-proof
+ the feature a bit in case userland somehow changes drastically.
+
+ Conflicts:
+
+ init/main.c
+
+ grsecurity/Kconfig | 2 +-
+ grsecurity/grsec_chroot.c | 2 +-
+ init/main.c | 15 +++++++++++++++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+commit d4a9bb63091852b5b49ebd216796b374e5c0dc71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:33:20 2013 -0500
+
+ limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
+
+ kernel/kmod.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit e727db195f8bed17c65d050e1772643d730fe565
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:02:01 2013 -0500
+
+ perform USERCOPY kernel text checks against the linear mapping on amd64 as well
+
+ fs/exec.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb
+Merge: 2fcc3a5 2d1263b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 22 21:11:44 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1
+Merge: d52f291 e0cd057
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 22 21:11:33 2013 -0500
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+ Conflicts:
+ drivers/net/ethernet/chelsio/cxgb3/sge.c
+
+commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 22 20:31:37 2013 -0500
+
+ Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
+
+ This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
+
+ It caused errors with traceroute, reported to upstream and fixed with
+ http://patchwork.ozlabs.org/patch/293614/
+ But there's no reason for us to maintain this backport as we're
+ already impervious to recvmsg/msg_name infoleaks
+
+ Conflicts:
+
+ net/ipv4/ping.c
+
+ net/ieee802154/dgram.c | 3 ++-
+ net/ipv4/ping.c | 11 +++++++++--
+ net/ipv4/raw.c | 4 +++-
+ net/ipv4/udp.c | 7 ++++++-
+ net/ipv6/raw.c | 4 +++-
+ net/ipv6/udp.c | 5 ++++-
+ net/l2tp/l2tp_ip.c | 4 +++-
+ net/phonet/datagram.c | 9 +++++----
+ 8 files changed, 35 insertions(+), 12 deletions(-)
+
+commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 18 07:07:45 2013 +0100
+
+ Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0
+
+ ping: prevent NULL pointer dereference on write to msg_name
+
+ A plain read() on a socket does set msg->msg_name to NULL. So check for
+ NULL pointer first.
+
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ping.c | 34 +++++++++++++++++++---------------
+ 1 files changed, 19 insertions(+), 15 deletions(-)
+
+commit 8bb32f2682953e1b748a59c4a4363b237c3510df
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 18 04:20:45 2013 +0100
+
+ Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
+
+ inet: prevent leakage of uninitialized memory to user in recv syscalls
+
+ Only update *addr_len when we actually fill in sockaddr, otherwise we
+ can return uninitialized memory from the stack to the caller in the
+ recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
+ checks because we only get called with a valid addr_len pointer either
+ from sock_common_recvmsg or inet_recvmsg.
+
+ If a blocking read waits on a socket which is concurrently shut down we
+ now return zero and set msg_msgnamelen to 0.
+
+ Reported-by: mpb <mpb.mail@gmail.com>
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ieee802154/dgram.c | 3 +--
+ net/ipv4/ping.c | 19 +++++++------------
+ net/ipv4/raw.c | 4 +---
+ net/ipv4/udp.c | 7 +------
+ net/ipv6/raw.c | 4 +---
+ net/ipv6/udp.c | 5 +----
+ net/l2tp/l2tp_ip.c | 4 +---
+ net/phonet/datagram.c | 9 ++++-----
+ 8 files changed, 17 insertions(+), 38 deletions(-)
+
+commit 642d754081c130a151e7df27e5c07edf2f368106
+Author: Jeff Layton <jlayton@redhat.com>
+Date: Wed Nov 13 09:08:21 2013 -0500
+
+ Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545
+
+ nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once
+
+ Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or
+ NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again.
+ There is no guarantee that doing so will work however, so we can end up
+ retrying the call in an infinite loop.
+
+ Worse yet, we create the new client using rpc_clone_client_set_auth,
+ which creates the new client as a child of the old one. Thus, we can end
+ up with a *very* long lineage of rpc_clnts. When we go to put all of the
+ references to them, we can end up with a long call chain that can smash
+ the stack as each rpc_free_client() call can recurse back into itself.
+
+ This patch fixes this by simply ensuring that the SETCLIENTID call will
+ only be retried in this situation if the last attempt did not use
+ RPC_AUTH_UNIX.
+
+ Note too that with this change, we don't need the (i > 2) check in the
+ -EACCES case since we now have a more reliable test as to whether we
+ should reattempt.
+
+ Cc: stable@vger.kernel.org # v3.10+
+ Cc: Chuck Lever <chuck.lever@oracle.com>
+ Tested-by/Acked-by: Weston Andros Adamson <dros@netapp.com>
+ Signed-off-by: Jeff Layton <jlayton@redhat.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ fs/nfs/nfs4state.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2
+Author: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed Jul 24 12:28:28 2013 -0400
+
+ Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e
+
+ NFS: Use root's credential for lease management when keytab is missing
+
+ Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting"
+ Fri Sep 14 17:24:32 2012 introduced Uniform Client String support,
+ which forces our NFS client to establish a client ID immediately
+ during a mount operation rather than waiting until a user wants to
+ open a file.
+
+ Normally machine credentials (eg. from a keytab) are used to perform
+ a mount operation that is protected by Kerberos. Before 05fc350,
+ SETCLIENTID used a machine credential, or fell back to a regular
+ user's credential if no keytab is available.
+
+ On clients that don't have a keytab, performing SETCLIENTID early
+ means there's no user credential to fall back on, since no regular
+ user has kinit'd yet. 05f4c350 seems to have broken the ability
+ to mount with sec=krb5 on clients that don't have a keytab in
+ kernels 3.7 - 3.10.
+
+ To address this regression, commit 4edaa308 (NFS: Use "krb5i" to
+ establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013,
+ was merged in 3.10. This commit forces the NFS client to fall back
+ to AUTH_SYS for lease management operations if no keytab is
+ available.
+
+ Neil Brown noticed that, since root is required to kinit to do a
+ sec=krb5 mount when a client doesn't have a keytab, we can try to
+ use root's Kerberos credential before AUTH_SYS.
+
+ Now, when determining a principal and flavor to use for lease
+ management, the NFS client tries in this order:
+
+ 1. Flavor: AUTH_GSS, krb5i
+ Principal: service principal (via keytab)
+
+ 2. Flavor: AUTH_GSS, krb5i
+ Principal: user principal established for UID 0 (via kinit)
+
+ 3. Flavor: AUTH_SYS
+ Principal: UID 0 / GID 0
+
+ Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ fs/nfs/nfs4state.c | 19 ++++++++++++++++++-
+ 1 files changed, 18 insertions(+), 1 deletions(-)
+
+commit 6ebab64904f37af82e950b0c6d321437e810b248
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Tue Nov 12 17:24:36 2013 -0500
+
+ Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b
+
+ SUNRPC: Avoid deep recursion in rpc_release_client
+
+ In cases where an rpc client has a parent hierarchy, then
+ rpc_free_client may end up calling rpc_release_client() on the
+ parent, thus recursing back into rpc_free_client. If the hierarchy
+ is deep enough, then we can get into situations where the stack
+ simply overflows.
+
+ The fix is to have rpc_release_client() loop so that it can take
+ care of the parent rpc client hierarchy without needing to
+ recurse.
+
+ Reported-by: Jeff Layton <jlayton@redhat.com>
+ Reported-by: Weston Andros Adamson <dros@netapp.com>
+ Reported-by: Bruce Fields <bfields@fieldses.org>
+ Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 29 +++++++++++++++++------------
+ 1 files changed, 17 insertions(+), 12 deletions(-)
+
+commit fcb4306973aed105cc6d042077bf31e21b812008
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Nov 8 16:03:50 2013 -0500
+
+ Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73
+
+ SUNRPC: Fix a data corruption issue when retransmitting RPC calls
+
+ The following scenario can cause silent data corruption when doing
+ NFS writes. It has mainly been observed when doing database writes
+ using O_DIRECT.
+
+ 1) The RPC client uses sendpage() to do zero-copy of the page data.
+ 2) Due to networking issues, the reply from the server is delayed,
+ and so the RPC client times out.
+
+ 3) The client issues a second sendpage of the page data as part of
+ an RPC call retransmission.
+
+ 4) The reply to the first transmission arrives from the server
+ _before_ the client hardware has emptied the TCP socket send
+ buffer.
+ 5) After processing the reply, the RPC state machine rules that
+ the call to be done, and triggers the completion callbacks.
+ 6) The application notices the RPC call is done, and reuses the
+ pages to store something else (e.g. a new write).
+
+ 7) The client NIC drains the TCP socket send buffer. Since the
+ page data has now changed, it reads a corrupted version of the
+ initial RPC call, and puts it on the wire.
+
+ This patch fixes the problem in the following manner:
+
+ The ordering guarantees of TCP ensure that when the server sends a
+ reply, then we know that the _first_ transmission has completed. Using
+ zero-copy in that situation is therefore safe.
+ If a time out occurs, we then send the retransmission using sendmsg()
+ (i.e. no zero-copy), We then know that the socket contains a full copy of
+ the data, and so it will retransmit a faithful reproduction even if the
+ RPC call completes, and the application reuses the O_DIRECT buffer in
+ the meantime.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: stable@vger.kernel.org
+
+ net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++-------
+ 1 files changed, 21 insertions(+), 7 deletions(-)
+
+commit 2c59d4080ae744532dbe595f6923dcba72279977
+Merge: b2b99c6 d52f291
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 18 19:07:55 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d52f291621da9227cda5fd647e82dfe9bfc11265
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 18 19:07:14 2013 -0500
+
+ Update to pax-linux-3.11.8-test14.patch:
+ - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878)
+
+ mm/page_alloc.c | 2 +-
+ tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++----------
+ 2 files changed, 25 insertions(+), 11 deletions(-)
+
+commit b2b99c6972e345565d561b722de210f071e5e259
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:47:37 2013 -0500
+
+ Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e
+
+ ipv6: fix headroom calculation in udp6_ufo_fragment
+ Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
+ fragmentation for tunnel traffic.") changed the calculation if
+ there is enough space to include a fragment header in the skb from a
+ skb->mac_header dervived one to skb_headroom. Because we already peeled
+ off the skb to transport_header this is wrong. Change this back to check
+ if we have enough room before the mac_header.
+
+ This fixes a panic Saran Neti reported. He used the tbf scheduler which
+ skb_gso_segments the skb. The offsets get negative and we panic in memcpy
+ because the skb was erroneously not expanded at the head.
+
+ Reported-by: Saran Neti <Saran.Neti@telus.com>
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/udp_offload.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 012ee7647e16f464f8d1ad004e28eac2ba778158
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Nov 14 11:21:10 2013 +0300
+
+ Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
+
+ isdnloop: use strlcpy() instead of strcpy()
+
+ These strings come from a copy_from_user() and there is no way to be
+ sure they are NUL terminated.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/isdnloop/isdnloop.c | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f
+Author: Eric Dumazet <edumazet@google.com>
+Date: Thu Nov 14 13:37:54 2013 -0800
+
+ Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
+
+ ipv4: fix possible seqlock deadlock
+
+ ip4_datagram_connect() being called from process context,
+ it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
+ otherwise we can deadlock on 32bit arches, or get corruptions of
+ SNMP counters.
+
+ Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Reported-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/datagram.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1a642170613ae336331f2df38aa8f2c1227d3c96
+Merge: 60c6423 84d78c7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:28:51 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:28:07 2013 -0500
+
+ Update to pax-linux-3.11.8-test13.patch:
+ - forward port to 3.11.8
+ - removed some no longer used code from bpf jit
+ - fixed some atomic_unchecked_t usage in oprofile and uio
+ - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy
+
+ arch/x86/include/asm/mmu_context.h | 8 ++++++++
+ arch/x86/kernel/setup.c | 2 +-
+ drivers/bluetooth/btwilink.c | 2 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/message/i2o/i2o_proc.c | 16 ++++++++--------
+ drivers/mfd/max8925-i2c.c | 2 +-
+ drivers/mfd/tps65910.c | 2 +-
+ drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +-
+ drivers/net/wireless/airo.c | 2 +-
+ drivers/net/wireless/b43/phy_lp.c | 2 +-
+ drivers/nfc/nfcwilink.c | 2 +-
+ drivers/oprofile/oprofilefs.c | 4 ++--
+ drivers/platform/x86/msi-wmi.c | 2 +-
+ drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++-------------
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++----
+ drivers/usb/serial/console.c | 2 +-
+ include/linux/filter.h | 4 ----
+ kernel/audit.c | 2 +-
+ 20 files changed, 41 insertions(+), 45 deletions(-)
+
+commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:15:51 2013 -0500
+
+ GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
+
+ grsecurity/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 19:07:11 2013 -0500
+
+ Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS
+ and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps
+ make it more obvious that while we make use of domains, CPU_USE_DOMAINS is
+ disabled as far as the kernel knows
+
+ arch/arm/mm/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 19:01:59 2013 -0500
+
+ Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research
+ on overly-permissive shared memory found in hundreds of areas in Linux
+ distros:
+ http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+
+ Will let this sit in -test for a while to weed out any app incompatibilities
+
+ grsecurity/Kconfig | 17 +++++++++++++++++
+ grsecurity/Makefile | 2 +-
+ grsecurity/grsec_init.c | 4 ++++
+ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++
+ grsecurity/grsec_sysctl.c | 9 +++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grmsg.h | 1 +
+ ipc/util.c | 5 +++++
+ 8 files changed, 60 insertions(+), 1 deletions(-)
+
+commit 27c3b43bd5ad9c9b877016f26192dbc30da54018
+Merge: 08e883f d0a09ad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 13 22:27:13 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d0a09ad6430008135b98da6e1941e98a6110b59e
+Merge: 4e826ac 02709ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 13 22:27:03 2013 -0500
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 11 10:48:10 2013 -0500
+
+ Fix the overflowable range check just to be correct.
+ Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt
+ but I believe this to be unexploitable due to bounds checks on 'count'
+ from rw_verify_area() in fs/read_write.c
+
+ drivers/video/arcfb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 094c08532f9877a287ffac7a87b05841a56b4e5d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 22:01:33 2013 -0500
+
+ Add missing include
+
+ fs/proc/proc_sysctl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e383790f8252620f52895e202cc057c4318da3f4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 17:50:12 2013 -0500
+
+ add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS
+ option: GRKERNSEC_OLD_ARM_USERLAND
+
+ arch/arm/mm/Kconfig | 2 +-
+ grsecurity/Kconfig | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletions(-)
+
+commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 15:19:27 2013 -0500
+
+ On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr
+ was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF
+ loading). Fix this by setting a proper default on these architectures like set on the LSM-based
+ mmap_min_addr.
+
+ Thanks to acez from IRC for debugging.
+
+ mm/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 17f832897194f46c4759aa02e048ad5623a04eed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 13:54:25 2013 -0500
+
+ Compatibility fix for LXC:
+ Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values,
+ use a CAP_NET_ADMIN check within the user namespace of the process performing the modification
+ CAP_SYS_ADMIN is still required for any other sysctl modification, including modification
+ of sysctls of a net namespace other than our own
+
+ This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
+ networking
+
+ Thanks to ncopa from IRC for testing
+
+ fs/proc/proc_sysctl.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20
+Merge: fb281bd 4e826ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 17:27:16 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ net/l2tp/l2tp_core.c
+
+commit 4e826ac763867707352d93b7d23ed86e4c6829cf
+Merge: e309bfb 39773be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 17:26:23 2013 -0500
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+ Conflicts:
+ net/compat.c
+
+commit fb281bdee5ccb76facfe1172318a867b624011f4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 16:23:36 2013 -0500
+
+ Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
+
+ Conflicts:
+
+ security/Kconfig
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 16:19:21 2013 -0500
+
+ change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel
+ bruteforce deterrence
+
+ Conflicts:
+
+ lib/list_debug.c
+
+ lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
+ 1 files changed, 42 insertions(+), 23 deletions(-)
+
+commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 23:01:43 2013 +0300
+
+ Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427
+
+ Staging: sb105x: info leak in mp_get_count()
+
+ The icount.reserved[] array isn't initialized so it leaks stack
+ information to userspace.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/staging/sb105x/sb_pci_mp.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 22:06:04 2013 +0300
+
+ Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b
+
+ uml: check length in exitcode_proc_write()
+
+ We don't cap the size of buffer from the user so we could write past the
+ end of the array here. Only root can write to this file.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/um/kernel/exitcode.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 1285d10ec38f216f3c5de7ce085ce43447c78916
+Author: Jason Wang <jasowang@redhat.com>
+Date: Fri Nov 1 15:01:10 2013 +0800
+
+ Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd
+
+ net: flow_dissector: fail on evil iph->ihl
+
+ We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
+ skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
+ is evil (less than 5).
+
+ This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
+ (rps: support IPIP encapsulation).
+
+ Cc: Eric Dumazet <edumazet@google.com>
+ Cc: Petr Matousek <pmatouse@redhat.com>
+ Cc: Michael S. Tsirkin <mst@redhat.com>
+ Cc: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: Jason Wang <jasowang@redhat.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/flow_dissector.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc
+Author: Ming Lei <ming.lei@canonical.com>
+Date: Thu Oct 31 16:34:17 2013 -0700
+
+ Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75
+
+ lib/scatterlist.c: don't flush_kernel_dcache_page on slab page
+
+ Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
+ functions") introduces two sg buffer copy helpers, and calls
+ flush_kernel_dcache_page() on pages in SG list after these pages are
+ written to.
+
+ Unfortunately, the commit may introduce a potential bug:
+
+ - Before sending some SCSI commands, kmalloc() buffer may be passed to
+ block layper, so flush_kernel_dcache_page() can see a slab page
+ finally
+
+ - According to cachetlb.txt, flush_kernel_dcache_page() is only called
+ on "a user page", which surely can't be a slab page.
+
+ - ARCH's implementation of flush_kernel_dcache_page() may use page
+ mapping information to do optimization so page_mapping() will see the
+ slab page, then VM_BUG_ON() is triggered.
+
+ Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
+ and this patch fixes the bug by adding test of '!PageSlab(miter->page)'
+ before calling flush_kernel_dcache_page().
+
+ Signed-off-by: Ming Lei <ming.lei@canonical.com>
+ Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+ Tested-by: Simon Baatz <gmbnomis@gmail.com>
+ Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
+ Cc: Will Deacon <will.deacon@arm.com>
+ Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+ Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+ Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: <stable@vger.kernel.org> [3.2+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/scatterlist.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 23:01:11 2013 +0300
+
+ Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba
+
+ Staging: bcm: info leak in ioctl
+
+ The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
+ information to user space.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/staging/bcm/Bcmchar.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a2ab9d69265a08280241a2f2152e535316d02f53
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 22:11:06 2013 +0300
+
+ Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5
+
+ aacraid: missing capable() check in compat ioctl
+
+ In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
+ added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the
+ check as well.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/scsi/aacraid/linit.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 23:00:15 2013 +0300
+
+ Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054
+
+ staging: wlags49_h2: buffer overflow setting station name
+
+ We need to check the length parameter before doing the memcpy(). I've
+ actually changed it to strlcpy() as well so that it's NUL terminated.
+
+ You need CAP_NET_ADMIN to trigger these so it's not the end of the
+ world.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+commit afd645c1684265260b64ec8189cbc2703b91f6ab
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 22:07:47 2013 +0300
+
+ Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15
+
+ staging: ozwpan: prevent overflow in oz_cdev_write()
+
+ We need to check "count" so we don't overflow the ei->data buffer.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/staging/ozwpan/ozcdev.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 4a907baeb462b7e0f50923be5a9d842aec93c97a
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue Oct 29 10:21:34 2013 -0700
+
+ Fixed a little differently than Linus...
+
+ Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
+
+ Fix a few incorrectly checked [io_]remap_pfn_range() calls
+
+ Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
+ really should use the vm_iomap_memory() helper. This trivially converts
+ two of them to the helper, and comments about why the third one really
+ needs to continue to use remap_pfn_range(), and adds the missing size
+ check.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
+
+ Conflicts:
+
+ drivers/uio/uio.c
+
+ drivers/uio/uio.c | 19 +++++++++++++++++--
+ drivers/video/au1100fb.c | 26 +-------------------------
+ drivers/video/au1200fb.c | 23 +----------------------
+ 3 files changed, 19 insertions(+), 49 deletions(-)
+
+commit e68e94ddd03cf81d875b30a5e7b0e1bb4682e61f
+Merge: 0970b16 e309bfb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 27 15:17:05 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e309bfbf7b506b2294b30233f7a3299173a75cf7
+Author: Hugh Dickins <hughd@google.com>
+Date: Wed Oct 16 13:47:09 2013 -0700
+
+ Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779
+
+ mm: revert mremap pud_free anti-fix
+
+ Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail
+ calling pmd_alloc()").
+
+ The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map()
+ ensure that the pud, pmd, pt is already allocated, and seldom do they
+ need to allocate; on failure, upper levels are freed if appropriate by
+ the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an
+ unconditional pud_free() of a most-likely still-in-use pud: saved only
+ by the near-impossiblity of pmd_alloc() failing.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mremap.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit 0970b16a9df08b8cca6929b6443f67df432ac3e5
+Author: Eric Dumazet <edumazet@google.com>
+Date: Tue Oct 1 21:04:11 2013 -0700
+
+ Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693
+
+ net: do not call sock_put() on TIMEWAIT sockets
+
+ commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
+ hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
+
+ We should instead use inet_twsk_put()
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/inet_hashtables.c | 2 +-
+ net/ipv6/inet6_hashtables.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Mon Sep 30 13:29:08 2013 -0700
+
+ Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645
+
+ igb: Avoid uninitialized advertised variable in eee_set_cur
+
+ eee_get_cur assumes that the output data is already zeroed. It can
+ read-modify-write the advertised field:
+
+ if (ipcnfg & E1000_IPCNFG_EEE_100M_AN)
+ 2594 edata->advertised |= ADVERTISED_100baseT_Full;
+
+ This is ok for the normal ethtool eee_get call, which always
+ zeroes the input data before.
+
+ But eee_set_cur also calls eee_get_cur and it did not zero the input
+ field. Later on it then compares agsinst the field, which can contain partial
+ stack garbage.
+
+ Zero the input field in eee_set_cur() too.
+
+ Cc: jeffrey.t.kirsher@intel.com
+ Cc: netdev@vger.kernel.org
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 651730a8caabce37f78d8e6c84283b96e434d19f
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Oct 3 00:27:20 2013 +0300
+
+ Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8
+
+ net: heap overflow in __audit_sockaddr()
+
+ We need to cap ->msg_namelen or it leads to a buffer overflow when we
+ to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
+ exploit this bug.
+
+ The call tree is:
+ ___sys_recvmsg()
+ move_addr_to_user()
+ audit_sockaddr()
+ __audit_sockaddr()
+
+ Reported-by: Jüri Aedla <juri.aedla@gmail.com>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/compat.c
+
+ net/compat.c | 2 ++
+ net/socket.c | 24 ++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc
+Author: Salva Peiró <speiro@ai2.upv.es>
+Date: Wed Oct 16 12:46:50 2013 +0200
+
+ Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1
+
+ wanxl: fix info leak in ioctl
+
+ The wanxl_ioctl() code fails to initialize the two padding bytes of
+ struct sync_serial_settings after the ->loopback member. Add an explicit
+ memset(0) before filling the structure to avoid the info leak.
+
+ Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/wanxl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f
+Author: Geyslan G. Bem <geyslan@gmail.com>
+Date: Fri Oct 11 16:49:16 2013 -0300
+
+ Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4
+
+ ecryptfs: Fix memory leakage in keystore.c
+
+ In 'decrypt_pki_encrypted_session_key' function:
+
+ Initializes 'payload' pointer and releases it on exit.
+
+ Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: stable@vger.kernel.org # v2.6.28+
+
+ fs/ecryptfs/keystore.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 0ccb7b191245318a36bbd1f59a1846dda72cb738
+Author: Colin Ian King <colin.king@canonical.com>
+Date: Thu Oct 24 14:08:07 2013 +0000
+
+ Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e
+
+ eCryptfs: fix 32 bit corruption issue
+
+ Shifting page->index on 32 bit systems was overflowing, causing
+ data corruption of > 4GB files. Fix this by casting it first.
+
+ https://launchpad.net/bugs/1243636
+
+ Signed-off-by: Colin Ian King <colin.king@canonical.com>
+ Reported-by: Lars Duesing <lars.duesing@camelotsweb.de>
+ Cc: stable@vger.kernel.org # v3.11+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+ fs/ecryptfs/crypto.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 27 13:29:49 2013 -0400
+
+ This is a replacement patch only for stable which does fix the problems
+ handled by the following two commits in -net:
+
+ "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
+ "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
+
+ Three frames are written on a corked udp socket for which the output
+ netdevice has UFO enabled. If the first and third frame are smaller than
+ the mtu and the second one is bigger, we enqueue the second frame with
+ skb_append_datato_frags without initializing the gso fields. This leads
+ to the third frame appended regulary and thus constructing an invalid skb.
+
+ This fixes the problem by always using skb_append_datato_frags as soon
+ as the first frag got enqueued to the skb without marking the packet
+ as SKB_GSO_UDP.
+
+ The problem with only two frames for ipv6 was fixed by "ipv6: udp
+ packets following an UFO enqueued packet need also be handled by UFO"
+ (2811ebac2521ceac84f2bdae402455baa6a7fb47).
+
+ Cc: Jiri Pirko <jiri@resnulli.us>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Cc: David Miller <davem@davemloft.net>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+ include/linux/skbuff.h | 5 +++++
+ net/ipv4/ip_output.c | 2 +-
+ net/ipv6/ip6_output.c | 2 +-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+commit aead8ff29424c6a5d25eb4614be91a01f9f6af00
+Merge: 5cf8361 ddadc82
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 26 08:42:26 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 26 08:41:24 2013 -0400
+
+ - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs <timo.teras@iki.f> and Natanael Copa <ncopa@alpinelinux.org> (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e)
+ - updated config help for latent entropy to reflect recent changes
+
+ arch/x86/include/asm/uaccess_64.h | 4 ++--
+ security/Kconfig | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad
+Author: Johannes Weiner <hannes@cmpxchg.org>
+Date: Wed Oct 16 13:47:00 2013 -0700
+
+ Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc
+
+ fs: buffer: move allocation failure loop into the allocator
+
+ Buffer allocation has a very crude indefinite loop around waking the
+ flusher threads and performing global NOFS direct reclaim because it can
+ not handle allocation failures.
+
+ The most immediate problem with this is that the allocation may fail due
+ to a memory cgroup limit, where flushers + direct reclaim might not make
+ any progress towards resolving the situation at all. Because unlike the
+ global case, a memory cgroup may not have any cache at all, only
+ anonymous pages but no swap. This situation will lead to a reclaim
+ livelock with insane IO from waking the flushers and thrashing unrelated
+ filesystem cache in a tight loop.
+
+ Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
+ any looping happens in the page allocator, which knows how to
+ orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
+ allows memory cgroups to detect allocations that can't handle failure
+ and will allow them to ultimately bypass the limit if reclaim can not
+ make progress.
+
+ Reported-by: azurIt <azurit@pobox.sk>
+ Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Michal Hocko <mhocko@suse.cz>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/buffer.c | 14 ++++++++++++--
+ mm/memcontrol.c | 2 ++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+commit 799326c8683d8d70b2035b1e5ab913c159112b6b
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Oct 10 16:48:19 2013 +0200
+
+ Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06
+
+ ext[34]: fix double put in tmpfile
+
+ d_tmpfile() already swallowed the inode ref.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ext3/namei.c | 5 ++---
+ fs/ext4/namei.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3
+Author: Jan Klos <honza.klos@gmail.com>
+Date: Sun Oct 6 21:08:20 2013 +0200
+
+ Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20
+
+ cifs: Fix inability to write files >2GB to SMB2/3 shares
+
+ When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super().
+
+ The patch fixes this by checking for the correct bit according to the protocol version.
+
+ CC: Stable <stable@kernel.org>
+ Signed-off-by: Jan Klos <honza.klos@gmail.com>
+ Reviewed-by: Jeff Layton <jlayton@redhat.com>
+ Signed-off-by: Steve French <smfrench@gmail.com>
+
+ fs/cifs/cifsfs.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22
+Author: Tim Gardner <tim.gardner@canonical.com>
+Date: Sun Oct 13 13:29:03 2013 -0600
+
+ Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a
+
+ cifs: ntstatus_to_dos_map[] is not terminated
+
+ Functions that walk the ntstatus_to_dos_map[] array could
+ run off the end. For example, ntstatus_to_dos() loops
+ while ntstatus_to_dos_map[].ntstatus is not 0. Granted,
+ this is mostly theoretical, but could be used as a DOS attack
+ if the error code in the SMB header is bogus.
+
+ [Might consider adding to stable, as this patch is low risk - Steve]
+
+ Reviewed-by: Jeff Layton <jlayton@redhat.com>
+ Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+ Signed-off-by: Steve French <smfrench@gmail.com>
+
+ fs/cifs/netmisc.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit ed8c09a96fa260e1864c632e1dd91b1320876305
+Author: Eric Dumazet <edumazet@google.com>
+Date: Tue Oct 15 11:54:30 2013 -0700
+
+ Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9
+
+ tcp: must unclone packets before mangling them
+
+ TCP stack should make sure it owns skbs before mangling them.
+
+ We had various crashes using bnx2x, and it turned out gso_size
+ was cleared right before bnx2x driver was populating TC descriptor
+ of the _previous_ packet send. TCP stack can sometime retransmit
+ packets that are still in Qdisc.
+
+ Of course we could make bnx2x driver more robust (using
+ ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack.
+
+ We have identified two points where skb_unclone() was needed.
+
+ This patch adds a WARN_ON_ONCE() to warn us if we missed another
+ fix of this kind.
+
+ Kudos to Neal for finding the root cause of this bug. Its visible
+ using small MSS.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: Neal Cardwell <ncardwell@google.com>
+ Cc: Yuchung Cheng <ycheng@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp_output.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+commit e5dcf1772ca2a85952da10a21d0650507dc061d3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon Oct 14 15:28:38 2013 +0300
+
+ Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5
+
+ yam: integer underflow in yam_ioctl()
+
+ We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be
+ negative. I don't know the impact of using a negative bitrate but let's
+ prevent it.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/linux/yam.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1f5d72d633f317248bba25158c326a61394aebf2
+Merge: 7ca4328 4df1b96
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 18 19:36:17 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ ipc/shm.c
+
+commit 4df1b965687831808af2548487e0f35a2ccc5c29
+Merge: e41125e 5070441
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 18 19:35:31 2013 -0400
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/setup.c
+
+commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:35:00 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: Evgeniy Polyakov <zbr@ioremap.net>
+ Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
+ Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length
+
+ The current code tests the length of the whole netlink message to be
+ at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
+ the length of the netlink message header. Use nlmsg_len() instead to
+ fix this "off-by-NLMSG_HDRLEN" size check.
+
+ Cc: stable@vger.kernel.org # v2.6.14+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ drivers/connector/connector.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:36:25 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: linux-audit@redhat.com
+ Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
+ Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
+
+ We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
+ we miss to initialize the mask member of status_set. Fix that.
+
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: stable@vger.kernel.org # v2.6.6+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ kernel/audit.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 9557a8727fd46e68f092dec0830a982e85b231f7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 19:02:32 2013 -0400
+
+ add 2nd chunk of audit nlmsg_len() fix from minipli
+
+ kernel/audit.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:37:59 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: linux-audit@redhat.com
+ Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
+ Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
+
+ Using the nlmsg_len member of the netlink header to test if the message
+ is valid is wrong as it includes the size of the netlink header itself.
+ Thereby allowing to send short netlink messages that pass those checks.
+
+ Use nlmsg_len() instead to test for the right message length. The result
+ of nlmsg_len() is guaranteed to be non-negative as the netlink message
+ already passed the checks of nlmsg_ok().
+
+ Also switch to min_t() to please checkpatch.pl.
+
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd
+
+ kernel/audit.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 7547b29750381c776dfd47f4b1277a492d5b0f72
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:41:01 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: netfilter-devel@vger.kernel.org
+ Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
+ <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be>
+ Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
+
+ The ulog messages leak heap bytes by the means of padding bytes and
+ incompletely filled string arrays. Fix those by memset(0)'ing the
+ whole struct before filling it.
+
+ Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ Conflicts:
+
+ net/bridge/netfilter/ebt_ulog.c
+
+ net/bridge/netfilter/ebt_ulog.c | 9 +++------
+ 1 files changed, 3 insertions(+), 6 deletions(-)
+
+commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:43:01 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: netfilter-devel@vger.kernel.org
+ Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
+ <kadlec@blackhole.kfki.hu>
+ Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
+
+ The ulog messages leak heap bytes by the means of padding bytes and
+ incompletely filled string arrays. Fix those by memset(0)'ing the
+ whole struct before filling it.
+
+ Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+ Cc: Patrick McHardy <kaber@trash.net>
+ Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ Conflicts:
+
+ net/ipv4/netfilter/ipt_ULOG.c
+
+ net/ipv4/netfilter/ipt_ULOG.c | 7 +------
+ 1 files changed, 1 insertions(+), 6 deletions(-)
+
+commit 2965f6e6122325a18e69296ad3817c66ca59b7e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:49:45 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
+ Subject: [PATCH net] unix_diag: fix info leak
+
+ When filling the netlink message we miss to wipe the pad field,
+ therefore leak one byte of heap memory to userland. Fix this by
+ setting pad to 0.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/unix/diag.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc
+Author: Mathias Krause <minipli@googlemail.com>
+Date: Mon Sep 30 22:03:06 2013 +0200
+
+ Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682
+
+ proc connector: fix info leaks
+
+ Initialize event_data for all possible message types to prevent leaking
+ kernel stack contents to userland (up to 20 bytes). Also set the flags
+ member of the connector message to 0 to prevent leaking two more stack
+ bytes this way.
+
+ Cc: stable@vger.kernel.org # v2.6.15+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/connector/cn_proc.c | 18 ++++++++++++++++++
+ 1 files changed, 18 insertions(+), 0 deletions(-)
+
+commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04
+Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Wed Oct 9 15:58:29 2013 +0100
+
+ Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a
+
+ ARM: 7851/1: check for number of arguments in syscall_get/set_arguments()
+
+ In ftrace_syscall_enter(),
+ syscall_get_arguments(..., 0, n, ...)
+ if (i == 0) { <handle ORIG_r0> ...; n--;}
+ memcpy(..., n * sizeof(args[0]));
+ If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in
+ syscall_get_arguments(), none of arguments should be copied by memcpy().
+ Otherwise 'n--' can be a big positive number and unexpected amount of data
+ will be copied. Tracing system calls which take no argument, say sync(void),
+ may hit this case and eventually make the system corrupted.
+ This patch fixes the issue both in syscall_get_arguments() and
+ syscall_set_arguments().
+
+ Cc: <stable@vger.kernel.org>
+ Acked-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+ Signed-off-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ arch/arm/include/asm/syscall.h | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2
+Author: Dave Jones <davej@redhat.com>
+Date: Thu Oct 10 20:05:35 2013 -0400
+
+ Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc
+
+ ext4: fix memory leak in xattr
+
+ If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
+ potentionally return from the function without having freed these
+ allocations. If we don't do the return, we over-write the previous
+ allocation pointers, so we leak either way.
+
+ Spotted with Coverity.
+
+ [ Fixed by tytso to set is and bs to NULL after freeing these
+ pointers, in case in the retry loop we later end up triggering an
+ error causing a jump to cleanup, at which point we could have a double
+ free bug. -- Ted ]
+
+ Signed-off-by: Dave Jones <davej@fedoraproject.org>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+ Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+ Cc: stable@vger.kernel.org
+
+ fs/ext4/xattr.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 224e55268fbd4f81fca479e315c9483df591411d
+Author: Salva Peiró <speiro@ai2.upv.es>
+Date: Fri Oct 11 12:50:03 2013 +0300
+
+ Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194
+
+ farsync: fix info leak in ioctl
+
+ The fst_get_iface() code fails to initialize the two padding bytes of
+ struct sync_serial_settings after the ->loopback member. Add an explicit
+ memset(0) before filling the structure to avoid the info leak.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/farsync.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9
+Author: James Hogan <james.hogan@imgtec.com>
+Date: Mon Oct 7 12:14:26 2013 +0100
+
+ Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92
+
+ MIPS: stack protector: Fix per-task canary switch
+
+ Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
+ per task) was merged in v3.11 and introduced assembly in the MIPS resume
+ functions to update the value of the current canary in
+ __stack_chk_guard. However it used PTR_L resulting in a load of the
+ canary value, instead of PTR_LA to construct its address. The value is
+ intended to be random but is then treated as an address in the
+ subsequent LONG_S (store).
+
+ This was observed to cause a fault and panic:
+
+ CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
+ Oops[#1]:
+ ...
+ $24 : 139fea20 1e1f7cb6
+ ...
+ Call Trace:
+ [<8000cc0c>] resume+0xac/0x118
+ [<8034f2a4>] __schedule+0x5f8/0x78c
+ [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
+ [<80348eec>] rest_init+0x74/0x84
+ [<804dc990>] start_kernel+0x43c/0x454
+ Code: 3c18804b 8f184030 8cb901f8 <af190000> 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc
+
+ This can also be forced by modifying
+ arch/mips/include/asm/stackprotector.h so that the default
+ __stack_chk_guard value is more likely to be a bad (or unaligned)
+ pointer.
+
+ Fix it to use PTR_LA instead, to load the address of the canary value,
+ which the LONG_S can then use to write into it.
+
+ Reported-by: bobjones (via #mipslinux on IRC)
+ Signed-off-by: James Hogan <james.hogan@imgtec.com>
+ Cc: Ralf Baechle <ralf@linux-mips.org>
+ Cc: Gregory Fong <gregory.0xf0@gmail.com>
+ Cc: linux-mips@linux-mips.org
+ Cc: stable@vger.kernel.org
+ Patchwork: https://patchwork.linux-mips.org/patch/6026/
+ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+
+ arch/mips/kernel/octeon_switch.S | 2 +-
+ arch/mips/kernel/r2300_switch.S | 2 +-
+ arch/mips/kernel/r4k_switch.S | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c
+Author: Fan Du <fan.du@windriver.com>
+Date: Tue Sep 17 15:14:13 2013 +0800
+
+ Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda
+
+ xfrm: Guard IPsec anti replay window against replay bitmap
+
+ For legacy IPsec anti replay mechanism:
+
+ bitmap in struct xfrm_replay_state could only provide a 32 bits
+ window size limit in current design, thus user level parameter
+ sadb_sa_replay should honor this limit, otherwise misleading
+ outputs("replay=244") by setkey -D will be:
+
+ 192.168.25.2 192.168.22.2
+ esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
+ E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2
+ A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
+ seq=0x00000000 replay=244 flags=0x00000000 state=mature
+ created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
+ diff: 22(s) hard: 30(s) soft: 26(s)
+ last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
+ current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
+ allocated: 22 hard: 0 soft: 0
+ sadb_seq=1 pid=4854 refcnt=0
+ 192.168.22.2 192.168.25.2
+ esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
+ E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282
+ A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
+ seq=0x00000000 replay=244 flags=0x00000000 state=mature
+ created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
+ diff: 22(s) hard: 30(s) soft: 26(s)
+ last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
+ current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
+ allocated: 22 hard: 0 soft: 0
+ sadb_seq=0 pid=4854 refcnt=0
+
+ And also, optimizing xfrm_replay_check window checking by setting the
+ desirable x->props.replay_window with only doing the comparison once
+ for all when xfrm_state is first born.
+
+ Signed-off-by: Fan Du <fan.du@windriver.com>
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/key/af_key.c | 3 ++-
+ net/xfrm/xfrm_replay.c | 3 +--
+ net/xfrm/xfrm_user.c | 3 ++-
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541
+Author: Thomas Egerer <thomas.egerer@secunet.com>
+Date: Thu Sep 19 13:19:19 2013 +0200
+
+ Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c
+
+ xfrm: Fix aevent generation for each received packet
+
+ If asynchronous events are enabled for a particular netlink socket,
+ the notify function is called by the advance function. The notify
+ function creates and dispatches a km_event if a replay timeout occurred,
+ or at least replay_maxdiff packets have been received since the last
+ asynchronous event has been sent. The function is supposed to return if
+ neither of the two events were detected for a state, or replay_maxdiff
+ is equal to zero.
+ Replay_maxdiff is initialized in xfrm_state_construct to the value of
+ the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state
+ if the netlink attribute XFRMA_REPLAY_THRESH is set.
+ If, however, replay_maxdiff is set to zero, then all of the three notify
+ implementations perform a break from the switch statement instead of
+ checking whether a timeout occurred, and -- if not -- return. As a
+ result an asynchronous event is generated for every replay update of a
+ state that has a zero replay_maxdiff value.
+ This patch modifies the notify functions such that they immediately
+ return if replay_maxdiff has the value zero, unless a timeout occurred.
+
+ Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++----------------------
+ 1 files changed, 27 insertions(+), 24 deletions(-)
+
+commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8
+Author: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue Oct 8 10:49:45 2013 +0200
+
+ Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee
+
+ xfrm: Add refcount handling to queued policies
+
+ We need to ensure that policies can't go away as long as the hold timer
+ is armed, so take a refcont when we arm the timer and drop one if we
+ delete it.
+
+ Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
+ resolution packet queue")
+
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/xfrm/xfrm_policy.c | 24 +++++++++++++++++-------
+ 1 files changed, 17 insertions(+), 7 deletions(-)
+
+commit b4948dc963442682534b3a039664b564c764e4f8
+Author: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue Oct 8 10:49:51 2013 +0200
+
+ Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0
+
+ xfrm: check for a vaild skb in xfrm_policy_queue_process
+
+ We might dreference a NULL pointer if the hold_queue is empty,
+ so add a check to avoid this.
+
+ Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
+ resolution packet queue")
+
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/xfrm/xfrm_policy.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit fad7f264b264b0b17a307aa16162cb43c7688a30
+Author: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon Oct 7 23:19:58 2013 +0200
+
+ Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89
+
+ net: vlan: fix nlmsg size calculation in vlan_get_size()
+
+ This patch fixes the calculation of the nlmsg size, by adding the missing
+ nla_total_size().
+
+ Cc: Patrick McHardy <kaber@trash.net>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/8021q/vlan_netlink.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd
+Author: François Cachereul <f.cachereul@alphalink.fr>
+Date: Wed Oct 2 10:16:02 2013 +0200
+
+ Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c
+
+ l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
+
+ IPv4 mapped addresses cause kernel panic.
+ The patch juste check whether the IPv6 address is an IPv4 mapped
+ address. If so, use IPv4 API instead of IPv6.
+
+ [ 940.026915] general protection fault: 0000 [#1]
+ [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
+ [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
+ [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+ [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
+ [ 940.026915] RIP: 0010:[<ffffffff81333780>] [<ffffffff81333780>] ip6_xmit+0x276/0x326
+ [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286
+ [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
+ [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
+ [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
+ [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
+ [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
+ [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
+ [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
+ [ 940.026915] Stack:
+ [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
+ [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
+ [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
+ [ 940.026915] Call Trace:
+ [ 940.026915] [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
+ [ 940.026915] [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
+ [ 940.026915] [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
+ [ 940.026915] [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
+ [ 940.026915] [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
+ [ 940.026915] [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
+ [ 940.026915] [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
+ [ 940.026915] [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
+ [ 940.026915] [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
+ [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
+ 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
+ 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
+ [ 940.026915] RIP [<ffffffff81333780>] ip6_xmit+0x276/0x326
+ [ 940.026915] RSP <ffff88000737fd28>
+ [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
+ [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt
+
+ Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++----
+ net/l2tp/l2tp_core.h | 3 +++
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+
+commit 2db6fe58460d400bc8b995fa2328be03e27e55e1
+Merge: 28f9622 e41125e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 15 10:00:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/kernel/ds.c
+ net/sysctl_net.c
+
+commit e41125e4742f332cd8cd8cf0c00cb189dba0e037
+Merge: 740e5ec a145cb9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 15 09:58:29 2013 -0400
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+commit 28f9622091224541efadf3ae006f0e5651c7fa45
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 1 22:48:34 2013 -0400
+
+ Fix this strlcpy crap properly
+
+ arch/sparc/kernel/ds.c | 7 +++----
+ 1 files changed, 3 insertions(+), 4 deletions(-)
+
+commit 837193210e4125fe4e9e554b28d7bc33985f3554
+Author: David S. Miller <davem@davemloft.net>
+Date: Fri Sep 27 13:46:04 2013 -0700
+
+ Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355
+
+ sparc64: Fix buggy strlcpy() conversion in ldom_reboot().
+
+ Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using
+ strlcpy() instead of strcpy()") added a bug to ldom_reboot in
+ arch/sparc/kernel/ds.c
+
+ - strcpy(full_boot_str + strlen("boot "), boot_command);
+ + strlcpy(full_boot_str + strlen("boot "), boot_command,
+ + sizeof(full_boot_str + strlen("boot ")));
+
+ That last sizeof() expression evaluates to sizeof(size_t) which is
+ not what was intended.
+
+ Also even the corrected:
+
+ sizeof(full_boot_str) + strlen("boot ")
+
+ is not right as the destination buffer length is just plain
+ "sizeof(full_boot_str)" and that's what the final argument
+ should be.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/kernel/ds.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Sun Sep 29 05:40:50 2013 +0200
+
+ Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae
+
+ ipv6: gre: correct calculation of max_headroom
+
+ gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header,
+ so initialize max_headroom to zero. Otherwise the
+
+ if (encap_limit >= 0) {
+ max_headroom += 8;
+ mtu -= 8;
+ }
+
+ increments an uninitialized variable before max_headroom was reset.
+
+ Found with coverity: 728539
+
+ Cc: Dmitry Kozlov <xeb@mail.ru>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/ipv6/ip6_gre.c
+
+ net/ipv6/ip6_gre.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 0d68ac550952d0eaf60851497ceee68dbba24516
+Merge: 64257ad 740e5ec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 1 18:11:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/hid/hid-core.c
+ drivers/hid/hid-lg2ff.c
+ drivers/hid/hid-lg3ff.c
+ drivers/hid/hid-lg4ff.c
+ drivers/hid/hid-lgff.c
+ drivers/hid/hid-logitech-dj.c
+ drivers/hid/hid-steelseries.c
+ drivers/hid/hid-zpff.c
+ include/linux/hid.h
+
+commit 740e5ec087969afd43ae0b552b4e05914437ed32
+Merge: c38c6b0 db20388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 1 17:40:46 2013 -0400
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+commit 64257ad95c51285d415f93ebdd486fae6bb9415d
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Sat Sep 21 06:27:00 2013 +0200
+
+ Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47
+
+ ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
+
+ In the following scenario the socket is corked:
+ If the first UDP packet is larger then the mtu we try to append it to the
+ write queue via ip6_ufo_append_data. A following packet, which is smaller
+ than the mtu would be appended to the already queued up gso-skb via
+ plain ip6_append_data. This causes random memory corruptions.
+
+ In ip6_ufo_append_data we also have to be careful to not queue up the
+ same skb multiple times. So setup the gso frame only when no first skb
+ is available.
+
+ This also fixes a shortcoming where we add the current packet's length to
+ cork->length but return early because of a packet > mtu with dontfrag set
+ (instead of sutracting it again).
+
+ Found with trinity.
+
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 53 ++++++++++++++++++++----------------------------
+ 1 files changed, 22 insertions(+), 31 deletions(-)
+
+commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Sep 24 15:27:45 2013 -0700
+
+ Just a whitespace fix to sync with upstream as we already applied this fix
+ via Vasiliy Kulikov in 2010. It fell through the cracks upstream
+
+ cciss: fix info leak in cciss_ioctl32_passthru()
+
+ The arg64 struct has a hole after ->buf_size which isn't cleared. Or if
+ any of the calls to copy_from_user() fail then that would cause an
+ information leak as well.
+
+ This was assigned CVE-2013-2147.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Mike Miller <mike.miller@hp.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ drivers/block/cciss.c
+
+ drivers/block/cciss.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e
+Author: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Date: Tue Sep 24 18:29:11 2013 -0700
+
+ Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b
+
+ mm: Place preemption point in do_mlockall() loop
+
+ There is a loop in do_mlockall() that lacks a preemption point, which
+ means that the following can happen on non-preemptible builds of the
+ kernel. Dave Jones reports:
+
+ "My fuzz tester keeps hitting this. Every instance shows the non-irq
+ stack came in from mlockall. I'm only seeing this on one box, but
+ that has more ram (8gb) than my other machines, which might explain
+ it.
+
+ INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0)
+ sending NMI to all CPUs:
+ NMI backtrace for cpu 3
+ CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32
+ Call Trace:
+ lru_add_drain_all+0x15/0x20
+ SyS_mlockall+0xa5/0x1a0
+ tracesys+0xdd/0xe2"
+
+ This commit addresses this problem by inserting the required preemption
+ point.
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
+ Cc: Michel Lespinasse <walken@google.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mlock.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Sep 27 21:06:17 2013 -0400
+
+ Don't log attempts to create a socket with a family that the kernel doesn't
+ support
+ Further, if the kernel doesn't support the socket family, instead of returning
+ -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6
+ sockets in RBAC policy despite a kernel that doesn't support ipv6
+ observed during a Debian userland update necessitating a policy change
+
+ grsecurity/gracl_ip.c | 7 +++----
+ net/socket.c | 26 +++++++++++++++-----------
+ 2 files changed, 18 insertions(+), 15 deletions(-)
+
+commit 55f1e409275973513a3314fe5bfa76a4781c0db7
+Merge: 2eac654 c38c6b0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Sep 27 20:35:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/hid/hid-picolcd_core.c
+
+commit c38c6b0bbbe53bd528aeeb4a059764abc028c276
+Merge: 115bf6a a3308b5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Sep 27 20:34:15 2013 -0400
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+ Conflicts:
+ arch/x86/ia32/ia32_signal.c
+ arch/x86/include/asm/checksum_32.h
+ arch/x86/include/asm/mmu_context.h
+ arch/x86/kernel/signal.c
+ arch/x86/lib/csum-wrappers_64.c
+ include/linux/compat.h
+
+commit 2eac65435fdffca548a56e5187840908438fc95c
+Merge: ba0ebde 115bf6a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 26 20:00:00 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 115bf6af0083ea28c751d551a39cfdba1798e9dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 26 19:59:14 2013 -0400
+
+ Update to pax-linux-3.11.1-test10.patch:
+ - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine
+ - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard
+ - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040)
+ - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released)
+ - beefed up latent entropy extraction
+ - latent_entropy itself will be initialized to a compile-time random value (instead of 0)
+ - entropy will be collected from various irq and softirq handlers
+
+ arch/arm/kernel/module.c | 2 ++
+ arch/arm/kernel/vmlinux.lds.S | 2 +-
+ block/blk-iopoll.c | 2 +-
+ block/blk-softirq.c | 2 +-
+ fs/binfmt_elf.c | 8 +++++---
+ include/linux/genhd.h | 2 +-
+ include/linux/random.h | 4 ++--
+ kernel/hrtimer.c | 2 +-
+ kernel/rcutiny.c | 2 +-
+ kernel/rcutree.c | 2 +-
+ kernel/sched/fair.c | 2 +-
+ kernel/softirq.c | 4 ++--
+ kernel/timer.c | 2 +-
+ lib/percpu-refcount.c | 2 +-
+ net/core/dev.c | 4 ++--
+ tools/gcc/latent_entropy_plugin.c | 2 +-
+ 16 files changed, 24 insertions(+), 20 deletions(-)
+
+commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 22 18:14:07 2013 -0400
+
+ Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
+
+ This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
+
+ net/netlink/genetlink.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35
+Merge: f1e4228 90db383
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Sep 18 17:34:37 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 90db383fd7d650172d52229b0116ad7604c9bec1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Sep 18 17:32:42 2013 -0400
+
+ Update to pax-linux-3.11.1-test9.patch:
+ - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer
+ - better implementation of __read_only for modules
+ - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard
+
+ arch/arm/kernel/entry-common.S | 12 ++++++------
+ arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++--
+ arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++-
+ arch/x86/include/asm/cache.h | 4 ----
+ drivers/bus/arm-cci.c | 2 +-
+ drivers/clk/socfpga/clk.c | 2 +-
+ drivers/mmc/host/mmci.c | 4 +++-
+ drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +-
+ include/linux/cache.h | 4 ++++
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ scripts/module-common.lds | 4 ++++
+ 12 files changed, 49 insertions(+), 19 deletions(-)
+
+commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Sep 18 17:32:25 2013 -0400
+
+ Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error"
+
+ This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f.
+
+ net/sctp/protocol.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f1e42285e17479067b6cbcffc43916720e6dedd3
+Merge: 456ca17 5e30989
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 21:42:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5e30989102e2d0df166ab6ff915b90f675f8786f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 21:41:44 2013 -0400
+
+ mark sctp_af_inet forward declaration as __read_only to fix compile error
+
+ net/sctp/protocol.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 456ca176141f10355c1569b29225c9ce4b7db18e
+Merge: b406eac 5df8f36
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 20:02:05 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 20:01:38 2013 -0400
+
+ Update to pax-linux-3.11.1-test7.patch:
+ - fixed arm compile error, reported by Arnaud Ebalard
+ - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743)
+ - fixed od_ops constification, fixes cpufreq ondemand on AMD
+ - latent entropy will now be gathered from module init code as well (i.e., at module load/init time)
+ - __read_only will now be enforced in modules as well
+ - removed unneccessary __read_only from ntfs
+
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/x86/include/asm/cache.h | 4 ++++
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 2 +-
+ fs/ntfs/file.c | 4 ++--
+ include/linux/init.h | 5 -----
+ include/net/xfrm.h | 5 ++++-
+ init/main.c | 9 +++------
+ mm/page_alloc.c | 1 +
+ net/ipv4/xfrm4_policy.c | 4 ++--
+ net/ipv6/xfrm6_policy.c | 4 ++--
+ net/xfrm/xfrm_policy.c | 11 ++---------
+ 12 files changed, 23 insertions(+), 30 deletions(-)
+
+commit b406eac579bb3a5faa1c9d73b8af5530f942009a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 12:53:22 2013 -0400
+
+ Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce
+
+ author Steffen Klassert <steffen.klassert@secunet.com> 2013-09-09 07:39:01 (GMT)
+ committer Steffen Klassert <steffen.klassert@secunet.com> 2013-09-16 07:39:37 (GMT)
+
+ xfrm: Fix replay size checking on async events
+ We pass the wrong netlink attribute to xfrm_replay_verify_len().
+ It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
+ we currently doing. This causes memory corruptions if the
+ replay esn attribute has incorrect length. Fix this by passing
+ the right attribute to xfrm_replay_verify_len().
+
+ Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/xfrm/xfrm_user.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9
+Merge: 84843a3 0a0ced6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 11:24:30 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/wireless/ath/ath10k/core.c
+ drivers/net/wireless/ath/ath10k/htc.c
+
+commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 11:21:43 2013 -0400
+
+ Update to pax-linux-3.11.1-test6.patch:
+ - forward port to 3.11.1
+ - fixed some CONSTIFY fallout, reported by spender
+ - fixed INVPCID on i386, reported by spender
+ - simplified/consolidated the recent security_ops change
+
+ arch/x86/include/asm/mmu_context.h | 4 ++--
+ arch/x86/include/asm/tlbflush.h | 6 +++---
+ arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
+ drivers/net/wireless/ath/ath10k/core.c | 6 +++---
+ drivers/net/wireless/ath/ath10k/htc.c | 7 ++++---
+ include/linux/security.h | 2 --
+ security/security.c | 3 ---
+ security/selinux/hooks.c | 5 +++--
+ 8 files changed, 16 insertions(+), 19 deletions(-)
+
+commit 84843a394cde0578be728cb5fd34da9859dcf110
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 09:19:21 2013 -0400
+
+ remove unnecessary check from when protocol was signed
+
+ net/phonet/af_phonet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit cc7c916cac4c2eb0ec243690627e2b6a13234fef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 08:53:27 2013 -0400
+
+ resync with PaX
+
+ security/selinux/hooks.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit fdeadf7ba061242685e07a2504c6be99161f292c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 23:04:53 2013 -0400
+
+ Fix constification of ath10k_hif_cb struct located on stack
+
+ drivers/net/wireless/ath/ath10k/hif.h | 1 +
+ drivers/net/wireless/ath/ath10k/htc.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 73c6875760e610cb636f86566a1be7a744d89b82
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 22:41:06 2013 -0400
+
+ use a no_const typedef for ath10k_htc_ops, which is located on the stack
+
+ drivers/net/wireless/ath/ath10k/core.c | 6 +++---
+ drivers/net/wireless/ath/ath10k/htc.h | 1 +
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+commit bffb0279b95b717c739365a5a25ca0391e7479b1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 22:13:46 2013 -0400
+
+ fix compilation error under constify
+
+ drivers/net/wireless/ath/ath10k/core.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 1044c726fd98de89a711c6655f811600d4051e46
+Merge: ffc8003 e39d12a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:57:25 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e39d12a3b877293ba677bf7642c8887144ae1576
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:56:56 2013 -0400
+
+ Update to pax-linux-3.11-test5.patch:
+ - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd)
+ - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin
+
+ mm/mremap.c | 5 ++++-
+ tools/gcc/kernexec_plugin.c | 4 ++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:48:03 2013 -0400
+
+ fix compile error introduced by pipacs
+
+ security/selinux/hooks.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 874e80f445b1325df45f04cc317f67587e241218
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:12:45 2013 -0400
+
+ Fix invalid dependency causing warning:
+ warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
+
+ lib/Kconfig.debug | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 19:53:56 2013 -0400
+
+ change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs
+
+ arch/x86/include/asm/tlbflush.h | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Sat Sep 7 16:44:59 2013 +0200
+
+ Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95
+
+ net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE
+
+ If we do not add braces around ...
+
+ mask |= POLLERR |
+ sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
+
+ ... then this condition always evaluates to true as POLLERR is
+ defined as 8 and binary or'd with whatever result comes out of
+ sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
+ X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix
+ smatch warnings inside datagram_poll") forgot about SCTP. :-(
+
+ Introduced by 7d4c04fc170 ("net: add option to enable error queue
+ packets waking select").
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Jacob Keller <jacob.e.keller@intel.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986
+Author: Jason Wang <jasowang@redhat.com>
+Date: Wed Sep 11 18:09:48 2013 +0800
+
+ Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0
+
+ tuntap: correctly handle error in tun_set_iff()
+
+ Commit c8d68e6be1c3b242f1c598595830890b65cea64a
+ (tuntap: multiqueue support) only call free_netdev() on error in
+ tun_set_iff(). This causes several issues:
+
+ - memory of tun security were leaked
+ - use after free since the flow gc timer was not deleted and the tfile
+ were not detached
+
+ This patch solves the above issues.
+
+ Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
+ Cc: Michael S. Tsirkin <mst@redhat.com>
+ Signed-off-by: Jason Wang <jasowang@redhat.com>
+ Acked-by: Michael S. Tsirkin <mst@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+commit b504140d8590bd67ed481ea84824a9846dde2d74
+Author: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sun Sep 8 14:33:50 2013 +1000
+
+ Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
+
+ crypto: api - Fix race condition in larval lookup
+
+ crypto_larval_lookup should only return a larval if it created one.
+ Any larval created by another entity must be processed through
+ crypto_larval_wait before being returned.
+
+ Otherwise this will lead to a larval being killed twice, which
+ will most likely lead to a crash.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Kees Cook <keescook@chromium.org>
+ Tested-by: Kees Cook <keescook@chromium.org>
+ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+ crypto/api.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit f4212fa9ec1c34c59fabc43904e16112b776b6b2
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed Sep 11 16:58:36 2013 +0200
+
+ Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7
+
+ net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit
+
+ Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
+ being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
+ does not seem to have the desired effect:
+
+ SCTP + IPv4:
+
+ 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
+ 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
+ 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
+ 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):
+
+ SCTP + IPv6:
+
+ 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
+ fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
+ 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]
+
+ Moreover, Alan says:
+
+ This problem was seen with both Racoon and Racoon2. Other people have seen
+ this with OpenSwan. When IPsec is configured to encrypt all upper layer
+ protocols the SCTP connection does not initialize. After using Wireshark to
+ follow packets, this is because the SCTP packet leaves Box A unencrypted and
+ Box B believes all upper layer protocols are to be encrypted so it drops
+ this packet, causing the SCTP connection to fail to initialize. When IPsec
+ is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
+
+ In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext"
+ string on the other end, results in cleartext on the wire where SCTP eventually
+ does not report any errors, thus in the latter case that Alan reports, the
+ non-paranoid user might think he's communicating over an encrypted transport on
+ SCTP although he's not (tcpdump ... -X):
+
+ ...
+ 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l....
+ 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext...
+
+ Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the
+ receiver side. Initial follow-up analysis from Alan's bug report was done by
+ Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
+
+ SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit().
+ This has the implication that it probably never really got updated along with
+ changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.
+
+ SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since
+ a call to inet6_csk_xmit() would solve this problem, but result in unecessary
+ route lookups, let us just use the cached flowi6 instead that we got through
+ sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(),
+ we do the route lookup / flow caching in sctp_transport_route(), hold it in
+ tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in
+ sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect
+ of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst()
+ instead to get the correct source routed dst entry, which we assign to the skb.
+
+ Also source address routing example from 625034113 ("sctp: fix sctp to work with
+ ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095
+ it is actually 'recommended' to not use that anyway due to traffic amplification [1].
+ So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if
+ we overwrite the flow destination here, the lower IPv6 layer will be unable to
+ put the correct destination address into IP header, as routing header is added in
+ ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside,
+ result of this patch is that we do not have any XfrmInTmplMismatch increase plus on
+ the wire with this patch it now looks like:
+
+ SCTP + IPv6:
+
+ 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba:
+ AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
+ 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a:
+ AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296
+
+ This fixes Kernel Bugzilla 24412. This security issue seems to be present since
+ 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have
+ its fun with that. lksctp-tools IPv6 regression test suite passes as well with
+ this patch.
+
+ [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
+
+ Reported-by: Alan Chester <alan.chester@tekelec.com>
+ Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/ipv6.c | 42 +++++++++++++-----------------------------
+ 1 files changed, 13 insertions(+), 29 deletions(-)
+
+commit 726915e42b1a23b88cd420029003d82208a30006
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Sep 13 14:52:04 2013 -0700
+
+ Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7
+
+ isdn: clean up debug format string usage
+
+ Avoid unneeded local string buffers for constructing debug output. Also
+ cleans up debug calls that contain a single parameter so that they cannot
+ be accidentally parsed as format strings.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Karsten Keil <isdn@linux-pingi.de>
+ Cc: David Miller <davem@davemloft.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/hisax/amd7930_fn.c | 4 +-
+ drivers/isdn/hisax/avm_pci.c | 4 +-
+ drivers/isdn/hisax/config.c | 2 +-
+ drivers/isdn/hisax/diva.c | 4 +-
+ drivers/isdn/hisax/elsa.c | 2 +-
+ drivers/isdn/hisax/elsa_ser.c | 2 +-
+ drivers/isdn/hisax/hfc_pci.c | 2 +-
+ drivers/isdn/hisax/hfc_sx.c | 2 +-
+ drivers/isdn/hisax/hscx_irq.c | 4 +-
+ drivers/isdn/hisax/icc.c | 4 +-
+ drivers/isdn/hisax/ipacx.c | 8 +++---
+ drivers/isdn/hisax/isac.c | 4 +-
+ drivers/isdn/hisax/isar.c | 6 ++--
+ drivers/isdn/hisax/jade.c | 18 ++++----------
+ drivers/isdn/hisax/jade_irq.c | 4 +-
+ drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++-------------------------
+ drivers/isdn/hisax/netjet.c | 2 +-
+ drivers/isdn/hisax/q931.c | 6 ++--
+ drivers/isdn/hisax/w6692.c | 8 +++---
+ 19 files changed, 57 insertions(+), 79 deletions(-)
+
+commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 19:16:48 2013 -0400
+
+ Fix a bad git merge, re-applied a previously reverted patch
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 5dea4b212b0405d6bcbea57516d77b21035d1178
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:56:37 2013 -0400
+
+ finish porting namei.c
+
+ fs/namei.c | 50 +++++++++++---------------------------------------
+ 1 files changed, 11 insertions(+), 39 deletions(-)
+
+commit a7d5c5e2d0fd4831df19247e41c73c362809b00f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:44:08 2013 -0400
+
+ cred->user -> current_user()
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit be3db5fa6532557384fb66d2d9297d77666912cf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:36:24 2013 -0400
+
+ Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit ce9afc12137b65991bfc7cce70e28d86bbb76956
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Tue Sep 3 19:29:12 2013 +0200
+
+ Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
+
+ net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
+
+ In tcp_v6_do_rcv() code, when processing pkt options, we soley work
+ on our skb clone opt_skb that we've created earlier before entering
+ tcp_rcv_established() on our way. However, only in condition ...
+
+ if (np->rxopt.bits.rxtclass)
+ np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
+
+ ... we work on skb itself. As we extract every other information out
+ of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
+ already be released by tcp_rcv_established() earlier on. When we try
+ to access it in ipv6_hdr(), we will dereference freed skb.
+
+ [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
+ IP_PKTOPTIONS") ]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jiri Benc <jbenc@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 84aa149aa0f178516f5784d028522d60d35696c9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:36:23 2013 -0400
+
+ fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1145b56059535549be226da9891b56ab2d902b2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:17:02 2013 -0400
+
+ Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_sysctl.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 18:41:49 2013 -0400
+
+ Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
+
+ Also eliminate reset_security_ops() as a ROP target when
+ SECURITY_SELINUX_DISABLE is disabled as it's the only user
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 17 ++++++++++++++++-
+ grsecurity/grsec_init.c | 3 +++
+ grsecurity/grsec_sysctl.c | 2 +-
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 17:11:11 2013 -0400
+
+ fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_sysctl.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit 74dc00678ec84a254617b500a2880974dac95220
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:42:39 2013 -0400
+
+ add export of gr_handle_new_usb()
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_usb.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 19:24:47 2013 -0400
+
+ Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/usb/core/hub.c | 5 +++++
+ grsecurity/Kconfig | 20 ++++++++++++++++++++
+ grsecurity/Makefile | 3 ++-
+ grsecurity/grsec_init.c | 1 +
+ grsecurity/grsec_sysctl.c | 11 +++++++++++
+ grsecurity/grsec_usb.c | 13 +++++++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grsecurity.h | 2 ++
+ 8 files changed, 55 insertions(+), 1 deletions(-)
+
+commit 889852764d245f44e416da4eb203fda0bd327584
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:35:07 2013 -0700
+
+ HID: zeroplus: validate output report details
+
+ The zeroplus HID driver was not checking the size of allocated values
+ in fields it used. A HID device could send a malicious output report
+ that would cause the driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+ ...
+ [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2889
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-zpff.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit f30e932a87f25b53779d1f92b49923f8a2dc9834
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 14:36:15 2013 -0700
+
+ HID: provide a helper for validating hid reports
+
+ Many drivers need to validate the characteristics of their HID report
+ during initialization to avoid misusing the reports. This adds a common
+ helper to perform validation of the report, its field count, and the
+ value count within the fields.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/hid.h | 4 +++
+ 2 files changed, 54 insertions(+), 0 deletions(-)
+
+commit f9eac59133855befee23d0c899e0d0e6ebcd3d44
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:14:34 2013 -0700
+
+ HID: steelseries: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ steelseries HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+ ...
+ [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2891
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-steelseries.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 9f5ae466957014bc300929374ebb7afdd9d116d6
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 08:49:21 2013 -0700
+
+ HID: pantherlord: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ pantherlord HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+ ...
+ [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2892
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit b643b8f8af23488d92f16a817bf16c162d612ce1
+Author: Kees Cook <keescook@chromium.org>
+Date: Tue Aug 13 16:49:01 2013 -0700
+
+ HID: LG: validate HID output report details
+
+ A HID device could send a malicious output report that would cause the
+ lg, lg3, and lg4 HID drivers to write beyond the output report allocation
+ during an event, causing a heap overflow:
+
+ [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
+ ...
+ [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
+
+ Additionally, while lg2 did correctly validate the report details, it was
+ cleaned up and shortened.
+
+ CVE-2013-2893
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-lg2ff.c | 19 +++----------------
+ drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
+ drivers/hid/hid-lg4ff.c | 20 +-------------------
+ drivers/hid/hid-lgff.c | 17 ++---------------
+ 4 files changed, 12 insertions(+), 73 deletions(-)
+
+commit 975723a41239b1befae172e88082ff4422753508
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:21:23 2013 -0700
+
+ HID: lenovo-tpkbd: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ lenovo-tpkbd HID driver to write just beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+ ...
+ [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2894
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:45:03 2013 -0700
+
+ HID: logitech-dj: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ logitech-dj HID driver to leak kernel memory contents to the device, or
+ trigger a NULL dereference during initialization:
+
+ [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+ ...
+ [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+ [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+ CVE-2013-2895
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit 05c3db7daee82d79c628c15b304f8621159e14f3
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:18:15 2013 -0700
+
+ HID: ntrig: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ ntrig HID driver to trigger a NULL dereference during initialization:
+
+ [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+ ...
+ [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+ [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+ CVE-2013-2896
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit a79f25f59fdd0abaf4ecfab93017aa49de089498
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:11:32 2013 -0700
+
+ HID: multitouch: validate feature report details
+
+ When working on report indexes, always validate that they are in bounds.
+ Without this, a HID device could report a malicious feature report that
+ could trick the driver into a heap overflow:
+
+ [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+ ...
+ [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2897
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
+ 1 files changed, 20 insertions(+), 5 deletions(-)
+
+commit 6fe8eb06e432f165872d3486fdce0d09de1515b3
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:12:45 2013 -0700
+
+ HID: sensor-hub: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ sensor-hub HID driver to read past the end of heap allocation, leaking
+ kernel memory contents to the caller.
+
+ CVE-2013-2898
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:05:10 2013 -0700
+
+ HID: picolcd_core: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+ CVE-2013-2899
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c147e32922dd91edf1969b8a6eb333aafb4abb79
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:09:54 2013 -0700
+
+ HID: check for NULL field when setting values
+
+ Defensively check that the field to be worked on is not NULL.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 28 18:09:18 2013 -0400
+
+ http://marc.info/?l=linux-input&m=137772180514608&q=raw
+
+ The "Report ID" field of a HID report is used to build indexes of
+ reports. The kernel's index of these is limited to 256 entries, so any
+ malicious device that sets a Report ID greater than 255 will trigger
+ memory corruption on the host:
+
+ [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+ [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+ CVE-2013-2888
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 19 22:10:04 2013 -0400
+
+ fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/kernel/smpboot.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 12:00:20 2013 -0400
+
+ make kallsyms_lookup_size_offset available to approved source files
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit abde07f6c047c0331f511318cb49a36d49218dfc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:18:09 2013 -0400
+
+ allow use of kallsyms_lookup_name to approved source files
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Aug 13 09:04:05 2013 +0200
+
+ Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
+
+ genetlink: fix family dump race
+
+ When dumping generic netlink families, only the first dump call
+ is locked with genl_lock(), which protects the list of families,
+ and thus subsequent calls can access the data without locking,
+ racing against family addition/removal. This can cause a crash.
+ Fix it - the locking needs to be conditional because the first
+ time around it's already locked.
+
+ A similar bug was reported to me on an old kernel (3.4.47) but
+ the exact scenario that happened there is no longer possible,
+ on those kernels the first round wasn't locked either. Looking
+ at the current code I found the race described above, which had
+ also existed on the old kernel.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/netlink/genetlink.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 08:58:34 2013 -0400
+
+ Fix two harmless compiler warnings
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/kernel/process.c | 4 ++--
+ fs/exec.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit d502375416b17270008ebdf11f1c3be7837f7c50
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:46:01 2013 -0400
+
+ Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 2 +-
+ kernel/kprobes.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletions(-)
+
+commit f6c363aba68cccff2815a488a7e9ed68990100d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 10 09:41:40 2013 -0400
+
+ propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:58:42 2013 -0400
+
+ Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:26:40 2013 -0400
+
+ Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
+
+ Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
+ user namespaces!
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/fork.c | 17 -----------------
+ kernel/user_namespace.c | 15 +++++++++++++++
+ 2 files changed, 15 insertions(+), 17 deletions(-)
+
+commit 5c0737b045d057152a39154746d8c8e5d59185ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 16:05:41 2013 -0400
+
+ silence a warning on older gcc
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 3 08:31:08 2013 -0400
+
+ we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:54:51 2013 -0400
+
+ add include
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_log.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:49:13 2013 -0400
+
+ fix compilation
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/grinternal.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit d4d49138661d5cb646f0dd012178447380b79956
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:34:35 2013 -0400
+
+ Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
+ fs/exec.c | 4 ++++
+ grsecurity/Kconfig | 21 +++++----------------
+ grsecurity/grsec_init.c | 4 ----
+ grsecurity/grsec_log.c | 14 ++++++++++++++
+ grsecurity/grsec_pax.c | 19 ++++++++++++++-----
+ grsecurity/grsec_sysctl.c | 9 ---------
+ include/linux/binfmts.h | 1 +
+ include/linux/grinternal.h | 2 +-
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 3 ++-
+ mm/mmap.c | 7 +++++++
+ mm/mprotect.c | 2 +-
+ 13 files changed, 88 insertions(+), 38 deletions(-)
+
+commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:52:02 2013 -0400
+
+ add missing #define
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 4a307f7d3ff3ab232c0b6341415088e7618c494e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:43:53 2013 -0400
+
+ fix compilation for !COMPAT as reported on the forums
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
+ 1 files changed, 97 insertions(+), 98 deletions(-)
+
+commit 78011eb5c2454b8afc96b98bd86ac172e589b13c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:20 2013 -0400
+
+ Revert "revert recent PaX change that causes boot failures with 32bit userland"
+
+ This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 16:26:58 2013 -0400
+
+ compile fix for !COMPAT as mentioned on forums
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit e670dc535e4501fd12d8bf00f1e1306c44266fe7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:33:14 2013 -0400
+
+ perform compat conversion of rlimit infinity
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 2834fe28e69176da6ac4989c6e3dc713faafefe5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:21:40 2013 -0400
+
+ remove debugging
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
+ 1 files changed, 11 insertions(+), 33 deletions(-)
+
+commit 2669672647f6955f0e5154596492c73cd4fda330
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:20:32 2013 -0400
+
+ eliminate compat_dev_t
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/gracl_compat.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 75de5da79f5e03936a79ffe2c827462000001985
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:13:22 2013 -0400
+
+ fix compat rlimit size
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
+ include/linux/gracl_compat.h | 4 +-
+ 2 files changed, 49 insertions(+), 23 deletions(-)
+
+commit 9055a8feb8493a30d1ad0fcef25eb496630d223f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:20:18 2013 -0400
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:14:29 2013 -0400
+
+ copy correct pointer size in new compat code
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 8 ++++----
+ grsecurity/gracl_compat.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 129b6204587740fd082e731a54d00e8a9fc35f8b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:15:50 2013 -0400
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:12:46 2013 -0400
+
+ remove BUILD_BUG_ONs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 20 --------------------
+ 1 files changed, 0 insertions(+), 20 deletions(-)
+
+commit 67fc73af0876d311c0d01d3b16fa429f44af12b9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:18:36 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 8 ++++----
+ include/linux/gracl_compat.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:16:42 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_compat.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 798adb5cab6c3a8056e1b415e6f34a270f369721
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:13:51 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 4d4945ce90d83784634b898f83cb5a7699537733
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:11:03 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:08:21 2013 -0400
+
+ more compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 28 ++++++++++++++--------------
+ 1 files changed, 14 insertions(+), 14 deletions(-)
+
+commit 6db464f72eff84f77335b69dc2748a3759e151d1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:59:50 2013 -0400
+
+ more compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:56:47 2013 -0400
+
+ additional compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 files changed, 49 insertions(+), 10 deletions(-)
+
+commit e78a78dcfc089142273243b54509840d3b50c538
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:47:15 2013 -0400
+
+ fix typo
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b27005e62bebc09e6604a6f5dc099742bb6b4434
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:46:59 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 14 deletions(-)
+
+commit 101b84a778c254dfd7399f5bcd6264ff437f1176
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:22:44 2013 -0400
+
+ Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
+
+ Also removed code duplication for copying strings into the kernel
+
+ Work performed as part of sponsorship
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Makefile | 4 +
+ grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
+ grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
+ include/linux/gracl_compat.h | 156 +++++++++++++++++++++
+ 4 files changed, 603 insertions(+), 142 deletions(-)
+
+commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 16 20:40:24 2013 -0400
+
+ allow viewing of ecryptfs version under SYSFS_RESTRICT
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/sysfs/dir.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3e182e4da46de4c6b9a9f45d41030bef19260954
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:49:17 2013 -0400
+
+ Update PaX fix, just return the error
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/madvise.c | 11 +++++------
+ 1 files changed, 5 insertions(+), 6 deletions(-)
+
+commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:36:00 2013 -0400
+
+ Fix madvise oops reported by Peter Keel
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/madvise.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+commit 32537d92b8da84f38bf45eb85b6953f452064936
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 22:04:59 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/exec.c | 2 +-
+ mm/mmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:15:10 2013 -0400
+
+ Initial port of grsecurity to 3.11 using new git method
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 3 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 12 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/signal.c | 9 +-
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 9 +-
+ arch/x86/kernel/sys_x86_64.c | 8 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 1 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 128 ++-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/block/cpqarray.c | 1 +
+ drivers/cdrom/cdrom.c | 2 +-
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++---------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 9 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 184 ++-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 256 +++-
+ fs/namespace.c | 16 +
+ fs/open.c | 38 +
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 166 ++-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 4 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/perf_event.h | 13 +-
+ include/linux/printk.h | 3 +-
+ include/linux/sched.h | 24 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 ++-
+ kernel/events/core.c | 14 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 64 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 2 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 7 +
+ kernel/printk/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 69 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 1 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 63 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev_ioctl.c | 4 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 4 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netrom/af_netrom.c | 1 -
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 341 +++-
+ security/apparmor/Kconfig | 9 +
+ security/apparmor/apparmorfs.c | 231 +++
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 235 files changed, 4384 insertions(+), 1312 deletions(-)
+
+commit a76b033c58b4886552911442f1b89e0cee041dae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:57:40 2013 -0400
+
+ Commit merge of new files and rejected patches
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/powerpc/include/asm/thread_info.h | 7 +-
+ arch/powerpc/mm/slice.c | 2 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 15 +
+ fs/coredump.c | 1 +
+ fs/ext4/balloc.c | 4 +-
+ fs/namei.c | 7 +
+ fs/namespace.c | 8 +
+ fs/pipe.c | 2 +-
+ fs/proc/inode.c | 13 +
+ fs/proc/internal.h | 3 +
+ grsecurity/Kconfig | 1054 +++++++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 ++++
+ grsecurity/gracl_ip.c | 387 +++
+ grsecurity/gracl_learn.c | 207 ++
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 +++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 +++
+ grsecurity/grsec_disabled.c | 434 ++++
+ grsecurity/grsec_exec.c | 187 ++
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 +++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 +++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 246 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 ++++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/gracl.h | 319 +++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 ++
+ include/linux/grinternal.h | 227 ++
+ include/linux/grmsg.h | 112 +
+ include/linux/grsecurity.h | 241 ++
+ include/linux/grsock.h | 19 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/proc_fs.h | 13 +
+ include/linux/sched.h | 48 +-
+ include/trace/events/fs.h | 53 +
+ kernel/kmod.c | 7 +-
+ kernel/panic.c | 2 +-
+ kernel/posix-timers.c | 1 +
+ kernel/time/timekeeping.c | 2 +
+ lib/Kconfig.debug | 2 +-
+ lib/vsprintf.c | 31 +
+ localversion-grsec | 1 +
+ mm/mmap.c | 13 +-
+ mm/shmem.c | 2 +-
+ net/core/net-procfs.c | 5 +
+ net/ipv6/udp.c | 3 +
+ net/netfilter/xt_gradm.c | 51 +
+ 66 files changed, 11184 insertions(+), 21 deletions(-)
+
+commit d1cf217118e0750f54aca9136d8c6a41f0ae439c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 14:36:40 2013 -0400
+
+ Initial import of pax-linux-3.11-test4.patch
+
+ Documentation/dontdiff | 46 +-
+ Documentation/kernel-parameters.txt | 23 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 444 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 3 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 54 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 95 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/entry-armv.S | 110 +-
+ arch/arm/kernel/entry-common.S | 40 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 3 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/process.c | 42 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 35 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 8 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/kvm/arm.c | 8 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
+ arch/arm/mach-ux500/setup.h | 7 -
+ arch/arm/mm/Kconfig | 6 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/context.c | 10 +-
+ arch/arm/mm/fault.c | 104 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 30 +-
+ arch/arm/mm/mmu.c | 185 +-
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 728 +++-
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/local.h | 57 +
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/include/asm/smtc_proc.h | 2 +-
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/irq.c | 6 +-
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/kernel/smtc-proc.c | 6 +-
+ arch/mips/kernel/smtc.c | 2 +-
+ arch/mips/kernel/sync-r4k.c | 24 +-
+ arch/mips/kernel/traps.c | 13 +-
+ arch/mips/mm/fault.c | 25 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap.c | 16 +
+ arch/powerpc/mm/slice.c | 13 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/smp_64.c | 12 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 52 +-
+ arch/sparc/kernel/traps_64.c | 27 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 +
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/sparc/mm/init_64.c | 10 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 4 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/efi_stub_32.S | 16 +-
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 22 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 +
+ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/serpent-avx2-asm_64.S | 9 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/sha256-avx-asm.S | 2 +
+ arch/x86/crypto/sha256-avx2-asm.S | 2 +
+ arch/x86/crypto/sha256-ssse3-asm.S | 2 +
+ arch/x86/crypto/sha512-avx-asm.S | 2 +
+ arch/x86/crypto/sha512-avx2-asm.S | 2 +
+ arch/x86/crypto/sha512-ssse3-asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 16 +-
+ arch/x86/ia32/ia32entry.S | 157 +-
+ arch/x86/ia32/sys_ia32.c | 4 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 +-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 16 +-
+ arch/x86/include/asm/desc.h | 74 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 8 +-
+ arch/x86/include/asm/futex.h | 20 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 128 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/include/asm/page_64.h | 4 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 124 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 82 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 29 +-
+ arch/x86/include/asm/smap.h | 64 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/tlbflush.h | 74 +-
+ arch/x86/include/asm/uaccess.h | 112 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 14 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 130 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ arch/x86/kernel/doublefault.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 61 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 356 +-
+ arch/x86/kernel/entry_64.S | 669 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 13 +-
+ arch/x86/kernel/head_32.S | 228 +-
+ arch/x86/kernel/head_64.S | 138 +-
+ arch/x86/kernel/i386_ksyms_32.c | 12 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 67 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 55 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 20 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 42 +-
+ arch/x86/kernel/reboot_fixups_32.c | 2 +-
+ arch/x86/kernel/relocate_kernel_64.S | 5 +-
+ arch/x86/kernel/setup.c | 65 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 19 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 28 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 184 +
+ arch/x86/kernel/sys_x86_64.c | 22 +-
+ arch/x86/kernel/tboot.c | 12 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/tracepoint.c | 4 +-
+ arch/x86/kernel/traps.c | 62 +-
+ arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 147 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 6 +-
+ arch/x86/kernel/x86_init.c | 6 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 61 +-
+ arch/x86/kvm/x86.c | 8 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 89 +-
+ arch/x86/lib/copy_user_nocache_64.S | 22 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 13 +-
+ arch/x86/lib/getuser.S | 74 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 22 +-
+ arch/x86/lib/memmove_64.S | 36 +-
+ arch/x86/lib/memset_64.S | 11 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 363 +-
+ arch/x86/lib/usercopy_64.c | 18 +-
+ arch/x86/mm/Makefile | 4 +
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 571 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 101 +-
+ arch/x86/mm/init_32.c | 111 +-
+ arch/x86/mm/init_64.c | 45 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 36 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pat_rbtree.c | 2 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 139 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/mm/uderef_64.c | 37 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 39 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 24 +
+ arch/x86/platform/efi/efi_64.c | 10 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 11 +-
+ arch/x86/realmode/init.c | 10 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 3 +-
+ arch/x86/tools/Makefile | 2 +-
+ arch/x86/tools/relocs.c | 94 +-
+ arch/x86/um/tls_32.c | 2 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 45 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-cgroup.c | 4 +-
+ block/blk-iopoll.c | 2 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 2 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/genhd.c | 9 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ crypto/pcrypt.c | 2 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/apei/ghes.c | 4 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 12 +-
+ drivers/ata/libata-scsi.c | 2 +-
+ drivers/ata/libata.h | 2 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 8 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_nl.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 11 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 4 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 43 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clk/clk-composite.c | 2 +-
+ drivers/clk/socfpga/clk.c | 7 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 8 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/crypto/hifn_795x.c | 4 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_device.c | 4 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci.c | 4 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 6 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efi/efi.c | 12 +-
+ drivers/firmware/efi/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 2 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 24 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/gpu/host1x/drm/dc.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hid/uhid.c | 6 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hv_balloon.c | 18 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/iio_hwmon.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mlx4/mad.c | 2 +-
+ drivers/infiniband/hw/mlx4/mcg.c | 2 +-
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/misc/ims-pcu.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/input/serio/serio_raw.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 12 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/gigaset/usb-gigaset.c | 2 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_common.c | 2 +
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bcache/closure.h | 2 +-
+ drivers/md/bcache/super.c | 2 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/radio/radio-maxiradio.c | 2 +-
+ drivers/media/radio/radio-shark.c | 2 +-
+ drivers/media/radio/radio-shark2.c | 2 +-
+ drivers/media/radio/radio-si476x.c | 2 +-
+ drivers/media/rc/rc-main.c | 4 +-
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
+ drivers/media/v4l2-core/v4l2-device.c | 4 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/usb/sierra_net.c | 4 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wimax/i2400m/rx.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
+ drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/core.c | 4 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/android/timed_output.c | 6 +-
+ drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10.h | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.h | 4 +-
+ drivers/target/sbp/sbp_target.c | 4 +-
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/hvc/hvsi.c | 12 +-
+ drivers/tty/hvc/hvsi_lib.c | 6 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/ioc4_serial.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/msm_serial.c | 4 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/dwc3/gadget.c | 2 -
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/misc/appledisplay.c | 4 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/vfio/vfio.c | 2 +-
+ drivers/vhost/vringh.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/hyperv_fb.c | 4 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_addr.c | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/afs/inode.c | 4 +-
+ fs/aio.c | 12 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 648 ++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/delayed-inode.c | 6 +-
+ fs/btrfs/delayed-inode.h | 4 +-
+ fs/btrfs/super.c | 2 +-
+ fs/buffer.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/ceph/super.c | 4 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 4 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 12 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 18 +-
+ fs/dcache.c | 3 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/exec.c | 362 +-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 4 +-
+ fs/fhandle.c | 3 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 38 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 26 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 4 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 16 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 9 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 6 +-
+ fs/ntfs/super.c | 6 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 61 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/proc/vmcore.c | 12 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/read_write.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 41 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 7 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 16 +
+ include/asm-generic/uaccess.h | 16 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/clk-provider.h | 1 +
+ include/linux/compat.h | 5 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/fdtable.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 17 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 4 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/linkage.h | 1 +
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 8 +-
+ include/linux/mm.h | 116 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 10 +-
+ include/linux/pipe_fs_i.h | 8 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-ohci-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/preempt.h | 19 +
+ include/linux/proc_ns.h | 2 +-
+ include/linux/random.h | 15 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 67 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/security.h | 2 +-
+ include/linux/seq_file.h | 1 +
+ include/linux/signal.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 48 +-
+ include/linux/slab_def.h | 32 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 8 +-
+ include/linux/smp.h | 2 +
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 18 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 9 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-device.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 17 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 18 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/netns/ipv6.h | 2 +-
+ include/net/ping.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/compress_driver.h | 2 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 30 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 42 +-
+ init/main.c | 84 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 38 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 30 +-
+ kernel/events/internal.h | 12 +-
+ kernel/events/uprobes.c | 2 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 170 +-
+ kernel/futex.c | 11 +-
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 2 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 10 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 24 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 74 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 49 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/sched/sched.h | 2 +-
+ kernel/signal.c | 32 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 14 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 4 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 18 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_clock.c | 4 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ kernel/workqueue.c | 2 +-
+ lib/Kconfig.debug | 8 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/usercopy.c | 6 +
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/backing-dev.c | 4 +-
+ mm/filemap.c | 10 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 3 +-
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 25 +
+ mm/mlock.c | 15 +-
+ mm/mmap.c | 588 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 2 +-
+ mm/page_alloc.c | 41 +-
+ mm/page_io.c | 2 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 44 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 108 +-
+ mm/slab.h | 15 +-
+ mm/slab_common.c | 60 +-
+ mm/slob.c | 206 +-
+ mm/slub.c | 88 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 77 +-
+ mm/vmstat.c | 10 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 2 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/ceph/messenger.c | 4 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/netpoll.c | 4 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/skbuff.c | 6 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ieee802154/6lowpan.c | 2 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/devinet.c | 18 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 14 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 20 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 12 +-
+ net/ipv6/datagram.c | 2 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/output_core.c | 15 +-
+ net/ipv6/ping.c | 28 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 6 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 16 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 4 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 33 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.sh | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 690 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/internal.h | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 12 +-
+ security/selinux/avc.c | 6 +-
+ security/selinux/hooks.c | 6 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/core/sound.c | 2 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/hda/hda_codec.c | 8 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 172 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 560 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 471 ++
+ tools/gcc/latent_entropy_plugin.c | 321 +
+ tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2113 +++++++
+ tools/gcc/stackleak_plugin.c | 327 +
+ tools/gcc/structleak_plugin.c | 277 +
+ tools/lib/lk/Makefile | 2 +-
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1664 files changed, 32957 insertions(+), 7636 deletions(-)
+commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
+Merge: c3ccfb2 777e08c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:49:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:47:32 2013 -0400
+
+ Update to pax-linux-3.10.11-test26.patch:
+ - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
+ - fixed an uninitialized read in splice, reported by hunger
+
+ fs/splice.c | 1 +
+ include/linux/syscalls.h | 14 +-
+ tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++----------------
+ 3 files changed, 247 insertions(+), 194 deletions(-)
+
+commit 5c3161364270c842d901789faac731f79a9f9cd6
+Merge: cf9c476 85cdabb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:24:25 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit c3ccfb29794a03413095422100ce90d40ef7df0f
+Author: Jakob Bornecrantz <jakob@vmware.com>
+Date: Thu Aug 29 02:32:53 2013 +0200
+
+ Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
+
+ drm/vmwgfx: Split GMR2_REMAP commands if they are to large
+
+ This fixes the piglit test texturing/max-texture-size
+ causing the VM to die due to a too large SVGA command.
+
+ Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
+ Reviewed-by: Biran Paul <brianp@vmware.com>
+ Reviewed-by: Zack Rusin <zackr@vmware.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dave Airlie <airlied@gmail.com>
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
+ 1 files changed, 39 insertions(+), 19 deletions(-)
+
+commit d260badf708d6aa16c44f56f54727532dcae826e
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Tue Sep 3 19:29:12 2013 +0200
+
+ Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
+
+ net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
+
+ In tcp_v6_do_rcv() code, when processing pkt options, we soley work
+ on our skb clone opt_skb that we've created earlier before entering
+ tcp_rcv_established() on our way. However, only in condition ...
+
+ if (np->rxopt.bits.rxtclass)
+ np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
+
+ ... we work on skb itself. As we extract every other information out
+ of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
+ already be released by tcp_rcv_established() earlier on. When we try
+ to access it in ipv6_hdr(), we will dereference freed skb.
+
+ [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
+ IP_PKTOPTIONS") ]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jiri Benc <jbenc@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 29 11:47:00 2013 +0300
+
+ Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
+
+ mISDN: return -EINVAL on error in dsp_control_req()
+
+ If skb->len is too short then we should return an error. Otherwise we
+ read beyond the end of skb->data for several bytes.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/mISDN/dsp_core.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:36:23 2013 -0400
+
+ fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit da68dbcd96c617923a0aedb177d36b2701f9c858
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:17:02 2013 -0400
+
+ Allow the deny_new_usb sysctl to be toggled off by a user with
+ CAP_SYS_ADMIN. This allows for more inventive uses of the feature
+ that would be impossible otherwise (like toggling it while the screen is
+ locked, etc)
+
+ grsecurity/grsec_sysctl.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit ce0e893adc830ee110f97071cc17e661fb35ae3d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 18:41:49 2013 -0400
+
+ Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
+ GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
+ users who know they want the functionality but don't want to bother
+ with modifying init scripts
+
+ Also eliminate reset_security_ops() as a ROP target when
+ SECURITY_SELINUX_DISABLE is disabled as it's the only user
+
+ grsecurity/Kconfig | 17 ++++++++++++++++-
+ grsecurity/grsec_init.c | 3 +++
+ grsecurity/grsec_sysctl.c | 2 +-
+ security/security.c | 4 ++++
+ 4 files changed, 24 insertions(+), 2 deletions(-)
+
+commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
+Merge: 7ee3899 cf9c476
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 1 13:56:57 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 1 13:56:16 2013 -0400
+
+ Update to pax-linux-3.10.10-test25.patch:
+ - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
+ - got inet_getid and ipv6_select_ident rid of the cmpxchg loop
+
+ block/blk-cgroup.c | 4 ++--
+ drivers/video/hyperv_fb.c | 4 ++--
+ fs/namespace.c | 4 ++--
+ include/net/inetpeer.h | 13 +++++--------
+ kernel/trace/trace_clock.c | 4 ++--
+ net/ipv6/output_core.c | 15 ++++++---------
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
+ 7 files changed, 21 insertions(+), 27 deletions(-)
+
+commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
+Merge: fd0338c 2bdeae7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 22:07:38 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 22:06:55 2013 -0400
+
+ Update to pax-linux-3.10.10-test24.patch:
+ - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
+ - fixed a bunch more after a quick audit of atomic_inc_return users
+
+ drivers/acpi/apei/ghes.c | 4 ++--
+ drivers/ata/libata-core.c | 4 ++--
+ drivers/ata/libata-scsi.c | 2 +-
+ drivers/ata/libata.h | 2 +-
+ drivers/block/drbd/drbd_nl.c | 4 ++--
+ drivers/crypto/hifn_795x.c | 4 ++--
+ drivers/edac/edac_device.c | 4 ++--
+ drivers/edac/edac_pci.c | 4 ++--
+ drivers/firewire/core-card.c | 4 ++--
+ drivers/hv/hv_balloon.c | 18 +++++++++---------
+ drivers/infiniband/hw/mlx4/mad.c | 2 +-
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
+ drivers/input/misc/ims-pcu.c | 4 ++--
+ drivers/input/serio/serio_raw.c | 4 ++--
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ drivers/media/radio/radio-maxiradio.c | 2 +-
+ drivers/media/radio/radio-shark.c | 2 +-
+ drivers/media/radio/radio-shark2.c | 2 +-
+ drivers/media/radio/radio-si476x.c | 2 +-
+ drivers/media/rc/rc-main.c | 4 ++--
+ drivers/media/v4l2-core/v4l2-device.c | 4 ++--
+ drivers/net/usb/sierra_net.c | 4 ++--
+ drivers/pci/hotplug/pciehp_hpc.c | 4 +---
+ drivers/regulator/core.c | 4 ++--
+ drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------
+ drivers/staging/android/timed_output.c | 6 +++---
+ drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10.h | 2 +-
+ drivers/target/sbp/sbp_target.c | 4 ++--
+ drivers/tty/hvc/hvsi.c | 12 ++++++------
+ drivers/tty/hvc/hvsi_lib.c | 6 +++---
+ drivers/tty/serial/ioc4_serial.c | 6 +++---
+ drivers/tty/serial/msm_serial.c | 4 ++--
+ drivers/usb/misc/appledisplay.c | 4 ++--
+ fs/afs/inode.c | 4 ++--
+ fs/btrfs/delayed-inode.c | 6 +++---
+ fs/btrfs/delayed-inode.h | 4 ++--
+ fs/fscache/cookie.c | 4 ++--
+ include/media/v4l2-device.h | 2 +-
+ net/ceph/messenger.c | 4 ++--
+ net/core/netpoll.c | 4 ++--
+ net/xfrm/xfrm_state.c | 4 ++--
+ security/selinux/avc.c | 6 +++---
+ 43 files changed, 93 insertions(+), 95 deletions(-)
+
+commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
+Merge: 1bdf7ec 85099d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 21:07:29 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 21:06:55 2013 -0400
+
+ Update to pax-linux-3.10.10-test23.patch:
+ - added the necessary atomic_unchecked_t conversion for mips
+ - audited and fixed arm and sparc for proper atomic_unchecked_t usage
+
+ arch/arm/kvm/arm.c | 8 ++++----
+ arch/arm/mm/context.c | 10 +++++-----
+ arch/mips/kernel/irq.c | 6 +++---
+ arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------
+ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++---
+ arch/sparc/kernel/smp_64.c | 12 ++++++------
+ arch/sparc/kernel/traps_64.c | 14 +++++++-------
+ arch/sparc/mm/init_64.c | 10 +++++-----
+ 8 files changed, 45 insertions(+), 45 deletions(-)
+
+commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
+Merge: 995a168 38ee86c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 19:23:36 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 19:23:11 2013 -0400
+
+ Update to pax-linux-3.10.10-test22.patch:
+ - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
+ - fixed a few more format strings
+
+ arch/mips/include/asm/atomic.h | 20 ++++++++++++++++----
+ drivers/md/bcache/super.c | 2 +-
+ drivers/net/wireless/iwlwifi/dvm/main.c | 3 +--
+ drivers/pci/hotplug/pciehp_hpc.c | 2 +-
+ drivers/platform/x86/wmi.c | 2 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/vfio/vfio.c | 4 ++--
+ fs/ntfs/super.c | 6 +++---
+ include/linux/workqueue.h | 6 +++---
+ net/mac80211/main.c | 2 +-
+ sound/pci/hda/hda_codec.c | 8 ++------
+ 11 files changed, 32 insertions(+), 25 deletions(-)
+
+commit 995a16841e2097c3a9dfc652e856469679c4a0ba
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 17:11:11 2013 -0400
+
+ fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
+
+ grsecurity/grsec_sysctl.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
+Merge: be2497c 1052971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 29 20:44:29 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ include/linux/sched.h
+
+commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
+Merge: e902dad 8bf3379
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 29 20:39:50 2013 -0400
+
+ Update to pax-linux-3.10.10-test21.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/sys_x86_64.c
+ arch/x86/mm/mmap.c
+ include/linux/sched.h
+
+commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
+Merge: 081c22b e902dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:52:44 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:51:21 2013 -0400
+
+ Update to pax-linux-3.10.9-test21.patch:
+ - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
+ - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
+ - fixed a REFCOUNT false positive in UHID
+ - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
+ Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
+ (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
+ - icmpv6_filter: no memory corruption, probably just some logical error in the caller
+ - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
+ - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
+ - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
+ - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
+ - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
+
+ arch/arm/mm/fault.c | 2 +-
+ arch/mips/kernel/traps.c | 2 --
+ drivers/hid/uhid.c | 6 +++---
+ drivers/isdn/gigaset/usb-gigaset.c | 2 +-
+ drivers/isdn/i4l/isdn_common.c | 2 ++
+ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
+ drivers/usb/dwc3/gadget.c | 2 --
+ net/ieee802154/6lowpan.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
+ 10 files changed, 14 insertions(+), 16 deletions(-)
+
+commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:42:39 2013 -0400
+
+ add export of gr_handle_new_usb()
+
+ grsecurity/grsec_usb.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 19:24:47 2013 -0400
+
+ Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
+ Kees' recent findings are motivation enough to publish it
+
+ drivers/usb/core/hub.c | 5 +++++
+ grsecurity/Kconfig | 20 ++++++++++++++++++++
+ grsecurity/Makefile | 3 ++-
+ grsecurity/grsec_init.c | 1 +
+ grsecurity/grsec_sysctl.c | 11 +++++++++++
+ grsecurity/grsec_usb.c | 13 +++++++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grsecurity.h | 2 ++
+ 8 files changed, 55 insertions(+), 1 deletions(-)
+
+commit 8044382257ec75a03f3d784ce048ef14e94b90ca
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:35:07 2013 -0700
+
+ HID: zeroplus: validate output report details
+
+ The zeroplus HID driver was not checking the size of allocated values
+ in fields it used. A HID device could send a malicious output report
+ that would cause the driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+ ...
+ [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2889
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-zpff.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 14:36:15 2013 -0700
+
+ HID: provide a helper for validating hid reports
+
+ Many drivers need to validate the characteristics of their HID report
+ during initialization to avoid misusing the reports. This adds a common
+ helper to perform validation of the report, its field count, and the
+ value count within the fields.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/hid.h | 4 +++
+ 2 files changed, 54 insertions(+), 0 deletions(-)
+
+commit 270ba9096ddecdc3cf6c4d76e6892184820116be
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:14:34 2013 -0700
+
+ HID: steelseries: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ steelseries HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+ ...
+ [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2891
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-steelseries.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 08:49:21 2013 -0700
+
+ HID: pantherlord: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ pantherlord HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+ ...
+ [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2892
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 60115e8108e508060815bce5ef9504233c81898c
+Author: Kees Cook <keescook@chromium.org>
+Date: Tue Aug 13 16:49:01 2013 -0700
+
+ HID: LG: validate HID output report details
+
+ A HID device could send a malicious output report that would cause the
+ lg, lg3, and lg4 HID drivers to write beyond the output report allocation
+ during an event, causing a heap overflow:
+
+ [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
+ ...
+ [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
+
+ Additionally, while lg2 did correctly validate the report details, it was
+ cleaned up and shortened.
+
+ CVE-2013-2893
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-lg2ff.c | 19 +++----------------
+ drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
+ drivers/hid/hid-lg4ff.c | 20 +-------------------
+ drivers/hid/hid-lgff.c | 17 ++---------------
+ 4 files changed, 12 insertions(+), 73 deletions(-)
+
+commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:21:23 2013 -0700
+
+ HID: lenovo-tpkbd: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ lenovo-tpkbd HID driver to write just beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+ ...
+ [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2894
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 38627769bb2b9a550e251b2caf1babda7566fb4a
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:45:03 2013 -0700
+
+ HID: logitech-dj: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ logitech-dj HID driver to leak kernel memory contents to the device, or
+ trigger a NULL dereference during initialization:
+
+ [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+ ...
+ [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+ [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+ CVE-2013-2895
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:18:15 2013 -0700
+
+ HID: ntrig: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ ntrig HID driver to trigger a NULL dereference during initialization:
+
+ [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+ ...
+ [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+ [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+ CVE-2013-2896
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:11:32 2013 -0700
+
+ HID: multitouch: validate feature report details
+
+ When working on report indexes, always validate that they are in bounds.
+ Without this, a HID device could report a malicious feature report that
+ could trick the driver into a heap overflow:
+
+ [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+ ...
+ [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2897
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
+ 1 files changed, 20 insertions(+), 5 deletions(-)
+
+commit 813f51e0881e4ea6d221da828b1cced02ad9694d
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:12:45 2013 -0700
+
+ HID: sensor-hub: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ sensor-hub HID driver to read past the end of heap allocation, leaking
+ kernel memory contents to the caller.
+
+ CVE-2013-2898
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:05:10 2013 -0700
+
+ HID: picolcd_core: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+ CVE-2013-2899
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:09:54 2013 -0700
+
+ HID: check for NULL field when setting values
+
+ Defensively check that the field to be worked on is not NULL.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 96a55ce1b2f3af376c400a02059174e79ce4399c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 18:09:18 2013 -0400
+
+ http://marc.info/?l=linux-input&m=137772180514608&q=raw
+
+ From: Kees Cook <keescook@chromium.org>
+
+ The "Report ID" field of a HID report is used to build indexes of
+ reports. The kernel's index of these is limited to 256 entries, so any
+ malicious device that sets a Report ID greater than 255 will trigger
+ memory corruption on the host:
+
+ [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+ [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+ CVE-2013-2888
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ ---
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+commit eb1106eef5f17bfda833ca3cf89e315919173257
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Aug 9 12:52:31 2013 +0300
+
+ Upstream commit: 909bd5926d474e275599094acad986af79671ac9
+
+ Hostap: copying wrong data prism2_ioctl_giwaplist()
+
+ We want the data stored in "addr" and "qual", but the extra ampersands
+ mean we are copying stack data instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 17:01:21 2013 -0400
+
+ fix typo in ipv6 backport
+
+ net/ipv6/addrconf.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Thu Aug 22 11:39:15 2013 -0700
+
+ Upstream commit: d661684cf6820331feae71146c35da83d794467e
+
+ net: Check the correct namespace when spoofing pid over SCM_RIGHTS
+
+ This is a security bug.
+
+ The follow-up will fix nsproxy to discourage this type of issue from
+ happening again.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/scm.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Aug 16 13:02:27 2013 +0200
+
+ Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
+
+ ipv6: remove max_addresses check from ipv6_create_tempaddr
+
+ Because of the max_addresses check attackers were able to disable privacy
+ extensions on an interface by creating enough autoconfigured addresses:
+
+ <http://seclists.org/oss-sec/2012/q4/292>
+
+ But the check is not actually needed: max_addresses protects the
+ kernel to install too many ipv6 addresses on an interface and guards
+ addrconf_prefix_rcv to install further addresses as soon as this limit
+ is reached. We only generate temporary addresses in direct response of
+ a new address showing up. As soon as we filled up the maximum number of
+ addresses of an interface, we stop installing more addresses and thus
+ also stop generating more temp addresses.
+
+ Even if the attacker tries to generate a lot of temporary addresses
+ by announcing a prefix and removing it again (lifetime == 0) we won't
+ install more temp addresses, because the temporary addresses do count
+ to the maximum number of addresses, thus we would stop installing new
+ autoconfigured addresses when the limit is reached.
+
+ This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
+ possible).
+
+ Thanks to Ding Tianhong to bring this topic up again.
+
+ Cc: Ding Tianhong <dingtianhong@huawei.com>
+ Cc: George Kargiotakis <kargig@void.gr>
+ Cc: P J P <ppandit@redhat.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Ding Tianhong <dingtianhong@huawei.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/ipv6/addrconf.c
+
+ net/ipv6/addrconf.c | 10 ++++------
+ 1 files changed, 4 insertions(+), 6 deletions(-)
+
+commit 8333e0981469a226a47d0142ff31090a48db95a4
+Author: David Vrabel <david.vrabel@citrix.com>
+Date: Thu Aug 15 13:21:06 2013 +0100
+
+ Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
+
+ xen/events: initialize local per-cpu mask for all possible events
+
+ The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
+ resulting in only the first 64 (or 32 in 32-bit guests) ports having
+ their bindings being initialized to VCPU 0.
+
+ In most cases this does not cause a problem as request_irq() will set
+ the irq affinity which will set the correct local per-cpu mask.
+ However, if the request_irq() is called on a VCPU other than 0, there
+ is a window between the unmasking of the event and the affinity being
+ set were an event may be lost because it is not locally unmasked on
+ any VCPU. If request_irq() is called on VCPU 0 then local irqs are
+ disabled during the window and the race does not occur.
+
+ Fix this by initializing all NR_EVENT_CHANNEL bits in the local
+ per-cpu masks.
+
+ Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+ Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+ CC: stable@vger.kernel.org
+
+ drivers/xen/events.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2a9a83768433937a2b7a97001ba1627156c0efed
+Author: Roland Dreier <roland@purestorage.com>
+Date: Mon Aug 5 17:55:01 2013 -0700
+
+ Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
+
+ [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
+
+ There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
+ leads to one process writing data into the address space of some other
+ random unrelated process if the ioctl is interrupted by a signal.
+ What happens is the following:
+
+ - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
+ underlying SCSI command will transfer data from the SCSI device to
+ the buffer provided in the ioctl)
+
+ - Before the command finishes, a signal is sent to the process waiting
+ in the ioctl. This will end up waking up the sg_ioctl() code:
+
+ result = wait_event_interruptible(sfp->read_wait,
+ (srp_done(sfp, srp) || sdp->detached));
+
+ but neither srp_done() nor sdp->detached is true, so we end up just
+ setting srp->orphan and returning to userspace:
+
+ srp->orphan = 1;
+ write_unlock_irq(&sfp->rq_list_lock);
+ return result; /* -ERESTARTSYS because signal hit process */
+
+ At this point the original process is done with the ioctl and
+ blithely goes ahead handling the signal, reissuing the ioctl, etc.
+
+ - Eventually, the SCSI command issued by the first ioctl finishes and
+ ends up in sg_rq_end_io(). At the end of that function, we run through:
+
+ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ if (unlikely(srp->orphan)) {
+ if (sfp->keep_orphan)
+ srp->sg_io_owned = 0;
+ else
+ done = 0;
+ }
+ srp->done = done;
+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+
+ if (likely(done)) {
+ /* Now wake up any sg_read() that is waiting for this
+ * packet.
+ */
+ wake_up_interruptible(&sfp->read_wait);
+ kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
+ kref_put(&sfp->f_ref, sg_remove_sfp);
+ } else {
+ INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
+ schedule_work(&srp->ew.work);
+ }
+
+ Since srp->orphan *is* set, we set done to 0 (assuming the
+ userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
+ ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
+ to run in a workqueue.
+
+ - In workqueue context we go through sg_rq_end_io_usercontext() ->
+ sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
+ bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
+
+ The key point here is that we are doing copy_to_user() on a
+ workqueue -- that is, we're on a kernel thread with current->mm
+ equal to whatever random previous user process was scheduled before
+ this kernel thread. So we end up copying whatever data the SCSI
+ command returned to the virtual address of the buffer passed into
+ the original ioctl, but it's quite likely we do this copying into a
+ different address space!
+
+ As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
+ add a check for current->mm (which is NULL if we're on a kernel thread
+ without a real userspace address space) in bio_uncopy_user(), and skip
+ the copy if we're on a kernel thread.
+
+ There's no reason that I can think of for any caller of bio_uncopy_user()
+ to want to do copying on a kernel thread with a random active userspace
+ address space.
+
+ Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
+ original pointer to this bug in the sg code.
+
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+ Tested-by: David Milburn <dmilburn@redhat.com>
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+
+ fs/bio.c | 20 +++++++++++++++-----
+ 1 files changed, 15 insertions(+), 5 deletions(-)
+
+commit e6fe57dee152671afd618d6bc8cbf23155be6c34
+Merge: cdc8f7d f2095a4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 27 18:13:35 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/mm/fault.c
+ security/Kconfig
+
+commit f2095a4787f7d332e5919f0bd00f8de6021ad612
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 27 18:08:23 2013 -0400
+
+ Update to pax-linux-3.10.9-test20.patch:
+ - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
+ - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
+ - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
+ - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
+ - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
+ - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
+ - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)
+
+ arch/arm/mm/fault.c | 11 +-
+ arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++--
+ arch/mips/kernel/traps.c | 14 +-
+ arch/x86/include/asm/tlbflush.h | 4 +
+ arch/x86/include/asm/uaccess_64.h | 2 +-
+ fs/ntfs/file.c | 2 +-
+ kernel/events/internal.h | 4 +-
+ kernel/events/uprobes.c | 2 +-
+ kernel/futex.c | 2 +-
+ mm/filemap.c | 8 +-
+ security/Kconfig | 2 +-
+ tools/gcc/kernexec_plugin.c | 18 +-
+ tools/gcc/latent_entropy_plugin.c | 26 +-
+ tools/gcc/size_overflow_plugin.c | 3 +-
+ 14 files changed, 750 insertions(+), 70 deletions(-)
+
+commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
+Merge: 5a9ae57 745975e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 26 20:27:33 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 745975e3b3b74b64e00e85778f9a22714d1274f2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 26 20:26:33 2013 -0400
+
+ Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
+ as reported by fabled on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=1&t=3720
+
+ arch/arm/include/asm/pgtable.h | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
+Merge: 486ec00 f68df21
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:15:20 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:14:50 2013 -0400
+
+ Update to pax-linux-3.10.9-test18.patch:
+ - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
+ - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
+ - forward port to 3.10.9
+
+ arch/x86/kernel/entry_64.S | 18 +++++++++---------
+ arch/x86/kernel/i386_ksyms_32.c | 4 ++++
+ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++
+ 3 files changed, 17 insertions(+), 9 deletions(-)
+
+commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
+Merge: f47a293 d8fed0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:12:47 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
+Merge: f6ace8e 0a4b6d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:12:33 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit f47a293a1440da2a3e2c239d43d636e37ca74f10
+Merge: f1e8ec7 f6ace8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:20:05 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/kernel/perf_event.c
+ include/linux/sched.h
+
+commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
+Merge: b4fa847 6f54059
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:18:02 2013 -0400
+
+ Update to pax-linux-3.10.8-test18.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/sys_x86_64.c
+ arch/x86/mm/mmap.c
+ include/linux/sched.h
+
+commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
+Merge: 6f88011 b4fa847
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:05:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:04:14 2013 -0400
+
+ Update to pax-linux-3.10.7-test18.patch:
+ - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
+ - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
+ - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause
+
+ arch/arm/kernel/process.c | 2 +-
+ arch/x86/include/asm/processor.h | 25 ++-----------------------
+ arch/x86/kernel/cpu/common.c | 4 ++++
+ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++
+ drivers/staging/zcache/tmem.c | 4 ++--
+ drivers/staging/zcache/tmem.h | 6 ++----
+ 6 files changed, 47 insertions(+), 30 deletions(-)
+
+commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 19 22:10:04 2013 -0400
+
+ fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
+ as reported by pipacs
+
+ arch/x86/kernel/smpboot.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
+Merge: 6eba999 5de93c8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 22:03:19 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 22:02:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test15.patch:
+ - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
+ - fixed some new REFCOUNT false positives, caught by inspection
+
+ arch/x86/kernel/cpu/common.c | 5 +++--
+ arch/x86/kernel/entry_64.S | 11 +++++++----
+ fs/ceph/super.c | 4 ++--
+ mm/backing-dev.c | 4 ++--
+ 4 files changed, 14 insertions(+), 10 deletions(-)
+
+commit 94c119587c76723c1072237b98fff9886ccb7689
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 20:49:39 2013 -0400
+
+ fix pipacs' DEMORGAN typo
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
+Merge: df347f6 64a293e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 18:13:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 18:12:37 2013 -0400
+
+ Update to pax-linux-3.10.7-test14.patch:
+ - fixed compile error introduced by the previous PCID change
+ - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ kernel/posix-timers.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
+Merge: d8efbc5 e11b314
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 08:15:00 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e11b314734c5b7317f5468be75305ad812e78c2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 08:14:26 2013 -0400
+
+ Update to pax-linux-3.10.7-test13.patch:
+ - always enable the use of PCID and INVPCID when available in the CPU
+ - kvm guest kernels can use these features even if the host kernel lacks UDEREF
+
+ arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++----------------
+ arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++----------
+ 2 files changed, 70 insertions(+), 47 deletions(-)
+
+commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 12:00:20 2013 -0400
+
+ make kallsyms_lookup_size_offset available to approved source files
+
+ include/linux/kallsyms.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 6c8feffa95ce2db280160015027b52bb41a344c8
+Merge: dbf6930 0bb1c2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:57:50 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:56:43 2013 -0400
+
+ Update to pax-linux-3.10.7-test12.patch:
+ - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
+ - fixed some arm compile problems
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ drivers/clocksource/bcm_kona_timer.c | 2 +-
+ kernel/signal.c | 4 ++++
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+commit dbf69305ad4f8a037aae95af90f9201f556dcb48
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:18:09 2013 -0400
+
+ allow use of kallsyms_lookup_name to approved source files
+
+ include/linux/kallsyms.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
+Merge: 68bd16f f562e3e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 10:35:02 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f562e3ef7737ea8d80431a722479b36a12504ace
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 10:34:51 2013 -0400
+
+ add uderef_64.c
+
+ arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++
+ 1 files changed, 37 insertions(+), 0 deletions(-)
+
+commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
+Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
+Date: Mon Aug 12 16:30:09 2013 +0000
+
+ Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
+
+ rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
+
+ Fix the iproute2 command `bridge vlan show`, after switching from
+ rtgenmsg to ifinfomsg.
+
+ Let's start with a little history:
+
+ Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in
+ the 3.9 merge window.
+ In the kernel commit 6cbdceeb, he added attribute support to
+ bridge GETLINK requests sent with rtgenmsg.
+
+ Mar 6th: Vlad got this iproute2 reference implementation of the bridge
+ vlan netlink interface accepted (iproute2 9eff0e5c)
+
+ Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
+ http://patchwork.ozlabs.org/patch/239602/
+ http://marc.info/?t=136680900700007
+
+ Apr 28th: Linus released 3.9
+
+ Apr 30th: Stephen released iproute2 3.9.0
+
+ The `bridge vlan show` command haven't been working since the switch to
+ ifinfomsg, or in a released version of iproute2. Since the kernel side
+ only supports rtgenmsg, which iproute2 switched away from just prior to
+ the iproute2 3.9.0 release.
+
+ I haven't been able to find any documentation, about neither rtgenmsg
+ nor ifinfomsg, and in which situation to use which, but kernel commit
+ 88c5b5ce seams to suggest that ifinfomsg should be used.
+
+ Fixing this in kernel will break compatibility, but I doubt that anybody
+ have been using it due to this bug in the user space reference
+ implementation, at least not without noticing this bug. That said the
+ functionality is still fully functional in 3.9, when reversing iproute2
+ commit 63338dca.
+
+ This could also be fixed in iproute2, but thats an ugly patch that would
+ reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
+ like rtgenmsg usage is discouraged. I'm assuming that the only reason
+ that Vlad implemented the kernel side to use rtgenmsg, was because
+ iproute2 was using it at the time.
+
+ Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
+ Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/rtnetlink.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8c7bc5bafddddff55ed4687203a977e96f72540a
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Aug 13 09:04:05 2013 +0200
+
+ Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
+
+ genetlink: fix family dump race
+
+ When dumping generic netlink families, only the first dump call
+ is locked with genl_lock(), which protects the list of families,
+ and thus subsequent calls can access the data without locking,
+ racing against family addition/removal. This can cause a crash.
+ Fix it - the locking needs to be conditional because the first
+ time around it's already locked.
+
+ A similar bug was reported to me on an old kernel (3.4.47) but
+ the exact scenario that happened there is no longer possible,
+ on those kernels the first round wasn't locked either. Looking
+ at the current code I found the race described above, which had
+ also existed on the old kernel.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/netlink/genetlink.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri Aug 9 16:25:21 2013 +0200
+
+ Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
+
+ net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
+
+ Probably this one is quite unlikely to be triggered, but it's more safe
+ to do the call_rcu() at the end after we have dropped the reference on
+ the asoc and freed sctp packet chunks. The reason why is because in
+ sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
+ we're unlucky enough we could run into corrupted pointers. Probably
+ that's more of theoretical nature, but it's safer to have this simple fix.
+
+ Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
+ for deferred call_rcu's"). I also did the 8c98653f regression test and
+ it's fine that way.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/transport.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 3925eab5483946fd746575a46f97bee9d566bb77
+Author: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Fri Aug 9 11:44:06 2013 +0200
+
+ Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
+
+ can: pcan_usb: fix wrong memcpy() bytes length
+
+ Fix possibly wrong memcpy() bytes length since some CAN records received from
+ PCAN-USB could define a DLC field in range [9..15].
+ In that case, the real DLC value MUST be used to move forward the record pointer
+ but, only 8 bytes max. MUST be copied into the data field of the struct
+ can_frame object of the skb given to the network core.
+
+ Cc: linux-stable <stable@vger.kernel.org>
+ Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c1ac6642baae4a400d1f87115024d1bb1ef53598
+Author: Linus Lüssing <linus.luessing@web.de>
+Date: Tue Aug 6 20:21:15 2013 +0200
+
+ Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
+
+ batman-adv: fix potential kernel paging errors for unicast transmissions
+
+ There are several functions which might reallocate skb data. Currently
+ some places keep reusing their old ethhdr pointer regardless of whether
+ they became invalid after such a reallocation or not. This potentially
+ leads to kernel paging errors.
+
+ This patch fixes these by refetching the ethdr pointer after the
+ potential reallocations.
+
+ Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+ Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+
+ net/batman-adv/bridge_loop_avoidance.c | 2 ++
+ net/batman-adv/gateway_client.c | 13 ++++++++++++-
+ net/batman-adv/gateway_client.h | 3 +--
+ net/batman-adv/soft-interface.c | 9 ++++++++-
+ net/batman-adv/unicast.c | 13 ++++++++++---
+ 5 files changed, 33 insertions(+), 7 deletions(-)
+
+commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
+Author: Yuchung Cheng <ycheng@google.com>
+Date: Fri Aug 9 17:21:27 2013 -0700
+
+ Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
+
+ netfilter: nf_conntrack: fix tcp_in_window for Fast Open
+
+ Currently the conntrack checks if the ending sequence of a packet
+ falls within the observed receive window. However it does so even
+ if it has not observe any packet from the remote yet and uses an
+ uninitialized receive window (td_maxwin).
+
+ If a connection uses Fast Open to send a SYN-data packet which is
+ dropped afterward in the network. The subsequent SYNs retransmits
+ will all fail this check and be discarded, leading to a connection
+ timeout. This is because the SYN retransmit does not contain data
+ payload so
+
+ end == initial sequence number (isn) + 1
+ sender->td_end == isn + syn_data_len
+ receiver->td_maxwin == 0
+
+ The fix is to only apply this check after td_maxwin is initialized.
+
+ Reported-by: Michael Chan <mcfchan@stanford.edu>
+ Signed-off-by: Yuchung Cheng <ycheng@google.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 1 12:36:57 2013 +0300
+
+ Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
+
+ netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
+
+ These structs have a "_pad" member. Also the "phw" structs have an 8
+ byte "hw_addr[]" array but sometimes only the first 6 bytes are
+ initialized.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_log.c | 6 +++++-
+ net/netfilter/nfnetlink_queue_core.c | 5 ++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Jul 25 10:46:46 2013 +0200
+
+ Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
+
+ netfilter: xt_TCPOPTSTRIP: fix possible off by one access
+
+ Fix a possible off by one access since optlen()
+ touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
+
+ This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
+ that stores the TCP header length, to save some cycles.
+
+ Reported-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++----
+ 1 files changed, 6 insertions(+), 4 deletions(-)
+
+commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Jul 25 10:37:49 2013 +0200
+
+ Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
+
+ netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
+
+ Make sure the packet has enough room for the TCP header and
+ that it is not malformed.
+
+ While at it, store tcph->doff*4 in a variable, as it is used
+ several times.
+
+ This patch also fixes a possible off by one in case of malformed
+ TCP options.
+
+ Reported-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
+ 1 files changed, 16 insertions(+), 12 deletions(-)
+
+commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
+Author: Dave Jones <davej@redhat.com>
+Date: Fri Aug 9 11:16:34 2013 -0700
+
+ Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
+
+ 8139cp: Fix skb leak in rx_status_loop failure path.
+
+ Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
+ ("8139cp: Add dma_mapping_error checking")
+
+ Signed-off-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/realtek/8139cp.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 227b279491a0bbcc70ca3654f34903282c378600
+Author: Timo Teräs <timo.teras@iki.fi>
+Date: Tue Aug 6 13:45:43 2013 +0300
+
+ Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
+
+ ip_gre: fix ipgre_header to return correct offset
+
+ Fix ipgre_header() (header_ops->create) to return the correct
+ amount of bytes pushed. Most callers of dev_hard_header() seem
+ to care only if it was success, but af_packet.c uses it as
+ offset to the skb to copy from userspace only once. In practice
+ this fixes packet socket sendto()/sendmsg() to gre tunnels.
+
+ Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
+ ("GRE: Refactor GRE tunneling code.")
+
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_gre.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon Aug 5 11:18:49 2013 -0700
+
+ Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
+
+ fib_trie: remove potential out of bound access
+
+ AddressSanitizer [1] dynamic checker pointed a potential
+ out of bound access in leaf_walk_rcu()
+
+ We could allocate one more slot in tnode_new() to leave the prefetch()
+ in-place but it looks not worth the pain.
+
+ Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
+
+ [1] :
+ https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
+
+ Reported-by: Andrey Konovalov <andreyknvl@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/fib_trie.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon Aug 5 12:49:35 2013 +0200
+
+ Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
+
+ net: esp{4,6}: fix potential MTU calculation overflows
+
+ Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
+ size calculation") introduced a possible interger overflow in
+ esp{4,6}_get_mtu() handlers in case of x->props.mode equals
+ XFRM_MODE_TUNNEL. Thus, the following expression will overflow
+
+ unsigned int net_adj;
+ ...
+ <case ipv{4,6} XFRM_MODE_TUNNEL>
+ net_adj = 0;
+ ...
+ return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
+ net_adj) & ~(align - 1)) + (net_adj - 2);
+
+ where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
+ context. Fix it by simply removing brackets as those operations here
+ do not need to have special precedence.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Benjamin Poirier <bpoirier@suse.de>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Acked-by: Benjamin Poirier <bpoirier@suse.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/esp4.c | 2 +-
+ net/ipv6/esp6.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit f02bce292d1c2fe610be509c96593e70b3de387b
+Author: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Mon Aug 5 16:47:38 2013 +0200
+
+ Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
+
+ net/vmw_vsock/af_vsock.c: drop unneeded semicolon
+
+ Drop the semicolon at the end of the list_for_each_entry loop header.
+
+ Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
+Author: Tiger Yang <tiger.yang@oracle.com>
+Date: Tue Aug 13 16:00:58 2013 -0700
+
+ Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
+
+ ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
+
+ Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
+ the struct file pointer, it finally result in a null pointer dereference
+ in ocfs2_duplicate_clusters_by_page.
+
+ This patch replace file pointer with inode pointer in
+ cow_duplicate_clusters to fix this issue.
+
+ [jeff.liu@oracle.com: rebased patch against linux-next tree]
+ Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
+ Signed-off-by: Jie Liu <jeff.liu@oracle.com>
+ Cc: Joel Becker <jlbec@evilplan.org>
+ Cc: Mark Fasheh <mfasheh@suse.com>
+ Acked-by: Tao Ma <tm@tao.ma>
+ Tested-by: David Weber <wb@munzinger.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/ocfs2/aops.c | 2 +-
+ fs/ocfs2/file.c | 6 ++--
+ fs/ocfs2/move_extents.c | 2 +-
+ fs/ocfs2/refcounttree.c | 53 +++++++---------------------------------------
+ fs/ocfs2/refcounttree.h | 6 ++--
+ 5 files changed, 16 insertions(+), 53 deletions(-)
+
+commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 15 15:52:57 2013 +0300
+
+ Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
+
+ tun: signedness bug in tun_get_user()
+
+ The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
+ not totally correct. Because "len" and "sizeof()" are size_t type, that
+ means they are never less than zero.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 26ad267ddda451919357965a0cf271ca24d1bcf2
+Author: Weiping Pan <wpan@redhat.com>
+Date: Tue Aug 13 21:46:56 2013 +0800
+
+ Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
+
+ tun: compare with 0 instead of total_len
+
+ Since we set "len = total_len" in the beginning of tun_get_user(),
+ so we should compare the new len with 0, instead of total_len,
+ or the if statement always returns false.
+
+ Signed-off-by: Weiping Pan <wpan@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
+Author: Guenter Roeck <linux@roeck-us.net>
+Date: Fri Aug 16 20:50:55 2013 -0700
+
+ Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
+
+ s390: Fix broken build
+
+ Fix this build error:
+
+ In file included from fs/exec.c:61:0:
+ arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
+ arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
+ arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
+ arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
+
+ Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
+ invalidation corner cases").
+
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+ [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/s390/include/asm/tlb.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4e57312c2de2a25ddb181d129dafbc0251062c33
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu Aug 15 11:42:25 2013 -0700
+
+ Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
+
+ Fix TLB gather virtual address range invalidation corner cases
+
+ Ben Tebulin reported:
+
+ "Since v3.7.2 on two independent machines a very specific Git
+ repository fails in 9/10 cases on git-fsck due to an SHA1/memory
+ failures. This only occurs on a very specific repository and can be
+ reproduced stably on two independent laptops. Git mailing list ran
+ out of ideas and for me this looks like some very exotic kernel issue"
+
+ and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
+ limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
+
+ That commit itself is not actually buggy, but what it does is to make it
+ much more likely to hit the partial TLB invalidation case, since it
+ introduces a new case in tlb_next_batch() that previously only ever
+ happened when running out of memory.
+
+ The real bug is that the TLB gather virtual memory range setup is subtly
+ buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
+ enable tlb flush range in generic mmu_gather"), and the range handling
+ was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
+ range flushed when __tlb_remove_page() runs out of slots"), but that fix
+ was not complete.
+
+ The problem with the TLB gather virtual address range is that it isn't
+ set up by the initial tlb_gather_mmu() initialization (which didn't get
+ the TLB range information), but it is set up ad-hoc later by the
+ functions that actually flush the TLB. And so any such case that forgot
+ to update the TLB range entries would potentially miss TLB invalidates.
+
+ Rather than try to figure out exactly which particular ad-hoc range
+ setup was missing (I personally suspect it's the hugetlb case in
+ zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
+ did), this patch just gets rid of the problem at the source: make the
+ TLB range information available to tlb_gather_mmu(), and initialize it
+ when initializing all the other tlb gather fields.
+
+ This makes the patch larger, but conceptually much simpler. And the end
+ result is much more understandable; even if you want to play games with
+ partial ranges when invalidating the TLB contents in chunks, now the
+ range information is always there, and anybody who doesn't want to
+ bother with it won't introduce subtle bugs.
+
+ Ben verified that this fixes his problem.
+
+ Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
+ Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
+ Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
+ Reviewed-by: Michal Hocko <mhocko@suse.cz>
+ Acked-by: Peter Zijlstra <peterz@infradead.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/arm/include/asm/tlb.h | 7 +++++--
+ arch/arm64/include/asm/tlb.h | 7 +++++--
+ arch/ia64/include/asm/tlb.h | 9 ++++++---
+ arch/s390/include/asm/tlb.h | 8 ++++++--
+ arch/sh/include/asm/tlb.h | 6 ++++--
+ arch/um/include/asm/tlb.h | 6 ++++--
+ fs/exec.c | 4 ++--
+ include/asm-generic/tlb.h | 2 +-
+ mm/hugetlb.c | 2 +-
+ mm/memory.c | 36 +++++++++++++++++++++---------------
+ mm/mmap.c | 4 ++--
+ 11 files changed, 57 insertions(+), 34 deletions(-)
+
+commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
+Merge: 5568c80 ffceabf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 09:11:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ffceabfcc65c60109ba5fca694d78d4dc7047809
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 09:10:44 2013 -0400
+
+ Update to pax-linux-3.10.7-test11.patch:
+ - simplified some arm code
+ - disabled preemption when calling show_regs, reported by Corey Minyard
+ - added PCID based support for UDEREF on amd64 (blog will have more details)
+ - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
+ - nopcid turns it off
+ - by default a strong form of UDEREF is used under PCID
+ - pax_weakuderef switches to the older, less secure UDEREF
+ - fixed several bugs that would also have manifested under SMAP
+ - INVPCID is used when available (Haswell)
+ - added a few more return insn instrumentation in new amd64 crypto code
+
+ Documentation/kernel-parameters.txt | 7 +
+ arch/arm/include/asm/uaccess.h | 3 +
+ arch/x86/crypto/blowfish-avx2-asm_64.S | 6 +
+ arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++
+ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
+ arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++
+ arch/x86/crypto/sha256-avx-asm.S | 2 +
+ arch/x86/crypto/sha256-avx2-asm.S | 2 +
+ arch/x86/crypto/sha256-ssse3-asm.S | 2 +
+ arch/x86/crypto/sha512-avx-asm.S | 2 +
+ arch/x86/crypto/sha512-avx2-asm.S | 2 +
+ arch/x86/crypto/sha512-ssse3-asm.S | 2 +
+ arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++
+ arch/x86/ia32/ia32_signal.c | 2 +-
+ arch/x86/ia32/ia32entry.S | 24 ++++-
+ arch/x86/include/asm/cpufeature.h | 3 +-
+ arch/x86/include/asm/fpu-internal.h | 2 +
+ arch/x86/include/asm/futex.h | 4 +
+ arch/x86/include/asm/mmu_context.h | 80 +++++++++++---
+ arch/x86/include/asm/pgtable.h | 10 +-
+ arch/x86/include/asm/processor.h | 15 +++-
+ arch/x86/include/asm/segment.h | 5 +-
+ arch/x86/include/asm/smap.h | 64 +++++++++++-
+ arch/x86/include/asm/tlbflush.h | 63 +++++++++--
+ arch/x86/include/asm/uaccess.h | 18 +++-
+ arch/x86/include/asm/xsave.h | 4 +
+ arch/x86/kernel/cpu/common.c | 38 +++++++
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++---
+ arch/x86/kernel/head_32.S | 2 +-
+ arch/x86/kernel/head_64.S | 8 +-
+ arch/x86/kernel/process_64.c | 5 +
+ arch/x86/kernel/setup.c | 8 +-
+ arch/x86/kernel/signal.c | 4 +-
+ arch/x86/kernel/smpboot.c | 15 ++-
+ arch/x86/lib/copy_user_64.S | 50 +--------
+ arch/x86/lib/copy_user_nocache_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 11 ++-
+ arch/x86/lib/memcpy_64.S | 4 +-
+ arch/x86/lib/memmove_64.S | 2 +-
+ arch/x86/lib/memset_64.S | 4 +-
+ arch/x86/lib/usercopy_64.c | 5 +-
+ arch/x86/mm/Makefile | 4 +
+ arch/x86/mm/fault.c | 29 ++++--
+ arch/x86/mm/init.c | 7 +-
+ arch/x86/mm/init_64.c | 9 ++-
+ arch/x86/mm/pageattr.c | 2 +-
+ arch/x86/mm/pgtable.c | 3 +
+ arch/x86/platform/efi/efi_32.c | 2 +-
+ arch/x86/platform/efi/efi_64.c | 2 +-
+ arch/x86/realmode/rm/trampoline_64.S | 1 +
+ fs/exec.c | 2 +
+ include/asm-generic/uaccess.h | 8 ++
+ include/linux/compat.h | 1 +
+ include/linux/preempt.h | 19 +++
+ include/linux/signal.h | 1 +
+ include/linux/smp.h | 2 +
+ init/main.c | 14 ++-
+ kernel/signal.c | 16 +++
+ security/Kconfig | 5 +
+ tools/lib/lk/Makefile | 2 +-
+ tools/perf/Makefile | 2 +-
+ 64 files changed, 673 insertions(+), 136 deletions(-)
+
+commit 5568c8059e78d6d002815409df4e90c83b3b08a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 08:58:34 2013 -0400
+
+ Fix two harmless compiler warnings
+
+ arch/arm/kernel/process.c | 4 ++--
+ fs/exec.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:55:24 2013 -0400
+
+ Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b
+
+ arch/arm/kernel/perf_event.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 3637bc893b57a227b01852fe34685ab237285b10
+Author: Stephen Boyd <sboyd@codeaurora.org>
+Date: Wed Aug 7 16:18:08 2013 -0700
+
+ Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
+
+ perf/arm: Fix armpmu_map_hw_event()
+
+ Fix constraint check in armpmu_map_hw_event().
+
+ Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/arm/kernel/perf_event.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 11802e1f961a088c39af58d1c1b14d861eedfb35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:53:30 2013 -0400
+
+ More ARM backports
+
+ arch/arm/kernel/entry-armv.S | 3 ++-
+ arch/arm/kernel/fiq.c | 8 ++------
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:46:01 2013 -0400
+
+ Fix HIDESYM compatibility with kprobes, as reported by feandil at:
+ http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
+
+ include/linux/kallsyms.h | 2 +-
+ kernel/kprobes.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
+Author: yonghua zheng <younghua.zheng@gmail.com>
+Date: Tue Aug 13 16:01:03 2013 -0700
+
+ fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
+
+ Recently we met quite a lot of random kernel panic issues after enabling
+ CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
+ to do with following bug in pagemap:
+
+ In struct pagemapread:
+
+ struct pagemapread {
+ int pos, len;
+ pagemap_entry_t *buffer;
+ bool v2;
+ };
+
+ pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
+ buffer, it is a mistake to compare pos and len in add_page_map() for
+ checking buffer is full or not, and this can lead to buffer overflow and
+ random kernel panic issue.
+
+ Correct len to be total number of PM_ENTRY_BYTES in buffer.
+
+ [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
+ Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/task_mmu.c
+
+ fs/proc/task_mmu.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 0a3dac834746de241c10d4978bf61b4f146ba89d
+Merge: dc19474 e12de30
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 17:39:01 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 17:34:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test9.patch:
+ - Emese fixed a size overflow false positive reported by Sven Vermeulen
+ - fixed some arm compile problems reported by spender
+ - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
+ eventually we'll have full REFCOUNT support on mips
+
+ arch/arm/kernel/process.c | 5 ++-
+ arch/arm/mm/Kconfig | 2 +-
+ arch/arm/mm/fault.c | 3 ++
+ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++
+ mm/internal.h | 2 +-
+ 5 files changed, 65 insertions(+), 4 deletions(-)
+
+commit dc19474d0ea6ea3c939544ae5f906067b1784a10
+Merge: 51b78c0 82266f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 21:47:37 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 82266f90a3f87ab5017329fb539aebf94c42253a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 21:14:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test9.patch
+
+ arch/arm/kernel/process.c | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
+
+commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
+Merge: e32d904 cb77ead
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 20:53:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
+Merge: 13675b8 519be45
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 20:50:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test8.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit e32d904b87292288e74e2637b900fd1115687b8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 10 09:41:40 2013 -0400
+
+ propagate the threadstack offset through to the topdown/bottomup allocators
+ on sparc64 hugepages
+
+ arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Thu Aug 8 18:55:32 2013 +0200
+
+ Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
+
+ another local DoS found in reaction to the one I reported,
+ we don't allow unpriv user ns use so this doesn't matter much to us
+
+ userns: limit the maximum depth of user_namespace->parent chain
+
+ Ensure that user_namespace->parent chain can't grow too much.
+ Currently we use the hardroded 32 as limit.
+
+ Reported-by: Andy Lutomirski <luto@amacapital.net>
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/user_namespace.h | 1 +
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 223ac007ef18bf3a5095ba0a56675c1f16200149
+Merge: 1c92de4 13675b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 8 20:45:24 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 13675b848cf02bffd26924b2b84d927095bc253d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 8 20:43:52 2013 -0400
+
+ Update to pax-linux-3.10.5-test8.patch:
+ - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
+ - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
+ - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>
+
+ arch/arm/include/asm/pgtable-2level.h | 4 +++-
+ arch/arm/mm/proc-v7-2level.S | 3 ---
+ arch/mips/mm/fault.c | 8 ++++++++
+ arch/x86/include/asm/processor.h | 3 ++-
+ include/linux/math64.h | 2 +-
+ security/Kconfig | 2 --
+ 6 files changed, 14 insertions(+), 8 deletions(-)
+
+commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
+Merge: e65aa3d 1660f49
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 18:50:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1660f496848b8400d263f7920989dae15e72185a
+Merge: 7f91ba1 dc51cd2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 18:50:12 2013 -0400
+
+ Update to pax-linux-3.10.5-test7.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/head_64.S
+ mm/mempolicy.c
+
+commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:58:42 2013 -0400
+
+ Disable RANDKSTACK for a VirtualBox host as mentioned on the
+ gentoo-hardened bugzilla:
+ https://bugs.gentoo.org/show_bug.cgi?id=382793
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jul 30 13:23:39 2013 +0300
+
+ Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
+
+ net_sched: info leak in atm_tc_dump_class()
+
+ The "pvc" struct has a hole after pvc.sap_family which is not cleared.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sched/sch_atm.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri Aug 2 11:32:43 2013 +0200
+
+ Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
+
+ net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
+
+ Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
+ resource that was allocated via inet_alloc_ifa() unfreed when returning
+ the function with -EINVAL. Thus, free it first via inet_free_ifa().
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/devinet.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
+Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
+Date: Fri Aug 2 23:15:56 2013 -0400
+
+ Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
+
+ qlcnic: Free up memory in error path.
+
+ Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
+ Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
+Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
+Date: Fri Aug 2 23:15:54 2013 -0400
+
+ Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
+
+ qlcnic: Fix MAC address filter issue on 82xx adapter
+
+ Driver was passing the address of a pointer instead of
+ the pointer itself.
+
+ Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:26:40 2013 -0400
+
+ Move user namespace capability check to shared create_user_ns code so we
+ cover unshare() as well.
+
+ Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
+ user namespaces!
+
+ kernel/fork.c | 17 -----------------
+ kernel/user_namespace.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 22 insertions(+), 19 deletions(-)
+
+commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 16:05:41 2013 -0400
+
+ silence a warning on older gcc
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b8966a5d577e9220fbc63306eee978f819f24e2e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 3 08:31:08 2013 -0400
+
+ we only care about mmaps of the beginning of an ELF, filter out
+ all others as suggested by pipacs
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:54:51 2013 -0400
+
+ add include
+
+ grsecurity/grsec_log.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:49:13 2013 -0400
+
+ fix compilation
+
+ include/linux/grinternal.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1704c23fdc55b68f512dc9927940e72237f3f43e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:34:35 2013 -0400
+
+ Improve PaX reporting (tells when anon mapping is stack or heap)
+ Remove textrel logging option, combine into rwx logging option
+ Enhance RWX logging option to display when PT_GNU_STACK-enabled library
+ is loaded under an MPROTECTed binary
+ Enhance RWX mprotect logging to display stack/heap instead of just
+ anon mapping
+
+ fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
+ fs/exec.c | 4 ++++
+ grsecurity/Kconfig | 21 +++++----------------
+ grsecurity/grsec_init.c | 4 ----
+ grsecurity/grsec_log.c | 14 ++++++++++++++
+ grsecurity/grsec_pax.c | 19 ++++++++++++++-----
+ grsecurity/grsec_sysctl.c | 9 ---------
+ include/linux/binfmts.h | 1 +
+ include/linux/grinternal.h | 2 +-
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 3 ++-
+ mm/mmap.c | 7 +++++++
+ mm/mprotect.c | 2 +-
+ 13 files changed, 88 insertions(+), 38 deletions(-)
+
+commit faf81c100c8565524e21c9af780a0ad2ce3fd925
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:52:02 2013 -0400
+
+ add missing #define
+
+ grsecurity/gracl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:43:53 2013 -0400
+
+ fix compilation for !COMPAT as reported on the forums
+
+ grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
+ 1 files changed, 97 insertions(+), 98 deletions(-)
+
+commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
+Merge: 65019c9 7f91ba1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 65019c9bd05f860437071cbf00e2027fd2d68615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:20 2013 -0400
+
+ Revert "revert recent PaX change that causes boot failures with 32bit userland"
+
+ This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:46:00 2013 -0400
+
+ Update to pax-linux-3.10.4-test7.patch:
+ - added a few more missing format strings
+ - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
+ - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
+ - fixed a UDEREF/i386 regression, __get_user_8 would always fail
+
+ arch/x86/include/asm/processor.h | 4 +-
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/dumpstack.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/reboot_fixups_32.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/lib/getuser.S | 4 +-
+ arch/x86/xen/smp.c | 2 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++--
+ drivers/video/backlight/backlight.c | 2 +-
+ drivers/video/backlight/lcd.c | 2 +-
+ fs/binfmt_elf.c | 51 +++++++++++++++++++++++++---
+ fs/exec.c | 50 +++++++++++++--------------
+ include/linux/sched.h | 2 +
+ 14 files changed, 88 insertions(+), 47 deletions(-)
+
+commit 043130da54cb7cc8dc44e0ce889d426e889a0532
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 16:26:58 2013 -0400
+
+ compile fix for !COMPAT as mentioned on forums
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ed0a195abd4e41c2449a020a53a19c74dc866d78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:33:14 2013 -0400
+
+ perform compat conversion of rlimit infinity
+
+ grsecurity/gracl_compat.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:21:40 2013 -0400
+
+ remove debugging
+
+ grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
+ 1 files changed, 11 insertions(+), 33 deletions(-)
+
+commit e75b3f504692b97960a7530ad0855d91441d79c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:20:32 2013 -0400
+
+ eliminate compat_dev_t
+
+ include/linux/gracl_compat.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit e5abbaf95313066a724e1a843d4fc902a9a6450e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:13:22 2013 -0400
+
+ fix compat rlimit size
+
+ grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
+ include/linux/gracl_compat.h | 4 +-
+ 2 files changed, 49 insertions(+), 23 deletions(-)
+
+commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:20:18 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:14:29 2013 -0400
+
+ copy correct pointer size in new compat code
+
+ grsecurity/gracl.c | 8 ++++----
+ grsecurity/gracl_compat.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 23278a1ee1c7738dd1e7005241394d32b82196e4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:48:58 2013 -0400
+
+ revert recent PaX change that causes boot failures with 32bit userland
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit ec27f71a813656fea8ab37faecb2b485fe99d08e
+Merge: 3a11bcf 05f0a61
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:42:21 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:41:44 2013 -0400
+
+ Update to pax-linux-3.10.4-test6.patch:
+ - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender
+
+ include/linux/syscalls.h | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:15:50 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl_compat.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:12:46 2013 -0400
+
+ remove BUILD_BUG_ONs
+
+ grsecurity/gracl_compat.c | 20 --------------------
+ 1 files changed, 0 insertions(+), 20 deletions(-)
+
+commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:18:36 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl_compat.c | 8 ++++----
+ include/linux/gracl_compat.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 8b744005f8bae565e24c1fd88af77e6e619b9434
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:16:42 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_compat.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:13:51 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit b93b829afcc98b6108b18d99ff63c53642d0b951
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:11:03 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl_compat.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:08:21 2013 -0400
+
+ more compile fixes
+
+ grsecurity/gracl.c | 28 ++++++++++++++--------------
+ 1 files changed, 14 insertions(+), 14 deletions(-)
+
+commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:59:50 2013 -0400
+
+ more compile fixes
+
+ grsecurity/gracl.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:56:47 2013 -0400
+
+ additional compile fixes
+
+ grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 files changed, 49 insertions(+), 10 deletions(-)
+
+commit ac695a081d1124fb28bec46814535d34c5e40611
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:47:15 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:46:59 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 14 deletions(-)
+
+commit 82631f451cc7432b6c5578cf8d24155473feb25c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:22:44 2013 -0400
+
+ Initial commit of compat RBAC loading
+ Permits 32bit gradm to load policy for a 64bit kernel
+
+ Also removed code duplication for copying strings into the kernel
+
+ Work performed as part of sponsorship
+
+ grsecurity/Makefile | 4 +
+ grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
+ grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
+ include/linux/gracl_compat.h | 156 +++++++++++++++++++++
+ 4 files changed, 603 insertions(+), 142 deletions(-)
+
+commit 84c4a433dfb096e4a1162ee5e68025122c70b421
+Merge: c9d3ed3 9fe5897
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 17:08:56 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9fe58978938e357642885866ca48090a7753d403
+Merge: 8f693ad 6f7bb6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 17:08:43 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
+Merge: d5e5bfd 8f693ad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 28 10:03:08 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8f693ade9b3e448f92706d34148b00a087637f70
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 28 10:02:16 2013 -0400
+
+ Update to pax-linux-3.10.3-test5.patch:
+ - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
+ - fixed handling of faulting userland accesses for UDEREF/arm, from spender
+ - updated the size overflow hash table, from Emese
+
+ arch/arm/kernel/entry-armv.S | 3 +-
+ arch/x86/include/asm/processor.h | 4 +-
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++----
+ 7 files changed, 513 insertions(+), 55 deletions(-)
+
+commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
+Merge: 19e077b 8a8a0d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 21:05:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 21:04:09 2013 -0400
+
+ Update to pax-linux-3.10.3-test4.patch:
+ - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
+ this is finer grained sanitization than the existing per-page based approach (which
+ is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
+ line option can be used to enable/disable it on boot (it's enabled by default when
+ CONFIG_PAX_MEMORY_SANITIZE is enabled).
+
+ Documentation/kernel-parameters.txt | 4 ++++
+ fs/buffer.c | 2 +-
+ fs/dcache.c | 3 ++-
+ include/linux/slab.h | 7 +++++++
+ include/linux/slab_def.h | 4 ++++
+ kernel/fork.c | 2 +-
+ mm/rmap.c | 6 ++++--
+ mm/slab.c | 27 +++++++++++++++++++++++++++
+ mm/slab.h | 12 +++++++++++-
+ mm/slab_common.c | 14 ++++++++++++++
+ mm/slob.c | 5 +++++
+ mm/slub.c | 11 +++++++++++
+ net/core/skbuff.c | 6 ++++--
+ security/Kconfig | 23 +++++++++++++++++------
+ 14 files changed, 112 insertions(+), 14 deletions(-)
+
+commit 19e077bfff54ca211d0142c07cb6dd88069a390c
+Merge: 960ec51 c8f7f51
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 19:53:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c8f7f51591207b82530214300e86277028919286
+Merge: d5142e3 81a4648
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 19:52:29 2013 -0400
+
+ Update to pax-linux-3.10.3-test3.patch:
+ - fixed some compile issues reported by Michael Tremer and spender
+ - fixed an i386 regression with the lower address space gap on i386, reported by cnu
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ kernel/time/tick-broadcast.c
+
+commit 960ec51ab2142544fbae563d4fd5744775408965
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Jul 20 03:13:55 2013 +0400
+
+ Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
+
+ livelock avoidance in sget()
+
+ Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
+ to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive,
+ ->s_active is 1. Along comes two more processes, trying to mount the same
+ thing; sget() in each is picking that superblock, bumping ->s_count and
+ trying to grab ->s_umount. ->s_active is 3 now. Original mount(2)
+ finally gets to deactivate_locked_super() on failure; ->s_active is 2,
+ superblock is still ->fs_supers because shutdown will *not* happen until
+ ->s_active hits 0. ->s_umount is dropped and now we have two processes
+ chasing each other:
+ s_active = 2, A acquired ->s_umount, B blocked
+ A sees that the damn thing is stillborn, does deactivate_locked_super()
+ s_active = 1, A drops ->s_umount, B gets it
+ A restarts the search and finds the same superblock. And bumps it ->s_active.
+ s_active = 2, B holds ->s_umount, A blocked on trying to get it
+ ... and we are in the earlier situation with A and B switched places.
+
+ The root cause, of course, is that ->s_active should not grow until we'd
+ got MS_BORN. Then failing ->mount() will have deactivate_locked_super()
+ shut the damn thing down. Fortunately, it's easy to do - the key point
+ is that grab_super() is called only for superblocks currently on ->fs_supers,
+ so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
+ bump ->s_active; we must never increment ->s_count for superblocks past
+ ->kill_sb(), but grab_super() is never called for those.
+
+ The bug is pretty old; we would've caught it by now, if not for accidental
+ exclusion between sget() for block filesystems; the things like cgroup or
+ e.g. mtd-based filesystems don't have anything of that sort, so they get
+ bitten. The right way to deal with that is obviously to fix sget()...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/super.c | 25 ++++++++++---------------
+ 1 files changed, 10 insertions(+), 15 deletions(-)
+
+commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
+Merge: ab95b58 d5142e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:47:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
+Merge: f36ae8c 0f4a56e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:47:34 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit ab95b5842899d61ff5c30f4582e72029b3155be8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:28:40 2013 -0400
+
+ compile fix with constification reported by Michael Tremer
+
+ drivers/gpu/host1x/drm/dc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 817cd2d1e7a55720326599dd8f542578eef30927
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Jul 12 23:46:33 2013 +0200
+
+ Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
+
+ ipv6: only static routes qualify for equal cost multipathing
+
+ Static routes in this case are non-expiring routes which did not get
+ configured by autoconf or by icmpv6 redirects.
+
+ To make sure we actually get an ecmp route while searching for the first
+ one in this fib6_node's leafs, also make sure it matches the ecmp route
+ assumptions.
+
+ v2:
+ a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
+ already ensures that this route, even if added again without
+ RTF_EXPIRES (in case of a RA announcement with infinite timeout),
+ does not cause the rt6i_nsiblings logic to go wrong if a later RA
+ updates the expiration time later.
+
+ v3:
+ a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
+ because an pmtu event could update the RTF_EXPIRES flag and we would
+ not count this route, if another route joins this set. We now filter
+ only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
+ don't get changed after rt6_info construction.
+
+ Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_fib.c | 15 +++++++++++----
+ 1 files changed, 11 insertions(+), 4 deletions(-)
+
+commit 77db8196d51b043e2e2d124094da101b0f01bccb
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Jul 12 09:39:03 2013 +0300
+
+ Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
+
+ svcrdma: underflow issue in decode_write_list()
+
+ My static checker marks everything from ntohl() as untrusted and it
+ complains we could have an underflow problem doing:
+
+ return (u32 *)&ary->wc_array[nchunks];
+
+ Also on 32 bit systems the upper bound check could overflow.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
+ 1 files changed, 14 insertions(+), 6 deletions(-)
+
+commit 926473317fd7953137ef97835edd36dabc584b01
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 17 21:29:02 2013 -0400
+
+ add missing asm/pgtable.h include, reported by Michael Tremer
+
+ drivers/clk/socfpga/clk.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c592ae0001b31932ef1491784dfa374058797c66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 16 20:40:24 2013 -0400
+
+ allow viewing of ecryptfs version under SYSFS_RESTRICT
+
+ fs/sysfs/dir.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
+Merge: 9c96441 f36ae8c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:23:13 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f36ae8c741ae32b1caff10825be12c327792c925
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:22:15 2013 -0400
+
+ Update to pax-linux-3.10-test2.patch:
+ - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
+ - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
+ - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
+ - spender fixed an madvise regression, reported by Peter Keel
+ - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
+ - fixed a headers_install regression, reported by Mathias Krause
+ - fixed a SLOB compile regression, reported by Mathias Krause
+
+ arch/arm/include/asm/uaccess.h | 4 ++--
+ arch/arm/mm/mmu.c | 15 +++++++++++++--
+ drivers/clk/socfpga/clk.c | 6 ++++--
+ mm/madvise.c | 4 ++--
+ mm/slab.c | 4 ++--
+ mm/slob.c | 4 ++--
+ scripts/headers_install.sh | 2 +-
+ 7 files changed, 26 insertions(+), 13 deletions(-)
+
+commit 9c9644156a49637050741d9165df79174e59b0ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:19:54 2013 -0400
+
+ Fix sparc64 compilation, reported by Blake Self
+
+ arch/sparc/kernel/sys_sparc_64.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:49:17 2013 -0400
+
+ Update PaX fix, just return the error
+
+ mm/madvise.c | 15 +++++++--------
+ 1 files changed, 7 insertions(+), 8 deletions(-)
+
+commit a10e377d0eddd37e8a3665b135e546ab03d9d171
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:36:00 2013 -0400
+
+ Fix madvise oops reported by Peter Keel
+
+ mm/madvise.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+commit 08c5adca34d408772255b313f90d82c250c1d967
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:26:34 2013 -0400
+
+ don't make high vector mapping non-present on old ARM architectures, no
+ point in emulating some vector entries when the processor doesn't even support XN
+
+ arch/arm/mm/mmu.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 2b40781d4197a89a003616af584884e36361c5b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 09:51:58 2013 -0400
+
+ Temporary compile fix for code incorrectly modifying const data
+ Wrap a cast version of the code with open/close
+
+ Thanks to Michael Tremer for the report
+
+ drivers/clk/socfpga/clk.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit a8258c1b4098c396cd4ea719e20858182feac1c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 09:41:16 2013 -0400
+
+ Fix missing right parens in pipacs' "improvement" of my ARM code ;)
+ Thanks to Michael Tremer for reporting
+
+ arch/arm/include/asm/uaccess.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
+Merge: 86f446e 2577f8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jul 13 20:46:58 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ mm/memcontrol.c
+
+commit 2577f8e4ec41efb347706a59c6838de20f0c90da
+Merge: 75a36f0 cb5d8be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jul 13 20:43:42 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ crypto/algapi.c
+ drivers/block/nbd.c
+
+commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jul 12 23:02:11 2013 -0400
+
+ we always want the vector page to be noaccess for userland
+ therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
+ which turns into supervisor rwx, userland rx, we instead omit that entirely,
+ leaving it as supervisor rwx only
+
+ Fixes booting on ARMv5 and earlier, which need to write directly
+ to the high vector mapping via set_tls when context switching
+
+ Thanks to Michael Tremer for the bugreport
+
+ arch/arm/mm/mmu.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit 90cd0827eef656ec884f19c977873fefe2f2e47d
+Author: Cong Wang <amwang@redhat.com>
+Date: Sat Jun 29 12:02:59 2013 +0800
+
+ Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
+
+ gre: fix a regression in ioctl
+
+ When testing GRE tunnel, I got:
+
+ # ip tunnel show
+ get tunnel gre0 failed: Invalid argument
+ get tunnel gre1 failed: Invalid argument
+
+ This is a regression introduced by commit c54419321455631079c7d
+ ("GRE: Refactor GRE tunneling code.") because previously we
+ only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
+ after that commit, the check is moved for all commands.
+
+ So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
+
+ After this patch I got:
+
+ # ip tunnel show
+ gre0: gre/ip remote any local any ttl inherit nopmtudisc
+ gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit
+
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_gre.c | 9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
+Author: Cong Wang <amwang@redhat.com>
+Date: Sat Jun 29 13:00:57 2013 +0800
+
+ Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
+
+ vti: remove duplicated code to fix a memory leak
+
+ vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
+ and in vti_tunnel_init(), this lead to a memory leak of
+ dev->tstats.
+
+ Just remove the duplicated operations in vti_fb_tunnel_init().
+
+ (candidate for -stable)
+
+ Cc: Stephen Hemminger <stephen@networkplumber.org>
+ Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_vti.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:05 2013 +0200
+
+ Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
+
+ bnx2x: remove zeroing of dump data buffer
+
+ There is no need to initialize the dump data with zeros.
+ data is allocated with vzalloc, so it's already zero-filled.
+
+ More importantly, the memset is harmful, because dump->len (the length
+ requested by userspace) can be bigger than the allocated buffer (whose
+ size is determined by asking the driver's .get_dump_flag method).
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit c771072b72c261f9bddd6734dca6979c1b96e7df
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:06 2013 +0200
+
+ Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
+
+ bnx2x: fix dump flag handling
+
+ bnx2x interprets the dump flag as an index of a register preset.
+ It is important to validate the index to avoid out of bounds
+ memory accesses.
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+commit aed315c8fad9b2044143b46b239574b1b72135ce
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:30 2013 +0200
+
+ Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
+
+ ethtool: make .get_dump_data() harder to misuse by drivers
+
+ As the patch "bnx2x: remove zeroing of dump data buffer" showed,
+ it is too easy implement .get_dump_data incorrectly in a driver.
+
+ Let's make sure drivers cannot get confused by userspace requesting
+ a too big dump.
+
+ Also WARN if the driver sets dump->len to something weird and make
+ sure the length reported to userspace is the actual length of data
+ copied to userspace.
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/ethtool.c | 21 ++++++++++++++++++++-
+ 1 files changed, 20 insertions(+), 1 deletions(-)
+
+commit 5c57991e66216e386dcc875d34c33f0edd038569
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Jul 2 09:02:07 2013 +0800
+
+ Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
+
+ l2tp: add missing .owner to struct pppox_proto
+
+ Add missing .owner of struct pppox_proto. This prevents the
+ module from being removed from underneath its users.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
+Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Sun Jun 30 14:37:11 2013 +1000
+
+ Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
+
+ cxgb3: Missing rtnl lock in error recovery
+
+ When exercising error injection on IBM pseries machine, I hit the
+ following warning:
+
+ [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
+ [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
+ [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
+ [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031)
+ [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
+ [ 254.895474] Call Trace:
+ [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
+ [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
+ [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
+ [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
+ [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
+ [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
+ [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
+ [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
+ [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
+ [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
+ [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
+
+ It appears that t3_resume_ports() is called with the rtnl_lock held from
+ the fatal error task but not from the PCI error callbacks. This fixes it.
+
+ Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Jul 1 20:21:30 2013 +0200
+
+ Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
+
+ ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
+
+ We accidentally call down to ip6_push_pending_frames when uncorking
+ pending AF_INET data on a ipv6 socket. This results in the following
+ splat (from Dave Jones):
+
+ skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
+ ------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:126!
+ invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+ Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
+ +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
+ CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
+ task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
+ RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
+ RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
+ RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
+ RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
+ RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
+ R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
+ FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
+ Stack:
+ ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
+ ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
+ ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
+ Call Trace:
+ [<ffffffff8159a9aa>] skb_push+0x3a/0x40
+ [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
+ [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
+ [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
+ [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
+ [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
+ [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
+ [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
+ [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
+ [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
+ [<ffffffff816f5d54>] tracesys+0xdd/0xe2
+ Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
+ RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
+ RSP <ffff8801e6431de8>
+
+ This patch adds a check if the pending data is of address family AF_INET
+ and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
+ if that is the case.
+
+ This bug was found by Dave Jones with trinity.
+
+ (Also move the initialization of fl6 below the AF_INET check, even if
+ not strictly necessary.)
+
+ Cc: Dave Jones <davej@redhat.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/udp.h | 1 +
+ net/ipv4/udp.c | 3 ++-
+ net/ipv6/udp.c | 7 ++++++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+commit cd83094a85d9bbd5a67332156407d53cf8835432
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Jul 2 08:04:05 2013 +0200
+
+ Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
+
+ ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
+
+ If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
+ of this when appending the second frame on a corked socket. This results
+ in the following splat:
+
+ [37598.993962] ------------[ cut here ]------------
+ [37598.994008] kernel BUG at net/core/skbuff.c:2064!
+ [37598.994008] invalid opcode: 0000 [#1] SMP
+ [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
+ +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
+ +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
+ [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
+ +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
+ [37598.994008] CPU 0
+ [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
+ [37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+ [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
+ [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
+ [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
+ [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
+ [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
+ [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
+ [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
+ [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
+ [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
+ [37598.994008] Stack:
+ [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
+ [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
+ [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
+ [37598.994008] Call Trace:
+ [37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
+ [37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
+ [37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
+ [37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
+ [37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
+ [37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
+ [37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
+ [37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
+ [37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
+ [37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
+ [37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
+ [37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
+ [37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
+ [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
+ [37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+ [37598.994008] RSP <ffff88003670da18>
+ [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
+
+ While there, also check if path mtu discovery is activated for this
+ socket. The logic was adapted from ip6_append_data when first writing
+ on the corked socket.
+
+ This bug was introduced with commit
+ 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
+ fragment").
+
+ v2:
+ a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
+ b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
+ feng, thanks!).
+ c) Change mtu to unsigned int, else we get a warning about
+ non-matching types because of the min()-macro type-check.
+
+ Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 16 ++++++++++------
+ 1 files changed, 10 insertions(+), 6 deletions(-)
+
+commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jul 7 14:26:53 2013 +0300
+
+ Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
+
+ vhost-net: fix use-after-free in vhost_net_flush
+
+ vhost_net_ubuf_put_and_wait has a confusing name:
+ it will actually also free it's argument.
+ Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
+ "vhost-net: flush outstanding DMAs on memory change"
+ vhost_net_flush tries to use the argument after passing it
+ to vhost_net_ubuf_put_and_wait, this results
+ in use after free.
+ To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
+ add an new API for callers that want to free ubufs.
+
+ Acked-by: Asias He <asias@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/vhost/net.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 088806db74ac2f08c106202bc5498585a9ee529f
+Author: Michal Hocko <mhocko@suse.cz>
+Date: Mon Jul 8 16:00:29 2013 -0700
+
+ Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
+
+ memcg, kmem: fix reference count handling on the error path
+
+ mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
+ This is not correct because only memcg_propagate_kmem takes an
+ additional reference while mem_cgroup_sockets_init is allowed to fail as
+ well (although no current implementation fails) but it doesn't take any
+ reference. This all suggests that it should be memcg_propagate_kmem
+ that should clean up after itself so this patch moves mem_cgroup_put
+ over there.
+
+ Unfortunately this is not that easy (as pointed out by Li Zefan) because
+ memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
+ marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
+ memcg_propagate_kmem fails so the additional reference is dropped in
+ that case in kmem_cgroup_destroy which means that the reference would be
+ dropped two times.
+
+ The easiest way then would be to simply remove mem_cgrroup_put from
+ mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
+ thing.
+
+ Signed-off-by: Michal Hocko <mhocko@suse.cz>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: Glauber Costa <glommer@openvz.org>
+ Cc: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: <stable@vger.kernel.org> [3.8]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/memcontrol.c | 8 --------
+ 1 files changed, 0 insertions(+), 8 deletions(-)
+
+commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
+Author: Michal Hocko <mhocko@suse.cz>
+Date: Mon Jul 8 16:00:27 2013 -0700
+
+ Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
+
+ Revert "memcg: avoid dangling reference count in creation failure"
+
+ This reverts commit e4715f01be697a.
+
+ mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
+ an additional reference from all parents so the additional
+ mem_cgrroup_put(parent) potentially causes use-after-free.
+
+ Signed-off-by: Michal Hocko <mhocko@suse.cz>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: Glauber Costa <glommer@openvz.org>
+ Cc: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: <stable@vger.kernel.org> [3.9+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/memcontrol.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit 3267ec559f48327a1836eccecd53215afc5810d0
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jun 20 13:13:59 2013 -0700
+
+ Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
+
+ libceph: Fix NULL pointer dereference in auth client code
+
+ A malicious monitor can craft an auth reply message that could cause a
+ NULL function pointer dereference in the client's kernel.
+
+ To prevent this, the auth_none protocol handler needs an empty
+ ceph_auth_client_ops->build_request() function.
+
+ CVE-2013-1059
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Chanam Park <chanam.park@hkpco.kr>
+ Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
+ Reviewed-by: Sage Weil <sage@inktank.com>
+ Cc: stable@vger.kernel.org
+
+ net/ceph/auth_none.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit cdfeb4049e7cb38702215b2c356ce0407974ac79
+Author: Eric Paris <eparis@redhat.com>
+Date: Wed Jul 3 15:08:29 2013 -0700
+
+ Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
+
+ fork: reorder permissions when violating number of processes limits
+
+ When a task is attempting to violate the RLIMIT_NPROC limit we have a
+ check to see if the task is sufficiently priviledged. The check first
+ looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
+
+ A result is that tasks which are allowed by the uid=0 check are first
+ checked against the security subsystem. This results in the security
+ subsystem auditting a denial for sys_admin and sys_resource and then the
+ task passing the uid=0 check.
+
+ This patch rearranges the code to first check uid=0, since if we pass that
+ we shouldn't hit the security system at all. We then check sys_resource,
+ since it is the smallest capability which will solve the problem. Lastly
+ we check the fallback everything cap_sysadmin. We don't want to give this
+ capability many places since it is so powerful.
+
+ This will eliminate many of the false positive/needless denial messages we
+ get when a root task tries to violate the nproc limit. (note that
+ kthreads count against root, so on a sufficiently large machine we can
+ actually get past the default limits before any userspace tasks are
+ launched.)
+
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/fork.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 08c87e049c8a50707908785d950fd48c334f4c09
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Sat Jun 22 13:26:09 2013 +0800
+
+ Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
+
+ arch: sparc: kernel: check the memory length before use strcpy().
+
+ For the related next strcpy(), the destination length is less than 512,
+ but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
+ more than 512.
+
+ One work flow may:
+ openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT)
+ getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'.
+ opromsetopt() -> devide the buffer into 'var' and 'value'
+ of_set_property() -> pass
+ prom_setprop() -> pass
+ ldom_set_var()
+
+ And do not mind the additional 4 alignment buffer increasing, since
+ 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/kernel/ds.c | 10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jul 12 20:38:45 2013 -0400
+
+ Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
+
+ Unlike slub, slab can initally create two of the kmalloc_caches
+ which will be used later for generic kmallocs of their particular
+ aligned size (since the later loop in the unified allocator code
+ skips any already-existing kmalloc_caches)
+
+ mm/slab.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 22:04:59 2013 -0400
+
+ compile fixes
+
+ fs/exec.c | 2 +-
+ mm/mmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit e2d027c7e0f106be683c0c72482b8285daefcbe6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:58:40 2013 -0400
+
+ commit successful merges
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 3 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/signal.c | 9 +-
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 9 +-
+ arch/x86/kernel/sys_x86_64.c | 8 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 1 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 129 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/block/cpqarray.c | 1 +
+ drivers/cdrom/cdrom.c | 4 +-
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/mwave/tp3780i.c | 1 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 9 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 184 ++-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/resize.c | 17 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 234 ++-
+ fs/namespace.c | 16 +
+ fs/notify/fanotify/fanotify_user.c | 1 +
+ fs/open.c | 38 +
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 ++-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 4 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/perf_event.h | 13 +-
+ include/linux/printk.h | 3 +-
+ include/linux/sched.h | 24 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/events/core.c | 14 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 64 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 2 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 7 +
+ kernel/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 70 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 1 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 63 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev_ioctl.c | 4 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 4 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netrom/af_netrom.c | 1 -
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 343 +++-
+ security/apparmor/Kconfig | 9 +
+ security/apparmor/apparmorfs.c | 231 ++
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 242 files changed, 4385 insertions(+), 2042 deletions(-)
+
+commit 043a378c0f72ed92cc30182c48abce39867ac93f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:57:40 2013 -0400
+
+ Commit merge of new files and rejected patches
+
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/powerpc/include/asm/thread_info.h | 7 +-
+ arch/powerpc/mm/slice.c | 2 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 15 +
+ fs/coredump.c | 1 +
+ fs/ext4/balloc.c | 4 +-
+ fs/namei.c | 7 +
+ fs/namespace.c | 8 +
+ fs/pipe.c | 2 +-
+ fs/proc/inode.c | 13 +
+ fs/proc/internal.h | 3 +
+ grsecurity/Kconfig | 1054 +++++++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 ++++
+ grsecurity/gracl_ip.c | 387 +++
+ grsecurity/gracl_learn.c | 207 ++
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 +++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 +++
+ grsecurity/grsec_disabled.c | 434 ++++
+ grsecurity/grsec_exec.c | 187 ++
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 +++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 +++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 246 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 ++++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/gracl.h | 319 +++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 ++
+ include/linux/grinternal.h | 227 ++
+ include/linux/grmsg.h | 112 +
+ include/linux/grsecurity.h | 241 ++
+ include/linux/grsock.h | 19 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/proc_fs.h | 13 +
+ include/linux/sched.h | 48 +-
+ include/trace/events/fs.h | 53 +
+ kernel/kmod.c | 7 +-
+ kernel/panic.c | 2 +-
+ kernel/posix-timers.c | 1 +
+ kernel/time/timekeeping.c | 2 +
+ lib/Kconfig.debug | 2 +-
+ lib/vsprintf.c | 31 +
+ localversion-grsec | 1 +
+ mm/mmap.c | 13 +-
+ mm/shmem.c | 2 +-
+ net/core/net-procfs.c | 5 +
+ net/ipv6/udp.c | 3 +
+ net/netfilter/xt_gradm.c | 51 +
+ 66 files changed, 11184 insertions(+), 21 deletions(-)
+
+commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 17:35:47 2013 -0400
+
+ Initial import of pax-linux-3.10-test1.patch
+
+ Documentation/dontdiff | 46 +-
+ Documentation/kernel-parameters.txt | 12 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 444 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 14 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 15 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
+ arch/arm/mach-ux500/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 91 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 30 +-
+ arch/arm/mm/mmu.c | 187 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 13 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 +
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 4 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/efi_stub_32.S | 16 +-
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 22 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 4 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 +-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 67 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/include/asm/page_64.h | 4 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 122 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 33 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 28 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 61 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 +-
+ arch/x86/kernel/entry_64.S | 548 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 13 +-
+ arch/x86/kernel/head_32.S | 237 +-
+ arch/x86/kernel/head_64.S | 143 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 55 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 2 +
+ arch/x86/kernel/setup.c | 21 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 184 +
+ arch/x86/kernel/sys_x86_64.c | 22 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 61 +-
+ arch/x86/kvm/x86.c | 8 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 70 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 363 +-
+ arch/x86/lib/usercopy_64.c | 13 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 556 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 98 +-
+ arch/x86/mm/init_32.c | 113 +-
+ arch/x86/mm/init_64.c | 38 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pat_rbtree.c | 2 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 24 +
+ arch/x86/platform/efi/efi_64.c | 10 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 11 +-
+ arch/x86/realmode/init.c | 10 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/Makefile | 2 +-
+ arch/x86/tools/relocs.c | 94 +-
+ arch/x86/um/tls_32.c | 2 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/genhd.c | 11 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/algapi.c | 2 +-
+ crypto/cryptd.c | 4 +-
+ crypto/pcrypt.c | 6 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/attribute_container.c | 2 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 8 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/nbd.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 11 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 4 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 45 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clk/clk-composite.c | 2 +-
+ drivers/clocksource/arm_arch_timer.c | 2 +-
+ drivers/clocksource/metag_generic.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 8 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 6 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efi/efi.c | 12 +-
+ drivers/firmware/efi/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/iio_hwmon.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 12 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bcache/closure.h | 2 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/vhost/vringh.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/output.c | 2 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_addr.c | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 12 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 607 ++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 12 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/exec.c | 362 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 4 +-
+ fs/fhandle.c | 3 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 4 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/lockd/svc.c | 2 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 10 +-
+ fs/nfs/callback.c | 4 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfs/nfs4state.c | 2 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 9 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 61 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/proc/vmcore.c | 12 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/read_write.c | 2 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 40 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/clk-provider.h | 1 +
+ include/linux/compat.h | 4 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 4 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 6 +-
+ include/linux/mm.h | 116 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 12 +-
+ include/linux/pipe_fs_i.h | 8 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-ohci-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/proc_ns.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 65 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 42 +-
+ include/linux/slab_def.h | 28 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 8 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 10 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 12 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/netns/ipv6.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/compress_driver.h | 2 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 30 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 42 +-
+ init/main.c | 83 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditfilter.c | 2 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 38 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 30 +-
+ kernel/events/internal.h | 10 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 11 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 22 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 76 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 51 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/sched/sched.h | 2 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 18 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 6 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 18 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ kernel/workqueue.c | 2 +-
+ lib/Kconfig.debug | 8 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 6 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/usercopy.c | 6 +
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/backing-dev.c | 4 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 15 +-
+ mm/mmap.c | 606 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 4 +-
+ mm/page_alloc.c | 41 +-
+ mm/page_io.c | 2 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 79 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 46 +-
+ mm/slob.c | 201 +-
+ mm/slub.c | 79 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 77 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_core.c | 8 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/devinet.c | 18 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 18 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 12 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 8 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 16 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 29 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.sh | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 676 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/internal.h | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/core/sound.c | 2 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ sound/sound_core.c | 2 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 172 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 560 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 ++
+ tools/gcc/latent_entropy_plugin.c | 327 ++
+ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2114 +++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/gcc/structleak_plugin.c | 277 +
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1607 files changed, 30734 insertions(+), 7318 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 23:05:14 2013 -0400
+
+ always enforce a non-zero gap for RAND_THREADSTACK
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 16:09:28 2013 -0400
+
+ fix up file comparisons
+
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_sig.c | 4 ++--
+ include/linux/grinternal.h | 12 ++++++++++++
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+commit a1fff2c95162314626dd96bec71d951a8c1c4708
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:33:18 2013 -0400
+
+ fix suid binary matching
+
+ grsecurity/grsec_sig.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
+Merge: 37b97a9 47beb61
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:02:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:01:37 2013 -0400
+
+ Update to pax-linux-3.9.9-test13.patch:
+ - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
+ - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)
+
+ arch/arm/include/asm/uaccess.h | 20 ++++++++++----------
+ arch/arm/kernel/armksyms.c | 2 +-
+ arch/arm/kernel/entry-armv.S | 4 ++--
+ arch/arm/mm/Kconfig | 2 +-
+ arch/x86/ia32/ia32entry.S | 4 ++--
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/kernel/entry_32.S | 4 ++--
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ arch/x86/kernel/head64.c | 12 ++++++------
+ arch/x86/kernel/head_64.S | 16 ++++++++++++----
+ arch/x86/mm/init.c | 8 ++++++++
+ arch/x86/mm/init_32.c | 6 ------
+ arch/x86/mm/init_64.c | 6 ------
+ arch/x86/platform/efi/efi_32.c | 5 +++++
+ arch/x86/platform/efi/efi_64.c | 10 ++++++++++
+ 15 files changed, 64 insertions(+), 44 deletions(-)
+
+commit 89085d2d0643813a62f23d1199a335dc1e129bc0
+Merge: 963af7f 0adf2e7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 14:55:44 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:46:02 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:29:51 2013 -0400
+
+ update log arguments
+
+ grsecurity/grsec_sig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:20:23 2013 -0400
+
+ Update logging of suid exec ban
+
+ Conflicts:
+
+ grsecurity/grsec_sig.c
+
+ grsecurity/grsec_sig.c | 3 +--
+ include/linux/grmsg.h | 1 +
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit ef808866c070aa1901bd2224521baaf5d145a3a7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 12:58:33 2013 -0400
+
+ Additional improvements to the user banning code:
+
+ Separate the kernel-bruteforcing case from the suid bruteforcing case
+ In the suid bruteforcing case, only kill existing copies of the bruteforced
+ binary. Instead of preventing all future execs by this user, prevent them
+ from executing any suid/sgid binaries for the next 15 minutes.
+
+ Kernel case is mostly unchanged from before, except the task trying to change
+ real uid to the banned user will be terminated instead of failing the setuid
+ call.
+
+ Configuration help has been updated to reflect the new changes.
+
+ fs/exec.c | 13 +++++---
+ grsecurity/Kconfig | 5 ++-
+ grsecurity/gracl.c | 6 ++--
+ grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------
+ include/linux/grsecurity.h | 1 -
+ include/linux/sched.h | 9 +++--
+ 6 files changed, 65 insertions(+), 45 deletions(-)
+
+commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 16:14:09 2013 -0400
+
+ fix renamed export of csum_partial_copy_from_user, as reported by fabled
+ on the forums
+
+ arch/arm/kernel/armksyms.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 318235973c2a548c3d25562645d6b69f66e85934
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 16:09:16 2013 -0400
+
+ make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
+ reported on the forums by fabled
+
+ arch/arm/mm/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 15:53:12 2013 -0400
+
+ Revise the user ban code to kill the process issuing a banned
+ set*id instead of returning an error. For the sake of keeping
+ unified user banning between the suid and kernel bruteforce case,
+ we will apply this killing to the suid bruteforce case, despite
+ a check just at exec time (that already existed) being sufficient.
+
+ Returning an error could enable exploitation of the "failure to check
+ setuid return value" case which was recently effectively closed
+ upstream, albeit in a rare situation with a suitable binary and
+ two colluding users.
+
+ Many thanks to stealth for reviewing the user ban code.
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/grsec_sig.c | 16 +++++++++++++---
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
+Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Date: Fri Jun 28 14:15:15 2013 +0300
+
+ Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
+
+ UBIFS: fix a horrid bug
+
+ Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
+ mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
+ in the middle of 'ubifs_readdir()'.
+
+ This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
+ it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
+ but this may corrupt memory and lead to all kinds of problems like crashes an
+ security holes.
+
+ This patch fixes the problem by using the 'file->f_version' field, which
+ '->llseek()' always unconditionally sets to zero. We set it to 1 in
+ 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
+ seek and it is time to clear the state saved in 'file->private_data'.
+
+ I tested this patch by writing a user-space program which runds readdir and
+ seek in parallell. I could easily crash the kernel without these patches, but
+ could not crash it with these patches.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+ Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+ Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++---
+ 1 files changed, 27 insertions(+), 3 deletions(-)
+
+commit c22280b85088978bd8b45bd23096879459b48008
+Author: Stephane Eranian <eranian@google.com>
+Date: Thu Jun 20 11:36:28 2013 +0200
+
+ Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
+
+ perf: Disable monitoring on setuid processes for regular users
+
+ There was a a bug in setup_new_exec(), whereby
+ the test to disabled perf monitoring was not
+ correct because the new credentials for the
+ process were not yet committed and therefore
+ the get_dumpable() test was never firing.
+
+ The patch fixes the problem by moving the
+ perf_event test until after the credentials
+ are committed.
+
+ Signed-off-by: Stephane Eranian <eranian@google.com>
+ Tested-by: Jiri Olsa <jolsa@redhat.com>
+ Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ fs/exec.c | 16 +++++++++-------
+ 1 files changed, 9 insertions(+), 7 deletions(-)
+
+commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 29 13:10:02 2013 -0400
+
+ on context switch, make sure we switch DACR when domain support and
+ KERNEXEC is disabled but UDEREF is enabled
+
+ arch/arm/kernel/entry-armv.S | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 08d017fa51370921694ce087b28c96fec92993d4
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jun 23 17:26:58 2013 +0300
+
+ Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
+
+ macvtap: fix recovery from gup errors
+
+ get user pages might fail partially in macvtap zero copy
+ mode. To recover we need to put all pages that we got,
+ but code used a wrong index resulting in double-free
+ errors.
+
+ Reported-by: Brad Hubbard <bhubbard@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/macvtap.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jun 23 17:19:03 2013 +0300
+
+ Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
+
+ tun: fix recovery from gup errors
+
+ get user pages might fail partially in tun zero copy
+ mode. To recover we need to put all pages that we got,
+ but code used a wrong index resulting in double-free
+ errors.
+
+ Reported-by: Brad Hubbard <bhubbard@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
+Author: Balazs Peter Odor <balazs@obiserver.hu>
+Date: Sat Jun 22 19:24:43 2013 +0200
+
+ Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
+
+ netfilter: nf_nat_sip: fix mangling
+
+ In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
+ there were some missing brackets around the logging information, thus
+ always returning drop.
+
+ Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
+
+ Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nf_nat_sip.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
+Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Date: Sun Jun 2 16:30:40 2013 -0400
+
+ Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
+
+ Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
+
+ If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
+ controller, memory corruption happens due to a memcpy() call with
+ negative length.
+
+ Fix this crash on either incoming or outgoing connections with a MTU
+ smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
+
+ [ 46.885433] BUG: unable to handle kernel paging request at f56ad000
+ [ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
+ [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
+ [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
+ [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
+ [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
+ [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+ [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
+ [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
+ [ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
+ [ 46.888037] EIP is at memcpy+0x1d/0x40
+ [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
+ [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
+ [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+ [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
+ [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
+ [ 46.888037] DR6: ffff0ff0 DR7: 00000400
+ [ 46.888037] Stack:
+ [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
+ [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
+ [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
+ [ 46.888037] Call Trace:
+ [ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
+ [ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
+ [ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
+ [ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
+ [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+ [ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
+ [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+ [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+ [ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
+ [ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
+ [ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
+ [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+ [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+ [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+ [ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
+ [ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
+ [ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
+ [ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
+ [ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
+ [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+ [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+ [ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
+ [ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
+ [ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
+ [ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
+ [ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
+ [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
+ [ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
+ [ 46.888037] CR2: 00000000f56ad000
+ [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
+
+ Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ net/bluetooth/l2cap_core.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit b0471b6c1160858fc646d8e94628fd1299f61692
+Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
+Date: Fri Jun 21 19:55:11 2013 +0530
+
+ Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
+
+ Bluetooth: Fix invalid length check in l2cap_information_rsp()
+
+ The length check is invalid since the length varies with type of
+ info response.
+
+ This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
+
+ Because of this, l2cap info rsp is not handled and command reject is sent.
+
+ > ACL data: handle 11 flags 0x02 dlen 16
+ L2CAP(s): Info rsp: type 2 result 0
+ Extended feature mask 0x00b8
+ Enhanced Retransmission mode
+ Streaming mode
+ FCS Option
+ Fixed Channels
+ < ACL data: handle 11 flags 0x00 dlen 10
+ L2CAP(s): Command rej: reason 0
+ Command not understood
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
+ Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
+ Acked-by: Johan Hedberg <johan.hedberg@intel.com>
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+
+ net/bluetooth/l2cap_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4184af98c360d825e638b268b1a9847232e8d299
+Author: Eric Dumazet <edumazet@google.com>
+Date: Wed Jun 26 04:15:07 2013 -0700
+
+ Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
+
+ ipv6: ip6_sk_dst_check() must not assume ipv6 dst
+
+ It's possible to use AF_INET6 sockets and to connect to an IPv4
+ destination. After this, socket dst cache is a pointer to a rtable,
+ not rt6_info.
+
+ ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
+ various corruptions/crashes can happen.
+
+ Dave Jones can reproduce immediate crash with
+ trinity -q -l off -n -c sendmsg -c connect
+
+ With help from Hannes Frederic Sowa
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
+Author: Zefan Li <lizefan@huawei.com>
+Date: Wed Jun 26 15:29:54 2013 +0800
+
+ Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
+
+ dlci: acquire rtnl_lock before calling __dev_get_by_name()
+
+ Otherwise the net device returned can be freed at anytime.
+
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/dlci.c | 14 +++++++++-----
+ 1 files changed, 9 insertions(+), 5 deletions(-)
+
+commit 1fe6f23c9acd14d832d056909ff326bde418e645
+Author: Zefan Li <lizefan@huawei.com>
+Date: Wed Jun 26 15:31:58 2013 +0800
+
+ Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
+
+ dlci: validate the net device in dlci_del()
+
+ We triggered an oops while running trinity with 3.4 kernel:
+
+ BUG: unable to handle kernel paging request at 0000000100000d07
+ IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+ PGD 640c0d067 PUD 0
+ Oops: 0000 [#1] PREEMPT SMP
+ CPU 3
+ ...
+ Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
+ RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+ ...
+ Call Trace:
+ [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
+ [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
+ [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
+ [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
+ [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
+ ...
+
+ It's because the net device is not a dlci device.
+
+ Reported-by: Li Jinyue <lijinyue@huawei.com>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/dlci.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+commit 4d4464407611527ef6b6b5475cfcab6121b3da66
+Merge: 59571a9 963af7f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 27 18:54:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 963af7f7f591759b731ce6325ceb583a72fcf423
+Merge: c51e25a 55db48a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 27 18:54:42 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 59571a9db7485f530a1e865a13cacc4c991ec41f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:39:08 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: Steffen Klassert <steffen.klassert@secunet.com>,
+ "David S. Miller" <davem@davemloft.net>
+ Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
+ Herbert Xu <herbert@gondor.apana.org.au>
+ Subject: [PATCH] af_key: fix info leaks in notify messages
+
+ key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
+ the sadb_msg_reserved member of the broadcasted message and thereby
+ leak 2 bytes of heap memory to listeners. Fix that.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+
+ net/key/af_key.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:33:06 2013 -0400
+
+ update rand_threadstack code to continue the search for a gap if the first
+ choice doesn't have enough space, instead of returning ENOMEM
+
+ mm/mmap.c | 17 ++++++++++-------
+ 1 files changed, 10 insertions(+), 7 deletions(-)
+
+commit 87020d4a4d83038d65ff1fd519938840f6888b9e
+Merge: 2682346 c51e25a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:25:32 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c51e25a23f30a1198076bd085f19b2073caf164d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:24:54 2013 -0400
+
+ Update to pax-linux-3.9.7-test12.patch:
+ - fixed a regression on PARAVIRT/amd64 kernels
+ - simplified the recent vm_unmapped_area_info based change
+
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ mm/mmap.c | 22 ++++++++++++----------
+ 2 files changed, 16 insertions(+), 14 deletions(-)
+
+commit 26823469a08e59cb67bea18d448d9e8c65f82e08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 21:26:51 2013 -0400
+
+ re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
+ vm_unmapped_area code is complete
+
+ arch/x86/kernel/sys_i386_32.c | 5 +++++
+ grsecurity/Kconfig | 2 +-
+ mm/mmap.c | 11 ++++++++++-
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
+Merge: e58fe8c c4e0704
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 19:08:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/sys_i386_32.c
+
+commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 19:05:39 2013 -0400
+
+ Update to pax-linux-3.9.7-test11.patch:
+ - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
+ - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
+ - fixed the recent nested nmi related fixes some more
+ - fixed a regression in kernel memory initialization on relocatable i386 kernels
+ - empty_zero_page can be read-only on amd64 as well
+
+ arch/arm/mm/mmap.c | 6 --
+ arch/x86/kernel/entry_64.S | 8 +--
+ arch/x86/kernel/head_64.S | 1 -
+ arch/x86/kernel/setup.c | 2 +-
+ arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++----------------------------
+ drivers/lguest/core.c | 2 +-
+ include/linux/mm.h | 6 +-
+ include/linux/vmalloc.h | 2 +-
+ mm/mmap.c | 30 +++++++-
+ 9 files changed, 83 insertions(+), 134 deletions(-)
+
+commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 23 14:37:14 2013 -0400
+
+ second compile fix, reported by forsaken on forums
+
+ include/linux/vmalloc.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 23 14:36:35 2013 -0400
+
+ compile fix, reported by KDE on forums
+
+ kernel/printk.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit 1fc9a5e2e267205d28302e1e86ca0da434561111
+Author: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun Jun 16 21:27:12 2013 +0100
+
+ Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
+
+ x86/efi: Fix dummy variable buffer allocation
+
+ 1. Check for allocation failure
+ 2. Clear the buffer contents, as they may actually be written to flash
+ 3. Don't leak the buffer
+
+ Compile-tested only.
+
+ [ Tested successfully on my buggy ASUS machine - Matt ]
+
+ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+
+ arch/x86/platform/efi/efi.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
+Author: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Tue Jun 18 09:05:36 2013 -0500
+
+ Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
+
+ sparc: tsb must be flushed before tlb
+
+ This fixes a race where a cpu may re-load a tlb from a stale tsb right
+ after it has been flushed by a remote function call.
+
+ I still see some instability when stressing the system with parallel
+ kernel builds while creating memory pressure by writing to
+ /proc/sys/vm/nr_hugepages, but this patch improves the stability
+ significantly.
+
+ Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+ Acked-by: Bob Picco <bob.picco@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/mm/tlb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d93b62f6485db9aadda34322a6867868db07f56f
+Merge: 4ef62f5 71d83e9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:52:55 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 71d83e97c936563913bcfb5a25c45b2021a331eb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:48:42 2013 -0400
+
+ Update to pax-linux-3.9.7-test10.patch:
+ - fixed a few format string problems uncovered by -Wformat-nonliteral
+ - another attempt at fixing the nested nmi/cr0.wp problem
+ - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
+ - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
+ - fixed a locking issue with track_exec_limit reported by spender
+ - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)
+
+ Documentation/dontdiff | 1 +
+ arch/x86/boot/compressed/efi_stub_32.S | 16 ++-----
+ arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------
+ arch/x86/kernel/vmlinux.lds.S | 2 +-
+ block/genhd.c | 11 +++--
+ crypto/algapi.c | 2 +-
+ crypto/pcrypt.c | 6 +-
+ drivers/base/attribute_container.c | 2 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/block/nbd.c | 2 +-
+ drivers/cdrom/cdrom.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/mem.c | 2 +-
+ drivers/devfreq/devfreq.c | 2 +-
+ drivers/gpu/drm/drm_encoder_slave.c | 6 +--
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/iommu/irq_remapping.c | 2 +-
+ drivers/video/output.c | 2 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 2 +-
+ fs/lockd/svc.c | 2 +-
+ fs/nfs/callback.c | 4 +-
+ fs/nfs/nfs4state.c | 2 +-
+ fs/nfsd/nfscache.c | 3 +-
+ init/initramfs.c | 2 +-
+ kernel/rcutree.c | 2 +-
+ lib/kobject.c | 2 +-
+ mm/backing-dev.c | 4 +-
+ mm/mmap.c | 4 +-
+ mm/slub.c | 2 +-
+ mm/vmalloc.c | 15 +++----
+ net/bluetooth/hci_core.c | 8 ++--
+ net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
+ net/sunrpc/svc.c | 2 +-
+ security/Kconfig | 15 +++---
+ sound/core/sound.c | 2 +-
+ sound/sound_core.c | 2 +-
+ 40 files changed, 116 insertions(+), 111 deletions(-)
+
+commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
+Merge: 39efd8f 256eff7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:45:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ kernel/printk.c
+
+commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
+Merge: e6e3059 485f25f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 20 22:14:24 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 18 17:20:18 2013 -0400
+
+ add apparmor compat patch
+
+ security/apparmor/Kconfig | 9 ++
+ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 240 insertions(+), 0 deletions(-)
+
+commit 49bee3c5341687504669bf62becf4a419a226ba0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 17 18:48:04 2013 -0400
+
+ Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
+
+ This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.
+
+ kernel/sys.c | 29 +++--------------------------
+ 1 files changed, 3 insertions(+), 26 deletions(-)
+
+commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Sun Jun 16 18:06:06 2013 +0100
+
+ Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
+
+ lseek(fd, n, SEEK_END) does *not* go to eof - n
+
+ When you copy some code, you are supposed to read it. If nothing else,
+ there's a chance to spot and fix an obvious bug instead of sharing it...
+
+ X-Song: "I Got It From Agnes", by Tom Lehrer
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ [ Tom Lehrer? You're dating yourself, Al ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +-
+ drivers/scsi/bfa/bfad_debugfs.c | 2 +-
+ drivers/scsi/fnic/fnic_debugfs.c | 2 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 5a450f1c46f0c84379518aee878993d3f4a331b6
+Author: Theodore Ts'o <tytso@mit.edu>
+Date: Thu Jun 6 11:14:31 2013 -0400
+
+ Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
+
+ ext4: verify group number in verify_group_input() before using it
+
+ Check the group number for sanity earilier, before calling routines
+ such as ext4_bg_has_super() or ext4_group_overhead_blocks().
+
+ Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+
+ fs/ext4/resize.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
+Author: Neil Horman <nhorman@tuxdriver.com>
+Date: Wed Jun 12 14:26:44 2013 -0400
+
+ Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
+
+ sctp: fully initialize sctp_outq in sctp_outq_init
+
+ In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
+ (refactor sctp_outq_teardown to insure proper re-initalization)
+ we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
+ outq structure. Steve West recently asked me why I removed the q->error = 0
+ initalization from sctp_outq_teardown. I did so because I was operating under
+ the impression that sctp_outq_init would properly initalize that value for us,
+ but it doesn't. sctp_outq_init operates under the assumption that the outq
+ struct is all 0's (as it is when called from sctp_association_init), but using
+ it in __sctp_outq_teardown violates that assumption. We should do a memset in
+ sctp_outq_init to ensure that the entire structure is in a known state there
+ instead.
+
+ Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+ Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
+ CC: Vlad Yasevich <vyasevich@gmail.com>
+ CC: netdev@vger.kernel.org
+ CC: davem@davemloft.net
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/sctp/outqueue.c
+
+ net/sctp/outqueue.c | 8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
+
+commit e13515ad7a9c7634599a105b2527752e527a905d
+Author: Saurabh Mohan <saurabh@vyatta.com>
+Date: Mon Jun 10 17:45:10 2013 -0700
+
+ Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
+
+ net/ipv4: ip_vti clear skb cb before tunneling.
+
+ If users apply shaper to vti tunnel then it will cause a kernel crash. The
+ problem seems to be due to the vti_tunnel_xmit function not clearing
+ skb->opt field before passing the packet to xfrm tunneling code.
+
+ Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
+ Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_vti.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed Jun 12 16:07:36 2013 +0200
+
+ Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
+
+ l2tp: Fix sendmsg() return value
+
+ PPPoL2TP sockets should comply with the standard send*() return values
+ (i.e. return number of bytes sent instead of 0 upon success).
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit af361b412e816e894fb42ddff7a0545b7def64c0
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed Jun 12 16:07:23 2013 +0200
+
+ Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
+
+ l2tp: Fix PPP header erasure and memory leak
+
+ Copy user data after PPP framing header. This prevents erasure of the
+ added PPP header and avoids leaking two bytes of uninitialised memory
+ at the end of skb's data buffer.
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 1f43aca088c35dda35abf76e08544e534c71fed4
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed Jun 12 16:02:27 2013 +0200
+
+ Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
+
+ packet: packet_getname_spkt: make sure string is always 0-terminated
+
+ uaddr->sa_data is exactly of size 14, which is hard-coded here and
+ passed as a size argument to strncpy(). A device name can be of size
+ IFNAMSIZ (== 16), meaning we might leave the destination string
+ unterminated. Thus, use strlcpy() and also sizeof() while we're
+ at it. We need to memset the data area beforehand, since strlcpy
+ does not padd the remaining buffer with zeroes for user space, so
+ that we do not possibly leak anything.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/packet/af_packet.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Wed Jun 5 19:38:26 2013 +0000
+
+ Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
+
+ net: Unbreak compat_sys_{send,recv}msg
+
+ I broke them in this commit:
+
+ commit 1be374a0518a288147c6a7398792583200a67261
+ Author: Andy Lutomirski <luto@amacapital.net>
+ Date: Wed May 22 14:07:44 2013 -0700
+
+ net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
+ MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It
+ also reverts some unnecessary checks in sys_socketcall.
+
+ Apparently I was suffering from underscore blindness the first time around.
+
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Tested-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/linux/socket.h | 3 ++
+ net/compat.c | 13 +++++++-
+ net/socket.c | 72 ++++++++++++++++++++++--------------------------
+ 3 files changed, 47 insertions(+), 41 deletions(-)
+
+commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Wed May 22 14:07:44 2013 -0700
+
+ Upstream commit: 1be374a0518a288147c6a7398792583200a67261
+
+ net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ To: linux-kernel@vger.kernel.org
+ Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
+ Miller" <davem@davemloft.net>
+ Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
+ it's a hack that steals a bit to indicate to other networking code
+ that a compat entry was used. So don't allow it from a non-compat
+ syscall.
+
+ This prevents an oops when running this code:
+
+ int main()
+ {
+ int s;
+ struct sockaddr_in addr;
+ struct msghdr *hdr;
+
+ char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ if (highpage == MAP_FAILED)
+ err(1, "mmap");
+
+ s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (s == -1)
+ err(1, "socket");
+
+ addr.sin_family = AF_INET;
+ addr.sin_port = htons(1);
+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
+ err(1, "connect");
+
+ void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
+ printf("Evil address is %p\n", evil);
+
+ if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
+ err(1, "sendmmsg");
+
+ return 0;
+ }
+
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/socket.c | 33 +++++++++++++++++++++++++++++++--
+ 1 files changed, 31 insertions(+), 2 deletions(-)
+
+commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri May 10 14:48:21 2013 -0700
+
+ Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
+
+ b43: stop format string leaking into error msgs
+
+ The module parameter "fwpostfix" is userspace controllable, unfiltered,
+ and is used to define the firmware filename. b43_do_request_fw() populates
+ ctx->errors[] on error, containing the firmware filename. b43err()
+ parses its arguments as a format string. For systems with b43 hardware,
+ this could lead to a uid-0 to ring-0 escalation.
+
+ CVE-2013-2852
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/b43/main.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit dfb67a67049ace7b94ad7e2febfac69816d50d85
+Author: Mark A. Greer <mgreer@animalcreek.com>
+Date: Wed May 29 12:25:34 2013 -0700
+
+ Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
+
+ mwifiex: debugfs: Fix out of bounds array access
+
+ When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
+ the following panic occurs:
+
+ $ cat /sys/kernel/debug/mwifiex/p2p0/info
+ Unable to handle kernel paging request at virtual address 74706164
+ pgd = de530000
+ [74706164] *pgd=00000000
+ Internal error: Oops: 5 [#1] SMP ARM
+ Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
+ CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
+ task: de16b6c0 ti: de048000 task.ti: de048000
+ PC is at strnlen+0xc/0x4c
+ LR is at string+0x3c/0xf8
+ pc : [<c02c123c>] lr : [<c02c2d1c>] psr: a0000013
+ sp : de049e10 ip : c06efba0 fp : de6d2092
+ r10: bf01a260 r9 : ffffffff r8 : 74706164
+ r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000
+ r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164
+ Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+ Control: 10c5387d Table: 9e530019 DAC: 00000015
+ Process cat (pid: 1635, stack limit = 0xde048240)
+ Stack: (0xde049e10 to 0xde04a000)
+ 9e00: de6d2092 00000002 bf01a25e de6d209c
+ 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
+ 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
+ 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
+ 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
+ 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
+ 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
+ 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
+ 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
+ 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
+ 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
+ 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
+ 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
+ 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
+ [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
+ [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
+ [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
+ [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
+ [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
+ [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
+ [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
+ Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
+ ---[ end trace ca98273dc605a04f ]---
+
+ The panic is caused by the mwifiex_info_read() routine assuming that
+ there can only be four modes (0-3) which is an invalid assumption.
+ For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
+ code accesses data beyond the bounds of the bss_modes[] array which
+ causes the panic. Fix this by updating bss_modes[] to support the
+ current list of modes and adding a check to prevent the out-of-bounds
+ access from occuring in the future when more modes are added.
+
+ Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
+ Acked-by: Bing Zhao <bzhao@marvell.com>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++-----
+ 1 files changed, 17 insertions(+), 5 deletions(-)
+
+commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
+Author: Johan Hedberg <johan.hedberg@intel.com>
+Date: Tue May 28 13:46:30 2013 +0300
+
+ Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
+
+ Bluetooth: Fix missing length checks for L2CAP signalling PDUs
+
+ There has been code in place to check that the L2CAP length header
+ matches the amount of data received, but many PDU handlers have not been
+ checking that the data received actually matches that expected by the
+ specific PDU. This patch adds passing the length header to the specific
+ handler functions and ensures that those functions fail cleanly in the
+ case of an incorrect amount of data.
+
+ Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++-----------
+ 1 files changed, 52 insertions(+), 18 deletions(-)
+
+commit 628be2427afb241b5a1aa24bc5907d05287e1f25
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon Jun 3 12:00:49 2013 +0300
+
+ Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
+
+ ipvs: info leak in __ip_vs_get_dest_entries()
+
+ The entry struct has a 2 byte hole after ->port and another 4 byte
+ hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your
+ namespace to hit this information leak.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Simon Horman <horms@verge.net.au>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/ipvs/ip_vs_ctl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 066d9226bc6c569d5f420c978b758e0bddd23444
+Author: Robin Holt <holt@sgi.com>
+Date: Wed Jun 12 14:04:37 2013 -0700
+
+ Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
+
+ reboot: rigrate shutdown/reboot to boot cpu
+
+ We recently noticed that reboot of a 1024 cpu machine takes approx 16
+ minutes of just stopping the cpus. The slowdown was tracked to commit
+ f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
+ kernel_restart()").
+
+ The current implementation does all the work of hot removing the cpus
+ before halting the system. We are switching to just migrating to the
+ boot cpu and then continuing with shutdown/reboot.
+
+ This also has the effect of not breaking x86's command line parameter
+ for specifying the reboot cpu. Note, this code was shamelessly copied
+ from arch/x86/kernel/reboot.c with bits removed pertaining to the
+ reboot_cpu command line parameter.
+
+ Signed-off-by: Robin Holt <holt@sgi.com>
+ Tested-by: Shawn Guo <shawn.guo@linaro.org>
+ Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
+ Cc: H. Peter Anvin <hpa@zytor.com>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Ingo Molnar <mingo@elte.hu>
+ Cc: Russ Anderson <rja@sgi.com>
+ Cc: Robin Holt <holt@sgi.com>
+ Cc: Russell King <linux@arm.linux.org.uk>
+ Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sys.c | 29 ++++++++++++++++++++++++++---
+ 1 files changed, 26 insertions(+), 3 deletions(-)
+
+commit 94e2a91600b07d39825e7059195f35eb611a39a2
+Merge: 20cc761 e6e3059
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 13 16:23:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
+Merge: c6aadb1 4b73feb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 13 16:23:39 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 20cc7613e38cde07adc73179a91d6c15292e8d43
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Thu Jun 6 15:53:47 2013 +0200
+
+ Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
+
+ net: sctp: fix NULL pointer dereference in socket destruction
+
+ While stress testing sctp sockets, I hit the following panic:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+ IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ PGD 7cead067 PUD 7ce76067 PMD 0
+ Oops: 0000 [#1] SMP
+ Modules linked in: sctp(F) libcrc32c(F) [...]
+ CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
+ Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
+ task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
+ RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
+ RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
+ RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
+ RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
+ FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Stack:
+ ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
+ ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
+ 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
+ Call Trace:
+ [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
+ [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
+ [<ffffffff814df36e>] inet_create+0x2ae/0x350
+ [<ffffffff81455a6f>] __sock_create+0x11f/0x240
+ [<ffffffff81455bf0>] sock_create+0x30/0x40
+ [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
+ [<ffffffff815403be>] ? do_page_fault+0xe/0x10
+ [<ffffffff8153cb32>] ? page_fault+0x22/0x30
+ [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
+ Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
+ 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
+ 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
+ RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ RSP <ffff88007b569e08>
+ CR2: 0000000000000020
+ ---[ end trace e0d71ec1108c1dd9 ]---
+
+ I did not hit this with the lksctp-tools functional tests, but with a
+ small, multi-threaded test program, that heavily allocates, binds,
+ listens and waits in accept on sctp sockets, and then randomly kills
+ some of them (no need for an actual client in this case to hit this).
+ Then, again, allocating, binding, etc, and then killing child processes.
+
+ This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
+ is set. The cause for that is actually very simple: in sctp_endpoint_init()
+ we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
+ our crypto transforms through crypto_alloc_hash(). In our scenario,
+ it then can happen that crypto_alloc_hash() fails with -EINTR from
+ crypto_larval_wait(), thus we bail out and release the socket via
+ sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
+ dereference as soon as we try to access members in the endpoint during
+ sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
+ if we have that case, we do not need to do any cleanup work and just
+ leave the destruction handler.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 386ba837978cc8a1111440bdcd8600f2df4634a4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 12 20:37:48 2013 -0400
+
+ fix deadlock when booting i386 kernel without NX
+
+ mm/mmap.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 22:18:07 2013 -0400
+
+ fix elif / elif defined() typo in recent change
+
+ kernel/events/core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit bc43377e1e757cd37a06be0187884a42af718aab
+Merge: 3cdea63 c6aadb1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 18:50:39 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 18:49:36 2013 -0400
+
+ Update to pax-linux-3.9.4-test9.patch:
+ - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
+ - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort
+
+ arch/x86/kernel/setup.c | 2 +-
+ mm/mlock.c | 1 -
+ 2 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 3cdea63e90607d8d55820b101854091623feedb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:21:44 2013 -0400
+
+ Fix fanotify infoleak reported by Dan Carpenter at:
+ https://lkml.org/lkml/2013/6/3/128
+
+ Requires CAP_SYS_ADMIN, so this is about as low priority as it gets
+
+ fs/notify/fanotify/fanotify_user.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 373a2b5df78f82b9d3db72bd6577e29a71591323
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:16:46 2013 -0400
+
+ Backport infoleak fix by Dan Carpenter in cpqarray:
+ https://lkml.org/lkml/2013/6/3/131
+
+ drivers/block/cpqarray.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 251e84b9b05e063981b20be154c9389862f94759
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:04:17 2013 -0400
+
+ Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2
+
+ drivers/cdrom/cdrom.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 18:34:32 2013 -0400
+
+ change const to __read_only
+
+ kernel/sysctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 17:34:13 2013 -0400
+
+ compile fix, make const values const
+
+ kernel/sysctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 17:37:13 2013 -0400
+
+ Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a
+
+ drivers/char/mwave/tp3780i.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 1c590aa70c95ebd76ba9672aa23d800b81780615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 19:50:35 2013 -0400
+
+ allow -1 perf_event_paranoid
+
+ kernel/sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
+Merge: 4e85539 117c3fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 17:30:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 117c3fa8d26c3806103123560f807d99071b60b6
+Merge: ed9b427 5dd2e98
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 17:30:00 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon May 13 21:25:52 2013 +0000
+
+ Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
+
+ tcp: fix tcp_md5_hash_skb_data()
+
+ TCP md5 communications fail [1] for some devices, because sg/crypto code
+ assume page offsets are below PAGE_SIZE.
+
+ This was discovered using mlx4 driver [2], but I suspect loopback
+ might trigger the same bug now we use order-3 pages in tcp_sendmsg()
+
+ [1] Failure is giving following messages.
+
+ huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
+ exited with 00000101?
+
+ [2] mlx4 driver uses order-2 pages to allocate RX frags
+
+ Reported-by: Matt Schnall <mischnal@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Bernhard Beck <bbeck@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
+Author: Eric Dumazet <edumazet@google.com>
+Date: Fri May 17 04:53:13 2013 +0000
+
+ Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
+
+ ipv6: fix possible crashes in ip6_cork_release()
+
+ commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
+ added some code duplication and bad error recovery, leading to potential
+ crash in ip6_cork_release() as kfree() could be called with garbage.
+
+ use kzalloc() to make sure this wont happen.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+ Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+ Cc: Neal Cardwell <ncardwell@google.com>
+
+ net/ipv6/ip6_output.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Thu May 16 23:13:04 2013 +0000
+
+ Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
+
+ net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
+
+ 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
+ strncpy() will always left the last byte of 'discovery->data.info'
+ uninitialized.
+
+ When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
+ the last byte of 'discovery->data.info' uninitialized, the next
+ strlen() will cause issue.
+
+ Also 'discovery->data' is 'struct irda_device_info' which defined in
+ "include/uapi/...", it may copy to user mode, so need whole initialized.
+
+ All together, need use kzalloc() instead of kmalloc() to initialize all
+ members firstly.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/irda/irlap_frame.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c01c9af268cb066f240aec53454b8b74d8d01688
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun May 19 08:36:36 2013 +0000
+
+ Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
+
+ isdn/kcapi: fix a small underflow
+
+ In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
+ from skb->data. The current code can underflow to one space before the
+ start of the array.
+
+ The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
+ it to match the others.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/capi/kcapi.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
+Author: Timo Teräs <timo.teras@iki.fi>
+Date: Wed May 22 01:40:47 2013 +0000
+
+ Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
+
+ xfrm: properly handle invalid states as an error
+
+ The error exit path needs err explicitly set. Otherwise it
+ returns success and the only caller, xfrm_output_resume(),
+ would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
+ NULL.
+
+ Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
+ check and add a statistic).
+
+ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+ Cc: Li RongQing <roy.qing.li@gmail.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/xfrm/xfrm_output.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
+Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
+Date: Fri May 31 15:07:52 2013 -0400
+
+ Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
+
+ reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
+
+ After sleeping for filldir(), we check to see if the file system has
+ changed and research. The next_pos pointer is updated but its value
+ isn't pushed into the key used for the search itself. As a result,
+ the search returns the same item that the last cycle of the loop did
+ and filldir() is called multiple times with the same data.
+
+ The end result is that the buffer can contain the same name multiple
+ times. This can be returned to userspace or used internally in the
+ xattr code where it can manifest with the following warning:
+
+ jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
+
+ reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
+ the xattr names and ends up trying to unlink the same name twice. The
+ second attempt fails with -ENOENT and the error is returned. At some
+ point I'll need to add support into reiserfsck to remove the orphaned
+ directories left behind when this occurs.
+
+ The fix is to push the value into the key before researching.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/dir.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
+Author: Jeff Mahoney <jeffm@suse.com>
+Date: Fri May 31 15:51:17 2013 -0400
+
+ Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
+
+ reiserfs: fix deadlock with nfs racing on create/lookup
+
+ Reiserfs is currently able to be deadlocked by having two NFS clients
+ where one has removed and recreated a file and another is accessing the
+ file with an open file handle.
+
+ If one client deletes and recreates a file with timing such that the
+ recreated file obtains the same [dirid, objectid] pair as the original
+ file while another client accesses the file via file handle, the create
+ and lookup can race and deadlock if the lookup manages to create the
+ in-memory inode first.
+
+ The create thread, in insert_inode_locked4, will hold the write lock
+ while waiting on the other inode to be unlocked. The lookup thread,
+ anywhere in the iget path, will release and reacquire the write lock while
+ it schedules. If it needs to reacquire the lock while the create thread
+ has it, it will never be able to make forward progress because it needs
+ to reacquire the lock before ultimately unlocking the inode.
+
+ This patch drops the write lock across the insert_inode_locked4 call so
+ that the ordering of inode_wait -> write lock is retained. Since this
+ would have been the case before the BKL push-down, this is safe.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/inode.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
+Author: Jeff Mahoney <jeffm@suse.com>
+Date: Fri May 31 15:54:17 2013 -0400
+
+ Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
+
+ reiserfs: fix problems with chowning setuid file w/ xattrs
+
+ reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
+ and uses it to iterate over all the attrs associated with a file to change
+ ownership of xattrs (and transfer quota associated with the xattr files).
+
+ When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
+ are passed to all the xattrs as well. This means that the xattr directory
+ will have S_IFREG added to its mode bits.
+
+ This has been prevented in practice by a missing IS_PRIVATE check
+ in reiserfs_acl_chmod, which caused a double-lock to occur while holding
+ the write lock. Since the file system was completely locked up, the
+ writeout of the corrupted mode never happened.
+
+ This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
+ calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/xattr.c | 14 +++++++++++++-
+ fs/reiserfs/xattr_acl.c | 3 +++
+ 2 files changed, 16 insertions(+), 1 deletions(-)
+
+commit c18cef940310c06bdf86d64d8cb227e56e165300
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Mon May 27 16:38:25 2013 +1000
+
+ Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
+
+ xfs: kill suid/sgid through the truncate path.
+
+ XFS has failed to kill suid/sgid bits correctly when truncating
+ files of non-zero size since commit c4ed4243 ("xfs: split
+ xfs_setattr") introduced in the 3.1 kernel. Fix it.
+
+ Fix it.
+
+ cc: stable kernel <stable@vger.kernel.org>
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Brian Foster <bfoster@redhat.com>
+ Signed-off-by: Ben Myers <bpm@sgi.com>
+
+ (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)
+
+ fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
+ 1 files changed, 32 insertions(+), 15 deletions(-)
+
+commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed May 29 15:36:40 2013 -0400
+
+ Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
+
+ NFSv4: Fix a thinko in nfs4_try_open_cached
+
+ We need to pass the full open mode flags to nfs_may_open() when doing
+ a delegated open.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: stable@vger.kernel.org
+
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c47de62893a9f269be0a272c2840aac1e2a35c68
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Thu May 30 01:18:43 2013 +0000
+
+ Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
+
+ parisc: kernel: using strlcpy() instead of strcpy()
+
+ 'boot_args' is an input args, and 'boot_command_line' has a fix length.
+ So use strlcpy() instead of strcpy() to avoid memory overflow.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Acked-by: Kyle McMartin <kyle@mcmartin.ca>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/kernel/setup.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit ce869e6f799f95fcac340420ba3612503df80dbf
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Mon May 27 04:57:09 2013 +0000
+
+ Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
+
+ parisc: memory overflow, 'name' length is too short for using
+
+ 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
+ * "%u:" + "%u" + '\0') may be 21.
+
+ Since 'name' length is 20, it may be memory overflow.
+
+ And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
+ max length of 'name' must be less than 28.
+
+ So simplify thinking, we can use 28 instead of 20 directly, and do not
+ think of whether 'patchc.bc[i]' can '> 100'.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/kernel/drivers.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5dc65cd34d442783118a17c518e2daedb90a31d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 4 17:52:23 2013 -0400
+
+ add PERF_HARDEN recommendation
+
+ grsecurity/Kconfig | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 4 17:22:44 2013 -0400
+
+ Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN
+
+ grsecurity/Kconfig | 19 +++++++++++++++++++
+ include/linux/perf_event.h | 5 +++++
+ kernel/events/core.c | 10 +++++++++-
+ kernel/sysctl.c | 9 ++++++++-
+ 4 files changed, 41 insertions(+), 2 deletions(-)
+
+commit 84619a3501fd38285a72d9e963f58d1827beedd6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 14:23:31 2013 -0400
+
+ remove user-triggerable BUG_ON in do_munlockall()
+
+ mm/mlock.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 13:44:05 2013 -0400
+
+ Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
+
+ From: Kees Cook <keescook@chromium.org>
+ Date: Thu, 23 May 2013 17:32:17 +0000
+ Subject: iscsi-target: fix heap buffer overflow on error
+
+ If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+ error response packet, generated by iscsi_add_notunderstood_response(),
+ would still attempt to copy the entire key into the packet, overflowing
+ the structure on the heap.
+
+ Remote preauthentication kernel memory corruption was possible if a
+ target was configured and listening on the network.
+
+ CVE-2013-2850
+
+ Embargo-screwup-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 13:43:26 2013 -0400
+
+ Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
+ Applying upstream fix instead
+
+ This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun May 19 21:52:20 2013 +0300
+
+ Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
+
+ USB: cxacru: potential underflow in cxacru_cm_get_array()
+
+ commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
+
+ The value of "offd" comes off the instance->rcv_buf[] and we used it as
+ the offset into an array. The problem is that we check the upper bound
+ but not for negative values.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+
+ drivers/usb/atm/cxacru.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 11:30:17 2013 -0400
+
+ Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit 8578566969d91678a3d7d5251b4eafc6d7775314
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 30 17:44:15 2013 -0400
+
+ Apply compatibility fix to previous RLIMIT_NPROC change
+ don't enforce the rlimit check at exec time if the user is root
+ Prevents problems with sudo if root is listed as part of a group
+ in limits.conf with process limits enforced
+
+ kernel/sys.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
+Merge: 643b294 ed9b427
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 19:19:28 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ed9b4276488528d0c3803df1dc0df804238241e0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 19:18:45 2013 -0400
+
+ Updated to pax-linux-3.9.4-test8.patch:
+ - fixed some fallout detected by the checker plugin
+
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ drivers/base/devtmpfs.c | 6 +++---
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/mem.c | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++--
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++--------
+ fs/9p/vfs_addr.c | 2 +-
+ fs/binfmt_elf.c | 4 ++--
+ fs/compat_ioctl.c | 4 ++--
+ fs/exec.c | 2 +-
+ fs/namespace.c | 8 ++++----
+ fs/proc/vmcore.c | 12 ++++++++----
+ fs/read_write.c | 2 +-
+ include/linux/syscalls.h | 8 ++++----
+ init/do_mounts_initrd.c | 8 ++++----
+ init/main.c | 4 ++--
+ kernel/events/core.c | 2 +-
+ kernel/events/internal.h | 10 +++++-----
+ mm/page_io.c | 2 +-
+ security/keys/internal.h | 2 +-
+ tools/gcc/checker_plugin.c | 1 +
+ 24 files changed, 63 insertions(+), 54 deletions(-)
+
+commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 18:51:31 2013 -0400
+
+ eliminate gcc warning
+
+ fs/exec.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 18:30:20 2013 -0400
+
+ use BUILD_BUG() instead of BUILD_BUG_ON(1)
+
+ arch/x86/net/bpf_jit_comp.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 5343410354267368e5809f3ad8d9a264f141be18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 17:57:41 2013 -0400
+
+ defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
+ for unknown opcodes
+
+ arch/x86/net/bpf_jit_comp.c | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
+Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+Date: Fri May 24 15:55:11 2013 -0700
+
+ Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
+
+ mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
+
+ Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
+ multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
+ fix freed page still mapped in secondary MMU").
+
+ Since hlist_for_each_entry_rcu() is changed now, we can not revert that
+ patch directly, so this patch reverts the commit and simply fix the bug
+ spotted by that patch
+
+ This bug spotted by commit 751efd8610d3 is:
+
+ There is a race condition between mmu_notifier_unregister() and
+ __mmu_notifier_release().
+
+ Assume two tasks, one calling mmu_notifier_unregister() as a result
+ of a filp_close() ->flush() callout (task A), and the other calling
+ mmu_notifier_release() from an mmput() (task B).
+
+ A B
+ t1 srcu_read_lock()
+ t2 if (!hlist_unhashed())
+ t3 srcu_read_unlock()
+ t4 srcu_read_lock()
+ t5 hlist_del_init_rcu()
+ t6 synchronize_srcu()
+ t7 srcu_read_unlock()
+ t8 hlist_del_rcu() <--- NULL pointer deref.
+
+ This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
+
+ The another issue spotted in the commit is "multiple ->release()
+ callouts", we needn't care it too much because it is really rare (e.g,
+ can not happen on kvm since mmu-notify is unregistered after
+ exit_mmap()) and the later call of multiple ->release should be fast
+ since all the pages have already been released by the first call.
+ Anyway, this issue should be fixed in a separate patch.
+
+ -stable suggestions: Any version that has commit 751efd8610d3 need to be
+ backported. I find the oldest version has this commit is 3.0-stable.
+
+ [akpm@linux-foundation.org: tweak comments]
+ Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+ Tested-by: Robin Holt <holt@sgi.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++---------------------------
+ 1 files changed, 39 insertions(+), 40 deletions(-)
+
+commit 163a5539b36247865d39b2bcfa8efc03a62124a6
+Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Date: Fri May 24 15:55:21 2013 -0700
+
+ Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
+
+ mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
+
+ We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
+ set_pmd_at is used to set pmd with huge pte entries and architectures
+ like ppc64, clear few flags from the pte when saving a new entry.
+ Without this change we observe bad pte errors like below on ppc64 with
+ THP enabled.
+
+ BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
+
+ Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/huge_memory.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
+Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Fri May 24 15:55:08 2013 -0700
+
+ Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
+
+ fat: fix possible overflow for fat_clusters
+
+ Intermediate value of fat_clusters can be overflowed on 32bits arch.
+
+ Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
+ Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/fat/inode.c | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
+Author: Jarod Wilson <jarod@redhat.com>
+Date: Fri May 24 15:55:31 2013 -0700
+
+ Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
+
+ drivers/char/random.c: fix priming of last_data
+
+ Commit ec8f02da9ea5 ("random: prime last_data value per fips
+ requirements") added priming of last_data per fips requirements.
+
+ Unfortuantely, it did so in a way that can lead to multiple threads all
+ incrementing nbytes, but only one actually doing anything with the extra
+ data, which leads to some fun random corruption and panics.
+
+ The fix is to simply do everything needed to prime last_data in a single
+ shot, so there's no window for multiple cpus to increment nbytes -- in
+ fact, we won't even increment or decrement nbytes anymore, we'll just
+ extract the needed EXTRACT_SIZE one time per pool and then carry on with
+ the normal routine.
+
+ All these changes have been tested across multiple hosts and
+ architectures where panics were previously encoutered. The code changes
+ are are strictly limited to areas only touched when when booted in fips
+ mode.
+
+ This change should also go into 3.8-stable, to make the myriads of fips
+ users on 3.8.x happy.
+
+ Signed-off-by: Jarod Wilson <jarod@redhat.com>
+ Tested-by: Jan Stancek <jstancek@redhat.com>
+ Tested-by: Jan Stodola <jstodola@redhat.com>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Cc: Matt Mackall <mpm@selenic.com>
+ Cc: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/char/random.c | 30 +++++++++++++++---------------
+ 1 files changed, 15 insertions(+), 15 deletions(-)
+
+commit 2d74639040ba6ce47f57ec010714ec06529c4b42
+Author: Jiri Kosina <jkosina@suse.cz>
+Date: Fri May 24 15:55:33 2013 -0700
+
+ Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
+
+ random: fix accounting race condition with lockless irq entropy_count update
+
+ Commit 902c098a3663 ("random: use lockless techniques in the interrupt
+ path") turned IRQ path from being spinlock protected into lockless
+ cmpxchg-retry update.
+
+ That commit removed r->lock serialization between crediting entropy bits
+ from IRQ context and accounting when extracting entropy on userspace
+ read path, but didn't turn the r->entropy_count reads/updates in
+ account() to use cmpxchg as well.
+
+ It has been observed, that under certain circumstances this leads to
+ read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
+ corrupted and becomes negative, which in turn results in propagating 0
+ all the way from account() to the actual read() call.
+
+ Convert the accounting code to be the proper lockless counterpart of
+ what has been partially done by 902c098a3663.
+
+ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+ Cc: Theodore Ts'o <tytso@mit.edu>
+ Cc: Greg KH <greg@kroah.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/char/random.c | 26 +++++++++++++++++---------
+ 1 files changed, 17 insertions(+), 9 deletions(-)
+
+commit 65d05c7ea468c23c175105526dd4f163302a92cf
+Merge: 1a98d0a 6ce3a135
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 25 07:48:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/vm86_32.c
+
+commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
+Merge: 79bdd65 0bfd8ff
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 25 07:46:55 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 18:42:23 2013 -0400
+
+ use existing local variable
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b2b80ef8586061e32e986b31608717c25d1e7c54
+Merge: cb45fbd 79bdd65
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 17:58:53 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 79bdd65dac68267bc1b201c6b4a99966a373c305
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 17:57:46 2013 -0400
+
+ Update to pax-linux-3.9.3-test7.patch:
+ - fixed some size overflow related warnings (hash table, attributes)
+ - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html
+
+ arch/x86/include/asm/page_64.h | 2 +-
+ arch/x86/kernel/head64.c | 2 +-
+ tools/gcc/constify_plugin.c | 48 ++-
+ tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
+ 4 files changed, 651 insertions(+), 592 deletions(-)
+
+commit cb45fbda4967b1b544a754fbdc92d73283379522
+Merge: 62588fa 57c11b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 20 17:32:17 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 57c11b85acd841a088aa4df8e60be337880df8cd
+Merge: 0598b37 4bb0869
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 20 17:32:08 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
+Merge: e261c7b 0598b37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 17 22:57:36 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 17 22:57:07 2013 -0400
+
+ Update to pax-linux-3.9.2-test6.patch:
+ - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
+ - fixed pfn extraction from pud/pgd entries, reported by ousado
+
+ arch/x86/include/asm/pgtable.h | 9 +++++++--
+ tools/gcc/structleak_plugin.c | 3 ++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 22:54:12 2013 -0400
+
+ add offset to topdown check, fixes compilation
+
+ arch/x86/kernel/sys_x86_64.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:57:41 2013 -0400
+
+ CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
+ reported by lulzh3ad on irc
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0d4593e84707cdf6deb6b925c18c676a476b1613
+Merge: 43cd0c0 39a877f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:39:11 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:37:35 2013 -0400
+
+ Update to pax-linux-3.9.2-test105.patch:
+ - fixed !EFI boot problem, reported by spender
+ - fixed a few compile warnings
+ - fixed some more compile errors due to constification
+ - fixed some arm fallout, reported by Michael Tremer
+
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/x86/kernel/sys_x86_64.c | 3 +--
+ arch/x86/realmode/init.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +++++-----
+ drivers/irqchip/irq-gic.c | 2 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++---
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ fs/jfs/super.c | 4 ++--
+ include/linux/irqchip/arm-gic.h | 2 ++
+ include/sound/compress_driver.h | 2 +-
+ net/mac80211/cfg.c | 4 ++--
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ 14 files changed, 31 insertions(+), 22 deletions(-)
+
+commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:35:22 2013 -0400
+
+ Fix usercopy false positive under gcc 4.1
+
+ arch/x86/kernel/signal.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 56a166129d817f6634c8c230e6ec497669bdfaca
+Author: Amerigo Wang <amwang@redhat.com>
+Date: Thu May 9 21:56:37 2013 +0000
+
+ Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
+
+ ipv6,gre: do not leak info to user-space
+
+ There is a hole in struct ip6_tnl_parm2, so we have to
+ zero the struct on stack before copying it to user-space.
+
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_gre.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit d6f50dae2653ad912952da40417a8ccbd59c7699
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 14 16:52:35 2013 -0400
+
+ disable unprivileged kernel profiling under HIDESYM, rename
+ the variable to something more appropriate
+
+ include/linux/perf_event.h | 8 ++++----
+ kernel/events/core.c | 6 +++++-
+ kernel/sysctl.c | 4 ++--
+ 3 files changed, 11 insertions(+), 7 deletions(-)
+
+commit 01322c6951bed4eedefbd2178dbd99292b365d99
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 17:19:57 2013 -0400
+
+ mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
+ existing stack-heap gap code for the new unified vm_unmapped_area
+
+ grsecurity/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 15:40:32 2013 -0400
+
+ fix NX fault on early boot
+
+ arch/x86/realmode/init.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:48:13 2013 -0400
+
+ compile fix, we weren't using %pa anyway and it's now being used
+ by upstream for physical address printing
+
+ lib/vsprintf.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:39:52 2013 -0400
+
+ compile fix
+
+ grsecurity/grsec_chroot.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:35:36 2013 -0400
+
+ compile fixes
+
+ grsecurity/grsec_chroot.c | 2 +-
+ include/linux/grinternal.h | 8 ++++----
+ include/linux/grsecurity.h | 4 ++--
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:27:18 2013 -0400
+
+ compile fix
+
+ fs/exec.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:23:17 2013 -0400
+
+ Initial port of grsecurity for 3.9.2
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/thread_info.h | 8 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/powerpc/mm/slice.c | 8 +-
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 8 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/Kconfig.debug | 2 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 14 +-
+ arch/x86/kernel/sys_x86_64.c | 6 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 126 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/usb/storage/realtek_cr.c | 2 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 10 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 181 +-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 241 ++-
+ fs/namespace.c | 24 +
+ fs/open.c | 38 +
+ fs/pipe.c | 2 +-
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 +-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 17 +
+ fs/proc/internal.h | 3 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ grsecurity/Kconfig | 1031 +++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 +++
+ grsecurity/gracl_ip.c | 387 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 ++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 ++
+ grsecurity/grsec_disabled.c | 434 +++
+ grsecurity/grsec_exec.c | 187 +
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 ++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 ++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 222 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 +++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/gracl.h | 319 ++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 +
+ include/linux/grinternal.h | 215 +
+ include/linux/grmsg.h | 111 +
+ include/linux/grsecurity.h | 242 ++
+ include/linux/grsock.h | 19 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/printk.h | 3 +-
+ include/linux/proc_fs.h | 12 +
+ include/linux/sched.h | 68 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/net/secure_seq.h | 1 +
+ include/trace/events/fs.h | 53 +
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 71 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 4 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 8 +
+ kernel/printk.c | 13 +-
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 39 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 3 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ lib/vsprintf.c | 35 +-
+ localversion-grsec | 1 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 64 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/shmem.c | 2 +-
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/8021q/vlan.c | 7 +
+ net/core/dev_ioctl.c | 4 +
+ net/core/net-procfs.c | 5 +
+ net/core/secure_seq.c | 4 +-
+ net/core/sock_diag.c | 7 +
+ net/ipv4/af_inet.c | 5 +-
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 7 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netfilter/xt_gradm.c | 51 +
+ net/netrom/af_netrom.c | 2 +-
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/probe.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/tipc/link.c | 11 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 342 ++-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 291 files changed, 15221 insertions(+), 2052 deletions(-)
+
+commit 88854c350c899bceca4a94598c42bed44d0dc91b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 07:37:47 2013 -0400
+
+ Initial import of pax-linux-3.9.2-test2.patch
+
+ Documentation/dontdiff | 45 +-
+ Documentation/kernel-parameters.txt | 12 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 421 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 6 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 15 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 15 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-ux500/include/mach/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 91 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 36 +-
+ arch/arm/mm/mmu.c | 187 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 23 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/kernel/us3_cpufreq.c | 69 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 ++
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 6 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 21 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 6 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 ++-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 67 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page_64.h | 2 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 113 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 63 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 ++-
+ arch/x86/kernel/entry_64.S | 530 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 1 -
+ arch/x86/kernel/head_32.S | 237 +-
+ arch/x86/kernel/head_64.S | 120 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 57 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 4 +-
+ arch/x86/kernel/setup.c | 19 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 248 +
+ arch/x86/kernel/sys_x86_64.c | 19 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 57 +-
+ arch/x86/kvm/x86.c | 10 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 70 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 376 +-
+ arch/x86/lib/usercopy_64.c | 25 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 556 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 90 +-
+ arch/x86/mm/init_32.c | 119 +-
+ arch/x86/mm/init_64.c | 44 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 19 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 4 +-
+ arch/x86/realmode/init.c | 8 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/relocs.c | 95 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 2 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 9 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 41 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clocksource/arm_arch_timer.c | 2 +-
+ drivers/clocksource/metag_generic.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 4 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-cdev.c | 3 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efivars.c | 4 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 37 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 10 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/devices/doc2000.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/iio/iio_hwmon.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 11 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 605 +++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 8 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/ecryptfs/read_write.c | 2 +-
+ fs/exec.c | 362 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/super.c | 2 +-
+ fs/fhandle.c | 3 +-
+ fs/fifo.c | 22 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 2 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 6 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 2 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 8 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 33 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 36 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/compat.h | 6 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/ftrace_event.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 2 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 6 +-
+ include/linux/mm.h | 110 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 12 +-
+ include/linux/pipe_fs_i.h | 6 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/proc_fs.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 67 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 36 +-
+ include/linux/slab_def.h | 33 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 10 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 2 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-ioctl.h | 1 -
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 12 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 22 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 40 +-
+ init/main.c | 77 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 40 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 28 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 7 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 20 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 68 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 51 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 18 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 6 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 20 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 8 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ lib/Kconfig.debug | 6 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 16 +-
+ mm/mmap.c | 576 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 4 +-
+ mm/page_alloc.c | 41 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 105 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 11 +-
+ mm/slob.c | 201 +-
+ mm/slub.c | 99 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 82 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/devinet.c | 14 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 18 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 6 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 8 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 14 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 2 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 29 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.pl | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 675 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 171 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 518 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 ++
+ tools/gcc/latent_entropy_plugin.c | 327 ++
+ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2114 ++++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/gcc/structleak_plugin.c | 276 +
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1555 files changed, 30474 insertions(+), 7126 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
+Merge: 814820a 3a59a59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:51:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:50:07 2013 -0400
+
+ Update to pax-linux-3.8.13-test24.patch:
+ - fixed sparc/constification compile error, reported by blake
+ - UDEREF/amd64 should be a bit more efficient when disabled at boot time
+ - fixed some unnecessary integer truncations that could trip up the size overflow plugin
+
+ arch/arm/kernel/vmlinux.lds.S | 4 ++--
+ arch/sparc/kernel/us3_cpufreq.c | 4 ++--
+ arch/x86/ia32/ia32entry.S | 4 ++--
+ arch/x86/include/asm/pgtable.h | 6 ++++--
+ arch/x86/include/asm/uaccess.h | 6 +++---
+ arch/x86/kernel/kprobes-opt.c | 4 ++++
+ arch/x86/lib/copy_user_nocache_64.S | 2 +-
+ arch/x86/lib/getuser.S | 8 ++++----
+ arch/x86/lib/putuser.S | 8 ++++----
+ arch/x86/mm/fault.c | 6 +++---
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/staging/iio/ring_sw.c | 2 +-
+ fs/binfmt_elf.c | 6 +++---
+ fs/nfsd/nfscache.c | 2 +-
+ fs/xattr.c | 21 +++++++++++++++++++++
+ include/linux/syscalls.h | 2 +-
+ include/linux/xattr.h | 3 +++
+ init/main.c | 3 +++
+ kernel/futex_compat.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ net/socket.c | 2 +-
+ security/Kconfig | 2 +-
+ 22 files changed, 67 insertions(+), 34 deletions(-)
+
+commit 814820abfe5b9a34401d838b2510431a4cd92be9
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon May 6 09:31:17 2013 +0000
+
+ Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
+
+ tipc: potential divide by zero in tipc_link_recv_fragment()
+
+ The worry here is that fragm_sz could be zero since it comes from
+ skb->data.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/tipc/link.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon May 6 08:28:41 2013 +0000
+
+ Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
+
+ tipc: add a bounds check in link_recv_changeover_msg()
+
+ The bearer_id here comes from skb->data and it can be a number from 0 to
+ 7. The problem is that the ->links[] array has only 2 elements so I
+ have added a range check.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/tipc/link.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit ed0428c4ef6c5498870772f212ac651216eb8d0c
+Merge: 2452d8d dbf932a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:18:25 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c
+ arch/x86/mm/init.c
+
+commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 20:24:01 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl.c | 1 +
+ grsecurity/gracl_segv.c | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 18:25:26 2013 -0400
+
+ fix btrfs support here as well
+
+ grsecurity/gracl_segv.c | 17 +++++++++--------
+ 1 files changed, 9 insertions(+), 8 deletions(-)
+
+commit c75e4664fe4d20da1639f70d9def097c4f20856b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 18:12:57 2013 -0400
+
+ Fix RBAC compatibility with btrfs compiled as a module, as
+ reported on the forums by YuHg at:
+ http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952
+
+ fs/btrfs/inode.c | 11 +----------
+ grsecurity/gracl.c | 19 ++++++++++---------
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_disabled.c | 2 +-
+ 4 files changed, 13 insertions(+), 21 deletions(-)
+
+commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 11 12:12:00 2013 -0400
+
+ allow copies just up to the start of kernel code
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 04638852588cf243f865f5a73aa9dab94fab53b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 10 16:53:07 2013 -0400
+
+ MODULES_EXEC_VADDR is a virtual address
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 10 16:51:03 2013 -0400
+
+ exempt module rx areas from usercopy protection under i386 kernexec
+ their .rodata will be placed between stext/etext causing copies of
+ constant strings to trigger usercopy reports/terminations
+
+ fs/exec.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 20:25:52 2013 -0400
+
+ User jorgus on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
+ discovered that the upstreamed version of enforcing RLIMIT_NPROC
+ at setuid/exec time missed an important corner case:
+ If RLIMIT_NPROC is set after a setuid occurs and the user's process
+ limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
+ happen at exec time for the task with a modified RLIMIT_NPROC.
+
+ This patch fixes that.
+
+ kernel/sys.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
+Merge: 539fff0 2452d8d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 18:13:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
+Merge: 6c850d8 9c9ab76
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 18:13:31 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/irq.c
+ kernel/trace/trace_stack.c
+
+commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 7 21:43:00 2013 -0400
+
+ turn counter into a flag
+
+ grsecurity/Kconfig | 2 +-
+ grsecurity/grsec_chroot.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 7 21:02:39 2013 -0400
+
+ add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
+ useful for Fedora/RHEL users
+
+ grsecurity/Kconfig | 10 ++++++++++
+ grsecurity/grsec_chroot.c | 17 +++++++++++++++--
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+commit 418102925c0cfb0de51b0a021abaa575e28fafa6
+Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri May 3 14:11:25 2013 +0200
+
+ Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
+
+ perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
+
+ We should always have proper privileges when requesting kernel
+ data.
+
+ Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Cc: <stable@kernel.org>
+ Cc: Andi Kleen <ak@linux.intel.com>
+ Cc: eranian@google.com
+ Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
+ [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+ Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
+
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
+ 1 files changed, 10 insertions(+), 3 deletions(-)
+
+commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon Apr 29 05:58:52 2013 +0000
+
+ Upstream commit: aebda156a570782a86fc4426842152237a19427d
+
+ net: defer net_secret[] initialization
+
+ Instead of feeding net_secret[] at boot time, defer the init
+ at the point first socket is created.
+
+ This permits some platforms to use better entropy sources than
+ the ones available at boot time.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/secure_seq.h | 1 +
+ net/core/secure_seq.c | 4 +---
+ net/ipv4/af_inet.c | 5 ++++-
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed May 1 02:59:23 2013 +0000
+
+ Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
+
+ net: sctp: attribute printl with __printf for gcc fmt checks
+
+ Let GCC check for format string errors in sctp's probe printl
+ function. This patch fixes the warning when compiled with W=1:
+
+ net/sctp/probe.c:73:2: warning: function might be possible candidate
+ for 'gnu_printf' format attribute [-Wmissing-format-attribute]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/probe.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 2 19:58:54 2013 -0400
+
+ remove no-longer-needed vmware 8 compat fix
+
+ mm/page_alloc.c | 6 ------
+ 1 files changed, 0 insertions(+), 6 deletions(-)
+
+commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 2 19:55:23 2013 -0400
+
+ remove unnecessary < 0 check
+
+ net/phonet/af_phonet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:30:48 2013 -0400
+
+ remove references to CONFIG_X86_WP_WORKS_OK
+
+ arch/um/defconfig | 1 -
+ security/Kconfig | 2 +-
+ 2 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
+Merge: a8dbe8e 6c850d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:28:44 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/mm/ultra.S
+ drivers/tty/tty_io.c
+
+commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
+Merge: cdbcbef 9fa1d01
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:25:18 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:44:23 2013 -0400
+
+ add module.h to silence compiler warning, thanks to
+ Sergei Trofimovich
+
+ fs/btrfs/inode.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 55eba82aca97aa56378e000840c48965557721e8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:43:03 2013 -0400
+
+ compilation fix
+
+ kernel/trace/trace.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e3bf912b54af6df7fbebc68b5999554562056c5c
+Merge: 5b72e37 cdbcbef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:34:42 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit cdbcbef45c4f003cbee11e10668a35d424c17c60
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:33:35 2013 -0400
+
+ Update to pax-linux-3.8.10-test21.patch:
+ - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
+ - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
+ note that the false positive is not fixed yet
+ - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
+ - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
+ - reverted the nested NMI fix in search for a real one
+ - simplified the arm_delay_ops constification
+
+ arch/arm/include/asm/delay.h | 8 ++++----
+ arch/arm/lib/delay.c | 17 +++++------------
+ arch/x86/kernel/entry_64.S | 11 ++++++++++-
+ arch/x86/kernel/i8259.c | 2 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kvm/vmx.c | 4 ++--
+ drivers/block/pktcdvd.c | 2 +-
+ fs/btrfs/extent-tree.c | 2 +-
+ fs/nfsd/nfscache.c | 6 ++++--
+ kernel/trace/trace.c | 2 +-
+ tools/gcc/structleak_plugin.c | 4 ++++
+ 11 files changed, 34 insertions(+), 26 deletions(-)
+
+commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 20:53:06 2013 -0400
+
+ don't use file_inode()
+
+ drivers/tty/tty_io.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
+Author: Jiri Slaby <jslaby@suse.cz>
+Date: Fri Apr 26 13:48:53 2013 +0200
+
+ Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
+
+ TTY: fix atime/mtime regression
+
+ In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
+ we removed timestamps from tty inodes to fix a security issue and waited
+ if something breaks. Well, 'w', the utility to find out logged users
+ and their inactivity time broke. It shows that users are inactive since
+ the time they logged in.
+
+ To revert to the old behaviour while still preventing attackers to
+ guess the password length, we update the timestamps in one-minute
+ intervals by this patch.
+
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ drivers/tty/tty_io.c
+
+ drivers/tty/tty_io.c | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
+Author: Jiri Slaby <jslaby@suse.cz>
+Date: Fri Feb 15 15:25:05 2013 +0100
+
+ Upstream commit: b0de59b5733d
+
+ TTY: do not update atime/mtime on read/write
+
+ On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
+ out length of a password using timestamps of /dev/ptmx. It is
+ documented in "Timing Analysis of Keystrokes and Timing Attacks on
+ SSH". To avoid that problem, do not update time when reading
+ from/writing to a TTY.
+
+ I am afraid of regressions as this is a behavior we have since 0.97
+ and apps may expect the time to be current, e.g. for monitoring
+ whether there was a change on the TTY. Now, there is no change. So
+ this would better have a lot of testing before it goes upstream.
+
+ References: CVE-2013-0160
+
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+ Cc: stable <stable@vger.kernel.org> # after 3.9 is out
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/tty_io.c | 8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
+
+commit 5344a24e2320d61dbdb88aae04922f0799deefd0
+Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
+Date: Fri Apr 26 11:03:53 2013 +0800
+
+ Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
+
+ aio: fix possible invalid memory access when DEBUG is enabled
+
+ dprintk() shouldn't access @ring after it's unmapped.
+
+ Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/aio.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
+Author: John David Anglin <dave.anglin@bell.net>
+Date: Tue Apr 23 22:42:07 2013 +0200
+
+ Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
+
+ parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
+
+ User applications running on SMP kernels have long suffered from instability
+ and random segmentation faults. This patch improves the situation although
+ there is more work to be done.
+
+ One of the problems is the various routines in pgtable.h that update page table
+ entries use different locking mechanisms, or no lock at all (set_pte_at). This
+ change modifies the routines to all use the same lock pa_dbit_lock. This lock
+ is used for dirty bit updates in the interruption code. The patch also purges
+ the TLB entries associated with the PTE to ensure that inconsistent values are
+ not used after the page table entry is updated. The UP and SMP code are now
+ identical.
+
+ The change also includes a minor update to the purge_tlb_entries function in
+ cache.c to improve its efficiency.
+
+ Signed-off-by: John David Anglin <dave.anglin@bell.net>
+ Cc: Helge Deller <deller@gmx.de>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
+ arch/parisc/kernel/cache.c | 5 +---
+ 2 files changed, 26 insertions(+), 26 deletions(-)
+
+commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
+Merge: ba54c97 4d05084
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 18:17:20 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kvm/x86.c
+ include/linux/capability.h
+
+commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
+Merge: c664779 bb8dd67
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 18:15:45 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
+Author: David S. Miller <davem@davemloft.net>
+Date: Wed Apr 24 16:52:18 2013 -0700
+
+ Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
+
+ sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
+
+ Reported-by: Meelis Roos <mroos@linux.ee>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/mm/tlb.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
+Author: David S. Miller <davem@davemloft.net>
+Date: Fri Apr 19 17:26:26 2013 -0400
+
+ Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
+
+ sparc64: Fix race in TLB batch processing.
+
+ As reported by Dave Kleikamp, when we emit cross calls to do batched
+ TLB flush processing we have a race because we do not synchronize on
+ the sibling cpus completing the cross call.
+
+ So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
+ and either flushes are missed or flushes will flush the wrong
+ addresses.
+
+ Fix this by using generic infrastructure to synchonize on the
+ completion of the cross call.
+
+ This first required getting the flush_tlb_pending() call out from
+ switch_to() which operates with locks held and interrupts disabled.
+ The problem is that smp_call_function_many() cannot be invoked with
+ IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
+
+ We get the batch processing outside of locked IRQ disabled sections by
+ using some ideas from the powerpc port. Namely, we only batch inside
+ of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a
+ region, we flush TLBs synchronously.
+
+ 1) Get rid of xcall_flush_tlb_pending and per-cpu type
+ implementations.
+
+ 2) Do TLB batch cross calls instead via:
+
+ smp_call_function_many()
+ tlb_pending_func()
+ __flush_tlb_pending()
+
+ 3) Batch only in lazy mmu sequences:
+
+ a) Add 'active' member to struct tlb_batch
+ b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
+ c) Set 'active' in arch_enter_lazy_mmu_mode()
+ d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
+ e) Check 'active' in tlb_batch_add_one() and do a synchronous
+ flush if it's clear.
+
+ 4) Add infrastructure for synchronous TLB page flushes.
+
+ a) Implement __flush_tlb_page and per-cpu variants, patch
+ as needed.
+ b) Likewise for xcall_flush_tlb_page.
+ c) Implement smp_flush_tlb_page() to invoke the cross-call.
+ d) Wire up global_flush_tlb_page() to the right routine based
+ upon CONFIG_SMP
+
+ 5) It turns out that singleton batches are very common, 2 out of every
+ 3 batch flushes have only a single entry in them.
+
+ The batch flush waiting is very expensive, both because of the poll
+ on sibling cpu completeion, as well as because passing the tlb batch
+ pointer to the sibling cpus invokes a shared memory dereference.
+
+ Therefore, in flush_tlb_pending(), if there is only one entry in
+ the batch perform a completely asynchronous global_flush_tlb_page()
+ instead.
+
+ Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+ arch/sparc/include/asm/pgtable_64.h | 1 +
+ arch/sparc/include/asm/switch_to_64.h | 3 +-
+ arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++--
+ arch/sparc/kernel/smp_64.c | 41 ++++++++++-
+ arch/sparc/mm/tlb.c | 38 +++++++++-
+ arch/sparc/mm/tsb.c | 57 ++++++++++++----
+ arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++-------
+ 7 files changed, 241 insertions(+), 55 deletions(-)
+
+commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri Apr 19 15:32:32 2013 +0000
+
+ Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
+
+ net: fix incorrect credentials passing
+
+ Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+ sender") changed the credentials passing code to pass in the effective
+ uid/gid instead of the real uid/gid.
+
+ Obviously this doesn't matter most of the time (since normally they are
+ the same), but it results in differences for suid binaries when the wrong
+ uid/gid ends up being used.
+
+ This just undoes that (presumably unintentional) part of the commit.
+
+ Reported-by: Andy Lutomirski <luto@amacapital.net>
+ Cc: Eric W. Biederman <ebiederm@xmission.com>
+ Cc: Serge E. Hallyn <serge@hallyn.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/scm.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 18 19:22:40 2013 -0400
+
+ move _etext to only cover kernel code, not read-only data, as reported by Gu1
+
+ arch/arm/kernel/vmlinux.lds.S | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 98ad6adbc48759e4f9eae435d3e51ba487155685
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 18 19:17:24 2013 -0400
+
+ add asm/sections.h for USERCOPY change
+
+ fs/exec.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
+Author: Dmitry Popov <dp@highloadlab.com>
+Date: Thu Apr 11 08:55:07 2013 +0000
+
+ Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
+
+ tcp: incoming connections might use wrong route under synflood
+
+ There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
+ flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+ RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+ inet_sk_flowi_flags(sk),
+ (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+ ireq->loc_addr, th->source, th->dest);
+
+ Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
+ taken. This dst_entry is used by new socket (get_cookie_sock ->
+ tcp_v4_syn_recv_sock), so its packets may take the wrong path.
+
+ Signed-off-by: Dmitry Popov <dp@highloadlab.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/syncookies.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 3600395e8fef3ae712e72f9b68c3609639616df8
+Author: Thomas Graf <tgraf@suug.ch>
+Date: Thu Apr 11 10:57:18 2013 +0000
+
+ Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
+
+ tcp: Reallocate headroom if it would overflow csum_start
+
+ If a TCP retransmission gets partially ACKed and collapsed multiple
+ times it is possible for the headroom to grow beyond 64K which will
+ overflow the 16bit skb->csum_start which is based on the start of
+ the headroom. It has been observed rarely in the wild with IPoIB due
+ to the 64K MTU.
+
+ Verify if the acking and collapsing resulted in a headroom exceeding
+ what csum_start can cover and reallocate the headroom if so.
+
+ A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
+ LLNL for helping out with the investigation and testing.
+
+ Reported-by: Jim Foraker <foraker1@llnl.gov>
+ Signed-off-by: Thomas Graf <tgraf@suug.ch>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp_output.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
+Author: Ivan Vecera <ivecera@redhat.com>
+Date: Fri Apr 12 16:49:24 2013 +0200
+
+ Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
+
+ be2net: take care of __vlan_put_tag return value
+
+ The driver should use return value of __vlan_put_tag with appropriate
+ NULL-check instead of old skb pointer.
+
+ Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/emulex/benet/be_main.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri Apr 12 03:17:12 2013 +0000
+
+ Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
+
+ tuntap: fix error return code in tun_set_iff()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ [ Bug added in linux-3.8 , commit 4008e97f866db665
+ ("tuntap: fix ambigious multiqueue API") ]
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Sat Apr 13 15:49:03 2013 +0000
+
+ Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
+
+ esp4: fix error return code in esp_output()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/esp4.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 2b45b5f52c2a8930f80c62de392a62516c83e225
+Author: Bjørn Mork <bjorn@mork.no>
+Date: Tue Apr 16 00:17:07 2013 +0000
+
+ Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
+
+ net: cdc_mbim: remove bogus sizeof()
+
+ The intention was to test against the constant, not the size of
+ the constant.
+
+ Signed-off-by: Bjørn Mork <bjorn@mork.no>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/usb/cdc_mbim.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 17d7408795519037a5a1272c7888238e20830bfe
+Author: Vyacheslav Dubeyko <slava@dubeyko.com>
+Date: Wed Apr 17 15:58:33 2013 -0700
+
+ Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
+
+ hfsplus: fix potential overflow in hfsplus_file_truncate()
+
+ Change a u32 to loff_t hfsplus_file_truncate().
+
+ Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/hfsplus/extents.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
+Author: Emese Revfy <re.emese@gmail.com>
+Date: Wed Apr 17 15:58:36 2013 -0700
+
+ Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
+
+ kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
+
+ This fixes a kernel memory contents leak via the tkill and tgkill syscalls
+ for compat processes.
+
+ This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
+ when handling signals delivered from tkill.
+
+ The place of the infoleak:
+
+ int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
+ {
+ ...
+ put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
+ ...
+ }
+
+ Signed-off-by: Emese Revfy <re.emese@gmail.com>
+ Reviewed-by: PaX Team <pageexec@freemail.hu>
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Oleg Nesterov <oleg@redhat.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: Serge Hallyn <serge.hallyn@canonical.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/signal.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 20:17:00 2013 -0400
+
+ Improve PAX_USERCOPY to reject direct copies to/from main kernel text
+
+ fs/exec.c | 29 +++++++++++++++++++++++++++--
+ 1 files changed, 27 insertions(+), 2 deletions(-)
+
+commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
+Merge: e87c19f c664779
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 20:06:08 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c664779987cb0c27a242029f0e0db812e3236203
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 19:54:09 2013 -0400
+
+ add intentional_overflow marking for resource_size() as reasoned by:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
+
+ include/linux/ioport.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e87c19f8312355b8658e5138c16bfa6043a379c8
+Merge: 802d119 d0c636c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 16:57:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
+Merge: bc88628 2396403
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 16:57:01 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/paravirt.c
+
+commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:39:51 2013 -0400
+
+ move location of RBAC user check on setfsuid until after capability checks
+ for consistency with other checks
+
+ kernel/sys.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 1a860d7d67051559ab2e6d10f9888649c92904e6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:34:46 2013 -0400
+
+ A denied setfsuid by the RBAC system would result in an abort_creds() being called
+ with an uninitalized pointer, introduced by a bad forward-port
+
+ kernel/sys.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
+Merge: c38d142 bc88628
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:28:33 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit bc88628a6a8fcccaabb90908640809b0540df225
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:26:41 2013 -0400
+
+ Update to pax-linux-3.8.7-test20.patch:
+ - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
+ - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
+ - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
+ - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)
+
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/x86/Kconfig | 4 ++--
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ security/Kconfig | 2 +-
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+commit c38d142744489fc4d9be80188b6435a278438fd9
+Author: Suleiman Souhlal <suleiman@google.com>
+Date: Sat Apr 13 16:03:06 2013 -0700
+
+ Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
+
+ vfs: Revert spurious fix to spinning prevention in prune_icache_sb
+
+ Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
+
+ This commit doesn't look right: since we are looking at the tail of the
+ list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
+ it back at the head of the list instead of the tail, otherwise we will
+ keep spinning on it.
+
+ Discovered when investigating why prune_icache_sb came top in perf
+ reports of a swapping load.
+
+ Signed-off-by: Suleiman Souhlal <suleiman@google.com>
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: stable@vger.kernel.org # v3.2+
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/inode.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 93019624b80ba59798393942798d7f6ed0c1dbc6
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat Apr 13 15:15:30 2013 -0700
+
+ Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
+
+ kobject: fix kset_find_obj() race with concurrent last kobject_put()
+
+ Anatol Pomozov identified a race condition that hits module unloading
+ and re-loading. To quote Anatol:
+
+ "This is a race codition that exists between kset_find_obj() and
+ kobject_put(). kset_find_obj() might return kobject that has refcount
+ equal to 0 if this kobject is freeing by kobject_put() in other
+ thread.
+
+ Here is timeline for the crash in case if kset_find_obj() searches for
+ an object tht nobody holds and other thread is doing kobject_put() on
+ the same kobject:
+
+ THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put())
+ splin_lock()
+ atomic_dec_return(kobj->kref), counter gets zero here
+ ... starts kobject cleanup ....
+ spin_lock() // WAIT thread A in kobj_kset_leave()
+ iterate over kset->list
+ atomic_inc(kobj->kref) (counter becomes 1)
+ spin_unlock()
+ spin_lock() // taken
+ // it does not know that thread A increased counter so it
+ remove obj from list
+ spin_unlock()
+ vfree(module) // frees module object with containing kobj
+
+ // kobj points to freed memory area!!
+ kobject_put(kobj) // OOPS!!!!
+
+ The race above happens because module.c tries to use kset_find_obj()
+ when somebody unloads module. The module.c code was introduced in
+ commit 6494a93d55fa"
+
+ Anatol supplied a patch specific for module.c that worked around the
+ problem by simply not using kset_find_obj() at all, but rather than make
+ a local band-aid, this just fixes kset_find_obj() to be thread-safe
+ using the proper model of refusing the get a new reference if the
+ refcount has already dropped to zero.
+
+ See examples of this proper refcount handling not only in the kref
+ documentation, but in various other equivalent uses of this pattern by
+ grepping for atomic_inc_not_zero().
+
+ [ Side note: the module race does indicate that module loading and
+ unloading is not properly serialized wrt sysfs information using the
+ module mutex. That may require further thought, but this is the
+ correct fix at the kobject layer regardless. ]
+
+ Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/kobject.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+commit 5277b052b5fab36729e1255fb3b12f47a4b12867
+Author: Dave Hansen <dave@sr71.net>
+Date: Fri Apr 12 16:23:54 2013 -0700
+
+ Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
+
+ x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
+
+ This patch attempts to fix:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=56461
+
+ The symptom is a crash and messages like this:
+
+ chrome: Corrupted page table at address 34a03000
+ *pdpt = 0000000000000000 *pde = 0000000000000000
+ Bad pagetable: 000f [#1] PREEMPT SMP
+
+ Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
+ enable tlb flush range support for x86") since that code started to free
+ unused pagetables.
+
+ On x86-32 PAE kernels, that new code has the potential to free an entire
+ PMD page and will clear one of the four page-directory-pointer-table
+ (aka pgd_t entries).
+
+ The hardware aggressively "caches" these top-level entries and invlpg
+ does not actually affect the CPU's copy. If we clear one we *HAVE* to
+ do a full TLB flush, otherwise we might continue using a freed pmd page.
+ (note, we do this properly on the population side in pud_populate()).
+
+ This patch tracks whenever we clear one of these entries in the 'struct
+ mmu_gather', and ensures that we follow up with a full tlb flush.
+
+ BTW, I disassembled and checked that:
+
+ if (tlb->fullmm == 0)
+ and
+ if (!tlb->fullmm && !tlb->need_flush_all)
+
+ generate essentially the same code, so there should be zero impact there
+ to the !PAE case.
+
+ Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: Peter Anvin <hpa@zytor.com>
+ Cc: Ingo Molnar <mingo@kernel.org>
+ Cc: Artem S Tashkinov <t.artem@mailcity.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/x86/include/asm/tlb.h | 2 +-
+ arch/x86/mm/pgtable.c | 7 +++++++
+ include/asm-generic/tlb.h | 7 ++++++-
+ mm/memory.c | 1 +
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+commit 521e573fc77d1783c1d4636dfbb4617a922f043d
+Merge: 032f626 f807619
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 19:29:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f80761993b85df96fc142dfc3a317cadc0f8eae5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 19:28:21 2013 -0400
+
+ Update to pax-linux-3.8.7-test19.patch:
+ - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
+ - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
+ - fixed the structleak plugin to compile for gcc 4.5-4.6 as well
+
+ Makefile | 2 +-
+ arch/x86/xen/enlighten.c | 6 +++---
+ tools/gcc/structleak_plugin.c | 5 +++--
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
+Merge: a3a770e 89886f5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 18:38:40 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89886f561cc0d1c42a99624ec8c3704711088155
+Merge: 9123489 531ec28
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 18:38:30 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit a3a770e18578841e4fbe2aa0831a22811b4812cf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 11 20:46:20 2013 -0400
+
+ Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
+ Will be fixed with the next PaX patch
+
+ This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
+Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Fri Mar 29 10:20:56 2013 -0400
+
+ Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
+
+ xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
+
+ Occassionaly on a DL380 G4 the guest would crash quite early with this:
+
+ (XEN) d244:v0: unhandled page fault (ec=0003)
+ (XEN) Pagetable walk from ffffffff84dc7000:
+ (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789
+ (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d
+ (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def
+ (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7
+ (XEN) domain_crash_sync called from entry.S
+ (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
+ (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]----
+ (XEN) CPU: 3
+ (XEN) RIP: e033:[<ffffffff81263f22>]
+ (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest
+ (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f
+ (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000
+
+ The offending code shows it to be a loop writting the value zero
+ (%rax) in the %rdi (the L4 provided by Xen) register:
+
+ 0: 44 00 00 add %r8b,(%rax)
+ 3: 31 c0 xor %eax,%eax
+ 5: b9 40 00 00 00 mov $0x40,%ecx
+ a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
+ 11: 00 00
+ 13: ff c9 dec %ecx
+ 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction
+ 18: 48 89 47 08 mov %rax,0x8(%rdi)
+ 1c: 48 89 47 10 mov %rax,0x10(%rdi)
+
+ which fails. xen_setup_kernel_pagetable recycles some of the Xen's
+ page-table entries when it has switched over to its Linux page-tables.
+
+ Right before try to clear the page, we make a hypercall to change
+ it from _RO to _RW and that works (otherwise we would hit an BUG()).
+ And the _RW flag is set for that page:
+ (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7
+
+ The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
+ present (correct), and we tried to write to the page, but a violation
+ occurred. The one theory is that the the page entries in hardware
+ (which are cached) are not up to date with what we just set. Especially
+ as we have just done an CR3 write and flushed the multicalls.
+
+ This patch does solve the problem by flusing out the TLB page
+ entry after changing it from _RO to _RW and we don't hit this
+ issue anymore.
+
+ Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
+ 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
+ Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
+ Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+ arch/x86/xen/mmu.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
+Author: Namhyung Kim <namhyung.kim@lge.com>
+Date: Mon Apr 1 21:46:23 2013 +0900
+
+ Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
+
+ tracing: Fix double free when function profile init failed
+
+ On the failure path, stat->start and stat->pages will refer same page.
+ So it'll attempt to free the same page again and get kernel panic.
+
+ Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
+
+ Cc: Frederic Weisbecker <fweisbec@gmail.com>
+ Cc: Namhyung Kim <namhyung.kim@lge.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ kernel/trace/ftrace.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
+Author: Neil Horman <nhorman@tuxdriver.com>
+Date: Tue Apr 9 23:19:00 2013 +0000
+
+ Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
+
+ e100: Add dma mapping error check
+
+ e100 uses pci_map_single, but fails to check for a dma mapping error after its
+ use, resulting in a stack trace:
+
+ [ 46.656594] ------------[ cut here ]------------
+ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
+ [ 46.657004] Hardware name: To Be Filled By O.E.M.
+ [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
+ error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
+ [ 46.657004] Modules linked in:
+ [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
+ snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
+ e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
+ k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
+ sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
+ drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
+ sata_promise crc_itu_t
+ [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
+ [ 46.657004] Call Trace:
+ [ 46.657004] <IRQ> [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
+ [ 46.657004] [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
+ [ 46.657004] [<ffffffff81364cfb>] check_unmap+0x47b/0x950
+ [ 46.657004] [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
+ [ 46.657004] [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
+ [ 46.657004] [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
+ [ 46.657004] [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
+ [ 46.657004] [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
+ [ 46.657004] [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
+ [ 46.657004] [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
+ [ 46.657004] [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
+ [ 46.657004] [<ffffffff8101c485>] do_softirq+0x85/0xc0
+ [ 46.657004] [<ffffffff81070885>] irq_exit+0xd5/0xe0
+ [ 46.657004] [<ffffffff816e5756>] do_IRQ+0x56/0xc0
+ [ 46.657004] [<ffffffff816dacb2>] common_interrupt+0x72/0x72
+ [ 46.657004] <EOI> [<ffffffff816da1eb>] ?
+ _raw_spin_unlock_irqrestore+0x3b/0x70
+ [ 46.657004] [<ffffffff816d124d>] __slab_free+0x58/0x38b
+ [ 46.657004] [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
+ [ 46.657004] [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
+ [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
+ [ 46.657004] [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff811e8c28>] destroy_inode+0x38/0x60
+ [ 46.657004] [<ffffffff811e8d5e>] evict+0x10e/0x1a0
+ [ 46.657004] [<ffffffff811e9605>] iput+0xf5/0x180
+ [ 46.657004] [<ffffffff811e4338>] dput+0x248/0x310
+ [ 46.657004] [<ffffffff811ce0e1>] __fput+0x171/0x240
+ [ 46.657004] [<ffffffff811ce26e>] ____fput+0xe/0x10
+ [ 46.657004] [<ffffffff8108d54c>] task_work_run+0xac/0xe0
+ [ 46.657004] [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
+ [ 46.657004] [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
+ [ 46.657004] [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
+ [ 46.657004] [<ffffffff8106d139>] do_group_exit+0x49/0xc0
+ [ 46.657004] [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
+ [ 46.657004] [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
+ [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]---
+ [ 46.657004] Mapped at:
+ [ 46.657004] [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
+ [ 46.657004] [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
+ [ 46.657004] [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
+ [ 46.657004] [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
+ [ 46.657004] [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
+
+ Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
+ dma_mapping_error check in the obvious place
+
+ This was reported previously here:
+ http://article.gmane.org/gmane.linux.network/257893
+
+ But nobody stepped up and fixed it.
+
+ CC: Josh Boyer <jwboyer@redhat.com>
+ CC: e1000-devel@lists.sourceforge.net
+ Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+ Reported-by: Michal Jaegermann <michal@harddata.com>
+ Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+ Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++-----------
+ 1 files changed, 25 insertions(+), 11 deletions(-)
+
+commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed Apr 10 12:44:18 2013 -0400
+
+ Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
+
+ NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
+
+ Make sure that we set the status to 0 on success. Missed in testing
+ because it never appears when doing multiple mounts to _different_
+ servers.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
+
+ fs/nfs/nfs4client.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
+Author: Yuval Mintz <yuvalmin@broadcom.com>
+Date: Wed Apr 10 13:34:39 2013 +0300
+
+ Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
+
+ bnx2x: Prevent null pointer dereference in AFEX mode
+
+ The cnic module is responsible for initializing various bnx2x structs
+ via callbacks provided by the bnx2x module.
+ One such struct is the queue object for the FCoE queue.
+
+ If a device is working in AFEX mode and its configuration allows FCoE yet
+ the cnic module is not loaded, it's very likely a null pointer dereference
+ will occur, as the bnx2x will erroneously access the FCoE's queue object.
+
+ Prevent said access until cnic properly registers itself.
+
+ Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
+ Signed-off-by: Ariel Elior <ariele@broadcom.com>
+ Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 2908830232725db624aaa052f7ad38d1f98bf541
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Apr 9 14:16:04 2013 +0800
+
+ Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
+
+ can: gw: use kmem_cache_free() instead of kfree()
+
+ Memory allocated by kmem_cache_alloc() should be freed using
+ kmem_cache_free(), not kfree().
+
+ Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+
+ net/can/gw.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
+Author: Christoph Paasch <christoph.paasch@uclouvain.be>
+Date: Sun Apr 7 04:53:15 2013 +0000
+
+ Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
+
+ ipv6/tcp: Stop processing ICMPv6 redirect messages
+
+ Tetja Rediske found that if the host receives an ICMPv6 redirect message
+ after sending a SYN+ACK, the connection will be reset.
+
+ He bisected it down to 093d04d (ipv6: Change skb->data before using
+ icmpv6_notify() to propagate redirect), but the origin of the bug comes
+ from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
+ handlers.). The bug simply did not trigger prior to 093d04d, because
+ skb->data did not point to the inner IP header and thus icmpv6_notify
+ did not call the correct err_handler.
+
+ This patch adds the missing "goto out;" in tcp_v6_err. After receiving
+ an ICMPv6 Redirect, we should not continue processing the ICMP in
+ tcp_v6_err, as this may trigger the removal of request-socks or setting
+ sk_err(_soft).
+
+ Reported-by: Tetja Rediske <tetja@tetja.de>
+ Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/tcp_ipv6.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c7d5c2524456ef3ea9194840e7a9a75069a46824
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 20:32:54 2013 -0400
+
+ - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit acac2380fd97acee4367d2aa24c74322dcf1d22b
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Apr 5 16:11:11 2013 -0400
+
+ Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
+
+ NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
+
+ It is unsafe to use list_for_each_entry_safe() here, because
+ when we drop the nn->nfs_client_lock, we pin the _current_ list
+ entry and ensure that it stays in the list, but we don't do the
+ same for the _next_ list entry. Use of list_for_each_entry() is
+ therefore the correct thing to do.
+
+ Also fix the refcounting in nfs41_walk_client_list().
+
+ Finally, ensure that the nfs_client has finished being initialised
+ and, in the case of NFSv4.1, that the session is set up.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: Chuck Lever <chuck.lever@oracle.com>
+ Cc: Bryan Schumaker <bjschuma@netapp.com>
+ Cc: stable@vger.kernel.org [>= 3.7]
+
+ fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++----------------
+ 1 files changed, 28 insertions(+), 16 deletions(-)
+
+commit a6cf5f387b882ac0ce655b75f623f86c075517be
+Author: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri Mar 22 12:52:59 2013 -0400
+
+ Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
+
+ SUNRPC: Remove extra xprt_put()
+
+ While testing error cases where rpc_new_client() fails, I saw
+ some oopses.
+
+ If rpc_new_client() fails, it already invokes xprt_put(). Thus
+ __rpc_clone_client() does not need to invoke it again.
+
+ Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
+ Fri Sep 14, 2012.
+
+ Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+ Cc: stable@vger.kernel.org [>=3.7]
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Apr 5 14:13:21 2013 -0400
+
+ Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
+
+ SUNRPC: Fix a potential memory leak in rpc_new_client
+
+ If the call to rpciod_up() fails, we currently leak a reference to the
+ struct rpc_xprt.
+ As part of the fix, we also remove the redundant check for xprt!=NULL.
+ This is already taken care of by the callers.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 7 ++-----
+ 1 files changed, 2 insertions(+), 5 deletions(-)
+
+commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 19:16:05 2013 -0400
+
+ From https://lkml.org/lkml/2013/4/8/469:
+ [PATCH] rtnetlink: call nlmsg_parse() with correct header length
+
+ net/core/rtnetlink.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 9529169b8c405874fd543b785f53c74fa0501c2a
+Author: Christopher Harvey <charvey@matrox.com>
+Date: Fri Apr 5 10:51:15 2013 -0400
+
+ Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
+
+ drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
+
+ This change properly enables the "requester" in G200ER cards that is
+ responsible for getting pixels out of memory and clocking them out to
+ the screen.
+
+ Signed-off-by: Christopher Harvey <charvey@matrox.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++----------
+ 1 files changed, 3 insertions(+), 10 deletions(-)
+
+commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu Mar 28 13:30:23 2013 -0400
+
+ Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
+
+ ecryptfs: close rmmod race
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ecryptfs/miscdev.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 19:03:45 2013 -0400
+
+ Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1
+
+ arch/ia64/kernel/palinfo.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 83280e384ae3ceadad30369ced111dc7d4b46085
+Author: Andrey Vagin <avagin@openvz.org>
+Date: Tue Apr 9 17:33:29 2013 +0400
+
+ Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
+
+ mnt: release locks on error path in do_loopback
+
+ do_loopback calls lock_mount(path) and forget to unlock_mount
+ if clone_mnt or copy_mnt fails.
+
+ [ 77.661566] ================================================
+ [ 77.662939] [ BUG: lock held when returning to user space! ]
+ [ 77.664104] 3.9.0-rc5+ #17 Not tainted
+ [ 77.664982] ------------------------------------------------
+ [ 77.666488] mount/514 is leaving the kernel with locks still held!
+ [ 77.668027] 2 locks held by mount/514:
+ [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
+ [ 77.671755] #1: (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
+
+ Signed-off-by: Andrey Vagin <avagin@openvz.org>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/namespace.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 679e536b9d9536d804f049fe942367a596253e6d
+Author: Alex Williamson <alex.williamson@redhat.com>
+Date: Tue Mar 26 11:33:16 2013 -0600
+
+ Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
+
+ vfio-pci: Fix possible integer overflow
+
+ The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
+ of which are unsigned. We attempt to bounds check these, but fail to
+ account for the case where start is a very large number, allowing
+ start + count to wrap back into the valid range. Bounds check both
+ start and start + count.
+
+ Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+ drivers/vfio/pci/vfio_pci.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 18:48:45 2013 -0400
+
+ Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b5261a6384ee42499b29495aaae40b271e77d394
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:30:45 2013 -0400
+
+ some undefined behavior fixups
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_ip.c | 10 +++++-----
+ grsecurity/gracl_segv.c | 4 ++--
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:28:54 2013 -0400
+
+ don't whine about denied ipv6 when it's not enabled
+
+ grsecurity/gracl_ip.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
+Merge: 97bca88 9123489
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:18:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9123489428c58668a89f316db6619739cbdd2c2a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:17:46 2013 -0400
+
+ Update to pax-linux-3.8.6-test18.patch:
+ - new size overflow plugin from Emese to work around a gcc optimization
+ resulting in an intentional overflow, reported by Carlos Carvalho
+ (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
+
+ tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 66 insertions(+), 2 deletions(-)
+
+commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
+Merge: 675a41e e9d6073
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 8 21:32:59 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/kernel/us3_cpufreq.c
+
+commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 8 21:19:03 2013 -0400
+
+ Update to pax-linux-3.8.6-test17.patch:
+ - fixed ia64/ppc/sparc compilation by spender
+ - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)
+
+ arch/ia64/include/asm/uaccess.h | 2 -
+ arch/powerpc/include/asm/uaccess.h | 2 -
+ arch/sparc/include/asm/uaccess.h | 7 ----
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++--------------------------
+ tools/gcc/structleak_plugin.c | 15 ++++----
+ 6 files changed, 28 insertions(+), 69 deletions(-)
+
+commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 7 12:00:50 2013 -0400
+
+ fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin
+
+ net/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5a216624a06429488f24ce47db093da042f90e48
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 13:22:24 2013 -0400
+
+ fix typo
+
+ arch/sparc/kernel/us3_cpufreq.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit e476ca18d21788898cd3acd1b57049971a2fb70f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 13:16:13 2013 -0400
+
+ properly fix cpufreq_driver for ultrasparc III with constification
+
+ arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
+ 1 files changed, 17 insertions(+), 18 deletions(-)
+
+commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 12:58:48 2013 -0400
+
+ mark prom_sparc_ops __initconst
+
+ arch/sparc/kernel/prom_common.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 12:53:16 2013 -0400
+
+ fix ia64/powerpc/sparc compilation
+
+ arch/ia64/include/asm/uaccess.h | 2 --
+ arch/powerpc/include/asm/uaccess.h | 2 --
+ arch/sparc/include/asm/uaccess.h | 7 -------
+ 3 files changed, 0 insertions(+), 11 deletions(-)
+
+commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Mar 19 20:26:57 2013 +0100
+
+ Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
+
+ cfg80211: fix wdev tracing crash
+
+ Arend reported a crash in tracing if the driver returns an
+ ERR_PTR() value from the add_virtual_intf() callback. This
+ is due to the tracing then still attempting to dereference
+ the "pointer", fix this by using IS_ERR_OR_NULL().
+
+ Reported-by: Arend van Spriel <arend@broadcom.com>
+ Tested-by: Arend van Spriel <arend@broadcom.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+ net/wireless/trace.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Mon Mar 25 11:51:14 2013 +0100
+
+ Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
+
+ mac80211: fix remain-on-channel cancel crash
+
+ If a ROC item is canceled just as it expires, the work
+ struct may be scheduled while it is running (and waiting
+ for the mutex). This results in it being run after being
+ freed, which obviously crashes.
+
+ To fix this don't free it when aborting is requested but
+ instead mark it as "to be freed", which makes the work a
+ no-op and allows freeing it outside.
+
+ Cc: stable@vger.kernel.org [3.6+]
+ Reported-by: Jouni Malinen <j@w1.fi>
+ Tested-by: Jouni Malinen <j@w1.fi>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+ net/mac80211/cfg.c | 6 ++++--
+ net/mac80211/ieee80211_i.h | 3 ++-
+ net/mac80211/offchannel.c | 23 +++++++++++++++++------
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
+Author: Stone Piao <piaoyun@marvell.com>
+Date: Fri Mar 29 19:21:21 2013 -0700
+
+ Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
+
+ mwifiex: limit channel number not to overflow memory
+
+ Limit the channel number in scan request, or the driver scan
+ config structure memory will be overflowed.
+
+ Cc: <stable@vger.kernel.org> # 3.5+
+ Signed-off-by: Stone Piao <piaoyun@marvell.com>
+ Signed-off-by: Bing Zhao <bzhao@marvell.com>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/mwifiex/cfg80211.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 207c411512bdaf0e4271f93ecac6ca26588da36f
+Author: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Thu Mar 21 19:48:41 2013 +0000
+
+ Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
+
+ netfilter: reset nf_trace in nf_reset
+
+ We forgot to clear the nf_trace of sk_buff in nf_reset,
+ When we use veth device, this nf_trace information will
+ be leaked from one net namespace to another net namespace.
+
+ Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ include/linux/skbuff.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri Mar 22 01:28:18 2013 +0000
+
+ Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
+
+ netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_queue_core.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit a79feb7d3251eca577d83d7f69eee2b961ab2924
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat Mar 23 16:57:59 2013 +0100
+
+ Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
+
+ netfilter: nfnetlink_acct: return -EINVAL if object name is empty
+
+ If user-space tries to create accounting object with an empty
+ name, then return -EINVAL.
+
+ Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_acct.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
+Author: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sat Mar 30 10:23:12 2013 +0000
+
+ Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
+
+ netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
+
+ The bitmask used for the prefix mangling was being calculated
+ incorrectly, leading to the wrong part of the address being replaced
+ when the prefix length wasn't a multiple of 32.
+
+ Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/ipv6/netfilter/ip6t_NPT.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
+Author: Veaceslav Falico <vfalico@redhat.com>
+Date: Wed Apr 3 05:46:33 2013 +0000
+
+ Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
+
+ bonding: remove sysfs before removing devices
+
+ We have a race condition if we try to rmmod bonding and simultaneously add
+ a bond master through sysfs. In bonding_exit() we first remove the devices
+ (through rtnl_link_unregister() ) and only after that we remove the sysfs.
+ If we manage to add a device through sysfs after that the devices were
+ removed - we'll end up with that device/sysfs structure and with the module
+ unloaded.
+
+ Fix this by first removing the sysfs and only after that calling
+ rtnl_link_unregister().
+
+ Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d12cae44a9d12441d81c489178803237219d403d
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Wed Apr 3 16:14:47 2013 +0000
+
+ Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
+
+ af_unix: If we don't care about credentials coallesce all messages
+
+ It was reported that the following LSB test case failed
+ https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
+ were not coallescing unix stream messages when the application was
+ expecting us to.
+
+ The problem was that the first send was before the socket was accepted
+ and thus sock->sk_socket was NULL in maybe_add_creds, and the second
+ send after the socket was accepted had a non-NULL value for sk->socket
+ and thus we could tell the credentials were not needed so we did not
+ bother.
+
+ The unnecessary credentials on the first message cause
+ unix_stream_recvmsg to start verifying that all messages had the same
+ credentials before coallescing and then the coallescing failed because
+ the second message had no credentials.
+
+ Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
+ long standing pessimization which would fail to coallesce messages when
+ reading from a unix stream socket if the senders were different even if
+ we did not care about their credentials.
+
+ I have tested this and verified that the in the LSB test case mentioned
+ above that the messages do coallesce now, while the were failing to
+ coallesce without this change.
+
+ Reported-by: Karel Srot <ksrot@redhat.com>
+ Reported-by: Ding Tianhong <dingtianhong@huawei.com>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Wed Apr 3 16:13:35 2013 +0000
+
+ Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
+
+ Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
+
+ This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
+
+ The problem that the above patch was meant to address is that af_unix
+ messages are not being coallesced because we are sending unnecesarry
+ credentials. Not sending credentials in maybe_add_creds totally
+ breaks unconnected unix domain sockets that wish to send credentails
+ to other sockets.
+
+ In practice this break some versions of udev because they receive a
+ message and the sending uid is bogus so they drop the message.
+
+ Reported-by: Sven Joachim <svenjoac@gmx.de>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Wed Mar 20 21:31:42 2013 +0000
+
+ Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
+
+ lantiq_etop: use free_netdev(netdev) instead of kfree()
+
+ Freeing netdev without free_netdev() leads to net, tx leaks.
+ And it may lead to dereferencing freed pointer.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/lantiq_etop.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
+Author: Cong Wang <amwang@redhat.com>
+Date: Fri Mar 22 19:14:07 2013 +0000
+
+ Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
+
+ 8021q: fix a potential use-after-free
+
+ vlan_vid_del() could possibly free ->vlan_info after a RCU grace
+ period, however, we may still refer to the freed memory area
+ by 'grp' pointer. Found by code inspection.
+
+ This patch moves vlan_vid_del() as behind as possible.
+
+ Cc: Patrick McHardy <kaber@trash.net>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/8021q/vlan.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit fff29c277024a39845d4b535083c8dafc21b45d9
+Author: Hong zhi guo <honkiko@gmail.com>
+Date: Sat Mar 23 02:27:50 2013 +0000
+
+ Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
+
+ bridge: fix crash when set mac address of br interface
+
+ When I tried to set mac address of a bridge interface to a mac
+ address which already learned on this bridge, I got system hang.
+
+ The cause is straight forward: function br_fdb_change_mac_address
+ calls fdb_insert with NULL source nbp. Then an fdb lookup is
+ performed. If an fdb entry is found and it's local, it's OK. But
+ if it's not local, source is dereferenced for printk without NULL
+ check.
+
+ Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/bridge/br_fdb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
+Author: Kumar Amit Mehta <gmate.amit@gmail.com>
+Date: Sat Mar 23 20:10:25 2013 +0000
+
+ Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
+
+ bnx2x: fix assignment of signed expression to unsigned variable
+
+ fix for incorrect assignment of signed expression to unsigned variable.
+
+ Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
+ Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
+Author: dingtianhong <dingtianhong@huawei.com>
+Date: Mon Mar 25 17:02:04 2013 +0000
+
+ Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
+
+ af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
+
+ SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
+ socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
+ and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
+
+ Origionally-authored-by: Karel Srot <ksrot@redhat.com>
+ Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b964e1e61f0f0ccaa380be3342f956c604054bdc
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Thu Mar 21 02:30:41 2013 -0700
+
+ Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
+
+ yama: Better permission check for ptraceme
+
+ Change the permission check for yama_ptrace_ptracee to the standard
+ ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
+ in the tracees user namespace.
+
+ Reviewed-by: Kees Cook <keescook@chromium.org>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+
+ security/yama/yama_lsm.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit b94e71c7b6abe75989edff18aca2781233fa143b
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Apr 1 11:40:51 2013 +0400
+
+ Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
+
+ ipc: set msg back to -EAGAIN if copy wasn't performed
+
+ Make sure that msg pointer is set back to error value in case of
+ MSG_COPY flag is set and desired message to copy wasn't found. This
+ garantees that msg is either a error pointer or a copy address.
+
+ Otherwise the last message in queue will be freed without unlinking from
+ the queue (which leads to memory corruption) and the dummy allocated
+ copy won't be released.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msg.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
+Author: Jan Kara <jack@suse.cz>
+Date: Fri Mar 29 15:39:16 2013 +0100
+
+ Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
+
+ reiserfs: Fix warning and inode leak when deleting inode with xattrs
+
+ After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
+ started failing to delete xattrs from inode. This was due to a buggy
+ test for '.' and '..' in fill_with_dentries() which resulted in passing
+ '.' and '..' entries to lookup_one_len() in some cases. That returned
+ error and so we failed to iterate over all xattrs of and inode.
+
+ Fix the test in fill_with_dentries() along the lines of the one in
+ lookup_one_len().
+
+ Reported-by: Pawel Zawora <pzawora@gmail.com>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/xattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
+Author: Paul Bolle <pebolle@tiscali.nl>
+Date: Wed Apr 3 12:24:45 2013 +0100
+
+ Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
+
+ ARM: 7690/1: mm: fix CONFIG_LPAE typos
+
+ CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
+ up the two typos under arch/arm/.
+
+ The fix to head.S is slightly scary, but this is just for setting up
+ an early io-mapping for the serial port when running on a big-endian,
+ LPAE system. Since these systems don't exist in the wild (at least, I
+ have no access to one outside of kvmtool, which doesn't provide a serial
+ port suitable for earlyprintk), then we can revisit the code later if it
+ causes any problems.
+
+ Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
+ Signed-off-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ arch/arm/kernel/head.S | 2 +-
+ arch/arm/kernel/setup.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 984ba346b2d8f158473e9723ba145031368431ed
+Author: Catalin Marinas <catalin.marinas@arm.com>
+Date: Tue Mar 26 23:35:04 2013 +0100
+
+ Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
+
+ ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
+
+ On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
+ all use of the old entries. This patch implements the erratum workaround
+ which consists of:
+
+ 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
+ 2. Send IPI to the CPUs that are running the same mm (and ASID) as the
+ one being invalidated (or all the online CPUs for global pages).
+ 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
+ return code already).
+
+ Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ Conflicts:
+
+ arch/arm/include/asm/tlbflush.h
+ arch/arm/kernel/smp_tlb.c
+ arch/arm/mm/context.c
+
+ arch/arm/Kconfig | 10 +++++
+ arch/arm/include/asm/highmem.h | 7 ++++
+ arch/arm/include/asm/mmu_context.h | 2 +
+ arch/arm/include/asm/tlbflush.h | 15 ++++++++
+ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++
+ arch/arm/mm/context.c | 6 ++-
+ 6 files changed, 104 insertions(+), 2 deletions(-)
+
+commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
+Author: Jan Stancek <jstancek@redhat.com>
+Date: Thu Apr 4 11:35:10 2013 -0700
+
+ Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
+
+ mm: prevent mmap_cache race in find_vma()
+
+ find_vma() can be called by multiple threads with read lock
+ held on mm->mmap_sem and any of them can update mm->mmap_cache.
+ Prevent compiler from re-fetching mm->mmap_cache, because other
+ readers could update it in the meantime:
+
+ thread 1 thread 2
+ |
+ find_vma() | find_vma()
+ struct vm_area_struct *vma = NULL; |
+ vma = mm->mmap_cache; |
+ if (!(vma && vma->vm_end > addr |
+ && vma->vm_start <= addr)) { |
+ | mm->mmap_cache = vma;
+ return vma; |
+ ^^ compiler may optimize this |
+ local variable out and re-read |
+ mm->mmap_cache |
+
+ This issue can be reproduced with gcc-4.8.0-1 on s390x by running
+ mallocstress testcase from LTP, which triggers:
+
+ kernel BUG at mm/rmap.c:1088!
+ Call Trace:
+ ([<000003d100c57000>] 0x3d100c57000)
+ [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
+ [<000000000023baae>] handle_pte_fault+0x41a/0xac8
+ [<000000000023d832>] handle_mm_fault+0x17a/0x268
+ [<000000000060507a>] do_protection_exception+0x1e2/0x394
+ [<0000000000603a04>] pgm_check_handler+0x138/0x13c
+ [<000003fffcf1f07a>] 0x3fffcf1f07a
+ Last Breaking-Event-Address:
+ [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
+
+ Thanks to Jakub Jelinek for his insight on gcc and helping to
+ track this down.
+
+ Signed-off-by: Jan Stancek <jstancek@redhat.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmap.c | 2 +-
+ mm/nommu.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 53f5096daa14967938bc154e6c41f9119863fb36
+Merge: e988d7c 0a45285
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 5 17:32:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/ethernet/broadcom/tg3.c
+
+commit 0a452855444d02502df6eb21ef3083cf303f71e1
+Merge: 0277fa1 00cfbb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 5 17:31:15 2013 -0400
+
+ Update to pax-linux-3.8.6-test16.patch:
+ - fixed some attribute leakage into userland headers, patch by Mathias Krause
+ - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ drivers/gpu/drm/i915/intel_display.c
+
+commit e988d7c8d946c816a2cb97f0d38048a1584966b8
+Merge: baec40e 0277fa1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 3 22:05:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0277fa123b486cf11420967e4568d7653e225fd3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 3 22:04:48 2013 -0400
+
+ Update to pax-linux-3.8.5-test15.patch:
+ - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
+ - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
+
+ drivers/media/pci/cx88/cx88-video.c | 6 +++---
+ include/net/net_namespace.h | 4 ++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+commit baec40e6708fd5ae2000cad6c70c5980c998b91c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 19:50:32 2013 -0400
+
+ fix compilation as reported on forums for gcc versions lacking plugin
+ support
+
+ include/net/net_namespace.h | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
+Merge: 6b69c35 0db9d15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:47:27 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0db9d156826bdd50510086fde837648a3dfd370e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:46:05 2013 -0400
+
+ Update to pax-linux-3.8.5-test14.patch:
+ - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table
+
+ arch/x86/include/asm/uaccess_64.h | 6 +-
+ include/linux/moduleloader.h | 4 +-
+ tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++----------------
+ 3 files changed, 61 insertions(+), 47 deletions(-)
+
+commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:35:06 2013 -0400
+
+ remove duplicate compiler.h
+
+ include/linux/sysrq.h | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit 01e1d503fd2220adaaec0b92ea19441bdff73555
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 19:53:50 2013 -0400
+
+ fix intentional_overflow marking on sys_sendto
+
+ include/linux/syscalls.h | 2 +-
+ net/socket.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit cd5ff114d958470f471c63775278e8c05e774630
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 18:46:16 2013 -0400
+
+ fix size_overflow false positive
+
+ kernel/futex_compat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 295ba16cc53df2375261accbedd6575ea327770a
+Merge: 18340f1 278a989
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:36:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/exec.c
+ include/linux/thread_info.h
+
+commit 278a989c831d62193c7b3d119fe2302babd45d12
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:34:34 2013 -0400
+
+ Resync with pax-linux-3.8.5-test13.patch
+
+ arch/arm/include/asm/pgtable.h | 3 ++-
+ arch/arm/lib/delay.c | 1 +
+ fs/exec.c | 8 ++++----
+ include/linux/compiler.h | 1 +
+ include/linux/proc_fs.h | 2 +-
+ include/linux/thread_info.h | 6 +++---
+ include/linux/zlib.h | 3 ++-
+ init/main.c | 4 ++--
+ kernel/user_namespace.c | 2 +-
+ lib/list_debug.c | 4 ++--
+ mm/slab.c | 1 +
+ mm/slob.c | 1 +
+ mm/slub.c | 1 +
+ net/core/sysctl_net_core.c | 3 +--
+ tools/gcc/constify_plugin.c | 1 +
+ 15 files changed, 24 insertions(+), 17 deletions(-)
+
+commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
+Merge: 05f01ae e8cfeae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:30:57 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
+Merge: b461cb7 aa4cfde
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:30:44 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c
+ fs/nfsd/vfs.c
+
+commit 05f01ae4c3479541586a2387f916a6620889c479
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:05:39 2013 -0400
+
+ Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
+ takes user-provided length, copies up to that amount in a sockaddr_storage
+ struct on the stack, then takes an upper-bounded-only user-provided length
+ and copies the sockaddr_storage struct back out to userland, complete with
+ uninitialized data
+
+ net/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit eea6ade59490784e83e08ec67322288fcf14cb31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 23:07:37 2013 -0400
+
+ return a proper error, otherwise we could be accessing uninitialized data
+ (previous define was a positive value)
+
+ drivers/usb/storage/realtek_cr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
+Merge: c3dc9a6 b461cb7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:54:24 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b461cb7b1d85490430ef7896c247794af72c3749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:54:11 2013 -0400
+
+ Add structleak plugin
+
+ tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 270 insertions(+), 0 deletions(-)
+
+commit c3dc9a6ef10782894bb11fd088fd712db44d8062
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:53:22 2013 -0400
+
+ Enable structleak by default for the security auto-config
+
+ security/Kconfig | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
+Merge: d8503a3 74bec16
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:47:10 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 74bec16b657147a5575b1f14f4423a717ba317a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:46:13 2013 -0400
+
+ Update to pax-linux-3.8.4-test13.patch:
+ - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
+ - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland
+
+ Makefile | 5 +++-
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/mm/fault.c | 3 +-
+ fs/binfmt_elf.c | 2 +-
+ include/linux/compiler.h | 42 ++++++++++++++--------------------------
+ security/Kconfig | 16 +++++++++++++++
+ tools/gcc/Makefile | 2 +
+ tools/gcc/constify_plugin.c | 7 +++++-
+ 8 files changed, 47 insertions(+), 32 deletions(-)
+
+commit d8503a3a35d68b9ba1615d29335aef3f70d51465
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:02:40 2013 -0400
+
+ Fix 8-byte stack infoleak in ia32_rt_sigpending
+ User controls length, kernel only performs check on the upper bound, will
+ fill in any amount less than sizeof(sigset_t) via a copy_to_user under
+ KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
+ regardless of whether the sigset_t content copied into it has been initialized
+ or not
+
+ arch/x86/ia32/sys_ia32.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 26 21:05:05 2013 -0400
+
+ commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
+ Author: J. Bruce Fields <bfields@redhat.com>
+ Date: Tue Mar 26 14:11:13 2013 -0400
+
+ nfsd4: reject "negative" acl lengths
+
+ Since we only enforce an upper bound, not a lower bound, a "negative"
+ length can get through here.
+
+ The symptom seen was a warning when we attempt to a kmalloc with an
+ excessive size.
+
+ Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ fs/nfsd/nfs4xdr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
+Author: Jeff Layton <jlayton@redhat.com>
+Date: Mon Mar 11 09:52:19 2013 -0400
+
+ Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
+
+ cifs: ignore everything in SPNEGO blob after mechTypes
+
+ We've had several reports of people attempting to mount Windows 8 shares
+ and getting failures with a return code of -EINVAL. The default sec=
+ mode changed recently to sec=ntlmssp. With that, we expect and parse a
+ SPNEGO blob from the server in the NEGOTIATE reply.
+
+ The current decode_negTokenInit function first parses all of the
+ mechTypes and then tries to parse the rest of the negTokenInit reply.
+ The parser however currently expects a mechListMIC or nothing to follow the
+ mechTypes, but Windows 8 puts a mechToken field there instead to carry
+ some info for the new NegoEx stuff.
+
+ In practice, we don't do anything with the fields after the mechTypes
+ anyway so I don't see any real benefit in continuing to parse them.
+ This patch just has the kernel ignore the fields after the mechTypes.
+ We'll probably need to reinstate some of this if we ever want to support
+ NegoEx.
+
+ Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
+ Reported-by: Yan Li <elliot.li.tech@gmail.com>
+ Signed-off-by: Jeff Layton <jlayton@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Steve French <sfrench@us.ibm.com>
+
+ fs/cifs/asn1.c | 53 +++++------------------------------------------------
+ 1 files changed, 5 insertions(+), 48 deletions(-)
+
+commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
+Merge: 93ff726 0deb54c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:35:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:35:05 2013 -0400
+
+ fix typo
+
+ arch/x86/mm/ioremap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
+Merge: be9f8b8 f95e53a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:30:06 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f95e53abadb6e4665866e4502ff9f518514193e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:29:25 2013 -0400
+
+ Update to pax-linux-3.8.4-test12.patch:
+
+ - fixed perf compilation reported by Michael Tremer
+ - fixed USERCOPY reports triggered by SCTP, reported by mcp
+ - last fix for aslr gap accounting, promise (thanks to spender)
+
+ arch/x86/mm/ioremap.c | 3 +++
+ fs/binfmt_elf.c | 5 ++---
+ mm/mmap.c | 2 +-
+ net/sctp/socket.c | 19 +++++++++++++++----
+ tools/perf/util/include/linux/compiler.h | 8 ++++++++
+ 5 files changed, 29 insertions(+), 8 deletions(-)
+
+commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 16:48:34 2013 -0400
+
+ From: Al Viro <viro@ZenIV.linux.org.uk>
+ To: Brad Spengler <spender@grsecurity.net>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Umm... I see what you are describing, and AFAICS you are correct; let me
+ see if I am misreading your analysis:
+ * vfsmount_lock may act fair; A holding it shared, with B spinning
+ on attempt to take it exclusive may lead to C spinning on attempt to take
+ it shared.
+ * path_is_under() tries get rename_lock while holding vfsmount_lock
+ shared.
+ * d_path() et.al. try to take vfsmount_lock shared, while holding
+ rename_lock.
+
+ All true and yes, it's a bug (I'd probably classify it as a livelock, but
+ that doesn't make any real difference). There are three possible solutions,
+ AFAICS:
+ 1) two-liner in path_is_under() replacing the use of vfsmount_lock
+ with that of namespace_sem; trivial, but results in function unexpectedly
+ blocking. The current callers are fine with that, but it's a trouble
+ waiting to happen.
+ 2) replace write_seqlock() in prepend_path() callers with
+ read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
+ is_subdir() we need more than just ->d_parent not pointing to something
+ freed - we also care about ->d_name.len being in sync with ->d_name.name.
+ It probably can be worked around, but...
+
+ 3) declare that rename_lock nests inside vfsmount_lock and let
+ the callers of prepend_path() take vfsmount_lock(). I'd probably prefer
+ that one...
+
+ Nest rename_lock inside vfsmount_lock
+
+ ... lest we get livelocks between path_is_under() and d_path() and friends.
+
+ [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
+ the issue ]
+
+ Spotted-by: Brad Spengler <spender@grsecurity.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/dcache.c | 16 +++++++++++-----
+ grsecurity/gracl.c | 20 ++++++++++----------
+ 2 files changed, 21 insertions(+), 15 deletions(-)
+
+commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri Mar 22 11:44:04 2013 -0700
+
+ Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
+
+ vfs,proc: guarantee unique inodes in /proc
+
+ Dave Jones found another /proc issue with his Trinity tool: thanks to
+ the namespace model, we can have multiple /proc dentries that point to
+ the same inode, aliasing directories in /proc/<pid>/net/ for example.
+
+ This ends up being a total disaster, because it acts like hardlinked
+ directories, and causes locking problems. We rely on the topological
+ sort of the inodes pointed to by dentries, and if we have aliased
+ directories, that odering becomes unreliable.
+
+ In short: don't do this. Multiple dentries with the same (directory)
+ inode is just a bad idea, and the namespace code should never have
+ exposed things this way. But we're kind of stuck with it.
+
+ This solves things by just always allocating a new inode during /proc
+ dentry lookup, instead of using "iget_locked()" to look up existing
+ inodes by superblock and number. That actually simplies the code a bit,
+ at the cost of potentially doing more inode [de]allocations.
+
+ That said, the inode lookup wasn't free either (and did a lot of locking
+ of inodes), so it is probably not that noticeable. We could easily keep
+ the old lookup model for non-directory entries, but rather than try to
+ be excessively clever this just implements the minimal and simplest
+ workaround for the problem.
+
+ Reported-and-tested-by: Dave Jones <davej@redhat.com>
+ Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/inode.c
+
+ fs/proc/inode.c | 9 +++------
+ 1 files changed, 3 insertions(+), 6 deletions(-)
+
+commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
+Author: Vladimir Davydov <vdavydov@parallels.com>
+Date: Fri Mar 22 15:04:51 2013 -0700
+
+ Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
+
+ mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
+
+ mnt_drop_write() must be called only if mnt_want_write() succeeded,
+ otherwise the mnt_writers counter will diverge.
+
+ mnt_writers counters are used to check if remounting FS as read-only is
+ OK, so after an extra mnt_drop_write() call, it would be impossible to
+ remount mqueue FS as read-only. Besides, on umount a warning would be
+ printed like this one:
+
+ =====================================
+ [ BUG: bad unlock balance detected! ]
+ 3.9.0-rc3 #5 Not tainted
+ -------------------------------------
+ a.out/12486 is trying to release lock (sb_writers) at:
+ mnt_drop_write+0x1f/0x30
+ but there are no more locks to release!
+
+ Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
+ Cc: Doug Ledford <dledford@redhat.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/mqueue.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 13:02:32 2013 -0400
+
+ Don't use constify plugin if not enabled in config,
+ reported by Alexey Vlasov
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3afb82e020593249ac394e9859397c3e0ef5341c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:50:13 2013 -0400
+
+ oded 0day #2
+ http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+ slide 20
+
+ drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:15:50 2013 -0400
+
+ oded 0day #1
+ http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+ slide 18
+
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:13:12 2013 -0400
+
+ remove warning on accessing this /proc entry, HIDESYM already caught the infoleak
+
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 44cb11a9470f72157601d0ad4d572d111f90f504
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 18:11:42 2013 -0400
+
+ use VM_DONTDUMP
+
+ fs/binfmt_elf.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 17:53:09 2013 -0400
+
+ fix recent RLIMIT_AS changes (due to vm_flags typo)
+
+ Conflicts:
+
+ fs/binfmt_elf.c
+
+ fs/binfmt_elf.c | 2 +-
+ mm/mmap.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit fd5f0d92b0fbec02029dad124501a9c80e527a32
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 17:08:48 2013 -0400
+
+ complete_walk drops rcu-walk mode, no need for our own dropping
+ method outside of generic_permission
+
+ fs/namei.c | 30 ------------------------------
+ 1 files changed, 0 insertions(+), 30 deletions(-)
+
+commit b49ab1c73edb6442eec609b26bba4d850b3111b6
+Merge: 5e9a707 783ade9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 21:56:28 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 21:55:31 2013 -0400
+
+ Update to pax-linux-3.8.3-test11.patch:
+ - rewrote the ASLR gap accounting code once again
+ - fixed ptrace compat bug found by the size overflow plugin
+
+ fs/binfmt_elf.c | 25 ++++++++++++-------------
+ fs/exec.c | 7 ++-----
+ include/linux/compat.h | 2 +-
+ include/linux/mm.h | 5 +++++
+ include/linux/mm_types.h | 2 +-
+ kernel/ptrace.c | 2 +-
+ mm/mmap.c | 15 ++++++++++-----
+ 7 files changed, 32 insertions(+), 26 deletions(-)
+
+commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 19:37:33 2013 -0400
+
+ Make the constify plugin usage actually depend on the introduced config option
+ (it was still forced on)
+
+ tools/gcc/Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1974b4f58d9d729c80ac1987785446115304a54c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 16:12:38 2013 -0400
+
+ fix failed merge
+
+ arch/arm/mm/fault.c | 15 +++------------
+ 1 files changed, 3 insertions(+), 12 deletions(-)
+
+commit 675a8ab4a8fe8315df348735a37a302a7535224c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 23:36:14 2013 -0400
+
+ From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
+ From: Kees Cook <keescook@chromium.org>
+ Date: Sun, 10 Mar 2013 20:09:31 +0000
+ Subject: drm/i915: bounds check execbuffer relocation count
+
+ It is possible to wrap the counter used to allocate the buffer for
+ relocation copies. This could lead to heap writing overflows.
+
+ CVE-2013-0913
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Reported-by: Pinkie Pie
+ Cc: stable@vger.kernel.org
+
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
+Author: Andy Honig <ahonig@google.com>
+Date: Wed Feb 20 14:48:10 2013 -0800
+
+ Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
+
+ KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
+
+ There is a potential use after free issue with the handling of
+ MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
+ memory such as frame buffers then KVM might continue to write to that
+ address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
+ the page in memory so it's unlikely to cause an issue, but if the user
+ space component re-purposes the memory previously used for the guest, then
+ the guest will be able to corrupt that memory.
+
+ Tested: Tested against kvmclock unit test
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ arch/x86/include/asm/kvm_host.h | 4 +-
+ arch/x86/kvm/x86.c | 47 ++++++++++++++++----------------------
+ 2 files changed, 22 insertions(+), 29 deletions(-)
+
+commit 0bcac31b57c381001feb69fd6ec8069e61e03432
+Author: Andy Honig <ahonig@google.com>
+Date: Mon Mar 11 09:34:52 2013 -0700
+
+ Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
+
+ KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
+
+ If the guest sets the GPA of the time_page so that the request to update the
+ time straddles a page then KVM will write onto an incorrect page. The
+ write is done byusing kmap atomic to get a pointer to the page for the time
+ structure and then performing a memcpy to that page starting at an offset
+ that the guest controls. Well behaved guests always provide a 32-byte aligned
+ address, however a malicious guest could use this to corrupt host kernel
+ memory.
+
+ Tested: Tested against kvmclock unit test.
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ arch/x86/kvm/x86.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 695c59887e4ec10b0b695ab4f645d1226c433be0
+Author: Andy Honig <ahonig@google.com>
+Date: Wed Feb 20 14:49:16 2013 -0800
+
+ Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
+
+ KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
+
+ If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
+ that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
+ that request. ioapic_read_indirect contains an
+ ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
+ non-debug builds. In recent kernels this allows a guest to cause a kernel
+ oops by reading invalid memory. In older kernels (pre-3.3) this allows a
+ guest to read from large ranges of host memory.
+
+ Tested: tested against apic unit tests.
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ virt/kvm/ioapic.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
+Merge: aec3cd4 c522e3a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 19:38:25 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
+Merge: c57d855 405acc3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 19:38:11 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 19:56:04 2013 -0400
+
+ include linux/compiler.h
+
+ include/linux/zlib.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:42:20 2013 -0400
+
+ fix missing sock_release()
+
+ net/irda/af_irda.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit dd65c05cd24faf8946d4941434a553ee285c35a3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:36:17 2013 -0400
+
+ fix mpt fusion infoleak
+
+ drivers/message/fusion/mptbase.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:33:45 2013 -0400
+
+ Fix size_overflow false positive reported by slashbeast
+
+ include/linux/zlib.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:35:36 2013 -0400
+
+ fix up failed merge
+
+ arch/arm/mm/fault.c | 9 ++-------
+ 1 files changed, 2 insertions(+), 7 deletions(-)
+
+commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:34:36 2013 -0400
+
+ update documentation on consequences of building without gcc plugin support
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:18:13 2013 -0400
+
+ fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums
+
+ init/main.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit f00195c633f91cfbd8c1f530d2c371b713026e20
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 22:27:33 2013 -0400
+
+ Fix compile error reported by KDE on the forums
+
+ kernel/user_namespace.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
+Merge: 0949569 c57d855
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 22:20:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/mm/fault.c
+ arch/x86/mm/fault.c
+ fs/exec.c
+
+commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 21:22:03 2013 -0400
+
+ Update to pax-linux-3.8.2-test9.patch:
+ arm changes from spender
+ - removed userland access to the vectors page
+ - removed obsolete sigreturn trampoline handling
+ - added emulation for __kuser_get_tls
+ - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
+ - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
+ - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
+ - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
+ - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
+ - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
+ and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
+
+ arch/arm/kernel/process.c | 5 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/traps.c | 7 -
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 23 +-
+ arch/arm/mm/mmu.c | 2 +-
+ arch/x86/include/asm/bitops.h | 2 +-
+ arch/x86/include/asm/desc.h | 2 +-
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/io.h | 8 +-
+ arch/x86/include/asm/paravirt.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +-
+ arch/x86/kernel/setup_percpu.c | 2 +-
+ arch/x86/mm/fault.c | 4 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/physaddr.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/power/power_supply_core.c | 1 +
+ drivers/usb/core/message.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/binfmt_elf.c | 5 +-
+ fs/exec.c | 4 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ include/linux/compat.h | 4 +-
+ include/linux/completion.h | 6 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/err.h | 4 +-
+ include/linux/math64.h | 6 +-
+ include/linux/sched.h | 2 +-
+ include/linux/unaligned/access_ok.h | 12 +-
+ include/linux/usb.h | 2 +-
+ include/uapi/linux/byteorder/little_endian.h | 4 +-
+ include/uapi/linux/swab.h | 6 +-
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 3 +
+ kernel/time.c | 2 +-
+ kernel/timer.c | 2 +-
+ lib/div64.c | 4 +-
+ mm/page-writeback.c | 2 +-
+ net/socket.c | 2 +
+ scripts/package/builddeb | 1 +
+ tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++----------
+ tools/gcc/size_overflow_plugin.c | 1072 ++--
+ 53 files changed, 6227 insertions(+), 3951 deletions(-)
+
+commit 09495691bb31f11ec14d9127429f9a0f3f716f22
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 17 20:51:50 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit deb85b00d0f9f886e264e116313f298401ec5c59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 17 20:03:33 2013 -0400
+
+ Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
+ with a subject applied to it with RES_CPU. Otherwise, the limit will only
+ begin to be applied at fork time.
+
+ Thanks to Bjornar Ness for the report.
+
+ grsecurity/gracl.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 2126421f123513f604ceef2b23ba9ed516de7e58
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 22:07:43 2013 -0400
+
+ Move inode auditing prior to our refcnt dropping
+
+ fs/namei.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 22:00:30 2013 -0400
+
+ Drop reference on completed path walked in RCU mode or when violating
+ the chroot fchdir check inside a chroot -- possible culprit for a reported
+ vfsmount_lock hang during unmount
+
+ fs/namei.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 16:43:45 2013 -0400
+
+ add user_arg_ptr back to exec.c
+
+ fs/exec.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 11:22:36 2013 -0400
+
+ Don't globally include compat.h -- with the new X32 support it
+ changes some definitions involving ELF binaries resulting in invalid
+ coredumps, as reported by KDE on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
+ Thanks to the PaX Team for debugging
+
+ fs/exec.c | 3 +++
+ grsecurity/grsec_exec.c | 13 +++++++++++++
+ include/linux/grsecurity.h | 15 ---------------
+ 3 files changed, 16 insertions(+), 15 deletions(-)
+
+commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:59:26 2013 -0400
+
+ Add peer information to /proc/net/unix from Kenan Kalajdzic:
+ http://marc.info/?l=linux-netdev&m=126745636809191&w=2
+
+ We use a "P" prefix to the inode number instead of "peer=". This
+ additional information can be used, for instance, to find what processes
+ are connected to MySQL's unix domain socket.
+
+ net/unix/af_unix.c | 12 +++++++++---
+ 1 files changed, 9 insertions(+), 3 deletions(-)
+
+commit 1cd623d11a462d151ea8a5cace4521e1724911a3
+Author: Oliver Neukum <oneukum@suse.de>
+Date: Tue Mar 12 14:52:42 2013 +0100
+
+ Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
+
+ USB: cdc-wdm: fix buffer overflow
+
+ The buffer for responses must not overflow.
+ If this would happen, set a flag, drop the data and return
+ an error after user space has read all remaining data.
+
+ Signed-off-by: Oliver Neukum <oliver@neukum.org>
+ CC: stable@kernel.org
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
+ 1 files changed, 20 insertions(+), 3 deletions(-)
+
+commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
+Merge: 9cdf9bc db4cb92
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:23:14 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/keys/compat.c
+
+commit db4cb924546e3fec3a59f78d056f48176eaf7100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:22:24 2013 -0400
+
+ Update to pax-linux-3.8.2-test8.patch
+
+ arch/arm/include/asm/cache.h | 2 ++
+ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++----------
+ arch/arm/mach-omap2/omap_device.c | 4 ++--
+ arch/arm/mach-omap2/omap_device.h | 4 ++--
+ arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
+ 5 files changed, 19 insertions(+), 15 deletions(-)
+
+commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
+Merge: 3c865f9 1a45c31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:20:54 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/arm/include/asm/delay.h
+ arch/arm/include/asm/pgtable.h
+ arch/arm/lib/delay.c
+ security/keys/compat.c
+
+commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Tue Mar 12 02:59:49 2013 +0000
+
+ Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
+
+ vfs: fix pipe counter breakage
+
+ If you open a pipe for neither read nor write, the pipe code will not
+ add any usage counters to the pipe, causing the 'struct pipe_inode_info"
+ to be potentially released early.
+
+ That doesn't normally matter, since you cannot actually use the pipe,
+ but the pipe release code - particularly fasync handling - still expects
+ the actual pipe infrastructure to all be there. And rather than adding
+ NULL pointer checks, let's just disallow this case, the same way we
+ already do for the named pipe ("fifo") case.
+
+ This is ancient going back to pre-2.4 days, and until trinity, nobody
+ naver noticed.
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/pipe.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
+Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Mon Feb 25 10:20:36 2013 -0500
+
+ Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
+
+ Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
+
+ Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
+ compat_process_vm_rw() shows that the compatibility code requires an
+ explicit "access_ok()" check before calling
+ compat_rw_copy_check_uvector(). The same difference seems to appear when
+ we compare fs/read_write.c:do_readv_writev() to
+ fs/compat.c:compat_do_readv_writev().
+
+ This subtle difference between the compat and non-compat requirements
+ should probably be debated, as it seems to be error-prone. In fact,
+ there are two others sites that use this function in the Linux kernel,
+ and they both seem to get it wrong:
+
+ Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
+ also ends up calling compat_rw_copy_check_uvector() through
+ aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
+ be missing. Same situation for
+ security/keys/compat.c:compat_keyctl_instantiate_key_iov().
+
+ I propose that we add the access_ok() check directly into
+ compat_rw_copy_check_uvector(), so callers don't have to worry about it,
+ and it therefore makes the compat call code similar to its non-compat
+ counterpart. Place the access_ok() check in the same location where
+ copy_from_user() can trigger a -EFAULT error in the non-compat code, so
+ the ABI behaviors are alike on both compat and non-compat.
+
+ While we are here, fix compat_do_readv_writev() so it checks for
+ compat_rw_copy_check_uvector() negative return values.
+
+ And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
+ handling.
+
+ Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ security/keys/compat.c
+
+ fs/compat.c | 15 +++++++--------
+ mm/process_vm_access.c | 8 --------
+ security/keys/compat.c | 3 ++-
+ 3 files changed, 9 insertions(+), 17 deletions(-)
+
+commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 11 18:38:38 2013 -0400
+
+ Fix leak of signal handler addresses across execve, found by Emese Revfy
+
+ kernel/signal.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 79b130c4b11c7940daf2b33d653a17666331c634
+Merge: 6480ce9 3c865f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 20:04:03 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 20:03:12 2013 -0400
+
+ Update to pax-linux-3.8.2-test7.patch:
+ - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
+ - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
+
+ fs/binfmt_elf.c | 3 ++-
+ fs/exec.c | 3 +++
+ include/linux/mm_types.h | 2 +-
+ init/main.c | 4 ++--
+ mm/mmap.c | 2 +-
+ mm/page_alloc.c | 4 ++--
+ tools/gcc/latent_entropy_plugin.c | 11 +++++++----
+ 7 files changed, 18 insertions(+), 11 deletions(-)
+
+commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
+Merge: 4a5305e 25b3569
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 10:41:16 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 25b356980568bed9958315bb5a551fdc610055ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 10:40:48 2013 -0400
+
+ Update to pax-linux-3.8.2-test6.patch:
+ - fixed a KERNEXEC false positive on arm reported by Gu1
+ - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
+ - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
+ - added fix from spender for some namespace breakage reported by zakalwe
+ - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
+
+ Documentation/kernel-parameters.txt | 5 +++++
+ arch/arm/kernel/patch.c | 2 ++
+ arch/x86/kernel/sys_i386_32.c | 5 +++--
+ drivers/acpi/blacklist.c | 2 +-
+ drivers/video/aty/mach64_cursor.c | 1 +
+ init/main.c | 4 ----
+ mm/page_alloc.c | 27 +++++++++++++++++++++++++++
+ net/ipv4/ip_fragment.c | 2 +-
+ security/Kconfig | 5 +++++
+ tools/gcc/latent_entropy_plugin.c | 7 +++++--
+ 10 files changed, 50 insertions(+), 10 deletions(-)
+
+commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 9 11:19:06 2013 -0500
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
+ Stephen Hemminger <stephen@networkplumber.org>
+ Subject: [PATCH 1/3] bridge: fix mdb info leaks
+ Date: Sat, 9 Mar 2013 16:52:19 +0100
+
+ The bridging code discloses heap and stack bytes via the RTM_GETMDB
+ netlink interface and via the notify messages send to group RTNLGRP_MDB
+ afer a successful add/del.
+
+ Fix both cases by initializing all unset members/padding bytes with
+ memset(0).
+
+ Cc: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
+ Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
+ Date: Sat, 9 Mar 2013 16:52:20 +0100
+
+ Initialize the mac address buffer with 0 as the driver specific function
+ will probably not fill the whole buffer. In fact, all in-kernel drivers
+ fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+ bytes. Therefore we currently leak 26 bytes of stack memory to userland
+ via the netlink interface.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
+ Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
+ Date: Sat, 9 Mar 2013 16:52:21 +0100
+
+ The dcb netlink interface leaks stack memory in various places:
+ * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
+ copied completely,
+ * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
+ so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
+ for ieee_pfc structs, etc.,
+ * the same is true for CEE -- no in-kernel driver fills the whole
+ struct,
+
+ Prevent all of the above stack info leaks by properly initializing the
+ buffers/structures involved.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/bridge/br_mdb.c | 4 ++++
+ net/core/rtnetlink.c | 1 +
+ net/dcb/dcbnl.c | 8 ++++++++
+ 3 files changed, 13 insertions(+), 0 deletions(-)
+
+commit 601dd446f896e3a362f706943df18a68d50420a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 9 09:35:25 2013 -0500
+
+ add open/close wrappers in __patch_text() as reported by Gu1 on IRC
+
+ arch/arm/kernel/patch.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ae39966fd85a493e9079b357e3faa62245a41222
+Author: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri Mar 8 12:43:27 2013 -0800
+
+ Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
+
+ ipc: don't allocate a copy larger than max
+
+ When MSG_COPY is set, a duplicate message must be allocated for the copy
+ before locking the queue. However, the copy could not be larger than was
+ sent which is limited to msg_ctlmax.
+
+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+ Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msg.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 61240e99650ea3e540a03a3e994349c5086f166b
+Author: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri Mar 8 12:43:26 2013 -0800
+
+ Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
+
+ ipc: fix potential oops when src msg > 4k w/ MSG_COPY
+
+ If the src msg is > 4k, then dest->next points to the
+ next allocated segment; resetting it just prior to dereferencing
+ is bad.
+
+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+ Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msgutil.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 51727f602a267f34fb2e0dc9557f1714028d51a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 22:14:06 2013 -0500
+
+ add missing 'else' in recent constify fixups
+
+ net/ipv4/ip_fragment.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
+Merge: 1580bb3 47c3f47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 18:18:37 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 18:17:22 2013 -0500
+
+ Update to pax-linux-3.8.2-test5.patch:
+ - fixed some fallout after the last round of constification changes, reported by several people
+
+ arch/arm/common/gic.c | 4 ++--
+ arch/arm/include/asm/hardware/gic.h | 3 ++-
+ arch/x86/include/asm/nmi.h | 2 +-
+ arch/x86/kernel/nmi.c | 2 +-
+ arch/x86/pci/irq.c | 2 +-
+ drivers/base/power/domain.c | 4 ++--
+ drivers/cpufreq/cpufreq_governor.c | 4 ++--
+ drivers/mfd/twl4030-irq.c | 1 +
+ drivers/video/vesafb.c | 7 +++++--
+ include/linux/irq.h | 1 +
+ include/linux/pm_domain.h | 2 +-
+ kernel/sched/core.c | 4 ++++
+ lib/Kconfig.debug | 4 ++--
+ net/core/sysctl_net_core.c | 2 +-
+ net/decnet/af_decnet.c | 1 +
+ net/ipv4/devinet.c | 2 +-
+ net/ipv4/ip_fragment.c | 2 +-
+ net/ipv4/route.c | 2 +-
+ net/ipv4/sysctl_net_ipv4.c | 2 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
+ net/ipv6/reassembly.c | 2 +-
+ scripts/sortextable.h | 6 +++---
+ 22 files changed, 36 insertions(+), 25 deletions(-)
+
+commit 1580bb38b4db0bf2a46316599815e8b234edad81
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 22:02:59 2013 -0500
+
+ add an additional open/close wrapper
+
+ kernel/sched/core.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 21622672d28d58e0d93a805cd1f9650a894a752a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 21:58:24 2013 -0500
+
+ fix oops at shutdown with new constify code
+
+ kernel/sched/core.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 21:18:44 2013 -0500
+
+ Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
+ it currently conflicts with some lock debugging options, so made as an
+ option to allow for debugging when necessary
+
+ Makefile | 2 --
+ lib/Kconfig.debug | 6 +++---
+ security/Kconfig | 18 ++++++++++++++++++
+ 3 files changed, 21 insertions(+), 5 deletions(-)
+
+commit 0885b00b8373a1597b69c38032a0c9eee279303b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:55:19 2013 -0500
+
+ disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify
+
+ lib/Kconfig.debug | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c8a2617165e7127a54f293cbf57d22d50dd83abd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:30:41 2013 -0500
+
+ Fix error:
+ drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
+ with cast and proper kernexec accessors
+
+ drivers/video/vesafb.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:20:28 2013 -0500
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:12:17 2013 -0500
+
+ fix compilation error -- no reason for task_pid_nr to not take a const task ptr
+
+ include/linux/sched.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
+Author: Kees Cook <keescook@chromium.org>
+Date: Mon Feb 25 21:32:25 2013 +0000
+
+ Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
+
+ proc connector: reject unprivileged listener bumps
+
+ While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
+ for an unprivileged user to turn off notifications for all listeners by
+ sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
+ required for a multicast bind.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Evgeniy Polyakov <zbr@ioremap.net>
+ Cc: Matt Helsley <matthltc@us.ibm.com>
+ Cc: stable@vger.kernel.org
+ Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+ Acked-by: Matt Helsley <matthltc@us.ibm.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/connector/cn_proc.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit ac6014ded57101e3e608941555ff507e20c1ece3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Feb 26 19:15:02 2013 +0000
+
+ Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
+
+ irda: small read beyond end of array in debug code
+
+ charset comes from skb->data. It's a number in the 0-255 range.
+ If we have debugging turned on then this could cause a read beyond
+ the end of the array.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/irda/iriap.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
+Author: Guenter Roeck <linux@roeck-us.net>
+Date: Wed Feb 27 10:57:31 2013 +0000
+
+ Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
+
+ net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
+
+ Building sctp may fail with:
+
+ In function ‘copy_from_user’,
+ inlined from ‘sctp_getsockopt_assoc_stats’ at
+ net/sctp/socket.c:5656:20:
+ arch/x86/include/asm/uaccess_32.h:211:26: error: call to
+ ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
+ buffer size is not provably correct
+
+ if built with W=1 due to a missing parameter size validation
+ before the call to copy_from_user.
+
+ Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri Mar 1 05:02:02 2013 +0000
+
+ Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
+
+ l2tp: Restore socket refcount when sendmsg succeeds
+
+ The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
+ reference counter after successful transmissions. Any successful
+ sendmsg() call from userspace will then increase the reference counter
+ forever, thus preventing the kernel's session and tunnel data from
+ being freed later on.
+
+ The problem only happens when writing directly on L2TP sockets.
+ PPP sockets attached to L2TP are unaffected as the PPP subsystem
+ uses pppol2tp_xmit() which symmetrically increase/decrease reference
+ counters.
+
+ This patch adds the missing call to sock_put() before returning from
+ pppol2tp_sendmsg().
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
+Author: Cong Wang <amwang@redhat.com>
+Date: Sun Mar 3 16:18:11 2013 +0000
+
+ Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
+
+ rds: limit the size allocated by rds_message_alloc()
+
+ Dave Jones reported the following bug:
+
+ "When fed mangled socket data, rds will trust what userspace gives it,
+ and tries to allocate enormous amounts of memory larger than what
+ kmalloc can satisfy."
+
+ WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+ Hardware name: GA-MA78GM-S2H
+ Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+ Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+ Call Trace:
+ [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
+ [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
+ [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
+ [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
+ [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
+ [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
+ [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
+ [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
+ [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
+ [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
+ [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
+ [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
+ [<ffffffff81567f30>] sys_sendto+0x130/0x180
+ [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
+ [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
+ [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
+ ---[ end trace eed6ae990d018c8b ]---
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Cc: Dave Jones <davej@redhat.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/rds/message.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
+Author: Cong Wang <amwang@redhat.com>
+Date: Sun Mar 3 16:28:27 2013 +0000
+
+ Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
+
+ sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
+
+ Don't definite its own MAX_KMALLOC_SIZE, use the one
+ defined in mm.
+
+ Cc: Vlad Yasevich <vyasevich@gmail.com>
+ Cc: Sridhar Samudrala <sri@us.ibm.com>
+ Cc: Neil Horman <nhorman@tuxdriver.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/ssnmap.c | 8 +++-----
+ 1 files changed, 3 insertions(+), 5 deletions(-)
+
+commit 4295a024e812f903fc580c81de5e81cc149503fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:57:49 2013 -0500
+
+ Upstream commit: https://lkml.org/lkml/2013/3/6/535
+
+ security/keys/process_keys.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 33edd486a9899a145a15586d7134636b0300aaee
+Merge: 4eeeaf3 a2a2094
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:53:00 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/include/asm/domain.h
+
+commit a2a20947f5e1332e474160a39af520738b3c8c19
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:51:04 2013 -0500
+
+ Update to pax-linux-3.8.2-test4.patch:
+ fixed arm compilation problems reported by Michael Tremer
+ - the constify plugin got smarter that enabled, with some additional patching,
+ the elimination of about half the static function pointers on amd64/allmod
+ (up from about 18%), depending on the kernel config it can be even more (70%)
+
+ Documentation/dontdiff | 2 +
+ arch/arm/include/asm/domain.h | 1 +
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/nmi.h | 4 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 2 +-
+ arch/x86/kernel/apic/io_apic.c | 10 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/i8259.c | 6 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/nmi.c | 6 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/irq.c | 6 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 2 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 4 +-
+ drivers/char/random.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 ++-
+ drivers/cpufreq/cpufreq.c | 7 +-
+ drivers/cpufreq/cpufreq_governor.c | 4 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/edac/edac_mc_sysfs.c | 2 +-
+ drivers/edac/edac_pci_sysfs.c | 2 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 2 +-
+ drivers/gpu/drm/drm_ioc32.c | 9 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 ++-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++--
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
+ drivers/mfd/twl4030-irq.c | 8 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/macvlan.c | 16 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 6 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa.h | 2 +-
+ drivers/staging/iio/iio_hwmon.c | 2 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 4 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 ++-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 4 +-
+ drivers/video/uvesafb.c | 14 +-
+ fs/exec.c | 6 +-
+ fs/ext4/super.c | 2 +-
+ fs/jfs/super.c | 4 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ include/drm/drmP.h | 12 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 2 +-
+ include/linux/binfmts.h | 2 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/irq.h | 2 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kobject.h | 1 +
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/list.h | 14 +-
+ include/linux/mod_devicetable.h | 2 +-
+ include/linux/module.h | 5 +-
+ include/linux/net.h | 2 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/platform_data/usb-exynos.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/rculist.h | 16 ++
+ include/linux/sched.h | 2 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 1 +
+ include/linux/xattr.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_vs.h | 4 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/net_namespace.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/xfrm.h | 4 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ kernel/kmod.c | 2 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/module.c | 4 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/rcutree_plugin.h | 2 +-
+ kernel/sched/core.c | 39 ++--
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 2 +-
+ kernel/sysctl.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ lib/Kconfig.debug | 2 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 57 ++++-
+ lib/swiotlb.c | 2 +-
+ mm/hugetlb.c | 16 +-
+ mm/memory-failure.c | 2 +-
+ mm/slab_common.c | 2 +-
+ net/9p/mod.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 11 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 15 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/devinet.c | 12 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/ip_fragment.c | 9 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/route.c | 14 +-
+ net/ipv4/sysctl_net_ipv4.c | 43 ++--
+ net/ipv6/addrconf.c | 4 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 6 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
+ net/ipv6/reassembly.c | 11 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/rds.h | 2 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/sysctl.c | 4 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/xfrm/xfrm_policy.c | 11 +-
+ net/xfrm/xfrm_state.c | 29 ++-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ security/apparmor/lsm.c | 2 +-
+ security/keys/key.c | 18 +-
+ security/yama/yama_lsm.c | 22 +-
+ tools/gcc/Makefile | 4 +-
+ tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------
+ tools/gcc/size_overflow_plugin.c | 7 +-
+ 248 files changed, 994 insertions(+), 668 deletions(-)
+
+commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:58:21 2013 -0500
+
+ Make slab_state __read_only, it's only written to during init
+
+ mm/slab_common.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:31:35 2013 -0500
+
+ Make two new helper functions:
+ gr_is_global_root() and gr_is_global_nonroot()
+
+ grsecurity/gracl.c | 10 +++++-----
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_link.c | 4 ++--
+ grsecurity/grsec_sig.c | 10 +++++-----
+ grsecurity/grsec_tpe.c | 6 +++---
+ include/linux/uidgid.h | 2 ++
+ 6 files changed, 18 insertions(+), 16 deletions(-)
+
+commit d45d88eddd4998b280b1e5b5384289ee11ca7088
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:14:41 2013 -0500
+
+ convert remaining task->pid to task_pid_nr(task)
+
+ grsecurity/gracl.c | 22 +++++++++++-----------
+ grsecurity/gracl_shm.c | 2 +-
+ grsecurity/grsec_chroot.c | 4 ++--
+ grsecurity/grsec_sig.c | 4 ++--
+ 4 files changed, 16 insertions(+), 16 deletions(-)
+
+commit c877f2ece03ee2232dd281c1977ae59507297124
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 5 17:29:54 2013 -0500
+
+ compat-log is only used anymore by vm86-on-64bit and allows unlimited
+ spamming of the kernel log buffer (and since it includes the changable
+ process name, can avoid syslog log deduplication)
+ Turn it off by default
+
+ fs/compat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 7c1964c4b7276889d7967bee70e46918cdca1b14
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 4 17:19:10 2013 -0500
+
+ fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
+ is enabled, introduced with recent userns support
+
+ init/main.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 18:46:12 2013 -0500
+
+ Prevent TOMOYO from auto-loading modules by unprivileged users
+ (Only reachable if TOMOYO is actually used)
+
+ security/tomoyo/mount.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 79e142f9455b398759ff9d93d4963a21b98dddda
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 18:28:45 2013 -0500
+
+ For now, don't permit any special access to /proc in a user namespace
+ Later we can go back and allow a userns-uid0 special access to a /proc
+ with a non-global pid namespace
+
+ fs/proc/base.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8b91fb393049ce5f3c0a86f62247409853fd9700
+Merge: d931eb8 603ef05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:42:09 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:41:31 2013 -0500
+
+ Fix compilation error on ARM reported by Michael Tremer
+
+ arch/arm/mach-omap2/wd_timer.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit b4c9ce81fdd7839a150c97873c710c479e788280
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:39:53 2013 -0500
+
+ Fix compilation error on ARM reported by Michael Tremer
+
+ arch/arm/kernel/armksyms.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d931eb81ab3da46896268fd61373a6aa7bbea930
+Merge: bfa7f44 5948f93
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:34:36 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
+Merge: ab30472 19b00d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:34:08 2013 -0500
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 15:12:12 2013 -0500
+
+ Initial support for user namespaces, as we previously didn't allow
+ the option to be enabled at all.
+
+ RBAC will act on the global uids/gids only, so all uids/gids in user
+ namespaces will be converted
+
+ Because Eric Biederman is insulted that I didn't support his
+ backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN
+ check in for user namespaces, so this is generally irrelevant.
+
+ fs/exec.c | 6 +-
+ fs/proc/base.c | 2 +-
+ fs/proc/proc_net.c | 4 +-
+ grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++-------------
+ grsecurity/gracl_cap.c | 4 +-
+ grsecurity/gracl_ip.c | 16 +++---
+ grsecurity/gracl_segv.c | 12 +++-
+ grsecurity/gracl_shm.c | 4 +-
+ grsecurity/grsec_disabled.c | 10 ++--
+ grsecurity/grsec_fifo.c | 6 +-
+ grsecurity/grsec_init.c | 24 ++++----
+ grsecurity/grsec_log.c | 3 -
+ grsecurity/grsec_tpe.c | 6 +-
+ include/linux/grinternal.h | 12 ++--
+ include/linux/grsecurity.h | 12 ++--
+ include/linux/uidgid.h | 3 +
+ init/Kconfig | 2 -
+ ipc/shm.c | 2 +-
+ kernel/cred.c | 5 +-
+ kernel/kallsyms.c | 2 +-
+ kernel/kmod.c | 6 +-
+ kernel/sys.c | 12 ++--
+ 22 files changed, 166 insertions(+), 115 deletions(-)
+
+commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed Feb 27 08:36:04 2013 -0800
+
+ Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
+
+ mm: do not grow the stack vma just because of an overrun on preceding vma
+
+ The stack vma is designed to grow automatically (marked with VM_GROWSUP
+ or VM_GROWSDOWN depending on architecture) when an access is made beyond
+ the existing boundary. However, particularly if you have not limited
+ your stack at all ("ulimit -s unlimited"), this can cause the stack to
+ grow even if the access was really just one past *another* segment.
+
+ And that's wrong, especially since we first grow the segment, but then
+ immediately later enforce the stack guard page on the last page of the
+ segment. So _despite_ first growing the stack segment as a result of
+ the access, the kernel will then make the access cause a SIGSEGV anyway!
+
+ So do the same logic as the guard page check does, and consider an
+ access to within one page of the next segment to be a bad access, rather
+ than growing the stack to abut the next segment.
+
+ Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmap.c | 27 +++++++++++++++++++++++++++
+ 1 files changed, 27 insertions(+), 0 deletions(-)
+
+commit 5596211af754867ca825f58e6e0300a8439950fe
+Author: H. Peter Anvin <hpa@linux.intel.com>
+Date: Wed Feb 27 12:46:40 2013 -0800
+
+ Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
+
+ x86: Make sure we can boot in the case the BDA contains pure garbage
+
+ On non-BIOS platforms it is possible that the BIOS data area contains
+ garbage instead of being zeroed or something equivalent (firmware
+ people: we are talking of 1.5K here, so please do the sane thing.)
+
+ We need on the order of 20-30K of low memory in order to boot, which
+ may grow up to < 64K in the future. We probably want to avoid the
+ lowest of the low memory. At the same time, it seems extremely
+ unlikely that a legitimate EBDA would ever reach down to the 128K
+ (which would require it to be over half a megabyte in size.) Thus,
+ pick 128K as the cutoff for "this is insane, ignore." We may still
+ end up reserving a bunch of extra memory on the low megabyte, but that
+ is not really a major issue these days. In the worst case we lose
+ 512K of RAM.
+
+ This code really should be merged with trim_bios_range() in
+ arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
+ window.
+
+ Reported-by: Darren Hart <dvhart@linux.intel.com>
+ Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+ Cc: Matt Fleming <matt.fleming@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
+
+ arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
+ 1 files changed, 34 insertions(+), 19 deletions(-)
+
+commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Wed Feb 27 17:05:46 2013 -0800
+
+ Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
+
+ memstick: move the dereference below the NULL test
+
+ The dereference should be moved below the NULL test.
+
+ spatch with a semantic match is used to found this.
+ (http://coccinelle.lip6.fr/)
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Cc: Maxim Levitsky <maximlevitsky@gmail.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/memstick/host/r592.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Feb 27 17:05:21 2013 -0800
+
+ Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
+
+ sysctl: fix null checking in bin_dn_node_address()
+
+ The null check of `strchr() + 1' is broken, which is always non-null,
+ leading to OOB read. Instead, check the result of strchr().
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sysctl_binary.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 7ca96db0817416fd40761e7437d1939fc0731380
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed Feb 27 17:03:34 2013 -0800
+
+ Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
+
+ idr: fix a subtle bug in idr_get_next()
+
+ The iteration logic of idr_get_next() is borrowed mostly verbatim from
+ idr_for_each(). It walks down the tree looking for the slot matching
+ the current ID. If the matching slot is not found, the ID is
+ incremented by the distance of single slot at the given level and
+ repeats.
+
+ The implementation assumes that during the whole iteration id is aligned
+ to the layer boundaries of the level closest to the leaf, which is true
+ for all iterations starting from zero or an existing element and thus is
+ fine for idr_for_each().
+
+ However, idr_get_next() may be given any point and if the starting id
+ hits in the middle of a non-existent layer, increment to the next layer
+ will end up skipping the same offset into it. For example, an IDR with
+ IDs filled between [64, 127] would look like the following.
+
+ [ 0 64 ... ]
+ /----/ |
+ | |
+ NULL [ 64 ... 127 ]
+
+ If idr_get_next() is called with 63 as the starting point, it will try
+ to follow down the pointer from 0. As it is NULL, it will then try to
+ proceed to the next slot in the same level by adding the slot distance
+ at that level which is 64 - making the next try 127. It goes around the
+ loop and finds and returns 127 skipping [64, 126].
+
+ Note that this bug also triggers in idr_for_each_entry() loop which
+ deletes during iteration as deletions can make layers go away leaving
+ the iteration with unaligned ID into missing layers.
+
+ Fix it by ensuring proceeding to the next slot doesn't carry over the
+ unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
+ id += slot_distance.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-by: David Teigland <teigland@redhat.com>
+ Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/idr.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+commit 745362f28034f54242ba2e64eaa7374ab9869613
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 1 20:31:42 2013 -0500
+
+ Fix dentry use-after-free after failed complete_walk() with RBAC enabled
+ Many thanks to zakalwe from #grsecurity for the report and debugging help
+
+ fs/namei.c | 8 +++-----
+ 1 files changed, 3 insertions(+), 5 deletions(-)
+
+commit b53b3b14330920c6f7cfb74c8508a3026e1be620
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 18:29:26 2013 -0500
+
+ Fix bad git merge
+
+ fs/namespace.c | 8 --------
+ 1 files changed, 0 insertions(+), 8 deletions(-)
+
+commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
+Merge: 1cce1dd ab30472
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 17:45:14 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ net/core/sock_diag.c
+
+commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
+Merge: 4b61d21 4c91a0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 17:43:56 2013 -0500
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 22:20:22 2013 -0500
+
+ add compiler.h to sysrq.h to fix compilation problem reported by micu on forums
+
+ include/linux/sysrq.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 17:52:31 2013 -0500
+
+ declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel
+
+ kernel/printk.c | 12 +++++++-----
+ 1 files changed, 7 insertions(+), 5 deletions(-)
+
+commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 17:23:46 2013 -0500
+
+ Fix upstream vulnerability from addition of a /dev/kmsg device
+ while neglecting to add the same set of existing permission checks
+ from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG.
+ A temporary workaround without this patch would be to
+ chmod 0600 /dev/kmsg (and is likely a good idea anyway).
+
+ Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
+ Initially reported to Redhat bugzilla by Christian Kujau:
+ https://bugzilla.redhat.com/show_bug.cgi?id=903192
+
+ kernel/printk.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 66c04806f5660988c3cb4855e60de294e77e3d0e
+Author: David Howells <dhowells@redhat.com>
+Date: Thu Feb 21 12:00:25 2013 +0000
+
+ Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
+
+ KEYS: Revert one application of "Fix unreachable code" patch
+
+ A patch to fix some unreachable code in search_my_process_keyrings() got
+ applied twice by two different routes upstream as commits e67eab39bee2
+ and b010520ab3d2 (both "fix unreachable code").
+
+ Unfortunately, the second application removed something it shouldn't
+ have and this wasn't detected by GIT. This is due to the patch not
+ having sufficient lines of context to distinguish the two places of
+ application.
+
+ The effect of this is relatively minor: inside the kernel, the keyring
+ search routines may search multiple keyrings and then prioritise the
+ errors if no keys or negative keys are found in any of them. With the
+ extra deletion, the presence of a negative key in the thread keyring
+ (causing ENOKEY) is incorrectly overridden by an error searching the
+ process keyring.
+
+ So revert the second application of the patch.
+
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Cc: Jiri Kosina <jkosina@suse.cz>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ security/keys/process_keys.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Thu Feb 21 16:42:43 2013 -0800
+
+ Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
+
+ configfs: move the dereference below the NULL test
+
+ The dereference should be moved below the NULL test.
+
+ spatch with a semantic match is used to found this.
+ (http://coccinelle.lip6.fr/)
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Cc: Joel Becker <jlbec@evilplan.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/configfs/dir.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
+Author: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Sun Feb 24 20:06:09 2013 -0500
+
+ Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
+
+ tty vt: fix character insertion overflow
+
+ Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
+ command line edition") broke insert_char() in multiple ways. Then
+ commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
+ partially fixed it. However, the buffer being moved is still too large
+ and overflowing beyond the end of the current line, corrupting existing
+ characters on the next line.
+
+ Example test case:
+
+ echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
+
+ Expected result:
+
+ ab c
+ de
+
+ Current result:
+
+ ab c
+ e
+
+ Needless to say that this is very annoying when inserting words in the
+ middle of paragraphs with certain text editors.
+
+ Signed-off-by: Nicolas Pitre <nico@linaro.org>
+ Cc: Jean-François Moine <moinejf@free.fr>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/tty/vt/vt.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6cda35071669b4aabde081bd039e0ffea36f997a
+Author: Robin Holt <holt@sgi.com>
+Date: Fri Feb 22 16:35:34 2013 -0800
+
+ Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
+
+ mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
+
+ There is a race condition between mmu_notifier_unregister() and
+ __mmu_notifier_release().
+
+ Assume two tasks, one calling mmu_notifier_unregister() as a result of a
+ filp_close() ->flush() callout (task A), and the other calling
+ mmu_notifier_release() from an mmput() (task B).
+
+ A B
+ t1 srcu_read_lock()
+ t2 if (!hlist_unhashed())
+ t3 srcu_read_unlock()
+ t4 srcu_read_lock()
+ t5 hlist_del_init_rcu()
+ t6 synchronize_srcu()
+ t7 srcu_read_unlock()
+ t8 hlist_del_rcu() <--- NULL pointer deref.
+
+ Additionally, the list traversal in __mmu_notifier_release() is not
+ protected by the by the mmu_notifier_mm->hlist_lock which can result in
+ callouts to the ->release() notifier from both mmu_notifier_unregister()
+ and __mmu_notifier_release().
+
+ -stable suggestions:
+
+ The stable trees prior to 3.7.y need commits 21a92735f660 and
+ 70400303ce0c cherry-picked in that order prior to cherry-picking this
+ commit. The 3.7.y tree already has those two commits.
+
+ Signed-off-by: Robin Holt <holt@sgi.com>
+ Cc: Andrea Arcangeli <aarcange@redhat.com>
+ Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+ Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+ Cc: Avi Kivity <avi@redhat.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Marcelo Tosatti <mtosatti@redhat.com>
+ Cc: Sagi Grimberg <sagig@mellanox.co.il>
+ Cc: Haggai Eran <haggaie@mellanox.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++--------------------------
+ 1 files changed, 42 insertions(+), 40 deletions(-)
+
+commit bf5167ed78ba6131c6874887f714bda50c2cab83
+Author: Mike Galbraith <bitbucket@online.de>
+Date: Mon Jan 28 12:19:25 2013 +0100
+
+ Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
+
+ sched: Fix select_idle_sibling() bouncing cow syndrome
+
+ If the previous CPU is cache affine and idle, select it.
+
+ The current implementation simply traverses the sd_llc domain,
+ taking the first idle CPU encountered, which walks buddy pairs
+ hand in hand over the package, inflicting excruciating pain.
+
+ 1 tbench pair (worst case) in a 10 core + SMT package:
+
+ pre 15.22 MB/sec 1 procs
+ post 252.01 MB/sec 1 procs
+
+ Signed-off-by: Mike Galbraith <bitbucket@online.de>
+ Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ kernel/sched/fair.c | 21 +++++++--------------
+ 1 files changed, 7 insertions(+), 14 deletions(-)
+
+commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Fri Dec 28 18:58:39 2012 -0800
+
+ Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
+
+ userns: Avoid recursion in put_user_ns
+
+ When freeing a deeply nested user namespace free_user_ns calls
+ put_user_ns on it's parent which may in turn call free_user_ns again.
+ When -fno-optimize-sibling-calls is passed to gcc one stack frame per
+ user namespace is left on the stack, potentially overflowing the
+ kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
+ so we can't count on gcc to optimize this code.
+
+ Remove struct kref and use a plain atomic_t. Making the code more
+ flexible and easier to comprehend. Make the loop in free_user_ns
+ explict to guarantee that the stack does not overflow with
+ CONFIG_FRAME_POINTER enabled.
+
+ I have tested this fix with a simple program that uses unshare to
+ create a deeply nested user namespace structure and then calls exit.
+ With 1000 nesteuser namespaces before this change running my test
+ program causes the kernel to die a horrible death. With 10,000,000
+ nested user namespaces after this change my test program runs to
+ completion and causes no harm.
+
+ Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+ Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+
+ include/linux/user_namespace.h | 10 +++++-----
+ kernel/user.c | 4 +---
+ kernel/user_namespace.c | 17 +++++++++--------
+ 3 files changed, 15 insertions(+), 16 deletions(-)
+
+commit 81501c7106ccc186c94806f4db954626295b5ebe
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Feb 26 17:12:30 2013 -0500
+
+ Pass the same flags to kern_path_create as the original function
+
+ fs/namei.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a677c8eee35afe48868f92c7d6745bfe809cd481
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri Feb 22 22:45:42 2013 -0500
+
+ Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
+
+ get rid of unprotected dereferencing of mnt->mnt_ns
+
+ It's safe only under namespace_sem or vfsmount_lock; all places
+ in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
+ current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
+ there).
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/namespace.c | 29 +++++++++++++++++------------
+ 1 files changed, 17 insertions(+), 12 deletions(-)
+
+commit 89298124d0c96dc34a60377e7a1308f8f532ff75
+Author: Greg Thelen <gthelen@google.com>
+Date: Fri Feb 22 16:36:01 2013 -0800
+
+ Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
+
+ tmpfs: fix use-after-free of mempolicy object
+
+ The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
+ option is not specified in the remount request. A new policy can be
+ specified if mpol=M is given.
+
+ Before this patch remounting an mpol bound tmpfs without specifying
+ mpol= mount option in the remount request would set the filesystem's
+ mempolicy object to a freed mempolicy object.
+
+ To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
+ # mkdir /tmp/x
+
+ # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
+
+ # grep /tmp/x /proc/mounts
+ nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
+
+ # mount -o remount,size=200M nodev /tmp/x
+
+ # grep /tmp/x /proc/mounts
+ nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
+ # note ? garbage in mpol=... output above
+
+ # dd if=/dev/zero of=/tmp/x/f count=1
+ # panic here
+
+ Panic:
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [< (null)>] (null)
+ [...]
+ Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
+ Call Trace:
+ mpol_shared_policy_init+0xa5/0x160
+ shmem_get_inode+0x209/0x270
+ shmem_mknod+0x3e/0xf0
+ shmem_create+0x18/0x20
+ vfs_create+0xb5/0x130
+ do_last+0x9a1/0xea0
+ path_openat+0xb3/0x4d0
+ do_filp_open+0x42/0xa0
+ do_sys_open+0xfe/0x1e0
+ compat_sys_open+0x1b/0x20
+ cstar_dispatch+0x7/0x1f
+
+ Non-debug kernels will not crash immediately because referencing the
+ dangling mpol will not cause a fault. Instead the filesystem will
+ reference a freed mempolicy object, which will cause unpredictable
+ behavior.
+
+ The problem boils down to a dropped mpol reference below if
+ shmem_parse_options() does not allocate a new mpol:
+
+ config = *sbinfo
+ shmem_parse_options(data, &config, true)
+ mpol_put(sbinfo->mpol)
+ sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */
+
+ This patch avoids the crash by not releasing the mempolicy if
+ shmem_parse_options() doesn't create a new mpol.
+
+ How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
+ not look back further.
+
+ Signed-off-by: Greg Thelen <gthelen@google.com>
+ Acked-by: Hugh Dickins <hughd@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/shmem.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 23 11:08:05 2013 -0500
+
+ Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+ with a family greater or equal then AF_MAX -- the array size of
+ sock_diag_handlers[]. The current code does not test for this
+ condition therefore is vulnerable to an out-of-bound access opening
+ doors for a privilege escalation.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
+ make the code less readable. Get rid of them and make the lock usage
+ and access to sock_diag_handlers[] clear on the first sight.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/core/sock_diag.c | 27 ++++++++++-----------------
+ 1 files changed, 10 insertions(+), 17 deletions(-)
+
+commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 23 10:58:52 2013 -0500
+
+ Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined
+
+ arch/arm/include/asm/domain.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 7b729586eb81f344fdedf0942fab0acc738a6725
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 22 19:02:51 2013 -0500
+
+ Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users.
+
+ kernel/fork.c | 17 +++++++++++++++++
+ 1 files changed, 17 insertions(+), 0 deletions(-)
+
+commit fadc560d0c486af88da83177735f5515e88acdcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:06:48 2013 -0500
+
+ put is_hugetlbfs_mnt inside ifdefs
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 8252176922d405484f986eb2cc350b7cd3ae586e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:02:07 2013 -0500
+
+ remove unused label
+
+ kernel/module.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit dad4a980f0b625059e215d13da728aa7fd02a374
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:00:52 2013 -0500
+
+ compile fix
+
+ fs/open.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 22:57:49 2013 -0500
+
+ remove kmalloc_array_error for the same reasons as kcalloc_error
+
+ include/linux/slab.h | 9 ---------
+ 1 files changed, 0 insertions(+), 9 deletions(-)
+
+commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 22:49:35 2013 -0500
+
+ Initial port of grsecurity for Linux 3.8
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 10 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 14 +-
+ arch/arm/include/asm/cache.h | 2 +
+ arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 27 +-
+ arch/arm/mm/mmap.c | 6 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 7 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 3 +-
+ arch/ia64/mm/hugetlbpage.c | 3 +-
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 3 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 19 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/thread_info.h | 8 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/powerpc/mm/slice.c | 8 +-
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 8 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 6 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/Kconfig.debug | 2 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 14 +-
+ arch/x86/kernel/sys_x86_64.c | 3 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 3 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 126 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ crypto/ablkcipher.c | 12 +-
+ crypto/aead.c | 9 +-
+ crypto/ahash.c | 2 +-
+ crypto/blkcipher.c | 6 +-
+ crypto/crypto_user.c | 38 +-
+ crypto/pcompress.c | 3 +-
+ crypto/rng.c | 2 +-
+ crypto/shash.c | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 5 +
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 6 +
+ fs/btrfs/inode.c | 10 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 18 +
+ fs/coredump.c | 10 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 155 +-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 5 +
+ fs/fs_struct.c | 26 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 269 ++-
+ fs/namespace.c | 24 +
+ fs/open.c | 38 +
+ fs/pipe.c | 2 +-
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 +-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 17 +
+ fs/proc/internal.h | 3 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ grsecurity/Kconfig | 1021 +++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4017 ++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 +++
+ grsecurity/gracl_ip.c | 384 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 299 ++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 357 ++
+ grsecurity/grsec_disabled.c | 434 +++
+ grsecurity/grsec_exec.c | 174 +
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 ++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 329 ++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 222 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 +++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/gracl.h | 319 ++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 +
+ include/linux/grinternal.h | 215 ++
+ include/linux/grmsg.h | 111 +
+ include/linux/grsecurity.h | 257 ++
+ include/linux/grsock.h | 19 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/printk.h | 3 +-
+ include/linux/proc_fs.h | 12 +
+ include/linux/sched.h | 66 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/vermagic.h | 9 +-
+ include/trace/events/fs.h | 53 +
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 5 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 109 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 24 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 71 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 80 +-
+ kernel/panic.c | 4 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 8 +
+ kernel/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 38 +-
+ kernel/sysctl.c | 39 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 3 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ lib/vsprintf.c | 35 +-
+ localversion-grsec | 1 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 62 +-
+ mm/mprotect.c | 8 +
+ mm/page_alloc.c | 6 +
+ mm/process_vm_access.c | 6 +
+ mm/shmem.c | 2 +-
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev.c | 9 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 7 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netfilter/xt_gradm.c | 51 +
+ net/netrom/af_netrom.c | 2 +-
+ net/phonet/af_phonet.c | 4 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 62 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 19 +
+ security/Kconfig | 320 ++-
+ security/apparmor/lsm.c | 2 +-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/yama/Kconfig | 2 +-
+ tools/gcc/Makefile | 2 +-
+ 286 files changed, 15083 insertions(+), 2067 deletions(-)
+
+commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 20 21:00:42 2013 -0500
+
+ Initial import of pax-linux-3.8-test3.patch
+
+ Documentation/dontdiff | 43 +-
+ Documentation/kernel-parameters.txt | 7 +
+ Makefile | 97 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 10 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 421 +++-
+ arch/arm/include/asm/cache.h | 3 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/delay.h | 8 +-
+ arch/arm/include/asm/domain.h | 32 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 4 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 4 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 10 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 8 +-
+ arch/arm/kernel/vmlinux.lds.S | 20 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 14 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-ux500/include/mach/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/fault.c | 78 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 36 +-
+ arch/arm/mm/mmu.c | 186 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 7 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 28 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 13 +-
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/hugetlbpage.c | 2 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 6 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/uaccess.h | 142 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 23 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 8 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 ++
+ arch/sparc/mm/fault_64.c | 486 +++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 6 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 4 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 31 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 3 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 12 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 ++-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 ++-
+ arch/x86/include/asm/bitops.h | 2 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 65 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/io.h | 13 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/page_64_types.h | 2 +-
+ arch/x86/include/asm/paravirt.h | 44 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 110 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 6 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 29 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 63 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 ++-
+ arch/x86/kernel/entry_64.S | 512 +++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head32.c | 4 +-
+ arch/x86/kernel/head_32.S | 237 ++-
+ arch/x86/kernel/head_64.S | 158 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 10 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes-opt.c | 12 +-
+ arch/x86/kernel/kprobes.c | 30 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 11 +
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/process.c | 57 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 4 +-
+ arch/x86/kernel/setup.c | 14 +-
+ arch/x86/kernel/setup_percpu.c | 27 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 247 ++
+ arch/x86/kernel/sys_x86_64.c | 19 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 47 +-
+ arch/x86/kvm/x86.c | 10 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 68 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 376 ++-
+ arch/x86/lib/usercopy_64.c | 25 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 555 +++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 92 +-
+ arch/x86/mm/init_32.c | 122 +-
+ arch/x86/mm/init_64.c | 48 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 12 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 19 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 4 +-
+ arch/x86/realmode/init.c | 8 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/relocs.c | 95 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_driver.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/devtmpfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 18 +-
+ drivers/block/loop.c | 2 +-
+ drivers/cdrom/cdrom.c | 9 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 41 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 8 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm.c | 2 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clocksource/arm_generic.c | 2 +-
+ drivers/cpufreq/cpufreq.c | 2 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_pci_sysfs.c | 20 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-cdev.c | 3 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efivars.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 4 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 4 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 6 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 9 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/devices/doc2000.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 2 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/scsi/bfa/bfa.h | 2 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/ramster/tmem.c | 54 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/udlfb.c | 32 +-
+ drivers/video/uvesafb.c | 39 +-
+ drivers/video/vesafb.c | 51 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 11 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 604 ++++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/relocation.c | 2 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 8 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/ecryptfs/read_write.c | 4 +-
+ fs/exec.c | 356 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/fhandle.c | 3 +-
+ fs/fifo.c | 22 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 2 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 33 +-
+ fs/proc/array.c | 20 +
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 36 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 ++
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 5 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/linux/atmdev.h | 2 +-
+ include/linux/binfmts.h | 1 +
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 72 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/ftrace_event.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 3 +
+ include/linux/mm.h | 91 +-
+ include/linux/mm_types.h | 22 +-
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 4 +-
+ include/linux/module.h | 55 +-
+ include/linux/moduleloader.h | 18 +-
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/perf_event.h | 10 +-
+ include/linux/pipe_fs_i.h | 6 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 64 +-
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 36 +-
+ include/linux/slab_def.h | 33 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 10 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/clnt.h | 8 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sysrq.h | 2 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 12 +-
+ include/linux/usb.h | 2 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-ioctl.h | 1 -
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/gro_cells.h | 6 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 4 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 6 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/structs.h | 4 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 4 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 24 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 22 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 40 +-
+ init/main.c | 78 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 40 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 28 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 2 +-
+ kernel/kprobes.c | 8 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 333 ++-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 7 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 20 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 6 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 72 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 18 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 2 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/softirq.c | 16 +-
+ kernel/srcu.c | 6 +-
+ kernel/stop_machine.c | 2 +-
+ kernel/sys.c | 12 +-
+ kernel/sysctl.c | 37 +-
+ kernel/sysctl_binary.c | 14 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 4 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 20 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 6 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/list_debug.c | 89 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 54 +
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 18 +-
+ mm/memory.c | 404 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 16 +-
+ mm/mmap.c | 573 +++-
+ mm/mprotect.c | 138 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 11 +-
+ mm/page-writeback.c | 2 +-
+ mm/page_alloc.c | 14 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 104 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 9 +-
+ mm/slob.c | 200 +-
+ mm/slub.c | 98 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 82 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/rtnetlink.c | 2 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 2 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 2 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv6/addrconf.c | 2 +-
+ net/ipv6/ip6_gre.c | 2 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/udp.c | 8 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 4 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 14 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 2 +-
+ net/sctp/protocol.c | 8 +-
+ net/sctp/socket.c | 2 +
+ net/socket.c | 34 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 16 +-
+ net/xfrm/xfrm_state.c | 4 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/pnmtologo.c | 6 +-
+ security/Kconfig | 654 ++++-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 43 +
+ tools/gcc/checker_plugin.c | 171 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 359 +++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 +++
+ tools/gcc/latent_entropy_plugin.c | 321 ++
+ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1311 files changed, 26668 insertions(+), 6394 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
+Merge: c3ccfb2 777e08c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:49:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:47:32 2013 -0400
+
+ Update to pax-linux-3.10.11-test26.patch:
+ - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
+ - fixed an uninitialized read in splice, reported by hunger
+
+ fs/splice.c | 1 +
+ include/linux/syscalls.h | 14 +-
+ tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++----------------
+ 3 files changed, 247 insertions(+), 194 deletions(-)
+
+commit 5c3161364270c842d901789faac731f79a9f9cd6
+Merge: cf9c476 85cdabb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:24:25 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit c3ccfb29794a03413095422100ce90d40ef7df0f
+Author: Jakob Bornecrantz <jakob@vmware.com>
+Date: Thu Aug 29 02:32:53 2013 +0200
+
+ Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
+
+ drm/vmwgfx: Split GMR2_REMAP commands if they are to large
+
+ This fixes the piglit test texturing/max-texture-size
+ causing the VM to die due to a too large SVGA command.
+
+ Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
+ Reviewed-by: Biran Paul <brianp@vmware.com>
+ Reviewed-by: Zack Rusin <zackr@vmware.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dave Airlie <airlied@gmail.com>
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
+ 1 files changed, 39 insertions(+), 19 deletions(-)
+
+commit d260badf708d6aa16c44f56f54727532dcae826e
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Tue Sep 3 19:29:12 2013 +0200
+
+ Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
+
+ net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
+
+ In tcp_v6_do_rcv() code, when processing pkt options, we soley work
+ on our skb clone opt_skb that we've created earlier before entering
+ tcp_rcv_established() on our way. However, only in condition ...
+
+ if (np->rxopt.bits.rxtclass)
+ np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
+
+ ... we work on skb itself. As we extract every other information out
+ of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
+ already be released by tcp_rcv_established() earlier on. When we try
+ to access it in ipv6_hdr(), we will dereference freed skb.
+
+ [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
+ IP_PKTOPTIONS") ]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jiri Benc <jbenc@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 29 11:47:00 2013 +0300
+
+ Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
+
+ mISDN: return -EINVAL on error in dsp_control_req()
+
+ If skb->len is too short then we should return an error. Otherwise we
+ read beyond the end of skb->data for several bytes.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/mISDN/dsp_core.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:36:23 2013 -0400
+
+ fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit da68dbcd96c617923a0aedb177d36b2701f9c858
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:17:02 2013 -0400
+
+ Allow the deny_new_usb sysctl to be toggled off by a user with
+ CAP_SYS_ADMIN. This allows for more inventive uses of the feature
+ that would be impossible otherwise (like toggling it while the screen is
+ locked, etc)
+
+ grsecurity/grsec_sysctl.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit ce0e893adc830ee110f97071cc17e661fb35ae3d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 18:41:49 2013 -0400
+
+ Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
+ GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
+ users who know they want the functionality but don't want to bother
+ with modifying init scripts
+
+ Also eliminate reset_security_ops() as a ROP target when
+ SECURITY_SELINUX_DISABLE is disabled as it's the only user
+
+ grsecurity/Kconfig | 17 ++++++++++++++++-
+ grsecurity/grsec_init.c | 3 +++
+ grsecurity/grsec_sysctl.c | 2 +-
+ security/security.c | 4 ++++
+ 4 files changed, 24 insertions(+), 2 deletions(-)
+
+commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
+Merge: 7ee3899 cf9c476
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 1 13:56:57 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 1 13:56:16 2013 -0400
+
+ Update to pax-linux-3.10.10-test25.patch:
+ - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
+ - got inet_getid and ipv6_select_ident rid of the cmpxchg loop
+
+ block/blk-cgroup.c | 4 ++--
+ drivers/video/hyperv_fb.c | 4 ++--
+ fs/namespace.c | 4 ++--
+ include/net/inetpeer.h | 13 +++++--------
+ kernel/trace/trace_clock.c | 4 ++--
+ net/ipv6/output_core.c | 15 ++++++---------
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
+ 7 files changed, 21 insertions(+), 27 deletions(-)
+
+commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
+Merge: fd0338c 2bdeae7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 22:07:38 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 22:06:55 2013 -0400
+
+ Update to pax-linux-3.10.10-test24.patch:
+ - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
+ - fixed a bunch more after a quick audit of atomic_inc_return users
+
+ drivers/acpi/apei/ghes.c | 4 ++--
+ drivers/ata/libata-core.c | 4 ++--
+ drivers/ata/libata-scsi.c | 2 +-
+ drivers/ata/libata.h | 2 +-
+ drivers/block/drbd/drbd_nl.c | 4 ++--
+ drivers/crypto/hifn_795x.c | 4 ++--
+ drivers/edac/edac_device.c | 4 ++--
+ drivers/edac/edac_pci.c | 4 ++--
+ drivers/firewire/core-card.c | 4 ++--
+ drivers/hv/hv_balloon.c | 18 +++++++++---------
+ drivers/infiniband/hw/mlx4/mad.c | 2 +-
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
+ drivers/input/misc/ims-pcu.c | 4 ++--
+ drivers/input/serio/serio_raw.c | 4 ++--
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ drivers/media/radio/radio-maxiradio.c | 2 +-
+ drivers/media/radio/radio-shark.c | 2 +-
+ drivers/media/radio/radio-shark2.c | 2 +-
+ drivers/media/radio/radio-si476x.c | 2 +-
+ drivers/media/rc/rc-main.c | 4 ++--
+ drivers/media/v4l2-core/v4l2-device.c | 4 ++--
+ drivers/net/usb/sierra_net.c | 4 ++--
+ drivers/pci/hotplug/pciehp_hpc.c | 4 +---
+ drivers/regulator/core.c | 4 ++--
+ drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------
+ drivers/staging/android/timed_output.c | 6 +++---
+ drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10.h | 2 +-
+ drivers/target/sbp/sbp_target.c | 4 ++--
+ drivers/tty/hvc/hvsi.c | 12 ++++++------
+ drivers/tty/hvc/hvsi_lib.c | 6 +++---
+ drivers/tty/serial/ioc4_serial.c | 6 +++---
+ drivers/tty/serial/msm_serial.c | 4 ++--
+ drivers/usb/misc/appledisplay.c | 4 ++--
+ fs/afs/inode.c | 4 ++--
+ fs/btrfs/delayed-inode.c | 6 +++---
+ fs/btrfs/delayed-inode.h | 4 ++--
+ fs/fscache/cookie.c | 4 ++--
+ include/media/v4l2-device.h | 2 +-
+ net/ceph/messenger.c | 4 ++--
+ net/core/netpoll.c | 4 ++--
+ net/xfrm/xfrm_state.c | 4 ++--
+ security/selinux/avc.c | 6 +++---
+ 43 files changed, 93 insertions(+), 95 deletions(-)
+
+commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
+Merge: 1bdf7ec 85099d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 21:07:29 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 21:06:55 2013 -0400
+
+ Update to pax-linux-3.10.10-test23.patch:
+ - added the necessary atomic_unchecked_t conversion for mips
+ - audited and fixed arm and sparc for proper atomic_unchecked_t usage
+
+ arch/arm/kvm/arm.c | 8 ++++----
+ arch/arm/mm/context.c | 10 +++++-----
+ arch/mips/kernel/irq.c | 6 +++---
+ arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------
+ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++---
+ arch/sparc/kernel/smp_64.c | 12 ++++++------
+ arch/sparc/kernel/traps_64.c | 14 +++++++-------
+ arch/sparc/mm/init_64.c | 10 +++++-----
+ 8 files changed, 45 insertions(+), 45 deletions(-)
+
+commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
+Merge: 995a168 38ee86c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 19:23:36 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 19:23:11 2013 -0400
+
+ Update to pax-linux-3.10.10-test22.patch:
+ - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
+ - fixed a few more format strings
+
+ arch/mips/include/asm/atomic.h | 20 ++++++++++++++++----
+ drivers/md/bcache/super.c | 2 +-
+ drivers/net/wireless/iwlwifi/dvm/main.c | 3 +--
+ drivers/pci/hotplug/pciehp_hpc.c | 2 +-
+ drivers/platform/x86/wmi.c | 2 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/vfio/vfio.c | 4 ++--
+ fs/ntfs/super.c | 6 +++---
+ include/linux/workqueue.h | 6 +++---
+ net/mac80211/main.c | 2 +-
+ sound/pci/hda/hda_codec.c | 8 ++------
+ 11 files changed, 32 insertions(+), 25 deletions(-)
+
+commit 995a16841e2097c3a9dfc652e856469679c4a0ba
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 17:11:11 2013 -0400
+
+ fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
+
+ grsecurity/grsec_sysctl.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
+Merge: be2497c 1052971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 29 20:44:29 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ include/linux/sched.h
+
+commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
+Merge: e902dad 8bf3379
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 29 20:39:50 2013 -0400
+
+ Update to pax-linux-3.10.10-test21.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/sys_x86_64.c
+ arch/x86/mm/mmap.c
+ include/linux/sched.h
+
+commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
+Merge: 081c22b e902dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:52:44 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:51:21 2013 -0400
+
+ Update to pax-linux-3.10.9-test21.patch:
+ - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
+ - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
+ - fixed a REFCOUNT false positive in UHID
+ - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
+ Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
+ (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
+ - icmpv6_filter: no memory corruption, probably just some logical error in the caller
+ - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
+ - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
+ - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
+ - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
+ - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
+
+ arch/arm/mm/fault.c | 2 +-
+ arch/mips/kernel/traps.c | 2 --
+ drivers/hid/uhid.c | 6 +++---
+ drivers/isdn/gigaset/usb-gigaset.c | 2 +-
+ drivers/isdn/i4l/isdn_common.c | 2 ++
+ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
+ drivers/usb/dwc3/gadget.c | 2 --
+ net/ieee802154/6lowpan.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
+ 10 files changed, 14 insertions(+), 16 deletions(-)
+
+commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:42:39 2013 -0400
+
+ add export of gr_handle_new_usb()
+
+ grsecurity/grsec_usb.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 19:24:47 2013 -0400
+
+ Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
+ Kees' recent findings are motivation enough to publish it
+
+ drivers/usb/core/hub.c | 5 +++++
+ grsecurity/Kconfig | 20 ++++++++++++++++++++
+ grsecurity/Makefile | 3 ++-
+ grsecurity/grsec_init.c | 1 +
+ grsecurity/grsec_sysctl.c | 11 +++++++++++
+ grsecurity/grsec_usb.c | 13 +++++++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grsecurity.h | 2 ++
+ 8 files changed, 55 insertions(+), 1 deletions(-)
+
+commit 8044382257ec75a03f3d784ce048ef14e94b90ca
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:35:07 2013 -0700
+
+ HID: zeroplus: validate output report details
+
+ The zeroplus HID driver was not checking the size of allocated values
+ in fields it used. A HID device could send a malicious output report
+ that would cause the driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+ ...
+ [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2889
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-zpff.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 14:36:15 2013 -0700
+
+ HID: provide a helper for validating hid reports
+
+ Many drivers need to validate the characteristics of their HID report
+ during initialization to avoid misusing the reports. This adds a common
+ helper to perform validation of the report, its field count, and the
+ value count within the fields.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/hid.h | 4 +++
+ 2 files changed, 54 insertions(+), 0 deletions(-)
+
+commit 270ba9096ddecdc3cf6c4d76e6892184820116be
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:14:34 2013 -0700
+
+ HID: steelseries: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ steelseries HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+ ...
+ [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2891
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-steelseries.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 08:49:21 2013 -0700
+
+ HID: pantherlord: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ pantherlord HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+ ...
+ [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2892
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 60115e8108e508060815bce5ef9504233c81898c
+Author: Kees Cook <keescook@chromium.org>
+Date: Tue Aug 13 16:49:01 2013 -0700
+
+ HID: LG: validate HID output report details
+
+ A HID device could send a malicious output report that would cause the
+ lg, lg3, and lg4 HID drivers to write beyond the output report allocation
+ during an event, causing a heap overflow:
+
+ [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
+ ...
+ [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
+
+ Additionally, while lg2 did correctly validate the report details, it was
+ cleaned up and shortened.
+
+ CVE-2013-2893
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-lg2ff.c | 19 +++----------------
+ drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
+ drivers/hid/hid-lg4ff.c | 20 +-------------------
+ drivers/hid/hid-lgff.c | 17 ++---------------
+ 4 files changed, 12 insertions(+), 73 deletions(-)
+
+commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:21:23 2013 -0700
+
+ HID: lenovo-tpkbd: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ lenovo-tpkbd HID driver to write just beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+ ...
+ [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2894
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 38627769bb2b9a550e251b2caf1babda7566fb4a
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:45:03 2013 -0700
+
+ HID: logitech-dj: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ logitech-dj HID driver to leak kernel memory contents to the device, or
+ trigger a NULL dereference during initialization:
+
+ [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+ ...
+ [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+ [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+ CVE-2013-2895
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:18:15 2013 -0700
+
+ HID: ntrig: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ ntrig HID driver to trigger a NULL dereference during initialization:
+
+ [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+ ...
+ [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+ [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+ CVE-2013-2896
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:11:32 2013 -0700
+
+ HID: multitouch: validate feature report details
+
+ When working on report indexes, always validate that they are in bounds.
+ Without this, a HID device could report a malicious feature report that
+ could trick the driver into a heap overflow:
+
+ [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+ ...
+ [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2897
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
+ 1 files changed, 20 insertions(+), 5 deletions(-)
+
+commit 813f51e0881e4ea6d221da828b1cced02ad9694d
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:12:45 2013 -0700
+
+ HID: sensor-hub: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ sensor-hub HID driver to read past the end of heap allocation, leaking
+ kernel memory contents to the caller.
+
+ CVE-2013-2898
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:05:10 2013 -0700
+
+ HID: picolcd_core: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+ CVE-2013-2899
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:09:54 2013 -0700
+
+ HID: check for NULL field when setting values
+
+ Defensively check that the field to be worked on is not NULL.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 96a55ce1b2f3af376c400a02059174e79ce4399c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 18:09:18 2013 -0400
+
+ http://marc.info/?l=linux-input&m=137772180514608&q=raw
+
+ From: Kees Cook <keescook@chromium.org>
+
+ The "Report ID" field of a HID report is used to build indexes of
+ reports. The kernel's index of these is limited to 256 entries, so any
+ malicious device that sets a Report ID greater than 255 will trigger
+ memory corruption on the host:
+
+ [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+ [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+ CVE-2013-2888
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ ---
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+commit eb1106eef5f17bfda833ca3cf89e315919173257
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Aug 9 12:52:31 2013 +0300
+
+ Upstream commit: 909bd5926d474e275599094acad986af79671ac9
+
+ Hostap: copying wrong data prism2_ioctl_giwaplist()
+
+ We want the data stored in "addr" and "qual", but the extra ampersands
+ mean we are copying stack data instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 17:01:21 2013 -0400
+
+ fix typo in ipv6 backport
+
+ net/ipv6/addrconf.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Thu Aug 22 11:39:15 2013 -0700
+
+ Upstream commit: d661684cf6820331feae71146c35da83d794467e
+
+ net: Check the correct namespace when spoofing pid over SCM_RIGHTS
+
+ This is a security bug.
+
+ The follow-up will fix nsproxy to discourage this type of issue from
+ happening again.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/scm.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Aug 16 13:02:27 2013 +0200
+
+ Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
+
+ ipv6: remove max_addresses check from ipv6_create_tempaddr
+
+ Because of the max_addresses check attackers were able to disable privacy
+ extensions on an interface by creating enough autoconfigured addresses:
+
+ <http://seclists.org/oss-sec/2012/q4/292>
+
+ But the check is not actually needed: max_addresses protects the
+ kernel to install too many ipv6 addresses on an interface and guards
+ addrconf_prefix_rcv to install further addresses as soon as this limit
+ is reached. We only generate temporary addresses in direct response of
+ a new address showing up. As soon as we filled up the maximum number of
+ addresses of an interface, we stop installing more addresses and thus
+ also stop generating more temp addresses.
+
+ Even if the attacker tries to generate a lot of temporary addresses
+ by announcing a prefix and removing it again (lifetime == 0) we won't
+ install more temp addresses, because the temporary addresses do count
+ to the maximum number of addresses, thus we would stop installing new
+ autoconfigured addresses when the limit is reached.
+
+ This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
+ possible).
+
+ Thanks to Ding Tianhong to bring this topic up again.
+
+ Cc: Ding Tianhong <dingtianhong@huawei.com>
+ Cc: George Kargiotakis <kargig@void.gr>
+ Cc: P J P <ppandit@redhat.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Ding Tianhong <dingtianhong@huawei.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/ipv6/addrconf.c
+
+ net/ipv6/addrconf.c | 10 ++++------
+ 1 files changed, 4 insertions(+), 6 deletions(-)
+
+commit 8333e0981469a226a47d0142ff31090a48db95a4
+Author: David Vrabel <david.vrabel@citrix.com>
+Date: Thu Aug 15 13:21:06 2013 +0100
+
+ Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
+
+ xen/events: initialize local per-cpu mask for all possible events
+
+ The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
+ resulting in only the first 64 (or 32 in 32-bit guests) ports having
+ their bindings being initialized to VCPU 0.
+
+ In most cases this does not cause a problem as request_irq() will set
+ the irq affinity which will set the correct local per-cpu mask.
+ However, if the request_irq() is called on a VCPU other than 0, there
+ is a window between the unmasking of the event and the affinity being
+ set were an event may be lost because it is not locally unmasked on
+ any VCPU. If request_irq() is called on VCPU 0 then local irqs are
+ disabled during the window and the race does not occur.
+
+ Fix this by initializing all NR_EVENT_CHANNEL bits in the local
+ per-cpu masks.
+
+ Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+ Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+ CC: stable@vger.kernel.org
+
+ drivers/xen/events.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2a9a83768433937a2b7a97001ba1627156c0efed
+Author: Roland Dreier <roland@purestorage.com>
+Date: Mon Aug 5 17:55:01 2013 -0700
+
+ Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
+
+ [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
+
+ There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
+ leads to one process writing data into the address space of some other
+ random unrelated process if the ioctl is interrupted by a signal.
+ What happens is the following:
+
+ - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
+ underlying SCSI command will transfer data from the SCSI device to
+ the buffer provided in the ioctl)
+
+ - Before the command finishes, a signal is sent to the process waiting
+ in the ioctl. This will end up waking up the sg_ioctl() code:
+
+ result = wait_event_interruptible(sfp->read_wait,
+ (srp_done(sfp, srp) || sdp->detached));
+
+ but neither srp_done() nor sdp->detached is true, so we end up just
+ setting srp->orphan and returning to userspace:
+
+ srp->orphan = 1;
+ write_unlock_irq(&sfp->rq_list_lock);
+ return result; /* -ERESTARTSYS because signal hit process */
+
+ At this point the original process is done with the ioctl and
+ blithely goes ahead handling the signal, reissuing the ioctl, etc.
+
+ - Eventually, the SCSI command issued by the first ioctl finishes and
+ ends up in sg_rq_end_io(). At the end of that function, we run through:
+
+ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ if (unlikely(srp->orphan)) {
+ if (sfp->keep_orphan)
+ srp->sg_io_owned = 0;
+ else
+ done = 0;
+ }
+ srp->done = done;
+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+
+ if (likely(done)) {
+ /* Now wake up any sg_read() that is waiting for this
+ * packet.
+ */
+ wake_up_interruptible(&sfp->read_wait);
+ kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
+ kref_put(&sfp->f_ref, sg_remove_sfp);
+ } else {
+ INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
+ schedule_work(&srp->ew.work);
+ }
+
+ Since srp->orphan *is* set, we set done to 0 (assuming the
+ userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
+ ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
+ to run in a workqueue.
+
+ - In workqueue context we go through sg_rq_end_io_usercontext() ->
+ sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
+ bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
+
+ The key point here is that we are doing copy_to_user() on a
+ workqueue -- that is, we're on a kernel thread with current->mm
+ equal to whatever random previous user process was scheduled before
+ this kernel thread. So we end up copying whatever data the SCSI
+ command returned to the virtual address of the buffer passed into
+ the original ioctl, but it's quite likely we do this copying into a
+ different address space!
+
+ As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
+ add a check for current->mm (which is NULL if we're on a kernel thread
+ without a real userspace address space) in bio_uncopy_user(), and skip
+ the copy if we're on a kernel thread.
+
+ There's no reason that I can think of for any caller of bio_uncopy_user()
+ to want to do copying on a kernel thread with a random active userspace
+ address space.
+
+ Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
+ original pointer to this bug in the sg code.
+
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+ Tested-by: David Milburn <dmilburn@redhat.com>
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+
+ fs/bio.c | 20 +++++++++++++++-----
+ 1 files changed, 15 insertions(+), 5 deletions(-)
+
+commit e6fe57dee152671afd618d6bc8cbf23155be6c34
+Merge: cdc8f7d f2095a4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 27 18:13:35 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/mm/fault.c
+ security/Kconfig
+
+commit f2095a4787f7d332e5919f0bd00f8de6021ad612
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 27 18:08:23 2013 -0400
+
+ Update to pax-linux-3.10.9-test20.patch:
+ - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
+ - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
+ - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
+ - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
+ - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
+ - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
+ - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)
+
+ arch/arm/mm/fault.c | 11 +-
+ arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++--
+ arch/mips/kernel/traps.c | 14 +-
+ arch/x86/include/asm/tlbflush.h | 4 +
+ arch/x86/include/asm/uaccess_64.h | 2 +-
+ fs/ntfs/file.c | 2 +-
+ kernel/events/internal.h | 4 +-
+ kernel/events/uprobes.c | 2 +-
+ kernel/futex.c | 2 +-
+ mm/filemap.c | 8 +-
+ security/Kconfig | 2 +-
+ tools/gcc/kernexec_plugin.c | 18 +-
+ tools/gcc/latent_entropy_plugin.c | 26 +-
+ tools/gcc/size_overflow_plugin.c | 3 +-
+ 14 files changed, 750 insertions(+), 70 deletions(-)
+
+commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
+Merge: 5a9ae57 745975e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 26 20:27:33 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 745975e3b3b74b64e00e85778f9a22714d1274f2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 26 20:26:33 2013 -0400
+
+ Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
+ as reported by fabled on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=1&t=3720
+
+ arch/arm/include/asm/pgtable.h | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
+Merge: 486ec00 f68df21
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:15:20 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:14:50 2013 -0400
+
+ Update to pax-linux-3.10.9-test18.patch:
+ - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
+ - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
+ - forward port to 3.10.9
+
+ arch/x86/kernel/entry_64.S | 18 +++++++++---------
+ arch/x86/kernel/i386_ksyms_32.c | 4 ++++
+ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++
+ 3 files changed, 17 insertions(+), 9 deletions(-)
+
+commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
+Merge: f47a293 d8fed0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:12:47 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
+Merge: f6ace8e 0a4b6d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:12:33 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit f47a293a1440da2a3e2c239d43d636e37ca74f10
+Merge: f1e8ec7 f6ace8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:20:05 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/kernel/perf_event.c
+ include/linux/sched.h
+
+commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
+Merge: b4fa847 6f54059
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:18:02 2013 -0400
+
+ Update to pax-linux-3.10.8-test18.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/sys_x86_64.c
+ arch/x86/mm/mmap.c
+ include/linux/sched.h
+
+commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
+Merge: 6f88011 b4fa847
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:05:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:04:14 2013 -0400
+
+ Update to pax-linux-3.10.7-test18.patch:
+ - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
+ - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
+ - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause
+
+ arch/arm/kernel/process.c | 2 +-
+ arch/x86/include/asm/processor.h | 25 ++-----------------------
+ arch/x86/kernel/cpu/common.c | 4 ++++
+ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++
+ drivers/staging/zcache/tmem.c | 4 ++--
+ drivers/staging/zcache/tmem.h | 6 ++----
+ 6 files changed, 47 insertions(+), 30 deletions(-)
+
+commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 19 22:10:04 2013 -0400
+
+ fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
+ as reported by pipacs
+
+ arch/x86/kernel/smpboot.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
+Merge: 6eba999 5de93c8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 22:03:19 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 22:02:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test15.patch:
+ - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
+ - fixed some new REFCOUNT false positives, caught by inspection
+
+ arch/x86/kernel/cpu/common.c | 5 +++--
+ arch/x86/kernel/entry_64.S | 11 +++++++----
+ fs/ceph/super.c | 4 ++--
+ mm/backing-dev.c | 4 ++--
+ 4 files changed, 14 insertions(+), 10 deletions(-)
+
+commit 94c119587c76723c1072237b98fff9886ccb7689
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 20:49:39 2013 -0400
+
+ fix pipacs' DEMORGAN typo
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
+Merge: df347f6 64a293e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 18:13:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 18:12:37 2013 -0400
+
+ Update to pax-linux-3.10.7-test14.patch:
+ - fixed compile error introduced by the previous PCID change
+ - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ kernel/posix-timers.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
+Merge: d8efbc5 e11b314
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 08:15:00 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e11b314734c5b7317f5468be75305ad812e78c2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 08:14:26 2013 -0400
+
+ Update to pax-linux-3.10.7-test13.patch:
+ - always enable the use of PCID and INVPCID when available in the CPU
+ - kvm guest kernels can use these features even if the host kernel lacks UDEREF
+
+ arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++----------------
+ arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++----------
+ 2 files changed, 70 insertions(+), 47 deletions(-)
+
+commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 12:00:20 2013 -0400
+
+ make kallsyms_lookup_size_offset available to approved source files
+
+ include/linux/kallsyms.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 6c8feffa95ce2db280160015027b52bb41a344c8
+Merge: dbf6930 0bb1c2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:57:50 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:56:43 2013 -0400
+
+ Update to pax-linux-3.10.7-test12.patch:
+ - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
+ - fixed some arm compile problems
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ drivers/clocksource/bcm_kona_timer.c | 2 +-
+ kernel/signal.c | 4 ++++
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+commit dbf69305ad4f8a037aae95af90f9201f556dcb48
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:18:09 2013 -0400
+
+ allow use of kallsyms_lookup_name to approved source files
+
+ include/linux/kallsyms.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
+Merge: 68bd16f f562e3e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 10:35:02 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f562e3ef7737ea8d80431a722479b36a12504ace
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 10:34:51 2013 -0400
+
+ add uderef_64.c
+
+ arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++
+ 1 files changed, 37 insertions(+), 0 deletions(-)
+
+commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
+Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
+Date: Mon Aug 12 16:30:09 2013 +0000
+
+ Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
+
+ rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
+
+ Fix the iproute2 command `bridge vlan show`, after switching from
+ rtgenmsg to ifinfomsg.
+
+ Let's start with a little history:
+
+ Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in
+ the 3.9 merge window.
+ In the kernel commit 6cbdceeb, he added attribute support to
+ bridge GETLINK requests sent with rtgenmsg.
+
+ Mar 6th: Vlad got this iproute2 reference implementation of the bridge
+ vlan netlink interface accepted (iproute2 9eff0e5c)
+
+ Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
+ http://patchwork.ozlabs.org/patch/239602/
+ http://marc.info/?t=136680900700007
+
+ Apr 28th: Linus released 3.9
+
+ Apr 30th: Stephen released iproute2 3.9.0
+
+ The `bridge vlan show` command haven't been working since the switch to
+ ifinfomsg, or in a released version of iproute2. Since the kernel side
+ only supports rtgenmsg, which iproute2 switched away from just prior to
+ the iproute2 3.9.0 release.
+
+ I haven't been able to find any documentation, about neither rtgenmsg
+ nor ifinfomsg, and in which situation to use which, but kernel commit
+ 88c5b5ce seams to suggest that ifinfomsg should be used.
+
+ Fixing this in kernel will break compatibility, but I doubt that anybody
+ have been using it due to this bug in the user space reference
+ implementation, at least not without noticing this bug. That said the
+ functionality is still fully functional in 3.9, when reversing iproute2
+ commit 63338dca.
+
+ This could also be fixed in iproute2, but thats an ugly patch that would
+ reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
+ like rtgenmsg usage is discouraged. I'm assuming that the only reason
+ that Vlad implemented the kernel side to use rtgenmsg, was because
+ iproute2 was using it at the time.
+
+ Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
+ Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/rtnetlink.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8c7bc5bafddddff55ed4687203a977e96f72540a
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Aug 13 09:04:05 2013 +0200
+
+ Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
+
+ genetlink: fix family dump race
+
+ When dumping generic netlink families, only the first dump call
+ is locked with genl_lock(), which protects the list of families,
+ and thus subsequent calls can access the data without locking,
+ racing against family addition/removal. This can cause a crash.
+ Fix it - the locking needs to be conditional because the first
+ time around it's already locked.
+
+ A similar bug was reported to me on an old kernel (3.4.47) but
+ the exact scenario that happened there is no longer possible,
+ on those kernels the first round wasn't locked either. Looking
+ at the current code I found the race described above, which had
+ also existed on the old kernel.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/netlink/genetlink.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri Aug 9 16:25:21 2013 +0200
+
+ Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
+
+ net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
+
+ Probably this one is quite unlikely to be triggered, but it's more safe
+ to do the call_rcu() at the end after we have dropped the reference on
+ the asoc and freed sctp packet chunks. The reason why is because in
+ sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
+ we're unlucky enough we could run into corrupted pointers. Probably
+ that's more of theoretical nature, but it's safer to have this simple fix.
+
+ Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
+ for deferred call_rcu's"). I also did the 8c98653f regression test and
+ it's fine that way.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/transport.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 3925eab5483946fd746575a46f97bee9d566bb77
+Author: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Fri Aug 9 11:44:06 2013 +0200
+
+ Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
+
+ can: pcan_usb: fix wrong memcpy() bytes length
+
+ Fix possibly wrong memcpy() bytes length since some CAN records received from
+ PCAN-USB could define a DLC field in range [9..15].
+ In that case, the real DLC value MUST be used to move forward the record pointer
+ but, only 8 bytes max. MUST be copied into the data field of the struct
+ can_frame object of the skb given to the network core.
+
+ Cc: linux-stable <stable@vger.kernel.org>
+ Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c1ac6642baae4a400d1f87115024d1bb1ef53598
+Author: Linus Lüssing <linus.luessing@web.de>
+Date: Tue Aug 6 20:21:15 2013 +0200
+
+ Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
+
+ batman-adv: fix potential kernel paging errors for unicast transmissions
+
+ There are several functions which might reallocate skb data. Currently
+ some places keep reusing their old ethhdr pointer regardless of whether
+ they became invalid after such a reallocation or not. This potentially
+ leads to kernel paging errors.
+
+ This patch fixes these by refetching the ethdr pointer after the
+ potential reallocations.
+
+ Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+ Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+
+ net/batman-adv/bridge_loop_avoidance.c | 2 ++
+ net/batman-adv/gateway_client.c | 13 ++++++++++++-
+ net/batman-adv/gateway_client.h | 3 +--
+ net/batman-adv/soft-interface.c | 9 ++++++++-
+ net/batman-adv/unicast.c | 13 ++++++++++---
+ 5 files changed, 33 insertions(+), 7 deletions(-)
+
+commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
+Author: Yuchung Cheng <ycheng@google.com>
+Date: Fri Aug 9 17:21:27 2013 -0700
+
+ Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
+
+ netfilter: nf_conntrack: fix tcp_in_window for Fast Open
+
+ Currently the conntrack checks if the ending sequence of a packet
+ falls within the observed receive window. However it does so even
+ if it has not observe any packet from the remote yet and uses an
+ uninitialized receive window (td_maxwin).
+
+ If a connection uses Fast Open to send a SYN-data packet which is
+ dropped afterward in the network. The subsequent SYNs retransmits
+ will all fail this check and be discarded, leading to a connection
+ timeout. This is because the SYN retransmit does not contain data
+ payload so
+
+ end == initial sequence number (isn) + 1
+ sender->td_end == isn + syn_data_len
+ receiver->td_maxwin == 0
+
+ The fix is to only apply this check after td_maxwin is initialized.
+
+ Reported-by: Michael Chan <mcfchan@stanford.edu>
+ Signed-off-by: Yuchung Cheng <ycheng@google.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 1 12:36:57 2013 +0300
+
+ Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
+
+ netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
+
+ These structs have a "_pad" member. Also the "phw" structs have an 8
+ byte "hw_addr[]" array but sometimes only the first 6 bytes are
+ initialized.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_log.c | 6 +++++-
+ net/netfilter/nfnetlink_queue_core.c | 5 ++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Jul 25 10:46:46 2013 +0200
+
+ Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
+
+ netfilter: xt_TCPOPTSTRIP: fix possible off by one access
+
+ Fix a possible off by one access since optlen()
+ touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
+
+ This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
+ that stores the TCP header length, to save some cycles.
+
+ Reported-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++----
+ 1 files changed, 6 insertions(+), 4 deletions(-)
+
+commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Jul 25 10:37:49 2013 +0200
+
+ Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
+
+ netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
+
+ Make sure the packet has enough room for the TCP header and
+ that it is not malformed.
+
+ While at it, store tcph->doff*4 in a variable, as it is used
+ several times.
+
+ This patch also fixes a possible off by one in case of malformed
+ TCP options.
+
+ Reported-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
+ 1 files changed, 16 insertions(+), 12 deletions(-)
+
+commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
+Author: Dave Jones <davej@redhat.com>
+Date: Fri Aug 9 11:16:34 2013 -0700
+
+ Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
+
+ 8139cp: Fix skb leak in rx_status_loop failure path.
+
+ Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
+ ("8139cp: Add dma_mapping_error checking")
+
+ Signed-off-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/realtek/8139cp.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 227b279491a0bbcc70ca3654f34903282c378600
+Author: Timo Teräs <timo.teras@iki.fi>
+Date: Tue Aug 6 13:45:43 2013 +0300
+
+ Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
+
+ ip_gre: fix ipgre_header to return correct offset
+
+ Fix ipgre_header() (header_ops->create) to return the correct
+ amount of bytes pushed. Most callers of dev_hard_header() seem
+ to care only if it was success, but af_packet.c uses it as
+ offset to the skb to copy from userspace only once. In practice
+ this fixes packet socket sendto()/sendmsg() to gre tunnels.
+
+ Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
+ ("GRE: Refactor GRE tunneling code.")
+
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_gre.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon Aug 5 11:18:49 2013 -0700
+
+ Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
+
+ fib_trie: remove potential out of bound access
+
+ AddressSanitizer [1] dynamic checker pointed a potential
+ out of bound access in leaf_walk_rcu()
+
+ We could allocate one more slot in tnode_new() to leave the prefetch()
+ in-place but it looks not worth the pain.
+
+ Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
+
+ [1] :
+ https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
+
+ Reported-by: Andrey Konovalov <andreyknvl@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/fib_trie.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon Aug 5 12:49:35 2013 +0200
+
+ Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
+
+ net: esp{4,6}: fix potential MTU calculation overflows
+
+ Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
+ size calculation") introduced a possible interger overflow in
+ esp{4,6}_get_mtu() handlers in case of x->props.mode equals
+ XFRM_MODE_TUNNEL. Thus, the following expression will overflow
+
+ unsigned int net_adj;
+ ...
+ <case ipv{4,6} XFRM_MODE_TUNNEL>
+ net_adj = 0;
+ ...
+ return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
+ net_adj) & ~(align - 1)) + (net_adj - 2);
+
+ where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
+ context. Fix it by simply removing brackets as those operations here
+ do not need to have special precedence.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Benjamin Poirier <bpoirier@suse.de>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Acked-by: Benjamin Poirier <bpoirier@suse.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/esp4.c | 2 +-
+ net/ipv6/esp6.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit f02bce292d1c2fe610be509c96593e70b3de387b
+Author: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Mon Aug 5 16:47:38 2013 +0200
+
+ Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
+
+ net/vmw_vsock/af_vsock.c: drop unneeded semicolon
+
+ Drop the semicolon at the end of the list_for_each_entry loop header.
+
+ Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
+Author: Tiger Yang <tiger.yang@oracle.com>
+Date: Tue Aug 13 16:00:58 2013 -0700
+
+ Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
+
+ ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
+
+ Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
+ the struct file pointer, it finally result in a null pointer dereference
+ in ocfs2_duplicate_clusters_by_page.
+
+ This patch replace file pointer with inode pointer in
+ cow_duplicate_clusters to fix this issue.
+
+ [jeff.liu@oracle.com: rebased patch against linux-next tree]
+ Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
+ Signed-off-by: Jie Liu <jeff.liu@oracle.com>
+ Cc: Joel Becker <jlbec@evilplan.org>
+ Cc: Mark Fasheh <mfasheh@suse.com>
+ Acked-by: Tao Ma <tm@tao.ma>
+ Tested-by: David Weber <wb@munzinger.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/ocfs2/aops.c | 2 +-
+ fs/ocfs2/file.c | 6 ++--
+ fs/ocfs2/move_extents.c | 2 +-
+ fs/ocfs2/refcounttree.c | 53 +++++++---------------------------------------
+ fs/ocfs2/refcounttree.h | 6 ++--
+ 5 files changed, 16 insertions(+), 53 deletions(-)
+
+commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 15 15:52:57 2013 +0300
+
+ Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
+
+ tun: signedness bug in tun_get_user()
+
+ The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
+ not totally correct. Because "len" and "sizeof()" are size_t type, that
+ means they are never less than zero.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 26ad267ddda451919357965a0cf271ca24d1bcf2
+Author: Weiping Pan <wpan@redhat.com>
+Date: Tue Aug 13 21:46:56 2013 +0800
+
+ Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
+
+ tun: compare with 0 instead of total_len
+
+ Since we set "len = total_len" in the beginning of tun_get_user(),
+ so we should compare the new len with 0, instead of total_len,
+ or the if statement always returns false.
+
+ Signed-off-by: Weiping Pan <wpan@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
+Author: Guenter Roeck <linux@roeck-us.net>
+Date: Fri Aug 16 20:50:55 2013 -0700
+
+ Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
+
+ s390: Fix broken build
+
+ Fix this build error:
+
+ In file included from fs/exec.c:61:0:
+ arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
+ arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
+ arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
+ arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
+
+ Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
+ invalidation corner cases").
+
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+ [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/s390/include/asm/tlb.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4e57312c2de2a25ddb181d129dafbc0251062c33
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu Aug 15 11:42:25 2013 -0700
+
+ Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
+
+ Fix TLB gather virtual address range invalidation corner cases
+
+ Ben Tebulin reported:
+
+ "Since v3.7.2 on two independent machines a very specific Git
+ repository fails in 9/10 cases on git-fsck due to an SHA1/memory
+ failures. This only occurs on a very specific repository and can be
+ reproduced stably on two independent laptops. Git mailing list ran
+ out of ideas and for me this looks like some very exotic kernel issue"
+
+ and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
+ limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
+
+ That commit itself is not actually buggy, but what it does is to make it
+ much more likely to hit the partial TLB invalidation case, since it
+ introduces a new case in tlb_next_batch() that previously only ever
+ happened when running out of memory.
+
+ The real bug is that the TLB gather virtual memory range setup is subtly
+ buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
+ enable tlb flush range in generic mmu_gather"), and the range handling
+ was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
+ range flushed when __tlb_remove_page() runs out of slots"), but that fix
+ was not complete.
+
+ The problem with the TLB gather virtual address range is that it isn't
+ set up by the initial tlb_gather_mmu() initialization (which didn't get
+ the TLB range information), but it is set up ad-hoc later by the
+ functions that actually flush the TLB. And so any such case that forgot
+ to update the TLB range entries would potentially miss TLB invalidates.
+
+ Rather than try to figure out exactly which particular ad-hoc range
+ setup was missing (I personally suspect it's the hugetlb case in
+ zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
+ did), this patch just gets rid of the problem at the source: make the
+ TLB range information available to tlb_gather_mmu(), and initialize it
+ when initializing all the other tlb gather fields.
+
+ This makes the patch larger, but conceptually much simpler. And the end
+ result is much more understandable; even if you want to play games with
+ partial ranges when invalidating the TLB contents in chunks, now the
+ range information is always there, and anybody who doesn't want to
+ bother with it won't introduce subtle bugs.
+
+ Ben verified that this fixes his problem.
+
+ Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
+ Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
+ Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
+ Reviewed-by: Michal Hocko <mhocko@suse.cz>
+ Acked-by: Peter Zijlstra <peterz@infradead.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/arm/include/asm/tlb.h | 7 +++++--
+ arch/arm64/include/asm/tlb.h | 7 +++++--
+ arch/ia64/include/asm/tlb.h | 9 ++++++---
+ arch/s390/include/asm/tlb.h | 8 ++++++--
+ arch/sh/include/asm/tlb.h | 6 ++++--
+ arch/um/include/asm/tlb.h | 6 ++++--
+ fs/exec.c | 4 ++--
+ include/asm-generic/tlb.h | 2 +-
+ mm/hugetlb.c | 2 +-
+ mm/memory.c | 36 +++++++++++++++++++++---------------
+ mm/mmap.c | 4 ++--
+ 11 files changed, 57 insertions(+), 34 deletions(-)
+
+commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
+Merge: 5568c80 ffceabf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 09:11:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ffceabfcc65c60109ba5fca694d78d4dc7047809
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 09:10:44 2013 -0400
+
+ Update to pax-linux-3.10.7-test11.patch:
+ - simplified some arm code
+ - disabled preemption when calling show_regs, reported by Corey Minyard
+ - added PCID based support for UDEREF on amd64 (blog will have more details)
+ - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
+ - nopcid turns it off
+ - by default a strong form of UDEREF is used under PCID
+ - pax_weakuderef switches to the older, less secure UDEREF
+ - fixed several bugs that would also have manifested under SMAP
+ - INVPCID is used when available (Haswell)
+ - added a few more return insn instrumentation in new amd64 crypto code
+
+ Documentation/kernel-parameters.txt | 7 +
+ arch/arm/include/asm/uaccess.h | 3 +
+ arch/x86/crypto/blowfish-avx2-asm_64.S | 6 +
+ arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++
+ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
+ arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++
+ arch/x86/crypto/sha256-avx-asm.S | 2 +
+ arch/x86/crypto/sha256-avx2-asm.S | 2 +
+ arch/x86/crypto/sha256-ssse3-asm.S | 2 +
+ arch/x86/crypto/sha512-avx-asm.S | 2 +
+ arch/x86/crypto/sha512-avx2-asm.S | 2 +
+ arch/x86/crypto/sha512-ssse3-asm.S | 2 +
+ arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++
+ arch/x86/ia32/ia32_signal.c | 2 +-
+ arch/x86/ia32/ia32entry.S | 24 ++++-
+ arch/x86/include/asm/cpufeature.h | 3 +-
+ arch/x86/include/asm/fpu-internal.h | 2 +
+ arch/x86/include/asm/futex.h | 4 +
+ arch/x86/include/asm/mmu_context.h | 80 +++++++++++---
+ arch/x86/include/asm/pgtable.h | 10 +-
+ arch/x86/include/asm/processor.h | 15 +++-
+ arch/x86/include/asm/segment.h | 5 +-
+ arch/x86/include/asm/smap.h | 64 +++++++++++-
+ arch/x86/include/asm/tlbflush.h | 63 +++++++++--
+ arch/x86/include/asm/uaccess.h | 18 +++-
+ arch/x86/include/asm/xsave.h | 4 +
+ arch/x86/kernel/cpu/common.c | 38 +++++++
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++---
+ arch/x86/kernel/head_32.S | 2 +-
+ arch/x86/kernel/head_64.S | 8 +-
+ arch/x86/kernel/process_64.c | 5 +
+ arch/x86/kernel/setup.c | 8 +-
+ arch/x86/kernel/signal.c | 4 +-
+ arch/x86/kernel/smpboot.c | 15 ++-
+ arch/x86/lib/copy_user_64.S | 50 +--------
+ arch/x86/lib/copy_user_nocache_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 11 ++-
+ arch/x86/lib/memcpy_64.S | 4 +-
+ arch/x86/lib/memmove_64.S | 2 +-
+ arch/x86/lib/memset_64.S | 4 +-
+ arch/x86/lib/usercopy_64.c | 5 +-
+ arch/x86/mm/Makefile | 4 +
+ arch/x86/mm/fault.c | 29 ++++--
+ arch/x86/mm/init.c | 7 +-
+ arch/x86/mm/init_64.c | 9 ++-
+ arch/x86/mm/pageattr.c | 2 +-
+ arch/x86/mm/pgtable.c | 3 +
+ arch/x86/platform/efi/efi_32.c | 2 +-
+ arch/x86/platform/efi/efi_64.c | 2 +-
+ arch/x86/realmode/rm/trampoline_64.S | 1 +
+ fs/exec.c | 2 +
+ include/asm-generic/uaccess.h | 8 ++
+ include/linux/compat.h | 1 +
+ include/linux/preempt.h | 19 +++
+ include/linux/signal.h | 1 +
+ include/linux/smp.h | 2 +
+ init/main.c | 14 ++-
+ kernel/signal.c | 16 +++
+ security/Kconfig | 5 +
+ tools/lib/lk/Makefile | 2 +-
+ tools/perf/Makefile | 2 +-
+ 64 files changed, 673 insertions(+), 136 deletions(-)
+
+commit 5568c8059e78d6d002815409df4e90c83b3b08a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 08:58:34 2013 -0400
+
+ Fix two harmless compiler warnings
+
+ arch/arm/kernel/process.c | 4 ++--
+ fs/exec.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:55:24 2013 -0400
+
+ Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b
+
+ arch/arm/kernel/perf_event.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 3637bc893b57a227b01852fe34685ab237285b10
+Author: Stephen Boyd <sboyd@codeaurora.org>
+Date: Wed Aug 7 16:18:08 2013 -0700
+
+ Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
+
+ perf/arm: Fix armpmu_map_hw_event()
+
+ Fix constraint check in armpmu_map_hw_event().
+
+ Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/arm/kernel/perf_event.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 11802e1f961a088c39af58d1c1b14d861eedfb35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:53:30 2013 -0400
+
+ More ARM backports
+
+ arch/arm/kernel/entry-armv.S | 3 ++-
+ arch/arm/kernel/fiq.c | 8 ++------
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:46:01 2013 -0400
+
+ Fix HIDESYM compatibility with kprobes, as reported by feandil at:
+ http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
+
+ include/linux/kallsyms.h | 2 +-
+ kernel/kprobes.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
+Author: yonghua zheng <younghua.zheng@gmail.com>
+Date: Tue Aug 13 16:01:03 2013 -0700
+
+ fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
+
+ Recently we met quite a lot of random kernel panic issues after enabling
+ CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
+ to do with following bug in pagemap:
+
+ In struct pagemapread:
+
+ struct pagemapread {
+ int pos, len;
+ pagemap_entry_t *buffer;
+ bool v2;
+ };
+
+ pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
+ buffer, it is a mistake to compare pos and len in add_page_map() for
+ checking buffer is full or not, and this can lead to buffer overflow and
+ random kernel panic issue.
+
+ Correct len to be total number of PM_ENTRY_BYTES in buffer.
+
+ [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
+ Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/task_mmu.c
+
+ fs/proc/task_mmu.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 0a3dac834746de241c10d4978bf61b4f146ba89d
+Merge: dc19474 e12de30
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 17:39:01 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 17:34:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test9.patch:
+ - Emese fixed a size overflow false positive reported by Sven Vermeulen
+ - fixed some arm compile problems reported by spender
+ - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
+ eventually we'll have full REFCOUNT support on mips
+
+ arch/arm/kernel/process.c | 5 ++-
+ arch/arm/mm/Kconfig | 2 +-
+ arch/arm/mm/fault.c | 3 ++
+ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++
+ mm/internal.h | 2 +-
+ 5 files changed, 65 insertions(+), 4 deletions(-)
+
+commit dc19474d0ea6ea3c939544ae5f906067b1784a10
+Merge: 51b78c0 82266f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 21:47:37 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 82266f90a3f87ab5017329fb539aebf94c42253a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 21:14:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test9.patch
+
+ arch/arm/kernel/process.c | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
+
+commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
+Merge: e32d904 cb77ead
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 20:53:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
+Merge: 13675b8 519be45
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 20:50:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test8.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit e32d904b87292288e74e2637b900fd1115687b8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 10 09:41:40 2013 -0400
+
+ propagate the threadstack offset through to the topdown/bottomup allocators
+ on sparc64 hugepages
+
+ arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Thu Aug 8 18:55:32 2013 +0200
+
+ Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
+
+ another local DoS found in reaction to the one I reported,
+ we don't allow unpriv user ns use so this doesn't matter much to us
+
+ userns: limit the maximum depth of user_namespace->parent chain
+
+ Ensure that user_namespace->parent chain can't grow too much.
+ Currently we use the hardroded 32 as limit.
+
+ Reported-by: Andy Lutomirski <luto@amacapital.net>
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/user_namespace.h | 1 +
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 223ac007ef18bf3a5095ba0a56675c1f16200149
+Merge: 1c92de4 13675b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 8 20:45:24 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 13675b848cf02bffd26924b2b84d927095bc253d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 8 20:43:52 2013 -0400
+
+ Update to pax-linux-3.10.5-test8.patch:
+ - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
+ - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
+ - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>
+
+ arch/arm/include/asm/pgtable-2level.h | 4 +++-
+ arch/arm/mm/proc-v7-2level.S | 3 ---
+ arch/mips/mm/fault.c | 8 ++++++++
+ arch/x86/include/asm/processor.h | 3 ++-
+ include/linux/math64.h | 2 +-
+ security/Kconfig | 2 --
+ 6 files changed, 14 insertions(+), 8 deletions(-)
+
+commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
+Merge: e65aa3d 1660f49
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 18:50:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1660f496848b8400d263f7920989dae15e72185a
+Merge: 7f91ba1 dc51cd2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 18:50:12 2013 -0400
+
+ Update to pax-linux-3.10.5-test7.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/head_64.S
+ mm/mempolicy.c
+
+commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:58:42 2013 -0400
+
+ Disable RANDKSTACK for a VirtualBox host as mentioned on the
+ gentoo-hardened bugzilla:
+ https://bugs.gentoo.org/show_bug.cgi?id=382793
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jul 30 13:23:39 2013 +0300
+
+ Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
+
+ net_sched: info leak in atm_tc_dump_class()
+
+ The "pvc" struct has a hole after pvc.sap_family which is not cleared.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sched/sch_atm.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri Aug 2 11:32:43 2013 +0200
+
+ Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
+
+ net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
+
+ Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
+ resource that was allocated via inet_alloc_ifa() unfreed when returning
+ the function with -EINVAL. Thus, free it first via inet_free_ifa().
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/devinet.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
+Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
+Date: Fri Aug 2 23:15:56 2013 -0400
+
+ Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
+
+ qlcnic: Free up memory in error path.
+
+ Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
+ Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
+Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
+Date: Fri Aug 2 23:15:54 2013 -0400
+
+ Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
+
+ qlcnic: Fix MAC address filter issue on 82xx adapter
+
+ Driver was passing the address of a pointer instead of
+ the pointer itself.
+
+ Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:26:40 2013 -0400
+
+ Move user namespace capability check to shared create_user_ns code so we
+ cover unshare() as well.
+
+ Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
+ user namespaces!
+
+ kernel/fork.c | 17 -----------------
+ kernel/user_namespace.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 22 insertions(+), 19 deletions(-)
+
+commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 16:05:41 2013 -0400
+
+ silence a warning on older gcc
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b8966a5d577e9220fbc63306eee978f819f24e2e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 3 08:31:08 2013 -0400
+
+ we only care about mmaps of the beginning of an ELF, filter out
+ all others as suggested by pipacs
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:54:51 2013 -0400
+
+ add include
+
+ grsecurity/grsec_log.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:49:13 2013 -0400
+
+ fix compilation
+
+ include/linux/grinternal.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1704c23fdc55b68f512dc9927940e72237f3f43e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:34:35 2013 -0400
+
+ Improve PaX reporting (tells when anon mapping is stack or heap)
+ Remove textrel logging option, combine into rwx logging option
+ Enhance RWX logging option to display when PT_GNU_STACK-enabled library
+ is loaded under an MPROTECTed binary
+ Enhance RWX mprotect logging to display stack/heap instead of just
+ anon mapping
+
+ fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
+ fs/exec.c | 4 ++++
+ grsecurity/Kconfig | 21 +++++----------------
+ grsecurity/grsec_init.c | 4 ----
+ grsecurity/grsec_log.c | 14 ++++++++++++++
+ grsecurity/grsec_pax.c | 19 ++++++++++++++-----
+ grsecurity/grsec_sysctl.c | 9 ---------
+ include/linux/binfmts.h | 1 +
+ include/linux/grinternal.h | 2 +-
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 3 ++-
+ mm/mmap.c | 7 +++++++
+ mm/mprotect.c | 2 +-
+ 13 files changed, 88 insertions(+), 38 deletions(-)
+
+commit faf81c100c8565524e21c9af780a0ad2ce3fd925
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:52:02 2013 -0400
+
+ add missing #define
+
+ grsecurity/gracl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:43:53 2013 -0400
+
+ fix compilation for !COMPAT as reported on the forums
+
+ grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
+ 1 files changed, 97 insertions(+), 98 deletions(-)
+
+commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
+Merge: 65019c9 7f91ba1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 65019c9bd05f860437071cbf00e2027fd2d68615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:20 2013 -0400
+
+ Revert "revert recent PaX change that causes boot failures with 32bit userland"
+
+ This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:46:00 2013 -0400
+
+ Update to pax-linux-3.10.4-test7.patch:
+ - added a few more missing format strings
+ - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
+ - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
+ - fixed a UDEREF/i386 regression, __get_user_8 would always fail
+
+ arch/x86/include/asm/processor.h | 4 +-
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/dumpstack.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/reboot_fixups_32.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/lib/getuser.S | 4 +-
+ arch/x86/xen/smp.c | 2 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++--
+ drivers/video/backlight/backlight.c | 2 +-
+ drivers/video/backlight/lcd.c | 2 +-
+ fs/binfmt_elf.c | 51 +++++++++++++++++++++++++---
+ fs/exec.c | 50 +++++++++++++--------------
+ include/linux/sched.h | 2 +
+ 14 files changed, 88 insertions(+), 47 deletions(-)
+
+commit 043130da54cb7cc8dc44e0ce889d426e889a0532
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 16:26:58 2013 -0400
+
+ compile fix for !COMPAT as mentioned on forums
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ed0a195abd4e41c2449a020a53a19c74dc866d78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:33:14 2013 -0400
+
+ perform compat conversion of rlimit infinity
+
+ grsecurity/gracl_compat.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:21:40 2013 -0400
+
+ remove debugging
+
+ grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
+ 1 files changed, 11 insertions(+), 33 deletions(-)
+
+commit e75b3f504692b97960a7530ad0855d91441d79c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:20:32 2013 -0400
+
+ eliminate compat_dev_t
+
+ include/linux/gracl_compat.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit e5abbaf95313066a724e1a843d4fc902a9a6450e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:13:22 2013 -0400
+
+ fix compat rlimit size
+
+ grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
+ include/linux/gracl_compat.h | 4 +-
+ 2 files changed, 49 insertions(+), 23 deletions(-)
+
+commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:20:18 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:14:29 2013 -0400
+
+ copy correct pointer size in new compat code
+
+ grsecurity/gracl.c | 8 ++++----
+ grsecurity/gracl_compat.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 23278a1ee1c7738dd1e7005241394d32b82196e4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:48:58 2013 -0400
+
+ revert recent PaX change that causes boot failures with 32bit userland
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit ec27f71a813656fea8ab37faecb2b485fe99d08e
+Merge: 3a11bcf 05f0a61
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:42:21 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:41:44 2013 -0400
+
+ Update to pax-linux-3.10.4-test6.patch:
+ - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender
+
+ include/linux/syscalls.h | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:15:50 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl_compat.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:12:46 2013 -0400
+
+ remove BUILD_BUG_ONs
+
+ grsecurity/gracl_compat.c | 20 --------------------
+ 1 files changed, 0 insertions(+), 20 deletions(-)
+
+commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:18:36 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl_compat.c | 8 ++++----
+ include/linux/gracl_compat.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 8b744005f8bae565e24c1fd88af77e6e619b9434
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:16:42 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_compat.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:13:51 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit b93b829afcc98b6108b18d99ff63c53642d0b951
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:11:03 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl_compat.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:08:21 2013 -0400
+
+ more compile fixes
+
+ grsecurity/gracl.c | 28 ++++++++++++++--------------
+ 1 files changed, 14 insertions(+), 14 deletions(-)
+
+commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:59:50 2013 -0400
+
+ more compile fixes
+
+ grsecurity/gracl.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:56:47 2013 -0400
+
+ additional compile fixes
+
+ grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 files changed, 49 insertions(+), 10 deletions(-)
+
+commit ac695a081d1124fb28bec46814535d34c5e40611
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:47:15 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:46:59 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 14 deletions(-)
+
+commit 82631f451cc7432b6c5578cf8d24155473feb25c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:22:44 2013 -0400
+
+ Initial commit of compat RBAC loading
+ Permits 32bit gradm to load policy for a 64bit kernel
+
+ Also removed code duplication for copying strings into the kernel
+
+ Work performed as part of sponsorship
+
+ grsecurity/Makefile | 4 +
+ grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
+ grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
+ include/linux/gracl_compat.h | 156 +++++++++++++++++++++
+ 4 files changed, 603 insertions(+), 142 deletions(-)
+
+commit 84c4a433dfb096e4a1162ee5e68025122c70b421
+Merge: c9d3ed3 9fe5897
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 17:08:56 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9fe58978938e357642885866ca48090a7753d403
+Merge: 8f693ad 6f7bb6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 17:08:43 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
+Merge: d5e5bfd 8f693ad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 28 10:03:08 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8f693ade9b3e448f92706d34148b00a087637f70
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 28 10:02:16 2013 -0400
+
+ Update to pax-linux-3.10.3-test5.patch:
+ - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
+ - fixed handling of faulting userland accesses for UDEREF/arm, from spender
+ - updated the size overflow hash table, from Emese
+
+ arch/arm/kernel/entry-armv.S | 3 +-
+ arch/x86/include/asm/processor.h | 4 +-
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++----
+ 7 files changed, 513 insertions(+), 55 deletions(-)
+
+commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
+Merge: 19e077b 8a8a0d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 21:05:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 21:04:09 2013 -0400
+
+ Update to pax-linux-3.10.3-test4.patch:
+ - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
+ this is finer grained sanitization than the existing per-page based approach (which
+ is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
+ line option can be used to enable/disable it on boot (it's enabled by default when
+ CONFIG_PAX_MEMORY_SANITIZE is enabled).
+
+ Documentation/kernel-parameters.txt | 4 ++++
+ fs/buffer.c | 2 +-
+ fs/dcache.c | 3 ++-
+ include/linux/slab.h | 7 +++++++
+ include/linux/slab_def.h | 4 ++++
+ kernel/fork.c | 2 +-
+ mm/rmap.c | 6 ++++--
+ mm/slab.c | 27 +++++++++++++++++++++++++++
+ mm/slab.h | 12 +++++++++++-
+ mm/slab_common.c | 14 ++++++++++++++
+ mm/slob.c | 5 +++++
+ mm/slub.c | 11 +++++++++++
+ net/core/skbuff.c | 6 ++++--
+ security/Kconfig | 23 +++++++++++++++++------
+ 14 files changed, 112 insertions(+), 14 deletions(-)
+
+commit 19e077bfff54ca211d0142c07cb6dd88069a390c
+Merge: 960ec51 c8f7f51
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 19:53:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c8f7f51591207b82530214300e86277028919286
+Merge: d5142e3 81a4648
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 19:52:29 2013 -0400
+
+ Update to pax-linux-3.10.3-test3.patch:
+ - fixed some compile issues reported by Michael Tremer and spender
+ - fixed an i386 regression with the lower address space gap on i386, reported by cnu
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ kernel/time/tick-broadcast.c
+
+commit 960ec51ab2142544fbae563d4fd5744775408965
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Jul 20 03:13:55 2013 +0400
+
+ Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
+
+ livelock avoidance in sget()
+
+ Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
+ to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive,
+ ->s_active is 1. Along comes two more processes, trying to mount the same
+ thing; sget() in each is picking that superblock, bumping ->s_count and
+ trying to grab ->s_umount. ->s_active is 3 now. Original mount(2)
+ finally gets to deactivate_locked_super() on failure; ->s_active is 2,
+ superblock is still ->fs_supers because shutdown will *not* happen until
+ ->s_active hits 0. ->s_umount is dropped and now we have two processes
+ chasing each other:
+ s_active = 2, A acquired ->s_umount, B blocked
+ A sees that the damn thing is stillborn, does deactivate_locked_super()
+ s_active = 1, A drops ->s_umount, B gets it
+ A restarts the search and finds the same superblock. And bumps it ->s_active.
+ s_active = 2, B holds ->s_umount, A blocked on trying to get it
+ ... and we are in the earlier situation with A and B switched places.
+
+ The root cause, of course, is that ->s_active should not grow until we'd
+ got MS_BORN. Then failing ->mount() will have deactivate_locked_super()
+ shut the damn thing down. Fortunately, it's easy to do - the key point
+ is that grab_super() is called only for superblocks currently on ->fs_supers,
+ so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
+ bump ->s_active; we must never increment ->s_count for superblocks past
+ ->kill_sb(), but grab_super() is never called for those.
+
+ The bug is pretty old; we would've caught it by now, if not for accidental
+ exclusion between sget() for block filesystems; the things like cgroup or
+ e.g. mtd-based filesystems don't have anything of that sort, so they get
+ bitten. The right way to deal with that is obviously to fix sget()...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/super.c | 25 ++++++++++---------------
+ 1 files changed, 10 insertions(+), 15 deletions(-)
+
+commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
+Merge: ab95b58 d5142e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:47:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
+Merge: f36ae8c 0f4a56e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:47:34 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit ab95b5842899d61ff5c30f4582e72029b3155be8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:28:40 2013 -0400
+
+ compile fix with constification reported by Michael Tremer
+
+ drivers/gpu/host1x/drm/dc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 817cd2d1e7a55720326599dd8f542578eef30927
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Jul 12 23:46:33 2013 +0200
+
+ Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
+
+ ipv6: only static routes qualify for equal cost multipathing
+
+ Static routes in this case are non-expiring routes which did not get
+ configured by autoconf or by icmpv6 redirects.
+
+ To make sure we actually get an ecmp route while searching for the first
+ one in this fib6_node's leafs, also make sure it matches the ecmp route
+ assumptions.
+
+ v2:
+ a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
+ already ensures that this route, even if added again without
+ RTF_EXPIRES (in case of a RA announcement with infinite timeout),
+ does not cause the rt6i_nsiblings logic to go wrong if a later RA
+ updates the expiration time later.
+
+ v3:
+ a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
+ because an pmtu event could update the RTF_EXPIRES flag and we would
+ not count this route, if another route joins this set. We now filter
+ only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
+ don't get changed after rt6_info construction.
+
+ Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_fib.c | 15 +++++++++++----
+ 1 files changed, 11 insertions(+), 4 deletions(-)
+
+commit 77db8196d51b043e2e2d124094da101b0f01bccb
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Jul 12 09:39:03 2013 +0300
+
+ Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
+
+ svcrdma: underflow issue in decode_write_list()
+
+ My static checker marks everything from ntohl() as untrusted and it
+ complains we could have an underflow problem doing:
+
+ return (u32 *)&ary->wc_array[nchunks];
+
+ Also on 32 bit systems the upper bound check could overflow.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
+ 1 files changed, 14 insertions(+), 6 deletions(-)
+
+commit 926473317fd7953137ef97835edd36dabc584b01
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 17 21:29:02 2013 -0400
+
+ add missing asm/pgtable.h include, reported by Michael Tremer
+
+ drivers/clk/socfpga/clk.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c592ae0001b31932ef1491784dfa374058797c66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 16 20:40:24 2013 -0400
+
+ allow viewing of ecryptfs version under SYSFS_RESTRICT
+
+ fs/sysfs/dir.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
+Merge: 9c96441 f36ae8c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:23:13 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f36ae8c741ae32b1caff10825be12c327792c925
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:22:15 2013 -0400
+
+ Update to pax-linux-3.10-test2.patch:
+ - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
+ - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
+ - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
+ - spender fixed an madvise regression, reported by Peter Keel
+ - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
+ - fixed a headers_install regression, reported by Mathias Krause
+ - fixed a SLOB compile regression, reported by Mathias Krause
+
+ arch/arm/include/asm/uaccess.h | 4 ++--
+ arch/arm/mm/mmu.c | 15 +++++++++++++--
+ drivers/clk/socfpga/clk.c | 6 ++++--
+ mm/madvise.c | 4 ++--
+ mm/slab.c | 4 ++--
+ mm/slob.c | 4 ++--
+ scripts/headers_install.sh | 2 +-
+ 7 files changed, 26 insertions(+), 13 deletions(-)
+
+commit 9c9644156a49637050741d9165df79174e59b0ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:19:54 2013 -0400
+
+ Fix sparc64 compilation, reported by Blake Self
+
+ arch/sparc/kernel/sys_sparc_64.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:49:17 2013 -0400
+
+ Update PaX fix, just return the error
+
+ mm/madvise.c | 15 +++++++--------
+ 1 files changed, 7 insertions(+), 8 deletions(-)
+
+commit a10e377d0eddd37e8a3665b135e546ab03d9d171
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:36:00 2013 -0400
+
+ Fix madvise oops reported by Peter Keel
+
+ mm/madvise.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+commit 08c5adca34d408772255b313f90d82c250c1d967
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:26:34 2013 -0400
+
+ don't make high vector mapping non-present on old ARM architectures, no
+ point in emulating some vector entries when the processor doesn't even support XN
+
+ arch/arm/mm/mmu.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 2b40781d4197a89a003616af584884e36361c5b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 09:51:58 2013 -0400
+
+ Temporary compile fix for code incorrectly modifying const data
+ Wrap a cast version of the code with open/close
+
+ Thanks to Michael Tremer for the report
+
+ drivers/clk/socfpga/clk.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit a8258c1b4098c396cd4ea719e20858182feac1c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 09:41:16 2013 -0400
+
+ Fix missing right parens in pipacs' "improvement" of my ARM code ;)
+ Thanks to Michael Tremer for reporting
+
+ arch/arm/include/asm/uaccess.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
+Merge: 86f446e 2577f8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jul 13 20:46:58 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ mm/memcontrol.c
+
+commit 2577f8e4ec41efb347706a59c6838de20f0c90da
+Merge: 75a36f0 cb5d8be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jul 13 20:43:42 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ crypto/algapi.c
+ drivers/block/nbd.c
+
+commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jul 12 23:02:11 2013 -0400
+
+ we always want the vector page to be noaccess for userland
+ therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
+ which turns into supervisor rwx, userland rx, we instead omit that entirely,
+ leaving it as supervisor rwx only
+
+ Fixes booting on ARMv5 and earlier, which need to write directly
+ to the high vector mapping via set_tls when context switching
+
+ Thanks to Michael Tremer for the bugreport
+
+ arch/arm/mm/mmu.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit 90cd0827eef656ec884f19c977873fefe2f2e47d
+Author: Cong Wang <amwang@redhat.com>
+Date: Sat Jun 29 12:02:59 2013 +0800
+
+ Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
+
+ gre: fix a regression in ioctl
+
+ When testing GRE tunnel, I got:
+
+ # ip tunnel show
+ get tunnel gre0 failed: Invalid argument
+ get tunnel gre1 failed: Invalid argument
+
+ This is a regression introduced by commit c54419321455631079c7d
+ ("GRE: Refactor GRE tunneling code.") because previously we
+ only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
+ after that commit, the check is moved for all commands.
+
+ So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
+
+ After this patch I got:
+
+ # ip tunnel show
+ gre0: gre/ip remote any local any ttl inherit nopmtudisc
+ gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit
+
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_gre.c | 9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
+Author: Cong Wang <amwang@redhat.com>
+Date: Sat Jun 29 13:00:57 2013 +0800
+
+ Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
+
+ vti: remove duplicated code to fix a memory leak
+
+ vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
+ and in vti_tunnel_init(), this lead to a memory leak of
+ dev->tstats.
+
+ Just remove the duplicated operations in vti_fb_tunnel_init().
+
+ (candidate for -stable)
+
+ Cc: Stephen Hemminger <stephen@networkplumber.org>
+ Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_vti.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:05 2013 +0200
+
+ Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
+
+ bnx2x: remove zeroing of dump data buffer
+
+ There is no need to initialize the dump data with zeros.
+ data is allocated with vzalloc, so it's already zero-filled.
+
+ More importantly, the memset is harmful, because dump->len (the length
+ requested by userspace) can be bigger than the allocated buffer (whose
+ size is determined by asking the driver's .get_dump_flag method).
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit c771072b72c261f9bddd6734dca6979c1b96e7df
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:06 2013 +0200
+
+ Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
+
+ bnx2x: fix dump flag handling
+
+ bnx2x interprets the dump flag as an index of a register preset.
+ It is important to validate the index to avoid out of bounds
+ memory accesses.
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+commit aed315c8fad9b2044143b46b239574b1b72135ce
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:30 2013 +0200
+
+ Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
+
+ ethtool: make .get_dump_data() harder to misuse by drivers
+
+ As the patch "bnx2x: remove zeroing of dump data buffer" showed,
+ it is too easy implement .get_dump_data incorrectly in a driver.
+
+ Let's make sure drivers cannot get confused by userspace requesting
+ a too big dump.
+
+ Also WARN if the driver sets dump->len to something weird and make
+ sure the length reported to userspace is the actual length of data
+ copied to userspace.
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/ethtool.c | 21 ++++++++++++++++++++-
+ 1 files changed, 20 insertions(+), 1 deletions(-)
+
+commit 5c57991e66216e386dcc875d34c33f0edd038569
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Jul 2 09:02:07 2013 +0800
+
+ Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
+
+ l2tp: add missing .owner to struct pppox_proto
+
+ Add missing .owner of struct pppox_proto. This prevents the
+ module from being removed from underneath its users.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
+Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Sun Jun 30 14:37:11 2013 +1000
+
+ Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
+
+ cxgb3: Missing rtnl lock in error recovery
+
+ When exercising error injection on IBM pseries machine, I hit the
+ following warning:
+
+ [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
+ [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
+ [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
+ [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031)
+ [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
+ [ 254.895474] Call Trace:
+ [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
+ [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
+ [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
+ [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
+ [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
+ [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
+ [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
+ [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
+ [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
+ [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
+ [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
+
+ It appears that t3_resume_ports() is called with the rtnl_lock held from
+ the fatal error task but not from the PCI error callbacks. This fixes it.
+
+ Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Jul 1 20:21:30 2013 +0200
+
+ Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
+
+ ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
+
+ We accidentally call down to ip6_push_pending_frames when uncorking
+ pending AF_INET data on a ipv6 socket. This results in the following
+ splat (from Dave Jones):
+
+ skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
+ ------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:126!
+ invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+ Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
+ +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
+ CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
+ task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
+ RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
+ RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
+ RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
+ RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
+ RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
+ R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
+ FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
+ Stack:
+ ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
+ ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
+ ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
+ Call Trace:
+ [<ffffffff8159a9aa>] skb_push+0x3a/0x40
+ [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
+ [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
+ [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
+ [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
+ [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
+ [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
+ [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
+ [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
+ [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
+ [<ffffffff816f5d54>] tracesys+0xdd/0xe2
+ Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
+ RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
+ RSP <ffff8801e6431de8>
+
+ This patch adds a check if the pending data is of address family AF_INET
+ and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
+ if that is the case.
+
+ This bug was found by Dave Jones with trinity.
+
+ (Also move the initialization of fl6 below the AF_INET check, even if
+ not strictly necessary.)
+
+ Cc: Dave Jones <davej@redhat.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/udp.h | 1 +
+ net/ipv4/udp.c | 3 ++-
+ net/ipv6/udp.c | 7 ++++++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+commit cd83094a85d9bbd5a67332156407d53cf8835432
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Jul 2 08:04:05 2013 +0200
+
+ Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
+
+ ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
+
+ If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
+ of this when appending the second frame on a corked socket. This results
+ in the following splat:
+
+ [37598.993962] ------------[ cut here ]------------
+ [37598.994008] kernel BUG at net/core/skbuff.c:2064!
+ [37598.994008] invalid opcode: 0000 [#1] SMP
+ [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
+ +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
+ +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
+ [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
+ +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
+ [37598.994008] CPU 0
+ [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
+ [37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+ [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
+ [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
+ [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
+ [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
+ [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
+ [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
+ [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
+ [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
+ [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
+ [37598.994008] Stack:
+ [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
+ [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
+ [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
+ [37598.994008] Call Trace:
+ [37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
+ [37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
+ [37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
+ [37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
+ [37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
+ [37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
+ [37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
+ [37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
+ [37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
+ [37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
+ [37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
+ [37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
+ [37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
+ [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
+ [37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+ [37598.994008] RSP <ffff88003670da18>
+ [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
+
+ While there, also check if path mtu discovery is activated for this
+ socket. The logic was adapted from ip6_append_data when first writing
+ on the corked socket.
+
+ This bug was introduced with commit
+ 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
+ fragment").
+
+ v2:
+ a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
+ b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
+ feng, thanks!).
+ c) Change mtu to unsigned int, else we get a warning about
+ non-matching types because of the min()-macro type-check.
+
+ Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 16 ++++++++++------
+ 1 files changed, 10 insertions(+), 6 deletions(-)
+
+commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jul 7 14:26:53 2013 +0300
+
+ Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
+
+ vhost-net: fix use-after-free in vhost_net_flush
+
+ vhost_net_ubuf_put_and_wait has a confusing name:
+ it will actually also free it's argument.
+ Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
+ "vhost-net: flush outstanding DMAs on memory change"
+ vhost_net_flush tries to use the argument after passing it
+ to vhost_net_ubuf_put_and_wait, this results
+ in use after free.
+ To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
+ add an new API for callers that want to free ubufs.
+
+ Acked-by: Asias He <asias@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/vhost/net.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 088806db74ac2f08c106202bc5498585a9ee529f
+Author: Michal Hocko <mhocko@suse.cz>
+Date: Mon Jul 8 16:00:29 2013 -0700
+
+ Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
+
+ memcg, kmem: fix reference count handling on the error path
+
+ mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
+ This is not correct because only memcg_propagate_kmem takes an
+ additional reference while mem_cgroup_sockets_init is allowed to fail as
+ well (although no current implementation fails) but it doesn't take any
+ reference. This all suggests that it should be memcg_propagate_kmem
+ that should clean up after itself so this patch moves mem_cgroup_put
+ over there.
+
+ Unfortunately this is not that easy (as pointed out by Li Zefan) because
+ memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
+ marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
+ memcg_propagate_kmem fails so the additional reference is dropped in
+ that case in kmem_cgroup_destroy which means that the reference would be
+ dropped two times.
+
+ The easiest way then would be to simply remove mem_cgrroup_put from
+ mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
+ thing.
+
+ Signed-off-by: Michal Hocko <mhocko@suse.cz>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: Glauber Costa <glommer@openvz.org>
+ Cc: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: <stable@vger.kernel.org> [3.8]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/memcontrol.c | 8 --------
+ 1 files changed, 0 insertions(+), 8 deletions(-)
+
+commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
+Author: Michal Hocko <mhocko@suse.cz>
+Date: Mon Jul 8 16:00:27 2013 -0700
+
+ Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
+
+ Revert "memcg: avoid dangling reference count in creation failure"
+
+ This reverts commit e4715f01be697a.
+
+ mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
+ an additional reference from all parents so the additional
+ mem_cgrroup_put(parent) potentially causes use-after-free.
+
+ Signed-off-by: Michal Hocko <mhocko@suse.cz>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: Glauber Costa <glommer@openvz.org>
+ Cc: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: <stable@vger.kernel.org> [3.9+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/memcontrol.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit 3267ec559f48327a1836eccecd53215afc5810d0
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jun 20 13:13:59 2013 -0700
+
+ Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
+
+ libceph: Fix NULL pointer dereference in auth client code
+
+ A malicious monitor can craft an auth reply message that could cause a
+ NULL function pointer dereference in the client's kernel.
+
+ To prevent this, the auth_none protocol handler needs an empty
+ ceph_auth_client_ops->build_request() function.
+
+ CVE-2013-1059
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Chanam Park <chanam.park@hkpco.kr>
+ Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
+ Reviewed-by: Sage Weil <sage@inktank.com>
+ Cc: stable@vger.kernel.org
+
+ net/ceph/auth_none.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit cdfeb4049e7cb38702215b2c356ce0407974ac79
+Author: Eric Paris <eparis@redhat.com>
+Date: Wed Jul 3 15:08:29 2013 -0700
+
+ Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
+
+ fork: reorder permissions when violating number of processes limits
+
+ When a task is attempting to violate the RLIMIT_NPROC limit we have a
+ check to see if the task is sufficiently priviledged. The check first
+ looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
+
+ A result is that tasks which are allowed by the uid=0 check are first
+ checked against the security subsystem. This results in the security
+ subsystem auditting a denial for sys_admin and sys_resource and then the
+ task passing the uid=0 check.
+
+ This patch rearranges the code to first check uid=0, since if we pass that
+ we shouldn't hit the security system at all. We then check sys_resource,
+ since it is the smallest capability which will solve the problem. Lastly
+ we check the fallback everything cap_sysadmin. We don't want to give this
+ capability many places since it is so powerful.
+
+ This will eliminate many of the false positive/needless denial messages we
+ get when a root task tries to violate the nproc limit. (note that
+ kthreads count against root, so on a sufficiently large machine we can
+ actually get past the default limits before any userspace tasks are
+ launched.)
+
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/fork.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 08c87e049c8a50707908785d950fd48c334f4c09
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Sat Jun 22 13:26:09 2013 +0800
+
+ Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
+
+ arch: sparc: kernel: check the memory length before use strcpy().
+
+ For the related next strcpy(), the destination length is less than 512,
+ but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
+ more than 512.
+
+ One work flow may:
+ openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT)
+ getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'.
+ opromsetopt() -> devide the buffer into 'var' and 'value'
+ of_set_property() -> pass
+ prom_setprop() -> pass
+ ldom_set_var()
+
+ And do not mind the additional 4 alignment buffer increasing, since
+ 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/kernel/ds.c | 10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jul 12 20:38:45 2013 -0400
+
+ Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
+
+ Unlike slub, slab can initally create two of the kmalloc_caches
+ which will be used later for generic kmallocs of their particular
+ aligned size (since the later loop in the unified allocator code
+ skips any already-existing kmalloc_caches)
+
+ mm/slab.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 22:04:59 2013 -0400
+
+ compile fixes
+
+ fs/exec.c | 2 +-
+ mm/mmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit e2d027c7e0f106be683c0c72482b8285daefcbe6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:58:40 2013 -0400
+
+ commit successful merges
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 3 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/signal.c | 9 +-
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 9 +-
+ arch/x86/kernel/sys_x86_64.c | 8 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 1 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 129 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/block/cpqarray.c | 1 +
+ drivers/cdrom/cdrom.c | 4 +-
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/mwave/tp3780i.c | 1 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 9 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 184 ++-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/resize.c | 17 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 234 ++-
+ fs/namespace.c | 16 +
+ fs/notify/fanotify/fanotify_user.c | 1 +
+ fs/open.c | 38 +
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 ++-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 4 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/perf_event.h | 13 +-
+ include/linux/printk.h | 3 +-
+ include/linux/sched.h | 24 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/events/core.c | 14 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 64 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 2 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 7 +
+ kernel/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 70 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 1 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 63 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev_ioctl.c | 4 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 4 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netrom/af_netrom.c | 1 -
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 343 +++-
+ security/apparmor/Kconfig | 9 +
+ security/apparmor/apparmorfs.c | 231 ++
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 242 files changed, 4385 insertions(+), 2042 deletions(-)
+
+commit 043a378c0f72ed92cc30182c48abce39867ac93f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:57:40 2013 -0400
+
+ Commit merge of new files and rejected patches
+
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/powerpc/include/asm/thread_info.h | 7 +-
+ arch/powerpc/mm/slice.c | 2 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 15 +
+ fs/coredump.c | 1 +
+ fs/ext4/balloc.c | 4 +-
+ fs/namei.c | 7 +
+ fs/namespace.c | 8 +
+ fs/pipe.c | 2 +-
+ fs/proc/inode.c | 13 +
+ fs/proc/internal.h | 3 +
+ grsecurity/Kconfig | 1054 +++++++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 ++++
+ grsecurity/gracl_ip.c | 387 +++
+ grsecurity/gracl_learn.c | 207 ++
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 +++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 +++
+ grsecurity/grsec_disabled.c | 434 ++++
+ grsecurity/grsec_exec.c | 187 ++
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 +++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 +++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 246 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 ++++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/gracl.h | 319 +++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 ++
+ include/linux/grinternal.h | 227 ++
+ include/linux/grmsg.h | 112 +
+ include/linux/grsecurity.h | 241 ++
+ include/linux/grsock.h | 19 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/proc_fs.h | 13 +
+ include/linux/sched.h | 48 +-
+ include/trace/events/fs.h | 53 +
+ kernel/kmod.c | 7 +-
+ kernel/panic.c | 2 +-
+ kernel/posix-timers.c | 1 +
+ kernel/time/timekeeping.c | 2 +
+ lib/Kconfig.debug | 2 +-
+ lib/vsprintf.c | 31 +
+ localversion-grsec | 1 +
+ mm/mmap.c | 13 +-
+ mm/shmem.c | 2 +-
+ net/core/net-procfs.c | 5 +
+ net/ipv6/udp.c | 3 +
+ net/netfilter/xt_gradm.c | 51 +
+ 66 files changed, 11184 insertions(+), 21 deletions(-)
+
+commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 17:35:47 2013 -0400
+
+ Initial import of pax-linux-3.10-test1.patch
+
+ Documentation/dontdiff | 46 +-
+ Documentation/kernel-parameters.txt | 12 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 444 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 14 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 15 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
+ arch/arm/mach-ux500/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 91 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 30 +-
+ arch/arm/mm/mmu.c | 187 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 13 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 +
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 4 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/efi_stub_32.S | 16 +-
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 22 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 4 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 +-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 67 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/include/asm/page_64.h | 4 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 122 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 33 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 28 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 61 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 +-
+ arch/x86/kernel/entry_64.S | 548 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 13 +-
+ arch/x86/kernel/head_32.S | 237 +-
+ arch/x86/kernel/head_64.S | 143 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 55 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 2 +
+ arch/x86/kernel/setup.c | 21 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 184 +
+ arch/x86/kernel/sys_x86_64.c | 22 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 61 +-
+ arch/x86/kvm/x86.c | 8 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 70 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 363 +-
+ arch/x86/lib/usercopy_64.c | 13 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 556 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 98 +-
+ arch/x86/mm/init_32.c | 113 +-
+ arch/x86/mm/init_64.c | 38 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pat_rbtree.c | 2 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 24 +
+ arch/x86/platform/efi/efi_64.c | 10 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 11 +-
+ arch/x86/realmode/init.c | 10 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/Makefile | 2 +-
+ arch/x86/tools/relocs.c | 94 +-
+ arch/x86/um/tls_32.c | 2 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/genhd.c | 11 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/algapi.c | 2 +-
+ crypto/cryptd.c | 4 +-
+ crypto/pcrypt.c | 6 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/attribute_container.c | 2 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 8 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/nbd.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 11 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 4 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 45 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clk/clk-composite.c | 2 +-
+ drivers/clocksource/arm_arch_timer.c | 2 +-
+ drivers/clocksource/metag_generic.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 8 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 6 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efi/efi.c | 12 +-
+ drivers/firmware/efi/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/iio_hwmon.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 12 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bcache/closure.h | 2 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/vhost/vringh.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/output.c | 2 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_addr.c | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 12 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 607 ++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 12 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/exec.c | 362 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 4 +-
+ fs/fhandle.c | 3 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 4 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/lockd/svc.c | 2 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 10 +-
+ fs/nfs/callback.c | 4 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfs/nfs4state.c | 2 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 9 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 61 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/proc/vmcore.c | 12 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/read_write.c | 2 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 40 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/clk-provider.h | 1 +
+ include/linux/compat.h | 4 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 4 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 6 +-
+ include/linux/mm.h | 116 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 12 +-
+ include/linux/pipe_fs_i.h | 8 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-ohci-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/proc_ns.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 65 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 42 +-
+ include/linux/slab_def.h | 28 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 8 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 10 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 12 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/netns/ipv6.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/compress_driver.h | 2 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 30 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 42 +-
+ init/main.c | 83 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditfilter.c | 2 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 38 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 30 +-
+ kernel/events/internal.h | 10 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 11 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 22 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 76 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 51 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/sched/sched.h | 2 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 18 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 6 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 18 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ kernel/workqueue.c | 2 +-
+ lib/Kconfig.debug | 8 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 6 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/usercopy.c | 6 +
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/backing-dev.c | 4 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 15 +-
+ mm/mmap.c | 606 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 4 +-
+ mm/page_alloc.c | 41 +-
+ mm/page_io.c | 2 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 79 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 46 +-
+ mm/slob.c | 201 +-
+ mm/slub.c | 79 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 77 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_core.c | 8 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/devinet.c | 18 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 18 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 12 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 8 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 16 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 29 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.sh | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 676 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/internal.h | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/core/sound.c | 2 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ sound/sound_core.c | 2 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 172 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 560 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 ++
+ tools/gcc/latent_entropy_plugin.c | 327 ++
+ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2114 +++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/gcc/structleak_plugin.c | 277 +
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1607 files changed, 30734 insertions(+), 7318 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 23:05:14 2013 -0400
+
+ always enforce a non-zero gap for RAND_THREADSTACK
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 16:09:28 2013 -0400
+
+ fix up file comparisons
+
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_sig.c | 4 ++--
+ include/linux/grinternal.h | 12 ++++++++++++
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+commit a1fff2c95162314626dd96bec71d951a8c1c4708
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:33:18 2013 -0400
+
+ fix suid binary matching
+
+ grsecurity/grsec_sig.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
+Merge: 37b97a9 47beb61
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:02:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:01:37 2013 -0400
+
+ Update to pax-linux-3.9.9-test13.patch:
+ - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
+ - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)
+
+ arch/arm/include/asm/uaccess.h | 20 ++++++++++----------
+ arch/arm/kernel/armksyms.c | 2 +-
+ arch/arm/kernel/entry-armv.S | 4 ++--
+ arch/arm/mm/Kconfig | 2 +-
+ arch/x86/ia32/ia32entry.S | 4 ++--
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/kernel/entry_32.S | 4 ++--
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ arch/x86/kernel/head64.c | 12 ++++++------
+ arch/x86/kernel/head_64.S | 16 ++++++++++++----
+ arch/x86/mm/init.c | 8 ++++++++
+ arch/x86/mm/init_32.c | 6 ------
+ arch/x86/mm/init_64.c | 6 ------
+ arch/x86/platform/efi/efi_32.c | 5 +++++
+ arch/x86/platform/efi/efi_64.c | 10 ++++++++++
+ 15 files changed, 64 insertions(+), 44 deletions(-)
+
+commit 89085d2d0643813a62f23d1199a335dc1e129bc0
+Merge: 963af7f 0adf2e7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 14:55:44 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:46:02 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:29:51 2013 -0400
+
+ update log arguments
+
+ grsecurity/grsec_sig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:20:23 2013 -0400
+
+ Update logging of suid exec ban
+
+ Conflicts:
+
+ grsecurity/grsec_sig.c
+
+ grsecurity/grsec_sig.c | 3 +--
+ include/linux/grmsg.h | 1 +
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit ef808866c070aa1901bd2224521baaf5d145a3a7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 12:58:33 2013 -0400
+
+ Additional improvements to the user banning code:
+
+ Separate the kernel-bruteforcing case from the suid bruteforcing case
+ In the suid bruteforcing case, only kill existing copies of the bruteforced
+ binary. Instead of preventing all future execs by this user, prevent them
+ from executing any suid/sgid binaries for the next 15 minutes.
+
+ Kernel case is mostly unchanged from before, except the task trying to change
+ real uid to the banned user will be terminated instead of failing the setuid
+ call.
+
+ Configuration help has been updated to reflect the new changes.
+
+ fs/exec.c | 13 +++++---
+ grsecurity/Kconfig | 5 ++-
+ grsecurity/gracl.c | 6 ++--
+ grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------
+ include/linux/grsecurity.h | 1 -
+ include/linux/sched.h | 9 +++--
+ 6 files changed, 65 insertions(+), 45 deletions(-)
+
+commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 16:14:09 2013 -0400
+
+ fix renamed export of csum_partial_copy_from_user, as reported by fabled
+ on the forums
+
+ arch/arm/kernel/armksyms.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 318235973c2a548c3d25562645d6b69f66e85934
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 16:09:16 2013 -0400
+
+ make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
+ reported on the forums by fabled
+
+ arch/arm/mm/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 15:53:12 2013 -0400
+
+ Revise the user ban code to kill the process issuing a banned
+ set*id instead of returning an error. For the sake of keeping
+ unified user banning between the suid and kernel bruteforce case,
+ we will apply this killing to the suid bruteforce case, despite
+ a check just at exec time (that already existed) being sufficient.
+
+ Returning an error could enable exploitation of the "failure to check
+ setuid return value" case which was recently effectively closed
+ upstream, albeit in a rare situation with a suitable binary and
+ two colluding users.
+
+ Many thanks to stealth for reviewing the user ban code.
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/grsec_sig.c | 16 +++++++++++++---
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
+Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Date: Fri Jun 28 14:15:15 2013 +0300
+
+ Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
+
+ UBIFS: fix a horrid bug
+
+ Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
+ mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
+ in the middle of 'ubifs_readdir()'.
+
+ This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
+ it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
+ but this may corrupt memory and lead to all kinds of problems like crashes an
+ security holes.
+
+ This patch fixes the problem by using the 'file->f_version' field, which
+ '->llseek()' always unconditionally sets to zero. We set it to 1 in
+ 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
+ seek and it is time to clear the state saved in 'file->private_data'.
+
+ I tested this patch by writing a user-space program which runds readdir and
+ seek in parallell. I could easily crash the kernel without these patches, but
+ could not crash it with these patches.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+ Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+ Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++---
+ 1 files changed, 27 insertions(+), 3 deletions(-)
+
+commit c22280b85088978bd8b45bd23096879459b48008
+Author: Stephane Eranian <eranian@google.com>
+Date: Thu Jun 20 11:36:28 2013 +0200
+
+ Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
+
+ perf: Disable monitoring on setuid processes for regular users
+
+ There was a a bug in setup_new_exec(), whereby
+ the test to disabled perf monitoring was not
+ correct because the new credentials for the
+ process were not yet committed and therefore
+ the get_dumpable() test was never firing.
+
+ The patch fixes the problem by moving the
+ perf_event test until after the credentials
+ are committed.
+
+ Signed-off-by: Stephane Eranian <eranian@google.com>
+ Tested-by: Jiri Olsa <jolsa@redhat.com>
+ Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ fs/exec.c | 16 +++++++++-------
+ 1 files changed, 9 insertions(+), 7 deletions(-)
+
+commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 29 13:10:02 2013 -0400
+
+ on context switch, make sure we switch DACR when domain support and
+ KERNEXEC is disabled but UDEREF is enabled
+
+ arch/arm/kernel/entry-armv.S | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 08d017fa51370921694ce087b28c96fec92993d4
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jun 23 17:26:58 2013 +0300
+
+ Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
+
+ macvtap: fix recovery from gup errors
+
+ get user pages might fail partially in macvtap zero copy
+ mode. To recover we need to put all pages that we got,
+ but code used a wrong index resulting in double-free
+ errors.
+
+ Reported-by: Brad Hubbard <bhubbard@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/macvtap.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jun 23 17:19:03 2013 +0300
+
+ Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
+
+ tun: fix recovery from gup errors
+
+ get user pages might fail partially in tun zero copy
+ mode. To recover we need to put all pages that we got,
+ but code used a wrong index resulting in double-free
+ errors.
+
+ Reported-by: Brad Hubbard <bhubbard@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
+Author: Balazs Peter Odor <balazs@obiserver.hu>
+Date: Sat Jun 22 19:24:43 2013 +0200
+
+ Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
+
+ netfilter: nf_nat_sip: fix mangling
+
+ In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
+ there were some missing brackets around the logging information, thus
+ always returning drop.
+
+ Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
+
+ Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nf_nat_sip.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
+Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Date: Sun Jun 2 16:30:40 2013 -0400
+
+ Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
+
+ Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
+
+ If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
+ controller, memory corruption happens due to a memcpy() call with
+ negative length.
+
+ Fix this crash on either incoming or outgoing connections with a MTU
+ smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
+
+ [ 46.885433] BUG: unable to handle kernel paging request at f56ad000
+ [ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
+ [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
+ [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
+ [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
+ [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
+ [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+ [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
+ [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
+ [ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
+ [ 46.888037] EIP is at memcpy+0x1d/0x40
+ [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
+ [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
+ [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+ [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
+ [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
+ [ 46.888037] DR6: ffff0ff0 DR7: 00000400
+ [ 46.888037] Stack:
+ [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
+ [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
+ [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
+ [ 46.888037] Call Trace:
+ [ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
+ [ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
+ [ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
+ [ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
+ [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+ [ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
+ [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+ [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+ [ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
+ [ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
+ [ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
+ [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+ [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+ [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+ [ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
+ [ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
+ [ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
+ [ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
+ [ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
+ [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+ [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+ [ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
+ [ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
+ [ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
+ [ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
+ [ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
+ [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
+ [ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
+ [ 46.888037] CR2: 00000000f56ad000
+ [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
+
+ Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ net/bluetooth/l2cap_core.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit b0471b6c1160858fc646d8e94628fd1299f61692
+Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
+Date: Fri Jun 21 19:55:11 2013 +0530
+
+ Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
+
+ Bluetooth: Fix invalid length check in l2cap_information_rsp()
+
+ The length check is invalid since the length varies with type of
+ info response.
+
+ This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
+
+ Because of this, l2cap info rsp is not handled and command reject is sent.
+
+ > ACL data: handle 11 flags 0x02 dlen 16
+ L2CAP(s): Info rsp: type 2 result 0
+ Extended feature mask 0x00b8
+ Enhanced Retransmission mode
+ Streaming mode
+ FCS Option
+ Fixed Channels
+ < ACL data: handle 11 flags 0x00 dlen 10
+ L2CAP(s): Command rej: reason 0
+ Command not understood
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
+ Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
+ Acked-by: Johan Hedberg <johan.hedberg@intel.com>
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+
+ net/bluetooth/l2cap_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4184af98c360d825e638b268b1a9847232e8d299
+Author: Eric Dumazet <edumazet@google.com>
+Date: Wed Jun 26 04:15:07 2013 -0700
+
+ Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
+
+ ipv6: ip6_sk_dst_check() must not assume ipv6 dst
+
+ It's possible to use AF_INET6 sockets and to connect to an IPv4
+ destination. After this, socket dst cache is a pointer to a rtable,
+ not rt6_info.
+
+ ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
+ various corruptions/crashes can happen.
+
+ Dave Jones can reproduce immediate crash with
+ trinity -q -l off -n -c sendmsg -c connect
+
+ With help from Hannes Frederic Sowa
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
+Author: Zefan Li <lizefan@huawei.com>
+Date: Wed Jun 26 15:29:54 2013 +0800
+
+ Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
+
+ dlci: acquire rtnl_lock before calling __dev_get_by_name()
+
+ Otherwise the net device returned can be freed at anytime.
+
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/dlci.c | 14 +++++++++-----
+ 1 files changed, 9 insertions(+), 5 deletions(-)
+
+commit 1fe6f23c9acd14d832d056909ff326bde418e645
+Author: Zefan Li <lizefan@huawei.com>
+Date: Wed Jun 26 15:31:58 2013 +0800
+
+ Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
+
+ dlci: validate the net device in dlci_del()
+
+ We triggered an oops while running trinity with 3.4 kernel:
+
+ BUG: unable to handle kernel paging request at 0000000100000d07
+ IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+ PGD 640c0d067 PUD 0
+ Oops: 0000 [#1] PREEMPT SMP
+ CPU 3
+ ...
+ Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
+ RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+ ...
+ Call Trace:
+ [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
+ [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
+ [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
+ [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
+ [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
+ ...
+
+ It's because the net device is not a dlci device.
+
+ Reported-by: Li Jinyue <lijinyue@huawei.com>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/dlci.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+commit 4d4464407611527ef6b6b5475cfcab6121b3da66
+Merge: 59571a9 963af7f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 27 18:54:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 963af7f7f591759b731ce6325ceb583a72fcf423
+Merge: c51e25a 55db48a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 27 18:54:42 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 59571a9db7485f530a1e865a13cacc4c991ec41f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:39:08 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: Steffen Klassert <steffen.klassert@secunet.com>,
+ "David S. Miller" <davem@davemloft.net>
+ Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
+ Herbert Xu <herbert@gondor.apana.org.au>
+ Subject: [PATCH] af_key: fix info leaks in notify messages
+
+ key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
+ the sadb_msg_reserved member of the broadcasted message and thereby
+ leak 2 bytes of heap memory to listeners. Fix that.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+
+ net/key/af_key.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:33:06 2013 -0400
+
+ update rand_threadstack code to continue the search for a gap if the first
+ choice doesn't have enough space, instead of returning ENOMEM
+
+ mm/mmap.c | 17 ++++++++++-------
+ 1 files changed, 10 insertions(+), 7 deletions(-)
+
+commit 87020d4a4d83038d65ff1fd519938840f6888b9e
+Merge: 2682346 c51e25a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:25:32 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c51e25a23f30a1198076bd085f19b2073caf164d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:24:54 2013 -0400
+
+ Update to pax-linux-3.9.7-test12.patch:
+ - fixed a regression on PARAVIRT/amd64 kernels
+ - simplified the recent vm_unmapped_area_info based change
+
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ mm/mmap.c | 22 ++++++++++++----------
+ 2 files changed, 16 insertions(+), 14 deletions(-)
+
+commit 26823469a08e59cb67bea18d448d9e8c65f82e08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 21:26:51 2013 -0400
+
+ re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
+ vm_unmapped_area code is complete
+
+ arch/x86/kernel/sys_i386_32.c | 5 +++++
+ grsecurity/Kconfig | 2 +-
+ mm/mmap.c | 11 ++++++++++-
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
+Merge: e58fe8c c4e0704
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 19:08:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/sys_i386_32.c
+
+commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 19:05:39 2013 -0400
+
+ Update to pax-linux-3.9.7-test11.patch:
+ - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
+ - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
+ - fixed the recent nested nmi related fixes some more
+ - fixed a regression in kernel memory initialization on relocatable i386 kernels
+ - empty_zero_page can be read-only on amd64 as well
+
+ arch/arm/mm/mmap.c | 6 --
+ arch/x86/kernel/entry_64.S | 8 +--
+ arch/x86/kernel/head_64.S | 1 -
+ arch/x86/kernel/setup.c | 2 +-
+ arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++----------------------------
+ drivers/lguest/core.c | 2 +-
+ include/linux/mm.h | 6 +-
+ include/linux/vmalloc.h | 2 +-
+ mm/mmap.c | 30 +++++++-
+ 9 files changed, 83 insertions(+), 134 deletions(-)
+
+commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 23 14:37:14 2013 -0400
+
+ second compile fix, reported by forsaken on forums
+
+ include/linux/vmalloc.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 23 14:36:35 2013 -0400
+
+ compile fix, reported by KDE on forums
+
+ kernel/printk.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit 1fc9a5e2e267205d28302e1e86ca0da434561111
+Author: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun Jun 16 21:27:12 2013 +0100
+
+ Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
+
+ x86/efi: Fix dummy variable buffer allocation
+
+ 1. Check for allocation failure
+ 2. Clear the buffer contents, as they may actually be written to flash
+ 3. Don't leak the buffer
+
+ Compile-tested only.
+
+ [ Tested successfully on my buggy ASUS machine - Matt ]
+
+ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+
+ arch/x86/platform/efi/efi.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
+Author: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Tue Jun 18 09:05:36 2013 -0500
+
+ Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
+
+ sparc: tsb must be flushed before tlb
+
+ This fixes a race where a cpu may re-load a tlb from a stale tsb right
+ after it has been flushed by a remote function call.
+
+ I still see some instability when stressing the system with parallel
+ kernel builds while creating memory pressure by writing to
+ /proc/sys/vm/nr_hugepages, but this patch improves the stability
+ significantly.
+
+ Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+ Acked-by: Bob Picco <bob.picco@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/mm/tlb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d93b62f6485db9aadda34322a6867868db07f56f
+Merge: 4ef62f5 71d83e9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:52:55 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 71d83e97c936563913bcfb5a25c45b2021a331eb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:48:42 2013 -0400
+
+ Update to pax-linux-3.9.7-test10.patch:
+ - fixed a few format string problems uncovered by -Wformat-nonliteral
+ - another attempt at fixing the nested nmi/cr0.wp problem
+ - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
+ - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
+ - fixed a locking issue with track_exec_limit reported by spender
+ - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)
+
+ Documentation/dontdiff | 1 +
+ arch/x86/boot/compressed/efi_stub_32.S | 16 ++-----
+ arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------
+ arch/x86/kernel/vmlinux.lds.S | 2 +-
+ block/genhd.c | 11 +++--
+ crypto/algapi.c | 2 +-
+ crypto/pcrypt.c | 6 +-
+ drivers/base/attribute_container.c | 2 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/block/nbd.c | 2 +-
+ drivers/cdrom/cdrom.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/mem.c | 2 +-
+ drivers/devfreq/devfreq.c | 2 +-
+ drivers/gpu/drm/drm_encoder_slave.c | 6 +--
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/iommu/irq_remapping.c | 2 +-
+ drivers/video/output.c | 2 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 2 +-
+ fs/lockd/svc.c | 2 +-
+ fs/nfs/callback.c | 4 +-
+ fs/nfs/nfs4state.c | 2 +-
+ fs/nfsd/nfscache.c | 3 +-
+ init/initramfs.c | 2 +-
+ kernel/rcutree.c | 2 +-
+ lib/kobject.c | 2 +-
+ mm/backing-dev.c | 4 +-
+ mm/mmap.c | 4 +-
+ mm/slub.c | 2 +-
+ mm/vmalloc.c | 15 +++----
+ net/bluetooth/hci_core.c | 8 ++--
+ net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
+ net/sunrpc/svc.c | 2 +-
+ security/Kconfig | 15 +++---
+ sound/core/sound.c | 2 +-
+ sound/sound_core.c | 2 +-
+ 40 files changed, 116 insertions(+), 111 deletions(-)
+
+commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
+Merge: 39efd8f 256eff7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:45:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ kernel/printk.c
+
+commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
+Merge: e6e3059 485f25f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 20 22:14:24 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 18 17:20:18 2013 -0400
+
+ add apparmor compat patch
+
+ security/apparmor/Kconfig | 9 ++
+ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 240 insertions(+), 0 deletions(-)
+
+commit 49bee3c5341687504669bf62becf4a419a226ba0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 17 18:48:04 2013 -0400
+
+ Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
+
+ This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.
+
+ kernel/sys.c | 29 +++--------------------------
+ 1 files changed, 3 insertions(+), 26 deletions(-)
+
+commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Sun Jun 16 18:06:06 2013 +0100
+
+ Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
+
+ lseek(fd, n, SEEK_END) does *not* go to eof - n
+
+ When you copy some code, you are supposed to read it. If nothing else,
+ there's a chance to spot and fix an obvious bug instead of sharing it...
+
+ X-Song: "I Got It From Agnes", by Tom Lehrer
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ [ Tom Lehrer? You're dating yourself, Al ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +-
+ drivers/scsi/bfa/bfad_debugfs.c | 2 +-
+ drivers/scsi/fnic/fnic_debugfs.c | 2 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 5a450f1c46f0c84379518aee878993d3f4a331b6
+Author: Theodore Ts'o <tytso@mit.edu>
+Date: Thu Jun 6 11:14:31 2013 -0400
+
+ Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
+
+ ext4: verify group number in verify_group_input() before using it
+
+ Check the group number for sanity earilier, before calling routines
+ such as ext4_bg_has_super() or ext4_group_overhead_blocks().
+
+ Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+
+ fs/ext4/resize.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
+Author: Neil Horman <nhorman@tuxdriver.com>
+Date: Wed Jun 12 14:26:44 2013 -0400
+
+ Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
+
+ sctp: fully initialize sctp_outq in sctp_outq_init
+
+ In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
+ (refactor sctp_outq_teardown to insure proper re-initalization)
+ we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
+ outq structure. Steve West recently asked me why I removed the q->error = 0
+ initalization from sctp_outq_teardown. I did so because I was operating under
+ the impression that sctp_outq_init would properly initalize that value for us,
+ but it doesn't. sctp_outq_init operates under the assumption that the outq
+ struct is all 0's (as it is when called from sctp_association_init), but using
+ it in __sctp_outq_teardown violates that assumption. We should do a memset in
+ sctp_outq_init to ensure that the entire structure is in a known state there
+ instead.
+
+ Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+ Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
+ CC: Vlad Yasevich <vyasevich@gmail.com>
+ CC: netdev@vger.kernel.org
+ CC: davem@davemloft.net
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/sctp/outqueue.c
+
+ net/sctp/outqueue.c | 8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
+
+commit e13515ad7a9c7634599a105b2527752e527a905d
+Author: Saurabh Mohan <saurabh@vyatta.com>
+Date: Mon Jun 10 17:45:10 2013 -0700
+
+ Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
+
+ net/ipv4: ip_vti clear skb cb before tunneling.
+
+ If users apply shaper to vti tunnel then it will cause a kernel crash. The
+ problem seems to be due to the vti_tunnel_xmit function not clearing
+ skb->opt field before passing the packet to xfrm tunneling code.
+
+ Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
+ Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_vti.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed Jun 12 16:07:36 2013 +0200
+
+ Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
+
+ l2tp: Fix sendmsg() return value
+
+ PPPoL2TP sockets should comply with the standard send*() return values
+ (i.e. return number of bytes sent instead of 0 upon success).
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit af361b412e816e894fb42ddff7a0545b7def64c0
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed Jun 12 16:07:23 2013 +0200
+
+ Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
+
+ l2tp: Fix PPP header erasure and memory leak
+
+ Copy user data after PPP framing header. This prevents erasure of the
+ added PPP header and avoids leaking two bytes of uninitialised memory
+ at the end of skb's data buffer.
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 1f43aca088c35dda35abf76e08544e534c71fed4
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed Jun 12 16:02:27 2013 +0200
+
+ Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
+
+ packet: packet_getname_spkt: make sure string is always 0-terminated
+
+ uaddr->sa_data is exactly of size 14, which is hard-coded here and
+ passed as a size argument to strncpy(). A device name can be of size
+ IFNAMSIZ (== 16), meaning we might leave the destination string
+ unterminated. Thus, use strlcpy() and also sizeof() while we're
+ at it. We need to memset the data area beforehand, since strlcpy
+ does not padd the remaining buffer with zeroes for user space, so
+ that we do not possibly leak anything.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/packet/af_packet.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Wed Jun 5 19:38:26 2013 +0000
+
+ Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
+
+ net: Unbreak compat_sys_{send,recv}msg
+
+ I broke them in this commit:
+
+ commit 1be374a0518a288147c6a7398792583200a67261
+ Author: Andy Lutomirski <luto@amacapital.net>
+ Date: Wed May 22 14:07:44 2013 -0700
+
+ net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
+ MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It
+ also reverts some unnecessary checks in sys_socketcall.
+
+ Apparently I was suffering from underscore blindness the first time around.
+
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Tested-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/linux/socket.h | 3 ++
+ net/compat.c | 13 +++++++-
+ net/socket.c | 72 ++++++++++++++++++++++--------------------------
+ 3 files changed, 47 insertions(+), 41 deletions(-)
+
+commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Wed May 22 14:07:44 2013 -0700
+
+ Upstream commit: 1be374a0518a288147c6a7398792583200a67261
+
+ net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ To: linux-kernel@vger.kernel.org
+ Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
+ Miller" <davem@davemloft.net>
+ Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
+ it's a hack that steals a bit to indicate to other networking code
+ that a compat entry was used. So don't allow it from a non-compat
+ syscall.
+
+ This prevents an oops when running this code:
+
+ int main()
+ {
+ int s;
+ struct sockaddr_in addr;
+ struct msghdr *hdr;
+
+ char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ if (highpage == MAP_FAILED)
+ err(1, "mmap");
+
+ s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (s == -1)
+ err(1, "socket");
+
+ addr.sin_family = AF_INET;
+ addr.sin_port = htons(1);
+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
+ err(1, "connect");
+
+ void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
+ printf("Evil address is %p\n", evil);
+
+ if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
+ err(1, "sendmmsg");
+
+ return 0;
+ }
+
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/socket.c | 33 +++++++++++++++++++++++++++++++--
+ 1 files changed, 31 insertions(+), 2 deletions(-)
+
+commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri May 10 14:48:21 2013 -0700
+
+ Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
+
+ b43: stop format string leaking into error msgs
+
+ The module parameter "fwpostfix" is userspace controllable, unfiltered,
+ and is used to define the firmware filename. b43_do_request_fw() populates
+ ctx->errors[] on error, containing the firmware filename. b43err()
+ parses its arguments as a format string. For systems with b43 hardware,
+ this could lead to a uid-0 to ring-0 escalation.
+
+ CVE-2013-2852
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/b43/main.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit dfb67a67049ace7b94ad7e2febfac69816d50d85
+Author: Mark A. Greer <mgreer@animalcreek.com>
+Date: Wed May 29 12:25:34 2013 -0700
+
+ Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
+
+ mwifiex: debugfs: Fix out of bounds array access
+
+ When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
+ the following panic occurs:
+
+ $ cat /sys/kernel/debug/mwifiex/p2p0/info
+ Unable to handle kernel paging request at virtual address 74706164
+ pgd = de530000
+ [74706164] *pgd=00000000
+ Internal error: Oops: 5 [#1] SMP ARM
+ Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
+ CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
+ task: de16b6c0 ti: de048000 task.ti: de048000
+ PC is at strnlen+0xc/0x4c
+ LR is at string+0x3c/0xf8
+ pc : [<c02c123c>] lr : [<c02c2d1c>] psr: a0000013
+ sp : de049e10 ip : c06efba0 fp : de6d2092
+ r10: bf01a260 r9 : ffffffff r8 : 74706164
+ r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000
+ r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164
+ Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+ Control: 10c5387d Table: 9e530019 DAC: 00000015
+ Process cat (pid: 1635, stack limit = 0xde048240)
+ Stack: (0xde049e10 to 0xde04a000)
+ 9e00: de6d2092 00000002 bf01a25e de6d209c
+ 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
+ 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
+ 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
+ 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
+ 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
+ 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
+ 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
+ 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
+ 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
+ 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
+ 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
+ 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
+ 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
+ [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
+ [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
+ [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
+ [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
+ [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
+ [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
+ [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
+ Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
+ ---[ end trace ca98273dc605a04f ]---
+
+ The panic is caused by the mwifiex_info_read() routine assuming that
+ there can only be four modes (0-3) which is an invalid assumption.
+ For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
+ code accesses data beyond the bounds of the bss_modes[] array which
+ causes the panic. Fix this by updating bss_modes[] to support the
+ current list of modes and adding a check to prevent the out-of-bounds
+ access from occuring in the future when more modes are added.
+
+ Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
+ Acked-by: Bing Zhao <bzhao@marvell.com>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++-----
+ 1 files changed, 17 insertions(+), 5 deletions(-)
+
+commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
+Author: Johan Hedberg <johan.hedberg@intel.com>
+Date: Tue May 28 13:46:30 2013 +0300
+
+ Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
+
+ Bluetooth: Fix missing length checks for L2CAP signalling PDUs
+
+ There has been code in place to check that the L2CAP length header
+ matches the amount of data received, but many PDU handlers have not been
+ checking that the data received actually matches that expected by the
+ specific PDU. This patch adds passing the length header to the specific
+ handler functions and ensures that those functions fail cleanly in the
+ case of an incorrect amount of data.
+
+ Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++-----------
+ 1 files changed, 52 insertions(+), 18 deletions(-)
+
+commit 628be2427afb241b5a1aa24bc5907d05287e1f25
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon Jun 3 12:00:49 2013 +0300
+
+ Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
+
+ ipvs: info leak in __ip_vs_get_dest_entries()
+
+ The entry struct has a 2 byte hole after ->port and another 4 byte
+ hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your
+ namespace to hit this information leak.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Simon Horman <horms@verge.net.au>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/ipvs/ip_vs_ctl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 066d9226bc6c569d5f420c978b758e0bddd23444
+Author: Robin Holt <holt@sgi.com>
+Date: Wed Jun 12 14:04:37 2013 -0700
+
+ Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
+
+ reboot: rigrate shutdown/reboot to boot cpu
+
+ We recently noticed that reboot of a 1024 cpu machine takes approx 16
+ minutes of just stopping the cpus. The slowdown was tracked to commit
+ f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
+ kernel_restart()").
+
+ The current implementation does all the work of hot removing the cpus
+ before halting the system. We are switching to just migrating to the
+ boot cpu and then continuing with shutdown/reboot.
+
+ This also has the effect of not breaking x86's command line parameter
+ for specifying the reboot cpu. Note, this code was shamelessly copied
+ from arch/x86/kernel/reboot.c with bits removed pertaining to the
+ reboot_cpu command line parameter.
+
+ Signed-off-by: Robin Holt <holt@sgi.com>
+ Tested-by: Shawn Guo <shawn.guo@linaro.org>
+ Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
+ Cc: H. Peter Anvin <hpa@zytor.com>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Ingo Molnar <mingo@elte.hu>
+ Cc: Russ Anderson <rja@sgi.com>
+ Cc: Robin Holt <holt@sgi.com>
+ Cc: Russell King <linux@arm.linux.org.uk>
+ Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sys.c | 29 ++++++++++++++++++++++++++---
+ 1 files changed, 26 insertions(+), 3 deletions(-)
+
+commit 94e2a91600b07d39825e7059195f35eb611a39a2
+Merge: 20cc761 e6e3059
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 13 16:23:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
+Merge: c6aadb1 4b73feb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 13 16:23:39 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 20cc7613e38cde07adc73179a91d6c15292e8d43
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Thu Jun 6 15:53:47 2013 +0200
+
+ Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
+
+ net: sctp: fix NULL pointer dereference in socket destruction
+
+ While stress testing sctp sockets, I hit the following panic:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+ IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ PGD 7cead067 PUD 7ce76067 PMD 0
+ Oops: 0000 [#1] SMP
+ Modules linked in: sctp(F) libcrc32c(F) [...]
+ CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
+ Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
+ task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
+ RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
+ RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
+ RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
+ RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
+ FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Stack:
+ ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
+ ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
+ 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
+ Call Trace:
+ [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
+ [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
+ [<ffffffff814df36e>] inet_create+0x2ae/0x350
+ [<ffffffff81455a6f>] __sock_create+0x11f/0x240
+ [<ffffffff81455bf0>] sock_create+0x30/0x40
+ [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
+ [<ffffffff815403be>] ? do_page_fault+0xe/0x10
+ [<ffffffff8153cb32>] ? page_fault+0x22/0x30
+ [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
+ Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
+ 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
+ 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
+ RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ RSP <ffff88007b569e08>
+ CR2: 0000000000000020
+ ---[ end trace e0d71ec1108c1dd9 ]---
+
+ I did not hit this with the lksctp-tools functional tests, but with a
+ small, multi-threaded test program, that heavily allocates, binds,
+ listens and waits in accept on sctp sockets, and then randomly kills
+ some of them (no need for an actual client in this case to hit this).
+ Then, again, allocating, binding, etc, and then killing child processes.
+
+ This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
+ is set. The cause for that is actually very simple: in sctp_endpoint_init()
+ we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
+ our crypto transforms through crypto_alloc_hash(). In our scenario,
+ it then can happen that crypto_alloc_hash() fails with -EINTR from
+ crypto_larval_wait(), thus we bail out and release the socket via
+ sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
+ dereference as soon as we try to access members in the endpoint during
+ sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
+ if we have that case, we do not need to do any cleanup work and just
+ leave the destruction handler.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 386ba837978cc8a1111440bdcd8600f2df4634a4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 12 20:37:48 2013 -0400
+
+ fix deadlock when booting i386 kernel without NX
+
+ mm/mmap.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 22:18:07 2013 -0400
+
+ fix elif / elif defined() typo in recent change
+
+ kernel/events/core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit bc43377e1e757cd37a06be0187884a42af718aab
+Merge: 3cdea63 c6aadb1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 18:50:39 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 18:49:36 2013 -0400
+
+ Update to pax-linux-3.9.4-test9.patch:
+ - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
+ - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort
+
+ arch/x86/kernel/setup.c | 2 +-
+ mm/mlock.c | 1 -
+ 2 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 3cdea63e90607d8d55820b101854091623feedb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:21:44 2013 -0400
+
+ Fix fanotify infoleak reported by Dan Carpenter at:
+ https://lkml.org/lkml/2013/6/3/128
+
+ Requires CAP_SYS_ADMIN, so this is about as low priority as it gets
+
+ fs/notify/fanotify/fanotify_user.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 373a2b5df78f82b9d3db72bd6577e29a71591323
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:16:46 2013 -0400
+
+ Backport infoleak fix by Dan Carpenter in cpqarray:
+ https://lkml.org/lkml/2013/6/3/131
+
+ drivers/block/cpqarray.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 251e84b9b05e063981b20be154c9389862f94759
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:04:17 2013 -0400
+
+ Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2
+
+ drivers/cdrom/cdrom.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 18:34:32 2013 -0400
+
+ change const to __read_only
+
+ kernel/sysctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 17:34:13 2013 -0400
+
+ compile fix, make const values const
+
+ kernel/sysctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 17:37:13 2013 -0400
+
+ Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a
+
+ drivers/char/mwave/tp3780i.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 1c590aa70c95ebd76ba9672aa23d800b81780615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 19:50:35 2013 -0400
+
+ allow -1 perf_event_paranoid
+
+ kernel/sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
+Merge: 4e85539 117c3fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 17:30:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 117c3fa8d26c3806103123560f807d99071b60b6
+Merge: ed9b427 5dd2e98
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 17:30:00 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon May 13 21:25:52 2013 +0000
+
+ Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
+
+ tcp: fix tcp_md5_hash_skb_data()
+
+ TCP md5 communications fail [1] for some devices, because sg/crypto code
+ assume page offsets are below PAGE_SIZE.
+
+ This was discovered using mlx4 driver [2], but I suspect loopback
+ might trigger the same bug now we use order-3 pages in tcp_sendmsg()
+
+ [1] Failure is giving following messages.
+
+ huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
+ exited with 00000101?
+
+ [2] mlx4 driver uses order-2 pages to allocate RX frags
+
+ Reported-by: Matt Schnall <mischnal@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Bernhard Beck <bbeck@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
+Author: Eric Dumazet <edumazet@google.com>
+Date: Fri May 17 04:53:13 2013 +0000
+
+ Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
+
+ ipv6: fix possible crashes in ip6_cork_release()
+
+ commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
+ added some code duplication and bad error recovery, leading to potential
+ crash in ip6_cork_release() as kfree() could be called with garbage.
+
+ use kzalloc() to make sure this wont happen.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+ Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+ Cc: Neal Cardwell <ncardwell@google.com>
+
+ net/ipv6/ip6_output.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Thu May 16 23:13:04 2013 +0000
+
+ Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
+
+ net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
+
+ 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
+ strncpy() will always left the last byte of 'discovery->data.info'
+ uninitialized.
+
+ When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
+ the last byte of 'discovery->data.info' uninitialized, the next
+ strlen() will cause issue.
+
+ Also 'discovery->data' is 'struct irda_device_info' which defined in
+ "include/uapi/...", it may copy to user mode, so need whole initialized.
+
+ All together, need use kzalloc() instead of kmalloc() to initialize all
+ members firstly.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/irda/irlap_frame.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c01c9af268cb066f240aec53454b8b74d8d01688
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun May 19 08:36:36 2013 +0000
+
+ Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
+
+ isdn/kcapi: fix a small underflow
+
+ In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
+ from skb->data. The current code can underflow to one space before the
+ start of the array.
+
+ The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
+ it to match the others.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/capi/kcapi.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
+Author: Timo Teräs <timo.teras@iki.fi>
+Date: Wed May 22 01:40:47 2013 +0000
+
+ Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
+
+ xfrm: properly handle invalid states as an error
+
+ The error exit path needs err explicitly set. Otherwise it
+ returns success and the only caller, xfrm_output_resume(),
+ would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
+ NULL.
+
+ Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
+ check and add a statistic).
+
+ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+ Cc: Li RongQing <roy.qing.li@gmail.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/xfrm/xfrm_output.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
+Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
+Date: Fri May 31 15:07:52 2013 -0400
+
+ Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
+
+ reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
+
+ After sleeping for filldir(), we check to see if the file system has
+ changed and research. The next_pos pointer is updated but its value
+ isn't pushed into the key used for the search itself. As a result,
+ the search returns the same item that the last cycle of the loop did
+ and filldir() is called multiple times with the same data.
+
+ The end result is that the buffer can contain the same name multiple
+ times. This can be returned to userspace or used internally in the
+ xattr code where it can manifest with the following warning:
+
+ jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
+
+ reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
+ the xattr names and ends up trying to unlink the same name twice. The
+ second attempt fails with -ENOENT and the error is returned. At some
+ point I'll need to add support into reiserfsck to remove the orphaned
+ directories left behind when this occurs.
+
+ The fix is to push the value into the key before researching.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/dir.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
+Author: Jeff Mahoney <jeffm@suse.com>
+Date: Fri May 31 15:51:17 2013 -0400
+
+ Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
+
+ reiserfs: fix deadlock with nfs racing on create/lookup
+
+ Reiserfs is currently able to be deadlocked by having two NFS clients
+ where one has removed and recreated a file and another is accessing the
+ file with an open file handle.
+
+ If one client deletes and recreates a file with timing such that the
+ recreated file obtains the same [dirid, objectid] pair as the original
+ file while another client accesses the file via file handle, the create
+ and lookup can race and deadlock if the lookup manages to create the
+ in-memory inode first.
+
+ The create thread, in insert_inode_locked4, will hold the write lock
+ while waiting on the other inode to be unlocked. The lookup thread,
+ anywhere in the iget path, will release and reacquire the write lock while
+ it schedules. If it needs to reacquire the lock while the create thread
+ has it, it will never be able to make forward progress because it needs
+ to reacquire the lock before ultimately unlocking the inode.
+
+ This patch drops the write lock across the insert_inode_locked4 call so
+ that the ordering of inode_wait -> write lock is retained. Since this
+ would have been the case before the BKL push-down, this is safe.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/inode.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
+Author: Jeff Mahoney <jeffm@suse.com>
+Date: Fri May 31 15:54:17 2013 -0400
+
+ Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
+
+ reiserfs: fix problems with chowning setuid file w/ xattrs
+
+ reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
+ and uses it to iterate over all the attrs associated with a file to change
+ ownership of xattrs (and transfer quota associated with the xattr files).
+
+ When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
+ are passed to all the xattrs as well. This means that the xattr directory
+ will have S_IFREG added to its mode bits.
+
+ This has been prevented in practice by a missing IS_PRIVATE check
+ in reiserfs_acl_chmod, which caused a double-lock to occur while holding
+ the write lock. Since the file system was completely locked up, the
+ writeout of the corrupted mode never happened.
+
+ This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
+ calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/xattr.c | 14 +++++++++++++-
+ fs/reiserfs/xattr_acl.c | 3 +++
+ 2 files changed, 16 insertions(+), 1 deletions(-)
+
+commit c18cef940310c06bdf86d64d8cb227e56e165300
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Mon May 27 16:38:25 2013 +1000
+
+ Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
+
+ xfs: kill suid/sgid through the truncate path.
+
+ XFS has failed to kill suid/sgid bits correctly when truncating
+ files of non-zero size since commit c4ed4243 ("xfs: split
+ xfs_setattr") introduced in the 3.1 kernel. Fix it.
+
+ Fix it.
+
+ cc: stable kernel <stable@vger.kernel.org>
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Brian Foster <bfoster@redhat.com>
+ Signed-off-by: Ben Myers <bpm@sgi.com>
+
+ (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)
+
+ fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
+ 1 files changed, 32 insertions(+), 15 deletions(-)
+
+commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed May 29 15:36:40 2013 -0400
+
+ Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
+
+ NFSv4: Fix a thinko in nfs4_try_open_cached
+
+ We need to pass the full open mode flags to nfs_may_open() when doing
+ a delegated open.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: stable@vger.kernel.org
+
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c47de62893a9f269be0a272c2840aac1e2a35c68
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Thu May 30 01:18:43 2013 +0000
+
+ Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
+
+ parisc: kernel: using strlcpy() instead of strcpy()
+
+ 'boot_args' is an input args, and 'boot_command_line' has a fix length.
+ So use strlcpy() instead of strcpy() to avoid memory overflow.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Acked-by: Kyle McMartin <kyle@mcmartin.ca>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/kernel/setup.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit ce869e6f799f95fcac340420ba3612503df80dbf
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Mon May 27 04:57:09 2013 +0000
+
+ Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
+
+ parisc: memory overflow, 'name' length is too short for using
+
+ 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
+ * "%u:" + "%u" + '\0') may be 21.
+
+ Since 'name' length is 20, it may be memory overflow.
+
+ And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
+ max length of 'name' must be less than 28.
+
+ So simplify thinking, we can use 28 instead of 20 directly, and do not
+ think of whether 'patchc.bc[i]' can '> 100'.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/kernel/drivers.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5dc65cd34d442783118a17c518e2daedb90a31d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 4 17:52:23 2013 -0400
+
+ add PERF_HARDEN recommendation
+
+ grsecurity/Kconfig | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 4 17:22:44 2013 -0400
+
+ Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN
+
+ grsecurity/Kconfig | 19 +++++++++++++++++++
+ include/linux/perf_event.h | 5 +++++
+ kernel/events/core.c | 10 +++++++++-
+ kernel/sysctl.c | 9 ++++++++-
+ 4 files changed, 41 insertions(+), 2 deletions(-)
+
+commit 84619a3501fd38285a72d9e963f58d1827beedd6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 14:23:31 2013 -0400
+
+ remove user-triggerable BUG_ON in do_munlockall()
+
+ mm/mlock.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 13:44:05 2013 -0400
+
+ Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
+
+ From: Kees Cook <keescook@chromium.org>
+ Date: Thu, 23 May 2013 17:32:17 +0000
+ Subject: iscsi-target: fix heap buffer overflow on error
+
+ If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+ error response packet, generated by iscsi_add_notunderstood_response(),
+ would still attempt to copy the entire key into the packet, overflowing
+ the structure on the heap.
+
+ Remote preauthentication kernel memory corruption was possible if a
+ target was configured and listening on the network.
+
+ CVE-2013-2850
+
+ Embargo-screwup-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 13:43:26 2013 -0400
+
+ Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
+ Applying upstream fix instead
+
+ This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun May 19 21:52:20 2013 +0300
+
+ Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
+
+ USB: cxacru: potential underflow in cxacru_cm_get_array()
+
+ commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
+
+ The value of "offd" comes off the instance->rcv_buf[] and we used it as
+ the offset into an array. The problem is that we check the upper bound
+ but not for negative values.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+
+ drivers/usb/atm/cxacru.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 11:30:17 2013 -0400
+
+ Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit 8578566969d91678a3d7d5251b4eafc6d7775314
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 30 17:44:15 2013 -0400
+
+ Apply compatibility fix to previous RLIMIT_NPROC change
+ don't enforce the rlimit check at exec time if the user is root
+ Prevents problems with sudo if root is listed as part of a group
+ in limits.conf with process limits enforced
+
+ kernel/sys.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
+Merge: 643b294 ed9b427
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 19:19:28 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ed9b4276488528d0c3803df1dc0df804238241e0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 19:18:45 2013 -0400
+
+ Updated to pax-linux-3.9.4-test8.patch:
+ - fixed some fallout detected by the checker plugin
+
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ drivers/base/devtmpfs.c | 6 +++---
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/mem.c | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++--
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++--------
+ fs/9p/vfs_addr.c | 2 +-
+ fs/binfmt_elf.c | 4 ++--
+ fs/compat_ioctl.c | 4 ++--
+ fs/exec.c | 2 +-
+ fs/namespace.c | 8 ++++----
+ fs/proc/vmcore.c | 12 ++++++++----
+ fs/read_write.c | 2 +-
+ include/linux/syscalls.h | 8 ++++----
+ init/do_mounts_initrd.c | 8 ++++----
+ init/main.c | 4 ++--
+ kernel/events/core.c | 2 +-
+ kernel/events/internal.h | 10 +++++-----
+ mm/page_io.c | 2 +-
+ security/keys/internal.h | 2 +-
+ tools/gcc/checker_plugin.c | 1 +
+ 24 files changed, 63 insertions(+), 54 deletions(-)
+
+commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 18:51:31 2013 -0400
+
+ eliminate gcc warning
+
+ fs/exec.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 18:30:20 2013 -0400
+
+ use BUILD_BUG() instead of BUILD_BUG_ON(1)
+
+ arch/x86/net/bpf_jit_comp.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 5343410354267368e5809f3ad8d9a264f141be18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 17:57:41 2013 -0400
+
+ defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
+ for unknown opcodes
+
+ arch/x86/net/bpf_jit_comp.c | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
+Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+Date: Fri May 24 15:55:11 2013 -0700
+
+ Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
+
+ mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
+
+ Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
+ multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
+ fix freed page still mapped in secondary MMU").
+
+ Since hlist_for_each_entry_rcu() is changed now, we can not revert that
+ patch directly, so this patch reverts the commit and simply fix the bug
+ spotted by that patch
+
+ This bug spotted by commit 751efd8610d3 is:
+
+ There is a race condition between mmu_notifier_unregister() and
+ __mmu_notifier_release().
+
+ Assume two tasks, one calling mmu_notifier_unregister() as a result
+ of a filp_close() ->flush() callout (task A), and the other calling
+ mmu_notifier_release() from an mmput() (task B).
+
+ A B
+ t1 srcu_read_lock()
+ t2 if (!hlist_unhashed())
+ t3 srcu_read_unlock()
+ t4 srcu_read_lock()
+ t5 hlist_del_init_rcu()
+ t6 synchronize_srcu()
+ t7 srcu_read_unlock()
+ t8 hlist_del_rcu() <--- NULL pointer deref.
+
+ This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
+
+ The another issue spotted in the commit is "multiple ->release()
+ callouts", we needn't care it too much because it is really rare (e.g,
+ can not happen on kvm since mmu-notify is unregistered after
+ exit_mmap()) and the later call of multiple ->release should be fast
+ since all the pages have already been released by the first call.
+ Anyway, this issue should be fixed in a separate patch.
+
+ -stable suggestions: Any version that has commit 751efd8610d3 need to be
+ backported. I find the oldest version has this commit is 3.0-stable.
+
+ [akpm@linux-foundation.org: tweak comments]
+ Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+ Tested-by: Robin Holt <holt@sgi.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++---------------------------
+ 1 files changed, 39 insertions(+), 40 deletions(-)
+
+commit 163a5539b36247865d39b2bcfa8efc03a62124a6
+Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Date: Fri May 24 15:55:21 2013 -0700
+
+ Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
+
+ mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
+
+ We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
+ set_pmd_at is used to set pmd with huge pte entries and architectures
+ like ppc64, clear few flags from the pte when saving a new entry.
+ Without this change we observe bad pte errors like below on ppc64 with
+ THP enabled.
+
+ BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
+
+ Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/huge_memory.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
+Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Fri May 24 15:55:08 2013 -0700
+
+ Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
+
+ fat: fix possible overflow for fat_clusters
+
+ Intermediate value of fat_clusters can be overflowed on 32bits arch.
+
+ Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
+ Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/fat/inode.c | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
+Author: Jarod Wilson <jarod@redhat.com>
+Date: Fri May 24 15:55:31 2013 -0700
+
+ Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
+
+ drivers/char/random.c: fix priming of last_data
+
+ Commit ec8f02da9ea5 ("random: prime last_data value per fips
+ requirements") added priming of last_data per fips requirements.
+
+ Unfortuantely, it did so in a way that can lead to multiple threads all
+ incrementing nbytes, but only one actually doing anything with the extra
+ data, which leads to some fun random corruption and panics.
+
+ The fix is to simply do everything needed to prime last_data in a single
+ shot, so there's no window for multiple cpus to increment nbytes -- in
+ fact, we won't even increment or decrement nbytes anymore, we'll just
+ extract the needed EXTRACT_SIZE one time per pool and then carry on with
+ the normal routine.
+
+ All these changes have been tested across multiple hosts and
+ architectures where panics were previously encoutered. The code changes
+ are are strictly limited to areas only touched when when booted in fips
+ mode.
+
+ This change should also go into 3.8-stable, to make the myriads of fips
+ users on 3.8.x happy.
+
+ Signed-off-by: Jarod Wilson <jarod@redhat.com>
+ Tested-by: Jan Stancek <jstancek@redhat.com>
+ Tested-by: Jan Stodola <jstodola@redhat.com>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Cc: Matt Mackall <mpm@selenic.com>
+ Cc: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/char/random.c | 30 +++++++++++++++---------------
+ 1 files changed, 15 insertions(+), 15 deletions(-)
+
+commit 2d74639040ba6ce47f57ec010714ec06529c4b42
+Author: Jiri Kosina <jkosina@suse.cz>
+Date: Fri May 24 15:55:33 2013 -0700
+
+ Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
+
+ random: fix accounting race condition with lockless irq entropy_count update
+
+ Commit 902c098a3663 ("random: use lockless techniques in the interrupt
+ path") turned IRQ path from being spinlock protected into lockless
+ cmpxchg-retry update.
+
+ That commit removed r->lock serialization between crediting entropy bits
+ from IRQ context and accounting when extracting entropy on userspace
+ read path, but didn't turn the r->entropy_count reads/updates in
+ account() to use cmpxchg as well.
+
+ It has been observed, that under certain circumstances this leads to
+ read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
+ corrupted and becomes negative, which in turn results in propagating 0
+ all the way from account() to the actual read() call.
+
+ Convert the accounting code to be the proper lockless counterpart of
+ what has been partially done by 902c098a3663.
+
+ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+ Cc: Theodore Ts'o <tytso@mit.edu>
+ Cc: Greg KH <greg@kroah.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/char/random.c | 26 +++++++++++++++++---------
+ 1 files changed, 17 insertions(+), 9 deletions(-)
+
+commit 65d05c7ea468c23c175105526dd4f163302a92cf
+Merge: 1a98d0a 6ce3a135
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 25 07:48:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/vm86_32.c
+
+commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
+Merge: 79bdd65 0bfd8ff
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 25 07:46:55 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 18:42:23 2013 -0400
+
+ use existing local variable
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b2b80ef8586061e32e986b31608717c25d1e7c54
+Merge: cb45fbd 79bdd65
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 17:58:53 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 79bdd65dac68267bc1b201c6b4a99966a373c305
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 17:57:46 2013 -0400
+
+ Update to pax-linux-3.9.3-test7.patch:
+ - fixed some size overflow related warnings (hash table, attributes)
+ - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html
+
+ arch/x86/include/asm/page_64.h | 2 +-
+ arch/x86/kernel/head64.c | 2 +-
+ tools/gcc/constify_plugin.c | 48 ++-
+ tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
+ 4 files changed, 651 insertions(+), 592 deletions(-)
+
+commit cb45fbda4967b1b544a754fbdc92d73283379522
+Merge: 62588fa 57c11b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 20 17:32:17 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 57c11b85acd841a088aa4df8e60be337880df8cd
+Merge: 0598b37 4bb0869
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 20 17:32:08 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
+Merge: e261c7b 0598b37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 17 22:57:36 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 17 22:57:07 2013 -0400
+
+ Update to pax-linux-3.9.2-test6.patch:
+ - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
+ - fixed pfn extraction from pud/pgd entries, reported by ousado
+
+ arch/x86/include/asm/pgtable.h | 9 +++++++--
+ tools/gcc/structleak_plugin.c | 3 ++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 22:54:12 2013 -0400
+
+ add offset to topdown check, fixes compilation
+
+ arch/x86/kernel/sys_x86_64.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:57:41 2013 -0400
+
+ CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
+ reported by lulzh3ad on irc
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0d4593e84707cdf6deb6b925c18c676a476b1613
+Merge: 43cd0c0 39a877f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:39:11 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:37:35 2013 -0400
+
+ Update to pax-linux-3.9.2-test105.patch:
+ - fixed !EFI boot problem, reported by spender
+ - fixed a few compile warnings
+ - fixed some more compile errors due to constification
+ - fixed some arm fallout, reported by Michael Tremer
+
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/x86/kernel/sys_x86_64.c | 3 +--
+ arch/x86/realmode/init.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +++++-----
+ drivers/irqchip/irq-gic.c | 2 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++---
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ fs/jfs/super.c | 4 ++--
+ include/linux/irqchip/arm-gic.h | 2 ++
+ include/sound/compress_driver.h | 2 +-
+ net/mac80211/cfg.c | 4 ++--
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ 14 files changed, 31 insertions(+), 22 deletions(-)
+
+commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:35:22 2013 -0400
+
+ Fix usercopy false positive under gcc 4.1
+
+ arch/x86/kernel/signal.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 56a166129d817f6634c8c230e6ec497669bdfaca
+Author: Amerigo Wang <amwang@redhat.com>
+Date: Thu May 9 21:56:37 2013 +0000
+
+ Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
+
+ ipv6,gre: do not leak info to user-space
+
+ There is a hole in struct ip6_tnl_parm2, so we have to
+ zero the struct on stack before copying it to user-space.
+
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_gre.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit d6f50dae2653ad912952da40417a8ccbd59c7699
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 14 16:52:35 2013 -0400
+
+ disable unprivileged kernel profiling under HIDESYM, rename
+ the variable to something more appropriate
+
+ include/linux/perf_event.h | 8 ++++----
+ kernel/events/core.c | 6 +++++-
+ kernel/sysctl.c | 4 ++--
+ 3 files changed, 11 insertions(+), 7 deletions(-)
+
+commit 01322c6951bed4eedefbd2178dbd99292b365d99
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 17:19:57 2013 -0400
+
+ mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
+ existing stack-heap gap code for the new unified vm_unmapped_area
+
+ grsecurity/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 15:40:32 2013 -0400
+
+ fix NX fault on early boot
+
+ arch/x86/realmode/init.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:48:13 2013 -0400
+
+ compile fix, we weren't using %pa anyway and it's now being used
+ by upstream for physical address printing
+
+ lib/vsprintf.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:39:52 2013 -0400
+
+ compile fix
+
+ grsecurity/grsec_chroot.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:35:36 2013 -0400
+
+ compile fixes
+
+ grsecurity/grsec_chroot.c | 2 +-
+ include/linux/grinternal.h | 8 ++++----
+ include/linux/grsecurity.h | 4 ++--
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:27:18 2013 -0400
+
+ compile fix
+
+ fs/exec.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:23:17 2013 -0400
+
+ Initial port of grsecurity for 3.9.2
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/thread_info.h | 8 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/powerpc/mm/slice.c | 8 +-
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 8 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/Kconfig.debug | 2 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 14 +-
+ arch/x86/kernel/sys_x86_64.c | 6 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 126 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/usb/storage/realtek_cr.c | 2 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 10 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 181 +-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 241 ++-
+ fs/namespace.c | 24 +
+ fs/open.c | 38 +
+ fs/pipe.c | 2 +-
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 +-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 17 +
+ fs/proc/internal.h | 3 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ grsecurity/Kconfig | 1031 +++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 +++
+ grsecurity/gracl_ip.c | 387 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 ++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 ++
+ grsecurity/grsec_disabled.c | 434 +++
+ grsecurity/grsec_exec.c | 187 +
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 ++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 ++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 222 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 +++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/gracl.h | 319 ++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 +
+ include/linux/grinternal.h | 215 +
+ include/linux/grmsg.h | 111 +
+ include/linux/grsecurity.h | 242 ++
+ include/linux/grsock.h | 19 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/printk.h | 3 +-
+ include/linux/proc_fs.h | 12 +
+ include/linux/sched.h | 68 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/net/secure_seq.h | 1 +
+ include/trace/events/fs.h | 53 +
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 71 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 4 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 8 +
+ kernel/printk.c | 13 +-
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 39 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 3 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ lib/vsprintf.c | 35 +-
+ localversion-grsec | 1 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 64 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/shmem.c | 2 +-
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/8021q/vlan.c | 7 +
+ net/core/dev_ioctl.c | 4 +
+ net/core/net-procfs.c | 5 +
+ net/core/secure_seq.c | 4 +-
+ net/core/sock_diag.c | 7 +
+ net/ipv4/af_inet.c | 5 +-
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 7 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netfilter/xt_gradm.c | 51 +
+ net/netrom/af_netrom.c | 2 +-
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/probe.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/tipc/link.c | 11 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 342 ++-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 291 files changed, 15221 insertions(+), 2052 deletions(-)
+
+commit 88854c350c899bceca4a94598c42bed44d0dc91b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 07:37:47 2013 -0400
+
+ Initial import of pax-linux-3.9.2-test2.patch
+
+ Documentation/dontdiff | 45 +-
+ Documentation/kernel-parameters.txt | 12 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 421 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 6 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 15 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 15 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-ux500/include/mach/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 91 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 36 +-
+ arch/arm/mm/mmu.c | 187 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 23 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/kernel/us3_cpufreq.c | 69 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 ++
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 6 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 21 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 6 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 ++-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 67 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page_64.h | 2 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 113 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 63 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 ++-
+ arch/x86/kernel/entry_64.S | 530 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 1 -
+ arch/x86/kernel/head_32.S | 237 +-
+ arch/x86/kernel/head_64.S | 120 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 57 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 4 +-
+ arch/x86/kernel/setup.c | 19 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 248 +
+ arch/x86/kernel/sys_x86_64.c | 19 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 57 +-
+ arch/x86/kvm/x86.c | 10 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 70 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 376 +-
+ arch/x86/lib/usercopy_64.c | 25 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 556 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 90 +-
+ arch/x86/mm/init_32.c | 119 +-
+ arch/x86/mm/init_64.c | 44 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 19 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 4 +-
+ arch/x86/realmode/init.c | 8 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/relocs.c | 95 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 2 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 9 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 41 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clocksource/arm_arch_timer.c | 2 +-
+ drivers/clocksource/metag_generic.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 4 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-cdev.c | 3 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efivars.c | 4 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 37 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 10 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/devices/doc2000.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/iio/iio_hwmon.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 11 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 605 +++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 8 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/ecryptfs/read_write.c | 2 +-
+ fs/exec.c | 362 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/super.c | 2 +-
+ fs/fhandle.c | 3 +-
+ fs/fifo.c | 22 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 2 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 6 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 2 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 8 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 33 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 36 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/compat.h | 6 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/ftrace_event.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 2 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 6 +-
+ include/linux/mm.h | 110 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 12 +-
+ include/linux/pipe_fs_i.h | 6 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/proc_fs.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 67 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 36 +-
+ include/linux/slab_def.h | 33 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 10 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 2 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-ioctl.h | 1 -
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 12 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 22 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 40 +-
+ init/main.c | 77 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 40 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 28 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 7 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 20 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 68 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 51 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 18 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 6 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 20 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 8 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ lib/Kconfig.debug | 6 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 16 +-
+ mm/mmap.c | 576 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 4 +-
+ mm/page_alloc.c | 41 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 105 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 11 +-
+ mm/slob.c | 201 +-
+ mm/slub.c | 99 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 82 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/devinet.c | 14 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 18 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 6 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 8 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 14 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 2 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 29 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.pl | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 675 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 171 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 518 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 ++
+ tools/gcc/latent_entropy_plugin.c | 327 ++
+ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2114 ++++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/gcc/structleak_plugin.c | 276 +
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1555 files changed, 30474 insertions(+), 7126 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
+Merge: 814820a 3a59a59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:51:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:50:07 2013 -0400
+
+ Update to pax-linux-3.8.13-test24.patch:
+ - fixed sparc/constification compile error, reported by blake
+ - UDEREF/amd64 should be a bit more efficient when disabled at boot time
+ - fixed some unnecessary integer truncations that could trip up the size overflow plugin
+
+ arch/arm/kernel/vmlinux.lds.S | 4 ++--
+ arch/sparc/kernel/us3_cpufreq.c | 4 ++--
+ arch/x86/ia32/ia32entry.S | 4 ++--
+ arch/x86/include/asm/pgtable.h | 6 ++++--
+ arch/x86/include/asm/uaccess.h | 6 +++---
+ arch/x86/kernel/kprobes-opt.c | 4 ++++
+ arch/x86/lib/copy_user_nocache_64.S | 2 +-
+ arch/x86/lib/getuser.S | 8 ++++----
+ arch/x86/lib/putuser.S | 8 ++++----
+ arch/x86/mm/fault.c | 6 +++---
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/staging/iio/ring_sw.c | 2 +-
+ fs/binfmt_elf.c | 6 +++---
+ fs/nfsd/nfscache.c | 2 +-
+ fs/xattr.c | 21 +++++++++++++++++++++
+ include/linux/syscalls.h | 2 +-
+ include/linux/xattr.h | 3 +++
+ init/main.c | 3 +++
+ kernel/futex_compat.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ net/socket.c | 2 +-
+ security/Kconfig | 2 +-
+ 22 files changed, 67 insertions(+), 34 deletions(-)
+
+commit 814820abfe5b9a34401d838b2510431a4cd92be9
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon May 6 09:31:17 2013 +0000
+
+ Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
+
+ tipc: potential divide by zero in tipc_link_recv_fragment()
+
+ The worry here is that fragm_sz could be zero since it comes from
+ skb->data.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/tipc/link.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon May 6 08:28:41 2013 +0000
+
+ Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
+
+ tipc: add a bounds check in link_recv_changeover_msg()
+
+ The bearer_id here comes from skb->data and it can be a number from 0 to
+ 7. The problem is that the ->links[] array has only 2 elements so I
+ have added a range check.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/tipc/link.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit ed0428c4ef6c5498870772f212ac651216eb8d0c
+Merge: 2452d8d dbf932a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:18:25 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c
+ arch/x86/mm/init.c
+
+commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 20:24:01 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl.c | 1 +
+ grsecurity/gracl_segv.c | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 18:25:26 2013 -0400
+
+ fix btrfs support here as well
+
+ grsecurity/gracl_segv.c | 17 +++++++++--------
+ 1 files changed, 9 insertions(+), 8 deletions(-)
+
+commit c75e4664fe4d20da1639f70d9def097c4f20856b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 18:12:57 2013 -0400
+
+ Fix RBAC compatibility with btrfs compiled as a module, as
+ reported on the forums by YuHg at:
+ http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952
+
+ fs/btrfs/inode.c | 11 +----------
+ grsecurity/gracl.c | 19 ++++++++++---------
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_disabled.c | 2 +-
+ 4 files changed, 13 insertions(+), 21 deletions(-)
+
+commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 11 12:12:00 2013 -0400
+
+ allow copies just up to the start of kernel code
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 04638852588cf243f865f5a73aa9dab94fab53b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 10 16:53:07 2013 -0400
+
+ MODULES_EXEC_VADDR is a virtual address
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 10 16:51:03 2013 -0400
+
+ exempt module rx areas from usercopy protection under i386 kernexec
+ their .rodata will be placed between stext/etext causing copies of
+ constant strings to trigger usercopy reports/terminations
+
+ fs/exec.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 20:25:52 2013 -0400
+
+ User jorgus on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
+ discovered that the upstreamed version of enforcing RLIMIT_NPROC
+ at setuid/exec time missed an important corner case:
+ If RLIMIT_NPROC is set after a setuid occurs and the user's process
+ limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
+ happen at exec time for the task with a modified RLIMIT_NPROC.
+
+ This patch fixes that.
+
+ kernel/sys.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
+Merge: 539fff0 2452d8d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 18:13:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
+Merge: 6c850d8 9c9ab76
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 18:13:31 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/irq.c
+ kernel/trace/trace_stack.c
+
+commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 7 21:43:00 2013 -0400
+
+ turn counter into a flag
+
+ grsecurity/Kconfig | 2 +-
+ grsecurity/grsec_chroot.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 7 21:02:39 2013 -0400
+
+ add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
+ useful for Fedora/RHEL users
+
+ grsecurity/Kconfig | 10 ++++++++++
+ grsecurity/grsec_chroot.c | 17 +++++++++++++++--
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+commit 418102925c0cfb0de51b0a021abaa575e28fafa6
+Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri May 3 14:11:25 2013 +0200
+
+ Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
+
+ perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
+
+ We should always have proper privileges when requesting kernel
+ data.
+
+ Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Cc: <stable@kernel.org>
+ Cc: Andi Kleen <ak@linux.intel.com>
+ Cc: eranian@google.com
+ Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
+ [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+ Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
+
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
+ 1 files changed, 10 insertions(+), 3 deletions(-)
+
+commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon Apr 29 05:58:52 2013 +0000
+
+ Upstream commit: aebda156a570782a86fc4426842152237a19427d
+
+ net: defer net_secret[] initialization
+
+ Instead of feeding net_secret[] at boot time, defer the init
+ at the point first socket is created.
+
+ This permits some platforms to use better entropy sources than
+ the ones available at boot time.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/secure_seq.h | 1 +
+ net/core/secure_seq.c | 4 +---
+ net/ipv4/af_inet.c | 5 ++++-
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed May 1 02:59:23 2013 +0000
+
+ Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
+
+ net: sctp: attribute printl with __printf for gcc fmt checks
+
+ Let GCC check for format string errors in sctp's probe printl
+ function. This patch fixes the warning when compiled with W=1:
+
+ net/sctp/probe.c:73:2: warning: function might be possible candidate
+ for 'gnu_printf' format attribute [-Wmissing-format-attribute]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/probe.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 2 19:58:54 2013 -0400
+
+ remove no-longer-needed vmware 8 compat fix
+
+ mm/page_alloc.c | 6 ------
+ 1 files changed, 0 insertions(+), 6 deletions(-)
+
+commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 2 19:55:23 2013 -0400
+
+ remove unnecessary < 0 check
+
+ net/phonet/af_phonet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:30:48 2013 -0400
+
+ remove references to CONFIG_X86_WP_WORKS_OK
+
+ arch/um/defconfig | 1 -
+ security/Kconfig | 2 +-
+ 2 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
+Merge: a8dbe8e 6c850d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:28:44 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/mm/ultra.S
+ drivers/tty/tty_io.c
+
+commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
+Merge: cdbcbef 9fa1d01
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:25:18 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:44:23 2013 -0400
+
+ add module.h to silence compiler warning, thanks to
+ Sergei Trofimovich
+
+ fs/btrfs/inode.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 55eba82aca97aa56378e000840c48965557721e8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:43:03 2013 -0400
+
+ compilation fix
+
+ kernel/trace/trace.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e3bf912b54af6df7fbebc68b5999554562056c5c
+Merge: 5b72e37 cdbcbef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:34:42 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit cdbcbef45c4f003cbee11e10668a35d424c17c60
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:33:35 2013 -0400
+
+ Update to pax-linux-3.8.10-test21.patch:
+ - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
+ - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
+ note that the false positive is not fixed yet
+ - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
+ - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
+ - reverted the nested NMI fix in search for a real one
+ - simplified the arm_delay_ops constification
+
+ arch/arm/include/asm/delay.h | 8 ++++----
+ arch/arm/lib/delay.c | 17 +++++------------
+ arch/x86/kernel/entry_64.S | 11 ++++++++++-
+ arch/x86/kernel/i8259.c | 2 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kvm/vmx.c | 4 ++--
+ drivers/block/pktcdvd.c | 2 +-
+ fs/btrfs/extent-tree.c | 2 +-
+ fs/nfsd/nfscache.c | 6 ++++--
+ kernel/trace/trace.c | 2 +-
+ tools/gcc/structleak_plugin.c | 4 ++++
+ 11 files changed, 34 insertions(+), 26 deletions(-)
+
+commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 20:53:06 2013 -0400
+
+ don't use file_inode()
+
+ drivers/tty/tty_io.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
+Author: Jiri Slaby <jslaby@suse.cz>
+Date: Fri Apr 26 13:48:53 2013 +0200
+
+ Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
+
+ TTY: fix atime/mtime regression
+
+ In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
+ we removed timestamps from tty inodes to fix a security issue and waited
+ if something breaks. Well, 'w', the utility to find out logged users
+ and their inactivity time broke. It shows that users are inactive since
+ the time they logged in.
+
+ To revert to the old behaviour while still preventing attackers to
+ guess the password length, we update the timestamps in one-minute
+ intervals by this patch.
+
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ drivers/tty/tty_io.c
+
+ drivers/tty/tty_io.c | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
+Author: Jiri Slaby <jslaby@suse.cz>
+Date: Fri Feb 15 15:25:05 2013 +0100
+
+ Upstream commit: b0de59b5733d
+
+ TTY: do not update atime/mtime on read/write
+
+ On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
+ out length of a password using timestamps of /dev/ptmx. It is
+ documented in "Timing Analysis of Keystrokes and Timing Attacks on
+ SSH". To avoid that problem, do not update time when reading
+ from/writing to a TTY.
+
+ I am afraid of regressions as this is a behavior we have since 0.97
+ and apps may expect the time to be current, e.g. for monitoring
+ whether there was a change on the TTY. Now, there is no change. So
+ this would better have a lot of testing before it goes upstream.
+
+ References: CVE-2013-0160
+
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+ Cc: stable <stable@vger.kernel.org> # after 3.9 is out
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/tty_io.c | 8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
+
+commit 5344a24e2320d61dbdb88aae04922f0799deefd0
+Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
+Date: Fri Apr 26 11:03:53 2013 +0800
+
+ Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
+
+ aio: fix possible invalid memory access when DEBUG is enabled
+
+ dprintk() shouldn't access @ring after it's unmapped.
+
+ Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/aio.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
+Author: John David Anglin <dave.anglin@bell.net>
+Date: Tue Apr 23 22:42:07 2013 +0200
+
+ Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
+
+ parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
+
+ User applications running on SMP kernels have long suffered from instability
+ and random segmentation faults. This patch improves the situation although
+ there is more work to be done.
+
+ One of the problems is the various routines in pgtable.h that update page table
+ entries use different locking mechanisms, or no lock at all (set_pte_at). This
+ change modifies the routines to all use the same lock pa_dbit_lock. This lock
+ is used for dirty bit updates in the interruption code. The patch also purges
+ the TLB entries associated with the PTE to ensure that inconsistent values are
+ not used after the page table entry is updated. The UP and SMP code are now
+ identical.
+
+ The change also includes a minor update to the purge_tlb_entries function in
+ cache.c to improve its efficiency.
+
+ Signed-off-by: John David Anglin <dave.anglin@bell.net>
+ Cc: Helge Deller <deller@gmx.de>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
+ arch/parisc/kernel/cache.c | 5 +---
+ 2 files changed, 26 insertions(+), 26 deletions(-)
+
+commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
+Merge: ba54c97 4d05084
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 18:17:20 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kvm/x86.c
+ include/linux/capability.h
+
+commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
+Merge: c664779 bb8dd67
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 18:15:45 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
+Author: David S. Miller <davem@davemloft.net>
+Date: Wed Apr 24 16:52:18 2013 -0700
+
+ Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
+
+ sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
+
+ Reported-by: Meelis Roos <mroos@linux.ee>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/mm/tlb.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
+Author: David S. Miller <davem@davemloft.net>
+Date: Fri Apr 19 17:26:26 2013 -0400
+
+ Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
+
+ sparc64: Fix race in TLB batch processing.
+
+ As reported by Dave Kleikamp, when we emit cross calls to do batched
+ TLB flush processing we have a race because we do not synchronize on
+ the sibling cpus completing the cross call.
+
+ So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
+ and either flushes are missed or flushes will flush the wrong
+ addresses.
+
+ Fix this by using generic infrastructure to synchonize on the
+ completion of the cross call.
+
+ This first required getting the flush_tlb_pending() call out from
+ switch_to() which operates with locks held and interrupts disabled.
+ The problem is that smp_call_function_many() cannot be invoked with
+ IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
+
+ We get the batch processing outside of locked IRQ disabled sections by
+ using some ideas from the powerpc port. Namely, we only batch inside
+ of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a
+ region, we flush TLBs synchronously.
+
+ 1) Get rid of xcall_flush_tlb_pending and per-cpu type
+ implementations.
+
+ 2) Do TLB batch cross calls instead via:
+
+ smp_call_function_many()
+ tlb_pending_func()
+ __flush_tlb_pending()
+
+ 3) Batch only in lazy mmu sequences:
+
+ a) Add 'active' member to struct tlb_batch
+ b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
+ c) Set 'active' in arch_enter_lazy_mmu_mode()
+ d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
+ e) Check 'active' in tlb_batch_add_one() and do a synchronous
+ flush if it's clear.
+
+ 4) Add infrastructure for synchronous TLB page flushes.
+
+ a) Implement __flush_tlb_page and per-cpu variants, patch
+ as needed.
+ b) Likewise for xcall_flush_tlb_page.
+ c) Implement smp_flush_tlb_page() to invoke the cross-call.
+ d) Wire up global_flush_tlb_page() to the right routine based
+ upon CONFIG_SMP
+
+ 5) It turns out that singleton batches are very common, 2 out of every
+ 3 batch flushes have only a single entry in them.
+
+ The batch flush waiting is very expensive, both because of the poll
+ on sibling cpu completeion, as well as because passing the tlb batch
+ pointer to the sibling cpus invokes a shared memory dereference.
+
+ Therefore, in flush_tlb_pending(), if there is only one entry in
+ the batch perform a completely asynchronous global_flush_tlb_page()
+ instead.
+
+ Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+ arch/sparc/include/asm/pgtable_64.h | 1 +
+ arch/sparc/include/asm/switch_to_64.h | 3 +-
+ arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++--
+ arch/sparc/kernel/smp_64.c | 41 ++++++++++-
+ arch/sparc/mm/tlb.c | 38 +++++++++-
+ arch/sparc/mm/tsb.c | 57 ++++++++++++----
+ arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++-------
+ 7 files changed, 241 insertions(+), 55 deletions(-)
+
+commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri Apr 19 15:32:32 2013 +0000
+
+ Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
+
+ net: fix incorrect credentials passing
+
+ Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+ sender") changed the credentials passing code to pass in the effective
+ uid/gid instead of the real uid/gid.
+
+ Obviously this doesn't matter most of the time (since normally they are
+ the same), but it results in differences for suid binaries when the wrong
+ uid/gid ends up being used.
+
+ This just undoes that (presumably unintentional) part of the commit.
+
+ Reported-by: Andy Lutomirski <luto@amacapital.net>
+ Cc: Eric W. Biederman <ebiederm@xmission.com>
+ Cc: Serge E. Hallyn <serge@hallyn.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/scm.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 18 19:22:40 2013 -0400
+
+ move _etext to only cover kernel code, not read-only data, as reported by Gu1
+
+ arch/arm/kernel/vmlinux.lds.S | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 98ad6adbc48759e4f9eae435d3e51ba487155685
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 18 19:17:24 2013 -0400
+
+ add asm/sections.h for USERCOPY change
+
+ fs/exec.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
+Author: Dmitry Popov <dp@highloadlab.com>
+Date: Thu Apr 11 08:55:07 2013 +0000
+
+ Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
+
+ tcp: incoming connections might use wrong route under synflood
+
+ There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
+ flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+ RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+ inet_sk_flowi_flags(sk),
+ (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+ ireq->loc_addr, th->source, th->dest);
+
+ Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
+ taken. This dst_entry is used by new socket (get_cookie_sock ->
+ tcp_v4_syn_recv_sock), so its packets may take the wrong path.
+
+ Signed-off-by: Dmitry Popov <dp@highloadlab.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/syncookies.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 3600395e8fef3ae712e72f9b68c3609639616df8
+Author: Thomas Graf <tgraf@suug.ch>
+Date: Thu Apr 11 10:57:18 2013 +0000
+
+ Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
+
+ tcp: Reallocate headroom if it would overflow csum_start
+
+ If a TCP retransmission gets partially ACKed and collapsed multiple
+ times it is possible for the headroom to grow beyond 64K which will
+ overflow the 16bit skb->csum_start which is based on the start of
+ the headroom. It has been observed rarely in the wild with IPoIB due
+ to the 64K MTU.
+
+ Verify if the acking and collapsing resulted in a headroom exceeding
+ what csum_start can cover and reallocate the headroom if so.
+
+ A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
+ LLNL for helping out with the investigation and testing.
+
+ Reported-by: Jim Foraker <foraker1@llnl.gov>
+ Signed-off-by: Thomas Graf <tgraf@suug.ch>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp_output.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
+Author: Ivan Vecera <ivecera@redhat.com>
+Date: Fri Apr 12 16:49:24 2013 +0200
+
+ Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
+
+ be2net: take care of __vlan_put_tag return value
+
+ The driver should use return value of __vlan_put_tag with appropriate
+ NULL-check instead of old skb pointer.
+
+ Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/emulex/benet/be_main.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri Apr 12 03:17:12 2013 +0000
+
+ Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
+
+ tuntap: fix error return code in tun_set_iff()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ [ Bug added in linux-3.8 , commit 4008e97f866db665
+ ("tuntap: fix ambigious multiqueue API") ]
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Sat Apr 13 15:49:03 2013 +0000
+
+ Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
+
+ esp4: fix error return code in esp_output()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/esp4.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 2b45b5f52c2a8930f80c62de392a62516c83e225
+Author: Bjørn Mork <bjorn@mork.no>
+Date: Tue Apr 16 00:17:07 2013 +0000
+
+ Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
+
+ net: cdc_mbim: remove bogus sizeof()
+
+ The intention was to test against the constant, not the size of
+ the constant.
+
+ Signed-off-by: Bjørn Mork <bjorn@mork.no>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/usb/cdc_mbim.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 17d7408795519037a5a1272c7888238e20830bfe
+Author: Vyacheslav Dubeyko <slava@dubeyko.com>
+Date: Wed Apr 17 15:58:33 2013 -0700
+
+ Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
+
+ hfsplus: fix potential overflow in hfsplus_file_truncate()
+
+ Change a u32 to loff_t hfsplus_file_truncate().
+
+ Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/hfsplus/extents.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
+Author: Emese Revfy <re.emese@gmail.com>
+Date: Wed Apr 17 15:58:36 2013 -0700
+
+ Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
+
+ kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
+
+ This fixes a kernel memory contents leak via the tkill and tgkill syscalls
+ for compat processes.
+
+ This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
+ when handling signals delivered from tkill.
+
+ The place of the infoleak:
+
+ int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
+ {
+ ...
+ put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
+ ...
+ }
+
+ Signed-off-by: Emese Revfy <re.emese@gmail.com>
+ Reviewed-by: PaX Team <pageexec@freemail.hu>
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Oleg Nesterov <oleg@redhat.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: Serge Hallyn <serge.hallyn@canonical.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/signal.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 20:17:00 2013 -0400
+
+ Improve PAX_USERCOPY to reject direct copies to/from main kernel text
+
+ fs/exec.c | 29 +++++++++++++++++++++++++++--
+ 1 files changed, 27 insertions(+), 2 deletions(-)
+
+commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
+Merge: e87c19f c664779
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 20:06:08 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c664779987cb0c27a242029f0e0db812e3236203
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 19:54:09 2013 -0400
+
+ add intentional_overflow marking for resource_size() as reasoned by:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
+
+ include/linux/ioport.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e87c19f8312355b8658e5138c16bfa6043a379c8
+Merge: 802d119 d0c636c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 16:57:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
+Merge: bc88628 2396403
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 16:57:01 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/paravirt.c
+
+commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:39:51 2013 -0400
+
+ move location of RBAC user check on setfsuid until after capability checks
+ for consistency with other checks
+
+ kernel/sys.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 1a860d7d67051559ab2e6d10f9888649c92904e6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:34:46 2013 -0400
+
+ A denied setfsuid by the RBAC system would result in an abort_creds() being called
+ with an uninitalized pointer, introduced by a bad forward-port
+
+ kernel/sys.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
+Merge: c38d142 bc88628
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:28:33 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit bc88628a6a8fcccaabb90908640809b0540df225
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:26:41 2013 -0400
+
+ Update to pax-linux-3.8.7-test20.patch:
+ - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
+ - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
+ - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
+ - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)
+
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/x86/Kconfig | 4 ++--
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ security/Kconfig | 2 +-
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+commit c38d142744489fc4d9be80188b6435a278438fd9
+Author: Suleiman Souhlal <suleiman@google.com>
+Date: Sat Apr 13 16:03:06 2013 -0700
+
+ Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
+
+ vfs: Revert spurious fix to spinning prevention in prune_icache_sb
+
+ Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
+
+ This commit doesn't look right: since we are looking at the tail of the
+ list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
+ it back at the head of the list instead of the tail, otherwise we will
+ keep spinning on it.
+
+ Discovered when investigating why prune_icache_sb came top in perf
+ reports of a swapping load.
+
+ Signed-off-by: Suleiman Souhlal <suleiman@google.com>
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: stable@vger.kernel.org # v3.2+
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/inode.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 93019624b80ba59798393942798d7f6ed0c1dbc6
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat Apr 13 15:15:30 2013 -0700
+
+ Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
+
+ kobject: fix kset_find_obj() race with concurrent last kobject_put()
+
+ Anatol Pomozov identified a race condition that hits module unloading
+ and re-loading. To quote Anatol:
+
+ "This is a race codition that exists between kset_find_obj() and
+ kobject_put(). kset_find_obj() might return kobject that has refcount
+ equal to 0 if this kobject is freeing by kobject_put() in other
+ thread.
+
+ Here is timeline for the crash in case if kset_find_obj() searches for
+ an object tht nobody holds and other thread is doing kobject_put() on
+ the same kobject:
+
+ THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put())
+ splin_lock()
+ atomic_dec_return(kobj->kref), counter gets zero here
+ ... starts kobject cleanup ....
+ spin_lock() // WAIT thread A in kobj_kset_leave()
+ iterate over kset->list
+ atomic_inc(kobj->kref) (counter becomes 1)
+ spin_unlock()
+ spin_lock() // taken
+ // it does not know that thread A increased counter so it
+ remove obj from list
+ spin_unlock()
+ vfree(module) // frees module object with containing kobj
+
+ // kobj points to freed memory area!!
+ kobject_put(kobj) // OOPS!!!!
+
+ The race above happens because module.c tries to use kset_find_obj()
+ when somebody unloads module. The module.c code was introduced in
+ commit 6494a93d55fa"
+
+ Anatol supplied a patch specific for module.c that worked around the
+ problem by simply not using kset_find_obj() at all, but rather than make
+ a local band-aid, this just fixes kset_find_obj() to be thread-safe
+ using the proper model of refusing the get a new reference if the
+ refcount has already dropped to zero.
+
+ See examples of this proper refcount handling not only in the kref
+ documentation, but in various other equivalent uses of this pattern by
+ grepping for atomic_inc_not_zero().
+
+ [ Side note: the module race does indicate that module loading and
+ unloading is not properly serialized wrt sysfs information using the
+ module mutex. That may require further thought, but this is the
+ correct fix at the kobject layer regardless. ]
+
+ Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/kobject.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+commit 5277b052b5fab36729e1255fb3b12f47a4b12867
+Author: Dave Hansen <dave@sr71.net>
+Date: Fri Apr 12 16:23:54 2013 -0700
+
+ Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
+
+ x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
+
+ This patch attempts to fix:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=56461
+
+ The symptom is a crash and messages like this:
+
+ chrome: Corrupted page table at address 34a03000
+ *pdpt = 0000000000000000 *pde = 0000000000000000
+ Bad pagetable: 000f [#1] PREEMPT SMP
+
+ Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
+ enable tlb flush range support for x86") since that code started to free
+ unused pagetables.
+
+ On x86-32 PAE kernels, that new code has the potential to free an entire
+ PMD page and will clear one of the four page-directory-pointer-table
+ (aka pgd_t entries).
+
+ The hardware aggressively "caches" these top-level entries and invlpg
+ does not actually affect the CPU's copy. If we clear one we *HAVE* to
+ do a full TLB flush, otherwise we might continue using a freed pmd page.
+ (note, we do this properly on the population side in pud_populate()).
+
+ This patch tracks whenever we clear one of these entries in the 'struct
+ mmu_gather', and ensures that we follow up with a full tlb flush.
+
+ BTW, I disassembled and checked that:
+
+ if (tlb->fullmm == 0)
+ and
+ if (!tlb->fullmm && !tlb->need_flush_all)
+
+ generate essentially the same code, so there should be zero impact there
+ to the !PAE case.
+
+ Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: Peter Anvin <hpa@zytor.com>
+ Cc: Ingo Molnar <mingo@kernel.org>
+ Cc: Artem S Tashkinov <t.artem@mailcity.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/x86/include/asm/tlb.h | 2 +-
+ arch/x86/mm/pgtable.c | 7 +++++++
+ include/asm-generic/tlb.h | 7 ++++++-
+ mm/memory.c | 1 +
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+commit 521e573fc77d1783c1d4636dfbb4617a922f043d
+Merge: 032f626 f807619
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 19:29:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f80761993b85df96fc142dfc3a317cadc0f8eae5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 19:28:21 2013 -0400
+
+ Update to pax-linux-3.8.7-test19.patch:
+ - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
+ - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
+ - fixed the structleak plugin to compile for gcc 4.5-4.6 as well
+
+ Makefile | 2 +-
+ arch/x86/xen/enlighten.c | 6 +++---
+ tools/gcc/structleak_plugin.c | 5 +++--
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
+Merge: a3a770e 89886f5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 18:38:40 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89886f561cc0d1c42a99624ec8c3704711088155
+Merge: 9123489 531ec28
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 18:38:30 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit a3a770e18578841e4fbe2aa0831a22811b4812cf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 11 20:46:20 2013 -0400
+
+ Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
+ Will be fixed with the next PaX patch
+
+ This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
+Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Fri Mar 29 10:20:56 2013 -0400
+
+ Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
+
+ xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
+
+ Occassionaly on a DL380 G4 the guest would crash quite early with this:
+
+ (XEN) d244:v0: unhandled page fault (ec=0003)
+ (XEN) Pagetable walk from ffffffff84dc7000:
+ (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789
+ (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d
+ (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def
+ (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7
+ (XEN) domain_crash_sync called from entry.S
+ (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
+ (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]----
+ (XEN) CPU: 3
+ (XEN) RIP: e033:[<ffffffff81263f22>]
+ (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest
+ (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f
+ (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000
+
+ The offending code shows it to be a loop writting the value zero
+ (%rax) in the %rdi (the L4 provided by Xen) register:
+
+ 0: 44 00 00 add %r8b,(%rax)
+ 3: 31 c0 xor %eax,%eax
+ 5: b9 40 00 00 00 mov $0x40,%ecx
+ a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
+ 11: 00 00
+ 13: ff c9 dec %ecx
+ 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction
+ 18: 48 89 47 08 mov %rax,0x8(%rdi)
+ 1c: 48 89 47 10 mov %rax,0x10(%rdi)
+
+ which fails. xen_setup_kernel_pagetable recycles some of the Xen's
+ page-table entries when it has switched over to its Linux page-tables.
+
+ Right before try to clear the page, we make a hypercall to change
+ it from _RO to _RW and that works (otherwise we would hit an BUG()).
+ And the _RW flag is set for that page:
+ (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7
+
+ The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
+ present (correct), and we tried to write to the page, but a violation
+ occurred. The one theory is that the the page entries in hardware
+ (which are cached) are not up to date with what we just set. Especially
+ as we have just done an CR3 write and flushed the multicalls.
+
+ This patch does solve the problem by flusing out the TLB page
+ entry after changing it from _RO to _RW and we don't hit this
+ issue anymore.
+
+ Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
+ 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
+ Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
+ Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+ arch/x86/xen/mmu.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
+Author: Namhyung Kim <namhyung.kim@lge.com>
+Date: Mon Apr 1 21:46:23 2013 +0900
+
+ Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
+
+ tracing: Fix double free when function profile init failed
+
+ On the failure path, stat->start and stat->pages will refer same page.
+ So it'll attempt to free the same page again and get kernel panic.
+
+ Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
+
+ Cc: Frederic Weisbecker <fweisbec@gmail.com>
+ Cc: Namhyung Kim <namhyung.kim@lge.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ kernel/trace/ftrace.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
+Author: Neil Horman <nhorman@tuxdriver.com>
+Date: Tue Apr 9 23:19:00 2013 +0000
+
+ Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
+
+ e100: Add dma mapping error check
+
+ e100 uses pci_map_single, but fails to check for a dma mapping error after its
+ use, resulting in a stack trace:
+
+ [ 46.656594] ------------[ cut here ]------------
+ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
+ [ 46.657004] Hardware name: To Be Filled By O.E.M.
+ [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
+ error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
+ [ 46.657004] Modules linked in:
+ [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
+ snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
+ e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
+ k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
+ sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
+ drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
+ sata_promise crc_itu_t
+ [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
+ [ 46.657004] Call Trace:
+ [ 46.657004] <IRQ> [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
+ [ 46.657004] [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
+ [ 46.657004] [<ffffffff81364cfb>] check_unmap+0x47b/0x950
+ [ 46.657004] [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
+ [ 46.657004] [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
+ [ 46.657004] [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
+ [ 46.657004] [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
+ [ 46.657004] [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
+ [ 46.657004] [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
+ [ 46.657004] [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
+ [ 46.657004] [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
+ [ 46.657004] [<ffffffff8101c485>] do_softirq+0x85/0xc0
+ [ 46.657004] [<ffffffff81070885>] irq_exit+0xd5/0xe0
+ [ 46.657004] [<ffffffff816e5756>] do_IRQ+0x56/0xc0
+ [ 46.657004] [<ffffffff816dacb2>] common_interrupt+0x72/0x72
+ [ 46.657004] <EOI> [<ffffffff816da1eb>] ?
+ _raw_spin_unlock_irqrestore+0x3b/0x70
+ [ 46.657004] [<ffffffff816d124d>] __slab_free+0x58/0x38b
+ [ 46.657004] [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
+ [ 46.657004] [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
+ [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
+ [ 46.657004] [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff811e8c28>] destroy_inode+0x38/0x60
+ [ 46.657004] [<ffffffff811e8d5e>] evict+0x10e/0x1a0
+ [ 46.657004] [<ffffffff811e9605>] iput+0xf5/0x180
+ [ 46.657004] [<ffffffff811e4338>] dput+0x248/0x310
+ [ 46.657004] [<ffffffff811ce0e1>] __fput+0x171/0x240
+ [ 46.657004] [<ffffffff811ce26e>] ____fput+0xe/0x10
+ [ 46.657004] [<ffffffff8108d54c>] task_work_run+0xac/0xe0
+ [ 46.657004] [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
+ [ 46.657004] [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
+ [ 46.657004] [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
+ [ 46.657004] [<ffffffff8106d139>] do_group_exit+0x49/0xc0
+ [ 46.657004] [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
+ [ 46.657004] [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
+ [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]---
+ [ 46.657004] Mapped at:
+ [ 46.657004] [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
+ [ 46.657004] [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
+ [ 46.657004] [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
+ [ 46.657004] [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
+ [ 46.657004] [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
+
+ Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
+ dma_mapping_error check in the obvious place
+
+ This was reported previously here:
+ http://article.gmane.org/gmane.linux.network/257893
+
+ But nobody stepped up and fixed it.
+
+ CC: Josh Boyer <jwboyer@redhat.com>
+ CC: e1000-devel@lists.sourceforge.net
+ Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+ Reported-by: Michal Jaegermann <michal@harddata.com>
+ Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+ Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++-----------
+ 1 files changed, 25 insertions(+), 11 deletions(-)
+
+commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed Apr 10 12:44:18 2013 -0400
+
+ Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
+
+ NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
+
+ Make sure that we set the status to 0 on success. Missed in testing
+ because it never appears when doing multiple mounts to _different_
+ servers.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
+
+ fs/nfs/nfs4client.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
+Author: Yuval Mintz <yuvalmin@broadcom.com>
+Date: Wed Apr 10 13:34:39 2013 +0300
+
+ Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
+
+ bnx2x: Prevent null pointer dereference in AFEX mode
+
+ The cnic module is responsible for initializing various bnx2x structs
+ via callbacks provided by the bnx2x module.
+ One such struct is the queue object for the FCoE queue.
+
+ If a device is working in AFEX mode and its configuration allows FCoE yet
+ the cnic module is not loaded, it's very likely a null pointer dereference
+ will occur, as the bnx2x will erroneously access the FCoE's queue object.
+
+ Prevent said access until cnic properly registers itself.
+
+ Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
+ Signed-off-by: Ariel Elior <ariele@broadcom.com>
+ Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 2908830232725db624aaa052f7ad38d1f98bf541
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Apr 9 14:16:04 2013 +0800
+
+ Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
+
+ can: gw: use kmem_cache_free() instead of kfree()
+
+ Memory allocated by kmem_cache_alloc() should be freed using
+ kmem_cache_free(), not kfree().
+
+ Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+
+ net/can/gw.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
+Author: Christoph Paasch <christoph.paasch@uclouvain.be>
+Date: Sun Apr 7 04:53:15 2013 +0000
+
+ Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
+
+ ipv6/tcp: Stop processing ICMPv6 redirect messages
+
+ Tetja Rediske found that if the host receives an ICMPv6 redirect message
+ after sending a SYN+ACK, the connection will be reset.
+
+ He bisected it down to 093d04d (ipv6: Change skb->data before using
+ icmpv6_notify() to propagate redirect), but the origin of the bug comes
+ from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
+ handlers.). The bug simply did not trigger prior to 093d04d, because
+ skb->data did not point to the inner IP header and thus icmpv6_notify
+ did not call the correct err_handler.
+
+ This patch adds the missing "goto out;" in tcp_v6_err. After receiving
+ an ICMPv6 Redirect, we should not continue processing the ICMP in
+ tcp_v6_err, as this may trigger the removal of request-socks or setting
+ sk_err(_soft).
+
+ Reported-by: Tetja Rediske <tetja@tetja.de>
+ Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/tcp_ipv6.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c7d5c2524456ef3ea9194840e7a9a75069a46824
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 20:32:54 2013 -0400
+
+ - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit acac2380fd97acee4367d2aa24c74322dcf1d22b
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Apr 5 16:11:11 2013 -0400
+
+ Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
+
+ NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
+
+ It is unsafe to use list_for_each_entry_safe() here, because
+ when we drop the nn->nfs_client_lock, we pin the _current_ list
+ entry and ensure that it stays in the list, but we don't do the
+ same for the _next_ list entry. Use of list_for_each_entry() is
+ therefore the correct thing to do.
+
+ Also fix the refcounting in nfs41_walk_client_list().
+
+ Finally, ensure that the nfs_client has finished being initialised
+ and, in the case of NFSv4.1, that the session is set up.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: Chuck Lever <chuck.lever@oracle.com>
+ Cc: Bryan Schumaker <bjschuma@netapp.com>
+ Cc: stable@vger.kernel.org [>= 3.7]
+
+ fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++----------------
+ 1 files changed, 28 insertions(+), 16 deletions(-)
+
+commit a6cf5f387b882ac0ce655b75f623f86c075517be
+Author: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri Mar 22 12:52:59 2013 -0400
+
+ Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
+
+ SUNRPC: Remove extra xprt_put()
+
+ While testing error cases where rpc_new_client() fails, I saw
+ some oopses.
+
+ If rpc_new_client() fails, it already invokes xprt_put(). Thus
+ __rpc_clone_client() does not need to invoke it again.
+
+ Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
+ Fri Sep 14, 2012.
+
+ Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+ Cc: stable@vger.kernel.org [>=3.7]
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Apr 5 14:13:21 2013 -0400
+
+ Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
+
+ SUNRPC: Fix a potential memory leak in rpc_new_client
+
+ If the call to rpciod_up() fails, we currently leak a reference to the
+ struct rpc_xprt.
+ As part of the fix, we also remove the redundant check for xprt!=NULL.
+ This is already taken care of by the callers.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 7 ++-----
+ 1 files changed, 2 insertions(+), 5 deletions(-)
+
+commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 19:16:05 2013 -0400
+
+ From https://lkml.org/lkml/2013/4/8/469:
+ [PATCH] rtnetlink: call nlmsg_parse() with correct header length
+
+ net/core/rtnetlink.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 9529169b8c405874fd543b785f53c74fa0501c2a
+Author: Christopher Harvey <charvey@matrox.com>
+Date: Fri Apr 5 10:51:15 2013 -0400
+
+ Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
+
+ drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
+
+ This change properly enables the "requester" in G200ER cards that is
+ responsible for getting pixels out of memory and clocking them out to
+ the screen.
+
+ Signed-off-by: Christopher Harvey <charvey@matrox.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++----------
+ 1 files changed, 3 insertions(+), 10 deletions(-)
+
+commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu Mar 28 13:30:23 2013 -0400
+
+ Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
+
+ ecryptfs: close rmmod race
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ecryptfs/miscdev.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 19:03:45 2013 -0400
+
+ Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1
+
+ arch/ia64/kernel/palinfo.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 83280e384ae3ceadad30369ced111dc7d4b46085
+Author: Andrey Vagin <avagin@openvz.org>
+Date: Tue Apr 9 17:33:29 2013 +0400
+
+ Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
+
+ mnt: release locks on error path in do_loopback
+
+ do_loopback calls lock_mount(path) and forget to unlock_mount
+ if clone_mnt or copy_mnt fails.
+
+ [ 77.661566] ================================================
+ [ 77.662939] [ BUG: lock held when returning to user space! ]
+ [ 77.664104] 3.9.0-rc5+ #17 Not tainted
+ [ 77.664982] ------------------------------------------------
+ [ 77.666488] mount/514 is leaving the kernel with locks still held!
+ [ 77.668027] 2 locks held by mount/514:
+ [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
+ [ 77.671755] #1: (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
+
+ Signed-off-by: Andrey Vagin <avagin@openvz.org>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/namespace.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 679e536b9d9536d804f049fe942367a596253e6d
+Author: Alex Williamson <alex.williamson@redhat.com>
+Date: Tue Mar 26 11:33:16 2013 -0600
+
+ Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
+
+ vfio-pci: Fix possible integer overflow
+
+ The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
+ of which are unsigned. We attempt to bounds check these, but fail to
+ account for the case where start is a very large number, allowing
+ start + count to wrap back into the valid range. Bounds check both
+ start and start + count.
+
+ Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+ drivers/vfio/pci/vfio_pci.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 18:48:45 2013 -0400
+
+ Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b5261a6384ee42499b29495aaae40b271e77d394
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:30:45 2013 -0400
+
+ some undefined behavior fixups
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_ip.c | 10 +++++-----
+ grsecurity/gracl_segv.c | 4 ++--
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:28:54 2013 -0400
+
+ don't whine about denied ipv6 when it's not enabled
+
+ grsecurity/gracl_ip.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
+Merge: 97bca88 9123489
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:18:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9123489428c58668a89f316db6619739cbdd2c2a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:17:46 2013 -0400
+
+ Update to pax-linux-3.8.6-test18.patch:
+ - new size overflow plugin from Emese to work around a gcc optimization
+ resulting in an intentional overflow, reported by Carlos Carvalho
+ (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
+
+ tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 66 insertions(+), 2 deletions(-)
+
+commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
+Merge: 675a41e e9d6073
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 8 21:32:59 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/kernel/us3_cpufreq.c
+
+commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 8 21:19:03 2013 -0400
+
+ Update to pax-linux-3.8.6-test17.patch:
+ - fixed ia64/ppc/sparc compilation by spender
+ - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)
+
+ arch/ia64/include/asm/uaccess.h | 2 -
+ arch/powerpc/include/asm/uaccess.h | 2 -
+ arch/sparc/include/asm/uaccess.h | 7 ----
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++--------------------------
+ tools/gcc/structleak_plugin.c | 15 ++++----
+ 6 files changed, 28 insertions(+), 69 deletions(-)
+
+commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 7 12:00:50 2013 -0400
+
+ fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin
+
+ net/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5a216624a06429488f24ce47db093da042f90e48
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 13:22:24 2013 -0400
+
+ fix typo
+
+ arch/sparc/kernel/us3_cpufreq.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit e476ca18d21788898cd3acd1b57049971a2fb70f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 13:16:13 2013 -0400
+
+ properly fix cpufreq_driver for ultrasparc III with constification
+
+ arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
+ 1 files changed, 17 insertions(+), 18 deletions(-)
+
+commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 12:58:48 2013 -0400
+
+ mark prom_sparc_ops __initconst
+
+ arch/sparc/kernel/prom_common.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 12:53:16 2013 -0400
+
+ fix ia64/powerpc/sparc compilation
+
+ arch/ia64/include/asm/uaccess.h | 2 --
+ arch/powerpc/include/asm/uaccess.h | 2 --
+ arch/sparc/include/asm/uaccess.h | 7 -------
+ 3 files changed, 0 insertions(+), 11 deletions(-)
+
+commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Mar 19 20:26:57 2013 +0100
+
+ Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
+
+ cfg80211: fix wdev tracing crash
+
+ Arend reported a crash in tracing if the driver returns an
+ ERR_PTR() value from the add_virtual_intf() callback. This
+ is due to the tracing then still attempting to dereference
+ the "pointer", fix this by using IS_ERR_OR_NULL().
+
+ Reported-by: Arend van Spriel <arend@broadcom.com>
+ Tested-by: Arend van Spriel <arend@broadcom.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+ net/wireless/trace.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Mon Mar 25 11:51:14 2013 +0100
+
+ Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
+
+ mac80211: fix remain-on-channel cancel crash
+
+ If a ROC item is canceled just as it expires, the work
+ struct may be scheduled while it is running (and waiting
+ for the mutex). This results in it being run after being
+ freed, which obviously crashes.
+
+ To fix this don't free it when aborting is requested but
+ instead mark it as "to be freed", which makes the work a
+ no-op and allows freeing it outside.
+
+ Cc: stable@vger.kernel.org [3.6+]
+ Reported-by: Jouni Malinen <j@w1.fi>
+ Tested-by: Jouni Malinen <j@w1.fi>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+ net/mac80211/cfg.c | 6 ++++--
+ net/mac80211/ieee80211_i.h | 3 ++-
+ net/mac80211/offchannel.c | 23 +++++++++++++++++------
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
+Author: Stone Piao <piaoyun@marvell.com>
+Date: Fri Mar 29 19:21:21 2013 -0700
+
+ Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
+
+ mwifiex: limit channel number not to overflow memory
+
+ Limit the channel number in scan request, or the driver scan
+ config structure memory will be overflowed.
+
+ Cc: <stable@vger.kernel.org> # 3.5+
+ Signed-off-by: Stone Piao <piaoyun@marvell.com>
+ Signed-off-by: Bing Zhao <bzhao@marvell.com>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/mwifiex/cfg80211.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 207c411512bdaf0e4271f93ecac6ca26588da36f
+Author: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Thu Mar 21 19:48:41 2013 +0000
+
+ Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
+
+ netfilter: reset nf_trace in nf_reset
+
+ We forgot to clear the nf_trace of sk_buff in nf_reset,
+ When we use veth device, this nf_trace information will
+ be leaked from one net namespace to another net namespace.
+
+ Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ include/linux/skbuff.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri Mar 22 01:28:18 2013 +0000
+
+ Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
+
+ netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_queue_core.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit a79feb7d3251eca577d83d7f69eee2b961ab2924
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat Mar 23 16:57:59 2013 +0100
+
+ Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
+
+ netfilter: nfnetlink_acct: return -EINVAL if object name is empty
+
+ If user-space tries to create accounting object with an empty
+ name, then return -EINVAL.
+
+ Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_acct.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
+Author: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sat Mar 30 10:23:12 2013 +0000
+
+ Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
+
+ netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
+
+ The bitmask used for the prefix mangling was being calculated
+ incorrectly, leading to the wrong part of the address being replaced
+ when the prefix length wasn't a multiple of 32.
+
+ Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/ipv6/netfilter/ip6t_NPT.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
+Author: Veaceslav Falico <vfalico@redhat.com>
+Date: Wed Apr 3 05:46:33 2013 +0000
+
+ Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
+
+ bonding: remove sysfs before removing devices
+
+ We have a race condition if we try to rmmod bonding and simultaneously add
+ a bond master through sysfs. In bonding_exit() we first remove the devices
+ (through rtnl_link_unregister() ) and only after that we remove the sysfs.
+ If we manage to add a device through sysfs after that the devices were
+ removed - we'll end up with that device/sysfs structure and with the module
+ unloaded.
+
+ Fix this by first removing the sysfs and only after that calling
+ rtnl_link_unregister().
+
+ Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d12cae44a9d12441d81c489178803237219d403d
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Wed Apr 3 16:14:47 2013 +0000
+
+ Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
+
+ af_unix: If we don't care about credentials coallesce all messages
+
+ It was reported that the following LSB test case failed
+ https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
+ were not coallescing unix stream messages when the application was
+ expecting us to.
+
+ The problem was that the first send was before the socket was accepted
+ and thus sock->sk_socket was NULL in maybe_add_creds, and the second
+ send after the socket was accepted had a non-NULL value for sk->socket
+ and thus we could tell the credentials were not needed so we did not
+ bother.
+
+ The unnecessary credentials on the first message cause
+ unix_stream_recvmsg to start verifying that all messages had the same
+ credentials before coallescing and then the coallescing failed because
+ the second message had no credentials.
+
+ Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
+ long standing pessimization which would fail to coallesce messages when
+ reading from a unix stream socket if the senders were different even if
+ we did not care about their credentials.
+
+ I have tested this and verified that the in the LSB test case mentioned
+ above that the messages do coallesce now, while the were failing to
+ coallesce without this change.
+
+ Reported-by: Karel Srot <ksrot@redhat.com>
+ Reported-by: Ding Tianhong <dingtianhong@huawei.com>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Wed Apr 3 16:13:35 2013 +0000
+
+ Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
+
+ Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
+
+ This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
+
+ The problem that the above patch was meant to address is that af_unix
+ messages are not being coallesced because we are sending unnecesarry
+ credentials. Not sending credentials in maybe_add_creds totally
+ breaks unconnected unix domain sockets that wish to send credentails
+ to other sockets.
+
+ In practice this break some versions of udev because they receive a
+ message and the sending uid is bogus so they drop the message.
+
+ Reported-by: Sven Joachim <svenjoac@gmx.de>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Wed Mar 20 21:31:42 2013 +0000
+
+ Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
+
+ lantiq_etop: use free_netdev(netdev) instead of kfree()
+
+ Freeing netdev without free_netdev() leads to net, tx leaks.
+ And it may lead to dereferencing freed pointer.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/lantiq_etop.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
+Author: Cong Wang <amwang@redhat.com>
+Date: Fri Mar 22 19:14:07 2013 +0000
+
+ Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
+
+ 8021q: fix a potential use-after-free
+
+ vlan_vid_del() could possibly free ->vlan_info after a RCU grace
+ period, however, we may still refer to the freed memory area
+ by 'grp' pointer. Found by code inspection.
+
+ This patch moves vlan_vid_del() as behind as possible.
+
+ Cc: Patrick McHardy <kaber@trash.net>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/8021q/vlan.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit fff29c277024a39845d4b535083c8dafc21b45d9
+Author: Hong zhi guo <honkiko@gmail.com>
+Date: Sat Mar 23 02:27:50 2013 +0000
+
+ Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
+
+ bridge: fix crash when set mac address of br interface
+
+ When I tried to set mac address of a bridge interface to a mac
+ address which already learned on this bridge, I got system hang.
+
+ The cause is straight forward: function br_fdb_change_mac_address
+ calls fdb_insert with NULL source nbp. Then an fdb lookup is
+ performed. If an fdb entry is found and it's local, it's OK. But
+ if it's not local, source is dereferenced for printk without NULL
+ check.
+
+ Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/bridge/br_fdb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
+Author: Kumar Amit Mehta <gmate.amit@gmail.com>
+Date: Sat Mar 23 20:10:25 2013 +0000
+
+ Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
+
+ bnx2x: fix assignment of signed expression to unsigned variable
+
+ fix for incorrect assignment of signed expression to unsigned variable.
+
+ Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
+ Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
+Author: dingtianhong <dingtianhong@huawei.com>
+Date: Mon Mar 25 17:02:04 2013 +0000
+
+ Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
+
+ af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
+
+ SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
+ socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
+ and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
+
+ Origionally-authored-by: Karel Srot <ksrot@redhat.com>
+ Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b964e1e61f0f0ccaa380be3342f956c604054bdc
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Thu Mar 21 02:30:41 2013 -0700
+
+ Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
+
+ yama: Better permission check for ptraceme
+
+ Change the permission check for yama_ptrace_ptracee to the standard
+ ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
+ in the tracees user namespace.
+
+ Reviewed-by: Kees Cook <keescook@chromium.org>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+
+ security/yama/yama_lsm.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit b94e71c7b6abe75989edff18aca2781233fa143b
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Apr 1 11:40:51 2013 +0400
+
+ Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
+
+ ipc: set msg back to -EAGAIN if copy wasn't performed
+
+ Make sure that msg pointer is set back to error value in case of
+ MSG_COPY flag is set and desired message to copy wasn't found. This
+ garantees that msg is either a error pointer or a copy address.
+
+ Otherwise the last message in queue will be freed without unlinking from
+ the queue (which leads to memory corruption) and the dummy allocated
+ copy won't be released.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msg.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
+Author: Jan Kara <jack@suse.cz>
+Date: Fri Mar 29 15:39:16 2013 +0100
+
+ Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
+
+ reiserfs: Fix warning and inode leak when deleting inode with xattrs
+
+ After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
+ started failing to delete xattrs from inode. This was due to a buggy
+ test for '.' and '..' in fill_with_dentries() which resulted in passing
+ '.' and '..' entries to lookup_one_len() in some cases. That returned
+ error and so we failed to iterate over all xattrs of and inode.
+
+ Fix the test in fill_with_dentries() along the lines of the one in
+ lookup_one_len().
+
+ Reported-by: Pawel Zawora <pzawora@gmail.com>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/xattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
+Author: Paul Bolle <pebolle@tiscali.nl>
+Date: Wed Apr 3 12:24:45 2013 +0100
+
+ Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
+
+ ARM: 7690/1: mm: fix CONFIG_LPAE typos
+
+ CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
+ up the two typos under arch/arm/.
+
+ The fix to head.S is slightly scary, but this is just for setting up
+ an early io-mapping for the serial port when running on a big-endian,
+ LPAE system. Since these systems don't exist in the wild (at least, I
+ have no access to one outside of kvmtool, which doesn't provide a serial
+ port suitable for earlyprintk), then we can revisit the code later if it
+ causes any problems.
+
+ Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
+ Signed-off-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ arch/arm/kernel/head.S | 2 +-
+ arch/arm/kernel/setup.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 984ba346b2d8f158473e9723ba145031368431ed
+Author: Catalin Marinas <catalin.marinas@arm.com>
+Date: Tue Mar 26 23:35:04 2013 +0100
+
+ Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
+
+ ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
+
+ On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
+ all use of the old entries. This patch implements the erratum workaround
+ which consists of:
+
+ 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
+ 2. Send IPI to the CPUs that are running the same mm (and ASID) as the
+ one being invalidated (or all the online CPUs for global pages).
+ 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
+ return code already).
+
+ Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ Conflicts:
+
+ arch/arm/include/asm/tlbflush.h
+ arch/arm/kernel/smp_tlb.c
+ arch/arm/mm/context.c
+
+ arch/arm/Kconfig | 10 +++++
+ arch/arm/include/asm/highmem.h | 7 ++++
+ arch/arm/include/asm/mmu_context.h | 2 +
+ arch/arm/include/asm/tlbflush.h | 15 ++++++++
+ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++
+ arch/arm/mm/context.c | 6 ++-
+ 6 files changed, 104 insertions(+), 2 deletions(-)
+
+commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
+Author: Jan Stancek <jstancek@redhat.com>
+Date: Thu Apr 4 11:35:10 2013 -0700
+
+ Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
+
+ mm: prevent mmap_cache race in find_vma()
+
+ find_vma() can be called by multiple threads with read lock
+ held on mm->mmap_sem and any of them can update mm->mmap_cache.
+ Prevent compiler from re-fetching mm->mmap_cache, because other
+ readers could update it in the meantime:
+
+ thread 1 thread 2
+ |
+ find_vma() | find_vma()
+ struct vm_area_struct *vma = NULL; |
+ vma = mm->mmap_cache; |
+ if (!(vma && vma->vm_end > addr |
+ && vma->vm_start <= addr)) { |
+ | mm->mmap_cache = vma;
+ return vma; |
+ ^^ compiler may optimize this |
+ local variable out and re-read |
+ mm->mmap_cache |
+
+ This issue can be reproduced with gcc-4.8.0-1 on s390x by running
+ mallocstress testcase from LTP, which triggers:
+
+ kernel BUG at mm/rmap.c:1088!
+ Call Trace:
+ ([<000003d100c57000>] 0x3d100c57000)
+ [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
+ [<000000000023baae>] handle_pte_fault+0x41a/0xac8
+ [<000000000023d832>] handle_mm_fault+0x17a/0x268
+ [<000000000060507a>] do_protection_exception+0x1e2/0x394
+ [<0000000000603a04>] pgm_check_handler+0x138/0x13c
+ [<000003fffcf1f07a>] 0x3fffcf1f07a
+ Last Breaking-Event-Address:
+ [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
+
+ Thanks to Jakub Jelinek for his insight on gcc and helping to
+ track this down.
+
+ Signed-off-by: Jan Stancek <jstancek@redhat.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmap.c | 2 +-
+ mm/nommu.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 53f5096daa14967938bc154e6c41f9119863fb36
+Merge: e988d7c 0a45285
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 5 17:32:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/ethernet/broadcom/tg3.c
+
+commit 0a452855444d02502df6eb21ef3083cf303f71e1
+Merge: 0277fa1 00cfbb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 5 17:31:15 2013 -0400
+
+ Update to pax-linux-3.8.6-test16.patch:
+ - fixed some attribute leakage into userland headers, patch by Mathias Krause
+ - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ drivers/gpu/drm/i915/intel_display.c
+
+commit e988d7c8d946c816a2cb97f0d38048a1584966b8
+Merge: baec40e 0277fa1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 3 22:05:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0277fa123b486cf11420967e4568d7653e225fd3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 3 22:04:48 2013 -0400
+
+ Update to pax-linux-3.8.5-test15.patch:
+ - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
+ - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
+
+ drivers/media/pci/cx88/cx88-video.c | 6 +++---
+ include/net/net_namespace.h | 4 ++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+commit baec40e6708fd5ae2000cad6c70c5980c998b91c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 19:50:32 2013 -0400
+
+ fix compilation as reported on forums for gcc versions lacking plugin
+ support
+
+ include/net/net_namespace.h | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
+Merge: 6b69c35 0db9d15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:47:27 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0db9d156826bdd50510086fde837648a3dfd370e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:46:05 2013 -0400
+
+ Update to pax-linux-3.8.5-test14.patch:
+ - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table
+
+ arch/x86/include/asm/uaccess_64.h | 6 +-
+ include/linux/moduleloader.h | 4 +-
+ tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++----------------
+ 3 files changed, 61 insertions(+), 47 deletions(-)
+
+commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:35:06 2013 -0400
+
+ remove duplicate compiler.h
+
+ include/linux/sysrq.h | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit 01e1d503fd2220adaaec0b92ea19441bdff73555
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 19:53:50 2013 -0400
+
+ fix intentional_overflow marking on sys_sendto
+
+ include/linux/syscalls.h | 2 +-
+ net/socket.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit cd5ff114d958470f471c63775278e8c05e774630
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 18:46:16 2013 -0400
+
+ fix size_overflow false positive
+
+ kernel/futex_compat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 295ba16cc53df2375261accbedd6575ea327770a
+Merge: 18340f1 278a989
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:36:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/exec.c
+ include/linux/thread_info.h
+
+commit 278a989c831d62193c7b3d119fe2302babd45d12
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:34:34 2013 -0400
+
+ Resync with pax-linux-3.8.5-test13.patch
+
+ arch/arm/include/asm/pgtable.h | 3 ++-
+ arch/arm/lib/delay.c | 1 +
+ fs/exec.c | 8 ++++----
+ include/linux/compiler.h | 1 +
+ include/linux/proc_fs.h | 2 +-
+ include/linux/thread_info.h | 6 +++---
+ include/linux/zlib.h | 3 ++-
+ init/main.c | 4 ++--
+ kernel/user_namespace.c | 2 +-
+ lib/list_debug.c | 4 ++--
+ mm/slab.c | 1 +
+ mm/slob.c | 1 +
+ mm/slub.c | 1 +
+ net/core/sysctl_net_core.c | 3 +--
+ tools/gcc/constify_plugin.c | 1 +
+ 15 files changed, 24 insertions(+), 17 deletions(-)
+
+commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
+Merge: 05f01ae e8cfeae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:30:57 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
+Merge: b461cb7 aa4cfde
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:30:44 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c
+ fs/nfsd/vfs.c
+
+commit 05f01ae4c3479541586a2387f916a6620889c479
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:05:39 2013 -0400
+
+ Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
+ takes user-provided length, copies up to that amount in a sockaddr_storage
+ struct on the stack, then takes an upper-bounded-only user-provided length
+ and copies the sockaddr_storage struct back out to userland, complete with
+ uninitialized data
+
+ net/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit eea6ade59490784e83e08ec67322288fcf14cb31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 23:07:37 2013 -0400
+
+ return a proper error, otherwise we could be accessing uninitialized data
+ (previous define was a positive value)
+
+ drivers/usb/storage/realtek_cr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
+Merge: c3dc9a6 b461cb7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:54:24 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b461cb7b1d85490430ef7896c247794af72c3749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:54:11 2013 -0400
+
+ Add structleak plugin
+
+ tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 270 insertions(+), 0 deletions(-)
+
+commit c3dc9a6ef10782894bb11fd088fd712db44d8062
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:53:22 2013 -0400
+
+ Enable structleak by default for the security auto-config
+
+ security/Kconfig | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
+Merge: d8503a3 74bec16
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:47:10 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 74bec16b657147a5575b1f14f4423a717ba317a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:46:13 2013 -0400
+
+ Update to pax-linux-3.8.4-test13.patch:
+ - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
+ - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland
+
+ Makefile | 5 +++-
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/mm/fault.c | 3 +-
+ fs/binfmt_elf.c | 2 +-
+ include/linux/compiler.h | 42 ++++++++++++++--------------------------
+ security/Kconfig | 16 +++++++++++++++
+ tools/gcc/Makefile | 2 +
+ tools/gcc/constify_plugin.c | 7 +++++-
+ 8 files changed, 47 insertions(+), 32 deletions(-)
+
+commit d8503a3a35d68b9ba1615d29335aef3f70d51465
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:02:40 2013 -0400
+
+ Fix 8-byte stack infoleak in ia32_rt_sigpending
+ User controls length, kernel only performs check on the upper bound, will
+ fill in any amount less than sizeof(sigset_t) via a copy_to_user under
+ KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
+ regardless of whether the sigset_t content copied into it has been initialized
+ or not
+
+ arch/x86/ia32/sys_ia32.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 26 21:05:05 2013 -0400
+
+ commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
+ Author: J. Bruce Fields <bfields@redhat.com>
+ Date: Tue Mar 26 14:11:13 2013 -0400
+
+ nfsd4: reject "negative" acl lengths
+
+ Since we only enforce an upper bound, not a lower bound, a "negative"
+ length can get through here.
+
+ The symptom seen was a warning when we attempt to a kmalloc with an
+ excessive size.
+
+ Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ fs/nfsd/nfs4xdr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
+Author: Jeff Layton <jlayton@redhat.com>
+Date: Mon Mar 11 09:52:19 2013 -0400
+
+ Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
+
+ cifs: ignore everything in SPNEGO blob after mechTypes
+
+ We've had several reports of people attempting to mount Windows 8 shares
+ and getting failures with a return code of -EINVAL. The default sec=
+ mode changed recently to sec=ntlmssp. With that, we expect and parse a
+ SPNEGO blob from the server in the NEGOTIATE reply.
+
+ The current decode_negTokenInit function first parses all of the
+ mechTypes and then tries to parse the rest of the negTokenInit reply.
+ The parser however currently expects a mechListMIC or nothing to follow the
+ mechTypes, but Windows 8 puts a mechToken field there instead to carry
+ some info for the new NegoEx stuff.
+
+ In practice, we don't do anything with the fields after the mechTypes
+ anyway so I don't see any real benefit in continuing to parse them.
+ This patch just has the kernel ignore the fields after the mechTypes.
+ We'll probably need to reinstate some of this if we ever want to support
+ NegoEx.
+
+ Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
+ Reported-by: Yan Li <elliot.li.tech@gmail.com>
+ Signed-off-by: Jeff Layton <jlayton@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Steve French <sfrench@us.ibm.com>
+
+ fs/cifs/asn1.c | 53 +++++------------------------------------------------
+ 1 files changed, 5 insertions(+), 48 deletions(-)
+
+commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
+Merge: 93ff726 0deb54c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:35:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:35:05 2013 -0400
+
+ fix typo
+
+ arch/x86/mm/ioremap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
+Merge: be9f8b8 f95e53a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:30:06 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f95e53abadb6e4665866e4502ff9f518514193e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:29:25 2013 -0400
+
+ Update to pax-linux-3.8.4-test12.patch:
+
+ - fixed perf compilation reported by Michael Tremer
+ - fixed USERCOPY reports triggered by SCTP, reported by mcp
+ - last fix for aslr gap accounting, promise (thanks to spender)
+
+ arch/x86/mm/ioremap.c | 3 +++
+ fs/binfmt_elf.c | 5 ++---
+ mm/mmap.c | 2 +-
+ net/sctp/socket.c | 19 +++++++++++++++----
+ tools/perf/util/include/linux/compiler.h | 8 ++++++++
+ 5 files changed, 29 insertions(+), 8 deletions(-)
+
+commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 16:48:34 2013 -0400
+
+ From: Al Viro <viro@ZenIV.linux.org.uk>
+ To: Brad Spengler <spender@grsecurity.net>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Umm... I see what you are describing, and AFAICS you are correct; let me
+ see if I am misreading your analysis:
+ * vfsmount_lock may act fair; A holding it shared, with B spinning
+ on attempt to take it exclusive may lead to C spinning on attempt to take
+ it shared.
+ * path_is_under() tries get rename_lock while holding vfsmount_lock
+ shared.
+ * d_path() et.al. try to take vfsmount_lock shared, while holding
+ rename_lock.
+
+ All true and yes, it's a bug (I'd probably classify it as a livelock, but
+ that doesn't make any real difference). There are three possible solutions,
+ AFAICS:
+ 1) two-liner in path_is_under() replacing the use of vfsmount_lock
+ with that of namespace_sem; trivial, but results in function unexpectedly
+ blocking. The current callers are fine with that, but it's a trouble
+ waiting to happen.
+ 2) replace write_seqlock() in prepend_path() callers with
+ read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
+ is_subdir() we need more than just ->d_parent not pointing to something
+ freed - we also care about ->d_name.len being in sync with ->d_name.name.
+ It probably can be worked around, but...
+
+ 3) declare that rename_lock nests inside vfsmount_lock and let
+ the callers of prepend_path() take vfsmount_lock(). I'd probably prefer
+ that one...
+
+ Nest rename_lock inside vfsmount_lock
+
+ ... lest we get livelocks between path_is_under() and d_path() and friends.
+
+ [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
+ the issue ]
+
+ Spotted-by: Brad Spengler <spender@grsecurity.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/dcache.c | 16 +++++++++++-----
+ grsecurity/gracl.c | 20 ++++++++++----------
+ 2 files changed, 21 insertions(+), 15 deletions(-)
+
+commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri Mar 22 11:44:04 2013 -0700
+
+ Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
+
+ vfs,proc: guarantee unique inodes in /proc
+
+ Dave Jones found another /proc issue with his Trinity tool: thanks to
+ the namespace model, we can have multiple /proc dentries that point to
+ the same inode, aliasing directories in /proc/<pid>/net/ for example.
+
+ This ends up being a total disaster, because it acts like hardlinked
+ directories, and causes locking problems. We rely on the topological
+ sort of the inodes pointed to by dentries, and if we have aliased
+ directories, that odering becomes unreliable.
+
+ In short: don't do this. Multiple dentries with the same (directory)
+ inode is just a bad idea, and the namespace code should never have
+ exposed things this way. But we're kind of stuck with it.
+
+ This solves things by just always allocating a new inode during /proc
+ dentry lookup, instead of using "iget_locked()" to look up existing
+ inodes by superblock and number. That actually simplies the code a bit,
+ at the cost of potentially doing more inode [de]allocations.
+
+ That said, the inode lookup wasn't free either (and did a lot of locking
+ of inodes), so it is probably not that noticeable. We could easily keep
+ the old lookup model for non-directory entries, but rather than try to
+ be excessively clever this just implements the minimal and simplest
+ workaround for the problem.
+
+ Reported-and-tested-by: Dave Jones <davej@redhat.com>
+ Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/inode.c
+
+ fs/proc/inode.c | 9 +++------
+ 1 files changed, 3 insertions(+), 6 deletions(-)
+
+commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
+Author: Vladimir Davydov <vdavydov@parallels.com>
+Date: Fri Mar 22 15:04:51 2013 -0700
+
+ Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
+
+ mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
+
+ mnt_drop_write() must be called only if mnt_want_write() succeeded,
+ otherwise the mnt_writers counter will diverge.
+
+ mnt_writers counters are used to check if remounting FS as read-only is
+ OK, so after an extra mnt_drop_write() call, it would be impossible to
+ remount mqueue FS as read-only. Besides, on umount a warning would be
+ printed like this one:
+
+ =====================================
+ [ BUG: bad unlock balance detected! ]
+ 3.9.0-rc3 #5 Not tainted
+ -------------------------------------
+ a.out/12486 is trying to release lock (sb_writers) at:
+ mnt_drop_write+0x1f/0x30
+ but there are no more locks to release!
+
+ Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
+ Cc: Doug Ledford <dledford@redhat.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/mqueue.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 13:02:32 2013 -0400
+
+ Don't use constify plugin if not enabled in config,
+ reported by Alexey Vlasov
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3afb82e020593249ac394e9859397c3e0ef5341c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:50:13 2013 -0400
+
+ oded 0day #2
+ http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+ slide 20
+
+ drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:15:50 2013 -0400
+
+ oded 0day #1
+ http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+ slide 18
+
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:13:12 2013 -0400
+
+ remove warning on accessing this /proc entry, HIDESYM already caught the infoleak
+
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 44cb11a9470f72157601d0ad4d572d111f90f504
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 18:11:42 2013 -0400
+
+ use VM_DONTDUMP
+
+ fs/binfmt_elf.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 17:53:09 2013 -0400
+
+ fix recent RLIMIT_AS changes (due to vm_flags typo)
+
+ Conflicts:
+
+ fs/binfmt_elf.c
+
+ fs/binfmt_elf.c | 2 +-
+ mm/mmap.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit fd5f0d92b0fbec02029dad124501a9c80e527a32
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 17:08:48 2013 -0400
+
+ complete_walk drops rcu-walk mode, no need for our own dropping
+ method outside of generic_permission
+
+ fs/namei.c | 30 ------------------------------
+ 1 files changed, 0 insertions(+), 30 deletions(-)
+
+commit b49ab1c73edb6442eec609b26bba4d850b3111b6
+Merge: 5e9a707 783ade9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 21:56:28 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 21:55:31 2013 -0400
+
+ Update to pax-linux-3.8.3-test11.patch:
+ - rewrote the ASLR gap accounting code once again
+ - fixed ptrace compat bug found by the size overflow plugin
+
+ fs/binfmt_elf.c | 25 ++++++++++++-------------
+ fs/exec.c | 7 ++-----
+ include/linux/compat.h | 2 +-
+ include/linux/mm.h | 5 +++++
+ include/linux/mm_types.h | 2 +-
+ kernel/ptrace.c | 2 +-
+ mm/mmap.c | 15 ++++++++++-----
+ 7 files changed, 32 insertions(+), 26 deletions(-)
+
+commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 19:37:33 2013 -0400
+
+ Make the constify plugin usage actually depend on the introduced config option
+ (it was still forced on)
+
+ tools/gcc/Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1974b4f58d9d729c80ac1987785446115304a54c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 16:12:38 2013 -0400
+
+ fix failed merge
+
+ arch/arm/mm/fault.c | 15 +++------------
+ 1 files changed, 3 insertions(+), 12 deletions(-)
+
+commit 675a8ab4a8fe8315df348735a37a302a7535224c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 23:36:14 2013 -0400
+
+ From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
+ From: Kees Cook <keescook@chromium.org>
+ Date: Sun, 10 Mar 2013 20:09:31 +0000
+ Subject: drm/i915: bounds check execbuffer relocation count
+
+ It is possible to wrap the counter used to allocate the buffer for
+ relocation copies. This could lead to heap writing overflows.
+
+ CVE-2013-0913
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Reported-by: Pinkie Pie
+ Cc: stable@vger.kernel.org
+
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
+Author: Andy Honig <ahonig@google.com>
+Date: Wed Feb 20 14:48:10 2013 -0800
+
+ Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
+
+ KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
+
+ There is a potential use after free issue with the handling of
+ MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
+ memory such as frame buffers then KVM might continue to write to that
+ address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
+ the page in memory so it's unlikely to cause an issue, but if the user
+ space component re-purposes the memory previously used for the guest, then
+ the guest will be able to corrupt that memory.
+
+ Tested: Tested against kvmclock unit test
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ arch/x86/include/asm/kvm_host.h | 4 +-
+ arch/x86/kvm/x86.c | 47 ++++++++++++++++----------------------
+ 2 files changed, 22 insertions(+), 29 deletions(-)
+
+commit 0bcac31b57c381001feb69fd6ec8069e61e03432
+Author: Andy Honig <ahonig@google.com>
+Date: Mon Mar 11 09:34:52 2013 -0700
+
+ Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
+
+ KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
+
+ If the guest sets the GPA of the time_page so that the request to update the
+ time straddles a page then KVM will write onto an incorrect page. The
+ write is done byusing kmap atomic to get a pointer to the page for the time
+ structure and then performing a memcpy to that page starting at an offset
+ that the guest controls. Well behaved guests always provide a 32-byte aligned
+ address, however a malicious guest could use this to corrupt host kernel
+ memory.
+
+ Tested: Tested against kvmclock unit test.
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ arch/x86/kvm/x86.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 695c59887e4ec10b0b695ab4f645d1226c433be0
+Author: Andy Honig <ahonig@google.com>
+Date: Wed Feb 20 14:49:16 2013 -0800
+
+ Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
+
+ KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
+
+ If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
+ that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
+ that request. ioapic_read_indirect contains an
+ ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
+ non-debug builds. In recent kernels this allows a guest to cause a kernel
+ oops by reading invalid memory. In older kernels (pre-3.3) this allows a
+ guest to read from large ranges of host memory.
+
+ Tested: tested against apic unit tests.
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ virt/kvm/ioapic.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
+Merge: aec3cd4 c522e3a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 19:38:25 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
+Merge: c57d855 405acc3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 19:38:11 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 19:56:04 2013 -0400
+
+ include linux/compiler.h
+
+ include/linux/zlib.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:42:20 2013 -0400
+
+ fix missing sock_release()
+
+ net/irda/af_irda.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit dd65c05cd24faf8946d4941434a553ee285c35a3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:36:17 2013 -0400
+
+ fix mpt fusion infoleak
+
+ drivers/message/fusion/mptbase.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:33:45 2013 -0400
+
+ Fix size_overflow false positive reported by slashbeast
+
+ include/linux/zlib.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:35:36 2013 -0400
+
+ fix up failed merge
+
+ arch/arm/mm/fault.c | 9 ++-------
+ 1 files changed, 2 insertions(+), 7 deletions(-)
+
+commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:34:36 2013 -0400
+
+ update documentation on consequences of building without gcc plugin support
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:18:13 2013 -0400
+
+ fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums
+
+ init/main.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit f00195c633f91cfbd8c1f530d2c371b713026e20
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 22:27:33 2013 -0400
+
+ Fix compile error reported by KDE on the forums
+
+ kernel/user_namespace.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
+Merge: 0949569 c57d855
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 22:20:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/mm/fault.c
+ arch/x86/mm/fault.c
+ fs/exec.c
+
+commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 21:22:03 2013 -0400
+
+ Update to pax-linux-3.8.2-test9.patch:
+ arm changes from spender
+ - removed userland access to the vectors page
+ - removed obsolete sigreturn trampoline handling
+ - added emulation for __kuser_get_tls
+ - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
+ - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
+ - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
+ - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
+ - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
+ - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
+ and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
+
+ arch/arm/kernel/process.c | 5 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/traps.c | 7 -
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 23 +-
+ arch/arm/mm/mmu.c | 2 +-
+ arch/x86/include/asm/bitops.h | 2 +-
+ arch/x86/include/asm/desc.h | 2 +-
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/io.h | 8 +-
+ arch/x86/include/asm/paravirt.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +-
+ arch/x86/kernel/setup_percpu.c | 2 +-
+ arch/x86/mm/fault.c | 4 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/physaddr.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/power/power_supply_core.c | 1 +
+ drivers/usb/core/message.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/binfmt_elf.c | 5 +-
+ fs/exec.c | 4 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ include/linux/compat.h | 4 +-
+ include/linux/completion.h | 6 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/err.h | 4 +-
+ include/linux/math64.h | 6 +-
+ include/linux/sched.h | 2 +-
+ include/linux/unaligned/access_ok.h | 12 +-
+ include/linux/usb.h | 2 +-
+ include/uapi/linux/byteorder/little_endian.h | 4 +-
+ include/uapi/linux/swab.h | 6 +-
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 3 +
+ kernel/time.c | 2 +-
+ kernel/timer.c | 2 +-
+ lib/div64.c | 4 +-
+ mm/page-writeback.c | 2 +-
+ net/socket.c | 2 +
+ scripts/package/builddeb | 1 +
+ tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++----------
+ tools/gcc/size_overflow_plugin.c | 1072 ++--
+ 53 files changed, 6227 insertions(+), 3951 deletions(-)
+
+commit 09495691bb31f11ec14d9127429f9a0f3f716f22
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 17 20:51:50 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit deb85b00d0f9f886e264e116313f298401ec5c59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 17 20:03:33 2013 -0400
+
+ Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
+ with a subject applied to it with RES_CPU. Otherwise, the limit will only
+ begin to be applied at fork time.
+
+ Thanks to Bjornar Ness for the report.
+
+ grsecurity/gracl.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 2126421f123513f604ceef2b23ba9ed516de7e58
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 22:07:43 2013 -0400
+
+ Move inode auditing prior to our refcnt dropping
+
+ fs/namei.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 22:00:30 2013 -0400
+
+ Drop reference on completed path walked in RCU mode or when violating
+ the chroot fchdir check inside a chroot -- possible culprit for a reported
+ vfsmount_lock hang during unmount
+
+ fs/namei.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 16:43:45 2013 -0400
+
+ add user_arg_ptr back to exec.c
+
+ fs/exec.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 11:22:36 2013 -0400
+
+ Don't globally include compat.h -- with the new X32 support it
+ changes some definitions involving ELF binaries resulting in invalid
+ coredumps, as reported by KDE on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
+ Thanks to the PaX Team for debugging
+
+ fs/exec.c | 3 +++
+ grsecurity/grsec_exec.c | 13 +++++++++++++
+ include/linux/grsecurity.h | 15 ---------------
+ 3 files changed, 16 insertions(+), 15 deletions(-)
+
+commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:59:26 2013 -0400
+
+ Add peer information to /proc/net/unix from Kenan Kalajdzic:
+ http://marc.info/?l=linux-netdev&m=126745636809191&w=2
+
+ We use a "P" prefix to the inode number instead of "peer=". This
+ additional information can be used, for instance, to find what processes
+ are connected to MySQL's unix domain socket.
+
+ net/unix/af_unix.c | 12 +++++++++---
+ 1 files changed, 9 insertions(+), 3 deletions(-)
+
+commit 1cd623d11a462d151ea8a5cace4521e1724911a3
+Author: Oliver Neukum <oneukum@suse.de>
+Date: Tue Mar 12 14:52:42 2013 +0100
+
+ Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
+
+ USB: cdc-wdm: fix buffer overflow
+
+ The buffer for responses must not overflow.
+ If this would happen, set a flag, drop the data and return
+ an error after user space has read all remaining data.
+
+ Signed-off-by: Oliver Neukum <oliver@neukum.org>
+ CC: stable@kernel.org
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
+ 1 files changed, 20 insertions(+), 3 deletions(-)
+
+commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
+Merge: 9cdf9bc db4cb92
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:23:14 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/keys/compat.c
+
+commit db4cb924546e3fec3a59f78d056f48176eaf7100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:22:24 2013 -0400
+
+ Update to pax-linux-3.8.2-test8.patch
+
+ arch/arm/include/asm/cache.h | 2 ++
+ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++----------
+ arch/arm/mach-omap2/omap_device.c | 4 ++--
+ arch/arm/mach-omap2/omap_device.h | 4 ++--
+ arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
+ 5 files changed, 19 insertions(+), 15 deletions(-)
+
+commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
+Merge: 3c865f9 1a45c31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:20:54 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/arm/include/asm/delay.h
+ arch/arm/include/asm/pgtable.h
+ arch/arm/lib/delay.c
+ security/keys/compat.c
+
+commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Tue Mar 12 02:59:49 2013 +0000
+
+ Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
+
+ vfs: fix pipe counter breakage
+
+ If you open a pipe for neither read nor write, the pipe code will not
+ add any usage counters to the pipe, causing the 'struct pipe_inode_info"
+ to be potentially released early.
+
+ That doesn't normally matter, since you cannot actually use the pipe,
+ but the pipe release code - particularly fasync handling - still expects
+ the actual pipe infrastructure to all be there. And rather than adding
+ NULL pointer checks, let's just disallow this case, the same way we
+ already do for the named pipe ("fifo") case.
+
+ This is ancient going back to pre-2.4 days, and until trinity, nobody
+ naver noticed.
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/pipe.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
+Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Mon Feb 25 10:20:36 2013 -0500
+
+ Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
+
+ Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
+
+ Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
+ compat_process_vm_rw() shows that the compatibility code requires an
+ explicit "access_ok()" check before calling
+ compat_rw_copy_check_uvector(). The same difference seems to appear when
+ we compare fs/read_write.c:do_readv_writev() to
+ fs/compat.c:compat_do_readv_writev().
+
+ This subtle difference between the compat and non-compat requirements
+ should probably be debated, as it seems to be error-prone. In fact,
+ there are two others sites that use this function in the Linux kernel,
+ and they both seem to get it wrong:
+
+ Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
+ also ends up calling compat_rw_copy_check_uvector() through
+ aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
+ be missing. Same situation for
+ security/keys/compat.c:compat_keyctl_instantiate_key_iov().
+
+ I propose that we add the access_ok() check directly into
+ compat_rw_copy_check_uvector(), so callers don't have to worry about it,
+ and it therefore makes the compat call code similar to its non-compat
+ counterpart. Place the access_ok() check in the same location where
+ copy_from_user() can trigger a -EFAULT error in the non-compat code, so
+ the ABI behaviors are alike on both compat and non-compat.
+
+ While we are here, fix compat_do_readv_writev() so it checks for
+ compat_rw_copy_check_uvector() negative return values.
+
+ And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
+ handling.
+
+ Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ security/keys/compat.c
+
+ fs/compat.c | 15 +++++++--------
+ mm/process_vm_access.c | 8 --------
+ security/keys/compat.c | 3 ++-
+ 3 files changed, 9 insertions(+), 17 deletions(-)
+
+commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 11 18:38:38 2013 -0400
+
+ Fix leak of signal handler addresses across execve, found by Emese Revfy
+
+ kernel/signal.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 79b130c4b11c7940daf2b33d653a17666331c634
+Merge: 6480ce9 3c865f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 20:04:03 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 20:03:12 2013 -0400
+
+ Update to pax-linux-3.8.2-test7.patch:
+ - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
+ - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
+
+ fs/binfmt_elf.c | 3 ++-
+ fs/exec.c | 3 +++
+ include/linux/mm_types.h | 2 +-
+ init/main.c | 4 ++--
+ mm/mmap.c | 2 +-
+ mm/page_alloc.c | 4 ++--
+ tools/gcc/latent_entropy_plugin.c | 11 +++++++----
+ 7 files changed, 18 insertions(+), 11 deletions(-)
+
+commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
+Merge: 4a5305e 25b3569
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 10:41:16 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 25b356980568bed9958315bb5a551fdc610055ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 10:40:48 2013 -0400
+
+ Update to pax-linux-3.8.2-test6.patch:
+ - fixed a KERNEXEC false positive on arm reported by Gu1
+ - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
+ - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
+ - added fix from spender for some namespace breakage reported by zakalwe
+ - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
+
+ Documentation/kernel-parameters.txt | 5 +++++
+ arch/arm/kernel/patch.c | 2 ++
+ arch/x86/kernel/sys_i386_32.c | 5 +++--
+ drivers/acpi/blacklist.c | 2 +-
+ drivers/video/aty/mach64_cursor.c | 1 +
+ init/main.c | 4 ----
+ mm/page_alloc.c | 27 +++++++++++++++++++++++++++
+ net/ipv4/ip_fragment.c | 2 +-
+ security/Kconfig | 5 +++++
+ tools/gcc/latent_entropy_plugin.c | 7 +++++--
+ 10 files changed, 50 insertions(+), 10 deletions(-)
+
+commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 9 11:19:06 2013 -0500
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
+ Stephen Hemminger <stephen@networkplumber.org>
+ Subject: [PATCH 1/3] bridge: fix mdb info leaks
+ Date: Sat, 9 Mar 2013 16:52:19 +0100
+
+ The bridging code discloses heap and stack bytes via the RTM_GETMDB
+ netlink interface and via the notify messages send to group RTNLGRP_MDB
+ afer a successful add/del.
+
+ Fix both cases by initializing all unset members/padding bytes with
+ memset(0).
+
+ Cc: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
+ Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
+ Date: Sat, 9 Mar 2013 16:52:20 +0100
+
+ Initialize the mac address buffer with 0 as the driver specific function
+ will probably not fill the whole buffer. In fact, all in-kernel drivers
+ fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+ bytes. Therefore we currently leak 26 bytes of stack memory to userland
+ via the netlink interface.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
+ Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
+ Date: Sat, 9 Mar 2013 16:52:21 +0100
+
+ The dcb netlink interface leaks stack memory in various places:
+ * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
+ copied completely,
+ * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
+ so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
+ for ieee_pfc structs, etc.,
+ * the same is true for CEE -- no in-kernel driver fills the whole
+ struct,
+
+ Prevent all of the above stack info leaks by properly initializing the
+ buffers/structures involved.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/bridge/br_mdb.c | 4 ++++
+ net/core/rtnetlink.c | 1 +
+ net/dcb/dcbnl.c | 8 ++++++++
+ 3 files changed, 13 insertions(+), 0 deletions(-)
+
+commit 601dd446f896e3a362f706943df18a68d50420a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 9 09:35:25 2013 -0500
+
+ add open/close wrappers in __patch_text() as reported by Gu1 on IRC
+
+ arch/arm/kernel/patch.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ae39966fd85a493e9079b357e3faa62245a41222
+Author: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri Mar 8 12:43:27 2013 -0800
+
+ Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
+
+ ipc: don't allocate a copy larger than max
+
+ When MSG_COPY is set, a duplicate message must be allocated for the copy
+ before locking the queue. However, the copy could not be larger than was
+ sent which is limited to msg_ctlmax.
+
+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+ Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msg.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 61240e99650ea3e540a03a3e994349c5086f166b
+Author: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri Mar 8 12:43:26 2013 -0800
+
+ Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
+
+ ipc: fix potential oops when src msg > 4k w/ MSG_COPY
+
+ If the src msg is > 4k, then dest->next points to the
+ next allocated segment; resetting it just prior to dereferencing
+ is bad.
+
+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+ Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msgutil.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 51727f602a267f34fb2e0dc9557f1714028d51a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 22:14:06 2013 -0500
+
+ add missing 'else' in recent constify fixups
+
+ net/ipv4/ip_fragment.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
+Merge: 1580bb3 47c3f47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 18:18:37 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 18:17:22 2013 -0500
+
+ Update to pax-linux-3.8.2-test5.patch:
+ - fixed some fallout after the last round of constification changes, reported by several people
+
+ arch/arm/common/gic.c | 4 ++--
+ arch/arm/include/asm/hardware/gic.h | 3 ++-
+ arch/x86/include/asm/nmi.h | 2 +-
+ arch/x86/kernel/nmi.c | 2 +-
+ arch/x86/pci/irq.c | 2 +-
+ drivers/base/power/domain.c | 4 ++--
+ drivers/cpufreq/cpufreq_governor.c | 4 ++--
+ drivers/mfd/twl4030-irq.c | 1 +
+ drivers/video/vesafb.c | 7 +++++--
+ include/linux/irq.h | 1 +
+ include/linux/pm_domain.h | 2 +-
+ kernel/sched/core.c | 4 ++++
+ lib/Kconfig.debug | 4 ++--
+ net/core/sysctl_net_core.c | 2 +-
+ net/decnet/af_decnet.c | 1 +
+ net/ipv4/devinet.c | 2 +-
+ net/ipv4/ip_fragment.c | 2 +-
+ net/ipv4/route.c | 2 +-
+ net/ipv4/sysctl_net_ipv4.c | 2 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
+ net/ipv6/reassembly.c | 2 +-
+ scripts/sortextable.h | 6 +++---
+ 22 files changed, 36 insertions(+), 25 deletions(-)
+
+commit 1580bb38b4db0bf2a46316599815e8b234edad81
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 22:02:59 2013 -0500
+
+ add an additional open/close wrapper
+
+ kernel/sched/core.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 21622672d28d58e0d93a805cd1f9650a894a752a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 21:58:24 2013 -0500
+
+ fix oops at shutdown with new constify code
+
+ kernel/sched/core.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 21:18:44 2013 -0500
+
+ Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
+ it currently conflicts with some lock debugging options, so made as an
+ option to allow for debugging when necessary
+
+ Makefile | 2 --
+ lib/Kconfig.debug | 6 +++---
+ security/Kconfig | 18 ++++++++++++++++++
+ 3 files changed, 21 insertions(+), 5 deletions(-)
+
+commit 0885b00b8373a1597b69c38032a0c9eee279303b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:55:19 2013 -0500
+
+ disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify
+
+ lib/Kconfig.debug | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c8a2617165e7127a54f293cbf57d22d50dd83abd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:30:41 2013 -0500
+
+ Fix error:
+ drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
+ with cast and proper kernexec accessors
+
+ drivers/video/vesafb.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:20:28 2013 -0500
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:12:17 2013 -0500
+
+ fix compilation error -- no reason for task_pid_nr to not take a const task ptr
+
+ include/linux/sched.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
+Author: Kees Cook <keescook@chromium.org>
+Date: Mon Feb 25 21:32:25 2013 +0000
+
+ Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
+
+ proc connector: reject unprivileged listener bumps
+
+ While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
+ for an unprivileged user to turn off notifications for all listeners by
+ sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
+ required for a multicast bind.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Evgeniy Polyakov <zbr@ioremap.net>
+ Cc: Matt Helsley <matthltc@us.ibm.com>
+ Cc: stable@vger.kernel.org
+ Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+ Acked-by: Matt Helsley <matthltc@us.ibm.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/connector/cn_proc.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit ac6014ded57101e3e608941555ff507e20c1ece3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Feb 26 19:15:02 2013 +0000
+
+ Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
+
+ irda: small read beyond end of array in debug code
+
+ charset comes from skb->data. It's a number in the 0-255 range.
+ If we have debugging turned on then this could cause a read beyond
+ the end of the array.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/irda/iriap.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
+Author: Guenter Roeck <linux@roeck-us.net>
+Date: Wed Feb 27 10:57:31 2013 +0000
+
+ Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
+
+ net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
+
+ Building sctp may fail with:
+
+ In function ‘copy_from_user’,
+ inlined from ‘sctp_getsockopt_assoc_stats’ at
+ net/sctp/socket.c:5656:20:
+ arch/x86/include/asm/uaccess_32.h:211:26: error: call to
+ ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
+ buffer size is not provably correct
+
+ if built with W=1 due to a missing parameter size validation
+ before the call to copy_from_user.
+
+ Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri Mar 1 05:02:02 2013 +0000
+
+ Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
+
+ l2tp: Restore socket refcount when sendmsg succeeds
+
+ The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
+ reference counter after successful transmissions. Any successful
+ sendmsg() call from userspace will then increase the reference counter
+ forever, thus preventing the kernel's session and tunnel data from
+ being freed later on.
+
+ The problem only happens when writing directly on L2TP sockets.
+ PPP sockets attached to L2TP are unaffected as the PPP subsystem
+ uses pppol2tp_xmit() which symmetrically increase/decrease reference
+ counters.
+
+ This patch adds the missing call to sock_put() before returning from
+ pppol2tp_sendmsg().
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
+Author: Cong Wang <amwang@redhat.com>
+Date: Sun Mar 3 16:18:11 2013 +0000
+
+ Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
+
+ rds: limit the size allocated by rds_message_alloc()
+
+ Dave Jones reported the following bug:
+
+ "When fed mangled socket data, rds will trust what userspace gives it,
+ and tries to allocate enormous amounts of memory larger than what
+ kmalloc can satisfy."
+
+ WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+ Hardware name: GA-MA78GM-S2H
+ Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+ Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+ Call Trace:
+ [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
+ [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
+ [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
+ [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
+ [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
+ [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
+ [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
+ [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
+ [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
+ [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
+ [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
+ [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
+ [<ffffffff81567f30>] sys_sendto+0x130/0x180
+ [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
+ [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
+ [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
+ ---[ end trace eed6ae990d018c8b ]---
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Cc: Dave Jones <davej@redhat.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/rds/message.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
+Author: Cong Wang <amwang@redhat.com>
+Date: Sun Mar 3 16:28:27 2013 +0000
+
+ Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
+
+ sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
+
+ Don't definite its own MAX_KMALLOC_SIZE, use the one
+ defined in mm.
+
+ Cc: Vlad Yasevich <vyasevich@gmail.com>
+ Cc: Sridhar Samudrala <sri@us.ibm.com>
+ Cc: Neil Horman <nhorman@tuxdriver.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/ssnmap.c | 8 +++-----
+ 1 files changed, 3 insertions(+), 5 deletions(-)
+
+commit 4295a024e812f903fc580c81de5e81cc149503fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:57:49 2013 -0500
+
+ Upstream commit: https://lkml.org/lkml/2013/3/6/535
+
+ security/keys/process_keys.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 33edd486a9899a145a15586d7134636b0300aaee
+Merge: 4eeeaf3 a2a2094
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:53:00 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/include/asm/domain.h
+
+commit a2a20947f5e1332e474160a39af520738b3c8c19
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:51:04 2013 -0500
+
+ Update to pax-linux-3.8.2-test4.patch:
+ fixed arm compilation problems reported by Michael Tremer
+ - the constify plugin got smarter that enabled, with some additional patching,
+ the elimination of about half the static function pointers on amd64/allmod
+ (up from about 18%), depending on the kernel config it can be even more (70%)
+
+ Documentation/dontdiff | 2 +
+ arch/arm/include/asm/domain.h | 1 +
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/nmi.h | 4 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 2 +-
+ arch/x86/kernel/apic/io_apic.c | 10 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/i8259.c | 6 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/nmi.c | 6 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/irq.c | 6 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 2 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 4 +-
+ drivers/char/random.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 ++-
+ drivers/cpufreq/cpufreq.c | 7 +-
+ drivers/cpufreq/cpufreq_governor.c | 4 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/edac/edac_mc_sysfs.c | 2 +-
+ drivers/edac/edac_pci_sysfs.c | 2 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 2 +-
+ drivers/gpu/drm/drm_ioc32.c | 9 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 ++-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++--
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
+ drivers/mfd/twl4030-irq.c | 8 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/macvlan.c | 16 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 6 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa.h | 2 +-
+ drivers/staging/iio/iio_hwmon.c | 2 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 4 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 ++-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 4 +-
+ drivers/video/uvesafb.c | 14 +-
+ fs/exec.c | 6 +-
+ fs/ext4/super.c | 2 +-
+ fs/jfs/super.c | 4 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ include/drm/drmP.h | 12 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 2 +-
+ include/linux/binfmts.h | 2 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/irq.h | 2 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kobject.h | 1 +
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/list.h | 14 +-
+ include/linux/mod_devicetable.h | 2 +-
+ include/linux/module.h | 5 +-
+ include/linux/net.h | 2 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/platform_data/usb-exynos.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/rculist.h | 16 ++
+ include/linux/sched.h | 2 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 1 +
+ include/linux/xattr.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_vs.h | 4 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/net_namespace.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/xfrm.h | 4 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ kernel/kmod.c | 2 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/module.c | 4 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/rcutree_plugin.h | 2 +-
+ kernel/sched/core.c | 39 ++--
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 2 +-
+ kernel/sysctl.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ lib/Kconfig.debug | 2 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 57 ++++-
+ lib/swiotlb.c | 2 +-
+ mm/hugetlb.c | 16 +-
+ mm/memory-failure.c | 2 +-
+ mm/slab_common.c | 2 +-
+ net/9p/mod.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 11 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 15 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/devinet.c | 12 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/ip_fragment.c | 9 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/route.c | 14 +-
+ net/ipv4/sysctl_net_ipv4.c | 43 ++--
+ net/ipv6/addrconf.c | 4 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 6 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
+ net/ipv6/reassembly.c | 11 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/rds.h | 2 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/sysctl.c | 4 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/xfrm/xfrm_policy.c | 11 +-
+ net/xfrm/xfrm_state.c | 29 ++-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ security/apparmor/lsm.c | 2 +-
+ security/keys/key.c | 18 +-
+ security/yama/yama_lsm.c | 22 +-
+ tools/gcc/Makefile | 4 +-
+ tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------
+ tools/gcc/size_overflow_plugin.c | 7 +-
+ 248 files changed, 994 insertions(+), 668 deletions(-)
+
+commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:58:21 2013 -0500
+
+ Make slab_state __read_only, it's only written to during init
+
+ mm/slab_common.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:31:35 2013 -0500
+
+ Make two new helper functions:
+ gr_is_global_root() and gr_is_global_nonroot()
+
+ grsecurity/gracl.c | 10 +++++-----
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_link.c | 4 ++--
+ grsecurity/grsec_sig.c | 10 +++++-----
+ grsecurity/grsec_tpe.c | 6 +++---
+ include/linux/uidgid.h | 2 ++
+ 6 files changed, 18 insertions(+), 16 deletions(-)
+
+commit d45d88eddd4998b280b1e5b5384289ee11ca7088
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:14:41 2013 -0500
+
+ convert remaining task->pid to task_pid_nr(task)
+
+ grsecurity/gracl.c | 22 +++++++++++-----------
+ grsecurity/gracl_shm.c | 2 +-
+ grsecurity/grsec_chroot.c | 4 ++--
+ grsecurity/grsec_sig.c | 4 ++--
+ 4 files changed, 16 insertions(+), 16 deletions(-)
+
+commit c877f2ece03ee2232dd281c1977ae59507297124
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 5 17:29:54 2013 -0500
+
+ compat-log is only used anymore by vm86-on-64bit and allows unlimited
+ spamming of the kernel log buffer (and since it includes the changable
+ process name, can avoid syslog log deduplication)
+ Turn it off by default
+
+ fs/compat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 7c1964c4b7276889d7967bee70e46918cdca1b14
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 4 17:19:10 2013 -0500
+
+ fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
+ is enabled, introduced with recent userns support
+
+ init/main.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 18:46:12 2013 -0500
+
+ Prevent TOMOYO from auto-loading modules by unprivileged users
+ (Only reachable if TOMOYO is actually used)
+
+ security/tomoyo/mount.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 79e142f9455b398759ff9d93d4963a21b98dddda
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 18:28:45 2013 -0500
+
+ For now, don't permit any special access to /proc in a user namespace
+ Later we can go back and allow a userns-uid0 special access to a /proc
+ with a non-global pid namespace
+
+ fs/proc/base.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8b91fb393049ce5f3c0a86f62247409853fd9700
+Merge: d931eb8 603ef05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:42:09 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:41:31 2013 -0500
+
+ Fix compilation error on ARM reported by Michael Tremer
+
+ arch/arm/mach-omap2/wd_timer.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit b4c9ce81fdd7839a150c97873c710c479e788280
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:39:53 2013 -0500
+
+ Fix compilation error on ARM reported by Michael Tremer
+
+ arch/arm/kernel/armksyms.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d931eb81ab3da46896268fd61373a6aa7bbea930
+Merge: bfa7f44 5948f93
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:34:36 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
+Merge: ab30472 19b00d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:34:08 2013 -0500
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 15:12:12 2013 -0500
+
+ Initial support for user namespaces, as we previously didn't allow
+ the option to be enabled at all.
+
+ RBAC will act on the global uids/gids only, so all uids/gids in user
+ namespaces will be converted
+
+ Because Eric Biederman is insulted that I didn't support his
+ backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN
+ check in for user namespaces, so this is generally irrelevant.
+
+ fs/exec.c | 6 +-
+ fs/proc/base.c | 2 +-
+ fs/proc/proc_net.c | 4 +-
+ grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++-------------
+ grsecurity/gracl_cap.c | 4 +-
+ grsecurity/gracl_ip.c | 16 +++---
+ grsecurity/gracl_segv.c | 12 +++-
+ grsecurity/gracl_shm.c | 4 +-
+ grsecurity/grsec_disabled.c | 10 ++--
+ grsecurity/grsec_fifo.c | 6 +-
+ grsecurity/grsec_init.c | 24 ++++----
+ grsecurity/grsec_log.c | 3 -
+ grsecurity/grsec_tpe.c | 6 +-
+ include/linux/grinternal.h | 12 ++--
+ include/linux/grsecurity.h | 12 ++--
+ include/linux/uidgid.h | 3 +
+ init/Kconfig | 2 -
+ ipc/shm.c | 2 +-
+ kernel/cred.c | 5 +-
+ kernel/kallsyms.c | 2 +-
+ kernel/kmod.c | 6 +-
+ kernel/sys.c | 12 ++--
+ 22 files changed, 166 insertions(+), 115 deletions(-)
+
+commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed Feb 27 08:36:04 2013 -0800
+
+ Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
+
+ mm: do not grow the stack vma just because of an overrun on preceding vma
+
+ The stack vma is designed to grow automatically (marked with VM_GROWSUP
+ or VM_GROWSDOWN depending on architecture) when an access is made beyond
+ the existing boundary. However, particularly if you have not limited
+ your stack at all ("ulimit -s unlimited"), this can cause the stack to
+ grow even if the access was really just one past *another* segment.
+
+ And that's wrong, especially since we first grow the segment, but then
+ immediately later enforce the stack guard page on the last page of the
+ segment. So _despite_ first growing the stack segment as a result of
+ the access, the kernel will then make the access cause a SIGSEGV anyway!
+
+ So do the same logic as the guard page check does, and consider an
+ access to within one page of the next segment to be a bad access, rather
+ than growing the stack to abut the next segment.
+
+ Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmap.c | 27 +++++++++++++++++++++++++++
+ 1 files changed, 27 insertions(+), 0 deletions(-)
+
+commit 5596211af754867ca825f58e6e0300a8439950fe
+Author: H. Peter Anvin <hpa@linux.intel.com>
+Date: Wed Feb 27 12:46:40 2013 -0800
+
+ Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
+
+ x86: Make sure we can boot in the case the BDA contains pure garbage
+
+ On non-BIOS platforms it is possible that the BIOS data area contains
+ garbage instead of being zeroed or something equivalent (firmware
+ people: we are talking of 1.5K here, so please do the sane thing.)
+
+ We need on the order of 20-30K of low memory in order to boot, which
+ may grow up to < 64K in the future. We probably want to avoid the
+ lowest of the low memory. At the same time, it seems extremely
+ unlikely that a legitimate EBDA would ever reach down to the 128K
+ (which would require it to be over half a megabyte in size.) Thus,
+ pick 128K as the cutoff for "this is insane, ignore." We may still
+ end up reserving a bunch of extra memory on the low megabyte, but that
+ is not really a major issue these days. In the worst case we lose
+ 512K of RAM.
+
+ This code really should be merged with trim_bios_range() in
+ arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
+ window.
+
+ Reported-by: Darren Hart <dvhart@linux.intel.com>
+ Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+ Cc: Matt Fleming <matt.fleming@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
+
+ arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
+ 1 files changed, 34 insertions(+), 19 deletions(-)
+
+commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Wed Feb 27 17:05:46 2013 -0800
+
+ Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
+
+ memstick: move the dereference below the NULL test
+
+ The dereference should be moved below the NULL test.
+
+ spatch with a semantic match is used to found this.
+ (http://coccinelle.lip6.fr/)
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Cc: Maxim Levitsky <maximlevitsky@gmail.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/memstick/host/r592.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Feb 27 17:05:21 2013 -0800
+
+ Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
+
+ sysctl: fix null checking in bin_dn_node_address()
+
+ The null check of `strchr() + 1' is broken, which is always non-null,
+ leading to OOB read. Instead, check the result of strchr().
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sysctl_binary.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 7ca96db0817416fd40761e7437d1939fc0731380
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed Feb 27 17:03:34 2013 -0800
+
+ Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
+
+ idr: fix a subtle bug in idr_get_next()
+
+ The iteration logic of idr_get_next() is borrowed mostly verbatim from
+ idr_for_each(). It walks down the tree looking for the slot matching
+ the current ID. If the matching slot is not found, the ID is
+ incremented by the distance of single slot at the given level and
+ repeats.
+
+ The implementation assumes that during the whole iteration id is aligned
+ to the layer boundaries of the level closest to the leaf, which is true
+ for all iterations starting from zero or an existing element and thus is
+ fine for idr_for_each().
+
+ However, idr_get_next() may be given any point and if the starting id
+ hits in the middle of a non-existent layer, increment to the next layer
+ will end up skipping the same offset into it. For example, an IDR with
+ IDs filled between [64, 127] would look like the following.
+
+ [ 0 64 ... ]
+ /----/ |
+ | |
+ NULL [ 64 ... 127 ]
+
+ If idr_get_next() is called with 63 as the starting point, it will try
+ to follow down the pointer from 0. As it is NULL, it will then try to
+ proceed to the next slot in the same level by adding the slot distance
+ at that level which is 64 - making the next try 127. It goes around the
+ loop and finds and returns 127 skipping [64, 126].
+
+ Note that this bug also triggers in idr_for_each_entry() loop which
+ deletes during iteration as deletions can make layers go away leaving
+ the iteration with unaligned ID into missing layers.
+
+ Fix it by ensuring proceeding to the next slot doesn't carry over the
+ unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
+ id += slot_distance.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-by: David Teigland <teigland@redhat.com>
+ Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/idr.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+commit 745362f28034f54242ba2e64eaa7374ab9869613
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 1 20:31:42 2013 -0500
+
+ Fix dentry use-after-free after failed complete_walk() with RBAC enabled
+ Many thanks to zakalwe from #grsecurity for the report and debugging help
+
+ fs/namei.c | 8 +++-----
+ 1 files changed, 3 insertions(+), 5 deletions(-)
+
+commit b53b3b14330920c6f7cfb74c8508a3026e1be620
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 18:29:26 2013 -0500
+
+ Fix bad git merge
+
+ fs/namespace.c | 8 --------
+ 1 files changed, 0 insertions(+), 8 deletions(-)
+
+commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
+Merge: 1cce1dd ab30472
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 17:45:14 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ net/core/sock_diag.c
+
+commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
+Merge: 4b61d21 4c91a0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 17:43:56 2013 -0500
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 22:20:22 2013 -0500
+
+ add compiler.h to sysrq.h to fix compilation problem reported by micu on forums
+
+ include/linux/sysrq.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 17:52:31 2013 -0500
+
+ declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel
+
+ kernel/printk.c | 12 +++++++-----
+ 1 files changed, 7 insertions(+), 5 deletions(-)
+
+commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 17:23:46 2013 -0500
+
+ Fix upstream vulnerability from addition of a /dev/kmsg device
+ while neglecting to add the same set of existing permission checks
+ from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG.
+ A temporary workaround without this patch would be to
+ chmod 0600 /dev/kmsg (and is likely a good idea anyway).
+
+ Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
+ Initially reported to Redhat bugzilla by Christian Kujau:
+ https://bugzilla.redhat.com/show_bug.cgi?id=903192
+
+ kernel/printk.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 66c04806f5660988c3cb4855e60de294e77e3d0e
+Author: David Howells <dhowells@redhat.com>
+Date: Thu Feb 21 12:00:25 2013 +0000
+
+ Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
+
+ KEYS: Revert one application of "Fix unreachable code" patch
+
+ A patch to fix some unreachable code in search_my_process_keyrings() got
+ applied twice by two different routes upstream as commits e67eab39bee2
+ and b010520ab3d2 (both "fix unreachable code").
+
+ Unfortunately, the second application removed something it shouldn't
+ have and this wasn't detected by GIT. This is due to the patch not
+ having sufficient lines of context to distinguish the two places of
+ application.
+
+ The effect of this is relatively minor: inside the kernel, the keyring
+ search routines may search multiple keyrings and then prioritise the
+ errors if no keys or negative keys are found in any of them. With the
+ extra deletion, the presence of a negative key in the thread keyring
+ (causing ENOKEY) is incorrectly overridden by an error searching the
+ process keyring.
+
+ So revert the second application of the patch.
+
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Cc: Jiri Kosina <jkosina@suse.cz>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ security/keys/process_keys.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Thu Feb 21 16:42:43 2013 -0800
+
+ Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
+
+ configfs: move the dereference below the NULL test
+
+ The dereference should be moved below the NULL test.
+
+ spatch with a semantic match is used to found this.
+ (http://coccinelle.lip6.fr/)
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Cc: Joel Becker <jlbec@evilplan.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/configfs/dir.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
+Author: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Sun Feb 24 20:06:09 2013 -0500
+
+ Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
+
+ tty vt: fix character insertion overflow
+
+ Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
+ command line edition") broke insert_char() in multiple ways. Then
+ commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
+ partially fixed it. However, the buffer being moved is still too large
+ and overflowing beyond the end of the current line, corrupting existing
+ characters on the next line.
+
+ Example test case:
+
+ echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
+
+ Expected result:
+
+ ab c
+ de
+
+ Current result:
+
+ ab c
+ e
+
+ Needless to say that this is very annoying when inserting words in the
+ middle of paragraphs with certain text editors.
+
+ Signed-off-by: Nicolas Pitre <nico@linaro.org>
+ Cc: Jean-François Moine <moinejf@free.fr>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/tty/vt/vt.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6cda35071669b4aabde081bd039e0ffea36f997a
+Author: Robin Holt <holt@sgi.com>
+Date: Fri Feb 22 16:35:34 2013 -0800
+
+ Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
+
+ mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
+
+ There is a race condition between mmu_notifier_unregister() and
+ __mmu_notifier_release().
+
+ Assume two tasks, one calling mmu_notifier_unregister() as a result of a
+ filp_close() ->flush() callout (task A), and the other calling
+ mmu_notifier_release() from an mmput() (task B).
+
+ A B
+ t1 srcu_read_lock()
+ t2 if (!hlist_unhashed())
+ t3 srcu_read_unlock()
+ t4 srcu_read_lock()
+ t5 hlist_del_init_rcu()
+ t6 synchronize_srcu()
+ t7 srcu_read_unlock()
+ t8 hlist_del_rcu() <--- NULL pointer deref.
+
+ Additionally, the list traversal in __mmu_notifier_release() is not
+ protected by the by the mmu_notifier_mm->hlist_lock which can result in
+ callouts to the ->release() notifier from both mmu_notifier_unregister()
+ and __mmu_notifier_release().
+
+ -stable suggestions:
+
+ The stable trees prior to 3.7.y need commits 21a92735f660 and
+ 70400303ce0c cherry-picked in that order prior to cherry-picking this
+ commit. The 3.7.y tree already has those two commits.
+
+ Signed-off-by: Robin Holt <holt@sgi.com>
+ Cc: Andrea Arcangeli <aarcange@redhat.com>
+ Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+ Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+ Cc: Avi Kivity <avi@redhat.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Marcelo Tosatti <mtosatti@redhat.com>
+ Cc: Sagi Grimberg <sagig@mellanox.co.il>
+ Cc: Haggai Eran <haggaie@mellanox.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++--------------------------
+ 1 files changed, 42 insertions(+), 40 deletions(-)
+
+commit bf5167ed78ba6131c6874887f714bda50c2cab83
+Author: Mike Galbraith <bitbucket@online.de>
+Date: Mon Jan 28 12:19:25 2013 +0100
+
+ Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
+
+ sched: Fix select_idle_sibling() bouncing cow syndrome
+
+ If the previous CPU is cache affine and idle, select it.
+
+ The current implementation simply traverses the sd_llc domain,
+ taking the first idle CPU encountered, which walks buddy pairs
+ hand in hand over the package, inflicting excruciating pain.
+
+ 1 tbench pair (worst case) in a 10 core + SMT package:
+
+ pre 15.22 MB/sec 1 procs
+ post 252.01 MB/sec 1 procs
+
+ Signed-off-by: Mike Galbraith <bitbucket@online.de>
+ Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ kernel/sched/fair.c | 21 +++++++--------------
+ 1 files changed, 7 insertions(+), 14 deletions(-)
+
+commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Fri Dec 28 18:58:39 2012 -0800
+
+ Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
+
+ userns: Avoid recursion in put_user_ns
+
+ When freeing a deeply nested user namespace free_user_ns calls
+ put_user_ns on it's parent which may in turn call free_user_ns again.
+ When -fno-optimize-sibling-calls is passed to gcc one stack frame per
+ user namespace is left on the stack, potentially overflowing the
+ kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
+ so we can't count on gcc to optimize this code.
+
+ Remove struct kref and use a plain atomic_t. Making the code more
+ flexible and easier to comprehend. Make the loop in free_user_ns
+ explict to guarantee that the stack does not overflow with
+ CONFIG_FRAME_POINTER enabled.
+
+ I have tested this fix with a simple program that uses unshare to
+ create a deeply nested user namespace structure and then calls exit.
+ With 1000 nesteuser namespaces before this change running my test
+ program causes the kernel to die a horrible death. With 10,000,000
+ nested user namespaces after this change my test program runs to
+ completion and causes no harm.
+
+ Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+ Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+
+ include/linux/user_namespace.h | 10 +++++-----
+ kernel/user.c | 4 +---
+ kernel/user_namespace.c | 17 +++++++++--------
+ 3 files changed, 15 insertions(+), 16 deletions(-)
+
+commit 81501c7106ccc186c94806f4db954626295b5ebe
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Feb 26 17:12:30 2013 -0500
+
+ Pass the same flags to kern_path_create as the original function
+
+ fs/namei.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a677c8eee35afe48868f92c7d6745bfe809cd481
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri Feb 22 22:45:42 2013 -0500
+
+ Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
+
+ get rid of unprotected dereferencing of mnt->mnt_ns
+
+ It's safe only under namespace_sem or vfsmount_lock; all places
+ in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
+ current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
+ there).
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/namespace.c | 29 +++++++++++++++++------------
+ 1 files changed, 17 insertions(+), 12 deletions(-)
+
+commit 89298124d0c96dc34a60377e7a1308f8f532ff75
+Author: Greg Thelen <gthelen@google.com>
+Date: Fri Feb 22 16:36:01 2013 -0800
+
+ Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
+
+ tmpfs: fix use-after-free of mempolicy object
+
+ The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
+ option is not specified in the remount request. A new policy can be
+ specified if mpol=M is given.
+
+ Before this patch remounting an mpol bound tmpfs without specifying
+ mpol= mount option in the remount request would set the filesystem's
+ mempolicy object to a freed mempolicy object.
+
+ To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
+ # mkdir /tmp/x
+
+ # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
+
+ # grep /tmp/x /proc/mounts
+ nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
+
+ # mount -o remount,size=200M nodev /tmp/x
+
+ # grep /tmp/x /proc/mounts
+ nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
+ # note ? garbage in mpol=... output above
+
+ # dd if=/dev/zero of=/tmp/x/f count=1
+ # panic here
+
+ Panic:
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [< (null)>] (null)
+ [...]
+ Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
+ Call Trace:
+ mpol_shared_policy_init+0xa5/0x160
+ shmem_get_inode+0x209/0x270
+ shmem_mknod+0x3e/0xf0
+ shmem_create+0x18/0x20
+ vfs_create+0xb5/0x130
+ do_last+0x9a1/0xea0
+ path_openat+0xb3/0x4d0
+ do_filp_open+0x42/0xa0
+ do_sys_open+0xfe/0x1e0
+ compat_sys_open+0x1b/0x20
+ cstar_dispatch+0x7/0x1f
+
+ Non-debug kernels will not crash immediately because referencing the
+ dangling mpol will not cause a fault. Instead the filesystem will
+ reference a freed mempolicy object, which will cause unpredictable
+ behavior.
+
+ The problem boils down to a dropped mpol reference below if
+ shmem_parse_options() does not allocate a new mpol:
+
+ config = *sbinfo
+ shmem_parse_options(data, &config, true)
+ mpol_put(sbinfo->mpol)
+ sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */
+
+ This patch avoids the crash by not releasing the mempolicy if
+ shmem_parse_options() doesn't create a new mpol.
+
+ How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
+ not look back further.
+
+ Signed-off-by: Greg Thelen <gthelen@google.com>
+ Acked-by: Hugh Dickins <hughd@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/shmem.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 23 11:08:05 2013 -0500
+
+ Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+ with a family greater or equal then AF_MAX -- the array size of
+ sock_diag_handlers[]. The current code does not test for this
+ condition therefore is vulnerable to an out-of-bound access opening
+ doors for a privilege escalation.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
+ make the code less readable. Get rid of them and make the lock usage
+ and access to sock_diag_handlers[] clear on the first sight.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/core/sock_diag.c | 27 ++++++++++-----------------
+ 1 files changed, 10 insertions(+), 17 deletions(-)
+
+commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 23 10:58:52 2013 -0500
+
+ Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined
+
+ arch/arm/include/asm/domain.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 7b729586eb81f344fdedf0942fab0acc738a6725
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 22 19:02:51 2013 -0500
+
+ Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users.
+
+ kernel/fork.c | 17 +++++++++++++++++
+ 1 files changed, 17 insertions(+), 0 deletions(-)
+
+commit fadc560d0c486af88da83177735f5515e88acdcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:06:48 2013 -0500
+
+ put is_hugetlbfs_mnt inside ifdefs
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 8252176922d405484f986eb2cc350b7cd3ae586e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:02:07 2013 -0500
+
+ remove unused label
+
+ kernel/module.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit dad4a980f0b625059e215d13da728aa7fd02a374
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:00:52 2013 -0500
+
+ compile fix
+
+ fs/open.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 22:57:49 2013 -0500
+
+ remove kmalloc_array_error for the same reasons as kcalloc_error
+
+ include/linux/slab.h | 9 ---------
+ 1 files changed, 0 insertions(+), 9 deletions(-)
+
+commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 22:49:35 2013 -0500
+
+ Initial port of grsecurity for Linux 3.8
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 10 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 14 +-
+ arch/arm/include/asm/cache.h | 2 +
+ arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 27 +-
+ arch/arm/mm/mmap.c | 6 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 7 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 3 +-
+ arch/ia64/mm/hugetlbpage.c | 3 +-
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 3 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 19 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/thread_info.h | 8 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/powerpc/mm/slice.c | 8 +-
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 8 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 6 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/Kconfig.debug | 2 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 14 +-
+ arch/x86/kernel/sys_x86_64.c | 3 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 3 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 126 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ crypto/ablkcipher.c | 12 +-
+ crypto/aead.c | 9 +-
+ crypto/ahash.c | 2 +-
+ crypto/blkcipher.c | 6 +-
+ crypto/crypto_user.c | 38 +-
+ crypto/pcompress.c | 3 +-
+ crypto/rng.c | 2 +-
+ crypto/shash.c | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 5 +
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 6 +
+ fs/btrfs/inode.c | 10 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 18 +
+ fs/coredump.c | 10 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 155 +-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 5 +
+ fs/fs_struct.c | 26 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 269 ++-
+ fs/namespace.c | 24 +
+ fs/open.c | 38 +
+ fs/pipe.c | 2 +-
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 +-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 17 +
+ fs/proc/internal.h | 3 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ grsecurity/Kconfig | 1021 +++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4017 ++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 +++
+ grsecurity/gracl_ip.c | 384 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 299 ++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 357 ++
+ grsecurity/grsec_disabled.c | 434 +++
+ grsecurity/grsec_exec.c | 174 +
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 ++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 329 ++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 222 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 +++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/gracl.h | 319 ++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 +
+ include/linux/grinternal.h | 215 ++
+ include/linux/grmsg.h | 111 +
+ include/linux/grsecurity.h | 257 ++
+ include/linux/grsock.h | 19 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/printk.h | 3 +-
+ include/linux/proc_fs.h | 12 +
+ include/linux/sched.h | 66 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/vermagic.h | 9 +-
+ include/trace/events/fs.h | 53 +
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 5 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 109 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 24 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 71 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 80 +-
+ kernel/panic.c | 4 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 8 +
+ kernel/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 38 +-
+ kernel/sysctl.c | 39 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 3 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ lib/vsprintf.c | 35 +-
+ localversion-grsec | 1 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 62 +-
+ mm/mprotect.c | 8 +
+ mm/page_alloc.c | 6 +
+ mm/process_vm_access.c | 6 +
+ mm/shmem.c | 2 +-
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev.c | 9 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 7 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netfilter/xt_gradm.c | 51 +
+ net/netrom/af_netrom.c | 2 +-
+ net/phonet/af_phonet.c | 4 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 62 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 19 +
+ security/Kconfig | 320 ++-
+ security/apparmor/lsm.c | 2 +-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/yama/Kconfig | 2 +-
+ tools/gcc/Makefile | 2 +-
+ 286 files changed, 15083 insertions(+), 2067 deletions(-)
+
+commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 20 21:00:42 2013 -0500
+
+ Initial import of pax-linux-3.8-test3.patch
+
+ Documentation/dontdiff | 43 +-
+ Documentation/kernel-parameters.txt | 7 +
+ Makefile | 97 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 10 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 421 +++-
+ arch/arm/include/asm/cache.h | 3 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/delay.h | 8 +-
+ arch/arm/include/asm/domain.h | 32 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 4 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 4 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 10 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 8 +-
+ arch/arm/kernel/vmlinux.lds.S | 20 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 14 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-ux500/include/mach/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/fault.c | 78 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 36 +-
+ arch/arm/mm/mmu.c | 186 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 7 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 28 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 13 +-
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/hugetlbpage.c | 2 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 6 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/uaccess.h | 142 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 23 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 8 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 ++
+ arch/sparc/mm/fault_64.c | 486 +++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 6 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 4 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 31 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 3 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 12 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 ++-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 ++-
+ arch/x86/include/asm/bitops.h | 2 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 65 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/io.h | 13 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/page_64_types.h | 2 +-
+ arch/x86/include/asm/paravirt.h | 44 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 110 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 6 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 29 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 63 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 ++-
+ arch/x86/kernel/entry_64.S | 512 +++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head32.c | 4 +-
+ arch/x86/kernel/head_32.S | 237 ++-
+ arch/x86/kernel/head_64.S | 158 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 10 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes-opt.c | 12 +-
+ arch/x86/kernel/kprobes.c | 30 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 11 +
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/process.c | 57 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 4 +-
+ arch/x86/kernel/setup.c | 14 +-
+ arch/x86/kernel/setup_percpu.c | 27 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 247 ++
+ arch/x86/kernel/sys_x86_64.c | 19 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 47 +-
+ arch/x86/kvm/x86.c | 10 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 68 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 376 ++-
+ arch/x86/lib/usercopy_64.c | 25 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 555 +++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 92 +-
+ arch/x86/mm/init_32.c | 122 +-
+ arch/x86/mm/init_64.c | 48 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 12 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 19 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 4 +-
+ arch/x86/realmode/init.c | 8 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/relocs.c | 95 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_driver.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/devtmpfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 18 +-
+ drivers/block/loop.c | 2 +-
+ drivers/cdrom/cdrom.c | 9 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 41 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 8 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm.c | 2 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clocksource/arm_generic.c | 2 +-
+ drivers/cpufreq/cpufreq.c | 2 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_pci_sysfs.c | 20 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-cdev.c | 3 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efivars.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 4 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 4 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 6 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 9 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/devices/doc2000.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 2 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/scsi/bfa/bfa.h | 2 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/ramster/tmem.c | 54 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/udlfb.c | 32 +-
+ drivers/video/uvesafb.c | 39 +-
+ drivers/video/vesafb.c | 51 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 11 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 604 ++++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/relocation.c | 2 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 8 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/ecryptfs/read_write.c | 4 +-
+ fs/exec.c | 356 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/fhandle.c | 3 +-
+ fs/fifo.c | 22 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 2 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 33 +-
+ fs/proc/array.c | 20 +
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 36 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 ++
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 5 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/linux/atmdev.h | 2 +-
+ include/linux/binfmts.h | 1 +
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 72 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/ftrace_event.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 3 +
+ include/linux/mm.h | 91 +-
+ include/linux/mm_types.h | 22 +-
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 4 +-
+ include/linux/module.h | 55 +-
+ include/linux/moduleloader.h | 18 +-
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/perf_event.h | 10 +-
+ include/linux/pipe_fs_i.h | 6 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 64 +-
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 36 +-
+ include/linux/slab_def.h | 33 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 10 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/clnt.h | 8 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sysrq.h | 2 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 12 +-
+ include/linux/usb.h | 2 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-ioctl.h | 1 -
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/gro_cells.h | 6 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 4 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 6 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/structs.h | 4 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 4 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 24 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 22 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 40 +-
+ init/main.c | 78 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 40 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 28 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 2 +-
+ kernel/kprobes.c | 8 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 333 ++-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 7 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 20 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 6 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 72 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 18 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 2 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/softirq.c | 16 +-
+ kernel/srcu.c | 6 +-
+ kernel/stop_machine.c | 2 +-
+ kernel/sys.c | 12 +-
+ kernel/sysctl.c | 37 +-
+ kernel/sysctl_binary.c | 14 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 4 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 20 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 6 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/list_debug.c | 89 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 54 +
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 18 +-
+ mm/memory.c | 404 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 16 +-
+ mm/mmap.c | 573 +++-
+ mm/mprotect.c | 138 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 11 +-
+ mm/page-writeback.c | 2 +-
+ mm/page_alloc.c | 14 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 104 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 9 +-
+ mm/slob.c | 200 +-
+ mm/slub.c | 98 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 82 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/rtnetlink.c | 2 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 2 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 2 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv6/addrconf.c | 2 +-
+ net/ipv6/ip6_gre.c | 2 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/udp.c | 8 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 4 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 14 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 2 +-
+ net/sctp/protocol.c | 8 +-
+ net/sctp/socket.c | 2 +
+ net/socket.c | 34 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 16 +-
+ net/xfrm/xfrm_state.c | 4 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/pnmtologo.c | 6 +-
+ security/Kconfig | 654 ++++-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 43 +
+ tools/gcc/checker_plugin.c | 171 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 359 +++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 +++
+ tools/gcc/latent_entropy_plugin.c | 321 ++
+ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1311 files changed, 26668 insertions(+), 6394 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 17:50:21 2013 -0500
+
+ remove unnecessary code/comments after new reload method
+
+ grsecurity/gracl.c | 4 ----
+ grsecurity/gracl_policy.c | 13 -------------
+ 2 files changed, 0 insertions(+), 17 deletions(-)
+
+commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 16:05:01 2013 -0500
+
+ Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous
+ features have been added since then)
+
+ Introduce new atomic RBAC reload method, developed as part of sponsorship
+ by EIG
+
+ This is accompanied by an updated 3.0 gradm which will use the new reload
+ method when -R is passed to gradm. The old method will still be available
+ via gradm -r (which is what a 2.9.1 gradm will continue to use).
+
+ The new RBAC reload method is atomic in the sense that at no point in the
+ reload process will the system not be covered by a coherent full policy.
+ In contrast to previous reload behavior, it also preserves inherited subjects
+ and special roles.
+
+ The old RBAC reload method has also been made atomic. Both methods have
+ been updated to perform role_allowed_ip checks only against the IP tagged
+ to the task at the time its role was first applied or changed. This resolves
+ long-standing usability problems with the use of role_allowed_ip and matches
+ the policies created by learning.
+
+ grsecurity/Makefile | 2 +-
+ grsecurity/gracl.c | 3903 +++++++++++++------------------------------
+ grsecurity/gracl_alloc.c | 42 +-
+ grsecurity/gracl_compat.c | 3 +-
+ grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++
+ grsecurity/gracl_segv.c | 12 +-
+ grsecurity/grsec_disabled.c | 7 -
+ grsecurity/grsec_init.c | 15 -
+ include/linux/gracl.h | 43 +-
+ include/linux/grinternal.h | 1 -
+ include/linux/grsecurity.h | 1 -
+ include/linux/sched.h | 2 +
+ 12 files changed, 3082 insertions(+), 2787 deletions(-)
+
+commit d8981a4fd03025434a466fd87a0eaea93755bc70
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 24 15:08:28 2013 -0500
+
+ compile fix for recent GRKERNSEC_CHROOT_INITRD change
+
+ init/main.c | 12 +++---------
+ 1 files changed, 3 insertions(+), 9 deletions(-)
+
+commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 18:27:37 2013 -0500
+
+ Make the recent usermode_helper protection race-free as far as userland
+ is concerned by creating a copy of the path to be executed, then check against
+ that copied path instead of the still-mutable original path
+
+ include/linux/kmod.h | 3 +++
+ kernel/kmod.c | 13 +++++++++++++
+ 2 files changed, 16 insertions(+), 0 deletions(-)
+
+commit ecdd0610bef058fd33fee50b489d949c1a0db07a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 17:20:15 2013 -0500
+
+ Produce a UDEREF message when faulting on kernel access to a non-present
+ page in the userland range. This is purely for consistency of logs,
+ due to there being no domain present to fault based on. An
+ "Unable to handle kernel fault.." oops would already (and still is)
+ generated for these cases, triggering grsec's bruteforce prevention.
+
+ Reported by acez on IRC
+
+ arch/arm/mm/fault.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+commit 3f4adfade80bba0d865b5c603bd58da555ca4553
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:56:46 2013 -0500
+
+ Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option,
+ Also make sure we mark init as run if no initrd was used. Though this
+ should already be enforced in grsec_chroot.c, this should future-proof
+ the feature a bit in case userland somehow changes drastically.
+
+ Conflicts:
+
+ init/main.c
+
+ grsecurity/Kconfig | 2 +-
+ grsecurity/grsec_chroot.c | 2 +-
+ init/main.c | 15 +++++++++++++++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+commit d4a9bb63091852b5b49ebd216796b374e5c0dc71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:33:20 2013 -0500
+
+ limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected
+
+ kernel/kmod.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit e727db195f8bed17c65d050e1772643d730fe565
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 23 16:02:01 2013 -0500
+
+ perform USERCOPY kernel text checks against the linear mapping on amd64 as well
+
+ fs/exec.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb
+Merge: 2fcc3a5 2d1263b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 22 21:11:44 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1
+Merge: d52f291 e0cd057
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 22 21:11:33 2013 -0500
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+ Conflicts:
+ drivers/net/ethernet/chelsio/cxgb3/sge.c
+
+commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 22 20:31:37 2013 -0500
+
+ Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69"
+
+ This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df.
+
+ It caused errors with traceroute, reported to upstream and fixed with
+ http://patchwork.ozlabs.org/patch/293614/
+ But there's no reason for us to maintain this backport as we're
+ already impervious to recvmsg/msg_name infoleaks
+
+ Conflicts:
+
+ net/ipv4/ping.c
+
+ net/ieee802154/dgram.c | 3 ++-
+ net/ipv4/ping.c | 11 +++++++++--
+ net/ipv4/raw.c | 4 +++-
+ net/ipv4/udp.c | 7 ++++++-
+ net/ipv6/raw.c | 4 +++-
+ net/ipv6/udp.c | 5 ++++-
+ net/l2tp/l2tp_ip.c | 4 +++-
+ net/phonet/datagram.c | 9 +++++----
+ 8 files changed, 35 insertions(+), 12 deletions(-)
+
+commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 18 07:07:45 2013 +0100
+
+ Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0
+
+ ping: prevent NULL pointer dereference on write to msg_name
+
+ A plain read() on a socket does set msg->msg_name to NULL. So check for
+ NULL pointer first.
+
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ping.c | 34 +++++++++++++++++++---------------
+ 1 files changed, 19 insertions(+), 15 deletions(-)
+
+commit 8bb32f2682953e1b748a59c4a4363b237c3510df
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 18 04:20:45 2013 +0100
+
+ Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
+
+ inet: prevent leakage of uninitialized memory to user in recv syscalls
+
+ Only update *addr_len when we actually fill in sockaddr, otherwise we
+ can return uninitialized memory from the stack to the caller in the
+ recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
+ checks because we only get called with a valid addr_len pointer either
+ from sock_common_recvmsg or inet_recvmsg.
+
+ If a blocking read waits on a socket which is concurrently shut down we
+ now return zero and set msg_msgnamelen to 0.
+
+ Reported-by: mpb <mpb.mail@gmail.com>
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ieee802154/dgram.c | 3 +--
+ net/ipv4/ping.c | 19 +++++++------------
+ net/ipv4/raw.c | 4 +---
+ net/ipv4/udp.c | 7 +------
+ net/ipv6/raw.c | 4 +---
+ net/ipv6/udp.c | 5 +----
+ net/l2tp/l2tp_ip.c | 4 +---
+ net/phonet/datagram.c | 9 ++++-----
+ 8 files changed, 17 insertions(+), 38 deletions(-)
+
+commit 642d754081c130a151e7df27e5c07edf2f368106
+Author: Jeff Layton <jlayton@redhat.com>
+Date: Wed Nov 13 09:08:21 2013 -0500
+
+ Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545
+
+ nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once
+
+ Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or
+ NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again.
+ There is no guarantee that doing so will work however, so we can end up
+ retrying the call in an infinite loop.
+
+ Worse yet, we create the new client using rpc_clone_client_set_auth,
+ which creates the new client as a child of the old one. Thus, we can end
+ up with a *very* long lineage of rpc_clnts. When we go to put all of the
+ references to them, we can end up with a long call chain that can smash
+ the stack as each rpc_free_client() call can recurse back into itself.
+
+ This patch fixes this by simply ensuring that the SETCLIENTID call will
+ only be retried in this situation if the last attempt did not use
+ RPC_AUTH_UNIX.
+
+ Note too that with this change, we don't need the (i > 2) check in the
+ -EACCES case since we now have a more reliable test as to whether we
+ should reattempt.
+
+ Cc: stable@vger.kernel.org # v3.10+
+ Cc: Chuck Lever <chuck.lever@oracle.com>
+ Tested-by/Acked-by: Weston Andros Adamson <dros@netapp.com>
+ Signed-off-by: Jeff Layton <jlayton@redhat.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ fs/nfs/nfs4state.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2
+Author: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed Jul 24 12:28:28 2013 -0400
+
+ Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e
+
+ NFS: Use root's credential for lease management when keytab is missing
+
+ Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting"
+ Fri Sep 14 17:24:32 2012 introduced Uniform Client String support,
+ which forces our NFS client to establish a client ID immediately
+ during a mount operation rather than waiting until a user wants to
+ open a file.
+
+ Normally machine credentials (eg. from a keytab) are used to perform
+ a mount operation that is protected by Kerberos. Before 05fc350,
+ SETCLIENTID used a machine credential, or fell back to a regular
+ user's credential if no keytab is available.
+
+ On clients that don't have a keytab, performing SETCLIENTID early
+ means there's no user credential to fall back on, since no regular
+ user has kinit'd yet. 05f4c350 seems to have broken the ability
+ to mount with sec=krb5 on clients that don't have a keytab in
+ kernels 3.7 - 3.10.
+
+ To address this regression, commit 4edaa308 (NFS: Use "krb5i" to
+ establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013,
+ was merged in 3.10. This commit forces the NFS client to fall back
+ to AUTH_SYS for lease management operations if no keytab is
+ available.
+
+ Neil Brown noticed that, since root is required to kinit to do a
+ sec=krb5 mount when a client doesn't have a keytab, we can try to
+ use root's Kerberos credential before AUTH_SYS.
+
+ Now, when determining a principal and flavor to use for lease
+ management, the NFS client tries in this order:
+
+ 1. Flavor: AUTH_GSS, krb5i
+ Principal: service principal (via keytab)
+
+ 2. Flavor: AUTH_GSS, krb5i
+ Principal: user principal established for UID 0 (via kinit)
+
+ 3. Flavor: AUTH_SYS
+ Principal: UID 0 / GID 0
+
+ Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ fs/nfs/nfs4state.c | 19 ++++++++++++++++++-
+ 1 files changed, 18 insertions(+), 1 deletions(-)
+
+commit 6ebab64904f37af82e950b0c6d321437e810b248
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Tue Nov 12 17:24:36 2013 -0500
+
+ Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b
+
+ SUNRPC: Avoid deep recursion in rpc_release_client
+
+ In cases where an rpc client has a parent hierarchy, then
+ rpc_free_client may end up calling rpc_release_client() on the
+ parent, thus recursing back into rpc_free_client. If the hierarchy
+ is deep enough, then we can get into situations where the stack
+ simply overflows.
+
+ The fix is to have rpc_release_client() loop so that it can take
+ care of the parent rpc client hierarchy without needing to
+ recurse.
+
+ Reported-by: Jeff Layton <jlayton@redhat.com>
+ Reported-by: Weston Andros Adamson <dros@netapp.com>
+ Reported-by: Bruce Fields <bfields@fieldses.org>
+ Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 29 +++++++++++++++++------------
+ 1 files changed, 17 insertions(+), 12 deletions(-)
+
+commit fcb4306973aed105cc6d042077bf31e21b812008
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Nov 8 16:03:50 2013 -0500
+
+ Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73
+
+ SUNRPC: Fix a data corruption issue when retransmitting RPC calls
+
+ The following scenario can cause silent data corruption when doing
+ NFS writes. It has mainly been observed when doing database writes
+ using O_DIRECT.
+
+ 1) The RPC client uses sendpage() to do zero-copy of the page data.
+ 2) Due to networking issues, the reply from the server is delayed,
+ and so the RPC client times out.
+
+ 3) The client issues a second sendpage of the page data as part of
+ an RPC call retransmission.
+
+ 4) The reply to the first transmission arrives from the server
+ _before_ the client hardware has emptied the TCP socket send
+ buffer.
+ 5) After processing the reply, the RPC state machine rules that
+ the call to be done, and triggers the completion callbacks.
+ 6) The application notices the RPC call is done, and reuses the
+ pages to store something else (e.g. a new write).
+
+ 7) The client NIC drains the TCP socket send buffer. Since the
+ page data has now changed, it reads a corrupted version of the
+ initial RPC call, and puts it on the wire.
+
+ This patch fixes the problem in the following manner:
+
+ The ordering guarantees of TCP ensure that when the server sends a
+ reply, then we know that the _first_ transmission has completed. Using
+ zero-copy in that situation is therefore safe.
+ If a time out occurs, we then send the retransmission using sendmsg()
+ (i.e. no zero-copy), We then know that the socket contains a full copy of
+ the data, and so it will retransmit a faithful reproduction even if the
+ RPC call completes, and the application reuses the O_DIRECT buffer in
+ the meantime.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: stable@vger.kernel.org
+
+ net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++-------
+ 1 files changed, 21 insertions(+), 7 deletions(-)
+
+commit 2c59d4080ae744532dbe595f6923dcba72279977
+Merge: b2b99c6 d52f291
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 18 19:07:55 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d52f291621da9227cda5fd647e82dfe9bfc11265
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 18 19:07:14 2013 -0500
+
+ Update to pax-linux-3.11.8-test14.patch:
+ - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878)
+
+ mm/page_alloc.c | 2 +-
+ tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++----------
+ 2 files changed, 25 insertions(+), 11 deletions(-)
+
+commit b2b99c6972e345565d561b722de210f071e5e259
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:47:37 2013 -0500
+
+ Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e
+
+ ipv6: fix headroom calculation in udp6_ufo_fragment
+ Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
+ fragmentation for tunnel traffic.") changed the calculation if
+ there is enough space to include a fragment header in the skb from a
+ skb->mac_header dervived one to skb_headroom. Because we already peeled
+ off the skb to transport_header this is wrong. Change this back to check
+ if we have enough room before the mac_header.
+
+ This fixes a panic Saran Neti reported. He used the tbf scheduler which
+ skb_gso_segments the skb. The offsets get negative and we panic in memcpy
+ because the skb was erroneously not expanded at the head.
+
+ Reported-by: Saran Neti <Saran.Neti@telus.com>
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/udp_offload.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 012ee7647e16f464f8d1ad004e28eac2ba778158
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Nov 14 11:21:10 2013 +0300
+
+ Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
+
+ isdnloop: use strlcpy() instead of strcpy()
+
+ These strings come from a copy_from_user() and there is no way to be
+ sure they are NUL terminated.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/isdnloop/isdnloop.c | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f
+Author: Eric Dumazet <edumazet@google.com>
+Date: Thu Nov 14 13:37:54 2013 -0800
+
+ Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
+
+ ipv4: fix possible seqlock deadlock
+
+ ip4_datagram_connect() being called from process context,
+ it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
+ otherwise we can deadlock on 32bit arches, or get corruptions of
+ SNMP counters.
+
+ Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Reported-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/datagram.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1a642170613ae336331f2df38aa8f2c1227d3c96
+Merge: 60c6423 84d78c7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:28:51 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:28:07 2013 -0500
+
+ Update to pax-linux-3.11.8-test13.patch:
+ - forward port to 3.11.8
+ - removed some no longer used code from bpf jit
+ - fixed some atomic_unchecked_t usage in oprofile and uio
+ - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy
+
+ arch/x86/include/asm/mmu_context.h | 8 ++++++++
+ arch/x86/kernel/setup.c | 2 +-
+ drivers/bluetooth/btwilink.c | 2 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/message/i2o/i2o_proc.c | 16 ++++++++--------
+ drivers/mfd/max8925-i2c.c | 2 +-
+ drivers/mfd/tps65910.c | 2 +-
+ drivers/mtd/chips/cfi_cmdset_0020.c | 2 +-
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +-
+ drivers/net/wireless/airo.c | 2 +-
+ drivers/net/wireless/b43/phy_lp.c | 2 +-
+ drivers/nfc/nfcwilink.c | 2 +-
+ drivers/oprofile/oprofilefs.c | 4 ++--
+ drivers/platform/x86/msi-wmi.c | 2 +-
+ drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++-------------
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++----
+ drivers/usb/serial/console.c | 2 +-
+ include/linux/filter.h | 4 ----
+ kernel/audit.c | 2 +-
+ 20 files changed, 41 insertions(+), 45 deletions(-)
+
+commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 20:15:51 2013 -0500
+
+ GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
+
+ grsecurity/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 19:07:11 2013 -0500
+
+ Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS
+ and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps
+ make it more obvious that while we make use of domains, CPU_USE_DOMAINS is
+ disabled as far as the kernel knows
+
+ arch/arm/mm/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 14 19:01:59 2013 -0500
+
+ Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research
+ on overly-permissive shared memory found in hundreds of areas in Linux
+ distros:
+ http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+
+ Will let this sit in -test for a while to weed out any app incompatibilities
+
+ grsecurity/Kconfig | 17 +++++++++++++++++
+ grsecurity/Makefile | 2 +-
+ grsecurity/grsec_init.c | 4 ++++
+ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++
+ grsecurity/grsec_sysctl.c | 9 +++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grmsg.h | 1 +
+ ipc/util.c | 5 +++++
+ 8 files changed, 60 insertions(+), 1 deletions(-)
+
+commit 27c3b43bd5ad9c9b877016f26192dbc30da54018
+Merge: 08e883f d0a09ad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 13 22:27:13 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d0a09ad6430008135b98da6e1941e98a6110b59e
+Merge: 4e826ac 02709ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 13 22:27:03 2013 -0500
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 11 10:48:10 2013 -0500
+
+ Fix the overflowable range check just to be correct.
+ Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt
+ but I believe this to be unexploitable due to bounds checks on 'count'
+ from rw_verify_area() in fs/read_write.c
+
+ drivers/video/arcfb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 094c08532f9877a287ffac7a87b05841a56b4e5d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 22:01:33 2013 -0500
+
+ Add missing include
+
+ fs/proc/proc_sysctl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e383790f8252620f52895e202cc057c4318da3f4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 17:50:12 2013 -0500
+
+ add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS
+ option: GRKERNSEC_OLD_ARM_USERLAND
+
+ arch/arm/mm/Kconfig | 2 +-
+ grsecurity/Kconfig | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletions(-)
+
+commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 15:19:27 2013 -0500
+
+ On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr
+ was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF
+ loading). Fix this by setting a proper default on these architectures like set on the LSM-based
+ mmap_min_addr.
+
+ Thanks to acez from IRC for debugging.
+
+ mm/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 17f832897194f46c4759aa02e048ad5623a04eed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 10 13:54:25 2013 -0500
+
+ Compatibility fix for LXC:
+ Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values,
+ use a CAP_NET_ADMIN check within the user namespace of the process performing the modification
+ CAP_SYS_ADMIN is still required for any other sysctl modification, including modification
+ of sysctls of a net namespace other than our own
+
+ This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
+ networking
+
+ Thanks to ncopa from IRC for testing
+
+ fs/proc/proc_sysctl.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20
+Merge: fb281bd 4e826ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 17:27:16 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ net/l2tp/l2tp_core.c
+
+commit 4e826ac763867707352d93b7d23ed86e4c6829cf
+Merge: e309bfb 39773be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 17:26:23 2013 -0500
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+ Conflicts:
+ net/compat.c
+
+commit fb281bdee5ccb76facfe1172318a867b624011f4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 16:23:36 2013 -0500
+
+ Force on DEBUG_LIST so all users can benefit from safe linking/unlinking
+
+ Conflicts:
+
+ security/Kconfig
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 6 16:19:21 2013 -0500
+
+ change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel
+ bruteforce deterrence
+
+ Conflicts:
+
+ lib/list_debug.c
+
+ lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++-------------------
+ 1 files changed, 42 insertions(+), 23 deletions(-)
+
+commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 23:01:43 2013 +0300
+
+ Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427
+
+ Staging: sb105x: info leak in mp_get_count()
+
+ The icount.reserved[] array isn't initialized so it leaks stack
+ information to userspace.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/staging/sb105x/sb_pci_mp.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 22:06:04 2013 +0300
+
+ Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b
+
+ uml: check length in exitcode_proc_write()
+
+ We don't cap the size of buffer from the user so we could write past the
+ end of the array here. Only root can write to this file.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/um/kernel/exitcode.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 1285d10ec38f216f3c5de7ce085ce43447c78916
+Author: Jason Wang <jasowang@redhat.com>
+Date: Fri Nov 1 15:01:10 2013 +0800
+
+ Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd
+
+ net: flow_dissector: fail on evil iph->ihl
+
+ We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
+ skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
+ is evil (less than 5).
+
+ This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
+ (rps: support IPIP encapsulation).
+
+ Cc: Eric Dumazet <edumazet@google.com>
+ Cc: Petr Matousek <pmatouse@redhat.com>
+ Cc: Michael S. Tsirkin <mst@redhat.com>
+ Cc: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: Jason Wang <jasowang@redhat.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/flow_dissector.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc
+Author: Ming Lei <ming.lei@canonical.com>
+Date: Thu Oct 31 16:34:17 2013 -0700
+
+ Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75
+
+ lib/scatterlist.c: don't flush_kernel_dcache_page on slab page
+
+ Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
+ functions") introduces two sg buffer copy helpers, and calls
+ flush_kernel_dcache_page() on pages in SG list after these pages are
+ written to.
+
+ Unfortunately, the commit may introduce a potential bug:
+
+ - Before sending some SCSI commands, kmalloc() buffer may be passed to
+ block layper, so flush_kernel_dcache_page() can see a slab page
+ finally
+
+ - According to cachetlb.txt, flush_kernel_dcache_page() is only called
+ on "a user page", which surely can't be a slab page.
+
+ - ARCH's implementation of flush_kernel_dcache_page() may use page
+ mapping information to do optimization so page_mapping() will see the
+ slab page, then VM_BUG_ON() is triggered.
+
+ Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
+ and this patch fixes the bug by adding test of '!PageSlab(miter->page)'
+ before calling flush_kernel_dcache_page().
+
+ Signed-off-by: Ming Lei <ming.lei@canonical.com>
+ Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+ Tested-by: Simon Baatz <gmbnomis@gmail.com>
+ Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
+ Cc: Will Deacon <will.deacon@arm.com>
+ Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+ Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+ Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: <stable@vger.kernel.org> [3.2+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/scatterlist.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 23:01:11 2013 +0300
+
+ Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba
+
+ Staging: bcm: info leak in ioctl
+
+ The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
+ information to user space.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/staging/bcm/Bcmchar.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a2ab9d69265a08280241a2f2152e535316d02f53
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 22:11:06 2013 +0300
+
+ Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5
+
+ aacraid: missing capable() check in compat ioctl
+
+ In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
+ added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the
+ check as well.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/scsi/aacraid/linit.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 23:00:15 2013 +0300
+
+ Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054
+
+ staging: wlags49_h2: buffer overflow setting station name
+
+ We need to check the length parameter before doing the memcpy(). I've
+ actually changed it to strlcpy() as well so that it's NUL terminated.
+
+ You need CAP_NET_ADMIN to trigger these so it's not the end of the
+ world.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+commit afd645c1684265260b64ec8189cbc2703b91f6ab
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Oct 29 22:07:47 2013 +0300
+
+ Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15
+
+ staging: ozwpan: prevent overflow in oz_cdev_write()
+
+ We need to check "count" so we don't overflow the ei->data buffer.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/staging/ozwpan/ozcdev.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 4a907baeb462b7e0f50923be5a9d842aec93c97a
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue Oct 29 10:21:34 2013 -0700
+
+ Fixed a little differently than Linus...
+
+ Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
+
+ Fix a few incorrectly checked [io_]remap_pfn_range() calls
+
+ Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
+ really should use the vm_iomap_memory() helper. This trivially converts
+ two of them to the helper, and comments about why the third one really
+ needs to continue to use remap_pfn_range(), and adds the missing size
+ check.
+
+ Reported-by: Nico Golde <nico@ngolde.de>
+ Cc: stable@kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
+
+ Conflicts:
+
+ drivers/uio/uio.c
+
+ drivers/uio/uio.c | 19 +++++++++++++++++--
+ drivers/video/au1100fb.c | 26 +-------------------------
+ drivers/video/au1200fb.c | 23 +----------------------
+ 3 files changed, 19 insertions(+), 49 deletions(-)
+
+commit e68e94ddd03cf81d875b30a5e7b0e1bb4682e61f
+Merge: 0970b16 e309bfb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 27 15:17:05 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e309bfbf7b506b2294b30233f7a3299173a75cf7
+Author: Hugh Dickins <hughd@google.com>
+Date: Wed Oct 16 13:47:09 2013 -0700
+
+ Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779
+
+ mm: revert mremap pud_free anti-fix
+
+ Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail
+ calling pmd_alloc()").
+
+ The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map()
+ ensure that the pud, pmd, pt is already allocated, and seldom do they
+ need to allocate; on failure, upper levels are freed if appropriate by
+ the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an
+ unconditional pud_free() of a most-likely still-in-use pud: saved only
+ by the near-impossiblity of pmd_alloc() failing.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mremap.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit 0970b16a9df08b8cca6929b6443f67df432ac3e5
+Author: Eric Dumazet <edumazet@google.com>
+Date: Tue Oct 1 21:04:11 2013 -0700
+
+ Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693
+
+ net: do not call sock_put() on TIMEWAIT sockets
+
+ commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
+ hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
+
+ We should instead use inet_twsk_put()
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/inet_hashtables.c | 2 +-
+ net/ipv6/inet6_hashtables.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Mon Sep 30 13:29:08 2013 -0700
+
+ Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645
+
+ igb: Avoid uninitialized advertised variable in eee_set_cur
+
+ eee_get_cur assumes that the output data is already zeroed. It can
+ read-modify-write the advertised field:
+
+ if (ipcnfg & E1000_IPCNFG_EEE_100M_AN)
+ 2594 edata->advertised |= ADVERTISED_100baseT_Full;
+
+ This is ok for the normal ethtool eee_get call, which always
+ zeroes the input data before.
+
+ But eee_set_cur also calls eee_get_cur and it did not zero the input
+ field. Later on it then compares agsinst the field, which can contain partial
+ stack garbage.
+
+ Zero the input field in eee_set_cur() too.
+
+ Cc: jeffrey.t.kirsher@intel.com
+ Cc: netdev@vger.kernel.org
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 651730a8caabce37f78d8e6c84283b96e434d19f
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Oct 3 00:27:20 2013 +0300
+
+ Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8
+
+ net: heap overflow in __audit_sockaddr()
+
+ We need to cap ->msg_namelen or it leads to a buffer overflow when we
+ to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
+ exploit this bug.
+
+ The call tree is:
+ ___sys_recvmsg()
+ move_addr_to_user()
+ audit_sockaddr()
+ __audit_sockaddr()
+
+ Reported-by: Jüri Aedla <juri.aedla@gmail.com>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/compat.c
+
+ net/compat.c | 2 ++
+ net/socket.c | 24 ++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc
+Author: Salva Peiró <speiro@ai2.upv.es>
+Date: Wed Oct 16 12:46:50 2013 +0200
+
+ Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1
+
+ wanxl: fix info leak in ioctl
+
+ The wanxl_ioctl() code fails to initialize the two padding bytes of
+ struct sync_serial_settings after the ->loopback member. Add an explicit
+ memset(0) before filling the structure to avoid the info leak.
+
+ Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/wanxl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f
+Author: Geyslan G. Bem <geyslan@gmail.com>
+Date: Fri Oct 11 16:49:16 2013 -0300
+
+ Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4
+
+ ecryptfs: Fix memory leakage in keystore.c
+
+ In 'decrypt_pki_encrypted_session_key' function:
+
+ Initializes 'payload' pointer and releases it on exit.
+
+ Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: stable@vger.kernel.org # v2.6.28+
+
+ fs/ecryptfs/keystore.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 0ccb7b191245318a36bbd1f59a1846dda72cb738
+Author: Colin Ian King <colin.king@canonical.com>
+Date: Thu Oct 24 14:08:07 2013 +0000
+
+ Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e
+
+ eCryptfs: fix 32 bit corruption issue
+
+ Shifting page->index on 32 bit systems was overflowing, causing
+ data corruption of > 4GB files. Fix this by casting it first.
+
+ https://launchpad.net/bugs/1243636
+
+ Signed-off-by: Colin Ian King <colin.king@canonical.com>
+ Reported-by: Lars Duesing <lars.duesing@camelotsweb.de>
+ Cc: stable@vger.kernel.org # v3.11+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+ fs/ecryptfs/crypto.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 27 13:29:49 2013 -0400
+
+ This is a replacement patch only for stable which does fix the problems
+ handled by the following two commits in -net:
+
+ "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
+ "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
+
+ Three frames are written on a corked udp socket for which the output
+ netdevice has UFO enabled. If the first and third frame are smaller than
+ the mtu and the second one is bigger, we enqueue the second frame with
+ skb_append_datato_frags without initializing the gso fields. This leads
+ to the third frame appended regulary and thus constructing an invalid skb.
+
+ This fixes the problem by always using skb_append_datato_frags as soon
+ as the first frag got enqueued to the skb without marking the packet
+ as SKB_GSO_UDP.
+
+ The problem with only two frames for ipv6 was fixed by "ipv6: udp
+ packets following an UFO enqueued packet need also be handled by UFO"
+ (2811ebac2521ceac84f2bdae402455baa6a7fb47).
+
+ Cc: Jiri Pirko <jiri@resnulli.us>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Cc: David Miller <davem@davemloft.net>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+ include/linux/skbuff.h | 5 +++++
+ net/ipv4/ip_output.c | 2 +-
+ net/ipv6/ip6_output.c | 2 +-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+commit aead8ff29424c6a5d25eb4614be91a01f9f6af00
+Merge: 5cf8361 ddadc82
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 26 08:42:26 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 26 08:41:24 2013 -0400
+
+ - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs <timo.teras@iki.f> and Natanael Copa <ncopa@alpinelinux.org> (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e)
+ - updated config help for latent entropy to reflect recent changes
+
+ arch/x86/include/asm/uaccess_64.h | 4 ++--
+ security/Kconfig | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad
+Author: Johannes Weiner <hannes@cmpxchg.org>
+Date: Wed Oct 16 13:47:00 2013 -0700
+
+ Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc
+
+ fs: buffer: move allocation failure loop into the allocator
+
+ Buffer allocation has a very crude indefinite loop around waking the
+ flusher threads and performing global NOFS direct reclaim because it can
+ not handle allocation failures.
+
+ The most immediate problem with this is that the allocation may fail due
+ to a memory cgroup limit, where flushers + direct reclaim might not make
+ any progress towards resolving the situation at all. Because unlike the
+ global case, a memory cgroup may not have any cache at all, only
+ anonymous pages but no swap. This situation will lead to a reclaim
+ livelock with insane IO from waking the flushers and thrashing unrelated
+ filesystem cache in a tight loop.
+
+ Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
+ any looping happens in the page allocator, which knows how to
+ orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
+ allows memory cgroups to detect allocations that can't handle failure
+ and will allow them to ultimately bypass the limit if reclaim can not
+ make progress.
+
+ Reported-by: azurIt <azurit@pobox.sk>
+ Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Michal Hocko <mhocko@suse.cz>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/buffer.c | 14 ++++++++++++--
+ mm/memcontrol.c | 2 ++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+commit 799326c8683d8d70b2035b1e5ab913c159112b6b
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Oct 10 16:48:19 2013 +0200
+
+ Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06
+
+ ext[34]: fix double put in tmpfile
+
+ d_tmpfile() already swallowed the inode ref.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ext3/namei.c | 5 ++---
+ fs/ext4/namei.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3
+Author: Jan Klos <honza.klos@gmail.com>
+Date: Sun Oct 6 21:08:20 2013 +0200
+
+ Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20
+
+ cifs: Fix inability to write files >2GB to SMB2/3 shares
+
+ When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super().
+
+ The patch fixes this by checking for the correct bit according to the protocol version.
+
+ CC: Stable <stable@kernel.org>
+ Signed-off-by: Jan Klos <honza.klos@gmail.com>
+ Reviewed-by: Jeff Layton <jlayton@redhat.com>
+ Signed-off-by: Steve French <smfrench@gmail.com>
+
+ fs/cifs/cifsfs.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22
+Author: Tim Gardner <tim.gardner@canonical.com>
+Date: Sun Oct 13 13:29:03 2013 -0600
+
+ Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a
+
+ cifs: ntstatus_to_dos_map[] is not terminated
+
+ Functions that walk the ntstatus_to_dos_map[] array could
+ run off the end. For example, ntstatus_to_dos() loops
+ while ntstatus_to_dos_map[].ntstatus is not 0. Granted,
+ this is mostly theoretical, but could be used as a DOS attack
+ if the error code in the SMB header is bogus.
+
+ [Might consider adding to stable, as this patch is low risk - Steve]
+
+ Reviewed-by: Jeff Layton <jlayton@redhat.com>
+ Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+ Signed-off-by: Steve French <smfrench@gmail.com>
+
+ fs/cifs/netmisc.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit ed8c09a96fa260e1864c632e1dd91b1320876305
+Author: Eric Dumazet <edumazet@google.com>
+Date: Tue Oct 15 11:54:30 2013 -0700
+
+ Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9
+
+ tcp: must unclone packets before mangling them
+
+ TCP stack should make sure it owns skbs before mangling them.
+
+ We had various crashes using bnx2x, and it turned out gso_size
+ was cleared right before bnx2x driver was populating TC descriptor
+ of the _previous_ packet send. TCP stack can sometime retransmit
+ packets that are still in Qdisc.
+
+ Of course we could make bnx2x driver more robust (using
+ ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack.
+
+ We have identified two points where skb_unclone() was needed.
+
+ This patch adds a WARN_ON_ONCE() to warn us if we missed another
+ fix of this kind.
+
+ Kudos to Neal for finding the root cause of this bug. Its visible
+ using small MSS.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: Neal Cardwell <ncardwell@google.com>
+ Cc: Yuchung Cheng <ycheng@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp_output.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+commit e5dcf1772ca2a85952da10a21d0650507dc061d3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon Oct 14 15:28:38 2013 +0300
+
+ Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5
+
+ yam: integer underflow in yam_ioctl()
+
+ We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be
+ negative. I don't know the impact of using a negative bitrate but let's
+ prevent it.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/linux/yam.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1f5d72d633f317248bba25158c326a61394aebf2
+Merge: 7ca4328 4df1b96
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 18 19:36:17 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ ipc/shm.c
+
+commit 4df1b965687831808af2548487e0f35a2ccc5c29
+Merge: e41125e 5070441
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 18 19:35:31 2013 -0400
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/setup.c
+
+commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:35:00 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: Evgeniy Polyakov <zbr@ioremap.net>
+ Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
+ Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length
+
+ The current code tests the length of the whole netlink message to be
+ at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
+ the length of the netlink message header. Use nlmsg_len() instead to
+ fix this "off-by-NLMSG_HDRLEN" size check.
+
+ Cc: stable@vger.kernel.org # v2.6.14+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ drivers/connector/connector.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:36:25 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: linux-audit@redhat.com
+ Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
+ Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
+
+ We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
+ we miss to initialize the mask member of status_set. Fix that.
+
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: stable@vger.kernel.org # v2.6.6+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ kernel/audit.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 9557a8727fd46e68f092dec0830a982e85b231f7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 19:02:32 2013 -0400
+
+ add 2nd chunk of audit nlmsg_len() fix from minipli
+
+ kernel/audit.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:37:59 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: linux-audit@redhat.com
+ Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
+ Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
+
+ Using the nlmsg_len member of the netlink header to test if the message
+ is valid is wrong as it includes the size of the netlink header itself.
+ Thereby allowing to send short netlink messages that pass those checks.
+
+ Use nlmsg_len() instead to test for the right message length. The result
+ of nlmsg_len() is guaranteed to be non-negative as the netlink message
+ already passed the checks of nlmsg_ok().
+
+ Also switch to min_t() to please checkpatch.pl.
+
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd
+
+ kernel/audit.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 7547b29750381c776dfd47f4b1277a492d5b0f72
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:41:01 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: netfilter-devel@vger.kernel.org
+ Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
+ <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be>
+ Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
+
+ The ulog messages leak heap bytes by the means of padding bytes and
+ incompletely filled string arrays. Fix those by memset(0)'ing the
+ whole struct before filling it.
+
+ Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ Conflicts:
+
+ net/bridge/netfilter/ebt_ulog.c
+
+ net/bridge/netfilter/ebt_ulog.c | 9 +++------
+ 1 files changed, 3 insertions(+), 6 deletions(-)
+
+commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:43:01 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: netfilter-devel@vger.kernel.org
+ Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
+ <kadlec@blackhole.kfki.hu>
+ Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
+
+ The ulog messages leak heap bytes by the means of padding bytes and
+ incompletely filled string arrays. Fix those by memset(0)'ing the
+ whole struct before filling it.
+
+ Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+ Cc: Patrick McHardy <kaber@trash.net>
+ Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ Conflicts:
+
+ net/ipv4/netfilter/ipt_ULOG.c
+
+ net/ipv4/netfilter/ipt_ULOG.c | 7 +------
+ 1 files changed, 1 insertions(+), 6 deletions(-)
+
+commit 2965f6e6122325a18e69296ad3817c66ca59b7e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 16 18:49:45 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
+ Subject: [PATCH net] unix_diag: fix info leak
+
+ When filling the netlink message we miss to wipe the pad field,
+ therefore leak one byte of heap memory to userland. Fix this by
+ setting pad to 0.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/unix/diag.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc
+Author: Mathias Krause <minipli@googlemail.com>
+Date: Mon Sep 30 22:03:06 2013 +0200
+
+ Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682
+
+ proc connector: fix info leaks
+
+ Initialize event_data for all possible message types to prevent leaking
+ kernel stack contents to userland (up to 20 bytes). Also set the flags
+ member of the connector message to 0 to prevent leaking two more stack
+ bytes this way.
+
+ Cc: stable@vger.kernel.org # v2.6.15+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/connector/cn_proc.c | 18 ++++++++++++++++++
+ 1 files changed, 18 insertions(+), 0 deletions(-)
+
+commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04
+Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Wed Oct 9 15:58:29 2013 +0100
+
+ Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a
+
+ ARM: 7851/1: check for number of arguments in syscall_get/set_arguments()
+
+ In ftrace_syscall_enter(),
+ syscall_get_arguments(..., 0, n, ...)
+ if (i == 0) { <handle ORIG_r0> ...; n--;}
+ memcpy(..., n * sizeof(args[0]));
+ If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in
+ syscall_get_arguments(), none of arguments should be copied by memcpy().
+ Otherwise 'n--' can be a big positive number and unexpected amount of data
+ will be copied. Tracing system calls which take no argument, say sync(void),
+ may hit this case and eventually make the system corrupted.
+ This patch fixes the issue both in syscall_get_arguments() and
+ syscall_set_arguments().
+
+ Cc: <stable@vger.kernel.org>
+ Acked-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+ Signed-off-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ arch/arm/include/asm/syscall.h | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2
+Author: Dave Jones <davej@redhat.com>
+Date: Thu Oct 10 20:05:35 2013 -0400
+
+ Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc
+
+ ext4: fix memory leak in xattr
+
+ If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
+ potentionally return from the function without having freed these
+ allocations. If we don't do the return, we over-write the previous
+ allocation pointers, so we leak either way.
+
+ Spotted with Coverity.
+
+ [ Fixed by tytso to set is and bs to NULL after freeing these
+ pointers, in case in the retry loop we later end up triggering an
+ error causing a jump to cleanup, at which point we could have a double
+ free bug. -- Ted ]
+
+ Signed-off-by: Dave Jones <davej@fedoraproject.org>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+ Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+ Cc: stable@vger.kernel.org
+
+ fs/ext4/xattr.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 224e55268fbd4f81fca479e315c9483df591411d
+Author: Salva Peiró <speiro@ai2.upv.es>
+Date: Fri Oct 11 12:50:03 2013 +0300
+
+ Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194
+
+ farsync: fix info leak in ioctl
+
+ The fst_get_iface() code fails to initialize the two padding bytes of
+ struct sync_serial_settings after the ->loopback member. Add an explicit
+ memset(0) before filling the structure to avoid the info leak.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/farsync.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9
+Author: James Hogan <james.hogan@imgtec.com>
+Date: Mon Oct 7 12:14:26 2013 +0100
+
+ Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92
+
+ MIPS: stack protector: Fix per-task canary switch
+
+ Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
+ per task) was merged in v3.11 and introduced assembly in the MIPS resume
+ functions to update the value of the current canary in
+ __stack_chk_guard. However it used PTR_L resulting in a load of the
+ canary value, instead of PTR_LA to construct its address. The value is
+ intended to be random but is then treated as an address in the
+ subsequent LONG_S (store).
+
+ This was observed to cause a fault and panic:
+
+ CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
+ Oops[#1]:
+ ...
+ $24 : 139fea20 1e1f7cb6
+ ...
+ Call Trace:
+ [<8000cc0c>] resume+0xac/0x118
+ [<8034f2a4>] __schedule+0x5f8/0x78c
+ [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
+ [<80348eec>] rest_init+0x74/0x84
+ [<804dc990>] start_kernel+0x43c/0x454
+ Code: 3c18804b 8f184030 8cb901f8 <af190000> 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc
+
+ This can also be forced by modifying
+ arch/mips/include/asm/stackprotector.h so that the default
+ __stack_chk_guard value is more likely to be a bad (or unaligned)
+ pointer.
+
+ Fix it to use PTR_LA instead, to load the address of the canary value,
+ which the LONG_S can then use to write into it.
+
+ Reported-by: bobjones (via #mipslinux on IRC)
+ Signed-off-by: James Hogan <james.hogan@imgtec.com>
+ Cc: Ralf Baechle <ralf@linux-mips.org>
+ Cc: Gregory Fong <gregory.0xf0@gmail.com>
+ Cc: linux-mips@linux-mips.org
+ Cc: stable@vger.kernel.org
+ Patchwork: https://patchwork.linux-mips.org/patch/6026/
+ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+
+ arch/mips/kernel/octeon_switch.S | 2 +-
+ arch/mips/kernel/r2300_switch.S | 2 +-
+ arch/mips/kernel/r4k_switch.S | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c
+Author: Fan Du <fan.du@windriver.com>
+Date: Tue Sep 17 15:14:13 2013 +0800
+
+ Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda
+
+ xfrm: Guard IPsec anti replay window against replay bitmap
+
+ For legacy IPsec anti replay mechanism:
+
+ bitmap in struct xfrm_replay_state could only provide a 32 bits
+ window size limit in current design, thus user level parameter
+ sadb_sa_replay should honor this limit, otherwise misleading
+ outputs("replay=244") by setkey -D will be:
+
+ 192.168.25.2 192.168.22.2
+ esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
+ E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2
+ A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
+ seq=0x00000000 replay=244 flags=0x00000000 state=mature
+ created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
+ diff: 22(s) hard: 30(s) soft: 26(s)
+ last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
+ current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
+ allocated: 22 hard: 0 soft: 0
+ sadb_seq=1 pid=4854 refcnt=0
+ 192.168.22.2 192.168.25.2
+ esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
+ E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282
+ A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
+ seq=0x00000000 replay=244 flags=0x00000000 state=mature
+ created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
+ diff: 22(s) hard: 30(s) soft: 26(s)
+ last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
+ current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
+ allocated: 22 hard: 0 soft: 0
+ sadb_seq=0 pid=4854 refcnt=0
+
+ And also, optimizing xfrm_replay_check window checking by setting the
+ desirable x->props.replay_window with only doing the comparison once
+ for all when xfrm_state is first born.
+
+ Signed-off-by: Fan Du <fan.du@windriver.com>
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/key/af_key.c | 3 ++-
+ net/xfrm/xfrm_replay.c | 3 +--
+ net/xfrm/xfrm_user.c | 3 ++-
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541
+Author: Thomas Egerer <thomas.egerer@secunet.com>
+Date: Thu Sep 19 13:19:19 2013 +0200
+
+ Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c
+
+ xfrm: Fix aevent generation for each received packet
+
+ If asynchronous events are enabled for a particular netlink socket,
+ the notify function is called by the advance function. The notify
+ function creates and dispatches a km_event if a replay timeout occurred,
+ or at least replay_maxdiff packets have been received since the last
+ asynchronous event has been sent. The function is supposed to return if
+ neither of the two events were detected for a state, or replay_maxdiff
+ is equal to zero.
+ Replay_maxdiff is initialized in xfrm_state_construct to the value of
+ the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state
+ if the netlink attribute XFRMA_REPLAY_THRESH is set.
+ If, however, replay_maxdiff is set to zero, then all of the three notify
+ implementations perform a break from the switch statement instead of
+ checking whether a timeout occurred, and -- if not -- return. As a
+ result an asynchronous event is generated for every replay update of a
+ state that has a zero replay_maxdiff value.
+ This patch modifies the notify functions such that they immediately
+ return if replay_maxdiff has the value zero, unless a timeout occurred.
+
+ Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++----------------------
+ 1 files changed, 27 insertions(+), 24 deletions(-)
+
+commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8
+Author: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue Oct 8 10:49:45 2013 +0200
+
+ Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee
+
+ xfrm: Add refcount handling to queued policies
+
+ We need to ensure that policies can't go away as long as the hold timer
+ is armed, so take a refcont when we arm the timer and drop one if we
+ delete it.
+
+ Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
+ resolution packet queue")
+
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/xfrm/xfrm_policy.c | 24 +++++++++++++++++-------
+ 1 files changed, 17 insertions(+), 7 deletions(-)
+
+commit b4948dc963442682534b3a039664b564c764e4f8
+Author: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue Oct 8 10:49:51 2013 +0200
+
+ Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0
+
+ xfrm: check for a vaild skb in xfrm_policy_queue_process
+
+ We might dreference a NULL pointer if the hold_queue is empty,
+ so add a check to avoid this.
+
+ Bug was introduced with git commit a0073fe18 ("xfrm: Add a state
+ resolution packet queue")
+
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/xfrm/xfrm_policy.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit fad7f264b264b0b17a307aa16162cb43c7688a30
+Author: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon Oct 7 23:19:58 2013 +0200
+
+ Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89
+
+ net: vlan: fix nlmsg size calculation in vlan_get_size()
+
+ This patch fixes the calculation of the nlmsg size, by adding the missing
+ nla_total_size().
+
+ Cc: Patrick McHardy <kaber@trash.net>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/8021q/vlan_netlink.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd
+Author: François Cachereul <f.cachereul@alphalink.fr>
+Date: Wed Oct 2 10:16:02 2013 +0200
+
+ Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c
+
+ l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses
+
+ IPv4 mapped addresses cause kernel panic.
+ The patch juste check whether the IPv6 address is an IPv4 mapped
+ address. If so, use IPv4 API instead of IPv6.
+
+ [ 940.026915] general protection fault: 0000 [#1]
+ [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse
+ [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1
+ [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+ [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000
+ [ 940.026915] RIP: 0010:[<ffffffff81333780>] [<ffffffff81333780>] ip6_xmit+0x276/0x326
+ [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286
+ [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000
+ [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40
+ [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90
+ [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0
+ [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580
+ [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000
+ [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0
+ [ 940.026915] Stack:
+ [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020
+ [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800
+ [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020
+ [ 940.026915] Call Trace:
+ [ 940.026915] [<ffffffff81356cc3>] ? inet6_csk_xmit+0xa4/0xc4
+ [ 940.026915] [<ffffffffa0038535>] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core]
+ [ 940.026915] [<ffffffff812b8d3b>] ? pskb_expand_head+0x161/0x214
+ [ 940.026915] [<ffffffffa003e91d>] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp]
+ [ 940.026915] [<ffffffffa00292e0>] ? ppp_channel_push+0x36/0x8b [ppp_generic]
+ [ 940.026915] [<ffffffffa00293fe>] ? ppp_write+0xaf/0xc5 [ppp_generic]
+ [ 940.026915] [<ffffffff8110ead4>] ? vfs_write+0xa2/0x106
+ [ 940.026915] [<ffffffff8110edd6>] ? SyS_write+0x56/0x8a
+ [ 940.026915] [<ffffffff81378ac0>] ? system_call_fastpath+0x16/0x1b
+ [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49
+ 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02
+ 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51
+ [ 940.026915] RIP [<ffffffff81333780>] ip6_xmit+0x276/0x326
+ [ 940.026915] RSP <ffff88000737fd28>
+ [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]---
+ [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt
+
+ Signed-off-by: François CACHEREUL <f.cachereul@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++----
+ net/l2tp/l2tp_core.h | 3 +++
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+
+commit 2db6fe58460d400bc8b995fa2328be03e27e55e1
+Merge: 28f9622 e41125e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 15 10:00:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/kernel/ds.c
+ net/sysctl_net.c
+
+commit e41125e4742f332cd8cd8cf0c00cb189dba0e037
+Merge: 740e5ec a145cb9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 15 09:58:29 2013 -0400
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+commit 28f9622091224541efadf3ae006f0e5651c7fa45
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 1 22:48:34 2013 -0400
+
+ Fix this strlcpy crap properly
+
+ arch/sparc/kernel/ds.c | 7 +++----
+ 1 files changed, 3 insertions(+), 4 deletions(-)
+
+commit 837193210e4125fe4e9e554b28d7bc33985f3554
+Author: David S. Miller <davem@davemloft.net>
+Date: Fri Sep 27 13:46:04 2013 -0700
+
+ Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355
+
+ sparc64: Fix buggy strlcpy() conversion in ldom_reboot().
+
+ Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using
+ strlcpy() instead of strcpy()") added a bug to ldom_reboot in
+ arch/sparc/kernel/ds.c
+
+ - strcpy(full_boot_str + strlen("boot "), boot_command);
+ + strlcpy(full_boot_str + strlen("boot "), boot_command,
+ + sizeof(full_boot_str + strlen("boot ")));
+
+ That last sizeof() expression evaluates to sizeof(size_t) which is
+ not what was intended.
+
+ Also even the corrected:
+
+ sizeof(full_boot_str) + strlen("boot ")
+
+ is not right as the destination buffer length is just plain
+ "sizeof(full_boot_str)" and that's what the final argument
+ should be.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/kernel/ds.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Sun Sep 29 05:40:50 2013 +0200
+
+ Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae
+
+ ipv6: gre: correct calculation of max_headroom
+
+ gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header,
+ so initialize max_headroom to zero. Otherwise the
+
+ if (encap_limit >= 0) {
+ max_headroom += 8;
+ mtu -= 8;
+ }
+
+ increments an uninitialized variable before max_headroom was reset.
+
+ Found with coverity: 728539
+
+ Cc: Dmitry Kozlov <xeb@mail.ru>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/ipv6/ip6_gre.c
+
+ net/ipv6/ip6_gre.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 0d68ac550952d0eaf60851497ceee68dbba24516
+Merge: 64257ad 740e5ec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 1 18:11:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/hid/hid-core.c
+ drivers/hid/hid-lg2ff.c
+ drivers/hid/hid-lg3ff.c
+ drivers/hid/hid-lg4ff.c
+ drivers/hid/hid-lgff.c
+ drivers/hid/hid-logitech-dj.c
+ drivers/hid/hid-steelseries.c
+ drivers/hid/hid-zpff.c
+ include/linux/hid.h
+
+commit 740e5ec087969afd43ae0b552b4e05914437ed32
+Merge: c38c6b0 db20388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 1 17:40:46 2013 -0400
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+commit 64257ad95c51285d415f93ebdd486fae6bb9415d
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Sat Sep 21 06:27:00 2013 +0200
+
+ Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47
+
+ ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
+
+ In the following scenario the socket is corked:
+ If the first UDP packet is larger then the mtu we try to append it to the
+ write queue via ip6_ufo_append_data. A following packet, which is smaller
+ than the mtu would be appended to the already queued up gso-skb via
+ plain ip6_append_data. This causes random memory corruptions.
+
+ In ip6_ufo_append_data we also have to be careful to not queue up the
+ same skb multiple times. So setup the gso frame only when no first skb
+ is available.
+
+ This also fixes a shortcoming where we add the current packet's length to
+ cork->length but return early because of a packet > mtu with dontfrag set
+ (instead of sutracting it again).
+
+ Found with trinity.
+
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 53 ++++++++++++++++++++----------------------------
+ 1 files changed, 22 insertions(+), 31 deletions(-)
+
+commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Sep 24 15:27:45 2013 -0700
+
+ Just a whitespace fix to sync with upstream as we already applied this fix
+ via Vasiliy Kulikov in 2010. It fell through the cracks upstream
+
+ cciss: fix info leak in cciss_ioctl32_passthru()
+
+ The arg64 struct has a hole after ->buf_size which isn't cleared. Or if
+ any of the calls to copy_from_user() fail then that would cause an
+ information leak as well.
+
+ This was assigned CVE-2013-2147.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Mike Miller <mike.miller@hp.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ drivers/block/cciss.c
+
+ drivers/block/cciss.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e
+Author: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Date: Tue Sep 24 18:29:11 2013 -0700
+
+ Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b
+
+ mm: Place preemption point in do_mlockall() loop
+
+ There is a loop in do_mlockall() that lacks a preemption point, which
+ means that the following can happen on non-preemptible builds of the
+ kernel. Dave Jones reports:
+
+ "My fuzz tester keeps hitting this. Every instance shows the non-irq
+ stack came in from mlockall. I'm only seeing this on one box, but
+ that has more ram (8gb) than my other machines, which might explain
+ it.
+
+ INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0)
+ sending NMI to all CPUs:
+ NMI backtrace for cpu 3
+ CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32
+ Call Trace:
+ lru_add_drain_all+0x15/0x20
+ SyS_mlockall+0xa5/0x1a0
+ tracesys+0xdd/0xe2"
+
+ This commit addresses this problem by inserting the required preemption
+ point.
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
+ Cc: Michel Lespinasse <walken@google.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mlock.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Sep 27 21:06:17 2013 -0400
+
+ Don't log attempts to create a socket with a family that the kernel doesn't
+ support
+ Further, if the kernel doesn't support the socket family, instead of returning
+ -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6
+ sockets in RBAC policy despite a kernel that doesn't support ipv6
+ observed during a Debian userland update necessitating a policy change
+
+ grsecurity/gracl_ip.c | 7 +++----
+ net/socket.c | 26 +++++++++++++++-----------
+ 2 files changed, 18 insertions(+), 15 deletions(-)
+
+commit 55f1e409275973513a3314fe5bfa76a4781c0db7
+Merge: 2eac654 c38c6b0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Sep 27 20:35:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/hid/hid-picolcd_core.c
+
+commit c38c6b0bbbe53bd528aeeb4a059764abc028c276
+Merge: 115bf6a a3308b5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Sep 27 20:34:15 2013 -0400
+
+ Merge branch 'linux-3.11.y' into pax-test
+
+ Conflicts:
+ arch/x86/ia32/ia32_signal.c
+ arch/x86/include/asm/checksum_32.h
+ arch/x86/include/asm/mmu_context.h
+ arch/x86/kernel/signal.c
+ arch/x86/lib/csum-wrappers_64.c
+ include/linux/compat.h
+
+commit 2eac65435fdffca548a56e5187840908438fc95c
+Merge: ba0ebde 115bf6a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 26 20:00:00 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 115bf6af0083ea28c751d551a39cfdba1798e9dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 26 19:59:14 2013 -0400
+
+ Update to pax-linux-3.11.1-test10.patch:
+ - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine
+ - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard
+ - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040)
+ - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released)
+ - beefed up latent entropy extraction
+ - latent_entropy itself will be initialized to a compile-time random value (instead of 0)
+ - entropy will be collected from various irq and softirq handlers
+
+ arch/arm/kernel/module.c | 2 ++
+ arch/arm/kernel/vmlinux.lds.S | 2 +-
+ block/blk-iopoll.c | 2 +-
+ block/blk-softirq.c | 2 +-
+ fs/binfmt_elf.c | 8 +++++---
+ include/linux/genhd.h | 2 +-
+ include/linux/random.h | 4 ++--
+ kernel/hrtimer.c | 2 +-
+ kernel/rcutiny.c | 2 +-
+ kernel/rcutree.c | 2 +-
+ kernel/sched/fair.c | 2 +-
+ kernel/softirq.c | 4 ++--
+ kernel/timer.c | 2 +-
+ lib/percpu-refcount.c | 2 +-
+ net/core/dev.c | 4 ++--
+ tools/gcc/latent_entropy_plugin.c | 2 +-
+ 16 files changed, 24 insertions(+), 20 deletions(-)
+
+commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 22 18:14:07 2013 -0400
+
+ Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
+
+ This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf.
+
+ net/netlink/genetlink.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35
+Merge: f1e4228 90db383
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Sep 18 17:34:37 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 90db383fd7d650172d52229b0116ad7604c9bec1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Sep 18 17:32:42 2013 -0400
+
+ Update to pax-linux-3.11.1-test9.patch:
+ - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer
+ - better implementation of __read_only for modules
+ - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard
+
+ arch/arm/kernel/entry-common.S | 12 ++++++------
+ arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++--
+ arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++-
+ arch/x86/include/asm/cache.h | 4 ----
+ drivers/bus/arm-cci.c | 2 +-
+ drivers/clk/socfpga/clk.c | 2 +-
+ drivers/mmc/host/mmci.c | 4 +++-
+ drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +-
+ include/linux/cache.h | 4 ++++
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ scripts/module-common.lds | 4 ++++
+ 12 files changed, 49 insertions(+), 19 deletions(-)
+
+commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Sep 18 17:32:25 2013 -0400
+
+ Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error"
+
+ This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f.
+
+ net/sctp/protocol.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f1e42285e17479067b6cbcffc43916720e6dedd3
+Merge: 456ca17 5e30989
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 21:42:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5e30989102e2d0df166ab6ff915b90f675f8786f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 21:41:44 2013 -0400
+
+ mark sctp_af_inet forward declaration as __read_only to fix compile error
+
+ net/sctp/protocol.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 456ca176141f10355c1569b29225c9ce4b7db18e
+Merge: b406eac 5df8f36
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 20:02:05 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 20:01:38 2013 -0400
+
+ Update to pax-linux-3.11.1-test7.patch:
+ - fixed arm compile error, reported by Arnaud Ebalard
+ - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743)
+ - fixed od_ops constification, fixes cpufreq ondemand on AMD
+ - latent entropy will now be gathered from module init code as well (i.e., at module load/init time)
+ - __read_only will now be enforced in modules as well
+ - removed unneccessary __read_only from ntfs
+
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/x86/include/asm/cache.h | 4 ++++
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 2 +-
+ fs/ntfs/file.c | 4 ++--
+ include/linux/init.h | 5 -----
+ include/net/xfrm.h | 5 ++++-
+ init/main.c | 9 +++------
+ mm/page_alloc.c | 1 +
+ net/ipv4/xfrm4_policy.c | 4 ++--
+ net/ipv6/xfrm6_policy.c | 4 ++--
+ net/xfrm/xfrm_policy.c | 11 ++---------
+ 12 files changed, 23 insertions(+), 30 deletions(-)
+
+commit b406eac579bb3a5faa1c9d73b8af5530f942009a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Sep 16 12:53:22 2013 -0400
+
+ Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce
+
+ author Steffen Klassert <steffen.klassert@secunet.com> 2013-09-09 07:39:01 (GMT)
+ committer Steffen Klassert <steffen.klassert@secunet.com> 2013-09-16 07:39:37 (GMT)
+
+ xfrm: Fix replay size checking on async events
+ We pass the wrong netlink attribute to xfrm_replay_verify_len().
+ It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
+ we currently doing. This causes memory corruptions if the
+ replay esn attribute has incorrect length. Fix this by passing
+ the right attribute to xfrm_replay_verify_len().
+
+ Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
+ Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+ net/xfrm/xfrm_user.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9
+Merge: 84843a3 0a0ced6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 11:24:30 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/wireless/ath/ath10k/core.c
+ drivers/net/wireless/ath/ath10k/htc.c
+
+commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 11:21:43 2013 -0400
+
+ Update to pax-linux-3.11.1-test6.patch:
+ - forward port to 3.11.1
+ - fixed some CONSTIFY fallout, reported by spender
+ - fixed INVPCID on i386, reported by spender
+ - simplified/consolidated the recent security_ops change
+
+ arch/x86/include/asm/mmu_context.h | 4 ++--
+ arch/x86/include/asm/tlbflush.h | 6 +++---
+ arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
+ drivers/net/wireless/ath/ath10k/core.c | 6 +++---
+ drivers/net/wireless/ath/ath10k/htc.c | 7 ++++---
+ include/linux/security.h | 2 --
+ security/security.c | 3 ---
+ security/selinux/hooks.c | 5 +++--
+ 8 files changed, 16 insertions(+), 19 deletions(-)
+
+commit 84843a394cde0578be728cb5fd34da9859dcf110
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 09:19:21 2013 -0400
+
+ remove unnecessary check from when protocol was signed
+
+ net/phonet/af_phonet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit cc7c916cac4c2eb0ec243690627e2b6a13234fef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 15 08:53:27 2013 -0400
+
+ resync with PaX
+
+ security/selinux/hooks.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit fdeadf7ba061242685e07a2504c6be99161f292c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 23:04:53 2013 -0400
+
+ Fix constification of ath10k_hif_cb struct located on stack
+
+ drivers/net/wireless/ath/ath10k/hif.h | 1 +
+ drivers/net/wireless/ath/ath10k/htc.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 73c6875760e610cb636f86566a1be7a744d89b82
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 22:41:06 2013 -0400
+
+ use a no_const typedef for ath10k_htc_ops, which is located on the stack
+
+ drivers/net/wireless/ath/ath10k/core.c | 6 +++---
+ drivers/net/wireless/ath/ath10k/htc.h | 1 +
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+commit bffb0279b95b717c739365a5a25ca0391e7479b1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 22:13:46 2013 -0400
+
+ fix compilation error under constify
+
+ drivers/net/wireless/ath/ath10k/core.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 1044c726fd98de89a711c6655f811600d4051e46
+Merge: ffc8003 e39d12a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:57:25 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e39d12a3b877293ba677bf7642c8887144ae1576
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:56:56 2013 -0400
+
+ Update to pax-linux-3.11-test5.patch:
+ - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd)
+ - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin
+
+ mm/mremap.c | 5 ++++-
+ tools/gcc/kernexec_plugin.c | 4 ++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:48:03 2013 -0400
+
+ fix compile error introduced by pipacs
+
+ security/selinux/hooks.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 874e80f445b1325df45f04cc317f67587e241218
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 21:12:45 2013 -0400
+
+ Fix invalid dependency causing warning:
+ warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN)
+
+ lib/Kconfig.debug | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 19:53:56 2013 -0400
+
+ change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs
+
+ arch/x86/include/asm/tlbflush.h | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Sat Sep 7 16:44:59 2013 +0200
+
+ Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95
+
+ net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE
+
+ If we do not add braces around ...
+
+ mask |= POLLERR |
+ sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0;
+
+ ... then this condition always evaluates to true as POLLERR is
+ defined as 8 and binary or'd with whatever result comes out of
+ sock_flag(). Hence instead of (X | Y) ? A : B, transform it into
+ X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix
+ smatch warnings inside datagram_poll") forgot about SCTP. :-(
+
+ Introduced by 7d4c04fc170 ("net: add option to enable error queue
+ packets waking select").
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Jacob Keller <jacob.e.keller@intel.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986
+Author: Jason Wang <jasowang@redhat.com>
+Date: Wed Sep 11 18:09:48 2013 +0800
+
+ Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0
+
+ tuntap: correctly handle error in tun_set_iff()
+
+ Commit c8d68e6be1c3b242f1c598595830890b65cea64a
+ (tuntap: multiqueue support) only call free_netdev() on error in
+ tun_set_iff(). This causes several issues:
+
+ - memory of tun security were leaked
+ - use after free since the flow gc timer was not deleted and the tfile
+ were not detached
+
+ This patch solves the above issues.
+
+ Reported-by: Wannes Rombouts <wannes.rombouts@epitech.eu>
+ Cc: Michael S. Tsirkin <mst@redhat.com>
+ Signed-off-by: Jason Wang <jasowang@redhat.com>
+ Acked-by: Michael S. Tsirkin <mst@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+commit b504140d8590bd67ed481ea84824a9846dde2d74
+Author: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sun Sep 8 14:33:50 2013 +1000
+
+ Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
+
+ crypto: api - Fix race condition in larval lookup
+
+ crypto_larval_lookup should only return a larval if it created one.
+ Any larval created by another entity must be processed through
+ crypto_larval_wait before being returned.
+
+ Otherwise this will lead to a larval being killed twice, which
+ will most likely lead to a crash.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Kees Cook <keescook@chromium.org>
+ Tested-by: Kees Cook <keescook@chromium.org>
+ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+ crypto/api.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit f4212fa9ec1c34c59fabc43904e16112b776b6b2
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed Sep 11 16:58:36 2013 +0200
+
+ Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7
+
+ net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit
+
+ Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
+ being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
+ does not seem to have the desired effect:
+
+ SCTP + IPv4:
+
+ 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
+ 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
+ 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
+ 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):
+
+ SCTP + IPv6:
+
+ 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
+ fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
+ 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]
+
+ Moreover, Alan says:
+
+ This problem was seen with both Racoon and Racoon2. Other people have seen
+ this with OpenSwan. When IPsec is configured to encrypt all upper layer
+ protocols the SCTP connection does not initialize. After using Wireshark to
+ follow packets, this is because the SCTP packet leaves Box A unencrypted and
+ Box B believes all upper layer protocols are to be encrypted so it drops
+ this packet, causing the SCTP connection to fail to initialize. When IPsec
+ is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
+
+ In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext"
+ string on the other end, results in cleartext on the wire where SCTP eventually
+ does not report any errors, thus in the latter case that Alan reports, the
+ non-paranoid user might think he's communicating over an encrypted transport on
+ SCTP although he's not (tcpdump ... -X):
+
+ ...
+ 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l....
+ 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext...
+
+ Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the
+ receiver side. Initial follow-up analysis from Alan's bug report was done by
+ Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
+
+ SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit().
+ This has the implication that it probably never really got updated along with
+ changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.
+
+ SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since
+ a call to inet6_csk_xmit() would solve this problem, but result in unecessary
+ route lookups, let us just use the cached flowi6 instead that we got through
+ sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(),
+ we do the route lookup / flow caching in sctp_transport_route(), hold it in
+ tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in
+ sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect
+ of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst()
+ instead to get the correct source routed dst entry, which we assign to the skb.
+
+ Also source address routing example from 625034113 ("sctp: fix sctp to work with
+ ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095
+ it is actually 'recommended' to not use that anyway due to traffic amplification [1].
+ So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if
+ we overwrite the flow destination here, the lower IPv6 layer will be unable to
+ put the correct destination address into IP header, as routing header is added in
+ ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside,
+ result of this patch is that we do not have any XfrmInTmplMismatch increase plus on
+ the wire with this patch it now looks like:
+
+ SCTP + IPv6:
+
+ 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba:
+ AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
+ 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a:
+ AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296
+
+ This fixes Kernel Bugzilla 24412. This security issue seems to be present since
+ 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have
+ its fun with that. lksctp-tools IPv6 regression test suite passes as well with
+ this patch.
+
+ [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
+
+ Reported-by: Alan Chester <alan.chester@tekelec.com>
+ Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/ipv6.c | 42 +++++++++++++-----------------------------
+ 1 files changed, 13 insertions(+), 29 deletions(-)
+
+commit 726915e42b1a23b88cd420029003d82208a30006
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Sep 13 14:52:04 2013 -0700
+
+ Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7
+
+ isdn: clean up debug format string usage
+
+ Avoid unneeded local string buffers for constructing debug output. Also
+ cleans up debug calls that contain a single parameter so that they cannot
+ be accidentally parsed as format strings.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Karsten Keil <isdn@linux-pingi.de>
+ Cc: David Miller <davem@davemloft.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/hisax/amd7930_fn.c | 4 +-
+ drivers/isdn/hisax/avm_pci.c | 4 +-
+ drivers/isdn/hisax/config.c | 2 +-
+ drivers/isdn/hisax/diva.c | 4 +-
+ drivers/isdn/hisax/elsa.c | 2 +-
+ drivers/isdn/hisax/elsa_ser.c | 2 +-
+ drivers/isdn/hisax/hfc_pci.c | 2 +-
+ drivers/isdn/hisax/hfc_sx.c | 2 +-
+ drivers/isdn/hisax/hscx_irq.c | 4 +-
+ drivers/isdn/hisax/icc.c | 4 +-
+ drivers/isdn/hisax/ipacx.c | 8 +++---
+ drivers/isdn/hisax/isac.c | 4 +-
+ drivers/isdn/hisax/isar.c | 6 ++--
+ drivers/isdn/hisax/jade.c | 18 ++++----------
+ drivers/isdn/hisax/jade_irq.c | 4 +-
+ drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++-------------------------
+ drivers/isdn/hisax/netjet.c | 2 +-
+ drivers/isdn/hisax/q931.c | 6 ++--
+ drivers/isdn/hisax/w6692.c | 8 +++---
+ 19 files changed, 57 insertions(+), 79 deletions(-)
+
+commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 19:16:48 2013 -0400
+
+ Fix a bad git merge, re-applied a previously reverted patch
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 5dea4b212b0405d6bcbea57516d77b21035d1178
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:56:37 2013 -0400
+
+ finish porting namei.c
+
+ fs/namei.c | 50 +++++++++++---------------------------------------
+ 1 files changed, 11 insertions(+), 39 deletions(-)
+
+commit a7d5c5e2d0fd4831df19247e41c73c362809b00f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:44:08 2013 -0400
+
+ cred->user -> current_user()
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit be3db5fa6532557384fb66d2d9297d77666912cf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:36:24 2013 -0400
+
+ Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit ce9afc12137b65991bfc7cce70e28d86bbb76956
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Tue Sep 3 19:29:12 2013 +0200
+
+ Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
+
+ net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
+
+ In tcp_v6_do_rcv() code, when processing pkt options, we soley work
+ on our skb clone opt_skb that we've created earlier before entering
+ tcp_rcv_established() on our way. However, only in condition ...
+
+ if (np->rxopt.bits.rxtclass)
+ np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
+
+ ... we work on skb itself. As we extract every other information out
+ of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
+ already be released by tcp_rcv_established() earlier on. When we try
+ to access it in ipv6_hdr(), we will dereference freed skb.
+
+ [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
+ IP_PKTOPTIONS") ]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jiri Benc <jbenc@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 84aa149aa0f178516f5784d028522d60d35696c9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:36:23 2013 -0400
+
+ fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1145b56059535549be226da9891b56ab2d902b2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:17:02 2013 -0400
+
+ Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc)
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_sysctl.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 18:41:49 2013 -0400
+
+ Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts
+
+ Also eliminate reset_security_ops() as a ROP target when
+ SECURITY_SELINUX_DISABLE is disabled as it's the only user
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Kconfig | 17 ++++++++++++++++-
+ grsecurity/grsec_init.c | 3 +++
+ grsecurity/grsec_sysctl.c | 2 +-
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 17:11:11 2013 -0400
+
+ fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_sysctl.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit 74dc00678ec84a254617b500a2880974dac95220
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:42:39 2013 -0400
+
+ add export of gr_handle_new_usb()
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_usb.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 19:24:47 2013 -0400
+
+ Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/usb/core/hub.c | 5 +++++
+ grsecurity/Kconfig | 20 ++++++++++++++++++++
+ grsecurity/Makefile | 3 ++-
+ grsecurity/grsec_init.c | 1 +
+ grsecurity/grsec_sysctl.c | 11 +++++++++++
+ grsecurity/grsec_usb.c | 13 +++++++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grsecurity.h | 2 ++
+ 8 files changed, 55 insertions(+), 1 deletions(-)
+
+commit 889852764d245f44e416da4eb203fda0bd327584
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:35:07 2013 -0700
+
+ HID: zeroplus: validate output report details
+
+ The zeroplus HID driver was not checking the size of allocated values
+ in fields it used. A HID device could send a malicious output report
+ that would cause the driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+ ...
+ [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2889
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-zpff.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit f30e932a87f25b53779d1f92b49923f8a2dc9834
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 14:36:15 2013 -0700
+
+ HID: provide a helper for validating hid reports
+
+ Many drivers need to validate the characteristics of their HID report
+ during initialization to avoid misusing the reports. This adds a common
+ helper to perform validation of the report, its field count, and the
+ value count within the fields.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/hid.h | 4 +++
+ 2 files changed, 54 insertions(+), 0 deletions(-)
+
+commit f9eac59133855befee23d0c899e0d0e6ebcd3d44
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:14:34 2013 -0700
+
+ HID: steelseries: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ steelseries HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+ ...
+ [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2891
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-steelseries.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 9f5ae466957014bc300929374ebb7afdd9d116d6
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 08:49:21 2013 -0700
+
+ HID: pantherlord: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ pantherlord HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+ ...
+ [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2892
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit b643b8f8af23488d92f16a817bf16c162d612ce1
+Author: Kees Cook <keescook@chromium.org>
+Date: Tue Aug 13 16:49:01 2013 -0700
+
+ HID: LG: validate HID output report details
+
+ A HID device could send a malicious output report that would cause the
+ lg, lg3, and lg4 HID drivers to write beyond the output report allocation
+ during an event, causing a heap overflow:
+
+ [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
+ ...
+ [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
+
+ Additionally, while lg2 did correctly validate the report details, it was
+ cleaned up and shortened.
+
+ CVE-2013-2893
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-lg2ff.c | 19 +++----------------
+ drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
+ drivers/hid/hid-lg4ff.c | 20 +-------------------
+ drivers/hid/hid-lgff.c | 17 ++---------------
+ 4 files changed, 12 insertions(+), 73 deletions(-)
+
+commit 975723a41239b1befae172e88082ff4422753508
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:21:23 2013 -0700
+
+ HID: lenovo-tpkbd: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ lenovo-tpkbd HID driver to write just beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+ ...
+ [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2894
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:45:03 2013 -0700
+
+ HID: logitech-dj: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ logitech-dj HID driver to leak kernel memory contents to the device, or
+ trigger a NULL dereference during initialization:
+
+ [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+ ...
+ [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+ [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+ CVE-2013-2895
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit 05c3db7daee82d79c628c15b304f8621159e14f3
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:18:15 2013 -0700
+
+ HID: ntrig: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ ntrig HID driver to trigger a NULL dereference during initialization:
+
+ [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+ ...
+ [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+ [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+ CVE-2013-2896
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit a79f25f59fdd0abaf4ecfab93017aa49de089498
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:11:32 2013 -0700
+
+ HID: multitouch: validate feature report details
+
+ When working on report indexes, always validate that they are in bounds.
+ Without this, a HID device could report a malicious feature report that
+ could trick the driver into a heap overflow:
+
+ [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+ ...
+ [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2897
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
+ 1 files changed, 20 insertions(+), 5 deletions(-)
+
+commit 6fe8eb06e432f165872d3486fdce0d09de1515b3
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:12:45 2013 -0700
+
+ HID: sensor-hub: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ sensor-hub HID driver to read past the end of heap allocation, leaking
+ kernel memory contents to the caller.
+
+ CVE-2013-2898
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:05:10 2013 -0700
+
+ HID: picolcd_core: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+ CVE-2013-2899
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c147e32922dd91edf1969b8a6eb333aafb4abb79
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:09:54 2013 -0700
+
+ HID: check for NULL field when setting values
+
+ Defensively check that the field to be worked on is not NULL.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 28 18:09:18 2013 -0400
+
+ http://marc.info/?l=linux-input&m=137772180514608&q=raw
+
+ The "Report ID" field of a HID report is used to build indexes of
+ reports. The kernel's index of these is limited to 256 entries, so any
+ malicious device that sets a Report ID greater than 255 will trigger
+ memory corruption on the host:
+
+ [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+ [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+ CVE-2013-2888
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 19 22:10:04 2013 -0400
+
+ fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/kernel/smpboot.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 12:00:20 2013 -0400
+
+ make kallsyms_lookup_size_offset available to approved source files
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit abde07f6c047c0331f511318cb49a36d49218dfc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:18:09 2013 -0400
+
+ allow use of kallsyms_lookup_name to approved source files
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Aug 13 09:04:05 2013 +0200
+
+ Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
+
+ genetlink: fix family dump race
+
+ When dumping generic netlink families, only the first dump call
+ is locked with genl_lock(), which protects the list of families,
+ and thus subsequent calls can access the data without locking,
+ racing against family addition/removal. This can cause a crash.
+ Fix it - the locking needs to be conditional because the first
+ time around it's already locked.
+
+ A similar bug was reported to me on an old kernel (3.4.47) but
+ the exact scenario that happened there is no longer possible,
+ on those kernels the first round wasn't locked either. Looking
+ at the current code I found the race described above, which had
+ also existed on the old kernel.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ net/netlink/genetlink.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 08:58:34 2013 -0400
+
+ Fix two harmless compiler warnings
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/kernel/process.c | 4 ++--
+ fs/exec.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit d502375416b17270008ebdf11f1c3be7837f7c50
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:46:01 2013 -0400
+
+ Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/kallsyms.h | 2 +-
+ kernel/kprobes.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletions(-)
+
+commit f6c363aba68cccff2815a488a7e9ed68990100d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 10 09:41:40 2013 -0400
+
+ propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:58:42 2013 -0400
+
+ Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:26:40 2013 -0400
+
+ Move user namespace capability check to shared create_user_ns code so we cover unshare() as well.
+
+ Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
+ user namespaces!
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ kernel/fork.c | 17 -----------------
+ kernel/user_namespace.c | 15 +++++++++++++++
+ 2 files changed, 15 insertions(+), 17 deletions(-)
+
+commit 5c0737b045d057152a39154746d8c8e5d59185ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 16:05:41 2013 -0400
+
+ silence a warning on older gcc
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 3 08:31:08 2013 -0400
+
+ we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:54:51 2013 -0400
+
+ add include
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/grsec_log.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:49:13 2013 -0400
+
+ fix compilation
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/grinternal.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit d4d49138661d5cb646f0dd012178447380b79956
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:34:35 2013 -0400
+
+ Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
+ fs/exec.c | 4 ++++
+ grsecurity/Kconfig | 21 +++++----------------
+ grsecurity/grsec_init.c | 4 ----
+ grsecurity/grsec_log.c | 14 ++++++++++++++
+ grsecurity/grsec_pax.c | 19 ++++++++++++++-----
+ grsecurity/grsec_sysctl.c | 9 ---------
+ include/linux/binfmts.h | 1 +
+ include/linux/grinternal.h | 2 +-
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 3 ++-
+ mm/mmap.c | 7 +++++++
+ mm/mprotect.c | 2 +-
+ 13 files changed, 88 insertions(+), 38 deletions(-)
+
+commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:52:02 2013 -0400
+
+ add missing #define
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 4a307f7d3ff3ab232c0b6341415088e7618c494e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:43:53 2013 -0400
+
+ fix compilation for !COMPAT as reported on the forums
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
+ 1 files changed, 97 insertions(+), 98 deletions(-)
+
+commit 78011eb5c2454b8afc96b98bd86ac172e589b13c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:20 2013 -0400
+
+ Revert "revert recent PaX change that causes boot failures with 32bit userland"
+
+ This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 16:26:58 2013 -0400
+
+ compile fix for !COMPAT as mentioned on forums
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit e670dc535e4501fd12d8bf00f1e1306c44266fe7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:33:14 2013 -0400
+
+ perform compat conversion of rlimit infinity
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 2834fe28e69176da6ac4989c6e3dc713faafefe5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:21:40 2013 -0400
+
+ remove debugging
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
+ 1 files changed, 11 insertions(+), 33 deletions(-)
+
+commit 2669672647f6955f0e5154596492c73cd4fda330
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:20:32 2013 -0400
+
+ eliminate compat_dev_t
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ include/linux/gracl_compat.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 75de5da79f5e03936a79ffe2c827462000001985
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:13:22 2013 -0400
+
+ fix compat rlimit size
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
+ include/linux/gracl_compat.h | 4 +-
+ 2 files changed, 49 insertions(+), 23 deletions(-)
+
+commit 9055a8feb8493a30d1ad0fcef25eb496630d223f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:20:18 2013 -0400
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:14:29 2013 -0400
+
+ copy correct pointer size in new compat code
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 8 ++++----
+ grsecurity/gracl_compat.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 129b6204587740fd082e731a54d00e8a9fc35f8b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:15:50 2013 -0400
+
+ compile fix
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:12:46 2013 -0400
+
+ remove BUILD_BUG_ONs
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 20 --------------------
+ 1 files changed, 0 insertions(+), 20 deletions(-)
+
+commit 67fc73af0876d311c0d01d3b16fa429f44af12b9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:18:36 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 8 ++++----
+ include/linux/gracl_compat.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:16:42 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_compat.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 798adb5cab6c3a8056e1b415e6f34a270f369721
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:13:51 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 4d4945ce90d83784634b898f83cb5a7699537733
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:11:03 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl_compat.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:08:21 2013 -0400
+
+ more compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 28 ++++++++++++++--------------
+ 1 files changed, 14 insertions(+), 14 deletions(-)
+
+commit 6db464f72eff84f77335b69dc2748a3759e151d1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:59:50 2013 -0400
+
+ more compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:56:47 2013 -0400
+
+ additional compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 files changed, 49 insertions(+), 10 deletions(-)
+
+commit e78a78dcfc089142273243b54509840d3b50c538
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:47:15 2013 -0400
+
+ fix typo
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b27005e62bebc09e6604a6f5dc099742bb6b4434
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:46:59 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 14 deletions(-)
+
+commit 101b84a778c254dfd7399f5bcd6264ff437f1176
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:22:44 2013 -0400
+
+ Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel
+
+ Also removed code duplication for copying strings into the kernel
+
+ Work performed as part of sponsorship
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ grsecurity/Makefile | 4 +
+ grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
+ grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
+ include/linux/gracl_compat.h | 156 +++++++++++++++++++++
+ 4 files changed, 603 insertions(+), 142 deletions(-)
+
+commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 16 20:40:24 2013 -0400
+
+ allow viewing of ecryptfs version under SYSFS_RESTRICT
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/sysfs/dir.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3e182e4da46de4c6b9a9f45d41030bef19260954
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:49:17 2013 -0400
+
+ Update PaX fix, just return the error
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/madvise.c | 11 +++++------
+ 1 files changed, 5 insertions(+), 6 deletions(-)
+
+commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:36:00 2013 -0400
+
+ Fix madvise oops reported by Peter Keel
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ mm/madvise.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+commit 32537d92b8da84f38bf45eb85b6953f452064936
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 22:04:59 2013 -0400
+
+ compile fixes
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ fs/exec.c | 2 +-
+ mm/mmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 16:15:10 2013 -0400
+
+ Initial port of grsecurity to 3.11 using new git method
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 3 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 12 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/signal.c | 9 +-
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 9 +-
+ arch/x86/kernel/sys_x86_64.c | 8 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 1 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 128 ++-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/block/cpqarray.c | 1 +
+ drivers/cdrom/cdrom.c | 2 +-
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++---------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 9 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 184 ++-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 256 +++-
+ fs/namespace.c | 16 +
+ fs/open.c | 38 +
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 166 ++-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 4 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/perf_event.h | 13 +-
+ include/linux/printk.h | 3 +-
+ include/linux/sched.h | 24 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 ++-
+ kernel/events/core.c | 14 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 64 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 2 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 7 +
+ kernel/printk/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 69 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 1 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 63 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev_ioctl.c | 4 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 4 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netrom/af_netrom.c | 1 -
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 341 +++-
+ security/apparmor/Kconfig | 9 +
+ security/apparmor/apparmorfs.c | 231 +++
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 235 files changed, 4384 insertions(+), 1312 deletions(-)
+
+commit a76b033c58b4886552911442f1b89e0cee041dae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:57:40 2013 -0400
+
+ Commit merge of new files and rejected patches
+
+ Signed-off-by: Brad Spengler <spender@grsecurity.net>
+
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/powerpc/include/asm/thread_info.h | 7 +-
+ arch/powerpc/mm/slice.c | 2 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 15 +
+ fs/coredump.c | 1 +
+ fs/ext4/balloc.c | 4 +-
+ fs/namei.c | 7 +
+ fs/namespace.c | 8 +
+ fs/pipe.c | 2 +-
+ fs/proc/inode.c | 13 +
+ fs/proc/internal.h | 3 +
+ grsecurity/Kconfig | 1054 +++++++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 ++++
+ grsecurity/gracl_ip.c | 387 +++
+ grsecurity/gracl_learn.c | 207 ++
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 +++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 +++
+ grsecurity/grsec_disabled.c | 434 ++++
+ grsecurity/grsec_exec.c | 187 ++
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 +++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 +++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 246 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 ++++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/gracl.h | 319 +++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 ++
+ include/linux/grinternal.h | 227 ++
+ include/linux/grmsg.h | 112 +
+ include/linux/grsecurity.h | 241 ++
+ include/linux/grsock.h | 19 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/proc_fs.h | 13 +
+ include/linux/sched.h | 48 +-
+ include/trace/events/fs.h | 53 +
+ kernel/kmod.c | 7 +-
+ kernel/panic.c | 2 +-
+ kernel/posix-timers.c | 1 +
+ kernel/time/timekeeping.c | 2 +
+ lib/Kconfig.debug | 2 +-
+ lib/vsprintf.c | 31 +
+ localversion-grsec | 1 +
+ mm/mmap.c | 13 +-
+ mm/shmem.c | 2 +-
+ net/core/net-procfs.c | 5 +
+ net/ipv6/udp.c | 3 +
+ net/netfilter/xt_gradm.c | 51 +
+ 66 files changed, 11184 insertions(+), 21 deletions(-)
+
+commit d1cf217118e0750f54aca9136d8c6a41f0ae439c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Sep 14 14:36:40 2013 -0400
+
+ Initial import of pax-linux-3.11-test4.patch
+
+ Documentation/dontdiff | 46 +-
+ Documentation/kernel-parameters.txt | 23 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 444 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 3 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 54 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 95 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/entry-armv.S | 110 +-
+ arch/arm/kernel/entry-common.S | 40 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 3 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/process.c | 42 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 35 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 8 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/kvm/arm.c | 8 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
+ arch/arm/mach-ux500/setup.h | 7 -
+ arch/arm/mm/Kconfig | 6 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/context.c | 10 +-
+ arch/arm/mm/fault.c | 104 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 30 +-
+ arch/arm/mm/mmu.c | 185 +-
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 728 +++-
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/local.h | 57 +
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/include/asm/smtc_proc.h | 2 +-
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/irq.c | 6 +-
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/kernel/smtc-proc.c | 6 +-
+ arch/mips/kernel/smtc.c | 2 +-
+ arch/mips/kernel/sync-r4k.c | 24 +-
+ arch/mips/kernel/traps.c | 13 +-
+ arch/mips/mm/fault.c | 25 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap.c | 16 +
+ arch/powerpc/mm/slice.c | 13 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/smp_64.c | 12 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 52 +-
+ arch/sparc/kernel/traps_64.c | 27 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 +
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/sparc/mm/init_64.c | 10 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 4 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/efi_stub_32.S | 16 +-
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 22 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 +
+ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/serpent-avx2-asm_64.S | 9 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/sha256-avx-asm.S | 2 +
+ arch/x86/crypto/sha256-avx2-asm.S | 2 +
+ arch/x86/crypto/sha256-ssse3-asm.S | 2 +
+ arch/x86/crypto/sha512-avx-asm.S | 2 +
+ arch/x86/crypto/sha512-avx2-asm.S | 2 +
+ arch/x86/crypto/sha512-ssse3-asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 16 +-
+ arch/x86/ia32/ia32entry.S | 157 +-
+ arch/x86/ia32/sys_ia32.c | 4 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 +-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 16 +-
+ arch/x86/include/asm/desc.h | 74 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 8 +-
+ arch/x86/include/asm/futex.h | 20 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 128 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/include/asm/page_64.h | 4 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 124 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 82 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 29 +-
+ arch/x86/include/asm/smap.h | 64 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/tlbflush.h | 74 +-
+ arch/x86/include/asm/uaccess.h | 112 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 14 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 130 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ arch/x86/kernel/doublefault.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 61 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 356 +-
+ arch/x86/kernel/entry_64.S | 669 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 13 +-
+ arch/x86/kernel/head_32.S | 228 +-
+ arch/x86/kernel/head_64.S | 138 +-
+ arch/x86/kernel/i386_ksyms_32.c | 12 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 67 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 55 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 20 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 42 +-
+ arch/x86/kernel/reboot_fixups_32.c | 2 +-
+ arch/x86/kernel/relocate_kernel_64.S | 5 +-
+ arch/x86/kernel/setup.c | 65 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 19 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 28 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 184 +
+ arch/x86/kernel/sys_x86_64.c | 22 +-
+ arch/x86/kernel/tboot.c | 12 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/tracepoint.c | 4 +-
+ arch/x86/kernel/traps.c | 62 +-
+ arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 147 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 6 +-
+ arch/x86/kernel/x86_init.c | 6 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 61 +-
+ arch/x86/kvm/x86.c | 8 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 89 +-
+ arch/x86/lib/copy_user_nocache_64.S | 22 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 13 +-
+ arch/x86/lib/getuser.S | 74 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 22 +-
+ arch/x86/lib/memmove_64.S | 36 +-
+ arch/x86/lib/memset_64.S | 11 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 363 +-
+ arch/x86/lib/usercopy_64.c | 18 +-
+ arch/x86/mm/Makefile | 4 +
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 571 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 101 +-
+ arch/x86/mm/init_32.c | 111 +-
+ arch/x86/mm/init_64.c | 45 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 36 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pat_rbtree.c | 2 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 139 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/mm/uderef_64.c | 37 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 39 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 24 +
+ arch/x86/platform/efi/efi_64.c | 10 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 11 +-
+ arch/x86/realmode/init.c | 10 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 3 +-
+ arch/x86/tools/Makefile | 2 +-
+ arch/x86/tools/relocs.c | 94 +-
+ arch/x86/um/tls_32.c | 2 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 45 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-cgroup.c | 4 +-
+ block/blk-iopoll.c | 2 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 2 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/genhd.c | 9 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ crypto/pcrypt.c | 2 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/apei/ghes.c | 4 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 12 +-
+ drivers/ata/libata-scsi.c | 2 +-
+ drivers/ata/libata.h | 2 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 8 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_nl.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 11 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 4 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 43 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clk/clk-composite.c | 2 +-
+ drivers/clk/socfpga/clk.c | 7 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 8 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/crypto/hifn_795x.c | 4 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_device.c | 4 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci.c | 4 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 6 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efi/efi.c | 12 +-
+ drivers/firmware/efi/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 2 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 24 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/gpu/host1x/drm/dc.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hid/uhid.c | 6 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hv_balloon.c | 18 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/iio_hwmon.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mlx4/mad.c | 2 +-
+ drivers/infiniband/hw/mlx4/mcg.c | 2 +-
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/misc/ims-pcu.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/input/serio/serio_raw.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 12 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/gigaset/usb-gigaset.c | 2 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_common.c | 2 +
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bcache/closure.h | 2 +-
+ drivers/md/bcache/super.c | 2 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/radio/radio-maxiradio.c | 2 +-
+ drivers/media/radio/radio-shark.c | 2 +-
+ drivers/media/radio/radio-shark2.c | 2 +-
+ drivers/media/radio/radio-si476x.c | 2 +-
+ drivers/media/rc/rc-main.c | 4 +-
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
+ drivers/media/v4l2-core/v4l2-device.c | 4 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/usb/sierra_net.c | 4 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wimax/i2400m/rx.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
+ drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/core.c | 4 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/android/timed_output.c | 6 +-
+ drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10.h | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.h | 4 +-
+ drivers/target/sbp/sbp_target.c | 4 +-
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/hvc/hvsi.c | 12 +-
+ drivers/tty/hvc/hvsi_lib.c | 6 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/ioc4_serial.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/msm_serial.c | 4 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/dwc3/gadget.c | 2 -
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/misc/appledisplay.c | 4 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/vfio/vfio.c | 2 +-
+ drivers/vhost/vringh.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/hyperv_fb.c | 4 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_addr.c | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/afs/inode.c | 4 +-
+ fs/aio.c | 12 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 648 ++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/delayed-inode.c | 6 +-
+ fs/btrfs/delayed-inode.h | 4 +-
+ fs/btrfs/super.c | 2 +-
+ fs/buffer.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/ceph/super.c | 4 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 4 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 12 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 18 +-
+ fs/dcache.c | 3 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/exec.c | 362 +-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 4 +-
+ fs/fhandle.c | 3 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 38 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 26 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 4 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 16 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 9 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 6 +-
+ fs/ntfs/super.c | 6 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 61 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/proc/vmcore.c | 12 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/read_write.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 41 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 7 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 16 +
+ include/asm-generic/uaccess.h | 16 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/clk-provider.h | 1 +
+ include/linux/compat.h | 5 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/fdtable.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 17 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 4 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/linkage.h | 1 +
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 8 +-
+ include/linux/mm.h | 116 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 10 +-
+ include/linux/pipe_fs_i.h | 8 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-ohci-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/preempt.h | 19 +
+ include/linux/proc_ns.h | 2 +-
+ include/linux/random.h | 15 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 67 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/security.h | 2 +-
+ include/linux/seq_file.h | 1 +
+ include/linux/signal.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 48 +-
+ include/linux/slab_def.h | 32 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 8 +-
+ include/linux/smp.h | 2 +
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 18 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 9 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-device.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 17 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 18 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/netns/ipv6.h | 2 +-
+ include/net/ping.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/compress_driver.h | 2 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 30 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 42 +-
+ init/main.c | 84 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 38 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 30 +-
+ kernel/events/internal.h | 12 +-
+ kernel/events/uprobes.c | 2 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 170 +-
+ kernel/futex.c | 11 +-
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 2 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 10 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 24 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 74 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 49 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/sched/sched.h | 2 +-
+ kernel/signal.c | 32 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 14 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 4 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 18 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_clock.c | 4 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ kernel/workqueue.c | 2 +-
+ lib/Kconfig.debug | 8 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/usercopy.c | 6 +
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/backing-dev.c | 4 +-
+ mm/filemap.c | 10 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 3 +-
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 25 +
+ mm/mlock.c | 15 +-
+ mm/mmap.c | 588 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 2 +-
+ mm/page_alloc.c | 41 +-
+ mm/page_io.c | 2 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 44 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 108 +-
+ mm/slab.h | 15 +-
+ mm/slab_common.c | 60 +-
+ mm/slob.c | 206 +-
+ mm/slub.c | 88 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 77 +-
+ mm/vmstat.c | 10 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 2 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/ceph/messenger.c | 4 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/netpoll.c | 4 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/skbuff.c | 6 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ieee802154/6lowpan.c | 2 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/devinet.c | 18 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 14 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 20 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 12 +-
+ net/ipv6/datagram.c | 2 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/output_core.c | 15 +-
+ net/ipv6/ping.c | 28 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 6 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 16 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 10 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 4 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 33 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.sh | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 690 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/internal.h | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 12 +-
+ security/selinux/avc.c | 6 +-
+ security/selinux/hooks.c | 6 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/core/sound.c | 2 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/hda/hda_codec.c | 8 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 172 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 560 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 471 ++
+ tools/gcc/latent_entropy_plugin.c | 321 +
+ tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2113 +++++++
+ tools/gcc/stackleak_plugin.c | 327 +
+ tools/gcc/structleak_plugin.c | 277 +
+ tools/lib/lk/Makefile | 2 +-
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1664 files changed, 32957 insertions(+), 7636 deletions(-)
+commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
+Merge: c3ccfb2 777e08c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:49:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:47:32 2013 -0400
+
+ Update to pax-linux-3.10.11-test26.patch:
+ - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
+ - fixed an uninitialized read in splice, reported by hunger
+
+ fs/splice.c | 1 +
+ include/linux/syscalls.h | 14 +-
+ tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++----------------
+ 3 files changed, 247 insertions(+), 194 deletions(-)
+
+commit 5c3161364270c842d901789faac731f79a9f9cd6
+Merge: cf9c476 85cdabb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:24:25 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit c3ccfb29794a03413095422100ce90d40ef7df0f
+Author: Jakob Bornecrantz <jakob@vmware.com>
+Date: Thu Aug 29 02:32:53 2013 +0200
+
+ Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
+
+ drm/vmwgfx: Split GMR2_REMAP commands if they are to large
+
+ This fixes the piglit test texturing/max-texture-size
+ causing the VM to die due to a too large SVGA command.
+
+ Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
+ Reviewed-by: Biran Paul <brianp@vmware.com>
+ Reviewed-by: Zack Rusin <zackr@vmware.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dave Airlie <airlied@gmail.com>
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
+ 1 files changed, 39 insertions(+), 19 deletions(-)
+
+commit d260badf708d6aa16c44f56f54727532dcae826e
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Tue Sep 3 19:29:12 2013 +0200
+
+ Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
+
+ net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
+
+ In tcp_v6_do_rcv() code, when processing pkt options, we soley work
+ on our skb clone opt_skb that we've created earlier before entering
+ tcp_rcv_established() on our way. However, only in condition ...
+
+ if (np->rxopt.bits.rxtclass)
+ np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
+
+ ... we work on skb itself. As we extract every other information out
+ of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
+ already be released by tcp_rcv_established() earlier on. When we try
+ to access it in ipv6_hdr(), we will dereference freed skb.
+
+ [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
+ IP_PKTOPTIONS") ]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jiri Benc <jbenc@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 29 11:47:00 2013 +0300
+
+ Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
+
+ mISDN: return -EINVAL on error in dsp_control_req()
+
+ If skb->len is too short then we should return an error. Otherwise we
+ read beyond the end of skb->data for several bytes.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/mISDN/dsp_core.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:36:23 2013 -0400
+
+ fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit da68dbcd96c617923a0aedb177d36b2701f9c858
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:17:02 2013 -0400
+
+ Allow the deny_new_usb sysctl to be toggled off by a user with
+ CAP_SYS_ADMIN. This allows for more inventive uses of the feature
+ that would be impossible otherwise (like toggling it while the screen is
+ locked, etc)
+
+ grsecurity/grsec_sysctl.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit ce0e893adc830ee110f97071cc17e661fb35ae3d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 18:41:49 2013 -0400
+
+ Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
+ GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
+ users who know they want the functionality but don't want to bother
+ with modifying init scripts
+
+ Also eliminate reset_security_ops() as a ROP target when
+ SECURITY_SELINUX_DISABLE is disabled as it's the only user
+
+ grsecurity/Kconfig | 17 ++++++++++++++++-
+ grsecurity/grsec_init.c | 3 +++
+ grsecurity/grsec_sysctl.c | 2 +-
+ security/security.c | 4 ++++
+ 4 files changed, 24 insertions(+), 2 deletions(-)
+
+commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
+Merge: 7ee3899 cf9c476
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 1 13:56:57 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 1 13:56:16 2013 -0400
+
+ Update to pax-linux-3.10.10-test25.patch:
+ - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
+ - got inet_getid and ipv6_select_ident rid of the cmpxchg loop
+
+ block/blk-cgroup.c | 4 ++--
+ drivers/video/hyperv_fb.c | 4 ++--
+ fs/namespace.c | 4 ++--
+ include/net/inetpeer.h | 13 +++++--------
+ kernel/trace/trace_clock.c | 4 ++--
+ net/ipv6/output_core.c | 15 ++++++---------
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
+ 7 files changed, 21 insertions(+), 27 deletions(-)
+
+commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
+Merge: fd0338c 2bdeae7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 22:07:38 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 22:06:55 2013 -0400
+
+ Update to pax-linux-3.10.10-test24.patch:
+ - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
+ - fixed a bunch more after a quick audit of atomic_inc_return users
+
+ drivers/acpi/apei/ghes.c | 4 ++--
+ drivers/ata/libata-core.c | 4 ++--
+ drivers/ata/libata-scsi.c | 2 +-
+ drivers/ata/libata.h | 2 +-
+ drivers/block/drbd/drbd_nl.c | 4 ++--
+ drivers/crypto/hifn_795x.c | 4 ++--
+ drivers/edac/edac_device.c | 4 ++--
+ drivers/edac/edac_pci.c | 4 ++--
+ drivers/firewire/core-card.c | 4 ++--
+ drivers/hv/hv_balloon.c | 18 +++++++++---------
+ drivers/infiniband/hw/mlx4/mad.c | 2 +-
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
+ drivers/input/misc/ims-pcu.c | 4 ++--
+ drivers/input/serio/serio_raw.c | 4 ++--
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ drivers/media/radio/radio-maxiradio.c | 2 +-
+ drivers/media/radio/radio-shark.c | 2 +-
+ drivers/media/radio/radio-shark2.c | 2 +-
+ drivers/media/radio/radio-si476x.c | 2 +-
+ drivers/media/rc/rc-main.c | 4 ++--
+ drivers/media/v4l2-core/v4l2-device.c | 4 ++--
+ drivers/net/usb/sierra_net.c | 4 ++--
+ drivers/pci/hotplug/pciehp_hpc.c | 4 +---
+ drivers/regulator/core.c | 4 ++--
+ drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------
+ drivers/staging/android/timed_output.c | 6 +++---
+ drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10.h | 2 +-
+ drivers/target/sbp/sbp_target.c | 4 ++--
+ drivers/tty/hvc/hvsi.c | 12 ++++++------
+ drivers/tty/hvc/hvsi_lib.c | 6 +++---
+ drivers/tty/serial/ioc4_serial.c | 6 +++---
+ drivers/tty/serial/msm_serial.c | 4 ++--
+ drivers/usb/misc/appledisplay.c | 4 ++--
+ fs/afs/inode.c | 4 ++--
+ fs/btrfs/delayed-inode.c | 6 +++---
+ fs/btrfs/delayed-inode.h | 4 ++--
+ fs/fscache/cookie.c | 4 ++--
+ include/media/v4l2-device.h | 2 +-
+ net/ceph/messenger.c | 4 ++--
+ net/core/netpoll.c | 4 ++--
+ net/xfrm/xfrm_state.c | 4 ++--
+ security/selinux/avc.c | 6 +++---
+ 43 files changed, 93 insertions(+), 95 deletions(-)
+
+commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
+Merge: 1bdf7ec 85099d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 21:07:29 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 21:06:55 2013 -0400
+
+ Update to pax-linux-3.10.10-test23.patch:
+ - added the necessary atomic_unchecked_t conversion for mips
+ - audited and fixed arm and sparc for proper atomic_unchecked_t usage
+
+ arch/arm/kvm/arm.c | 8 ++++----
+ arch/arm/mm/context.c | 10 +++++-----
+ arch/mips/kernel/irq.c | 6 +++---
+ arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------
+ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++---
+ arch/sparc/kernel/smp_64.c | 12 ++++++------
+ arch/sparc/kernel/traps_64.c | 14 +++++++-------
+ arch/sparc/mm/init_64.c | 10 +++++-----
+ 8 files changed, 45 insertions(+), 45 deletions(-)
+
+commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
+Merge: 995a168 38ee86c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 19:23:36 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 19:23:11 2013 -0400
+
+ Update to pax-linux-3.10.10-test22.patch:
+ - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
+ - fixed a few more format strings
+
+ arch/mips/include/asm/atomic.h | 20 ++++++++++++++++----
+ drivers/md/bcache/super.c | 2 +-
+ drivers/net/wireless/iwlwifi/dvm/main.c | 3 +--
+ drivers/pci/hotplug/pciehp_hpc.c | 2 +-
+ drivers/platform/x86/wmi.c | 2 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/vfio/vfio.c | 4 ++--
+ fs/ntfs/super.c | 6 +++---
+ include/linux/workqueue.h | 6 +++---
+ net/mac80211/main.c | 2 +-
+ sound/pci/hda/hda_codec.c | 8 ++------
+ 11 files changed, 32 insertions(+), 25 deletions(-)
+
+commit 995a16841e2097c3a9dfc652e856469679c4a0ba
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 17:11:11 2013 -0400
+
+ fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
+
+ grsecurity/grsec_sysctl.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
+Merge: be2497c 1052971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 29 20:44:29 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ include/linux/sched.h
+
+commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
+Merge: e902dad 8bf3379
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 29 20:39:50 2013 -0400
+
+ Update to pax-linux-3.10.10-test21.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/sys_x86_64.c
+ arch/x86/mm/mmap.c
+ include/linux/sched.h
+
+commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
+Merge: 081c22b e902dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:52:44 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:51:21 2013 -0400
+
+ Update to pax-linux-3.10.9-test21.patch:
+ - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
+ - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
+ - fixed a REFCOUNT false positive in UHID
+ - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
+ Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
+ (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
+ - icmpv6_filter: no memory corruption, probably just some logical error in the caller
+ - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
+ - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
+ - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
+ - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
+ - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
+
+ arch/arm/mm/fault.c | 2 +-
+ arch/mips/kernel/traps.c | 2 --
+ drivers/hid/uhid.c | 6 +++---
+ drivers/isdn/gigaset/usb-gigaset.c | 2 +-
+ drivers/isdn/i4l/isdn_common.c | 2 ++
+ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
+ drivers/usb/dwc3/gadget.c | 2 --
+ net/ieee802154/6lowpan.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
+ 10 files changed, 14 insertions(+), 16 deletions(-)
+
+commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:42:39 2013 -0400
+
+ add export of gr_handle_new_usb()
+
+ grsecurity/grsec_usb.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 19:24:47 2013 -0400
+
+ Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
+ Kees' recent findings are motivation enough to publish it
+
+ drivers/usb/core/hub.c | 5 +++++
+ grsecurity/Kconfig | 20 ++++++++++++++++++++
+ grsecurity/Makefile | 3 ++-
+ grsecurity/grsec_init.c | 1 +
+ grsecurity/grsec_sysctl.c | 11 +++++++++++
+ grsecurity/grsec_usb.c | 13 +++++++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grsecurity.h | 2 ++
+ 8 files changed, 55 insertions(+), 1 deletions(-)
+
+commit 8044382257ec75a03f3d784ce048ef14e94b90ca
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:35:07 2013 -0700
+
+ HID: zeroplus: validate output report details
+
+ The zeroplus HID driver was not checking the size of allocated values
+ in fields it used. A HID device could send a malicious output report
+ that would cause the driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+ ...
+ [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2889
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-zpff.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 14:36:15 2013 -0700
+
+ HID: provide a helper for validating hid reports
+
+ Many drivers need to validate the characteristics of their HID report
+ during initialization to avoid misusing the reports. This adds a common
+ helper to perform validation of the report, its field count, and the
+ value count within the fields.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/hid.h | 4 +++
+ 2 files changed, 54 insertions(+), 0 deletions(-)
+
+commit 270ba9096ddecdc3cf6c4d76e6892184820116be
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:14:34 2013 -0700
+
+ HID: steelseries: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ steelseries HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+ ...
+ [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2891
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-steelseries.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 08:49:21 2013 -0700
+
+ HID: pantherlord: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ pantherlord HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+ ...
+ [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2892
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 60115e8108e508060815bce5ef9504233c81898c
+Author: Kees Cook <keescook@chromium.org>
+Date: Tue Aug 13 16:49:01 2013 -0700
+
+ HID: LG: validate HID output report details
+
+ A HID device could send a malicious output report that would cause the
+ lg, lg3, and lg4 HID drivers to write beyond the output report allocation
+ during an event, causing a heap overflow:
+
+ [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
+ ...
+ [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
+
+ Additionally, while lg2 did correctly validate the report details, it was
+ cleaned up and shortened.
+
+ CVE-2013-2893
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-lg2ff.c | 19 +++----------------
+ drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
+ drivers/hid/hid-lg4ff.c | 20 +-------------------
+ drivers/hid/hid-lgff.c | 17 ++---------------
+ 4 files changed, 12 insertions(+), 73 deletions(-)
+
+commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:21:23 2013 -0700
+
+ HID: lenovo-tpkbd: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ lenovo-tpkbd HID driver to write just beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+ ...
+ [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2894
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 38627769bb2b9a550e251b2caf1babda7566fb4a
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:45:03 2013 -0700
+
+ HID: logitech-dj: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ logitech-dj HID driver to leak kernel memory contents to the device, or
+ trigger a NULL dereference during initialization:
+
+ [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+ ...
+ [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+ [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+ CVE-2013-2895
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:18:15 2013 -0700
+
+ HID: ntrig: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ ntrig HID driver to trigger a NULL dereference during initialization:
+
+ [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+ ...
+ [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+ [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+ CVE-2013-2896
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:11:32 2013 -0700
+
+ HID: multitouch: validate feature report details
+
+ When working on report indexes, always validate that they are in bounds.
+ Without this, a HID device could report a malicious feature report that
+ could trick the driver into a heap overflow:
+
+ [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+ ...
+ [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2897
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
+ 1 files changed, 20 insertions(+), 5 deletions(-)
+
+commit 813f51e0881e4ea6d221da828b1cced02ad9694d
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:12:45 2013 -0700
+
+ HID: sensor-hub: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ sensor-hub HID driver to read past the end of heap allocation, leaking
+ kernel memory contents to the caller.
+
+ CVE-2013-2898
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:05:10 2013 -0700
+
+ HID: picolcd_core: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+ CVE-2013-2899
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:09:54 2013 -0700
+
+ HID: check for NULL field when setting values
+
+ Defensively check that the field to be worked on is not NULL.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 96a55ce1b2f3af376c400a02059174e79ce4399c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 18:09:18 2013 -0400
+
+ http://marc.info/?l=linux-input&m=137772180514608&q=raw
+
+ From: Kees Cook <keescook@chromium.org>
+
+ The "Report ID" field of a HID report is used to build indexes of
+ reports. The kernel's index of these is limited to 256 entries, so any
+ malicious device that sets a Report ID greater than 255 will trigger
+ memory corruption on the host:
+
+ [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+ [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+ CVE-2013-2888
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ ---
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+commit eb1106eef5f17bfda833ca3cf89e315919173257
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Aug 9 12:52:31 2013 +0300
+
+ Upstream commit: 909bd5926d474e275599094acad986af79671ac9
+
+ Hostap: copying wrong data prism2_ioctl_giwaplist()
+
+ We want the data stored in "addr" and "qual", but the extra ampersands
+ mean we are copying stack data instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 17:01:21 2013 -0400
+
+ fix typo in ipv6 backport
+
+ net/ipv6/addrconf.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Thu Aug 22 11:39:15 2013 -0700
+
+ Upstream commit: d661684cf6820331feae71146c35da83d794467e
+
+ net: Check the correct namespace when spoofing pid over SCM_RIGHTS
+
+ This is a security bug.
+
+ The follow-up will fix nsproxy to discourage this type of issue from
+ happening again.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/scm.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Aug 16 13:02:27 2013 +0200
+
+ Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
+
+ ipv6: remove max_addresses check from ipv6_create_tempaddr
+
+ Because of the max_addresses check attackers were able to disable privacy
+ extensions on an interface by creating enough autoconfigured addresses:
+
+ <http://seclists.org/oss-sec/2012/q4/292>
+
+ But the check is not actually needed: max_addresses protects the
+ kernel to install too many ipv6 addresses on an interface and guards
+ addrconf_prefix_rcv to install further addresses as soon as this limit
+ is reached. We only generate temporary addresses in direct response of
+ a new address showing up. As soon as we filled up the maximum number of
+ addresses of an interface, we stop installing more addresses and thus
+ also stop generating more temp addresses.
+
+ Even if the attacker tries to generate a lot of temporary addresses
+ by announcing a prefix and removing it again (lifetime == 0) we won't
+ install more temp addresses, because the temporary addresses do count
+ to the maximum number of addresses, thus we would stop installing new
+ autoconfigured addresses when the limit is reached.
+
+ This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
+ possible).
+
+ Thanks to Ding Tianhong to bring this topic up again.
+
+ Cc: Ding Tianhong <dingtianhong@huawei.com>
+ Cc: George Kargiotakis <kargig@void.gr>
+ Cc: P J P <ppandit@redhat.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Ding Tianhong <dingtianhong@huawei.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/ipv6/addrconf.c
+
+ net/ipv6/addrconf.c | 10 ++++------
+ 1 files changed, 4 insertions(+), 6 deletions(-)
+
+commit 8333e0981469a226a47d0142ff31090a48db95a4
+Author: David Vrabel <david.vrabel@citrix.com>
+Date: Thu Aug 15 13:21:06 2013 +0100
+
+ Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
+
+ xen/events: initialize local per-cpu mask for all possible events
+
+ The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
+ resulting in only the first 64 (or 32 in 32-bit guests) ports having
+ their bindings being initialized to VCPU 0.
+
+ In most cases this does not cause a problem as request_irq() will set
+ the irq affinity which will set the correct local per-cpu mask.
+ However, if the request_irq() is called on a VCPU other than 0, there
+ is a window between the unmasking of the event and the affinity being
+ set were an event may be lost because it is not locally unmasked on
+ any VCPU. If request_irq() is called on VCPU 0 then local irqs are
+ disabled during the window and the race does not occur.
+
+ Fix this by initializing all NR_EVENT_CHANNEL bits in the local
+ per-cpu masks.
+
+ Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+ Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+ CC: stable@vger.kernel.org
+
+ drivers/xen/events.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2a9a83768433937a2b7a97001ba1627156c0efed
+Author: Roland Dreier <roland@purestorage.com>
+Date: Mon Aug 5 17:55:01 2013 -0700
+
+ Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
+
+ [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
+
+ There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
+ leads to one process writing data into the address space of some other
+ random unrelated process if the ioctl is interrupted by a signal.
+ What happens is the following:
+
+ - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
+ underlying SCSI command will transfer data from the SCSI device to
+ the buffer provided in the ioctl)
+
+ - Before the command finishes, a signal is sent to the process waiting
+ in the ioctl. This will end up waking up the sg_ioctl() code:
+
+ result = wait_event_interruptible(sfp->read_wait,
+ (srp_done(sfp, srp) || sdp->detached));
+
+ but neither srp_done() nor sdp->detached is true, so we end up just
+ setting srp->orphan and returning to userspace:
+
+ srp->orphan = 1;
+ write_unlock_irq(&sfp->rq_list_lock);
+ return result; /* -ERESTARTSYS because signal hit process */
+
+ At this point the original process is done with the ioctl and
+ blithely goes ahead handling the signal, reissuing the ioctl, etc.
+
+ - Eventually, the SCSI command issued by the first ioctl finishes and
+ ends up in sg_rq_end_io(). At the end of that function, we run through:
+
+ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ if (unlikely(srp->orphan)) {
+ if (sfp->keep_orphan)
+ srp->sg_io_owned = 0;
+ else
+ done = 0;
+ }
+ srp->done = done;
+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+
+ if (likely(done)) {
+ /* Now wake up any sg_read() that is waiting for this
+ * packet.
+ */
+ wake_up_interruptible(&sfp->read_wait);
+ kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
+ kref_put(&sfp->f_ref, sg_remove_sfp);
+ } else {
+ INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
+ schedule_work(&srp->ew.work);
+ }
+
+ Since srp->orphan *is* set, we set done to 0 (assuming the
+ userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
+ ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
+ to run in a workqueue.
+
+ - In workqueue context we go through sg_rq_end_io_usercontext() ->
+ sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
+ bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
+
+ The key point here is that we are doing copy_to_user() on a
+ workqueue -- that is, we're on a kernel thread with current->mm
+ equal to whatever random previous user process was scheduled before
+ this kernel thread. So we end up copying whatever data the SCSI
+ command returned to the virtual address of the buffer passed into
+ the original ioctl, but it's quite likely we do this copying into a
+ different address space!
+
+ As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
+ add a check for current->mm (which is NULL if we're on a kernel thread
+ without a real userspace address space) in bio_uncopy_user(), and skip
+ the copy if we're on a kernel thread.
+
+ There's no reason that I can think of for any caller of bio_uncopy_user()
+ to want to do copying on a kernel thread with a random active userspace
+ address space.
+
+ Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
+ original pointer to this bug in the sg code.
+
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+ Tested-by: David Milburn <dmilburn@redhat.com>
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+
+ fs/bio.c | 20 +++++++++++++++-----
+ 1 files changed, 15 insertions(+), 5 deletions(-)
+
+commit e6fe57dee152671afd618d6bc8cbf23155be6c34
+Merge: cdc8f7d f2095a4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 27 18:13:35 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/mm/fault.c
+ security/Kconfig
+
+commit f2095a4787f7d332e5919f0bd00f8de6021ad612
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 27 18:08:23 2013 -0400
+
+ Update to pax-linux-3.10.9-test20.patch:
+ - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
+ - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
+ - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
+ - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
+ - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
+ - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
+ - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)
+
+ arch/arm/mm/fault.c | 11 +-
+ arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++--
+ arch/mips/kernel/traps.c | 14 +-
+ arch/x86/include/asm/tlbflush.h | 4 +
+ arch/x86/include/asm/uaccess_64.h | 2 +-
+ fs/ntfs/file.c | 2 +-
+ kernel/events/internal.h | 4 +-
+ kernel/events/uprobes.c | 2 +-
+ kernel/futex.c | 2 +-
+ mm/filemap.c | 8 +-
+ security/Kconfig | 2 +-
+ tools/gcc/kernexec_plugin.c | 18 +-
+ tools/gcc/latent_entropy_plugin.c | 26 +-
+ tools/gcc/size_overflow_plugin.c | 3 +-
+ 14 files changed, 750 insertions(+), 70 deletions(-)
+
+commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
+Merge: 5a9ae57 745975e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 26 20:27:33 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 745975e3b3b74b64e00e85778f9a22714d1274f2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 26 20:26:33 2013 -0400
+
+ Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
+ as reported by fabled on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=1&t=3720
+
+ arch/arm/include/asm/pgtable.h | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
+Merge: 486ec00 f68df21
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:15:20 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:14:50 2013 -0400
+
+ Update to pax-linux-3.10.9-test18.patch:
+ - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
+ - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
+ - forward port to 3.10.9
+
+ arch/x86/kernel/entry_64.S | 18 +++++++++---------
+ arch/x86/kernel/i386_ksyms_32.c | 4 ++++
+ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++
+ 3 files changed, 17 insertions(+), 9 deletions(-)
+
+commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
+Merge: f47a293 d8fed0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:12:47 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
+Merge: f6ace8e 0a4b6d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:12:33 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit f47a293a1440da2a3e2c239d43d636e37ca74f10
+Merge: f1e8ec7 f6ace8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:20:05 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/kernel/perf_event.c
+ include/linux/sched.h
+
+commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
+Merge: b4fa847 6f54059
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:18:02 2013 -0400
+
+ Update to pax-linux-3.10.8-test18.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/sys_x86_64.c
+ arch/x86/mm/mmap.c
+ include/linux/sched.h
+
+commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
+Merge: 6f88011 b4fa847
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:05:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:04:14 2013 -0400
+
+ Update to pax-linux-3.10.7-test18.patch:
+ - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
+ - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
+ - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause
+
+ arch/arm/kernel/process.c | 2 +-
+ arch/x86/include/asm/processor.h | 25 ++-----------------------
+ arch/x86/kernel/cpu/common.c | 4 ++++
+ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++
+ drivers/staging/zcache/tmem.c | 4 ++--
+ drivers/staging/zcache/tmem.h | 6 ++----
+ 6 files changed, 47 insertions(+), 30 deletions(-)
+
+commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 19 22:10:04 2013 -0400
+
+ fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
+ as reported by pipacs
+
+ arch/x86/kernel/smpboot.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
+Merge: 6eba999 5de93c8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 22:03:19 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 22:02:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test15.patch:
+ - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
+ - fixed some new REFCOUNT false positives, caught by inspection
+
+ arch/x86/kernel/cpu/common.c | 5 +++--
+ arch/x86/kernel/entry_64.S | 11 +++++++----
+ fs/ceph/super.c | 4 ++--
+ mm/backing-dev.c | 4 ++--
+ 4 files changed, 14 insertions(+), 10 deletions(-)
+
+commit 94c119587c76723c1072237b98fff9886ccb7689
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 20:49:39 2013 -0400
+
+ fix pipacs' DEMORGAN typo
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
+Merge: df347f6 64a293e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 18:13:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 18:12:37 2013 -0400
+
+ Update to pax-linux-3.10.7-test14.patch:
+ - fixed compile error introduced by the previous PCID change
+ - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ kernel/posix-timers.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
+Merge: d8efbc5 e11b314
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 08:15:00 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e11b314734c5b7317f5468be75305ad812e78c2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 08:14:26 2013 -0400
+
+ Update to pax-linux-3.10.7-test13.patch:
+ - always enable the use of PCID and INVPCID when available in the CPU
+ - kvm guest kernels can use these features even if the host kernel lacks UDEREF
+
+ arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++----------------
+ arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++----------
+ 2 files changed, 70 insertions(+), 47 deletions(-)
+
+commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 12:00:20 2013 -0400
+
+ make kallsyms_lookup_size_offset available to approved source files
+
+ include/linux/kallsyms.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 6c8feffa95ce2db280160015027b52bb41a344c8
+Merge: dbf6930 0bb1c2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:57:50 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:56:43 2013 -0400
+
+ Update to pax-linux-3.10.7-test12.patch:
+ - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
+ - fixed some arm compile problems
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ drivers/clocksource/bcm_kona_timer.c | 2 +-
+ kernel/signal.c | 4 ++++
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+commit dbf69305ad4f8a037aae95af90f9201f556dcb48
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:18:09 2013 -0400
+
+ allow use of kallsyms_lookup_name to approved source files
+
+ include/linux/kallsyms.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
+Merge: 68bd16f f562e3e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 10:35:02 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f562e3ef7737ea8d80431a722479b36a12504ace
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 10:34:51 2013 -0400
+
+ add uderef_64.c
+
+ arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++
+ 1 files changed, 37 insertions(+), 0 deletions(-)
+
+commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
+Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
+Date: Mon Aug 12 16:30:09 2013 +0000
+
+ Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
+
+ rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
+
+ Fix the iproute2 command `bridge vlan show`, after switching from
+ rtgenmsg to ifinfomsg.
+
+ Let's start with a little history:
+
+ Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in
+ the 3.9 merge window.
+ In the kernel commit 6cbdceeb, he added attribute support to
+ bridge GETLINK requests sent with rtgenmsg.
+
+ Mar 6th: Vlad got this iproute2 reference implementation of the bridge
+ vlan netlink interface accepted (iproute2 9eff0e5c)
+
+ Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
+ http://patchwork.ozlabs.org/patch/239602/
+ http://marc.info/?t=136680900700007
+
+ Apr 28th: Linus released 3.9
+
+ Apr 30th: Stephen released iproute2 3.9.0
+
+ The `bridge vlan show` command haven't been working since the switch to
+ ifinfomsg, or in a released version of iproute2. Since the kernel side
+ only supports rtgenmsg, which iproute2 switched away from just prior to
+ the iproute2 3.9.0 release.
+
+ I haven't been able to find any documentation, about neither rtgenmsg
+ nor ifinfomsg, and in which situation to use which, but kernel commit
+ 88c5b5ce seams to suggest that ifinfomsg should be used.
+
+ Fixing this in kernel will break compatibility, but I doubt that anybody
+ have been using it due to this bug in the user space reference
+ implementation, at least not without noticing this bug. That said the
+ functionality is still fully functional in 3.9, when reversing iproute2
+ commit 63338dca.
+
+ This could also be fixed in iproute2, but thats an ugly patch that would
+ reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
+ like rtgenmsg usage is discouraged. I'm assuming that the only reason
+ that Vlad implemented the kernel side to use rtgenmsg, was because
+ iproute2 was using it at the time.
+
+ Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
+ Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/rtnetlink.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8c7bc5bafddddff55ed4687203a977e96f72540a
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Aug 13 09:04:05 2013 +0200
+
+ Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
+
+ genetlink: fix family dump race
+
+ When dumping generic netlink families, only the first dump call
+ is locked with genl_lock(), which protects the list of families,
+ and thus subsequent calls can access the data without locking,
+ racing against family addition/removal. This can cause a crash.
+ Fix it - the locking needs to be conditional because the first
+ time around it's already locked.
+
+ A similar bug was reported to me on an old kernel (3.4.47) but
+ the exact scenario that happened there is no longer possible,
+ on those kernels the first round wasn't locked either. Looking
+ at the current code I found the race described above, which had
+ also existed on the old kernel.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/netlink/genetlink.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri Aug 9 16:25:21 2013 +0200
+
+ Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
+
+ net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
+
+ Probably this one is quite unlikely to be triggered, but it's more safe
+ to do the call_rcu() at the end after we have dropped the reference on
+ the asoc and freed sctp packet chunks. The reason why is because in
+ sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
+ we're unlucky enough we could run into corrupted pointers. Probably
+ that's more of theoretical nature, but it's safer to have this simple fix.
+
+ Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
+ for deferred call_rcu's"). I also did the 8c98653f regression test and
+ it's fine that way.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/transport.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 3925eab5483946fd746575a46f97bee9d566bb77
+Author: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Fri Aug 9 11:44:06 2013 +0200
+
+ Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
+
+ can: pcan_usb: fix wrong memcpy() bytes length
+
+ Fix possibly wrong memcpy() bytes length since some CAN records received from
+ PCAN-USB could define a DLC field in range [9..15].
+ In that case, the real DLC value MUST be used to move forward the record pointer
+ but, only 8 bytes max. MUST be copied into the data field of the struct
+ can_frame object of the skb given to the network core.
+
+ Cc: linux-stable <stable@vger.kernel.org>
+ Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c1ac6642baae4a400d1f87115024d1bb1ef53598
+Author: Linus Lüssing <linus.luessing@web.de>
+Date: Tue Aug 6 20:21:15 2013 +0200
+
+ Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
+
+ batman-adv: fix potential kernel paging errors for unicast transmissions
+
+ There are several functions which might reallocate skb data. Currently
+ some places keep reusing their old ethhdr pointer regardless of whether
+ they became invalid after such a reallocation or not. This potentially
+ leads to kernel paging errors.
+
+ This patch fixes these by refetching the ethdr pointer after the
+ potential reallocations.
+
+ Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+ Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+
+ net/batman-adv/bridge_loop_avoidance.c | 2 ++
+ net/batman-adv/gateway_client.c | 13 ++++++++++++-
+ net/batman-adv/gateway_client.h | 3 +--
+ net/batman-adv/soft-interface.c | 9 ++++++++-
+ net/batman-adv/unicast.c | 13 ++++++++++---
+ 5 files changed, 33 insertions(+), 7 deletions(-)
+
+commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
+Author: Yuchung Cheng <ycheng@google.com>
+Date: Fri Aug 9 17:21:27 2013 -0700
+
+ Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
+
+ netfilter: nf_conntrack: fix tcp_in_window for Fast Open
+
+ Currently the conntrack checks if the ending sequence of a packet
+ falls within the observed receive window. However it does so even
+ if it has not observe any packet from the remote yet and uses an
+ uninitialized receive window (td_maxwin).
+
+ If a connection uses Fast Open to send a SYN-data packet which is
+ dropped afterward in the network. The subsequent SYNs retransmits
+ will all fail this check and be discarded, leading to a connection
+ timeout. This is because the SYN retransmit does not contain data
+ payload so
+
+ end == initial sequence number (isn) + 1
+ sender->td_end == isn + syn_data_len
+ receiver->td_maxwin == 0
+
+ The fix is to only apply this check after td_maxwin is initialized.
+
+ Reported-by: Michael Chan <mcfchan@stanford.edu>
+ Signed-off-by: Yuchung Cheng <ycheng@google.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 1 12:36:57 2013 +0300
+
+ Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
+
+ netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
+
+ These structs have a "_pad" member. Also the "phw" structs have an 8
+ byte "hw_addr[]" array but sometimes only the first 6 bytes are
+ initialized.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_log.c | 6 +++++-
+ net/netfilter/nfnetlink_queue_core.c | 5 ++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Jul 25 10:46:46 2013 +0200
+
+ Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
+
+ netfilter: xt_TCPOPTSTRIP: fix possible off by one access
+
+ Fix a possible off by one access since optlen()
+ touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
+
+ This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
+ that stores the TCP header length, to save some cycles.
+
+ Reported-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++----
+ 1 files changed, 6 insertions(+), 4 deletions(-)
+
+commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Jul 25 10:37:49 2013 +0200
+
+ Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
+
+ netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
+
+ Make sure the packet has enough room for the TCP header and
+ that it is not malformed.
+
+ While at it, store tcph->doff*4 in a variable, as it is used
+ several times.
+
+ This patch also fixes a possible off by one in case of malformed
+ TCP options.
+
+ Reported-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
+ 1 files changed, 16 insertions(+), 12 deletions(-)
+
+commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
+Author: Dave Jones <davej@redhat.com>
+Date: Fri Aug 9 11:16:34 2013 -0700
+
+ Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
+
+ 8139cp: Fix skb leak in rx_status_loop failure path.
+
+ Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
+ ("8139cp: Add dma_mapping_error checking")
+
+ Signed-off-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/realtek/8139cp.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 227b279491a0bbcc70ca3654f34903282c378600
+Author: Timo Teräs <timo.teras@iki.fi>
+Date: Tue Aug 6 13:45:43 2013 +0300
+
+ Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
+
+ ip_gre: fix ipgre_header to return correct offset
+
+ Fix ipgre_header() (header_ops->create) to return the correct
+ amount of bytes pushed. Most callers of dev_hard_header() seem
+ to care only if it was success, but af_packet.c uses it as
+ offset to the skb to copy from userspace only once. In practice
+ this fixes packet socket sendto()/sendmsg() to gre tunnels.
+
+ Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
+ ("GRE: Refactor GRE tunneling code.")
+
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_gre.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon Aug 5 11:18:49 2013 -0700
+
+ Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
+
+ fib_trie: remove potential out of bound access
+
+ AddressSanitizer [1] dynamic checker pointed a potential
+ out of bound access in leaf_walk_rcu()
+
+ We could allocate one more slot in tnode_new() to leave the prefetch()
+ in-place but it looks not worth the pain.
+
+ Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
+
+ [1] :
+ https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
+
+ Reported-by: Andrey Konovalov <andreyknvl@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/fib_trie.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon Aug 5 12:49:35 2013 +0200
+
+ Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
+
+ net: esp{4,6}: fix potential MTU calculation overflows
+
+ Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
+ size calculation") introduced a possible interger overflow in
+ esp{4,6}_get_mtu() handlers in case of x->props.mode equals
+ XFRM_MODE_TUNNEL. Thus, the following expression will overflow
+
+ unsigned int net_adj;
+ ...
+ <case ipv{4,6} XFRM_MODE_TUNNEL>
+ net_adj = 0;
+ ...
+ return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
+ net_adj) & ~(align - 1)) + (net_adj - 2);
+
+ where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
+ context. Fix it by simply removing brackets as those operations here
+ do not need to have special precedence.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Benjamin Poirier <bpoirier@suse.de>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Acked-by: Benjamin Poirier <bpoirier@suse.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/esp4.c | 2 +-
+ net/ipv6/esp6.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit f02bce292d1c2fe610be509c96593e70b3de387b
+Author: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Mon Aug 5 16:47:38 2013 +0200
+
+ Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
+
+ net/vmw_vsock/af_vsock.c: drop unneeded semicolon
+
+ Drop the semicolon at the end of the list_for_each_entry loop header.
+
+ Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
+Author: Tiger Yang <tiger.yang@oracle.com>
+Date: Tue Aug 13 16:00:58 2013 -0700
+
+ Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
+
+ ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
+
+ Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
+ the struct file pointer, it finally result in a null pointer dereference
+ in ocfs2_duplicate_clusters_by_page.
+
+ This patch replace file pointer with inode pointer in
+ cow_duplicate_clusters to fix this issue.
+
+ [jeff.liu@oracle.com: rebased patch against linux-next tree]
+ Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
+ Signed-off-by: Jie Liu <jeff.liu@oracle.com>
+ Cc: Joel Becker <jlbec@evilplan.org>
+ Cc: Mark Fasheh <mfasheh@suse.com>
+ Acked-by: Tao Ma <tm@tao.ma>
+ Tested-by: David Weber <wb@munzinger.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/ocfs2/aops.c | 2 +-
+ fs/ocfs2/file.c | 6 ++--
+ fs/ocfs2/move_extents.c | 2 +-
+ fs/ocfs2/refcounttree.c | 53 +++++++---------------------------------------
+ fs/ocfs2/refcounttree.h | 6 ++--
+ 5 files changed, 16 insertions(+), 53 deletions(-)
+
+commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 15 15:52:57 2013 +0300
+
+ Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
+
+ tun: signedness bug in tun_get_user()
+
+ The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
+ not totally correct. Because "len" and "sizeof()" are size_t type, that
+ means they are never less than zero.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 26ad267ddda451919357965a0cf271ca24d1bcf2
+Author: Weiping Pan <wpan@redhat.com>
+Date: Tue Aug 13 21:46:56 2013 +0800
+
+ Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
+
+ tun: compare with 0 instead of total_len
+
+ Since we set "len = total_len" in the beginning of tun_get_user(),
+ so we should compare the new len with 0, instead of total_len,
+ or the if statement always returns false.
+
+ Signed-off-by: Weiping Pan <wpan@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
+Author: Guenter Roeck <linux@roeck-us.net>
+Date: Fri Aug 16 20:50:55 2013 -0700
+
+ Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
+
+ s390: Fix broken build
+
+ Fix this build error:
+
+ In file included from fs/exec.c:61:0:
+ arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
+ arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
+ arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
+ arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
+
+ Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
+ invalidation corner cases").
+
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+ [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/s390/include/asm/tlb.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4e57312c2de2a25ddb181d129dafbc0251062c33
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu Aug 15 11:42:25 2013 -0700
+
+ Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
+
+ Fix TLB gather virtual address range invalidation corner cases
+
+ Ben Tebulin reported:
+
+ "Since v3.7.2 on two independent machines a very specific Git
+ repository fails in 9/10 cases on git-fsck due to an SHA1/memory
+ failures. This only occurs on a very specific repository and can be
+ reproduced stably on two independent laptops. Git mailing list ran
+ out of ideas and for me this looks like some very exotic kernel issue"
+
+ and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
+ limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
+
+ That commit itself is not actually buggy, but what it does is to make it
+ much more likely to hit the partial TLB invalidation case, since it
+ introduces a new case in tlb_next_batch() that previously only ever
+ happened when running out of memory.
+
+ The real bug is that the TLB gather virtual memory range setup is subtly
+ buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
+ enable tlb flush range in generic mmu_gather"), and the range handling
+ was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
+ range flushed when __tlb_remove_page() runs out of slots"), but that fix
+ was not complete.
+
+ The problem with the TLB gather virtual address range is that it isn't
+ set up by the initial tlb_gather_mmu() initialization (which didn't get
+ the TLB range information), but it is set up ad-hoc later by the
+ functions that actually flush the TLB. And so any such case that forgot
+ to update the TLB range entries would potentially miss TLB invalidates.
+
+ Rather than try to figure out exactly which particular ad-hoc range
+ setup was missing (I personally suspect it's the hugetlb case in
+ zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
+ did), this patch just gets rid of the problem at the source: make the
+ TLB range information available to tlb_gather_mmu(), and initialize it
+ when initializing all the other tlb gather fields.
+
+ This makes the patch larger, but conceptually much simpler. And the end
+ result is much more understandable; even if you want to play games with
+ partial ranges when invalidating the TLB contents in chunks, now the
+ range information is always there, and anybody who doesn't want to
+ bother with it won't introduce subtle bugs.
+
+ Ben verified that this fixes his problem.
+
+ Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
+ Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
+ Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
+ Reviewed-by: Michal Hocko <mhocko@suse.cz>
+ Acked-by: Peter Zijlstra <peterz@infradead.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/arm/include/asm/tlb.h | 7 +++++--
+ arch/arm64/include/asm/tlb.h | 7 +++++--
+ arch/ia64/include/asm/tlb.h | 9 ++++++---
+ arch/s390/include/asm/tlb.h | 8 ++++++--
+ arch/sh/include/asm/tlb.h | 6 ++++--
+ arch/um/include/asm/tlb.h | 6 ++++--
+ fs/exec.c | 4 ++--
+ include/asm-generic/tlb.h | 2 +-
+ mm/hugetlb.c | 2 +-
+ mm/memory.c | 36 +++++++++++++++++++++---------------
+ mm/mmap.c | 4 ++--
+ 11 files changed, 57 insertions(+), 34 deletions(-)
+
+commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
+Merge: 5568c80 ffceabf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 09:11:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ffceabfcc65c60109ba5fca694d78d4dc7047809
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 09:10:44 2013 -0400
+
+ Update to pax-linux-3.10.7-test11.patch:
+ - simplified some arm code
+ - disabled preemption when calling show_regs, reported by Corey Minyard
+ - added PCID based support for UDEREF on amd64 (blog will have more details)
+ - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
+ - nopcid turns it off
+ - by default a strong form of UDEREF is used under PCID
+ - pax_weakuderef switches to the older, less secure UDEREF
+ - fixed several bugs that would also have manifested under SMAP
+ - INVPCID is used when available (Haswell)
+ - added a few more return insn instrumentation in new amd64 crypto code
+
+ Documentation/kernel-parameters.txt | 7 +
+ arch/arm/include/asm/uaccess.h | 3 +
+ arch/x86/crypto/blowfish-avx2-asm_64.S | 6 +
+ arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++
+ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
+ arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++
+ arch/x86/crypto/sha256-avx-asm.S | 2 +
+ arch/x86/crypto/sha256-avx2-asm.S | 2 +
+ arch/x86/crypto/sha256-ssse3-asm.S | 2 +
+ arch/x86/crypto/sha512-avx-asm.S | 2 +
+ arch/x86/crypto/sha512-avx2-asm.S | 2 +
+ arch/x86/crypto/sha512-ssse3-asm.S | 2 +
+ arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++
+ arch/x86/ia32/ia32_signal.c | 2 +-
+ arch/x86/ia32/ia32entry.S | 24 ++++-
+ arch/x86/include/asm/cpufeature.h | 3 +-
+ arch/x86/include/asm/fpu-internal.h | 2 +
+ arch/x86/include/asm/futex.h | 4 +
+ arch/x86/include/asm/mmu_context.h | 80 +++++++++++---
+ arch/x86/include/asm/pgtable.h | 10 +-
+ arch/x86/include/asm/processor.h | 15 +++-
+ arch/x86/include/asm/segment.h | 5 +-
+ arch/x86/include/asm/smap.h | 64 +++++++++++-
+ arch/x86/include/asm/tlbflush.h | 63 +++++++++--
+ arch/x86/include/asm/uaccess.h | 18 +++-
+ arch/x86/include/asm/xsave.h | 4 +
+ arch/x86/kernel/cpu/common.c | 38 +++++++
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++---
+ arch/x86/kernel/head_32.S | 2 +-
+ arch/x86/kernel/head_64.S | 8 +-
+ arch/x86/kernel/process_64.c | 5 +
+ arch/x86/kernel/setup.c | 8 +-
+ arch/x86/kernel/signal.c | 4 +-
+ arch/x86/kernel/smpboot.c | 15 ++-
+ arch/x86/lib/copy_user_64.S | 50 +--------
+ arch/x86/lib/copy_user_nocache_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 11 ++-
+ arch/x86/lib/memcpy_64.S | 4 +-
+ arch/x86/lib/memmove_64.S | 2 +-
+ arch/x86/lib/memset_64.S | 4 +-
+ arch/x86/lib/usercopy_64.c | 5 +-
+ arch/x86/mm/Makefile | 4 +
+ arch/x86/mm/fault.c | 29 ++++--
+ arch/x86/mm/init.c | 7 +-
+ arch/x86/mm/init_64.c | 9 ++-
+ arch/x86/mm/pageattr.c | 2 +-
+ arch/x86/mm/pgtable.c | 3 +
+ arch/x86/platform/efi/efi_32.c | 2 +-
+ arch/x86/platform/efi/efi_64.c | 2 +-
+ arch/x86/realmode/rm/trampoline_64.S | 1 +
+ fs/exec.c | 2 +
+ include/asm-generic/uaccess.h | 8 ++
+ include/linux/compat.h | 1 +
+ include/linux/preempt.h | 19 +++
+ include/linux/signal.h | 1 +
+ include/linux/smp.h | 2 +
+ init/main.c | 14 ++-
+ kernel/signal.c | 16 +++
+ security/Kconfig | 5 +
+ tools/lib/lk/Makefile | 2 +-
+ tools/perf/Makefile | 2 +-
+ 64 files changed, 673 insertions(+), 136 deletions(-)
+
+commit 5568c8059e78d6d002815409df4e90c83b3b08a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 08:58:34 2013 -0400
+
+ Fix two harmless compiler warnings
+
+ arch/arm/kernel/process.c | 4 ++--
+ fs/exec.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:55:24 2013 -0400
+
+ Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b
+
+ arch/arm/kernel/perf_event.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 3637bc893b57a227b01852fe34685ab237285b10
+Author: Stephen Boyd <sboyd@codeaurora.org>
+Date: Wed Aug 7 16:18:08 2013 -0700
+
+ Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
+
+ perf/arm: Fix armpmu_map_hw_event()
+
+ Fix constraint check in armpmu_map_hw_event().
+
+ Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/arm/kernel/perf_event.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 11802e1f961a088c39af58d1c1b14d861eedfb35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:53:30 2013 -0400
+
+ More ARM backports
+
+ arch/arm/kernel/entry-armv.S | 3 ++-
+ arch/arm/kernel/fiq.c | 8 ++------
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:46:01 2013 -0400
+
+ Fix HIDESYM compatibility with kprobes, as reported by feandil at:
+ http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
+
+ include/linux/kallsyms.h | 2 +-
+ kernel/kprobes.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
+Author: yonghua zheng <younghua.zheng@gmail.com>
+Date: Tue Aug 13 16:01:03 2013 -0700
+
+ fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
+
+ Recently we met quite a lot of random kernel panic issues after enabling
+ CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
+ to do with following bug in pagemap:
+
+ In struct pagemapread:
+
+ struct pagemapread {
+ int pos, len;
+ pagemap_entry_t *buffer;
+ bool v2;
+ };
+
+ pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
+ buffer, it is a mistake to compare pos and len in add_page_map() for
+ checking buffer is full or not, and this can lead to buffer overflow and
+ random kernel panic issue.
+
+ Correct len to be total number of PM_ENTRY_BYTES in buffer.
+
+ [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
+ Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/task_mmu.c
+
+ fs/proc/task_mmu.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 0a3dac834746de241c10d4978bf61b4f146ba89d
+Merge: dc19474 e12de30
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 17:39:01 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 17:34:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test9.patch:
+ - Emese fixed a size overflow false positive reported by Sven Vermeulen
+ - fixed some arm compile problems reported by spender
+ - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
+ eventually we'll have full REFCOUNT support on mips
+
+ arch/arm/kernel/process.c | 5 ++-
+ arch/arm/mm/Kconfig | 2 +-
+ arch/arm/mm/fault.c | 3 ++
+ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++
+ mm/internal.h | 2 +-
+ 5 files changed, 65 insertions(+), 4 deletions(-)
+
+commit dc19474d0ea6ea3c939544ae5f906067b1784a10
+Merge: 51b78c0 82266f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 21:47:37 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 82266f90a3f87ab5017329fb539aebf94c42253a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 21:14:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test9.patch
+
+ arch/arm/kernel/process.c | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
+
+commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
+Merge: e32d904 cb77ead
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 20:53:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
+Merge: 13675b8 519be45
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 20:50:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test8.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit e32d904b87292288e74e2637b900fd1115687b8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 10 09:41:40 2013 -0400
+
+ propagate the threadstack offset through to the topdown/bottomup allocators
+ on sparc64 hugepages
+
+ arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Thu Aug 8 18:55:32 2013 +0200
+
+ Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
+
+ another local DoS found in reaction to the one I reported,
+ we don't allow unpriv user ns use so this doesn't matter much to us
+
+ userns: limit the maximum depth of user_namespace->parent chain
+
+ Ensure that user_namespace->parent chain can't grow too much.
+ Currently we use the hardroded 32 as limit.
+
+ Reported-by: Andy Lutomirski <luto@amacapital.net>
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/user_namespace.h | 1 +
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 223ac007ef18bf3a5095ba0a56675c1f16200149
+Merge: 1c92de4 13675b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 8 20:45:24 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 13675b848cf02bffd26924b2b84d927095bc253d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 8 20:43:52 2013 -0400
+
+ Update to pax-linux-3.10.5-test8.patch:
+ - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
+ - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
+ - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>
+
+ arch/arm/include/asm/pgtable-2level.h | 4 +++-
+ arch/arm/mm/proc-v7-2level.S | 3 ---
+ arch/mips/mm/fault.c | 8 ++++++++
+ arch/x86/include/asm/processor.h | 3 ++-
+ include/linux/math64.h | 2 +-
+ security/Kconfig | 2 --
+ 6 files changed, 14 insertions(+), 8 deletions(-)
+
+commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
+Merge: e65aa3d 1660f49
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 18:50:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1660f496848b8400d263f7920989dae15e72185a
+Merge: 7f91ba1 dc51cd2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 18:50:12 2013 -0400
+
+ Update to pax-linux-3.10.5-test7.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/head_64.S
+ mm/mempolicy.c
+
+commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:58:42 2013 -0400
+
+ Disable RANDKSTACK for a VirtualBox host as mentioned on the
+ gentoo-hardened bugzilla:
+ https://bugs.gentoo.org/show_bug.cgi?id=382793
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jul 30 13:23:39 2013 +0300
+
+ Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
+
+ net_sched: info leak in atm_tc_dump_class()
+
+ The "pvc" struct has a hole after pvc.sap_family which is not cleared.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sched/sch_atm.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri Aug 2 11:32:43 2013 +0200
+
+ Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
+
+ net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
+
+ Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
+ resource that was allocated via inet_alloc_ifa() unfreed when returning
+ the function with -EINVAL. Thus, free it first via inet_free_ifa().
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/devinet.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
+Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
+Date: Fri Aug 2 23:15:56 2013 -0400
+
+ Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
+
+ qlcnic: Free up memory in error path.
+
+ Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
+ Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
+Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
+Date: Fri Aug 2 23:15:54 2013 -0400
+
+ Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
+
+ qlcnic: Fix MAC address filter issue on 82xx adapter
+
+ Driver was passing the address of a pointer instead of
+ the pointer itself.
+
+ Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:26:40 2013 -0400
+
+ Move user namespace capability check to shared create_user_ns code so we
+ cover unshare() as well.
+
+ Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
+ user namespaces!
+
+ kernel/fork.c | 17 -----------------
+ kernel/user_namespace.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 22 insertions(+), 19 deletions(-)
+
+commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 16:05:41 2013 -0400
+
+ silence a warning on older gcc
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b8966a5d577e9220fbc63306eee978f819f24e2e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 3 08:31:08 2013 -0400
+
+ we only care about mmaps of the beginning of an ELF, filter out
+ all others as suggested by pipacs
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:54:51 2013 -0400
+
+ add include
+
+ grsecurity/grsec_log.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:49:13 2013 -0400
+
+ fix compilation
+
+ include/linux/grinternal.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1704c23fdc55b68f512dc9927940e72237f3f43e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:34:35 2013 -0400
+
+ Improve PaX reporting (tells when anon mapping is stack or heap)
+ Remove textrel logging option, combine into rwx logging option
+ Enhance RWX logging option to display when PT_GNU_STACK-enabled library
+ is loaded under an MPROTECTed binary
+ Enhance RWX mprotect logging to display stack/heap instead of just
+ anon mapping
+
+ fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
+ fs/exec.c | 4 ++++
+ grsecurity/Kconfig | 21 +++++----------------
+ grsecurity/grsec_init.c | 4 ----
+ grsecurity/grsec_log.c | 14 ++++++++++++++
+ grsecurity/grsec_pax.c | 19 ++++++++++++++-----
+ grsecurity/grsec_sysctl.c | 9 ---------
+ include/linux/binfmts.h | 1 +
+ include/linux/grinternal.h | 2 +-
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 3 ++-
+ mm/mmap.c | 7 +++++++
+ mm/mprotect.c | 2 +-
+ 13 files changed, 88 insertions(+), 38 deletions(-)
+
+commit faf81c100c8565524e21c9af780a0ad2ce3fd925
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:52:02 2013 -0400
+
+ add missing #define
+
+ grsecurity/gracl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:43:53 2013 -0400
+
+ fix compilation for !COMPAT as reported on the forums
+
+ grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
+ 1 files changed, 97 insertions(+), 98 deletions(-)
+
+commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
+Merge: 65019c9 7f91ba1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 65019c9bd05f860437071cbf00e2027fd2d68615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:20 2013 -0400
+
+ Revert "revert recent PaX change that causes boot failures with 32bit userland"
+
+ This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:46:00 2013 -0400
+
+ Update to pax-linux-3.10.4-test7.patch:
+ - added a few more missing format strings
+ - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
+ - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
+ - fixed a UDEREF/i386 regression, __get_user_8 would always fail
+
+ arch/x86/include/asm/processor.h | 4 +-
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/dumpstack.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/reboot_fixups_32.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/lib/getuser.S | 4 +-
+ arch/x86/xen/smp.c | 2 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++--
+ drivers/video/backlight/backlight.c | 2 +-
+ drivers/video/backlight/lcd.c | 2 +-
+ fs/binfmt_elf.c | 51 +++++++++++++++++++++++++---
+ fs/exec.c | 50 +++++++++++++--------------
+ include/linux/sched.h | 2 +
+ 14 files changed, 88 insertions(+), 47 deletions(-)
+
+commit 043130da54cb7cc8dc44e0ce889d426e889a0532
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 16:26:58 2013 -0400
+
+ compile fix for !COMPAT as mentioned on forums
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ed0a195abd4e41c2449a020a53a19c74dc866d78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:33:14 2013 -0400
+
+ perform compat conversion of rlimit infinity
+
+ grsecurity/gracl_compat.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:21:40 2013 -0400
+
+ remove debugging
+
+ grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
+ 1 files changed, 11 insertions(+), 33 deletions(-)
+
+commit e75b3f504692b97960a7530ad0855d91441d79c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:20:32 2013 -0400
+
+ eliminate compat_dev_t
+
+ include/linux/gracl_compat.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit e5abbaf95313066a724e1a843d4fc902a9a6450e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:13:22 2013 -0400
+
+ fix compat rlimit size
+
+ grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
+ include/linux/gracl_compat.h | 4 +-
+ 2 files changed, 49 insertions(+), 23 deletions(-)
+
+commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:20:18 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:14:29 2013 -0400
+
+ copy correct pointer size in new compat code
+
+ grsecurity/gracl.c | 8 ++++----
+ grsecurity/gracl_compat.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 23278a1ee1c7738dd1e7005241394d32b82196e4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:48:58 2013 -0400
+
+ revert recent PaX change that causes boot failures with 32bit userland
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit ec27f71a813656fea8ab37faecb2b485fe99d08e
+Merge: 3a11bcf 05f0a61
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:42:21 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:41:44 2013 -0400
+
+ Update to pax-linux-3.10.4-test6.patch:
+ - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender
+
+ include/linux/syscalls.h | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:15:50 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl_compat.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:12:46 2013 -0400
+
+ remove BUILD_BUG_ONs
+
+ grsecurity/gracl_compat.c | 20 --------------------
+ 1 files changed, 0 insertions(+), 20 deletions(-)
+
+commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:18:36 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl_compat.c | 8 ++++----
+ include/linux/gracl_compat.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 8b744005f8bae565e24c1fd88af77e6e619b9434
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:16:42 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_compat.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:13:51 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit b93b829afcc98b6108b18d99ff63c53642d0b951
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:11:03 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl_compat.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:08:21 2013 -0400
+
+ more compile fixes
+
+ grsecurity/gracl.c | 28 ++++++++++++++--------------
+ 1 files changed, 14 insertions(+), 14 deletions(-)
+
+commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:59:50 2013 -0400
+
+ more compile fixes
+
+ grsecurity/gracl.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:56:47 2013 -0400
+
+ additional compile fixes
+
+ grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 files changed, 49 insertions(+), 10 deletions(-)
+
+commit ac695a081d1124fb28bec46814535d34c5e40611
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:47:15 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:46:59 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 14 deletions(-)
+
+commit 82631f451cc7432b6c5578cf8d24155473feb25c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:22:44 2013 -0400
+
+ Initial commit of compat RBAC loading
+ Permits 32bit gradm to load policy for a 64bit kernel
+
+ Also removed code duplication for copying strings into the kernel
+
+ Work performed as part of sponsorship
+
+ grsecurity/Makefile | 4 +
+ grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
+ grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
+ include/linux/gracl_compat.h | 156 +++++++++++++++++++++
+ 4 files changed, 603 insertions(+), 142 deletions(-)
+
+commit 84c4a433dfb096e4a1162ee5e68025122c70b421
+Merge: c9d3ed3 9fe5897
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 17:08:56 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9fe58978938e357642885866ca48090a7753d403
+Merge: 8f693ad 6f7bb6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 17:08:43 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
+Merge: d5e5bfd 8f693ad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 28 10:03:08 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8f693ade9b3e448f92706d34148b00a087637f70
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 28 10:02:16 2013 -0400
+
+ Update to pax-linux-3.10.3-test5.patch:
+ - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
+ - fixed handling of faulting userland accesses for UDEREF/arm, from spender
+ - updated the size overflow hash table, from Emese
+
+ arch/arm/kernel/entry-armv.S | 3 +-
+ arch/x86/include/asm/processor.h | 4 +-
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++----
+ 7 files changed, 513 insertions(+), 55 deletions(-)
+
+commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
+Merge: 19e077b 8a8a0d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 21:05:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 21:04:09 2013 -0400
+
+ Update to pax-linux-3.10.3-test4.patch:
+ - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
+ this is finer grained sanitization than the existing per-page based approach (which
+ is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
+ line option can be used to enable/disable it on boot (it's enabled by default when
+ CONFIG_PAX_MEMORY_SANITIZE is enabled).
+
+ Documentation/kernel-parameters.txt | 4 ++++
+ fs/buffer.c | 2 +-
+ fs/dcache.c | 3 ++-
+ include/linux/slab.h | 7 +++++++
+ include/linux/slab_def.h | 4 ++++
+ kernel/fork.c | 2 +-
+ mm/rmap.c | 6 ++++--
+ mm/slab.c | 27 +++++++++++++++++++++++++++
+ mm/slab.h | 12 +++++++++++-
+ mm/slab_common.c | 14 ++++++++++++++
+ mm/slob.c | 5 +++++
+ mm/slub.c | 11 +++++++++++
+ net/core/skbuff.c | 6 ++++--
+ security/Kconfig | 23 +++++++++++++++++------
+ 14 files changed, 112 insertions(+), 14 deletions(-)
+
+commit 19e077bfff54ca211d0142c07cb6dd88069a390c
+Merge: 960ec51 c8f7f51
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 19:53:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c8f7f51591207b82530214300e86277028919286
+Merge: d5142e3 81a4648
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 19:52:29 2013 -0400
+
+ Update to pax-linux-3.10.3-test3.patch:
+ - fixed some compile issues reported by Michael Tremer and spender
+ - fixed an i386 regression with the lower address space gap on i386, reported by cnu
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ kernel/time/tick-broadcast.c
+
+commit 960ec51ab2142544fbae563d4fd5744775408965
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Jul 20 03:13:55 2013 +0400
+
+ Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
+
+ livelock avoidance in sget()
+
+ Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
+ to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive,
+ ->s_active is 1. Along comes two more processes, trying to mount the same
+ thing; sget() in each is picking that superblock, bumping ->s_count and
+ trying to grab ->s_umount. ->s_active is 3 now. Original mount(2)
+ finally gets to deactivate_locked_super() on failure; ->s_active is 2,
+ superblock is still ->fs_supers because shutdown will *not* happen until
+ ->s_active hits 0. ->s_umount is dropped and now we have two processes
+ chasing each other:
+ s_active = 2, A acquired ->s_umount, B blocked
+ A sees that the damn thing is stillborn, does deactivate_locked_super()
+ s_active = 1, A drops ->s_umount, B gets it
+ A restarts the search and finds the same superblock. And bumps it ->s_active.
+ s_active = 2, B holds ->s_umount, A blocked on trying to get it
+ ... and we are in the earlier situation with A and B switched places.
+
+ The root cause, of course, is that ->s_active should not grow until we'd
+ got MS_BORN. Then failing ->mount() will have deactivate_locked_super()
+ shut the damn thing down. Fortunately, it's easy to do - the key point
+ is that grab_super() is called only for superblocks currently on ->fs_supers,
+ so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
+ bump ->s_active; we must never increment ->s_count for superblocks past
+ ->kill_sb(), but grab_super() is never called for those.
+
+ The bug is pretty old; we would've caught it by now, if not for accidental
+ exclusion between sget() for block filesystems; the things like cgroup or
+ e.g. mtd-based filesystems don't have anything of that sort, so they get
+ bitten. The right way to deal with that is obviously to fix sget()...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/super.c | 25 ++++++++++---------------
+ 1 files changed, 10 insertions(+), 15 deletions(-)
+
+commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
+Merge: ab95b58 d5142e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:47:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
+Merge: f36ae8c 0f4a56e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:47:34 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit ab95b5842899d61ff5c30f4582e72029b3155be8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:28:40 2013 -0400
+
+ compile fix with constification reported by Michael Tremer
+
+ drivers/gpu/host1x/drm/dc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 817cd2d1e7a55720326599dd8f542578eef30927
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Jul 12 23:46:33 2013 +0200
+
+ Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
+
+ ipv6: only static routes qualify for equal cost multipathing
+
+ Static routes in this case are non-expiring routes which did not get
+ configured by autoconf or by icmpv6 redirects.
+
+ To make sure we actually get an ecmp route while searching for the first
+ one in this fib6_node's leafs, also make sure it matches the ecmp route
+ assumptions.
+
+ v2:
+ a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
+ already ensures that this route, even if added again without
+ RTF_EXPIRES (in case of a RA announcement with infinite timeout),
+ does not cause the rt6i_nsiblings logic to go wrong if a later RA
+ updates the expiration time later.
+
+ v3:
+ a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
+ because an pmtu event could update the RTF_EXPIRES flag and we would
+ not count this route, if another route joins this set. We now filter
+ only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
+ don't get changed after rt6_info construction.
+
+ Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_fib.c | 15 +++++++++++----
+ 1 files changed, 11 insertions(+), 4 deletions(-)
+
+commit 77db8196d51b043e2e2d124094da101b0f01bccb
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Jul 12 09:39:03 2013 +0300
+
+ Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
+
+ svcrdma: underflow issue in decode_write_list()
+
+ My static checker marks everything from ntohl() as untrusted and it
+ complains we could have an underflow problem doing:
+
+ return (u32 *)&ary->wc_array[nchunks];
+
+ Also on 32 bit systems the upper bound check could overflow.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
+ 1 files changed, 14 insertions(+), 6 deletions(-)
+
+commit 926473317fd7953137ef97835edd36dabc584b01
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 17 21:29:02 2013 -0400
+
+ add missing asm/pgtable.h include, reported by Michael Tremer
+
+ drivers/clk/socfpga/clk.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c592ae0001b31932ef1491784dfa374058797c66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 16 20:40:24 2013 -0400
+
+ allow viewing of ecryptfs version under SYSFS_RESTRICT
+
+ fs/sysfs/dir.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
+Merge: 9c96441 f36ae8c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:23:13 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f36ae8c741ae32b1caff10825be12c327792c925
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:22:15 2013 -0400
+
+ Update to pax-linux-3.10-test2.patch:
+ - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
+ - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
+ - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
+ - spender fixed an madvise regression, reported by Peter Keel
+ - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
+ - fixed a headers_install regression, reported by Mathias Krause
+ - fixed a SLOB compile regression, reported by Mathias Krause
+
+ arch/arm/include/asm/uaccess.h | 4 ++--
+ arch/arm/mm/mmu.c | 15 +++++++++++++--
+ drivers/clk/socfpga/clk.c | 6 ++++--
+ mm/madvise.c | 4 ++--
+ mm/slab.c | 4 ++--
+ mm/slob.c | 4 ++--
+ scripts/headers_install.sh | 2 +-
+ 7 files changed, 26 insertions(+), 13 deletions(-)
+
+commit 9c9644156a49637050741d9165df79174e59b0ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:19:54 2013 -0400
+
+ Fix sparc64 compilation, reported by Blake Self
+
+ arch/sparc/kernel/sys_sparc_64.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:49:17 2013 -0400
+
+ Update PaX fix, just return the error
+
+ mm/madvise.c | 15 +++++++--------
+ 1 files changed, 7 insertions(+), 8 deletions(-)
+
+commit a10e377d0eddd37e8a3665b135e546ab03d9d171
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:36:00 2013 -0400
+
+ Fix madvise oops reported by Peter Keel
+
+ mm/madvise.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+commit 08c5adca34d408772255b313f90d82c250c1d967
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:26:34 2013 -0400
+
+ don't make high vector mapping non-present on old ARM architectures, no
+ point in emulating some vector entries when the processor doesn't even support XN
+
+ arch/arm/mm/mmu.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 2b40781d4197a89a003616af584884e36361c5b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 09:51:58 2013 -0400
+
+ Temporary compile fix for code incorrectly modifying const data
+ Wrap a cast version of the code with open/close
+
+ Thanks to Michael Tremer for the report
+
+ drivers/clk/socfpga/clk.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit a8258c1b4098c396cd4ea719e20858182feac1c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 09:41:16 2013 -0400
+
+ Fix missing right parens in pipacs' "improvement" of my ARM code ;)
+ Thanks to Michael Tremer for reporting
+
+ arch/arm/include/asm/uaccess.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
+Merge: 86f446e 2577f8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jul 13 20:46:58 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ mm/memcontrol.c
+
+commit 2577f8e4ec41efb347706a59c6838de20f0c90da
+Merge: 75a36f0 cb5d8be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jul 13 20:43:42 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ crypto/algapi.c
+ drivers/block/nbd.c
+
+commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jul 12 23:02:11 2013 -0400
+
+ we always want the vector page to be noaccess for userland
+ therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
+ which turns into supervisor rwx, userland rx, we instead omit that entirely,
+ leaving it as supervisor rwx only
+
+ Fixes booting on ARMv5 and earlier, which need to write directly
+ to the high vector mapping via set_tls when context switching
+
+ Thanks to Michael Tremer for the bugreport
+
+ arch/arm/mm/mmu.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit 90cd0827eef656ec884f19c977873fefe2f2e47d
+Author: Cong Wang <amwang@redhat.com>
+Date: Sat Jun 29 12:02:59 2013 +0800
+
+ Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
+
+ gre: fix a regression in ioctl
+
+ When testing GRE tunnel, I got:
+
+ # ip tunnel show
+ get tunnel gre0 failed: Invalid argument
+ get tunnel gre1 failed: Invalid argument
+
+ This is a regression introduced by commit c54419321455631079c7d
+ ("GRE: Refactor GRE tunneling code.") because previously we
+ only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
+ after that commit, the check is moved for all commands.
+
+ So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
+
+ After this patch I got:
+
+ # ip tunnel show
+ gre0: gre/ip remote any local any ttl inherit nopmtudisc
+ gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit
+
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_gre.c | 9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
+Author: Cong Wang <amwang@redhat.com>
+Date: Sat Jun 29 13:00:57 2013 +0800
+
+ Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
+
+ vti: remove duplicated code to fix a memory leak
+
+ vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
+ and in vti_tunnel_init(), this lead to a memory leak of
+ dev->tstats.
+
+ Just remove the duplicated operations in vti_fb_tunnel_init().
+
+ (candidate for -stable)
+
+ Cc: Stephen Hemminger <stephen@networkplumber.org>
+ Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_vti.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:05 2013 +0200
+
+ Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
+
+ bnx2x: remove zeroing of dump data buffer
+
+ There is no need to initialize the dump data with zeros.
+ data is allocated with vzalloc, so it's already zero-filled.
+
+ More importantly, the memset is harmful, because dump->len (the length
+ requested by userspace) can be bigger than the allocated buffer (whose
+ size is determined by asking the driver's .get_dump_flag method).
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit c771072b72c261f9bddd6734dca6979c1b96e7df
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:06 2013 +0200
+
+ Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
+
+ bnx2x: fix dump flag handling
+
+ bnx2x interprets the dump flag as an index of a register preset.
+ It is important to validate the index to avoid out of bounds
+ memory accesses.
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+commit aed315c8fad9b2044143b46b239574b1b72135ce
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:30 2013 +0200
+
+ Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
+
+ ethtool: make .get_dump_data() harder to misuse by drivers
+
+ As the patch "bnx2x: remove zeroing of dump data buffer" showed,
+ it is too easy implement .get_dump_data incorrectly in a driver.
+
+ Let's make sure drivers cannot get confused by userspace requesting
+ a too big dump.
+
+ Also WARN if the driver sets dump->len to something weird and make
+ sure the length reported to userspace is the actual length of data
+ copied to userspace.
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/ethtool.c | 21 ++++++++++++++++++++-
+ 1 files changed, 20 insertions(+), 1 deletions(-)
+
+commit 5c57991e66216e386dcc875d34c33f0edd038569
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Jul 2 09:02:07 2013 +0800
+
+ Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
+
+ l2tp: add missing .owner to struct pppox_proto
+
+ Add missing .owner of struct pppox_proto. This prevents the
+ module from being removed from underneath its users.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
+Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Sun Jun 30 14:37:11 2013 +1000
+
+ Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
+
+ cxgb3: Missing rtnl lock in error recovery
+
+ When exercising error injection on IBM pseries machine, I hit the
+ following warning:
+
+ [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
+ [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
+ [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
+ [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031)
+ [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
+ [ 254.895474] Call Trace:
+ [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
+ [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
+ [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
+ [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
+ [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
+ [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
+ [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
+ [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
+ [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
+ [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
+ [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
+
+ It appears that t3_resume_ports() is called with the rtnl_lock held from
+ the fatal error task but not from the PCI error callbacks. This fixes it.
+
+ Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Jul 1 20:21:30 2013 +0200
+
+ Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
+
+ ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
+
+ We accidentally call down to ip6_push_pending_frames when uncorking
+ pending AF_INET data on a ipv6 socket. This results in the following
+ splat (from Dave Jones):
+
+ skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
+ ------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:126!
+ invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+ Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
+ +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
+ CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
+ task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
+ RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
+ RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
+ RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
+ RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
+ RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
+ R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
+ FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
+ Stack:
+ ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
+ ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
+ ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
+ Call Trace:
+ [<ffffffff8159a9aa>] skb_push+0x3a/0x40
+ [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
+ [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
+ [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
+ [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
+ [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
+ [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
+ [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
+ [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
+ [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
+ [<ffffffff816f5d54>] tracesys+0xdd/0xe2
+ Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
+ RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
+ RSP <ffff8801e6431de8>
+
+ This patch adds a check if the pending data is of address family AF_INET
+ and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
+ if that is the case.
+
+ This bug was found by Dave Jones with trinity.
+
+ (Also move the initialization of fl6 below the AF_INET check, even if
+ not strictly necessary.)
+
+ Cc: Dave Jones <davej@redhat.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/udp.h | 1 +
+ net/ipv4/udp.c | 3 ++-
+ net/ipv6/udp.c | 7 ++++++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+commit cd83094a85d9bbd5a67332156407d53cf8835432
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Jul 2 08:04:05 2013 +0200
+
+ Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
+
+ ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
+
+ If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
+ of this when appending the second frame on a corked socket. This results
+ in the following splat:
+
+ [37598.993962] ------------[ cut here ]------------
+ [37598.994008] kernel BUG at net/core/skbuff.c:2064!
+ [37598.994008] invalid opcode: 0000 [#1] SMP
+ [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
+ +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
+ +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
+ [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
+ +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
+ [37598.994008] CPU 0
+ [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
+ [37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+ [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
+ [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
+ [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
+ [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
+ [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
+ [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
+ [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
+ [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
+ [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
+ [37598.994008] Stack:
+ [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
+ [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
+ [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
+ [37598.994008] Call Trace:
+ [37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
+ [37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
+ [37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
+ [37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
+ [37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
+ [37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
+ [37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
+ [37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
+ [37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
+ [37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
+ [37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
+ [37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
+ [37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
+ [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
+ [37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+ [37598.994008] RSP <ffff88003670da18>
+ [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
+
+ While there, also check if path mtu discovery is activated for this
+ socket. The logic was adapted from ip6_append_data when first writing
+ on the corked socket.
+
+ This bug was introduced with commit
+ 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
+ fragment").
+
+ v2:
+ a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
+ b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
+ feng, thanks!).
+ c) Change mtu to unsigned int, else we get a warning about
+ non-matching types because of the min()-macro type-check.
+
+ Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 16 ++++++++++------
+ 1 files changed, 10 insertions(+), 6 deletions(-)
+
+commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jul 7 14:26:53 2013 +0300
+
+ Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
+
+ vhost-net: fix use-after-free in vhost_net_flush
+
+ vhost_net_ubuf_put_and_wait has a confusing name:
+ it will actually also free it's argument.
+ Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
+ "vhost-net: flush outstanding DMAs on memory change"
+ vhost_net_flush tries to use the argument after passing it
+ to vhost_net_ubuf_put_and_wait, this results
+ in use after free.
+ To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
+ add an new API for callers that want to free ubufs.
+
+ Acked-by: Asias He <asias@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/vhost/net.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 088806db74ac2f08c106202bc5498585a9ee529f
+Author: Michal Hocko <mhocko@suse.cz>
+Date: Mon Jul 8 16:00:29 2013 -0700
+
+ Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
+
+ memcg, kmem: fix reference count handling on the error path
+
+ mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
+ This is not correct because only memcg_propagate_kmem takes an
+ additional reference while mem_cgroup_sockets_init is allowed to fail as
+ well (although no current implementation fails) but it doesn't take any
+ reference. This all suggests that it should be memcg_propagate_kmem
+ that should clean up after itself so this patch moves mem_cgroup_put
+ over there.
+
+ Unfortunately this is not that easy (as pointed out by Li Zefan) because
+ memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
+ marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
+ memcg_propagate_kmem fails so the additional reference is dropped in
+ that case in kmem_cgroup_destroy which means that the reference would be
+ dropped two times.
+
+ The easiest way then would be to simply remove mem_cgrroup_put from
+ mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
+ thing.
+
+ Signed-off-by: Michal Hocko <mhocko@suse.cz>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: Glauber Costa <glommer@openvz.org>
+ Cc: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: <stable@vger.kernel.org> [3.8]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/memcontrol.c | 8 --------
+ 1 files changed, 0 insertions(+), 8 deletions(-)
+
+commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
+Author: Michal Hocko <mhocko@suse.cz>
+Date: Mon Jul 8 16:00:27 2013 -0700
+
+ Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
+
+ Revert "memcg: avoid dangling reference count in creation failure"
+
+ This reverts commit e4715f01be697a.
+
+ mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
+ an additional reference from all parents so the additional
+ mem_cgrroup_put(parent) potentially causes use-after-free.
+
+ Signed-off-by: Michal Hocko <mhocko@suse.cz>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: Glauber Costa <glommer@openvz.org>
+ Cc: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: <stable@vger.kernel.org> [3.9+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/memcontrol.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit 3267ec559f48327a1836eccecd53215afc5810d0
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jun 20 13:13:59 2013 -0700
+
+ Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
+
+ libceph: Fix NULL pointer dereference in auth client code
+
+ A malicious monitor can craft an auth reply message that could cause a
+ NULL function pointer dereference in the client's kernel.
+
+ To prevent this, the auth_none protocol handler needs an empty
+ ceph_auth_client_ops->build_request() function.
+
+ CVE-2013-1059
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Chanam Park <chanam.park@hkpco.kr>
+ Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
+ Reviewed-by: Sage Weil <sage@inktank.com>
+ Cc: stable@vger.kernel.org
+
+ net/ceph/auth_none.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit cdfeb4049e7cb38702215b2c356ce0407974ac79
+Author: Eric Paris <eparis@redhat.com>
+Date: Wed Jul 3 15:08:29 2013 -0700
+
+ Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
+
+ fork: reorder permissions when violating number of processes limits
+
+ When a task is attempting to violate the RLIMIT_NPROC limit we have a
+ check to see if the task is sufficiently priviledged. The check first
+ looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
+
+ A result is that tasks which are allowed by the uid=0 check are first
+ checked against the security subsystem. This results in the security
+ subsystem auditting a denial for sys_admin and sys_resource and then the
+ task passing the uid=0 check.
+
+ This patch rearranges the code to first check uid=0, since if we pass that
+ we shouldn't hit the security system at all. We then check sys_resource,
+ since it is the smallest capability which will solve the problem. Lastly
+ we check the fallback everything cap_sysadmin. We don't want to give this
+ capability many places since it is so powerful.
+
+ This will eliminate many of the false positive/needless denial messages we
+ get when a root task tries to violate the nproc limit. (note that
+ kthreads count against root, so on a sufficiently large machine we can
+ actually get past the default limits before any userspace tasks are
+ launched.)
+
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/fork.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 08c87e049c8a50707908785d950fd48c334f4c09
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Sat Jun 22 13:26:09 2013 +0800
+
+ Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
+
+ arch: sparc: kernel: check the memory length before use strcpy().
+
+ For the related next strcpy(), the destination length is less than 512,
+ but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
+ more than 512.
+
+ One work flow may:
+ openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT)
+ getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'.
+ opromsetopt() -> devide the buffer into 'var' and 'value'
+ of_set_property() -> pass
+ prom_setprop() -> pass
+ ldom_set_var()
+
+ And do not mind the additional 4 alignment buffer increasing, since
+ 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/kernel/ds.c | 10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jul 12 20:38:45 2013 -0400
+
+ Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
+
+ Unlike slub, slab can initally create two of the kmalloc_caches
+ which will be used later for generic kmallocs of their particular
+ aligned size (since the later loop in the unified allocator code
+ skips any already-existing kmalloc_caches)
+
+ mm/slab.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 22:04:59 2013 -0400
+
+ compile fixes
+
+ fs/exec.c | 2 +-
+ mm/mmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit e2d027c7e0f106be683c0c72482b8285daefcbe6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:58:40 2013 -0400
+
+ commit successful merges
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 3 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/signal.c | 9 +-
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 9 +-
+ arch/x86/kernel/sys_x86_64.c | 8 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 1 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 129 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/block/cpqarray.c | 1 +
+ drivers/cdrom/cdrom.c | 4 +-
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/mwave/tp3780i.c | 1 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 9 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 184 ++-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/resize.c | 17 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 234 ++-
+ fs/namespace.c | 16 +
+ fs/notify/fanotify/fanotify_user.c | 1 +
+ fs/open.c | 38 +
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 ++-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 4 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/perf_event.h | 13 +-
+ include/linux/printk.h | 3 +-
+ include/linux/sched.h | 24 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/events/core.c | 14 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 64 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 2 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 7 +
+ kernel/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 70 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 1 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 63 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev_ioctl.c | 4 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 4 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netrom/af_netrom.c | 1 -
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 343 +++-
+ security/apparmor/Kconfig | 9 +
+ security/apparmor/apparmorfs.c | 231 ++
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 242 files changed, 4385 insertions(+), 2042 deletions(-)
+
+commit 043a378c0f72ed92cc30182c48abce39867ac93f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:57:40 2013 -0400
+
+ Commit merge of new files and rejected patches
+
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/powerpc/include/asm/thread_info.h | 7 +-
+ arch/powerpc/mm/slice.c | 2 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 15 +
+ fs/coredump.c | 1 +
+ fs/ext4/balloc.c | 4 +-
+ fs/namei.c | 7 +
+ fs/namespace.c | 8 +
+ fs/pipe.c | 2 +-
+ fs/proc/inode.c | 13 +
+ fs/proc/internal.h | 3 +
+ grsecurity/Kconfig | 1054 +++++++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 ++++
+ grsecurity/gracl_ip.c | 387 +++
+ grsecurity/gracl_learn.c | 207 ++
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 +++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 +++
+ grsecurity/grsec_disabled.c | 434 ++++
+ grsecurity/grsec_exec.c | 187 ++
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 +++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 +++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 246 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 ++++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/gracl.h | 319 +++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 ++
+ include/linux/grinternal.h | 227 ++
+ include/linux/grmsg.h | 112 +
+ include/linux/grsecurity.h | 241 ++
+ include/linux/grsock.h | 19 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/proc_fs.h | 13 +
+ include/linux/sched.h | 48 +-
+ include/trace/events/fs.h | 53 +
+ kernel/kmod.c | 7 +-
+ kernel/panic.c | 2 +-
+ kernel/posix-timers.c | 1 +
+ kernel/time/timekeeping.c | 2 +
+ lib/Kconfig.debug | 2 +-
+ lib/vsprintf.c | 31 +
+ localversion-grsec | 1 +
+ mm/mmap.c | 13 +-
+ mm/shmem.c | 2 +-
+ net/core/net-procfs.c | 5 +
+ net/ipv6/udp.c | 3 +
+ net/netfilter/xt_gradm.c | 51 +
+ 66 files changed, 11184 insertions(+), 21 deletions(-)
+
+commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 17:35:47 2013 -0400
+
+ Initial import of pax-linux-3.10-test1.patch
+
+ Documentation/dontdiff | 46 +-
+ Documentation/kernel-parameters.txt | 12 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 444 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 14 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 15 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
+ arch/arm/mach-ux500/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 91 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 30 +-
+ arch/arm/mm/mmu.c | 187 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 13 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 +
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 4 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/efi_stub_32.S | 16 +-
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 22 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 4 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 +-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 67 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/include/asm/page_64.h | 4 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 122 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 33 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 28 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 61 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 +-
+ arch/x86/kernel/entry_64.S | 548 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 13 +-
+ arch/x86/kernel/head_32.S | 237 +-
+ arch/x86/kernel/head_64.S | 143 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 55 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 2 +
+ arch/x86/kernel/setup.c | 21 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 184 +
+ arch/x86/kernel/sys_x86_64.c | 22 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 61 +-
+ arch/x86/kvm/x86.c | 8 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 70 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 363 +-
+ arch/x86/lib/usercopy_64.c | 13 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 556 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 98 +-
+ arch/x86/mm/init_32.c | 113 +-
+ arch/x86/mm/init_64.c | 38 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pat_rbtree.c | 2 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 24 +
+ arch/x86/platform/efi/efi_64.c | 10 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 11 +-
+ arch/x86/realmode/init.c | 10 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/Makefile | 2 +-
+ arch/x86/tools/relocs.c | 94 +-
+ arch/x86/um/tls_32.c | 2 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/genhd.c | 11 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/algapi.c | 2 +-
+ crypto/cryptd.c | 4 +-
+ crypto/pcrypt.c | 6 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/attribute_container.c | 2 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 8 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/nbd.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 11 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 4 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 45 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clk/clk-composite.c | 2 +-
+ drivers/clocksource/arm_arch_timer.c | 2 +-
+ drivers/clocksource/metag_generic.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 8 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 6 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efi/efi.c | 12 +-
+ drivers/firmware/efi/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/iio_hwmon.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 12 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bcache/closure.h | 2 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/vhost/vringh.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/output.c | 2 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_addr.c | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 12 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 607 ++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 12 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/exec.c | 362 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 4 +-
+ fs/fhandle.c | 3 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 4 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/lockd/svc.c | 2 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 10 +-
+ fs/nfs/callback.c | 4 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfs/nfs4state.c | 2 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 9 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 61 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/proc/vmcore.c | 12 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/read_write.c | 2 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 40 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/clk-provider.h | 1 +
+ include/linux/compat.h | 4 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 4 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 6 +-
+ include/linux/mm.h | 116 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 12 +-
+ include/linux/pipe_fs_i.h | 8 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-ohci-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/proc_ns.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 65 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 42 +-
+ include/linux/slab_def.h | 28 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 8 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 10 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 12 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/netns/ipv6.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/compress_driver.h | 2 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 30 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 42 +-
+ init/main.c | 83 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditfilter.c | 2 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 38 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 30 +-
+ kernel/events/internal.h | 10 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 11 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 22 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 76 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 51 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/sched/sched.h | 2 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 18 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 6 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 18 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ kernel/workqueue.c | 2 +-
+ lib/Kconfig.debug | 8 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 6 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/usercopy.c | 6 +
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/backing-dev.c | 4 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 15 +-
+ mm/mmap.c | 606 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 4 +-
+ mm/page_alloc.c | 41 +-
+ mm/page_io.c | 2 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 79 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 46 +-
+ mm/slob.c | 201 +-
+ mm/slub.c | 79 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 77 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_core.c | 8 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/devinet.c | 18 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 18 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 12 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 8 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 16 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 29 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.sh | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 676 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/internal.h | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/core/sound.c | 2 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ sound/sound_core.c | 2 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 172 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 560 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 ++
+ tools/gcc/latent_entropy_plugin.c | 327 ++
+ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2114 +++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/gcc/structleak_plugin.c | 277 +
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1607 files changed, 30734 insertions(+), 7318 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 23:05:14 2013 -0400
+
+ always enforce a non-zero gap for RAND_THREADSTACK
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 16:09:28 2013 -0400
+
+ fix up file comparisons
+
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_sig.c | 4 ++--
+ include/linux/grinternal.h | 12 ++++++++++++
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+commit a1fff2c95162314626dd96bec71d951a8c1c4708
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:33:18 2013 -0400
+
+ fix suid binary matching
+
+ grsecurity/grsec_sig.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
+Merge: 37b97a9 47beb61
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:02:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:01:37 2013 -0400
+
+ Update to pax-linux-3.9.9-test13.patch:
+ - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
+ - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)
+
+ arch/arm/include/asm/uaccess.h | 20 ++++++++++----------
+ arch/arm/kernel/armksyms.c | 2 +-
+ arch/arm/kernel/entry-armv.S | 4 ++--
+ arch/arm/mm/Kconfig | 2 +-
+ arch/x86/ia32/ia32entry.S | 4 ++--
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/kernel/entry_32.S | 4 ++--
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ arch/x86/kernel/head64.c | 12 ++++++------
+ arch/x86/kernel/head_64.S | 16 ++++++++++++----
+ arch/x86/mm/init.c | 8 ++++++++
+ arch/x86/mm/init_32.c | 6 ------
+ arch/x86/mm/init_64.c | 6 ------
+ arch/x86/platform/efi/efi_32.c | 5 +++++
+ arch/x86/platform/efi/efi_64.c | 10 ++++++++++
+ 15 files changed, 64 insertions(+), 44 deletions(-)
+
+commit 89085d2d0643813a62f23d1199a335dc1e129bc0
+Merge: 963af7f 0adf2e7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 14:55:44 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:46:02 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:29:51 2013 -0400
+
+ update log arguments
+
+ grsecurity/grsec_sig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:20:23 2013 -0400
+
+ Update logging of suid exec ban
+
+ Conflicts:
+
+ grsecurity/grsec_sig.c
+
+ grsecurity/grsec_sig.c | 3 +--
+ include/linux/grmsg.h | 1 +
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit ef808866c070aa1901bd2224521baaf5d145a3a7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 12:58:33 2013 -0400
+
+ Additional improvements to the user banning code:
+
+ Separate the kernel-bruteforcing case from the suid bruteforcing case
+ In the suid bruteforcing case, only kill existing copies of the bruteforced
+ binary. Instead of preventing all future execs by this user, prevent them
+ from executing any suid/sgid binaries for the next 15 minutes.
+
+ Kernel case is mostly unchanged from before, except the task trying to change
+ real uid to the banned user will be terminated instead of failing the setuid
+ call.
+
+ Configuration help has been updated to reflect the new changes.
+
+ fs/exec.c | 13 +++++---
+ grsecurity/Kconfig | 5 ++-
+ grsecurity/gracl.c | 6 ++--
+ grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------
+ include/linux/grsecurity.h | 1 -
+ include/linux/sched.h | 9 +++--
+ 6 files changed, 65 insertions(+), 45 deletions(-)
+
+commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 16:14:09 2013 -0400
+
+ fix renamed export of csum_partial_copy_from_user, as reported by fabled
+ on the forums
+
+ arch/arm/kernel/armksyms.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 318235973c2a548c3d25562645d6b69f66e85934
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 16:09:16 2013 -0400
+
+ make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
+ reported on the forums by fabled
+
+ arch/arm/mm/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 15:53:12 2013 -0400
+
+ Revise the user ban code to kill the process issuing a banned
+ set*id instead of returning an error. For the sake of keeping
+ unified user banning between the suid and kernel bruteforce case,
+ we will apply this killing to the suid bruteforce case, despite
+ a check just at exec time (that already existed) being sufficient.
+
+ Returning an error could enable exploitation of the "failure to check
+ setuid return value" case which was recently effectively closed
+ upstream, albeit in a rare situation with a suitable binary and
+ two colluding users.
+
+ Many thanks to stealth for reviewing the user ban code.
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/grsec_sig.c | 16 +++++++++++++---
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
+Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Date: Fri Jun 28 14:15:15 2013 +0300
+
+ Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
+
+ UBIFS: fix a horrid bug
+
+ Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
+ mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
+ in the middle of 'ubifs_readdir()'.
+
+ This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
+ it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
+ but this may corrupt memory and lead to all kinds of problems like crashes an
+ security holes.
+
+ This patch fixes the problem by using the 'file->f_version' field, which
+ '->llseek()' always unconditionally sets to zero. We set it to 1 in
+ 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
+ seek and it is time to clear the state saved in 'file->private_data'.
+
+ I tested this patch by writing a user-space program which runds readdir and
+ seek in parallell. I could easily crash the kernel without these patches, but
+ could not crash it with these patches.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+ Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+ Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++---
+ 1 files changed, 27 insertions(+), 3 deletions(-)
+
+commit c22280b85088978bd8b45bd23096879459b48008
+Author: Stephane Eranian <eranian@google.com>
+Date: Thu Jun 20 11:36:28 2013 +0200
+
+ Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
+
+ perf: Disable monitoring on setuid processes for regular users
+
+ There was a a bug in setup_new_exec(), whereby
+ the test to disabled perf monitoring was not
+ correct because the new credentials for the
+ process were not yet committed and therefore
+ the get_dumpable() test was never firing.
+
+ The patch fixes the problem by moving the
+ perf_event test until after the credentials
+ are committed.
+
+ Signed-off-by: Stephane Eranian <eranian@google.com>
+ Tested-by: Jiri Olsa <jolsa@redhat.com>
+ Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ fs/exec.c | 16 +++++++++-------
+ 1 files changed, 9 insertions(+), 7 deletions(-)
+
+commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 29 13:10:02 2013 -0400
+
+ on context switch, make sure we switch DACR when domain support and
+ KERNEXEC is disabled but UDEREF is enabled
+
+ arch/arm/kernel/entry-armv.S | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 08d017fa51370921694ce087b28c96fec92993d4
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jun 23 17:26:58 2013 +0300
+
+ Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
+
+ macvtap: fix recovery from gup errors
+
+ get user pages might fail partially in macvtap zero copy
+ mode. To recover we need to put all pages that we got,
+ but code used a wrong index resulting in double-free
+ errors.
+
+ Reported-by: Brad Hubbard <bhubbard@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/macvtap.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jun 23 17:19:03 2013 +0300
+
+ Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
+
+ tun: fix recovery from gup errors
+
+ get user pages might fail partially in tun zero copy
+ mode. To recover we need to put all pages that we got,
+ but code used a wrong index resulting in double-free
+ errors.
+
+ Reported-by: Brad Hubbard <bhubbard@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
+Author: Balazs Peter Odor <balazs@obiserver.hu>
+Date: Sat Jun 22 19:24:43 2013 +0200
+
+ Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
+
+ netfilter: nf_nat_sip: fix mangling
+
+ In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
+ there were some missing brackets around the logging information, thus
+ always returning drop.
+
+ Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
+
+ Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nf_nat_sip.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
+Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Date: Sun Jun 2 16:30:40 2013 -0400
+
+ Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
+
+ Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
+
+ If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
+ controller, memory corruption happens due to a memcpy() call with
+ negative length.
+
+ Fix this crash on either incoming or outgoing connections with a MTU
+ smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
+
+ [ 46.885433] BUG: unable to handle kernel paging request at f56ad000
+ [ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
+ [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
+ [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
+ [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
+ [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
+ [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+ [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
+ [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
+ [ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
+ [ 46.888037] EIP is at memcpy+0x1d/0x40
+ [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
+ [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
+ [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+ [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
+ [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
+ [ 46.888037] DR6: ffff0ff0 DR7: 00000400
+ [ 46.888037] Stack:
+ [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
+ [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
+ [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
+ [ 46.888037] Call Trace:
+ [ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
+ [ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
+ [ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
+ [ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
+ [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+ [ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
+ [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+ [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+ [ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
+ [ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
+ [ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
+ [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+ [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+ [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+ [ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
+ [ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
+ [ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
+ [ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
+ [ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
+ [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+ [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+ [ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
+ [ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
+ [ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
+ [ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
+ [ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
+ [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
+ [ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
+ [ 46.888037] CR2: 00000000f56ad000
+ [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
+
+ Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ net/bluetooth/l2cap_core.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit b0471b6c1160858fc646d8e94628fd1299f61692
+Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
+Date: Fri Jun 21 19:55:11 2013 +0530
+
+ Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
+
+ Bluetooth: Fix invalid length check in l2cap_information_rsp()
+
+ The length check is invalid since the length varies with type of
+ info response.
+
+ This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
+
+ Because of this, l2cap info rsp is not handled and command reject is sent.
+
+ > ACL data: handle 11 flags 0x02 dlen 16
+ L2CAP(s): Info rsp: type 2 result 0
+ Extended feature mask 0x00b8
+ Enhanced Retransmission mode
+ Streaming mode
+ FCS Option
+ Fixed Channels
+ < ACL data: handle 11 flags 0x00 dlen 10
+ L2CAP(s): Command rej: reason 0
+ Command not understood
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
+ Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
+ Acked-by: Johan Hedberg <johan.hedberg@intel.com>
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+
+ net/bluetooth/l2cap_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4184af98c360d825e638b268b1a9847232e8d299
+Author: Eric Dumazet <edumazet@google.com>
+Date: Wed Jun 26 04:15:07 2013 -0700
+
+ Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
+
+ ipv6: ip6_sk_dst_check() must not assume ipv6 dst
+
+ It's possible to use AF_INET6 sockets and to connect to an IPv4
+ destination. After this, socket dst cache is a pointer to a rtable,
+ not rt6_info.
+
+ ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
+ various corruptions/crashes can happen.
+
+ Dave Jones can reproduce immediate crash with
+ trinity -q -l off -n -c sendmsg -c connect
+
+ With help from Hannes Frederic Sowa
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
+Author: Zefan Li <lizefan@huawei.com>
+Date: Wed Jun 26 15:29:54 2013 +0800
+
+ Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
+
+ dlci: acquire rtnl_lock before calling __dev_get_by_name()
+
+ Otherwise the net device returned can be freed at anytime.
+
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/dlci.c | 14 +++++++++-----
+ 1 files changed, 9 insertions(+), 5 deletions(-)
+
+commit 1fe6f23c9acd14d832d056909ff326bde418e645
+Author: Zefan Li <lizefan@huawei.com>
+Date: Wed Jun 26 15:31:58 2013 +0800
+
+ Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
+
+ dlci: validate the net device in dlci_del()
+
+ We triggered an oops while running trinity with 3.4 kernel:
+
+ BUG: unable to handle kernel paging request at 0000000100000d07
+ IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+ PGD 640c0d067 PUD 0
+ Oops: 0000 [#1] PREEMPT SMP
+ CPU 3
+ ...
+ Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
+ RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+ ...
+ Call Trace:
+ [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
+ [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
+ [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
+ [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
+ [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
+ ...
+
+ It's because the net device is not a dlci device.
+
+ Reported-by: Li Jinyue <lijinyue@huawei.com>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/dlci.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+commit 4d4464407611527ef6b6b5475cfcab6121b3da66
+Merge: 59571a9 963af7f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 27 18:54:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 963af7f7f591759b731ce6325ceb583a72fcf423
+Merge: c51e25a 55db48a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 27 18:54:42 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 59571a9db7485f530a1e865a13cacc4c991ec41f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:39:08 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: Steffen Klassert <steffen.klassert@secunet.com>,
+ "David S. Miller" <davem@davemloft.net>
+ Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
+ Herbert Xu <herbert@gondor.apana.org.au>
+ Subject: [PATCH] af_key: fix info leaks in notify messages
+
+ key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
+ the sadb_msg_reserved member of the broadcasted message and thereby
+ leak 2 bytes of heap memory to listeners. Fix that.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+
+ net/key/af_key.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:33:06 2013 -0400
+
+ update rand_threadstack code to continue the search for a gap if the first
+ choice doesn't have enough space, instead of returning ENOMEM
+
+ mm/mmap.c | 17 ++++++++++-------
+ 1 files changed, 10 insertions(+), 7 deletions(-)
+
+commit 87020d4a4d83038d65ff1fd519938840f6888b9e
+Merge: 2682346 c51e25a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:25:32 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c51e25a23f30a1198076bd085f19b2073caf164d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:24:54 2013 -0400
+
+ Update to pax-linux-3.9.7-test12.patch:
+ - fixed a regression on PARAVIRT/amd64 kernels
+ - simplified the recent vm_unmapped_area_info based change
+
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ mm/mmap.c | 22 ++++++++++++----------
+ 2 files changed, 16 insertions(+), 14 deletions(-)
+
+commit 26823469a08e59cb67bea18d448d9e8c65f82e08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 21:26:51 2013 -0400
+
+ re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
+ vm_unmapped_area code is complete
+
+ arch/x86/kernel/sys_i386_32.c | 5 +++++
+ grsecurity/Kconfig | 2 +-
+ mm/mmap.c | 11 ++++++++++-
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
+Merge: e58fe8c c4e0704
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 19:08:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/sys_i386_32.c
+
+commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 19:05:39 2013 -0400
+
+ Update to pax-linux-3.9.7-test11.patch:
+ - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
+ - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
+ - fixed the recent nested nmi related fixes some more
+ - fixed a regression in kernel memory initialization on relocatable i386 kernels
+ - empty_zero_page can be read-only on amd64 as well
+
+ arch/arm/mm/mmap.c | 6 --
+ arch/x86/kernel/entry_64.S | 8 +--
+ arch/x86/kernel/head_64.S | 1 -
+ arch/x86/kernel/setup.c | 2 +-
+ arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++----------------------------
+ drivers/lguest/core.c | 2 +-
+ include/linux/mm.h | 6 +-
+ include/linux/vmalloc.h | 2 +-
+ mm/mmap.c | 30 +++++++-
+ 9 files changed, 83 insertions(+), 134 deletions(-)
+
+commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 23 14:37:14 2013 -0400
+
+ second compile fix, reported by forsaken on forums
+
+ include/linux/vmalloc.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 23 14:36:35 2013 -0400
+
+ compile fix, reported by KDE on forums
+
+ kernel/printk.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit 1fc9a5e2e267205d28302e1e86ca0da434561111
+Author: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun Jun 16 21:27:12 2013 +0100
+
+ Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
+
+ x86/efi: Fix dummy variable buffer allocation
+
+ 1. Check for allocation failure
+ 2. Clear the buffer contents, as they may actually be written to flash
+ 3. Don't leak the buffer
+
+ Compile-tested only.
+
+ [ Tested successfully on my buggy ASUS machine - Matt ]
+
+ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+
+ arch/x86/platform/efi/efi.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
+Author: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Tue Jun 18 09:05:36 2013 -0500
+
+ Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
+
+ sparc: tsb must be flushed before tlb
+
+ This fixes a race where a cpu may re-load a tlb from a stale tsb right
+ after it has been flushed by a remote function call.
+
+ I still see some instability when stressing the system with parallel
+ kernel builds while creating memory pressure by writing to
+ /proc/sys/vm/nr_hugepages, but this patch improves the stability
+ significantly.
+
+ Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+ Acked-by: Bob Picco <bob.picco@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/mm/tlb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d93b62f6485db9aadda34322a6867868db07f56f
+Merge: 4ef62f5 71d83e9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:52:55 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 71d83e97c936563913bcfb5a25c45b2021a331eb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:48:42 2013 -0400
+
+ Update to pax-linux-3.9.7-test10.patch:
+ - fixed a few format string problems uncovered by -Wformat-nonliteral
+ - another attempt at fixing the nested nmi/cr0.wp problem
+ - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
+ - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
+ - fixed a locking issue with track_exec_limit reported by spender
+ - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)
+
+ Documentation/dontdiff | 1 +
+ arch/x86/boot/compressed/efi_stub_32.S | 16 ++-----
+ arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------
+ arch/x86/kernel/vmlinux.lds.S | 2 +-
+ block/genhd.c | 11 +++--
+ crypto/algapi.c | 2 +-
+ crypto/pcrypt.c | 6 +-
+ drivers/base/attribute_container.c | 2 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/block/nbd.c | 2 +-
+ drivers/cdrom/cdrom.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/mem.c | 2 +-
+ drivers/devfreq/devfreq.c | 2 +-
+ drivers/gpu/drm/drm_encoder_slave.c | 6 +--
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/iommu/irq_remapping.c | 2 +-
+ drivers/video/output.c | 2 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 2 +-
+ fs/lockd/svc.c | 2 +-
+ fs/nfs/callback.c | 4 +-
+ fs/nfs/nfs4state.c | 2 +-
+ fs/nfsd/nfscache.c | 3 +-
+ init/initramfs.c | 2 +-
+ kernel/rcutree.c | 2 +-
+ lib/kobject.c | 2 +-
+ mm/backing-dev.c | 4 +-
+ mm/mmap.c | 4 +-
+ mm/slub.c | 2 +-
+ mm/vmalloc.c | 15 +++----
+ net/bluetooth/hci_core.c | 8 ++--
+ net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
+ net/sunrpc/svc.c | 2 +-
+ security/Kconfig | 15 +++---
+ sound/core/sound.c | 2 +-
+ sound/sound_core.c | 2 +-
+ 40 files changed, 116 insertions(+), 111 deletions(-)
+
+commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
+Merge: 39efd8f 256eff7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:45:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ kernel/printk.c
+
+commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
+Merge: e6e3059 485f25f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 20 22:14:24 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 18 17:20:18 2013 -0400
+
+ add apparmor compat patch
+
+ security/apparmor/Kconfig | 9 ++
+ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 240 insertions(+), 0 deletions(-)
+
+commit 49bee3c5341687504669bf62becf4a419a226ba0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 17 18:48:04 2013 -0400
+
+ Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
+
+ This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.
+
+ kernel/sys.c | 29 +++--------------------------
+ 1 files changed, 3 insertions(+), 26 deletions(-)
+
+commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Sun Jun 16 18:06:06 2013 +0100
+
+ Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
+
+ lseek(fd, n, SEEK_END) does *not* go to eof - n
+
+ When you copy some code, you are supposed to read it. If nothing else,
+ there's a chance to spot and fix an obvious bug instead of sharing it...
+
+ X-Song: "I Got It From Agnes", by Tom Lehrer
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ [ Tom Lehrer? You're dating yourself, Al ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +-
+ drivers/scsi/bfa/bfad_debugfs.c | 2 +-
+ drivers/scsi/fnic/fnic_debugfs.c | 2 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 5a450f1c46f0c84379518aee878993d3f4a331b6
+Author: Theodore Ts'o <tytso@mit.edu>
+Date: Thu Jun 6 11:14:31 2013 -0400
+
+ Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
+
+ ext4: verify group number in verify_group_input() before using it
+
+ Check the group number for sanity earilier, before calling routines
+ such as ext4_bg_has_super() or ext4_group_overhead_blocks().
+
+ Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+
+ fs/ext4/resize.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
+Author: Neil Horman <nhorman@tuxdriver.com>
+Date: Wed Jun 12 14:26:44 2013 -0400
+
+ Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
+
+ sctp: fully initialize sctp_outq in sctp_outq_init
+
+ In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
+ (refactor sctp_outq_teardown to insure proper re-initalization)
+ we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
+ outq structure. Steve West recently asked me why I removed the q->error = 0
+ initalization from sctp_outq_teardown. I did so because I was operating under
+ the impression that sctp_outq_init would properly initalize that value for us,
+ but it doesn't. sctp_outq_init operates under the assumption that the outq
+ struct is all 0's (as it is when called from sctp_association_init), but using
+ it in __sctp_outq_teardown violates that assumption. We should do a memset in
+ sctp_outq_init to ensure that the entire structure is in a known state there
+ instead.
+
+ Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+ Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
+ CC: Vlad Yasevich <vyasevich@gmail.com>
+ CC: netdev@vger.kernel.org
+ CC: davem@davemloft.net
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/sctp/outqueue.c
+
+ net/sctp/outqueue.c | 8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
+
+commit e13515ad7a9c7634599a105b2527752e527a905d
+Author: Saurabh Mohan <saurabh@vyatta.com>
+Date: Mon Jun 10 17:45:10 2013 -0700
+
+ Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
+
+ net/ipv4: ip_vti clear skb cb before tunneling.
+
+ If users apply shaper to vti tunnel then it will cause a kernel crash. The
+ problem seems to be due to the vti_tunnel_xmit function not clearing
+ skb->opt field before passing the packet to xfrm tunneling code.
+
+ Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
+ Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_vti.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed Jun 12 16:07:36 2013 +0200
+
+ Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
+
+ l2tp: Fix sendmsg() return value
+
+ PPPoL2TP sockets should comply with the standard send*() return values
+ (i.e. return number of bytes sent instead of 0 upon success).
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit af361b412e816e894fb42ddff7a0545b7def64c0
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed Jun 12 16:07:23 2013 +0200
+
+ Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
+
+ l2tp: Fix PPP header erasure and memory leak
+
+ Copy user data after PPP framing header. This prevents erasure of the
+ added PPP header and avoids leaking two bytes of uninitialised memory
+ at the end of skb's data buffer.
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 1f43aca088c35dda35abf76e08544e534c71fed4
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed Jun 12 16:02:27 2013 +0200
+
+ Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
+
+ packet: packet_getname_spkt: make sure string is always 0-terminated
+
+ uaddr->sa_data is exactly of size 14, which is hard-coded here and
+ passed as a size argument to strncpy(). A device name can be of size
+ IFNAMSIZ (== 16), meaning we might leave the destination string
+ unterminated. Thus, use strlcpy() and also sizeof() while we're
+ at it. We need to memset the data area beforehand, since strlcpy
+ does not padd the remaining buffer with zeroes for user space, so
+ that we do not possibly leak anything.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/packet/af_packet.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Wed Jun 5 19:38:26 2013 +0000
+
+ Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
+
+ net: Unbreak compat_sys_{send,recv}msg
+
+ I broke them in this commit:
+
+ commit 1be374a0518a288147c6a7398792583200a67261
+ Author: Andy Lutomirski <luto@amacapital.net>
+ Date: Wed May 22 14:07:44 2013 -0700
+
+ net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
+ MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It
+ also reverts some unnecessary checks in sys_socketcall.
+
+ Apparently I was suffering from underscore blindness the first time around.
+
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Tested-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/linux/socket.h | 3 ++
+ net/compat.c | 13 +++++++-
+ net/socket.c | 72 ++++++++++++++++++++++--------------------------
+ 3 files changed, 47 insertions(+), 41 deletions(-)
+
+commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Wed May 22 14:07:44 2013 -0700
+
+ Upstream commit: 1be374a0518a288147c6a7398792583200a67261
+
+ net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ To: linux-kernel@vger.kernel.org
+ Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
+ Miller" <davem@davemloft.net>
+ Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
+ it's a hack that steals a bit to indicate to other networking code
+ that a compat entry was used. So don't allow it from a non-compat
+ syscall.
+
+ This prevents an oops when running this code:
+
+ int main()
+ {
+ int s;
+ struct sockaddr_in addr;
+ struct msghdr *hdr;
+
+ char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ if (highpage == MAP_FAILED)
+ err(1, "mmap");
+
+ s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (s == -1)
+ err(1, "socket");
+
+ addr.sin_family = AF_INET;
+ addr.sin_port = htons(1);
+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
+ err(1, "connect");
+
+ void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
+ printf("Evil address is %p\n", evil);
+
+ if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
+ err(1, "sendmmsg");
+
+ return 0;
+ }
+
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/socket.c | 33 +++++++++++++++++++++++++++++++--
+ 1 files changed, 31 insertions(+), 2 deletions(-)
+
+commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri May 10 14:48:21 2013 -0700
+
+ Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
+
+ b43: stop format string leaking into error msgs
+
+ The module parameter "fwpostfix" is userspace controllable, unfiltered,
+ and is used to define the firmware filename. b43_do_request_fw() populates
+ ctx->errors[] on error, containing the firmware filename. b43err()
+ parses its arguments as a format string. For systems with b43 hardware,
+ this could lead to a uid-0 to ring-0 escalation.
+
+ CVE-2013-2852
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/b43/main.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit dfb67a67049ace7b94ad7e2febfac69816d50d85
+Author: Mark A. Greer <mgreer@animalcreek.com>
+Date: Wed May 29 12:25:34 2013 -0700
+
+ Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
+
+ mwifiex: debugfs: Fix out of bounds array access
+
+ When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
+ the following panic occurs:
+
+ $ cat /sys/kernel/debug/mwifiex/p2p0/info
+ Unable to handle kernel paging request at virtual address 74706164
+ pgd = de530000
+ [74706164] *pgd=00000000
+ Internal error: Oops: 5 [#1] SMP ARM
+ Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
+ CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
+ task: de16b6c0 ti: de048000 task.ti: de048000
+ PC is at strnlen+0xc/0x4c
+ LR is at string+0x3c/0xf8
+ pc : [<c02c123c>] lr : [<c02c2d1c>] psr: a0000013
+ sp : de049e10 ip : c06efba0 fp : de6d2092
+ r10: bf01a260 r9 : ffffffff r8 : 74706164
+ r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000
+ r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164
+ Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+ Control: 10c5387d Table: 9e530019 DAC: 00000015
+ Process cat (pid: 1635, stack limit = 0xde048240)
+ Stack: (0xde049e10 to 0xde04a000)
+ 9e00: de6d2092 00000002 bf01a25e de6d209c
+ 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
+ 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
+ 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
+ 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
+ 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
+ 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
+ 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
+ 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
+ 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
+ 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
+ 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
+ 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
+ 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
+ [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
+ [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
+ [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
+ [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
+ [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
+ [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
+ [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
+ Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
+ ---[ end trace ca98273dc605a04f ]---
+
+ The panic is caused by the mwifiex_info_read() routine assuming that
+ there can only be four modes (0-3) which is an invalid assumption.
+ For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
+ code accesses data beyond the bounds of the bss_modes[] array which
+ causes the panic. Fix this by updating bss_modes[] to support the
+ current list of modes and adding a check to prevent the out-of-bounds
+ access from occuring in the future when more modes are added.
+
+ Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
+ Acked-by: Bing Zhao <bzhao@marvell.com>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++-----
+ 1 files changed, 17 insertions(+), 5 deletions(-)
+
+commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
+Author: Johan Hedberg <johan.hedberg@intel.com>
+Date: Tue May 28 13:46:30 2013 +0300
+
+ Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
+
+ Bluetooth: Fix missing length checks for L2CAP signalling PDUs
+
+ There has been code in place to check that the L2CAP length header
+ matches the amount of data received, but many PDU handlers have not been
+ checking that the data received actually matches that expected by the
+ specific PDU. This patch adds passing the length header to the specific
+ handler functions and ensures that those functions fail cleanly in the
+ case of an incorrect amount of data.
+
+ Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++-----------
+ 1 files changed, 52 insertions(+), 18 deletions(-)
+
+commit 628be2427afb241b5a1aa24bc5907d05287e1f25
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon Jun 3 12:00:49 2013 +0300
+
+ Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
+
+ ipvs: info leak in __ip_vs_get_dest_entries()
+
+ The entry struct has a 2 byte hole after ->port and another 4 byte
+ hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your
+ namespace to hit this information leak.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Simon Horman <horms@verge.net.au>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/ipvs/ip_vs_ctl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 066d9226bc6c569d5f420c978b758e0bddd23444
+Author: Robin Holt <holt@sgi.com>
+Date: Wed Jun 12 14:04:37 2013 -0700
+
+ Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
+
+ reboot: rigrate shutdown/reboot to boot cpu
+
+ We recently noticed that reboot of a 1024 cpu machine takes approx 16
+ minutes of just stopping the cpus. The slowdown was tracked to commit
+ f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
+ kernel_restart()").
+
+ The current implementation does all the work of hot removing the cpus
+ before halting the system. We are switching to just migrating to the
+ boot cpu and then continuing with shutdown/reboot.
+
+ This also has the effect of not breaking x86's command line parameter
+ for specifying the reboot cpu. Note, this code was shamelessly copied
+ from arch/x86/kernel/reboot.c with bits removed pertaining to the
+ reboot_cpu command line parameter.
+
+ Signed-off-by: Robin Holt <holt@sgi.com>
+ Tested-by: Shawn Guo <shawn.guo@linaro.org>
+ Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
+ Cc: H. Peter Anvin <hpa@zytor.com>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Ingo Molnar <mingo@elte.hu>
+ Cc: Russ Anderson <rja@sgi.com>
+ Cc: Robin Holt <holt@sgi.com>
+ Cc: Russell King <linux@arm.linux.org.uk>
+ Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sys.c | 29 ++++++++++++++++++++++++++---
+ 1 files changed, 26 insertions(+), 3 deletions(-)
+
+commit 94e2a91600b07d39825e7059195f35eb611a39a2
+Merge: 20cc761 e6e3059
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 13 16:23:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
+Merge: c6aadb1 4b73feb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 13 16:23:39 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 20cc7613e38cde07adc73179a91d6c15292e8d43
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Thu Jun 6 15:53:47 2013 +0200
+
+ Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
+
+ net: sctp: fix NULL pointer dereference in socket destruction
+
+ While stress testing sctp sockets, I hit the following panic:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+ IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ PGD 7cead067 PUD 7ce76067 PMD 0
+ Oops: 0000 [#1] SMP
+ Modules linked in: sctp(F) libcrc32c(F) [...]
+ CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
+ Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
+ task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
+ RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
+ RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
+ RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
+ RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
+ FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Stack:
+ ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
+ ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
+ 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
+ Call Trace:
+ [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
+ [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
+ [<ffffffff814df36e>] inet_create+0x2ae/0x350
+ [<ffffffff81455a6f>] __sock_create+0x11f/0x240
+ [<ffffffff81455bf0>] sock_create+0x30/0x40
+ [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
+ [<ffffffff815403be>] ? do_page_fault+0xe/0x10
+ [<ffffffff8153cb32>] ? page_fault+0x22/0x30
+ [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
+ Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
+ 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
+ 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
+ RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ RSP <ffff88007b569e08>
+ CR2: 0000000000000020
+ ---[ end trace e0d71ec1108c1dd9 ]---
+
+ I did not hit this with the lksctp-tools functional tests, but with a
+ small, multi-threaded test program, that heavily allocates, binds,
+ listens and waits in accept on sctp sockets, and then randomly kills
+ some of them (no need for an actual client in this case to hit this).
+ Then, again, allocating, binding, etc, and then killing child processes.
+
+ This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
+ is set. The cause for that is actually very simple: in sctp_endpoint_init()
+ we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
+ our crypto transforms through crypto_alloc_hash(). In our scenario,
+ it then can happen that crypto_alloc_hash() fails with -EINTR from
+ crypto_larval_wait(), thus we bail out and release the socket via
+ sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
+ dereference as soon as we try to access members in the endpoint during
+ sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
+ if we have that case, we do not need to do any cleanup work and just
+ leave the destruction handler.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 386ba837978cc8a1111440bdcd8600f2df4634a4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 12 20:37:48 2013 -0400
+
+ fix deadlock when booting i386 kernel without NX
+
+ mm/mmap.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 22:18:07 2013 -0400
+
+ fix elif / elif defined() typo in recent change
+
+ kernel/events/core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit bc43377e1e757cd37a06be0187884a42af718aab
+Merge: 3cdea63 c6aadb1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 18:50:39 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 18:49:36 2013 -0400
+
+ Update to pax-linux-3.9.4-test9.patch:
+ - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
+ - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort
+
+ arch/x86/kernel/setup.c | 2 +-
+ mm/mlock.c | 1 -
+ 2 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 3cdea63e90607d8d55820b101854091623feedb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:21:44 2013 -0400
+
+ Fix fanotify infoleak reported by Dan Carpenter at:
+ https://lkml.org/lkml/2013/6/3/128
+
+ Requires CAP_SYS_ADMIN, so this is about as low priority as it gets
+
+ fs/notify/fanotify/fanotify_user.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 373a2b5df78f82b9d3db72bd6577e29a71591323
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:16:46 2013 -0400
+
+ Backport infoleak fix by Dan Carpenter in cpqarray:
+ https://lkml.org/lkml/2013/6/3/131
+
+ drivers/block/cpqarray.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 251e84b9b05e063981b20be154c9389862f94759
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:04:17 2013 -0400
+
+ Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2
+
+ drivers/cdrom/cdrom.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 18:34:32 2013 -0400
+
+ change const to __read_only
+
+ kernel/sysctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 17:34:13 2013 -0400
+
+ compile fix, make const values const
+
+ kernel/sysctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 17:37:13 2013 -0400
+
+ Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a
+
+ drivers/char/mwave/tp3780i.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 1c590aa70c95ebd76ba9672aa23d800b81780615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 19:50:35 2013 -0400
+
+ allow -1 perf_event_paranoid
+
+ kernel/sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
+Merge: 4e85539 117c3fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 17:30:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 117c3fa8d26c3806103123560f807d99071b60b6
+Merge: ed9b427 5dd2e98
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 17:30:00 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon May 13 21:25:52 2013 +0000
+
+ Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
+
+ tcp: fix tcp_md5_hash_skb_data()
+
+ TCP md5 communications fail [1] for some devices, because sg/crypto code
+ assume page offsets are below PAGE_SIZE.
+
+ This was discovered using mlx4 driver [2], but I suspect loopback
+ might trigger the same bug now we use order-3 pages in tcp_sendmsg()
+
+ [1] Failure is giving following messages.
+
+ huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
+ exited with 00000101?
+
+ [2] mlx4 driver uses order-2 pages to allocate RX frags
+
+ Reported-by: Matt Schnall <mischnal@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Bernhard Beck <bbeck@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
+Author: Eric Dumazet <edumazet@google.com>
+Date: Fri May 17 04:53:13 2013 +0000
+
+ Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
+
+ ipv6: fix possible crashes in ip6_cork_release()
+
+ commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
+ added some code duplication and bad error recovery, leading to potential
+ crash in ip6_cork_release() as kfree() could be called with garbage.
+
+ use kzalloc() to make sure this wont happen.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+ Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+ Cc: Neal Cardwell <ncardwell@google.com>
+
+ net/ipv6/ip6_output.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Thu May 16 23:13:04 2013 +0000
+
+ Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
+
+ net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
+
+ 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
+ strncpy() will always left the last byte of 'discovery->data.info'
+ uninitialized.
+
+ When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
+ the last byte of 'discovery->data.info' uninitialized, the next
+ strlen() will cause issue.
+
+ Also 'discovery->data' is 'struct irda_device_info' which defined in
+ "include/uapi/...", it may copy to user mode, so need whole initialized.
+
+ All together, need use kzalloc() instead of kmalloc() to initialize all
+ members firstly.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/irda/irlap_frame.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c01c9af268cb066f240aec53454b8b74d8d01688
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun May 19 08:36:36 2013 +0000
+
+ Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
+
+ isdn/kcapi: fix a small underflow
+
+ In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
+ from skb->data. The current code can underflow to one space before the
+ start of the array.
+
+ The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
+ it to match the others.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/capi/kcapi.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
+Author: Timo Teräs <timo.teras@iki.fi>
+Date: Wed May 22 01:40:47 2013 +0000
+
+ Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
+
+ xfrm: properly handle invalid states as an error
+
+ The error exit path needs err explicitly set. Otherwise it
+ returns success and the only caller, xfrm_output_resume(),
+ would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
+ NULL.
+
+ Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
+ check and add a statistic).
+
+ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+ Cc: Li RongQing <roy.qing.li@gmail.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/xfrm/xfrm_output.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
+Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
+Date: Fri May 31 15:07:52 2013 -0400
+
+ Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
+
+ reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
+
+ After sleeping for filldir(), we check to see if the file system has
+ changed and research. The next_pos pointer is updated but its value
+ isn't pushed into the key used for the search itself. As a result,
+ the search returns the same item that the last cycle of the loop did
+ and filldir() is called multiple times with the same data.
+
+ The end result is that the buffer can contain the same name multiple
+ times. This can be returned to userspace or used internally in the
+ xattr code where it can manifest with the following warning:
+
+ jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
+
+ reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
+ the xattr names and ends up trying to unlink the same name twice. The
+ second attempt fails with -ENOENT and the error is returned. At some
+ point I'll need to add support into reiserfsck to remove the orphaned
+ directories left behind when this occurs.
+
+ The fix is to push the value into the key before researching.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/dir.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
+Author: Jeff Mahoney <jeffm@suse.com>
+Date: Fri May 31 15:51:17 2013 -0400
+
+ Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
+
+ reiserfs: fix deadlock with nfs racing on create/lookup
+
+ Reiserfs is currently able to be deadlocked by having two NFS clients
+ where one has removed and recreated a file and another is accessing the
+ file with an open file handle.
+
+ If one client deletes and recreates a file with timing such that the
+ recreated file obtains the same [dirid, objectid] pair as the original
+ file while another client accesses the file via file handle, the create
+ and lookup can race and deadlock if the lookup manages to create the
+ in-memory inode first.
+
+ The create thread, in insert_inode_locked4, will hold the write lock
+ while waiting on the other inode to be unlocked. The lookup thread,
+ anywhere in the iget path, will release and reacquire the write lock while
+ it schedules. If it needs to reacquire the lock while the create thread
+ has it, it will never be able to make forward progress because it needs
+ to reacquire the lock before ultimately unlocking the inode.
+
+ This patch drops the write lock across the insert_inode_locked4 call so
+ that the ordering of inode_wait -> write lock is retained. Since this
+ would have been the case before the BKL push-down, this is safe.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/inode.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
+Author: Jeff Mahoney <jeffm@suse.com>
+Date: Fri May 31 15:54:17 2013 -0400
+
+ Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
+
+ reiserfs: fix problems with chowning setuid file w/ xattrs
+
+ reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
+ and uses it to iterate over all the attrs associated with a file to change
+ ownership of xattrs (and transfer quota associated with the xattr files).
+
+ When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
+ are passed to all the xattrs as well. This means that the xattr directory
+ will have S_IFREG added to its mode bits.
+
+ This has been prevented in practice by a missing IS_PRIVATE check
+ in reiserfs_acl_chmod, which caused a double-lock to occur while holding
+ the write lock. Since the file system was completely locked up, the
+ writeout of the corrupted mode never happened.
+
+ This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
+ calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/xattr.c | 14 +++++++++++++-
+ fs/reiserfs/xattr_acl.c | 3 +++
+ 2 files changed, 16 insertions(+), 1 deletions(-)
+
+commit c18cef940310c06bdf86d64d8cb227e56e165300
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Mon May 27 16:38:25 2013 +1000
+
+ Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
+
+ xfs: kill suid/sgid through the truncate path.
+
+ XFS has failed to kill suid/sgid bits correctly when truncating
+ files of non-zero size since commit c4ed4243 ("xfs: split
+ xfs_setattr") introduced in the 3.1 kernel. Fix it.
+
+ Fix it.
+
+ cc: stable kernel <stable@vger.kernel.org>
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Brian Foster <bfoster@redhat.com>
+ Signed-off-by: Ben Myers <bpm@sgi.com>
+
+ (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)
+
+ fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
+ 1 files changed, 32 insertions(+), 15 deletions(-)
+
+commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed May 29 15:36:40 2013 -0400
+
+ Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
+
+ NFSv4: Fix a thinko in nfs4_try_open_cached
+
+ We need to pass the full open mode flags to nfs_may_open() when doing
+ a delegated open.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: stable@vger.kernel.org
+
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c47de62893a9f269be0a272c2840aac1e2a35c68
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Thu May 30 01:18:43 2013 +0000
+
+ Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
+
+ parisc: kernel: using strlcpy() instead of strcpy()
+
+ 'boot_args' is an input args, and 'boot_command_line' has a fix length.
+ So use strlcpy() instead of strcpy() to avoid memory overflow.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Acked-by: Kyle McMartin <kyle@mcmartin.ca>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/kernel/setup.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit ce869e6f799f95fcac340420ba3612503df80dbf
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Mon May 27 04:57:09 2013 +0000
+
+ Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
+
+ parisc: memory overflow, 'name' length is too short for using
+
+ 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
+ * "%u:" + "%u" + '\0') may be 21.
+
+ Since 'name' length is 20, it may be memory overflow.
+
+ And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
+ max length of 'name' must be less than 28.
+
+ So simplify thinking, we can use 28 instead of 20 directly, and do not
+ think of whether 'patchc.bc[i]' can '> 100'.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/kernel/drivers.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5dc65cd34d442783118a17c518e2daedb90a31d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 4 17:52:23 2013 -0400
+
+ add PERF_HARDEN recommendation
+
+ grsecurity/Kconfig | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 4 17:22:44 2013 -0400
+
+ Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN
+
+ grsecurity/Kconfig | 19 +++++++++++++++++++
+ include/linux/perf_event.h | 5 +++++
+ kernel/events/core.c | 10 +++++++++-
+ kernel/sysctl.c | 9 ++++++++-
+ 4 files changed, 41 insertions(+), 2 deletions(-)
+
+commit 84619a3501fd38285a72d9e963f58d1827beedd6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 14:23:31 2013 -0400
+
+ remove user-triggerable BUG_ON in do_munlockall()
+
+ mm/mlock.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 13:44:05 2013 -0400
+
+ Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
+
+ From: Kees Cook <keescook@chromium.org>
+ Date: Thu, 23 May 2013 17:32:17 +0000
+ Subject: iscsi-target: fix heap buffer overflow on error
+
+ If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+ error response packet, generated by iscsi_add_notunderstood_response(),
+ would still attempt to copy the entire key into the packet, overflowing
+ the structure on the heap.
+
+ Remote preauthentication kernel memory corruption was possible if a
+ target was configured and listening on the network.
+
+ CVE-2013-2850
+
+ Embargo-screwup-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 13:43:26 2013 -0400
+
+ Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
+ Applying upstream fix instead
+
+ This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun May 19 21:52:20 2013 +0300
+
+ Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
+
+ USB: cxacru: potential underflow in cxacru_cm_get_array()
+
+ commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
+
+ The value of "offd" comes off the instance->rcv_buf[] and we used it as
+ the offset into an array. The problem is that we check the upper bound
+ but not for negative values.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+
+ drivers/usb/atm/cxacru.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 11:30:17 2013 -0400
+
+ Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit 8578566969d91678a3d7d5251b4eafc6d7775314
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 30 17:44:15 2013 -0400
+
+ Apply compatibility fix to previous RLIMIT_NPROC change
+ don't enforce the rlimit check at exec time if the user is root
+ Prevents problems with sudo if root is listed as part of a group
+ in limits.conf with process limits enforced
+
+ kernel/sys.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
+Merge: 643b294 ed9b427
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 19:19:28 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ed9b4276488528d0c3803df1dc0df804238241e0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 19:18:45 2013 -0400
+
+ Updated to pax-linux-3.9.4-test8.patch:
+ - fixed some fallout detected by the checker plugin
+
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ drivers/base/devtmpfs.c | 6 +++---
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/mem.c | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++--
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++--------
+ fs/9p/vfs_addr.c | 2 +-
+ fs/binfmt_elf.c | 4 ++--
+ fs/compat_ioctl.c | 4 ++--
+ fs/exec.c | 2 +-
+ fs/namespace.c | 8 ++++----
+ fs/proc/vmcore.c | 12 ++++++++----
+ fs/read_write.c | 2 +-
+ include/linux/syscalls.h | 8 ++++----
+ init/do_mounts_initrd.c | 8 ++++----
+ init/main.c | 4 ++--
+ kernel/events/core.c | 2 +-
+ kernel/events/internal.h | 10 +++++-----
+ mm/page_io.c | 2 +-
+ security/keys/internal.h | 2 +-
+ tools/gcc/checker_plugin.c | 1 +
+ 24 files changed, 63 insertions(+), 54 deletions(-)
+
+commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 18:51:31 2013 -0400
+
+ eliminate gcc warning
+
+ fs/exec.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 18:30:20 2013 -0400
+
+ use BUILD_BUG() instead of BUILD_BUG_ON(1)
+
+ arch/x86/net/bpf_jit_comp.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 5343410354267368e5809f3ad8d9a264f141be18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 17:57:41 2013 -0400
+
+ defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
+ for unknown opcodes
+
+ arch/x86/net/bpf_jit_comp.c | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
+Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+Date: Fri May 24 15:55:11 2013 -0700
+
+ Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
+
+ mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
+
+ Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
+ multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
+ fix freed page still mapped in secondary MMU").
+
+ Since hlist_for_each_entry_rcu() is changed now, we can not revert that
+ patch directly, so this patch reverts the commit and simply fix the bug
+ spotted by that patch
+
+ This bug spotted by commit 751efd8610d3 is:
+
+ There is a race condition between mmu_notifier_unregister() and
+ __mmu_notifier_release().
+
+ Assume two tasks, one calling mmu_notifier_unregister() as a result
+ of a filp_close() ->flush() callout (task A), and the other calling
+ mmu_notifier_release() from an mmput() (task B).
+
+ A B
+ t1 srcu_read_lock()
+ t2 if (!hlist_unhashed())
+ t3 srcu_read_unlock()
+ t4 srcu_read_lock()
+ t5 hlist_del_init_rcu()
+ t6 synchronize_srcu()
+ t7 srcu_read_unlock()
+ t8 hlist_del_rcu() <--- NULL pointer deref.
+
+ This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
+
+ The another issue spotted in the commit is "multiple ->release()
+ callouts", we needn't care it too much because it is really rare (e.g,
+ can not happen on kvm since mmu-notify is unregistered after
+ exit_mmap()) and the later call of multiple ->release should be fast
+ since all the pages have already been released by the first call.
+ Anyway, this issue should be fixed in a separate patch.
+
+ -stable suggestions: Any version that has commit 751efd8610d3 need to be
+ backported. I find the oldest version has this commit is 3.0-stable.
+
+ [akpm@linux-foundation.org: tweak comments]
+ Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+ Tested-by: Robin Holt <holt@sgi.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++---------------------------
+ 1 files changed, 39 insertions(+), 40 deletions(-)
+
+commit 163a5539b36247865d39b2bcfa8efc03a62124a6
+Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Date: Fri May 24 15:55:21 2013 -0700
+
+ Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
+
+ mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
+
+ We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
+ set_pmd_at is used to set pmd with huge pte entries and architectures
+ like ppc64, clear few flags from the pte when saving a new entry.
+ Without this change we observe bad pte errors like below on ppc64 with
+ THP enabled.
+
+ BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
+
+ Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/huge_memory.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
+Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Fri May 24 15:55:08 2013 -0700
+
+ Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
+
+ fat: fix possible overflow for fat_clusters
+
+ Intermediate value of fat_clusters can be overflowed on 32bits arch.
+
+ Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
+ Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/fat/inode.c | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
+Author: Jarod Wilson <jarod@redhat.com>
+Date: Fri May 24 15:55:31 2013 -0700
+
+ Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
+
+ drivers/char/random.c: fix priming of last_data
+
+ Commit ec8f02da9ea5 ("random: prime last_data value per fips
+ requirements") added priming of last_data per fips requirements.
+
+ Unfortuantely, it did so in a way that can lead to multiple threads all
+ incrementing nbytes, but only one actually doing anything with the extra
+ data, which leads to some fun random corruption and panics.
+
+ The fix is to simply do everything needed to prime last_data in a single
+ shot, so there's no window for multiple cpus to increment nbytes -- in
+ fact, we won't even increment or decrement nbytes anymore, we'll just
+ extract the needed EXTRACT_SIZE one time per pool and then carry on with
+ the normal routine.
+
+ All these changes have been tested across multiple hosts and
+ architectures where panics were previously encoutered. The code changes
+ are are strictly limited to areas only touched when when booted in fips
+ mode.
+
+ This change should also go into 3.8-stable, to make the myriads of fips
+ users on 3.8.x happy.
+
+ Signed-off-by: Jarod Wilson <jarod@redhat.com>
+ Tested-by: Jan Stancek <jstancek@redhat.com>
+ Tested-by: Jan Stodola <jstodola@redhat.com>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Cc: Matt Mackall <mpm@selenic.com>
+ Cc: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/char/random.c | 30 +++++++++++++++---------------
+ 1 files changed, 15 insertions(+), 15 deletions(-)
+
+commit 2d74639040ba6ce47f57ec010714ec06529c4b42
+Author: Jiri Kosina <jkosina@suse.cz>
+Date: Fri May 24 15:55:33 2013 -0700
+
+ Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
+
+ random: fix accounting race condition with lockless irq entropy_count update
+
+ Commit 902c098a3663 ("random: use lockless techniques in the interrupt
+ path") turned IRQ path from being spinlock protected into lockless
+ cmpxchg-retry update.
+
+ That commit removed r->lock serialization between crediting entropy bits
+ from IRQ context and accounting when extracting entropy on userspace
+ read path, but didn't turn the r->entropy_count reads/updates in
+ account() to use cmpxchg as well.
+
+ It has been observed, that under certain circumstances this leads to
+ read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
+ corrupted and becomes negative, which in turn results in propagating 0
+ all the way from account() to the actual read() call.
+
+ Convert the accounting code to be the proper lockless counterpart of
+ what has been partially done by 902c098a3663.
+
+ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+ Cc: Theodore Ts'o <tytso@mit.edu>
+ Cc: Greg KH <greg@kroah.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/char/random.c | 26 +++++++++++++++++---------
+ 1 files changed, 17 insertions(+), 9 deletions(-)
+
+commit 65d05c7ea468c23c175105526dd4f163302a92cf
+Merge: 1a98d0a 6ce3a135
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 25 07:48:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/vm86_32.c
+
+commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
+Merge: 79bdd65 0bfd8ff
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 25 07:46:55 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 18:42:23 2013 -0400
+
+ use existing local variable
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b2b80ef8586061e32e986b31608717c25d1e7c54
+Merge: cb45fbd 79bdd65
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 17:58:53 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 79bdd65dac68267bc1b201c6b4a99966a373c305
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 17:57:46 2013 -0400
+
+ Update to pax-linux-3.9.3-test7.patch:
+ - fixed some size overflow related warnings (hash table, attributes)
+ - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html
+
+ arch/x86/include/asm/page_64.h | 2 +-
+ arch/x86/kernel/head64.c | 2 +-
+ tools/gcc/constify_plugin.c | 48 ++-
+ tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
+ 4 files changed, 651 insertions(+), 592 deletions(-)
+
+commit cb45fbda4967b1b544a754fbdc92d73283379522
+Merge: 62588fa 57c11b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 20 17:32:17 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 57c11b85acd841a088aa4df8e60be337880df8cd
+Merge: 0598b37 4bb0869
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 20 17:32:08 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
+Merge: e261c7b 0598b37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 17 22:57:36 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 17 22:57:07 2013 -0400
+
+ Update to pax-linux-3.9.2-test6.patch:
+ - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
+ - fixed pfn extraction from pud/pgd entries, reported by ousado
+
+ arch/x86/include/asm/pgtable.h | 9 +++++++--
+ tools/gcc/structleak_plugin.c | 3 ++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 22:54:12 2013 -0400
+
+ add offset to topdown check, fixes compilation
+
+ arch/x86/kernel/sys_x86_64.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:57:41 2013 -0400
+
+ CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
+ reported by lulzh3ad on irc
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0d4593e84707cdf6deb6b925c18c676a476b1613
+Merge: 43cd0c0 39a877f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:39:11 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:37:35 2013 -0400
+
+ Update to pax-linux-3.9.2-test105.patch:
+ - fixed !EFI boot problem, reported by spender
+ - fixed a few compile warnings
+ - fixed some more compile errors due to constification
+ - fixed some arm fallout, reported by Michael Tremer
+
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/x86/kernel/sys_x86_64.c | 3 +--
+ arch/x86/realmode/init.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +++++-----
+ drivers/irqchip/irq-gic.c | 2 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++---
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ fs/jfs/super.c | 4 ++--
+ include/linux/irqchip/arm-gic.h | 2 ++
+ include/sound/compress_driver.h | 2 +-
+ net/mac80211/cfg.c | 4 ++--
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ 14 files changed, 31 insertions(+), 22 deletions(-)
+
+commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:35:22 2013 -0400
+
+ Fix usercopy false positive under gcc 4.1
+
+ arch/x86/kernel/signal.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 56a166129d817f6634c8c230e6ec497669bdfaca
+Author: Amerigo Wang <amwang@redhat.com>
+Date: Thu May 9 21:56:37 2013 +0000
+
+ Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
+
+ ipv6,gre: do not leak info to user-space
+
+ There is a hole in struct ip6_tnl_parm2, so we have to
+ zero the struct on stack before copying it to user-space.
+
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_gre.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit d6f50dae2653ad912952da40417a8ccbd59c7699
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 14 16:52:35 2013 -0400
+
+ disable unprivileged kernel profiling under HIDESYM, rename
+ the variable to something more appropriate
+
+ include/linux/perf_event.h | 8 ++++----
+ kernel/events/core.c | 6 +++++-
+ kernel/sysctl.c | 4 ++--
+ 3 files changed, 11 insertions(+), 7 deletions(-)
+
+commit 01322c6951bed4eedefbd2178dbd99292b365d99
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 17:19:57 2013 -0400
+
+ mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
+ existing stack-heap gap code for the new unified vm_unmapped_area
+
+ grsecurity/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 15:40:32 2013 -0400
+
+ fix NX fault on early boot
+
+ arch/x86/realmode/init.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:48:13 2013 -0400
+
+ compile fix, we weren't using %pa anyway and it's now being used
+ by upstream for physical address printing
+
+ lib/vsprintf.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:39:52 2013 -0400
+
+ compile fix
+
+ grsecurity/grsec_chroot.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:35:36 2013 -0400
+
+ compile fixes
+
+ grsecurity/grsec_chroot.c | 2 +-
+ include/linux/grinternal.h | 8 ++++----
+ include/linux/grsecurity.h | 4 ++--
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:27:18 2013 -0400
+
+ compile fix
+
+ fs/exec.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:23:17 2013 -0400
+
+ Initial port of grsecurity for 3.9.2
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/thread_info.h | 8 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/powerpc/mm/slice.c | 8 +-
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 8 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/Kconfig.debug | 2 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 14 +-
+ arch/x86/kernel/sys_x86_64.c | 6 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 126 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/usb/storage/realtek_cr.c | 2 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 10 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 181 +-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 241 ++-
+ fs/namespace.c | 24 +
+ fs/open.c | 38 +
+ fs/pipe.c | 2 +-
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 +-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 17 +
+ fs/proc/internal.h | 3 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ grsecurity/Kconfig | 1031 +++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 +++
+ grsecurity/gracl_ip.c | 387 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 ++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 ++
+ grsecurity/grsec_disabled.c | 434 +++
+ grsecurity/grsec_exec.c | 187 +
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 ++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 ++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 222 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 +++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/gracl.h | 319 ++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 +
+ include/linux/grinternal.h | 215 +
+ include/linux/grmsg.h | 111 +
+ include/linux/grsecurity.h | 242 ++
+ include/linux/grsock.h | 19 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/printk.h | 3 +-
+ include/linux/proc_fs.h | 12 +
+ include/linux/sched.h | 68 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/net/secure_seq.h | 1 +
+ include/trace/events/fs.h | 53 +
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 71 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 4 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 8 +
+ kernel/printk.c | 13 +-
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 39 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 3 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ lib/vsprintf.c | 35 +-
+ localversion-grsec | 1 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 64 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/shmem.c | 2 +-
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/8021q/vlan.c | 7 +
+ net/core/dev_ioctl.c | 4 +
+ net/core/net-procfs.c | 5 +
+ net/core/secure_seq.c | 4 +-
+ net/core/sock_diag.c | 7 +
+ net/ipv4/af_inet.c | 5 +-
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 7 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netfilter/xt_gradm.c | 51 +
+ net/netrom/af_netrom.c | 2 +-
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/probe.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/tipc/link.c | 11 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 342 ++-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 291 files changed, 15221 insertions(+), 2052 deletions(-)
+
+commit 88854c350c899bceca4a94598c42bed44d0dc91b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 07:37:47 2013 -0400
+
+ Initial import of pax-linux-3.9.2-test2.patch
+
+ Documentation/dontdiff | 45 +-
+ Documentation/kernel-parameters.txt | 12 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 421 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 6 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 15 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 15 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-ux500/include/mach/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 91 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 36 +-
+ arch/arm/mm/mmu.c | 187 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 23 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/kernel/us3_cpufreq.c | 69 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 ++
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 6 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 21 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 6 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 ++-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 67 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page_64.h | 2 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 113 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 63 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 ++-
+ arch/x86/kernel/entry_64.S | 530 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 1 -
+ arch/x86/kernel/head_32.S | 237 +-
+ arch/x86/kernel/head_64.S | 120 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 57 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 4 +-
+ arch/x86/kernel/setup.c | 19 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 248 +
+ arch/x86/kernel/sys_x86_64.c | 19 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 57 +-
+ arch/x86/kvm/x86.c | 10 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 70 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 376 +-
+ arch/x86/lib/usercopy_64.c | 25 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 556 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 90 +-
+ arch/x86/mm/init_32.c | 119 +-
+ arch/x86/mm/init_64.c | 44 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 19 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 4 +-
+ arch/x86/realmode/init.c | 8 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/relocs.c | 95 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 2 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 9 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 41 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clocksource/arm_arch_timer.c | 2 +-
+ drivers/clocksource/metag_generic.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 4 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-cdev.c | 3 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efivars.c | 4 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 37 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 10 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/devices/doc2000.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/iio/iio_hwmon.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 11 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 605 +++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 8 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/ecryptfs/read_write.c | 2 +-
+ fs/exec.c | 362 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/super.c | 2 +-
+ fs/fhandle.c | 3 +-
+ fs/fifo.c | 22 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 2 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 6 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 2 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 8 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 33 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 36 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/compat.h | 6 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/ftrace_event.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 2 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 6 +-
+ include/linux/mm.h | 110 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 12 +-
+ include/linux/pipe_fs_i.h | 6 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/proc_fs.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 67 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 36 +-
+ include/linux/slab_def.h | 33 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 10 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 2 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-ioctl.h | 1 -
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 12 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 22 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 40 +-
+ init/main.c | 77 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 40 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 28 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 7 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 20 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 68 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 51 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 18 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 6 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 20 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 8 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ lib/Kconfig.debug | 6 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 16 +-
+ mm/mmap.c | 576 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 4 +-
+ mm/page_alloc.c | 41 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 105 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 11 +-
+ mm/slob.c | 201 +-
+ mm/slub.c | 99 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 82 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/devinet.c | 14 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 18 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 6 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 8 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 14 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 2 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 29 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.pl | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 675 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 171 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 518 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 ++
+ tools/gcc/latent_entropy_plugin.c | 327 ++
+ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2114 ++++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/gcc/structleak_plugin.c | 276 +
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1555 files changed, 30474 insertions(+), 7126 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
+Merge: 814820a 3a59a59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:51:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:50:07 2013 -0400
+
+ Update to pax-linux-3.8.13-test24.patch:
+ - fixed sparc/constification compile error, reported by blake
+ - UDEREF/amd64 should be a bit more efficient when disabled at boot time
+ - fixed some unnecessary integer truncations that could trip up the size overflow plugin
+
+ arch/arm/kernel/vmlinux.lds.S | 4 ++--
+ arch/sparc/kernel/us3_cpufreq.c | 4 ++--
+ arch/x86/ia32/ia32entry.S | 4 ++--
+ arch/x86/include/asm/pgtable.h | 6 ++++--
+ arch/x86/include/asm/uaccess.h | 6 +++---
+ arch/x86/kernel/kprobes-opt.c | 4 ++++
+ arch/x86/lib/copy_user_nocache_64.S | 2 +-
+ arch/x86/lib/getuser.S | 8 ++++----
+ arch/x86/lib/putuser.S | 8 ++++----
+ arch/x86/mm/fault.c | 6 +++---
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/staging/iio/ring_sw.c | 2 +-
+ fs/binfmt_elf.c | 6 +++---
+ fs/nfsd/nfscache.c | 2 +-
+ fs/xattr.c | 21 +++++++++++++++++++++
+ include/linux/syscalls.h | 2 +-
+ include/linux/xattr.h | 3 +++
+ init/main.c | 3 +++
+ kernel/futex_compat.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ net/socket.c | 2 +-
+ security/Kconfig | 2 +-
+ 22 files changed, 67 insertions(+), 34 deletions(-)
+
+commit 814820abfe5b9a34401d838b2510431a4cd92be9
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon May 6 09:31:17 2013 +0000
+
+ Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
+
+ tipc: potential divide by zero in tipc_link_recv_fragment()
+
+ The worry here is that fragm_sz could be zero since it comes from
+ skb->data.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/tipc/link.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon May 6 08:28:41 2013 +0000
+
+ Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
+
+ tipc: add a bounds check in link_recv_changeover_msg()
+
+ The bearer_id here comes from skb->data and it can be a number from 0 to
+ 7. The problem is that the ->links[] array has only 2 elements so I
+ have added a range check.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/tipc/link.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit ed0428c4ef6c5498870772f212ac651216eb8d0c
+Merge: 2452d8d dbf932a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:18:25 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c
+ arch/x86/mm/init.c
+
+commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 20:24:01 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl.c | 1 +
+ grsecurity/gracl_segv.c | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 18:25:26 2013 -0400
+
+ fix btrfs support here as well
+
+ grsecurity/gracl_segv.c | 17 +++++++++--------
+ 1 files changed, 9 insertions(+), 8 deletions(-)
+
+commit c75e4664fe4d20da1639f70d9def097c4f20856b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 18:12:57 2013 -0400
+
+ Fix RBAC compatibility with btrfs compiled as a module, as
+ reported on the forums by YuHg at:
+ http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952
+
+ fs/btrfs/inode.c | 11 +----------
+ grsecurity/gracl.c | 19 ++++++++++---------
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_disabled.c | 2 +-
+ 4 files changed, 13 insertions(+), 21 deletions(-)
+
+commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 11 12:12:00 2013 -0400
+
+ allow copies just up to the start of kernel code
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 04638852588cf243f865f5a73aa9dab94fab53b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 10 16:53:07 2013 -0400
+
+ MODULES_EXEC_VADDR is a virtual address
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 10 16:51:03 2013 -0400
+
+ exempt module rx areas from usercopy protection under i386 kernexec
+ their .rodata will be placed between stext/etext causing copies of
+ constant strings to trigger usercopy reports/terminations
+
+ fs/exec.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 20:25:52 2013 -0400
+
+ User jorgus on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
+ discovered that the upstreamed version of enforcing RLIMIT_NPROC
+ at setuid/exec time missed an important corner case:
+ If RLIMIT_NPROC is set after a setuid occurs and the user's process
+ limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
+ happen at exec time for the task with a modified RLIMIT_NPROC.
+
+ This patch fixes that.
+
+ kernel/sys.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
+Merge: 539fff0 2452d8d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 18:13:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
+Merge: 6c850d8 9c9ab76
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 18:13:31 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/irq.c
+ kernel/trace/trace_stack.c
+
+commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 7 21:43:00 2013 -0400
+
+ turn counter into a flag
+
+ grsecurity/Kconfig | 2 +-
+ grsecurity/grsec_chroot.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 7 21:02:39 2013 -0400
+
+ add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
+ useful for Fedora/RHEL users
+
+ grsecurity/Kconfig | 10 ++++++++++
+ grsecurity/grsec_chroot.c | 17 +++++++++++++++--
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+commit 418102925c0cfb0de51b0a021abaa575e28fafa6
+Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri May 3 14:11:25 2013 +0200
+
+ Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
+
+ perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
+
+ We should always have proper privileges when requesting kernel
+ data.
+
+ Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Cc: <stable@kernel.org>
+ Cc: Andi Kleen <ak@linux.intel.com>
+ Cc: eranian@google.com
+ Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
+ [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+ Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
+
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
+ 1 files changed, 10 insertions(+), 3 deletions(-)
+
+commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon Apr 29 05:58:52 2013 +0000
+
+ Upstream commit: aebda156a570782a86fc4426842152237a19427d
+
+ net: defer net_secret[] initialization
+
+ Instead of feeding net_secret[] at boot time, defer the init
+ at the point first socket is created.
+
+ This permits some platforms to use better entropy sources than
+ the ones available at boot time.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/secure_seq.h | 1 +
+ net/core/secure_seq.c | 4 +---
+ net/ipv4/af_inet.c | 5 ++++-
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed May 1 02:59:23 2013 +0000
+
+ Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
+
+ net: sctp: attribute printl with __printf for gcc fmt checks
+
+ Let GCC check for format string errors in sctp's probe printl
+ function. This patch fixes the warning when compiled with W=1:
+
+ net/sctp/probe.c:73:2: warning: function might be possible candidate
+ for 'gnu_printf' format attribute [-Wmissing-format-attribute]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/probe.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 2 19:58:54 2013 -0400
+
+ remove no-longer-needed vmware 8 compat fix
+
+ mm/page_alloc.c | 6 ------
+ 1 files changed, 0 insertions(+), 6 deletions(-)
+
+commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 2 19:55:23 2013 -0400
+
+ remove unnecessary < 0 check
+
+ net/phonet/af_phonet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:30:48 2013 -0400
+
+ remove references to CONFIG_X86_WP_WORKS_OK
+
+ arch/um/defconfig | 1 -
+ security/Kconfig | 2 +-
+ 2 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
+Merge: a8dbe8e 6c850d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:28:44 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/mm/ultra.S
+ drivers/tty/tty_io.c
+
+commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
+Merge: cdbcbef 9fa1d01
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:25:18 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:44:23 2013 -0400
+
+ add module.h to silence compiler warning, thanks to
+ Sergei Trofimovich
+
+ fs/btrfs/inode.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 55eba82aca97aa56378e000840c48965557721e8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:43:03 2013 -0400
+
+ compilation fix
+
+ kernel/trace/trace.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e3bf912b54af6df7fbebc68b5999554562056c5c
+Merge: 5b72e37 cdbcbef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:34:42 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit cdbcbef45c4f003cbee11e10668a35d424c17c60
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:33:35 2013 -0400
+
+ Update to pax-linux-3.8.10-test21.patch:
+ - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
+ - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
+ note that the false positive is not fixed yet
+ - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
+ - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
+ - reverted the nested NMI fix in search for a real one
+ - simplified the arm_delay_ops constification
+
+ arch/arm/include/asm/delay.h | 8 ++++----
+ arch/arm/lib/delay.c | 17 +++++------------
+ arch/x86/kernel/entry_64.S | 11 ++++++++++-
+ arch/x86/kernel/i8259.c | 2 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kvm/vmx.c | 4 ++--
+ drivers/block/pktcdvd.c | 2 +-
+ fs/btrfs/extent-tree.c | 2 +-
+ fs/nfsd/nfscache.c | 6 ++++--
+ kernel/trace/trace.c | 2 +-
+ tools/gcc/structleak_plugin.c | 4 ++++
+ 11 files changed, 34 insertions(+), 26 deletions(-)
+
+commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 20:53:06 2013 -0400
+
+ don't use file_inode()
+
+ drivers/tty/tty_io.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
+Author: Jiri Slaby <jslaby@suse.cz>
+Date: Fri Apr 26 13:48:53 2013 +0200
+
+ Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
+
+ TTY: fix atime/mtime regression
+
+ In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
+ we removed timestamps from tty inodes to fix a security issue and waited
+ if something breaks. Well, 'w', the utility to find out logged users
+ and their inactivity time broke. It shows that users are inactive since
+ the time they logged in.
+
+ To revert to the old behaviour while still preventing attackers to
+ guess the password length, we update the timestamps in one-minute
+ intervals by this patch.
+
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ drivers/tty/tty_io.c
+
+ drivers/tty/tty_io.c | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
+Author: Jiri Slaby <jslaby@suse.cz>
+Date: Fri Feb 15 15:25:05 2013 +0100
+
+ Upstream commit: b0de59b5733d
+
+ TTY: do not update atime/mtime on read/write
+
+ On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
+ out length of a password using timestamps of /dev/ptmx. It is
+ documented in "Timing Analysis of Keystrokes and Timing Attacks on
+ SSH". To avoid that problem, do not update time when reading
+ from/writing to a TTY.
+
+ I am afraid of regressions as this is a behavior we have since 0.97
+ and apps may expect the time to be current, e.g. for monitoring
+ whether there was a change on the TTY. Now, there is no change. So
+ this would better have a lot of testing before it goes upstream.
+
+ References: CVE-2013-0160
+
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+ Cc: stable <stable@vger.kernel.org> # after 3.9 is out
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/tty_io.c | 8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
+
+commit 5344a24e2320d61dbdb88aae04922f0799deefd0
+Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
+Date: Fri Apr 26 11:03:53 2013 +0800
+
+ Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
+
+ aio: fix possible invalid memory access when DEBUG is enabled
+
+ dprintk() shouldn't access @ring after it's unmapped.
+
+ Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/aio.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
+Author: John David Anglin <dave.anglin@bell.net>
+Date: Tue Apr 23 22:42:07 2013 +0200
+
+ Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
+
+ parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
+
+ User applications running on SMP kernels have long suffered from instability
+ and random segmentation faults. This patch improves the situation although
+ there is more work to be done.
+
+ One of the problems is the various routines in pgtable.h that update page table
+ entries use different locking mechanisms, or no lock at all (set_pte_at). This
+ change modifies the routines to all use the same lock pa_dbit_lock. This lock
+ is used for dirty bit updates in the interruption code. The patch also purges
+ the TLB entries associated with the PTE to ensure that inconsistent values are
+ not used after the page table entry is updated. The UP and SMP code are now
+ identical.
+
+ The change also includes a minor update to the purge_tlb_entries function in
+ cache.c to improve its efficiency.
+
+ Signed-off-by: John David Anglin <dave.anglin@bell.net>
+ Cc: Helge Deller <deller@gmx.de>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
+ arch/parisc/kernel/cache.c | 5 +---
+ 2 files changed, 26 insertions(+), 26 deletions(-)
+
+commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
+Merge: ba54c97 4d05084
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 18:17:20 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kvm/x86.c
+ include/linux/capability.h
+
+commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
+Merge: c664779 bb8dd67
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 18:15:45 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
+Author: David S. Miller <davem@davemloft.net>
+Date: Wed Apr 24 16:52:18 2013 -0700
+
+ Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
+
+ sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
+
+ Reported-by: Meelis Roos <mroos@linux.ee>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/mm/tlb.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
+Author: David S. Miller <davem@davemloft.net>
+Date: Fri Apr 19 17:26:26 2013 -0400
+
+ Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
+
+ sparc64: Fix race in TLB batch processing.
+
+ As reported by Dave Kleikamp, when we emit cross calls to do batched
+ TLB flush processing we have a race because we do not synchronize on
+ the sibling cpus completing the cross call.
+
+ So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
+ and either flushes are missed or flushes will flush the wrong
+ addresses.
+
+ Fix this by using generic infrastructure to synchonize on the
+ completion of the cross call.
+
+ This first required getting the flush_tlb_pending() call out from
+ switch_to() which operates with locks held and interrupts disabled.
+ The problem is that smp_call_function_many() cannot be invoked with
+ IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
+
+ We get the batch processing outside of locked IRQ disabled sections by
+ using some ideas from the powerpc port. Namely, we only batch inside
+ of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a
+ region, we flush TLBs synchronously.
+
+ 1) Get rid of xcall_flush_tlb_pending and per-cpu type
+ implementations.
+
+ 2) Do TLB batch cross calls instead via:
+
+ smp_call_function_many()
+ tlb_pending_func()
+ __flush_tlb_pending()
+
+ 3) Batch only in lazy mmu sequences:
+
+ a) Add 'active' member to struct tlb_batch
+ b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
+ c) Set 'active' in arch_enter_lazy_mmu_mode()
+ d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
+ e) Check 'active' in tlb_batch_add_one() and do a synchronous
+ flush if it's clear.
+
+ 4) Add infrastructure for synchronous TLB page flushes.
+
+ a) Implement __flush_tlb_page and per-cpu variants, patch
+ as needed.
+ b) Likewise for xcall_flush_tlb_page.
+ c) Implement smp_flush_tlb_page() to invoke the cross-call.
+ d) Wire up global_flush_tlb_page() to the right routine based
+ upon CONFIG_SMP
+
+ 5) It turns out that singleton batches are very common, 2 out of every
+ 3 batch flushes have only a single entry in them.
+
+ The batch flush waiting is very expensive, both because of the poll
+ on sibling cpu completeion, as well as because passing the tlb batch
+ pointer to the sibling cpus invokes a shared memory dereference.
+
+ Therefore, in flush_tlb_pending(), if there is only one entry in
+ the batch perform a completely asynchronous global_flush_tlb_page()
+ instead.
+
+ Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+ arch/sparc/include/asm/pgtable_64.h | 1 +
+ arch/sparc/include/asm/switch_to_64.h | 3 +-
+ arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++--
+ arch/sparc/kernel/smp_64.c | 41 ++++++++++-
+ arch/sparc/mm/tlb.c | 38 +++++++++-
+ arch/sparc/mm/tsb.c | 57 ++++++++++++----
+ arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++-------
+ 7 files changed, 241 insertions(+), 55 deletions(-)
+
+commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri Apr 19 15:32:32 2013 +0000
+
+ Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
+
+ net: fix incorrect credentials passing
+
+ Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+ sender") changed the credentials passing code to pass in the effective
+ uid/gid instead of the real uid/gid.
+
+ Obviously this doesn't matter most of the time (since normally they are
+ the same), but it results in differences for suid binaries when the wrong
+ uid/gid ends up being used.
+
+ This just undoes that (presumably unintentional) part of the commit.
+
+ Reported-by: Andy Lutomirski <luto@amacapital.net>
+ Cc: Eric W. Biederman <ebiederm@xmission.com>
+ Cc: Serge E. Hallyn <serge@hallyn.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/scm.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 18 19:22:40 2013 -0400
+
+ move _etext to only cover kernel code, not read-only data, as reported by Gu1
+
+ arch/arm/kernel/vmlinux.lds.S | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 98ad6adbc48759e4f9eae435d3e51ba487155685
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 18 19:17:24 2013 -0400
+
+ add asm/sections.h for USERCOPY change
+
+ fs/exec.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
+Author: Dmitry Popov <dp@highloadlab.com>
+Date: Thu Apr 11 08:55:07 2013 +0000
+
+ Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
+
+ tcp: incoming connections might use wrong route under synflood
+
+ There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
+ flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+ RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+ inet_sk_flowi_flags(sk),
+ (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+ ireq->loc_addr, th->source, th->dest);
+
+ Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
+ taken. This dst_entry is used by new socket (get_cookie_sock ->
+ tcp_v4_syn_recv_sock), so its packets may take the wrong path.
+
+ Signed-off-by: Dmitry Popov <dp@highloadlab.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/syncookies.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 3600395e8fef3ae712e72f9b68c3609639616df8
+Author: Thomas Graf <tgraf@suug.ch>
+Date: Thu Apr 11 10:57:18 2013 +0000
+
+ Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
+
+ tcp: Reallocate headroom if it would overflow csum_start
+
+ If a TCP retransmission gets partially ACKed and collapsed multiple
+ times it is possible for the headroom to grow beyond 64K which will
+ overflow the 16bit skb->csum_start which is based on the start of
+ the headroom. It has been observed rarely in the wild with IPoIB due
+ to the 64K MTU.
+
+ Verify if the acking and collapsing resulted in a headroom exceeding
+ what csum_start can cover and reallocate the headroom if so.
+
+ A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
+ LLNL for helping out with the investigation and testing.
+
+ Reported-by: Jim Foraker <foraker1@llnl.gov>
+ Signed-off-by: Thomas Graf <tgraf@suug.ch>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp_output.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
+Author: Ivan Vecera <ivecera@redhat.com>
+Date: Fri Apr 12 16:49:24 2013 +0200
+
+ Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
+
+ be2net: take care of __vlan_put_tag return value
+
+ The driver should use return value of __vlan_put_tag with appropriate
+ NULL-check instead of old skb pointer.
+
+ Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/emulex/benet/be_main.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri Apr 12 03:17:12 2013 +0000
+
+ Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
+
+ tuntap: fix error return code in tun_set_iff()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ [ Bug added in linux-3.8 , commit 4008e97f866db665
+ ("tuntap: fix ambigious multiqueue API") ]
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Sat Apr 13 15:49:03 2013 +0000
+
+ Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
+
+ esp4: fix error return code in esp_output()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/esp4.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 2b45b5f52c2a8930f80c62de392a62516c83e225
+Author: Bjørn Mork <bjorn@mork.no>
+Date: Tue Apr 16 00:17:07 2013 +0000
+
+ Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
+
+ net: cdc_mbim: remove bogus sizeof()
+
+ The intention was to test against the constant, not the size of
+ the constant.
+
+ Signed-off-by: Bjørn Mork <bjorn@mork.no>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/usb/cdc_mbim.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 17d7408795519037a5a1272c7888238e20830bfe
+Author: Vyacheslav Dubeyko <slava@dubeyko.com>
+Date: Wed Apr 17 15:58:33 2013 -0700
+
+ Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
+
+ hfsplus: fix potential overflow in hfsplus_file_truncate()
+
+ Change a u32 to loff_t hfsplus_file_truncate().
+
+ Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/hfsplus/extents.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
+Author: Emese Revfy <re.emese@gmail.com>
+Date: Wed Apr 17 15:58:36 2013 -0700
+
+ Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
+
+ kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
+
+ This fixes a kernel memory contents leak via the tkill and tgkill syscalls
+ for compat processes.
+
+ This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
+ when handling signals delivered from tkill.
+
+ The place of the infoleak:
+
+ int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
+ {
+ ...
+ put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
+ ...
+ }
+
+ Signed-off-by: Emese Revfy <re.emese@gmail.com>
+ Reviewed-by: PaX Team <pageexec@freemail.hu>
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Oleg Nesterov <oleg@redhat.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: Serge Hallyn <serge.hallyn@canonical.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/signal.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 20:17:00 2013 -0400
+
+ Improve PAX_USERCOPY to reject direct copies to/from main kernel text
+
+ fs/exec.c | 29 +++++++++++++++++++++++++++--
+ 1 files changed, 27 insertions(+), 2 deletions(-)
+
+commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
+Merge: e87c19f c664779
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 20:06:08 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c664779987cb0c27a242029f0e0db812e3236203
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 19:54:09 2013 -0400
+
+ add intentional_overflow marking for resource_size() as reasoned by:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
+
+ include/linux/ioport.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e87c19f8312355b8658e5138c16bfa6043a379c8
+Merge: 802d119 d0c636c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 16:57:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
+Merge: bc88628 2396403
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 16:57:01 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/paravirt.c
+
+commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:39:51 2013 -0400
+
+ move location of RBAC user check on setfsuid until after capability checks
+ for consistency with other checks
+
+ kernel/sys.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 1a860d7d67051559ab2e6d10f9888649c92904e6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:34:46 2013 -0400
+
+ A denied setfsuid by the RBAC system would result in an abort_creds() being called
+ with an uninitalized pointer, introduced by a bad forward-port
+
+ kernel/sys.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
+Merge: c38d142 bc88628
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:28:33 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit bc88628a6a8fcccaabb90908640809b0540df225
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:26:41 2013 -0400
+
+ Update to pax-linux-3.8.7-test20.patch:
+ - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
+ - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
+ - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
+ - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)
+
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/x86/Kconfig | 4 ++--
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ security/Kconfig | 2 +-
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+commit c38d142744489fc4d9be80188b6435a278438fd9
+Author: Suleiman Souhlal <suleiman@google.com>
+Date: Sat Apr 13 16:03:06 2013 -0700
+
+ Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
+
+ vfs: Revert spurious fix to spinning prevention in prune_icache_sb
+
+ Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
+
+ This commit doesn't look right: since we are looking at the tail of the
+ list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
+ it back at the head of the list instead of the tail, otherwise we will
+ keep spinning on it.
+
+ Discovered when investigating why prune_icache_sb came top in perf
+ reports of a swapping load.
+
+ Signed-off-by: Suleiman Souhlal <suleiman@google.com>
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: stable@vger.kernel.org # v3.2+
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/inode.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 93019624b80ba59798393942798d7f6ed0c1dbc6
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat Apr 13 15:15:30 2013 -0700
+
+ Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
+
+ kobject: fix kset_find_obj() race with concurrent last kobject_put()
+
+ Anatol Pomozov identified a race condition that hits module unloading
+ and re-loading. To quote Anatol:
+
+ "This is a race codition that exists between kset_find_obj() and
+ kobject_put(). kset_find_obj() might return kobject that has refcount
+ equal to 0 if this kobject is freeing by kobject_put() in other
+ thread.
+
+ Here is timeline for the crash in case if kset_find_obj() searches for
+ an object tht nobody holds and other thread is doing kobject_put() on
+ the same kobject:
+
+ THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put())
+ splin_lock()
+ atomic_dec_return(kobj->kref), counter gets zero here
+ ... starts kobject cleanup ....
+ spin_lock() // WAIT thread A in kobj_kset_leave()
+ iterate over kset->list
+ atomic_inc(kobj->kref) (counter becomes 1)
+ spin_unlock()
+ spin_lock() // taken
+ // it does not know that thread A increased counter so it
+ remove obj from list
+ spin_unlock()
+ vfree(module) // frees module object with containing kobj
+
+ // kobj points to freed memory area!!
+ kobject_put(kobj) // OOPS!!!!
+
+ The race above happens because module.c tries to use kset_find_obj()
+ when somebody unloads module. The module.c code was introduced in
+ commit 6494a93d55fa"
+
+ Anatol supplied a patch specific for module.c that worked around the
+ problem by simply not using kset_find_obj() at all, but rather than make
+ a local band-aid, this just fixes kset_find_obj() to be thread-safe
+ using the proper model of refusing the get a new reference if the
+ refcount has already dropped to zero.
+
+ See examples of this proper refcount handling not only in the kref
+ documentation, but in various other equivalent uses of this pattern by
+ grepping for atomic_inc_not_zero().
+
+ [ Side note: the module race does indicate that module loading and
+ unloading is not properly serialized wrt sysfs information using the
+ module mutex. That may require further thought, but this is the
+ correct fix at the kobject layer regardless. ]
+
+ Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/kobject.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+commit 5277b052b5fab36729e1255fb3b12f47a4b12867
+Author: Dave Hansen <dave@sr71.net>
+Date: Fri Apr 12 16:23:54 2013 -0700
+
+ Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
+
+ x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
+
+ This patch attempts to fix:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=56461
+
+ The symptom is a crash and messages like this:
+
+ chrome: Corrupted page table at address 34a03000
+ *pdpt = 0000000000000000 *pde = 0000000000000000
+ Bad pagetable: 000f [#1] PREEMPT SMP
+
+ Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
+ enable tlb flush range support for x86") since that code started to free
+ unused pagetables.
+
+ On x86-32 PAE kernels, that new code has the potential to free an entire
+ PMD page and will clear one of the four page-directory-pointer-table
+ (aka pgd_t entries).
+
+ The hardware aggressively "caches" these top-level entries and invlpg
+ does not actually affect the CPU's copy. If we clear one we *HAVE* to
+ do a full TLB flush, otherwise we might continue using a freed pmd page.
+ (note, we do this properly on the population side in pud_populate()).
+
+ This patch tracks whenever we clear one of these entries in the 'struct
+ mmu_gather', and ensures that we follow up with a full tlb flush.
+
+ BTW, I disassembled and checked that:
+
+ if (tlb->fullmm == 0)
+ and
+ if (!tlb->fullmm && !tlb->need_flush_all)
+
+ generate essentially the same code, so there should be zero impact there
+ to the !PAE case.
+
+ Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: Peter Anvin <hpa@zytor.com>
+ Cc: Ingo Molnar <mingo@kernel.org>
+ Cc: Artem S Tashkinov <t.artem@mailcity.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/x86/include/asm/tlb.h | 2 +-
+ arch/x86/mm/pgtable.c | 7 +++++++
+ include/asm-generic/tlb.h | 7 ++++++-
+ mm/memory.c | 1 +
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+commit 521e573fc77d1783c1d4636dfbb4617a922f043d
+Merge: 032f626 f807619
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 19:29:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f80761993b85df96fc142dfc3a317cadc0f8eae5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 19:28:21 2013 -0400
+
+ Update to pax-linux-3.8.7-test19.patch:
+ - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
+ - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
+ - fixed the structleak plugin to compile for gcc 4.5-4.6 as well
+
+ Makefile | 2 +-
+ arch/x86/xen/enlighten.c | 6 +++---
+ tools/gcc/structleak_plugin.c | 5 +++--
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
+Merge: a3a770e 89886f5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 18:38:40 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89886f561cc0d1c42a99624ec8c3704711088155
+Merge: 9123489 531ec28
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 18:38:30 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit a3a770e18578841e4fbe2aa0831a22811b4812cf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 11 20:46:20 2013 -0400
+
+ Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
+ Will be fixed with the next PaX patch
+
+ This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
+Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Fri Mar 29 10:20:56 2013 -0400
+
+ Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
+
+ xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
+
+ Occassionaly on a DL380 G4 the guest would crash quite early with this:
+
+ (XEN) d244:v0: unhandled page fault (ec=0003)
+ (XEN) Pagetable walk from ffffffff84dc7000:
+ (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789
+ (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d
+ (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def
+ (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7
+ (XEN) domain_crash_sync called from entry.S
+ (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
+ (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]----
+ (XEN) CPU: 3
+ (XEN) RIP: e033:[<ffffffff81263f22>]
+ (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest
+ (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f
+ (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000
+
+ The offending code shows it to be a loop writting the value zero
+ (%rax) in the %rdi (the L4 provided by Xen) register:
+
+ 0: 44 00 00 add %r8b,(%rax)
+ 3: 31 c0 xor %eax,%eax
+ 5: b9 40 00 00 00 mov $0x40,%ecx
+ a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
+ 11: 00 00
+ 13: ff c9 dec %ecx
+ 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction
+ 18: 48 89 47 08 mov %rax,0x8(%rdi)
+ 1c: 48 89 47 10 mov %rax,0x10(%rdi)
+
+ which fails. xen_setup_kernel_pagetable recycles some of the Xen's
+ page-table entries when it has switched over to its Linux page-tables.
+
+ Right before try to clear the page, we make a hypercall to change
+ it from _RO to _RW and that works (otherwise we would hit an BUG()).
+ And the _RW flag is set for that page:
+ (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7
+
+ The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
+ present (correct), and we tried to write to the page, but a violation
+ occurred. The one theory is that the the page entries in hardware
+ (which are cached) are not up to date with what we just set. Especially
+ as we have just done an CR3 write and flushed the multicalls.
+
+ This patch does solve the problem by flusing out the TLB page
+ entry after changing it from _RO to _RW and we don't hit this
+ issue anymore.
+
+ Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
+ 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
+ Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
+ Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+ arch/x86/xen/mmu.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
+Author: Namhyung Kim <namhyung.kim@lge.com>
+Date: Mon Apr 1 21:46:23 2013 +0900
+
+ Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
+
+ tracing: Fix double free when function profile init failed
+
+ On the failure path, stat->start and stat->pages will refer same page.
+ So it'll attempt to free the same page again and get kernel panic.
+
+ Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
+
+ Cc: Frederic Weisbecker <fweisbec@gmail.com>
+ Cc: Namhyung Kim <namhyung.kim@lge.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ kernel/trace/ftrace.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
+Author: Neil Horman <nhorman@tuxdriver.com>
+Date: Tue Apr 9 23:19:00 2013 +0000
+
+ Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
+
+ e100: Add dma mapping error check
+
+ e100 uses pci_map_single, but fails to check for a dma mapping error after its
+ use, resulting in a stack trace:
+
+ [ 46.656594] ------------[ cut here ]------------
+ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
+ [ 46.657004] Hardware name: To Be Filled By O.E.M.
+ [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
+ error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
+ [ 46.657004] Modules linked in:
+ [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
+ snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
+ e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
+ k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
+ sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
+ drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
+ sata_promise crc_itu_t
+ [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
+ [ 46.657004] Call Trace:
+ [ 46.657004] <IRQ> [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
+ [ 46.657004] [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
+ [ 46.657004] [<ffffffff81364cfb>] check_unmap+0x47b/0x950
+ [ 46.657004] [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
+ [ 46.657004] [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
+ [ 46.657004] [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
+ [ 46.657004] [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
+ [ 46.657004] [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
+ [ 46.657004] [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
+ [ 46.657004] [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
+ [ 46.657004] [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
+ [ 46.657004] [<ffffffff8101c485>] do_softirq+0x85/0xc0
+ [ 46.657004] [<ffffffff81070885>] irq_exit+0xd5/0xe0
+ [ 46.657004] [<ffffffff816e5756>] do_IRQ+0x56/0xc0
+ [ 46.657004] [<ffffffff816dacb2>] common_interrupt+0x72/0x72
+ [ 46.657004] <EOI> [<ffffffff816da1eb>] ?
+ _raw_spin_unlock_irqrestore+0x3b/0x70
+ [ 46.657004] [<ffffffff816d124d>] __slab_free+0x58/0x38b
+ [ 46.657004] [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
+ [ 46.657004] [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
+ [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
+ [ 46.657004] [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff811e8c28>] destroy_inode+0x38/0x60
+ [ 46.657004] [<ffffffff811e8d5e>] evict+0x10e/0x1a0
+ [ 46.657004] [<ffffffff811e9605>] iput+0xf5/0x180
+ [ 46.657004] [<ffffffff811e4338>] dput+0x248/0x310
+ [ 46.657004] [<ffffffff811ce0e1>] __fput+0x171/0x240
+ [ 46.657004] [<ffffffff811ce26e>] ____fput+0xe/0x10
+ [ 46.657004] [<ffffffff8108d54c>] task_work_run+0xac/0xe0
+ [ 46.657004] [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
+ [ 46.657004] [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
+ [ 46.657004] [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
+ [ 46.657004] [<ffffffff8106d139>] do_group_exit+0x49/0xc0
+ [ 46.657004] [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
+ [ 46.657004] [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
+ [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]---
+ [ 46.657004] Mapped at:
+ [ 46.657004] [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
+ [ 46.657004] [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
+ [ 46.657004] [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
+ [ 46.657004] [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
+ [ 46.657004] [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
+
+ Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
+ dma_mapping_error check in the obvious place
+
+ This was reported previously here:
+ http://article.gmane.org/gmane.linux.network/257893
+
+ But nobody stepped up and fixed it.
+
+ CC: Josh Boyer <jwboyer@redhat.com>
+ CC: e1000-devel@lists.sourceforge.net
+ Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+ Reported-by: Michal Jaegermann <michal@harddata.com>
+ Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+ Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++-----------
+ 1 files changed, 25 insertions(+), 11 deletions(-)
+
+commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed Apr 10 12:44:18 2013 -0400
+
+ Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
+
+ NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
+
+ Make sure that we set the status to 0 on success. Missed in testing
+ because it never appears when doing multiple mounts to _different_
+ servers.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
+
+ fs/nfs/nfs4client.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
+Author: Yuval Mintz <yuvalmin@broadcom.com>
+Date: Wed Apr 10 13:34:39 2013 +0300
+
+ Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
+
+ bnx2x: Prevent null pointer dereference in AFEX mode
+
+ The cnic module is responsible for initializing various bnx2x structs
+ via callbacks provided by the bnx2x module.
+ One such struct is the queue object for the FCoE queue.
+
+ If a device is working in AFEX mode and its configuration allows FCoE yet
+ the cnic module is not loaded, it's very likely a null pointer dereference
+ will occur, as the bnx2x will erroneously access the FCoE's queue object.
+
+ Prevent said access until cnic properly registers itself.
+
+ Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
+ Signed-off-by: Ariel Elior <ariele@broadcom.com>
+ Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 2908830232725db624aaa052f7ad38d1f98bf541
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Apr 9 14:16:04 2013 +0800
+
+ Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
+
+ can: gw: use kmem_cache_free() instead of kfree()
+
+ Memory allocated by kmem_cache_alloc() should be freed using
+ kmem_cache_free(), not kfree().
+
+ Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+
+ net/can/gw.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
+Author: Christoph Paasch <christoph.paasch@uclouvain.be>
+Date: Sun Apr 7 04:53:15 2013 +0000
+
+ Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
+
+ ipv6/tcp: Stop processing ICMPv6 redirect messages
+
+ Tetja Rediske found that if the host receives an ICMPv6 redirect message
+ after sending a SYN+ACK, the connection will be reset.
+
+ He bisected it down to 093d04d (ipv6: Change skb->data before using
+ icmpv6_notify() to propagate redirect), but the origin of the bug comes
+ from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
+ handlers.). The bug simply did not trigger prior to 093d04d, because
+ skb->data did not point to the inner IP header and thus icmpv6_notify
+ did not call the correct err_handler.
+
+ This patch adds the missing "goto out;" in tcp_v6_err. After receiving
+ an ICMPv6 Redirect, we should not continue processing the ICMP in
+ tcp_v6_err, as this may trigger the removal of request-socks or setting
+ sk_err(_soft).
+
+ Reported-by: Tetja Rediske <tetja@tetja.de>
+ Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/tcp_ipv6.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c7d5c2524456ef3ea9194840e7a9a75069a46824
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 20:32:54 2013 -0400
+
+ - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit acac2380fd97acee4367d2aa24c74322dcf1d22b
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Apr 5 16:11:11 2013 -0400
+
+ Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
+
+ NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
+
+ It is unsafe to use list_for_each_entry_safe() here, because
+ when we drop the nn->nfs_client_lock, we pin the _current_ list
+ entry and ensure that it stays in the list, but we don't do the
+ same for the _next_ list entry. Use of list_for_each_entry() is
+ therefore the correct thing to do.
+
+ Also fix the refcounting in nfs41_walk_client_list().
+
+ Finally, ensure that the nfs_client has finished being initialised
+ and, in the case of NFSv4.1, that the session is set up.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: Chuck Lever <chuck.lever@oracle.com>
+ Cc: Bryan Schumaker <bjschuma@netapp.com>
+ Cc: stable@vger.kernel.org [>= 3.7]
+
+ fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++----------------
+ 1 files changed, 28 insertions(+), 16 deletions(-)
+
+commit a6cf5f387b882ac0ce655b75f623f86c075517be
+Author: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri Mar 22 12:52:59 2013 -0400
+
+ Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
+
+ SUNRPC: Remove extra xprt_put()
+
+ While testing error cases where rpc_new_client() fails, I saw
+ some oopses.
+
+ If rpc_new_client() fails, it already invokes xprt_put(). Thus
+ __rpc_clone_client() does not need to invoke it again.
+
+ Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
+ Fri Sep 14, 2012.
+
+ Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+ Cc: stable@vger.kernel.org [>=3.7]
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Apr 5 14:13:21 2013 -0400
+
+ Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
+
+ SUNRPC: Fix a potential memory leak in rpc_new_client
+
+ If the call to rpciod_up() fails, we currently leak a reference to the
+ struct rpc_xprt.
+ As part of the fix, we also remove the redundant check for xprt!=NULL.
+ This is already taken care of by the callers.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 7 ++-----
+ 1 files changed, 2 insertions(+), 5 deletions(-)
+
+commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 19:16:05 2013 -0400
+
+ From https://lkml.org/lkml/2013/4/8/469:
+ [PATCH] rtnetlink: call nlmsg_parse() with correct header length
+
+ net/core/rtnetlink.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 9529169b8c405874fd543b785f53c74fa0501c2a
+Author: Christopher Harvey <charvey@matrox.com>
+Date: Fri Apr 5 10:51:15 2013 -0400
+
+ Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
+
+ drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
+
+ This change properly enables the "requester" in G200ER cards that is
+ responsible for getting pixels out of memory and clocking them out to
+ the screen.
+
+ Signed-off-by: Christopher Harvey <charvey@matrox.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++----------
+ 1 files changed, 3 insertions(+), 10 deletions(-)
+
+commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu Mar 28 13:30:23 2013 -0400
+
+ Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
+
+ ecryptfs: close rmmod race
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ecryptfs/miscdev.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 19:03:45 2013 -0400
+
+ Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1
+
+ arch/ia64/kernel/palinfo.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 83280e384ae3ceadad30369ced111dc7d4b46085
+Author: Andrey Vagin <avagin@openvz.org>
+Date: Tue Apr 9 17:33:29 2013 +0400
+
+ Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
+
+ mnt: release locks on error path in do_loopback
+
+ do_loopback calls lock_mount(path) and forget to unlock_mount
+ if clone_mnt or copy_mnt fails.
+
+ [ 77.661566] ================================================
+ [ 77.662939] [ BUG: lock held when returning to user space! ]
+ [ 77.664104] 3.9.0-rc5+ #17 Not tainted
+ [ 77.664982] ------------------------------------------------
+ [ 77.666488] mount/514 is leaving the kernel with locks still held!
+ [ 77.668027] 2 locks held by mount/514:
+ [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
+ [ 77.671755] #1: (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
+
+ Signed-off-by: Andrey Vagin <avagin@openvz.org>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/namespace.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 679e536b9d9536d804f049fe942367a596253e6d
+Author: Alex Williamson <alex.williamson@redhat.com>
+Date: Tue Mar 26 11:33:16 2013 -0600
+
+ Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
+
+ vfio-pci: Fix possible integer overflow
+
+ The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
+ of which are unsigned. We attempt to bounds check these, but fail to
+ account for the case where start is a very large number, allowing
+ start + count to wrap back into the valid range. Bounds check both
+ start and start + count.
+
+ Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+ drivers/vfio/pci/vfio_pci.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 18:48:45 2013 -0400
+
+ Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b5261a6384ee42499b29495aaae40b271e77d394
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:30:45 2013 -0400
+
+ some undefined behavior fixups
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_ip.c | 10 +++++-----
+ grsecurity/gracl_segv.c | 4 ++--
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:28:54 2013 -0400
+
+ don't whine about denied ipv6 when it's not enabled
+
+ grsecurity/gracl_ip.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
+Merge: 97bca88 9123489
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:18:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9123489428c58668a89f316db6619739cbdd2c2a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:17:46 2013 -0400
+
+ Update to pax-linux-3.8.6-test18.patch:
+ - new size overflow plugin from Emese to work around a gcc optimization
+ resulting in an intentional overflow, reported by Carlos Carvalho
+ (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
+
+ tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 66 insertions(+), 2 deletions(-)
+
+commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
+Merge: 675a41e e9d6073
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 8 21:32:59 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/kernel/us3_cpufreq.c
+
+commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 8 21:19:03 2013 -0400
+
+ Update to pax-linux-3.8.6-test17.patch:
+ - fixed ia64/ppc/sparc compilation by spender
+ - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)
+
+ arch/ia64/include/asm/uaccess.h | 2 -
+ arch/powerpc/include/asm/uaccess.h | 2 -
+ arch/sparc/include/asm/uaccess.h | 7 ----
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++--------------------------
+ tools/gcc/structleak_plugin.c | 15 ++++----
+ 6 files changed, 28 insertions(+), 69 deletions(-)
+
+commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 7 12:00:50 2013 -0400
+
+ fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin
+
+ net/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5a216624a06429488f24ce47db093da042f90e48
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 13:22:24 2013 -0400
+
+ fix typo
+
+ arch/sparc/kernel/us3_cpufreq.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit e476ca18d21788898cd3acd1b57049971a2fb70f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 13:16:13 2013 -0400
+
+ properly fix cpufreq_driver for ultrasparc III with constification
+
+ arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
+ 1 files changed, 17 insertions(+), 18 deletions(-)
+
+commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 12:58:48 2013 -0400
+
+ mark prom_sparc_ops __initconst
+
+ arch/sparc/kernel/prom_common.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 12:53:16 2013 -0400
+
+ fix ia64/powerpc/sparc compilation
+
+ arch/ia64/include/asm/uaccess.h | 2 --
+ arch/powerpc/include/asm/uaccess.h | 2 --
+ arch/sparc/include/asm/uaccess.h | 7 -------
+ 3 files changed, 0 insertions(+), 11 deletions(-)
+
+commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Mar 19 20:26:57 2013 +0100
+
+ Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
+
+ cfg80211: fix wdev tracing crash
+
+ Arend reported a crash in tracing if the driver returns an
+ ERR_PTR() value from the add_virtual_intf() callback. This
+ is due to the tracing then still attempting to dereference
+ the "pointer", fix this by using IS_ERR_OR_NULL().
+
+ Reported-by: Arend van Spriel <arend@broadcom.com>
+ Tested-by: Arend van Spriel <arend@broadcom.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+ net/wireless/trace.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Mon Mar 25 11:51:14 2013 +0100
+
+ Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
+
+ mac80211: fix remain-on-channel cancel crash
+
+ If a ROC item is canceled just as it expires, the work
+ struct may be scheduled while it is running (and waiting
+ for the mutex). This results in it being run after being
+ freed, which obviously crashes.
+
+ To fix this don't free it when aborting is requested but
+ instead mark it as "to be freed", which makes the work a
+ no-op and allows freeing it outside.
+
+ Cc: stable@vger.kernel.org [3.6+]
+ Reported-by: Jouni Malinen <j@w1.fi>
+ Tested-by: Jouni Malinen <j@w1.fi>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+ net/mac80211/cfg.c | 6 ++++--
+ net/mac80211/ieee80211_i.h | 3 ++-
+ net/mac80211/offchannel.c | 23 +++++++++++++++++------
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
+Author: Stone Piao <piaoyun@marvell.com>
+Date: Fri Mar 29 19:21:21 2013 -0700
+
+ Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
+
+ mwifiex: limit channel number not to overflow memory
+
+ Limit the channel number in scan request, or the driver scan
+ config structure memory will be overflowed.
+
+ Cc: <stable@vger.kernel.org> # 3.5+
+ Signed-off-by: Stone Piao <piaoyun@marvell.com>
+ Signed-off-by: Bing Zhao <bzhao@marvell.com>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/mwifiex/cfg80211.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 207c411512bdaf0e4271f93ecac6ca26588da36f
+Author: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Thu Mar 21 19:48:41 2013 +0000
+
+ Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
+
+ netfilter: reset nf_trace in nf_reset
+
+ We forgot to clear the nf_trace of sk_buff in nf_reset,
+ When we use veth device, this nf_trace information will
+ be leaked from one net namespace to another net namespace.
+
+ Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ include/linux/skbuff.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri Mar 22 01:28:18 2013 +0000
+
+ Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
+
+ netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_queue_core.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit a79feb7d3251eca577d83d7f69eee2b961ab2924
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat Mar 23 16:57:59 2013 +0100
+
+ Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
+
+ netfilter: nfnetlink_acct: return -EINVAL if object name is empty
+
+ If user-space tries to create accounting object with an empty
+ name, then return -EINVAL.
+
+ Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_acct.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
+Author: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sat Mar 30 10:23:12 2013 +0000
+
+ Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
+
+ netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
+
+ The bitmask used for the prefix mangling was being calculated
+ incorrectly, leading to the wrong part of the address being replaced
+ when the prefix length wasn't a multiple of 32.
+
+ Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/ipv6/netfilter/ip6t_NPT.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
+Author: Veaceslav Falico <vfalico@redhat.com>
+Date: Wed Apr 3 05:46:33 2013 +0000
+
+ Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
+
+ bonding: remove sysfs before removing devices
+
+ We have a race condition if we try to rmmod bonding and simultaneously add
+ a bond master through sysfs. In bonding_exit() we first remove the devices
+ (through rtnl_link_unregister() ) and only after that we remove the sysfs.
+ If we manage to add a device through sysfs after that the devices were
+ removed - we'll end up with that device/sysfs structure and with the module
+ unloaded.
+
+ Fix this by first removing the sysfs and only after that calling
+ rtnl_link_unregister().
+
+ Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d12cae44a9d12441d81c489178803237219d403d
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Wed Apr 3 16:14:47 2013 +0000
+
+ Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
+
+ af_unix: If we don't care about credentials coallesce all messages
+
+ It was reported that the following LSB test case failed
+ https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
+ were not coallescing unix stream messages when the application was
+ expecting us to.
+
+ The problem was that the first send was before the socket was accepted
+ and thus sock->sk_socket was NULL in maybe_add_creds, and the second
+ send after the socket was accepted had a non-NULL value for sk->socket
+ and thus we could tell the credentials were not needed so we did not
+ bother.
+
+ The unnecessary credentials on the first message cause
+ unix_stream_recvmsg to start verifying that all messages had the same
+ credentials before coallescing and then the coallescing failed because
+ the second message had no credentials.
+
+ Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
+ long standing pessimization which would fail to coallesce messages when
+ reading from a unix stream socket if the senders were different even if
+ we did not care about their credentials.
+
+ I have tested this and verified that the in the LSB test case mentioned
+ above that the messages do coallesce now, while the were failing to
+ coallesce without this change.
+
+ Reported-by: Karel Srot <ksrot@redhat.com>
+ Reported-by: Ding Tianhong <dingtianhong@huawei.com>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Wed Apr 3 16:13:35 2013 +0000
+
+ Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
+
+ Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
+
+ This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
+
+ The problem that the above patch was meant to address is that af_unix
+ messages are not being coallesced because we are sending unnecesarry
+ credentials. Not sending credentials in maybe_add_creds totally
+ breaks unconnected unix domain sockets that wish to send credentails
+ to other sockets.
+
+ In practice this break some versions of udev because they receive a
+ message and the sending uid is bogus so they drop the message.
+
+ Reported-by: Sven Joachim <svenjoac@gmx.de>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Wed Mar 20 21:31:42 2013 +0000
+
+ Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
+
+ lantiq_etop: use free_netdev(netdev) instead of kfree()
+
+ Freeing netdev without free_netdev() leads to net, tx leaks.
+ And it may lead to dereferencing freed pointer.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/lantiq_etop.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
+Author: Cong Wang <amwang@redhat.com>
+Date: Fri Mar 22 19:14:07 2013 +0000
+
+ Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
+
+ 8021q: fix a potential use-after-free
+
+ vlan_vid_del() could possibly free ->vlan_info after a RCU grace
+ period, however, we may still refer to the freed memory area
+ by 'grp' pointer. Found by code inspection.
+
+ This patch moves vlan_vid_del() as behind as possible.
+
+ Cc: Patrick McHardy <kaber@trash.net>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/8021q/vlan.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit fff29c277024a39845d4b535083c8dafc21b45d9
+Author: Hong zhi guo <honkiko@gmail.com>
+Date: Sat Mar 23 02:27:50 2013 +0000
+
+ Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
+
+ bridge: fix crash when set mac address of br interface
+
+ When I tried to set mac address of a bridge interface to a mac
+ address which already learned on this bridge, I got system hang.
+
+ The cause is straight forward: function br_fdb_change_mac_address
+ calls fdb_insert with NULL source nbp. Then an fdb lookup is
+ performed. If an fdb entry is found and it's local, it's OK. But
+ if it's not local, source is dereferenced for printk without NULL
+ check.
+
+ Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/bridge/br_fdb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
+Author: Kumar Amit Mehta <gmate.amit@gmail.com>
+Date: Sat Mar 23 20:10:25 2013 +0000
+
+ Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
+
+ bnx2x: fix assignment of signed expression to unsigned variable
+
+ fix for incorrect assignment of signed expression to unsigned variable.
+
+ Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
+ Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
+Author: dingtianhong <dingtianhong@huawei.com>
+Date: Mon Mar 25 17:02:04 2013 +0000
+
+ Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
+
+ af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
+
+ SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
+ socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
+ and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
+
+ Origionally-authored-by: Karel Srot <ksrot@redhat.com>
+ Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b964e1e61f0f0ccaa380be3342f956c604054bdc
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Thu Mar 21 02:30:41 2013 -0700
+
+ Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
+
+ yama: Better permission check for ptraceme
+
+ Change the permission check for yama_ptrace_ptracee to the standard
+ ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
+ in the tracees user namespace.
+
+ Reviewed-by: Kees Cook <keescook@chromium.org>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+
+ security/yama/yama_lsm.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit b94e71c7b6abe75989edff18aca2781233fa143b
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Apr 1 11:40:51 2013 +0400
+
+ Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
+
+ ipc: set msg back to -EAGAIN if copy wasn't performed
+
+ Make sure that msg pointer is set back to error value in case of
+ MSG_COPY flag is set and desired message to copy wasn't found. This
+ garantees that msg is either a error pointer or a copy address.
+
+ Otherwise the last message in queue will be freed without unlinking from
+ the queue (which leads to memory corruption) and the dummy allocated
+ copy won't be released.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msg.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
+Author: Jan Kara <jack@suse.cz>
+Date: Fri Mar 29 15:39:16 2013 +0100
+
+ Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
+
+ reiserfs: Fix warning and inode leak when deleting inode with xattrs
+
+ After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
+ started failing to delete xattrs from inode. This was due to a buggy
+ test for '.' and '..' in fill_with_dentries() which resulted in passing
+ '.' and '..' entries to lookup_one_len() in some cases. That returned
+ error and so we failed to iterate over all xattrs of and inode.
+
+ Fix the test in fill_with_dentries() along the lines of the one in
+ lookup_one_len().
+
+ Reported-by: Pawel Zawora <pzawora@gmail.com>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/xattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
+Author: Paul Bolle <pebolle@tiscali.nl>
+Date: Wed Apr 3 12:24:45 2013 +0100
+
+ Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
+
+ ARM: 7690/1: mm: fix CONFIG_LPAE typos
+
+ CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
+ up the two typos under arch/arm/.
+
+ The fix to head.S is slightly scary, but this is just for setting up
+ an early io-mapping for the serial port when running on a big-endian,
+ LPAE system. Since these systems don't exist in the wild (at least, I
+ have no access to one outside of kvmtool, which doesn't provide a serial
+ port suitable for earlyprintk), then we can revisit the code later if it
+ causes any problems.
+
+ Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
+ Signed-off-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ arch/arm/kernel/head.S | 2 +-
+ arch/arm/kernel/setup.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 984ba346b2d8f158473e9723ba145031368431ed
+Author: Catalin Marinas <catalin.marinas@arm.com>
+Date: Tue Mar 26 23:35:04 2013 +0100
+
+ Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
+
+ ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
+
+ On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
+ all use of the old entries. This patch implements the erratum workaround
+ which consists of:
+
+ 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
+ 2. Send IPI to the CPUs that are running the same mm (and ASID) as the
+ one being invalidated (or all the online CPUs for global pages).
+ 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
+ return code already).
+
+ Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ Conflicts:
+
+ arch/arm/include/asm/tlbflush.h
+ arch/arm/kernel/smp_tlb.c
+ arch/arm/mm/context.c
+
+ arch/arm/Kconfig | 10 +++++
+ arch/arm/include/asm/highmem.h | 7 ++++
+ arch/arm/include/asm/mmu_context.h | 2 +
+ arch/arm/include/asm/tlbflush.h | 15 ++++++++
+ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++
+ arch/arm/mm/context.c | 6 ++-
+ 6 files changed, 104 insertions(+), 2 deletions(-)
+
+commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
+Author: Jan Stancek <jstancek@redhat.com>
+Date: Thu Apr 4 11:35:10 2013 -0700
+
+ Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
+
+ mm: prevent mmap_cache race in find_vma()
+
+ find_vma() can be called by multiple threads with read lock
+ held on mm->mmap_sem and any of them can update mm->mmap_cache.
+ Prevent compiler from re-fetching mm->mmap_cache, because other
+ readers could update it in the meantime:
+
+ thread 1 thread 2
+ |
+ find_vma() | find_vma()
+ struct vm_area_struct *vma = NULL; |
+ vma = mm->mmap_cache; |
+ if (!(vma && vma->vm_end > addr |
+ && vma->vm_start <= addr)) { |
+ | mm->mmap_cache = vma;
+ return vma; |
+ ^^ compiler may optimize this |
+ local variable out and re-read |
+ mm->mmap_cache |
+
+ This issue can be reproduced with gcc-4.8.0-1 on s390x by running
+ mallocstress testcase from LTP, which triggers:
+
+ kernel BUG at mm/rmap.c:1088!
+ Call Trace:
+ ([<000003d100c57000>] 0x3d100c57000)
+ [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
+ [<000000000023baae>] handle_pte_fault+0x41a/0xac8
+ [<000000000023d832>] handle_mm_fault+0x17a/0x268
+ [<000000000060507a>] do_protection_exception+0x1e2/0x394
+ [<0000000000603a04>] pgm_check_handler+0x138/0x13c
+ [<000003fffcf1f07a>] 0x3fffcf1f07a
+ Last Breaking-Event-Address:
+ [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
+
+ Thanks to Jakub Jelinek for his insight on gcc and helping to
+ track this down.
+
+ Signed-off-by: Jan Stancek <jstancek@redhat.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmap.c | 2 +-
+ mm/nommu.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 53f5096daa14967938bc154e6c41f9119863fb36
+Merge: e988d7c 0a45285
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 5 17:32:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/ethernet/broadcom/tg3.c
+
+commit 0a452855444d02502df6eb21ef3083cf303f71e1
+Merge: 0277fa1 00cfbb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 5 17:31:15 2013 -0400
+
+ Update to pax-linux-3.8.6-test16.patch:
+ - fixed some attribute leakage into userland headers, patch by Mathias Krause
+ - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ drivers/gpu/drm/i915/intel_display.c
+
+commit e988d7c8d946c816a2cb97f0d38048a1584966b8
+Merge: baec40e 0277fa1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 3 22:05:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0277fa123b486cf11420967e4568d7653e225fd3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 3 22:04:48 2013 -0400
+
+ Update to pax-linux-3.8.5-test15.patch:
+ - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
+ - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
+
+ drivers/media/pci/cx88/cx88-video.c | 6 +++---
+ include/net/net_namespace.h | 4 ++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+commit baec40e6708fd5ae2000cad6c70c5980c998b91c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 19:50:32 2013 -0400
+
+ fix compilation as reported on forums for gcc versions lacking plugin
+ support
+
+ include/net/net_namespace.h | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
+Merge: 6b69c35 0db9d15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:47:27 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0db9d156826bdd50510086fde837648a3dfd370e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:46:05 2013 -0400
+
+ Update to pax-linux-3.8.5-test14.patch:
+ - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table
+
+ arch/x86/include/asm/uaccess_64.h | 6 +-
+ include/linux/moduleloader.h | 4 +-
+ tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++----------------
+ 3 files changed, 61 insertions(+), 47 deletions(-)
+
+commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:35:06 2013 -0400
+
+ remove duplicate compiler.h
+
+ include/linux/sysrq.h | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit 01e1d503fd2220adaaec0b92ea19441bdff73555
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 19:53:50 2013 -0400
+
+ fix intentional_overflow marking on sys_sendto
+
+ include/linux/syscalls.h | 2 +-
+ net/socket.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit cd5ff114d958470f471c63775278e8c05e774630
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 18:46:16 2013 -0400
+
+ fix size_overflow false positive
+
+ kernel/futex_compat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 295ba16cc53df2375261accbedd6575ea327770a
+Merge: 18340f1 278a989
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:36:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/exec.c
+ include/linux/thread_info.h
+
+commit 278a989c831d62193c7b3d119fe2302babd45d12
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:34:34 2013 -0400
+
+ Resync with pax-linux-3.8.5-test13.patch
+
+ arch/arm/include/asm/pgtable.h | 3 ++-
+ arch/arm/lib/delay.c | 1 +
+ fs/exec.c | 8 ++++----
+ include/linux/compiler.h | 1 +
+ include/linux/proc_fs.h | 2 +-
+ include/linux/thread_info.h | 6 +++---
+ include/linux/zlib.h | 3 ++-
+ init/main.c | 4 ++--
+ kernel/user_namespace.c | 2 +-
+ lib/list_debug.c | 4 ++--
+ mm/slab.c | 1 +
+ mm/slob.c | 1 +
+ mm/slub.c | 1 +
+ net/core/sysctl_net_core.c | 3 +--
+ tools/gcc/constify_plugin.c | 1 +
+ 15 files changed, 24 insertions(+), 17 deletions(-)
+
+commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
+Merge: 05f01ae e8cfeae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:30:57 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
+Merge: b461cb7 aa4cfde
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:30:44 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c
+ fs/nfsd/vfs.c
+
+commit 05f01ae4c3479541586a2387f916a6620889c479
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:05:39 2013 -0400
+
+ Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
+ takes user-provided length, copies up to that amount in a sockaddr_storage
+ struct on the stack, then takes an upper-bounded-only user-provided length
+ and copies the sockaddr_storage struct back out to userland, complete with
+ uninitialized data
+
+ net/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit eea6ade59490784e83e08ec67322288fcf14cb31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 23:07:37 2013 -0400
+
+ return a proper error, otherwise we could be accessing uninitialized data
+ (previous define was a positive value)
+
+ drivers/usb/storage/realtek_cr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
+Merge: c3dc9a6 b461cb7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:54:24 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b461cb7b1d85490430ef7896c247794af72c3749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:54:11 2013 -0400
+
+ Add structleak plugin
+
+ tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 270 insertions(+), 0 deletions(-)
+
+commit c3dc9a6ef10782894bb11fd088fd712db44d8062
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:53:22 2013 -0400
+
+ Enable structleak by default for the security auto-config
+
+ security/Kconfig | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
+Merge: d8503a3 74bec16
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:47:10 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 74bec16b657147a5575b1f14f4423a717ba317a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:46:13 2013 -0400
+
+ Update to pax-linux-3.8.4-test13.patch:
+ - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
+ - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland
+
+ Makefile | 5 +++-
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/mm/fault.c | 3 +-
+ fs/binfmt_elf.c | 2 +-
+ include/linux/compiler.h | 42 ++++++++++++++--------------------------
+ security/Kconfig | 16 +++++++++++++++
+ tools/gcc/Makefile | 2 +
+ tools/gcc/constify_plugin.c | 7 +++++-
+ 8 files changed, 47 insertions(+), 32 deletions(-)
+
+commit d8503a3a35d68b9ba1615d29335aef3f70d51465
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:02:40 2013 -0400
+
+ Fix 8-byte stack infoleak in ia32_rt_sigpending
+ User controls length, kernel only performs check on the upper bound, will
+ fill in any amount less than sizeof(sigset_t) via a copy_to_user under
+ KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
+ regardless of whether the sigset_t content copied into it has been initialized
+ or not
+
+ arch/x86/ia32/sys_ia32.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 26 21:05:05 2013 -0400
+
+ commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
+ Author: J. Bruce Fields <bfields@redhat.com>
+ Date: Tue Mar 26 14:11:13 2013 -0400
+
+ nfsd4: reject "negative" acl lengths
+
+ Since we only enforce an upper bound, not a lower bound, a "negative"
+ length can get through here.
+
+ The symptom seen was a warning when we attempt to a kmalloc with an
+ excessive size.
+
+ Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ fs/nfsd/nfs4xdr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
+Author: Jeff Layton <jlayton@redhat.com>
+Date: Mon Mar 11 09:52:19 2013 -0400
+
+ Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
+
+ cifs: ignore everything in SPNEGO blob after mechTypes
+
+ We've had several reports of people attempting to mount Windows 8 shares
+ and getting failures with a return code of -EINVAL. The default sec=
+ mode changed recently to sec=ntlmssp. With that, we expect and parse a
+ SPNEGO blob from the server in the NEGOTIATE reply.
+
+ The current decode_negTokenInit function first parses all of the
+ mechTypes and then tries to parse the rest of the negTokenInit reply.
+ The parser however currently expects a mechListMIC or nothing to follow the
+ mechTypes, but Windows 8 puts a mechToken field there instead to carry
+ some info for the new NegoEx stuff.
+
+ In practice, we don't do anything with the fields after the mechTypes
+ anyway so I don't see any real benefit in continuing to parse them.
+ This patch just has the kernel ignore the fields after the mechTypes.
+ We'll probably need to reinstate some of this if we ever want to support
+ NegoEx.
+
+ Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
+ Reported-by: Yan Li <elliot.li.tech@gmail.com>
+ Signed-off-by: Jeff Layton <jlayton@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Steve French <sfrench@us.ibm.com>
+
+ fs/cifs/asn1.c | 53 +++++------------------------------------------------
+ 1 files changed, 5 insertions(+), 48 deletions(-)
+
+commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
+Merge: 93ff726 0deb54c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:35:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:35:05 2013 -0400
+
+ fix typo
+
+ arch/x86/mm/ioremap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
+Merge: be9f8b8 f95e53a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:30:06 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f95e53abadb6e4665866e4502ff9f518514193e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:29:25 2013 -0400
+
+ Update to pax-linux-3.8.4-test12.patch:
+
+ - fixed perf compilation reported by Michael Tremer
+ - fixed USERCOPY reports triggered by SCTP, reported by mcp
+ - last fix for aslr gap accounting, promise (thanks to spender)
+
+ arch/x86/mm/ioremap.c | 3 +++
+ fs/binfmt_elf.c | 5 ++---
+ mm/mmap.c | 2 +-
+ net/sctp/socket.c | 19 +++++++++++++++----
+ tools/perf/util/include/linux/compiler.h | 8 ++++++++
+ 5 files changed, 29 insertions(+), 8 deletions(-)
+
+commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 16:48:34 2013 -0400
+
+ From: Al Viro <viro@ZenIV.linux.org.uk>
+ To: Brad Spengler <spender@grsecurity.net>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Umm... I see what you are describing, and AFAICS you are correct; let me
+ see if I am misreading your analysis:
+ * vfsmount_lock may act fair; A holding it shared, with B spinning
+ on attempt to take it exclusive may lead to C spinning on attempt to take
+ it shared.
+ * path_is_under() tries get rename_lock while holding vfsmount_lock
+ shared.
+ * d_path() et.al. try to take vfsmount_lock shared, while holding
+ rename_lock.
+
+ All true and yes, it's a bug (I'd probably classify it as a livelock, but
+ that doesn't make any real difference). There are three possible solutions,
+ AFAICS:
+ 1) two-liner in path_is_under() replacing the use of vfsmount_lock
+ with that of namespace_sem; trivial, but results in function unexpectedly
+ blocking. The current callers are fine with that, but it's a trouble
+ waiting to happen.
+ 2) replace write_seqlock() in prepend_path() callers with
+ read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
+ is_subdir() we need more than just ->d_parent not pointing to something
+ freed - we also care about ->d_name.len being in sync with ->d_name.name.
+ It probably can be worked around, but...
+
+ 3) declare that rename_lock nests inside vfsmount_lock and let
+ the callers of prepend_path() take vfsmount_lock(). I'd probably prefer
+ that one...
+
+ Nest rename_lock inside vfsmount_lock
+
+ ... lest we get livelocks between path_is_under() and d_path() and friends.
+
+ [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
+ the issue ]
+
+ Spotted-by: Brad Spengler <spender@grsecurity.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/dcache.c | 16 +++++++++++-----
+ grsecurity/gracl.c | 20 ++++++++++----------
+ 2 files changed, 21 insertions(+), 15 deletions(-)
+
+commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri Mar 22 11:44:04 2013 -0700
+
+ Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
+
+ vfs,proc: guarantee unique inodes in /proc
+
+ Dave Jones found another /proc issue with his Trinity tool: thanks to
+ the namespace model, we can have multiple /proc dentries that point to
+ the same inode, aliasing directories in /proc/<pid>/net/ for example.
+
+ This ends up being a total disaster, because it acts like hardlinked
+ directories, and causes locking problems. We rely on the topological
+ sort of the inodes pointed to by dentries, and if we have aliased
+ directories, that odering becomes unreliable.
+
+ In short: don't do this. Multiple dentries with the same (directory)
+ inode is just a bad idea, and the namespace code should never have
+ exposed things this way. But we're kind of stuck with it.
+
+ This solves things by just always allocating a new inode during /proc
+ dentry lookup, instead of using "iget_locked()" to look up existing
+ inodes by superblock and number. That actually simplies the code a bit,
+ at the cost of potentially doing more inode [de]allocations.
+
+ That said, the inode lookup wasn't free either (and did a lot of locking
+ of inodes), so it is probably not that noticeable. We could easily keep
+ the old lookup model for non-directory entries, but rather than try to
+ be excessively clever this just implements the minimal and simplest
+ workaround for the problem.
+
+ Reported-and-tested-by: Dave Jones <davej@redhat.com>
+ Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/inode.c
+
+ fs/proc/inode.c | 9 +++------
+ 1 files changed, 3 insertions(+), 6 deletions(-)
+
+commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
+Author: Vladimir Davydov <vdavydov@parallels.com>
+Date: Fri Mar 22 15:04:51 2013 -0700
+
+ Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
+
+ mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
+
+ mnt_drop_write() must be called only if mnt_want_write() succeeded,
+ otherwise the mnt_writers counter will diverge.
+
+ mnt_writers counters are used to check if remounting FS as read-only is
+ OK, so after an extra mnt_drop_write() call, it would be impossible to
+ remount mqueue FS as read-only. Besides, on umount a warning would be
+ printed like this one:
+
+ =====================================
+ [ BUG: bad unlock balance detected! ]
+ 3.9.0-rc3 #5 Not tainted
+ -------------------------------------
+ a.out/12486 is trying to release lock (sb_writers) at:
+ mnt_drop_write+0x1f/0x30
+ but there are no more locks to release!
+
+ Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
+ Cc: Doug Ledford <dledford@redhat.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/mqueue.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 13:02:32 2013 -0400
+
+ Don't use constify plugin if not enabled in config,
+ reported by Alexey Vlasov
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3afb82e020593249ac394e9859397c3e0ef5341c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:50:13 2013 -0400
+
+ oded 0day #2
+ http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+ slide 20
+
+ drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:15:50 2013 -0400
+
+ oded 0day #1
+ http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+ slide 18
+
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:13:12 2013 -0400
+
+ remove warning on accessing this /proc entry, HIDESYM already caught the infoleak
+
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 44cb11a9470f72157601d0ad4d572d111f90f504
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 18:11:42 2013 -0400
+
+ use VM_DONTDUMP
+
+ fs/binfmt_elf.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 17:53:09 2013 -0400
+
+ fix recent RLIMIT_AS changes (due to vm_flags typo)
+
+ Conflicts:
+
+ fs/binfmt_elf.c
+
+ fs/binfmt_elf.c | 2 +-
+ mm/mmap.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit fd5f0d92b0fbec02029dad124501a9c80e527a32
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 17:08:48 2013 -0400
+
+ complete_walk drops rcu-walk mode, no need for our own dropping
+ method outside of generic_permission
+
+ fs/namei.c | 30 ------------------------------
+ 1 files changed, 0 insertions(+), 30 deletions(-)
+
+commit b49ab1c73edb6442eec609b26bba4d850b3111b6
+Merge: 5e9a707 783ade9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 21:56:28 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 21:55:31 2013 -0400
+
+ Update to pax-linux-3.8.3-test11.patch:
+ - rewrote the ASLR gap accounting code once again
+ - fixed ptrace compat bug found by the size overflow plugin
+
+ fs/binfmt_elf.c | 25 ++++++++++++-------------
+ fs/exec.c | 7 ++-----
+ include/linux/compat.h | 2 +-
+ include/linux/mm.h | 5 +++++
+ include/linux/mm_types.h | 2 +-
+ kernel/ptrace.c | 2 +-
+ mm/mmap.c | 15 ++++++++++-----
+ 7 files changed, 32 insertions(+), 26 deletions(-)
+
+commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 19:37:33 2013 -0400
+
+ Make the constify plugin usage actually depend on the introduced config option
+ (it was still forced on)
+
+ tools/gcc/Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1974b4f58d9d729c80ac1987785446115304a54c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 16:12:38 2013 -0400
+
+ fix failed merge
+
+ arch/arm/mm/fault.c | 15 +++------------
+ 1 files changed, 3 insertions(+), 12 deletions(-)
+
+commit 675a8ab4a8fe8315df348735a37a302a7535224c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 23:36:14 2013 -0400
+
+ From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
+ From: Kees Cook <keescook@chromium.org>
+ Date: Sun, 10 Mar 2013 20:09:31 +0000
+ Subject: drm/i915: bounds check execbuffer relocation count
+
+ It is possible to wrap the counter used to allocate the buffer for
+ relocation copies. This could lead to heap writing overflows.
+
+ CVE-2013-0913
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Reported-by: Pinkie Pie
+ Cc: stable@vger.kernel.org
+
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
+Author: Andy Honig <ahonig@google.com>
+Date: Wed Feb 20 14:48:10 2013 -0800
+
+ Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
+
+ KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
+
+ There is a potential use after free issue with the handling of
+ MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
+ memory such as frame buffers then KVM might continue to write to that
+ address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
+ the page in memory so it's unlikely to cause an issue, but if the user
+ space component re-purposes the memory previously used for the guest, then
+ the guest will be able to corrupt that memory.
+
+ Tested: Tested against kvmclock unit test
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ arch/x86/include/asm/kvm_host.h | 4 +-
+ arch/x86/kvm/x86.c | 47 ++++++++++++++++----------------------
+ 2 files changed, 22 insertions(+), 29 deletions(-)
+
+commit 0bcac31b57c381001feb69fd6ec8069e61e03432
+Author: Andy Honig <ahonig@google.com>
+Date: Mon Mar 11 09:34:52 2013 -0700
+
+ Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
+
+ KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
+
+ If the guest sets the GPA of the time_page so that the request to update the
+ time straddles a page then KVM will write onto an incorrect page. The
+ write is done byusing kmap atomic to get a pointer to the page for the time
+ structure and then performing a memcpy to that page starting at an offset
+ that the guest controls. Well behaved guests always provide a 32-byte aligned
+ address, however a malicious guest could use this to corrupt host kernel
+ memory.
+
+ Tested: Tested against kvmclock unit test.
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ arch/x86/kvm/x86.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 695c59887e4ec10b0b695ab4f645d1226c433be0
+Author: Andy Honig <ahonig@google.com>
+Date: Wed Feb 20 14:49:16 2013 -0800
+
+ Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
+
+ KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
+
+ If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
+ that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
+ that request. ioapic_read_indirect contains an
+ ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
+ non-debug builds. In recent kernels this allows a guest to cause a kernel
+ oops by reading invalid memory. In older kernels (pre-3.3) this allows a
+ guest to read from large ranges of host memory.
+
+ Tested: tested against apic unit tests.
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ virt/kvm/ioapic.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
+Merge: aec3cd4 c522e3a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 19:38:25 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
+Merge: c57d855 405acc3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 19:38:11 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 19:56:04 2013 -0400
+
+ include linux/compiler.h
+
+ include/linux/zlib.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:42:20 2013 -0400
+
+ fix missing sock_release()
+
+ net/irda/af_irda.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit dd65c05cd24faf8946d4941434a553ee285c35a3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:36:17 2013 -0400
+
+ fix mpt fusion infoleak
+
+ drivers/message/fusion/mptbase.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:33:45 2013 -0400
+
+ Fix size_overflow false positive reported by slashbeast
+
+ include/linux/zlib.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:35:36 2013 -0400
+
+ fix up failed merge
+
+ arch/arm/mm/fault.c | 9 ++-------
+ 1 files changed, 2 insertions(+), 7 deletions(-)
+
+commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:34:36 2013 -0400
+
+ update documentation on consequences of building without gcc plugin support
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:18:13 2013 -0400
+
+ fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums
+
+ init/main.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit f00195c633f91cfbd8c1f530d2c371b713026e20
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 22:27:33 2013 -0400
+
+ Fix compile error reported by KDE on the forums
+
+ kernel/user_namespace.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
+Merge: 0949569 c57d855
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 22:20:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/mm/fault.c
+ arch/x86/mm/fault.c
+ fs/exec.c
+
+commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 21:22:03 2013 -0400
+
+ Update to pax-linux-3.8.2-test9.patch:
+ arm changes from spender
+ - removed userland access to the vectors page
+ - removed obsolete sigreturn trampoline handling
+ - added emulation for __kuser_get_tls
+ - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
+ - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
+ - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
+ - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
+ - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
+ - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
+ and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
+
+ arch/arm/kernel/process.c | 5 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/traps.c | 7 -
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 23 +-
+ arch/arm/mm/mmu.c | 2 +-
+ arch/x86/include/asm/bitops.h | 2 +-
+ arch/x86/include/asm/desc.h | 2 +-
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/io.h | 8 +-
+ arch/x86/include/asm/paravirt.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +-
+ arch/x86/kernel/setup_percpu.c | 2 +-
+ arch/x86/mm/fault.c | 4 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/physaddr.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/power/power_supply_core.c | 1 +
+ drivers/usb/core/message.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/binfmt_elf.c | 5 +-
+ fs/exec.c | 4 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ include/linux/compat.h | 4 +-
+ include/linux/completion.h | 6 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/err.h | 4 +-
+ include/linux/math64.h | 6 +-
+ include/linux/sched.h | 2 +-
+ include/linux/unaligned/access_ok.h | 12 +-
+ include/linux/usb.h | 2 +-
+ include/uapi/linux/byteorder/little_endian.h | 4 +-
+ include/uapi/linux/swab.h | 6 +-
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 3 +
+ kernel/time.c | 2 +-
+ kernel/timer.c | 2 +-
+ lib/div64.c | 4 +-
+ mm/page-writeback.c | 2 +-
+ net/socket.c | 2 +
+ scripts/package/builddeb | 1 +
+ tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++----------
+ tools/gcc/size_overflow_plugin.c | 1072 ++--
+ 53 files changed, 6227 insertions(+), 3951 deletions(-)
+
+commit 09495691bb31f11ec14d9127429f9a0f3f716f22
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 17 20:51:50 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit deb85b00d0f9f886e264e116313f298401ec5c59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 17 20:03:33 2013 -0400
+
+ Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
+ with a subject applied to it with RES_CPU. Otherwise, the limit will only
+ begin to be applied at fork time.
+
+ Thanks to Bjornar Ness for the report.
+
+ grsecurity/gracl.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 2126421f123513f604ceef2b23ba9ed516de7e58
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 22:07:43 2013 -0400
+
+ Move inode auditing prior to our refcnt dropping
+
+ fs/namei.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 22:00:30 2013 -0400
+
+ Drop reference on completed path walked in RCU mode or when violating
+ the chroot fchdir check inside a chroot -- possible culprit for a reported
+ vfsmount_lock hang during unmount
+
+ fs/namei.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 16:43:45 2013 -0400
+
+ add user_arg_ptr back to exec.c
+
+ fs/exec.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 11:22:36 2013 -0400
+
+ Don't globally include compat.h -- with the new X32 support it
+ changes some definitions involving ELF binaries resulting in invalid
+ coredumps, as reported by KDE on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
+ Thanks to the PaX Team for debugging
+
+ fs/exec.c | 3 +++
+ grsecurity/grsec_exec.c | 13 +++++++++++++
+ include/linux/grsecurity.h | 15 ---------------
+ 3 files changed, 16 insertions(+), 15 deletions(-)
+
+commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:59:26 2013 -0400
+
+ Add peer information to /proc/net/unix from Kenan Kalajdzic:
+ http://marc.info/?l=linux-netdev&m=126745636809191&w=2
+
+ We use a "P" prefix to the inode number instead of "peer=". This
+ additional information can be used, for instance, to find what processes
+ are connected to MySQL's unix domain socket.
+
+ net/unix/af_unix.c | 12 +++++++++---
+ 1 files changed, 9 insertions(+), 3 deletions(-)
+
+commit 1cd623d11a462d151ea8a5cace4521e1724911a3
+Author: Oliver Neukum <oneukum@suse.de>
+Date: Tue Mar 12 14:52:42 2013 +0100
+
+ Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
+
+ USB: cdc-wdm: fix buffer overflow
+
+ The buffer for responses must not overflow.
+ If this would happen, set a flag, drop the data and return
+ an error after user space has read all remaining data.
+
+ Signed-off-by: Oliver Neukum <oliver@neukum.org>
+ CC: stable@kernel.org
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
+ 1 files changed, 20 insertions(+), 3 deletions(-)
+
+commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
+Merge: 9cdf9bc db4cb92
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:23:14 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/keys/compat.c
+
+commit db4cb924546e3fec3a59f78d056f48176eaf7100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:22:24 2013 -0400
+
+ Update to pax-linux-3.8.2-test8.patch
+
+ arch/arm/include/asm/cache.h | 2 ++
+ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++----------
+ arch/arm/mach-omap2/omap_device.c | 4 ++--
+ arch/arm/mach-omap2/omap_device.h | 4 ++--
+ arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
+ 5 files changed, 19 insertions(+), 15 deletions(-)
+
+commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
+Merge: 3c865f9 1a45c31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:20:54 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/arm/include/asm/delay.h
+ arch/arm/include/asm/pgtable.h
+ arch/arm/lib/delay.c
+ security/keys/compat.c
+
+commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Tue Mar 12 02:59:49 2013 +0000
+
+ Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
+
+ vfs: fix pipe counter breakage
+
+ If you open a pipe for neither read nor write, the pipe code will not
+ add any usage counters to the pipe, causing the 'struct pipe_inode_info"
+ to be potentially released early.
+
+ That doesn't normally matter, since you cannot actually use the pipe,
+ but the pipe release code - particularly fasync handling - still expects
+ the actual pipe infrastructure to all be there. And rather than adding
+ NULL pointer checks, let's just disallow this case, the same way we
+ already do for the named pipe ("fifo") case.
+
+ This is ancient going back to pre-2.4 days, and until trinity, nobody
+ naver noticed.
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/pipe.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
+Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Mon Feb 25 10:20:36 2013 -0500
+
+ Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
+
+ Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
+
+ Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
+ compat_process_vm_rw() shows that the compatibility code requires an
+ explicit "access_ok()" check before calling
+ compat_rw_copy_check_uvector(). The same difference seems to appear when
+ we compare fs/read_write.c:do_readv_writev() to
+ fs/compat.c:compat_do_readv_writev().
+
+ This subtle difference between the compat and non-compat requirements
+ should probably be debated, as it seems to be error-prone. In fact,
+ there are two others sites that use this function in the Linux kernel,
+ and they both seem to get it wrong:
+
+ Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
+ also ends up calling compat_rw_copy_check_uvector() through
+ aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
+ be missing. Same situation for
+ security/keys/compat.c:compat_keyctl_instantiate_key_iov().
+
+ I propose that we add the access_ok() check directly into
+ compat_rw_copy_check_uvector(), so callers don't have to worry about it,
+ and it therefore makes the compat call code similar to its non-compat
+ counterpart. Place the access_ok() check in the same location where
+ copy_from_user() can trigger a -EFAULT error in the non-compat code, so
+ the ABI behaviors are alike on both compat and non-compat.
+
+ While we are here, fix compat_do_readv_writev() so it checks for
+ compat_rw_copy_check_uvector() negative return values.
+
+ And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
+ handling.
+
+ Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ security/keys/compat.c
+
+ fs/compat.c | 15 +++++++--------
+ mm/process_vm_access.c | 8 --------
+ security/keys/compat.c | 3 ++-
+ 3 files changed, 9 insertions(+), 17 deletions(-)
+
+commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 11 18:38:38 2013 -0400
+
+ Fix leak of signal handler addresses across execve, found by Emese Revfy
+
+ kernel/signal.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 79b130c4b11c7940daf2b33d653a17666331c634
+Merge: 6480ce9 3c865f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 20:04:03 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 20:03:12 2013 -0400
+
+ Update to pax-linux-3.8.2-test7.patch:
+ - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
+ - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
+
+ fs/binfmt_elf.c | 3 ++-
+ fs/exec.c | 3 +++
+ include/linux/mm_types.h | 2 +-
+ init/main.c | 4 ++--
+ mm/mmap.c | 2 +-
+ mm/page_alloc.c | 4 ++--
+ tools/gcc/latent_entropy_plugin.c | 11 +++++++----
+ 7 files changed, 18 insertions(+), 11 deletions(-)
+
+commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
+Merge: 4a5305e 25b3569
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 10:41:16 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 25b356980568bed9958315bb5a551fdc610055ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 10:40:48 2013 -0400
+
+ Update to pax-linux-3.8.2-test6.patch:
+ - fixed a KERNEXEC false positive on arm reported by Gu1
+ - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
+ - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
+ - added fix from spender for some namespace breakage reported by zakalwe
+ - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
+
+ Documentation/kernel-parameters.txt | 5 +++++
+ arch/arm/kernel/patch.c | 2 ++
+ arch/x86/kernel/sys_i386_32.c | 5 +++--
+ drivers/acpi/blacklist.c | 2 +-
+ drivers/video/aty/mach64_cursor.c | 1 +
+ init/main.c | 4 ----
+ mm/page_alloc.c | 27 +++++++++++++++++++++++++++
+ net/ipv4/ip_fragment.c | 2 +-
+ security/Kconfig | 5 +++++
+ tools/gcc/latent_entropy_plugin.c | 7 +++++--
+ 10 files changed, 50 insertions(+), 10 deletions(-)
+
+commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 9 11:19:06 2013 -0500
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
+ Stephen Hemminger <stephen@networkplumber.org>
+ Subject: [PATCH 1/3] bridge: fix mdb info leaks
+ Date: Sat, 9 Mar 2013 16:52:19 +0100
+
+ The bridging code discloses heap and stack bytes via the RTM_GETMDB
+ netlink interface and via the notify messages send to group RTNLGRP_MDB
+ afer a successful add/del.
+
+ Fix both cases by initializing all unset members/padding bytes with
+ memset(0).
+
+ Cc: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
+ Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
+ Date: Sat, 9 Mar 2013 16:52:20 +0100
+
+ Initialize the mac address buffer with 0 as the driver specific function
+ will probably not fill the whole buffer. In fact, all in-kernel drivers
+ fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+ bytes. Therefore we currently leak 26 bytes of stack memory to userland
+ via the netlink interface.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
+ Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
+ Date: Sat, 9 Mar 2013 16:52:21 +0100
+
+ The dcb netlink interface leaks stack memory in various places:
+ * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
+ copied completely,
+ * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
+ so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
+ for ieee_pfc structs, etc.,
+ * the same is true for CEE -- no in-kernel driver fills the whole
+ struct,
+
+ Prevent all of the above stack info leaks by properly initializing the
+ buffers/structures involved.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/bridge/br_mdb.c | 4 ++++
+ net/core/rtnetlink.c | 1 +
+ net/dcb/dcbnl.c | 8 ++++++++
+ 3 files changed, 13 insertions(+), 0 deletions(-)
+
+commit 601dd446f896e3a362f706943df18a68d50420a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 9 09:35:25 2013 -0500
+
+ add open/close wrappers in __patch_text() as reported by Gu1 on IRC
+
+ arch/arm/kernel/patch.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ae39966fd85a493e9079b357e3faa62245a41222
+Author: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri Mar 8 12:43:27 2013 -0800
+
+ Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
+
+ ipc: don't allocate a copy larger than max
+
+ When MSG_COPY is set, a duplicate message must be allocated for the copy
+ before locking the queue. However, the copy could not be larger than was
+ sent which is limited to msg_ctlmax.
+
+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+ Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msg.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 61240e99650ea3e540a03a3e994349c5086f166b
+Author: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri Mar 8 12:43:26 2013 -0800
+
+ Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
+
+ ipc: fix potential oops when src msg > 4k w/ MSG_COPY
+
+ If the src msg is > 4k, then dest->next points to the
+ next allocated segment; resetting it just prior to dereferencing
+ is bad.
+
+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+ Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msgutil.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 51727f602a267f34fb2e0dc9557f1714028d51a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 22:14:06 2013 -0500
+
+ add missing 'else' in recent constify fixups
+
+ net/ipv4/ip_fragment.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
+Merge: 1580bb3 47c3f47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 18:18:37 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 18:17:22 2013 -0500
+
+ Update to pax-linux-3.8.2-test5.patch:
+ - fixed some fallout after the last round of constification changes, reported by several people
+
+ arch/arm/common/gic.c | 4 ++--
+ arch/arm/include/asm/hardware/gic.h | 3 ++-
+ arch/x86/include/asm/nmi.h | 2 +-
+ arch/x86/kernel/nmi.c | 2 +-
+ arch/x86/pci/irq.c | 2 +-
+ drivers/base/power/domain.c | 4 ++--
+ drivers/cpufreq/cpufreq_governor.c | 4 ++--
+ drivers/mfd/twl4030-irq.c | 1 +
+ drivers/video/vesafb.c | 7 +++++--
+ include/linux/irq.h | 1 +
+ include/linux/pm_domain.h | 2 +-
+ kernel/sched/core.c | 4 ++++
+ lib/Kconfig.debug | 4 ++--
+ net/core/sysctl_net_core.c | 2 +-
+ net/decnet/af_decnet.c | 1 +
+ net/ipv4/devinet.c | 2 +-
+ net/ipv4/ip_fragment.c | 2 +-
+ net/ipv4/route.c | 2 +-
+ net/ipv4/sysctl_net_ipv4.c | 2 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
+ net/ipv6/reassembly.c | 2 +-
+ scripts/sortextable.h | 6 +++---
+ 22 files changed, 36 insertions(+), 25 deletions(-)
+
+commit 1580bb38b4db0bf2a46316599815e8b234edad81
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 22:02:59 2013 -0500
+
+ add an additional open/close wrapper
+
+ kernel/sched/core.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 21622672d28d58e0d93a805cd1f9650a894a752a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 21:58:24 2013 -0500
+
+ fix oops at shutdown with new constify code
+
+ kernel/sched/core.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 21:18:44 2013 -0500
+
+ Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
+ it currently conflicts with some lock debugging options, so made as an
+ option to allow for debugging when necessary
+
+ Makefile | 2 --
+ lib/Kconfig.debug | 6 +++---
+ security/Kconfig | 18 ++++++++++++++++++
+ 3 files changed, 21 insertions(+), 5 deletions(-)
+
+commit 0885b00b8373a1597b69c38032a0c9eee279303b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:55:19 2013 -0500
+
+ disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify
+
+ lib/Kconfig.debug | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c8a2617165e7127a54f293cbf57d22d50dd83abd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:30:41 2013 -0500
+
+ Fix error:
+ drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
+ with cast and proper kernexec accessors
+
+ drivers/video/vesafb.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:20:28 2013 -0500
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:12:17 2013 -0500
+
+ fix compilation error -- no reason for task_pid_nr to not take a const task ptr
+
+ include/linux/sched.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
+Author: Kees Cook <keescook@chromium.org>
+Date: Mon Feb 25 21:32:25 2013 +0000
+
+ Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
+
+ proc connector: reject unprivileged listener bumps
+
+ While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
+ for an unprivileged user to turn off notifications for all listeners by
+ sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
+ required for a multicast bind.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Evgeniy Polyakov <zbr@ioremap.net>
+ Cc: Matt Helsley <matthltc@us.ibm.com>
+ Cc: stable@vger.kernel.org
+ Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+ Acked-by: Matt Helsley <matthltc@us.ibm.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/connector/cn_proc.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit ac6014ded57101e3e608941555ff507e20c1ece3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Feb 26 19:15:02 2013 +0000
+
+ Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
+
+ irda: small read beyond end of array in debug code
+
+ charset comes from skb->data. It's a number in the 0-255 range.
+ If we have debugging turned on then this could cause a read beyond
+ the end of the array.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/irda/iriap.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
+Author: Guenter Roeck <linux@roeck-us.net>
+Date: Wed Feb 27 10:57:31 2013 +0000
+
+ Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
+
+ net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
+
+ Building sctp may fail with:
+
+ In function ‘copy_from_user’,
+ inlined from ‘sctp_getsockopt_assoc_stats’ at
+ net/sctp/socket.c:5656:20:
+ arch/x86/include/asm/uaccess_32.h:211:26: error: call to
+ ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
+ buffer size is not provably correct
+
+ if built with W=1 due to a missing parameter size validation
+ before the call to copy_from_user.
+
+ Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri Mar 1 05:02:02 2013 +0000
+
+ Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
+
+ l2tp: Restore socket refcount when sendmsg succeeds
+
+ The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
+ reference counter after successful transmissions. Any successful
+ sendmsg() call from userspace will then increase the reference counter
+ forever, thus preventing the kernel's session and tunnel data from
+ being freed later on.
+
+ The problem only happens when writing directly on L2TP sockets.
+ PPP sockets attached to L2TP are unaffected as the PPP subsystem
+ uses pppol2tp_xmit() which symmetrically increase/decrease reference
+ counters.
+
+ This patch adds the missing call to sock_put() before returning from
+ pppol2tp_sendmsg().
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
+Author: Cong Wang <amwang@redhat.com>
+Date: Sun Mar 3 16:18:11 2013 +0000
+
+ Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
+
+ rds: limit the size allocated by rds_message_alloc()
+
+ Dave Jones reported the following bug:
+
+ "When fed mangled socket data, rds will trust what userspace gives it,
+ and tries to allocate enormous amounts of memory larger than what
+ kmalloc can satisfy."
+
+ WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+ Hardware name: GA-MA78GM-S2H
+ Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+ Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+ Call Trace:
+ [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
+ [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
+ [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
+ [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
+ [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
+ [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
+ [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
+ [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
+ [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
+ [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
+ [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
+ [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
+ [<ffffffff81567f30>] sys_sendto+0x130/0x180
+ [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
+ [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
+ [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
+ ---[ end trace eed6ae990d018c8b ]---
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Cc: Dave Jones <davej@redhat.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/rds/message.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
+Author: Cong Wang <amwang@redhat.com>
+Date: Sun Mar 3 16:28:27 2013 +0000
+
+ Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
+
+ sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
+
+ Don't definite its own MAX_KMALLOC_SIZE, use the one
+ defined in mm.
+
+ Cc: Vlad Yasevich <vyasevich@gmail.com>
+ Cc: Sridhar Samudrala <sri@us.ibm.com>
+ Cc: Neil Horman <nhorman@tuxdriver.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/ssnmap.c | 8 +++-----
+ 1 files changed, 3 insertions(+), 5 deletions(-)
+
+commit 4295a024e812f903fc580c81de5e81cc149503fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:57:49 2013 -0500
+
+ Upstream commit: https://lkml.org/lkml/2013/3/6/535
+
+ security/keys/process_keys.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 33edd486a9899a145a15586d7134636b0300aaee
+Merge: 4eeeaf3 a2a2094
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:53:00 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/include/asm/domain.h
+
+commit a2a20947f5e1332e474160a39af520738b3c8c19
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:51:04 2013 -0500
+
+ Update to pax-linux-3.8.2-test4.patch:
+ fixed arm compilation problems reported by Michael Tremer
+ - the constify plugin got smarter that enabled, with some additional patching,
+ the elimination of about half the static function pointers on amd64/allmod
+ (up from about 18%), depending on the kernel config it can be even more (70%)
+
+ Documentation/dontdiff | 2 +
+ arch/arm/include/asm/domain.h | 1 +
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/nmi.h | 4 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 2 +-
+ arch/x86/kernel/apic/io_apic.c | 10 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/i8259.c | 6 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/nmi.c | 6 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/irq.c | 6 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 2 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 4 +-
+ drivers/char/random.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 ++-
+ drivers/cpufreq/cpufreq.c | 7 +-
+ drivers/cpufreq/cpufreq_governor.c | 4 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/edac/edac_mc_sysfs.c | 2 +-
+ drivers/edac/edac_pci_sysfs.c | 2 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 2 +-
+ drivers/gpu/drm/drm_ioc32.c | 9 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 ++-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++--
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
+ drivers/mfd/twl4030-irq.c | 8 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/macvlan.c | 16 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 6 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa.h | 2 +-
+ drivers/staging/iio/iio_hwmon.c | 2 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 4 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 ++-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 4 +-
+ drivers/video/uvesafb.c | 14 +-
+ fs/exec.c | 6 +-
+ fs/ext4/super.c | 2 +-
+ fs/jfs/super.c | 4 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ include/drm/drmP.h | 12 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 2 +-
+ include/linux/binfmts.h | 2 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/irq.h | 2 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kobject.h | 1 +
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/list.h | 14 +-
+ include/linux/mod_devicetable.h | 2 +-
+ include/linux/module.h | 5 +-
+ include/linux/net.h | 2 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/platform_data/usb-exynos.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/rculist.h | 16 ++
+ include/linux/sched.h | 2 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 1 +
+ include/linux/xattr.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_vs.h | 4 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/net_namespace.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/xfrm.h | 4 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ kernel/kmod.c | 2 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/module.c | 4 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/rcutree_plugin.h | 2 +-
+ kernel/sched/core.c | 39 ++--
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 2 +-
+ kernel/sysctl.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ lib/Kconfig.debug | 2 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 57 ++++-
+ lib/swiotlb.c | 2 +-
+ mm/hugetlb.c | 16 +-
+ mm/memory-failure.c | 2 +-
+ mm/slab_common.c | 2 +-
+ net/9p/mod.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 11 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 15 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/devinet.c | 12 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/ip_fragment.c | 9 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/route.c | 14 +-
+ net/ipv4/sysctl_net_ipv4.c | 43 ++--
+ net/ipv6/addrconf.c | 4 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 6 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
+ net/ipv6/reassembly.c | 11 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/rds.h | 2 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/sysctl.c | 4 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/xfrm/xfrm_policy.c | 11 +-
+ net/xfrm/xfrm_state.c | 29 ++-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ security/apparmor/lsm.c | 2 +-
+ security/keys/key.c | 18 +-
+ security/yama/yama_lsm.c | 22 +-
+ tools/gcc/Makefile | 4 +-
+ tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------
+ tools/gcc/size_overflow_plugin.c | 7 +-
+ 248 files changed, 994 insertions(+), 668 deletions(-)
+
+commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:58:21 2013 -0500
+
+ Make slab_state __read_only, it's only written to during init
+
+ mm/slab_common.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:31:35 2013 -0500
+
+ Make two new helper functions:
+ gr_is_global_root() and gr_is_global_nonroot()
+
+ grsecurity/gracl.c | 10 +++++-----
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_link.c | 4 ++--
+ grsecurity/grsec_sig.c | 10 +++++-----
+ grsecurity/grsec_tpe.c | 6 +++---
+ include/linux/uidgid.h | 2 ++
+ 6 files changed, 18 insertions(+), 16 deletions(-)
+
+commit d45d88eddd4998b280b1e5b5384289ee11ca7088
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:14:41 2013 -0500
+
+ convert remaining task->pid to task_pid_nr(task)
+
+ grsecurity/gracl.c | 22 +++++++++++-----------
+ grsecurity/gracl_shm.c | 2 +-
+ grsecurity/grsec_chroot.c | 4 ++--
+ grsecurity/grsec_sig.c | 4 ++--
+ 4 files changed, 16 insertions(+), 16 deletions(-)
+
+commit c877f2ece03ee2232dd281c1977ae59507297124
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 5 17:29:54 2013 -0500
+
+ compat-log is only used anymore by vm86-on-64bit and allows unlimited
+ spamming of the kernel log buffer (and since it includes the changable
+ process name, can avoid syslog log deduplication)
+ Turn it off by default
+
+ fs/compat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 7c1964c4b7276889d7967bee70e46918cdca1b14
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 4 17:19:10 2013 -0500
+
+ fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
+ is enabled, introduced with recent userns support
+
+ init/main.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 18:46:12 2013 -0500
+
+ Prevent TOMOYO from auto-loading modules by unprivileged users
+ (Only reachable if TOMOYO is actually used)
+
+ security/tomoyo/mount.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 79e142f9455b398759ff9d93d4963a21b98dddda
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 18:28:45 2013 -0500
+
+ For now, don't permit any special access to /proc in a user namespace
+ Later we can go back and allow a userns-uid0 special access to a /proc
+ with a non-global pid namespace
+
+ fs/proc/base.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8b91fb393049ce5f3c0a86f62247409853fd9700
+Merge: d931eb8 603ef05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:42:09 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:41:31 2013 -0500
+
+ Fix compilation error on ARM reported by Michael Tremer
+
+ arch/arm/mach-omap2/wd_timer.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit b4c9ce81fdd7839a150c97873c710c479e788280
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:39:53 2013 -0500
+
+ Fix compilation error on ARM reported by Michael Tremer
+
+ arch/arm/kernel/armksyms.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d931eb81ab3da46896268fd61373a6aa7bbea930
+Merge: bfa7f44 5948f93
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:34:36 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
+Merge: ab30472 19b00d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:34:08 2013 -0500
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 15:12:12 2013 -0500
+
+ Initial support for user namespaces, as we previously didn't allow
+ the option to be enabled at all.
+
+ RBAC will act on the global uids/gids only, so all uids/gids in user
+ namespaces will be converted
+
+ Because Eric Biederman is insulted that I didn't support his
+ backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN
+ check in for user namespaces, so this is generally irrelevant.
+
+ fs/exec.c | 6 +-
+ fs/proc/base.c | 2 +-
+ fs/proc/proc_net.c | 4 +-
+ grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++-------------
+ grsecurity/gracl_cap.c | 4 +-
+ grsecurity/gracl_ip.c | 16 +++---
+ grsecurity/gracl_segv.c | 12 +++-
+ grsecurity/gracl_shm.c | 4 +-
+ grsecurity/grsec_disabled.c | 10 ++--
+ grsecurity/grsec_fifo.c | 6 +-
+ grsecurity/grsec_init.c | 24 ++++----
+ grsecurity/grsec_log.c | 3 -
+ grsecurity/grsec_tpe.c | 6 +-
+ include/linux/grinternal.h | 12 ++--
+ include/linux/grsecurity.h | 12 ++--
+ include/linux/uidgid.h | 3 +
+ init/Kconfig | 2 -
+ ipc/shm.c | 2 +-
+ kernel/cred.c | 5 +-
+ kernel/kallsyms.c | 2 +-
+ kernel/kmod.c | 6 +-
+ kernel/sys.c | 12 ++--
+ 22 files changed, 166 insertions(+), 115 deletions(-)
+
+commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed Feb 27 08:36:04 2013 -0800
+
+ Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
+
+ mm: do not grow the stack vma just because of an overrun on preceding vma
+
+ The stack vma is designed to grow automatically (marked with VM_GROWSUP
+ or VM_GROWSDOWN depending on architecture) when an access is made beyond
+ the existing boundary. However, particularly if you have not limited
+ your stack at all ("ulimit -s unlimited"), this can cause the stack to
+ grow even if the access was really just one past *another* segment.
+
+ And that's wrong, especially since we first grow the segment, but then
+ immediately later enforce the stack guard page on the last page of the
+ segment. So _despite_ first growing the stack segment as a result of
+ the access, the kernel will then make the access cause a SIGSEGV anyway!
+
+ So do the same logic as the guard page check does, and consider an
+ access to within one page of the next segment to be a bad access, rather
+ than growing the stack to abut the next segment.
+
+ Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmap.c | 27 +++++++++++++++++++++++++++
+ 1 files changed, 27 insertions(+), 0 deletions(-)
+
+commit 5596211af754867ca825f58e6e0300a8439950fe
+Author: H. Peter Anvin <hpa@linux.intel.com>
+Date: Wed Feb 27 12:46:40 2013 -0800
+
+ Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
+
+ x86: Make sure we can boot in the case the BDA contains pure garbage
+
+ On non-BIOS platforms it is possible that the BIOS data area contains
+ garbage instead of being zeroed or something equivalent (firmware
+ people: we are talking of 1.5K here, so please do the sane thing.)
+
+ We need on the order of 20-30K of low memory in order to boot, which
+ may grow up to < 64K in the future. We probably want to avoid the
+ lowest of the low memory. At the same time, it seems extremely
+ unlikely that a legitimate EBDA would ever reach down to the 128K
+ (which would require it to be over half a megabyte in size.) Thus,
+ pick 128K as the cutoff for "this is insane, ignore." We may still
+ end up reserving a bunch of extra memory on the low megabyte, but that
+ is not really a major issue these days. In the worst case we lose
+ 512K of RAM.
+
+ This code really should be merged with trim_bios_range() in
+ arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
+ window.
+
+ Reported-by: Darren Hart <dvhart@linux.intel.com>
+ Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+ Cc: Matt Fleming <matt.fleming@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
+
+ arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
+ 1 files changed, 34 insertions(+), 19 deletions(-)
+
+commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Wed Feb 27 17:05:46 2013 -0800
+
+ Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
+
+ memstick: move the dereference below the NULL test
+
+ The dereference should be moved below the NULL test.
+
+ spatch with a semantic match is used to found this.
+ (http://coccinelle.lip6.fr/)
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Cc: Maxim Levitsky <maximlevitsky@gmail.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/memstick/host/r592.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Feb 27 17:05:21 2013 -0800
+
+ Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
+
+ sysctl: fix null checking in bin_dn_node_address()
+
+ The null check of `strchr() + 1' is broken, which is always non-null,
+ leading to OOB read. Instead, check the result of strchr().
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sysctl_binary.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 7ca96db0817416fd40761e7437d1939fc0731380
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed Feb 27 17:03:34 2013 -0800
+
+ Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
+
+ idr: fix a subtle bug in idr_get_next()
+
+ The iteration logic of idr_get_next() is borrowed mostly verbatim from
+ idr_for_each(). It walks down the tree looking for the slot matching
+ the current ID. If the matching slot is not found, the ID is
+ incremented by the distance of single slot at the given level and
+ repeats.
+
+ The implementation assumes that during the whole iteration id is aligned
+ to the layer boundaries of the level closest to the leaf, which is true
+ for all iterations starting from zero or an existing element and thus is
+ fine for idr_for_each().
+
+ However, idr_get_next() may be given any point and if the starting id
+ hits in the middle of a non-existent layer, increment to the next layer
+ will end up skipping the same offset into it. For example, an IDR with
+ IDs filled between [64, 127] would look like the following.
+
+ [ 0 64 ... ]
+ /----/ |
+ | |
+ NULL [ 64 ... 127 ]
+
+ If idr_get_next() is called with 63 as the starting point, it will try
+ to follow down the pointer from 0. As it is NULL, it will then try to
+ proceed to the next slot in the same level by adding the slot distance
+ at that level which is 64 - making the next try 127. It goes around the
+ loop and finds and returns 127 skipping [64, 126].
+
+ Note that this bug also triggers in idr_for_each_entry() loop which
+ deletes during iteration as deletions can make layers go away leaving
+ the iteration with unaligned ID into missing layers.
+
+ Fix it by ensuring proceeding to the next slot doesn't carry over the
+ unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
+ id += slot_distance.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-by: David Teigland <teigland@redhat.com>
+ Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/idr.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+commit 745362f28034f54242ba2e64eaa7374ab9869613
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 1 20:31:42 2013 -0500
+
+ Fix dentry use-after-free after failed complete_walk() with RBAC enabled
+ Many thanks to zakalwe from #grsecurity for the report and debugging help
+
+ fs/namei.c | 8 +++-----
+ 1 files changed, 3 insertions(+), 5 deletions(-)
+
+commit b53b3b14330920c6f7cfb74c8508a3026e1be620
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 18:29:26 2013 -0500
+
+ Fix bad git merge
+
+ fs/namespace.c | 8 --------
+ 1 files changed, 0 insertions(+), 8 deletions(-)
+
+commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
+Merge: 1cce1dd ab30472
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 17:45:14 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ net/core/sock_diag.c
+
+commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
+Merge: 4b61d21 4c91a0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 17:43:56 2013 -0500
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 22:20:22 2013 -0500
+
+ add compiler.h to sysrq.h to fix compilation problem reported by micu on forums
+
+ include/linux/sysrq.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 17:52:31 2013 -0500
+
+ declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel
+
+ kernel/printk.c | 12 +++++++-----
+ 1 files changed, 7 insertions(+), 5 deletions(-)
+
+commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 17:23:46 2013 -0500
+
+ Fix upstream vulnerability from addition of a /dev/kmsg device
+ while neglecting to add the same set of existing permission checks
+ from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG.
+ A temporary workaround without this patch would be to
+ chmod 0600 /dev/kmsg (and is likely a good idea anyway).
+
+ Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
+ Initially reported to Redhat bugzilla by Christian Kujau:
+ https://bugzilla.redhat.com/show_bug.cgi?id=903192
+
+ kernel/printk.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 66c04806f5660988c3cb4855e60de294e77e3d0e
+Author: David Howells <dhowells@redhat.com>
+Date: Thu Feb 21 12:00:25 2013 +0000
+
+ Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
+
+ KEYS: Revert one application of "Fix unreachable code" patch
+
+ A patch to fix some unreachable code in search_my_process_keyrings() got
+ applied twice by two different routes upstream as commits e67eab39bee2
+ and b010520ab3d2 (both "fix unreachable code").
+
+ Unfortunately, the second application removed something it shouldn't
+ have and this wasn't detected by GIT. This is due to the patch not
+ having sufficient lines of context to distinguish the two places of
+ application.
+
+ The effect of this is relatively minor: inside the kernel, the keyring
+ search routines may search multiple keyrings and then prioritise the
+ errors if no keys or negative keys are found in any of them. With the
+ extra deletion, the presence of a negative key in the thread keyring
+ (causing ENOKEY) is incorrectly overridden by an error searching the
+ process keyring.
+
+ So revert the second application of the patch.
+
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Cc: Jiri Kosina <jkosina@suse.cz>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ security/keys/process_keys.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Thu Feb 21 16:42:43 2013 -0800
+
+ Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
+
+ configfs: move the dereference below the NULL test
+
+ The dereference should be moved below the NULL test.
+
+ spatch with a semantic match is used to found this.
+ (http://coccinelle.lip6.fr/)
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Cc: Joel Becker <jlbec@evilplan.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/configfs/dir.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
+Author: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Sun Feb 24 20:06:09 2013 -0500
+
+ Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
+
+ tty vt: fix character insertion overflow
+
+ Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
+ command line edition") broke insert_char() in multiple ways. Then
+ commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
+ partially fixed it. However, the buffer being moved is still too large
+ and overflowing beyond the end of the current line, corrupting existing
+ characters on the next line.
+
+ Example test case:
+
+ echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
+
+ Expected result:
+
+ ab c
+ de
+
+ Current result:
+
+ ab c
+ e
+
+ Needless to say that this is very annoying when inserting words in the
+ middle of paragraphs with certain text editors.
+
+ Signed-off-by: Nicolas Pitre <nico@linaro.org>
+ Cc: Jean-François Moine <moinejf@free.fr>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/tty/vt/vt.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6cda35071669b4aabde081bd039e0ffea36f997a
+Author: Robin Holt <holt@sgi.com>
+Date: Fri Feb 22 16:35:34 2013 -0800
+
+ Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
+
+ mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
+
+ There is a race condition between mmu_notifier_unregister() and
+ __mmu_notifier_release().
+
+ Assume two tasks, one calling mmu_notifier_unregister() as a result of a
+ filp_close() ->flush() callout (task A), and the other calling
+ mmu_notifier_release() from an mmput() (task B).
+
+ A B
+ t1 srcu_read_lock()
+ t2 if (!hlist_unhashed())
+ t3 srcu_read_unlock()
+ t4 srcu_read_lock()
+ t5 hlist_del_init_rcu()
+ t6 synchronize_srcu()
+ t7 srcu_read_unlock()
+ t8 hlist_del_rcu() <--- NULL pointer deref.
+
+ Additionally, the list traversal in __mmu_notifier_release() is not
+ protected by the by the mmu_notifier_mm->hlist_lock which can result in
+ callouts to the ->release() notifier from both mmu_notifier_unregister()
+ and __mmu_notifier_release().
+
+ -stable suggestions:
+
+ The stable trees prior to 3.7.y need commits 21a92735f660 and
+ 70400303ce0c cherry-picked in that order prior to cherry-picking this
+ commit. The 3.7.y tree already has those two commits.
+
+ Signed-off-by: Robin Holt <holt@sgi.com>
+ Cc: Andrea Arcangeli <aarcange@redhat.com>
+ Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+ Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+ Cc: Avi Kivity <avi@redhat.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Marcelo Tosatti <mtosatti@redhat.com>
+ Cc: Sagi Grimberg <sagig@mellanox.co.il>
+ Cc: Haggai Eran <haggaie@mellanox.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++--------------------------
+ 1 files changed, 42 insertions(+), 40 deletions(-)
+
+commit bf5167ed78ba6131c6874887f714bda50c2cab83
+Author: Mike Galbraith <bitbucket@online.de>
+Date: Mon Jan 28 12:19:25 2013 +0100
+
+ Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
+
+ sched: Fix select_idle_sibling() bouncing cow syndrome
+
+ If the previous CPU is cache affine and idle, select it.
+
+ The current implementation simply traverses the sd_llc domain,
+ taking the first idle CPU encountered, which walks buddy pairs
+ hand in hand over the package, inflicting excruciating pain.
+
+ 1 tbench pair (worst case) in a 10 core + SMT package:
+
+ pre 15.22 MB/sec 1 procs
+ post 252.01 MB/sec 1 procs
+
+ Signed-off-by: Mike Galbraith <bitbucket@online.de>
+ Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ kernel/sched/fair.c | 21 +++++++--------------
+ 1 files changed, 7 insertions(+), 14 deletions(-)
+
+commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Fri Dec 28 18:58:39 2012 -0800
+
+ Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
+
+ userns: Avoid recursion in put_user_ns
+
+ When freeing a deeply nested user namespace free_user_ns calls
+ put_user_ns on it's parent which may in turn call free_user_ns again.
+ When -fno-optimize-sibling-calls is passed to gcc one stack frame per
+ user namespace is left on the stack, potentially overflowing the
+ kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
+ so we can't count on gcc to optimize this code.
+
+ Remove struct kref and use a plain atomic_t. Making the code more
+ flexible and easier to comprehend. Make the loop in free_user_ns
+ explict to guarantee that the stack does not overflow with
+ CONFIG_FRAME_POINTER enabled.
+
+ I have tested this fix with a simple program that uses unshare to
+ create a deeply nested user namespace structure and then calls exit.
+ With 1000 nesteuser namespaces before this change running my test
+ program causes the kernel to die a horrible death. With 10,000,000
+ nested user namespaces after this change my test program runs to
+ completion and causes no harm.
+
+ Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+ Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+
+ include/linux/user_namespace.h | 10 +++++-----
+ kernel/user.c | 4 +---
+ kernel/user_namespace.c | 17 +++++++++--------
+ 3 files changed, 15 insertions(+), 16 deletions(-)
+
+commit 81501c7106ccc186c94806f4db954626295b5ebe
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Feb 26 17:12:30 2013 -0500
+
+ Pass the same flags to kern_path_create as the original function
+
+ fs/namei.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a677c8eee35afe48868f92c7d6745bfe809cd481
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri Feb 22 22:45:42 2013 -0500
+
+ Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
+
+ get rid of unprotected dereferencing of mnt->mnt_ns
+
+ It's safe only under namespace_sem or vfsmount_lock; all places
+ in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
+ current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
+ there).
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/namespace.c | 29 +++++++++++++++++------------
+ 1 files changed, 17 insertions(+), 12 deletions(-)
+
+commit 89298124d0c96dc34a60377e7a1308f8f532ff75
+Author: Greg Thelen <gthelen@google.com>
+Date: Fri Feb 22 16:36:01 2013 -0800
+
+ Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
+
+ tmpfs: fix use-after-free of mempolicy object
+
+ The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
+ option is not specified in the remount request. A new policy can be
+ specified if mpol=M is given.
+
+ Before this patch remounting an mpol bound tmpfs without specifying
+ mpol= mount option in the remount request would set the filesystem's
+ mempolicy object to a freed mempolicy object.
+
+ To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
+ # mkdir /tmp/x
+
+ # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
+
+ # grep /tmp/x /proc/mounts
+ nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
+
+ # mount -o remount,size=200M nodev /tmp/x
+
+ # grep /tmp/x /proc/mounts
+ nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
+ # note ? garbage in mpol=... output above
+
+ # dd if=/dev/zero of=/tmp/x/f count=1
+ # panic here
+
+ Panic:
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [< (null)>] (null)
+ [...]
+ Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
+ Call Trace:
+ mpol_shared_policy_init+0xa5/0x160
+ shmem_get_inode+0x209/0x270
+ shmem_mknod+0x3e/0xf0
+ shmem_create+0x18/0x20
+ vfs_create+0xb5/0x130
+ do_last+0x9a1/0xea0
+ path_openat+0xb3/0x4d0
+ do_filp_open+0x42/0xa0
+ do_sys_open+0xfe/0x1e0
+ compat_sys_open+0x1b/0x20
+ cstar_dispatch+0x7/0x1f
+
+ Non-debug kernels will not crash immediately because referencing the
+ dangling mpol will not cause a fault. Instead the filesystem will
+ reference a freed mempolicy object, which will cause unpredictable
+ behavior.
+
+ The problem boils down to a dropped mpol reference below if
+ shmem_parse_options() does not allocate a new mpol:
+
+ config = *sbinfo
+ shmem_parse_options(data, &config, true)
+ mpol_put(sbinfo->mpol)
+ sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */
+
+ This patch avoids the crash by not releasing the mempolicy if
+ shmem_parse_options() doesn't create a new mpol.
+
+ How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
+ not look back further.
+
+ Signed-off-by: Greg Thelen <gthelen@google.com>
+ Acked-by: Hugh Dickins <hughd@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/shmem.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 23 11:08:05 2013 -0500
+
+ Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+ with a family greater or equal then AF_MAX -- the array size of
+ sock_diag_handlers[]. The current code does not test for this
+ condition therefore is vulnerable to an out-of-bound access opening
+ doors for a privilege escalation.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
+ make the code less readable. Get rid of them and make the lock usage
+ and access to sock_diag_handlers[] clear on the first sight.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/core/sock_diag.c | 27 ++++++++++-----------------
+ 1 files changed, 10 insertions(+), 17 deletions(-)
+
+commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 23 10:58:52 2013 -0500
+
+ Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined
+
+ arch/arm/include/asm/domain.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 7b729586eb81f344fdedf0942fab0acc738a6725
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 22 19:02:51 2013 -0500
+
+ Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users.
+
+ kernel/fork.c | 17 +++++++++++++++++
+ 1 files changed, 17 insertions(+), 0 deletions(-)
+
+commit fadc560d0c486af88da83177735f5515e88acdcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:06:48 2013 -0500
+
+ put is_hugetlbfs_mnt inside ifdefs
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 8252176922d405484f986eb2cc350b7cd3ae586e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:02:07 2013 -0500
+
+ remove unused label
+
+ kernel/module.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit dad4a980f0b625059e215d13da728aa7fd02a374
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:00:52 2013 -0500
+
+ compile fix
+
+ fs/open.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 22:57:49 2013 -0500
+
+ remove kmalloc_array_error for the same reasons as kcalloc_error
+
+ include/linux/slab.h | 9 ---------
+ 1 files changed, 0 insertions(+), 9 deletions(-)
+
+commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 22:49:35 2013 -0500
+
+ Initial port of grsecurity for Linux 3.8
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 10 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 14 +-
+ arch/arm/include/asm/cache.h | 2 +
+ arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 27 +-
+ arch/arm/mm/mmap.c | 6 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 7 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 3 +-
+ arch/ia64/mm/hugetlbpage.c | 3 +-
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 3 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 19 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/thread_info.h | 8 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/powerpc/mm/slice.c | 8 +-
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 8 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 6 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/Kconfig.debug | 2 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 14 +-
+ arch/x86/kernel/sys_x86_64.c | 3 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 3 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 126 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ crypto/ablkcipher.c | 12 +-
+ crypto/aead.c | 9 +-
+ crypto/ahash.c | 2 +-
+ crypto/blkcipher.c | 6 +-
+ crypto/crypto_user.c | 38 +-
+ crypto/pcompress.c | 3 +-
+ crypto/rng.c | 2 +-
+ crypto/shash.c | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 5 +
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 6 +
+ fs/btrfs/inode.c | 10 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 18 +
+ fs/coredump.c | 10 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 155 +-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 5 +
+ fs/fs_struct.c | 26 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 269 ++-
+ fs/namespace.c | 24 +
+ fs/open.c | 38 +
+ fs/pipe.c | 2 +-
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 +-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 17 +
+ fs/proc/internal.h | 3 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ grsecurity/Kconfig | 1021 +++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4017 ++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 +++
+ grsecurity/gracl_ip.c | 384 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 299 ++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 357 ++
+ grsecurity/grsec_disabled.c | 434 +++
+ grsecurity/grsec_exec.c | 174 +
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 ++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 329 ++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 222 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 +++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/gracl.h | 319 ++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 +
+ include/linux/grinternal.h | 215 ++
+ include/linux/grmsg.h | 111 +
+ include/linux/grsecurity.h | 257 ++
+ include/linux/grsock.h | 19 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/printk.h | 3 +-
+ include/linux/proc_fs.h | 12 +
+ include/linux/sched.h | 66 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/vermagic.h | 9 +-
+ include/trace/events/fs.h | 53 +
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 5 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 109 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 24 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 71 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 80 +-
+ kernel/panic.c | 4 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 8 +
+ kernel/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 38 +-
+ kernel/sysctl.c | 39 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 3 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ lib/vsprintf.c | 35 +-
+ localversion-grsec | 1 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 62 +-
+ mm/mprotect.c | 8 +
+ mm/page_alloc.c | 6 +
+ mm/process_vm_access.c | 6 +
+ mm/shmem.c | 2 +-
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev.c | 9 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 7 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netfilter/xt_gradm.c | 51 +
+ net/netrom/af_netrom.c | 2 +-
+ net/phonet/af_phonet.c | 4 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 62 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 19 +
+ security/Kconfig | 320 ++-
+ security/apparmor/lsm.c | 2 +-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/yama/Kconfig | 2 +-
+ tools/gcc/Makefile | 2 +-
+ 286 files changed, 15083 insertions(+), 2067 deletions(-)
+
+commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 20 21:00:42 2013 -0500
+
+ Initial import of pax-linux-3.8-test3.patch
+
+ Documentation/dontdiff | 43 +-
+ Documentation/kernel-parameters.txt | 7 +
+ Makefile | 97 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 10 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 421 +++-
+ arch/arm/include/asm/cache.h | 3 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/delay.h | 8 +-
+ arch/arm/include/asm/domain.h | 32 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 4 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 4 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 10 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 8 +-
+ arch/arm/kernel/vmlinux.lds.S | 20 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 14 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-ux500/include/mach/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/fault.c | 78 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 36 +-
+ arch/arm/mm/mmu.c | 186 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 7 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 28 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 13 +-
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/hugetlbpage.c | 2 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 6 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/uaccess.h | 142 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 23 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 8 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 ++
+ arch/sparc/mm/fault_64.c | 486 +++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 6 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 4 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 31 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 3 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 12 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 ++-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 ++-
+ arch/x86/include/asm/bitops.h | 2 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 65 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/io.h | 13 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/page_64_types.h | 2 +-
+ arch/x86/include/asm/paravirt.h | 44 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 110 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 6 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 29 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 63 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 ++-
+ arch/x86/kernel/entry_64.S | 512 +++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head32.c | 4 +-
+ arch/x86/kernel/head_32.S | 237 ++-
+ arch/x86/kernel/head_64.S | 158 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 10 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes-opt.c | 12 +-
+ arch/x86/kernel/kprobes.c | 30 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 11 +
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/process.c | 57 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 4 +-
+ arch/x86/kernel/setup.c | 14 +-
+ arch/x86/kernel/setup_percpu.c | 27 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 247 ++
+ arch/x86/kernel/sys_x86_64.c | 19 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 47 +-
+ arch/x86/kvm/x86.c | 10 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 68 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 376 ++-
+ arch/x86/lib/usercopy_64.c | 25 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 555 +++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 92 +-
+ arch/x86/mm/init_32.c | 122 +-
+ arch/x86/mm/init_64.c | 48 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 12 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 19 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 4 +-
+ arch/x86/realmode/init.c | 8 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/relocs.c | 95 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_driver.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/devtmpfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 18 +-
+ drivers/block/loop.c | 2 +-
+ drivers/cdrom/cdrom.c | 9 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 41 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 8 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm.c | 2 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clocksource/arm_generic.c | 2 +-
+ drivers/cpufreq/cpufreq.c | 2 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_pci_sysfs.c | 20 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-cdev.c | 3 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efivars.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 4 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 4 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 6 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 9 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/devices/doc2000.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 2 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/scsi/bfa/bfa.h | 2 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/ramster/tmem.c | 54 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/udlfb.c | 32 +-
+ drivers/video/uvesafb.c | 39 +-
+ drivers/video/vesafb.c | 51 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 11 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 604 ++++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/relocation.c | 2 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 8 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/ecryptfs/read_write.c | 4 +-
+ fs/exec.c | 356 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/fhandle.c | 3 +-
+ fs/fifo.c | 22 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 2 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 33 +-
+ fs/proc/array.c | 20 +
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 36 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 ++
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 5 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/linux/atmdev.h | 2 +-
+ include/linux/binfmts.h | 1 +
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 72 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/ftrace_event.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 3 +
+ include/linux/mm.h | 91 +-
+ include/linux/mm_types.h | 22 +-
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 4 +-
+ include/linux/module.h | 55 +-
+ include/linux/moduleloader.h | 18 +-
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/perf_event.h | 10 +-
+ include/linux/pipe_fs_i.h | 6 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 64 +-
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 36 +-
+ include/linux/slab_def.h | 33 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 10 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/clnt.h | 8 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sysrq.h | 2 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 12 +-
+ include/linux/usb.h | 2 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-ioctl.h | 1 -
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/gro_cells.h | 6 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 4 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 6 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/structs.h | 4 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 4 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 24 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 22 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 40 +-
+ init/main.c | 78 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 40 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 28 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 2 +-
+ kernel/kprobes.c | 8 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 333 ++-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 7 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 20 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 6 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 72 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 18 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 2 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/softirq.c | 16 +-
+ kernel/srcu.c | 6 +-
+ kernel/stop_machine.c | 2 +-
+ kernel/sys.c | 12 +-
+ kernel/sysctl.c | 37 +-
+ kernel/sysctl_binary.c | 14 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 4 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 20 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 6 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/list_debug.c | 89 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 54 +
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 18 +-
+ mm/memory.c | 404 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 16 +-
+ mm/mmap.c | 573 +++-
+ mm/mprotect.c | 138 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 11 +-
+ mm/page-writeback.c | 2 +-
+ mm/page_alloc.c | 14 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 104 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 9 +-
+ mm/slob.c | 200 +-
+ mm/slub.c | 98 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 82 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/rtnetlink.c | 2 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 2 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 2 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv6/addrconf.c | 2 +-
+ net/ipv6/ip6_gre.c | 2 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/udp.c | 8 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 4 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 14 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 2 +-
+ net/sctp/protocol.c | 8 +-
+ net/sctp/socket.c | 2 +
+ net/socket.c | 34 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 16 +-
+ net/xfrm/xfrm_state.c | 4 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/pnmtologo.c | 6 +-
+ security/Kconfig | 654 ++++-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 43 +
+ tools/gcc/checker_plugin.c | 171 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 359 +++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 +++
+ tools/gcc/latent_entropy_plugin.c | 321 ++
+ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1311 files changed, 26668 insertions(+), 6394 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c
+Merge: c3ccfb2 777e08c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:49:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 777e08c6a87ef43439f4431d8d458732ca5e17c6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:47:32 2013 -0400
+
+ Update to pax-linux-3.10.11-test26.patch:
+ - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
+ - fixed an uninitialized read in splice, reported by hunger
+
+ fs/splice.c | 1 +
+ include/linux/syscalls.h | 14 +-
+ tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++----------------
+ 3 files changed, 247 insertions(+), 194 deletions(-)
+
+commit 5c3161364270c842d901789faac731f79a9f9cd6
+Merge: cf9c476 85cdabb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 8 19:24:25 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit c3ccfb29794a03413095422100ce90d40ef7df0f
+Author: Jakob Bornecrantz <jakob@vmware.com>
+Date: Thu Aug 29 02:32:53 2013 +0200
+
+ Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
+
+ drm/vmwgfx: Split GMR2_REMAP commands if they are to large
+
+ This fixes the piglit test texturing/max-texture-size
+ causing the VM to die due to a too large SVGA command.
+
+ Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
+ Reviewed-by: Biran Paul <brianp@vmware.com>
+ Reviewed-by: Zack Rusin <zackr@vmware.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dave Airlie <airlied@gmail.com>
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++-----------
+ 1 files changed, 39 insertions(+), 19 deletions(-)
+
+commit d260badf708d6aa16c44f56f54727532dcae826e
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Tue Sep 3 19:29:12 2013 +0200
+
+ Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df
+
+ net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
+
+ In tcp_v6_do_rcv() code, when processing pkt options, we soley work
+ on our skb clone opt_skb that we've created earlier before entering
+ tcp_rcv_established() on our way. However, only in condition ...
+
+ if (np->rxopt.bits.rxtclass)
+ np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
+
+ ... we work on skb itself. As we extract every other information out
+ of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
+ already be released by tcp_rcv_established() earlier on. When we try
+ to access it in ipv6_hdr(), we will dereference freed skb.
+
+ [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
+ IP_PKTOPTIONS") ]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jiri Benc <jbenc@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 29 11:47:00 2013 +0300
+
+ Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46
+
+ mISDN: return -EINVAL on error in dsp_control_req()
+
+ If skb->len is too short then we should return an error. Otherwise we
+ read beyond the end of skb->data for several bytes.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/mISDN/dsp_core.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:36:23 2013 -0400
+
+ fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB
+
+ grsecurity/Kconfig | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit da68dbcd96c617923a0aedb177d36b2701f9c858
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 19:17:02 2013 -0400
+
+ Allow the deny_new_usb sysctl to be toggled off by a user with
+ CAP_SYS_ADMIN. This allows for more inventive uses of the feature
+ that would be impossible otherwise (like toggling it while the screen is
+ locked, etc)
+
+ grsecurity/grsec_sysctl.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit ce0e893adc830ee110f97071cc17e661fb35ae3d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Sep 5 18:41:49 2013 -0400
+
+ Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
+ GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
+ users who know they want the functionality but don't want to bother
+ with modifying init scripts
+
+ Also eliminate reset_security_ops() as a ROP target when
+ SECURITY_SELINUX_DISABLE is disabled as it's the only user
+
+ grsecurity/Kconfig | 17 ++++++++++++++++-
+ grsecurity/grsec_init.c | 3 +++
+ grsecurity/grsec_sysctl.c | 2 +-
+ security/security.c | 4 ++++
+ 4 files changed, 24 insertions(+), 2 deletions(-)
+
+commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd
+Merge: 7ee3899 cf9c476
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 1 13:56:57 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit cf9c47690fa0f3da590de766ea8c6a543984ee3c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Sep 1 13:56:16 2013 -0400
+
+ Update to pax-linux-3.10.10-test25.patch:
+ - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
+ - got inet_getid and ipv6_select_ident rid of the cmpxchg loop
+
+ block/blk-cgroup.c | 4 ++--
+ drivers/video/hyperv_fb.c | 4 ++--
+ fs/namespace.c | 4 ++--
+ include/net/inetpeer.h | 13 +++++--------
+ kernel/trace/trace_clock.c | 4 ++--
+ net/ipv6/output_core.c | 15 ++++++---------
+ net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
+ 7 files changed, 21 insertions(+), 27 deletions(-)
+
+commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa
+Merge: fd0338c 2bdeae7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 22:07:38 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 22:06:55 2013 -0400
+
+ Update to pax-linux-3.10.10-test24.patch:
+ - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
+ - fixed a bunch more after a quick audit of atomic_inc_return users
+
+ drivers/acpi/apei/ghes.c | 4 ++--
+ drivers/ata/libata-core.c | 4 ++--
+ drivers/ata/libata-scsi.c | 2 +-
+ drivers/ata/libata.h | 2 +-
+ drivers/block/drbd/drbd_nl.c | 4 ++--
+ drivers/crypto/hifn_795x.c | 4 ++--
+ drivers/edac/edac_device.c | 4 ++--
+ drivers/edac/edac_pci.c | 4 ++--
+ drivers/firewire/core-card.c | 4 ++--
+ drivers/hv/hv_balloon.c | 18 +++++++++---------
+ drivers/infiniband/hw/mlx4/mad.c | 2 +-
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
+ drivers/input/misc/ims-pcu.c | 4 ++--
+ drivers/input/serio/serio_raw.c | 4 ++--
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ drivers/media/radio/radio-maxiradio.c | 2 +-
+ drivers/media/radio/radio-shark.c | 2 +-
+ drivers/media/radio/radio-shark2.c | 2 +-
+ drivers/media/radio/radio-si476x.c | 2 +-
+ drivers/media/rc/rc-main.c | 4 ++--
+ drivers/media/v4l2-core/v4l2-device.c | 4 ++--
+ drivers/net/usb/sierra_net.c | 4 ++--
+ drivers/pci/hotplug/pciehp_hpc.c | 4 +---
+ drivers/regulator/core.c | 4 ++--
+ drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------
+ drivers/staging/android/timed_output.c | 6 +++---
+ drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10.h | 2 +-
+ drivers/target/sbp/sbp_target.c | 4 ++--
+ drivers/tty/hvc/hvsi.c | 12 ++++++------
+ drivers/tty/hvc/hvsi_lib.c | 6 +++---
+ drivers/tty/serial/ioc4_serial.c | 6 +++---
+ drivers/tty/serial/msm_serial.c | 4 ++--
+ drivers/usb/misc/appledisplay.c | 4 ++--
+ fs/afs/inode.c | 4 ++--
+ fs/btrfs/delayed-inode.c | 6 +++---
+ fs/btrfs/delayed-inode.h | 4 ++--
+ fs/fscache/cookie.c | 4 ++--
+ include/media/v4l2-device.h | 2 +-
+ net/ceph/messenger.c | 4 ++--
+ net/core/netpoll.c | 4 ++--
+ net/xfrm/xfrm_state.c | 4 ++--
+ security/selinux/avc.c | 6 +++---
+ 43 files changed, 93 insertions(+), 95 deletions(-)
+
+commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37
+Merge: 1bdf7ec 85099d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 21:07:29 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 31 21:06:55 2013 -0400
+
+ Update to pax-linux-3.10.10-test23.patch:
+ - added the necessary atomic_unchecked_t conversion for mips
+ - audited and fixed arm and sparc for proper atomic_unchecked_t usage
+
+ arch/arm/kvm/arm.c | 8 ++++----
+ arch/arm/mm/context.c | 10 +++++-----
+ arch/mips/kernel/irq.c | 6 +++---
+ arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------
+ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++---
+ arch/sparc/kernel/smp_64.c | 12 ++++++------
+ arch/sparc/kernel/traps_64.c | 14 +++++++-------
+ arch/sparc/mm/init_64.c | 10 +++++-----
+ 8 files changed, 45 insertions(+), 45 deletions(-)
+
+commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34
+Merge: 995a168 38ee86c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 19:23:36 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 38ee86c05df0f8db582df8776b9f23f317d42bbb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 19:23:11 2013 -0400
+
+ Update to pax-linux-3.10.10-test22.patch:
+ - fixed !REFCOUNT/mips compilation, by Corey Minyard <cminyard@mvista.com>
+ - fixed a few more format strings
+
+ arch/mips/include/asm/atomic.h | 20 ++++++++++++++++----
+ drivers/md/bcache/super.c | 2 +-
+ drivers/net/wireless/iwlwifi/dvm/main.c | 3 +--
+ drivers/pci/hotplug/pciehp_hpc.c | 2 +-
+ drivers/platform/x86/wmi.c | 2 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/vfio/vfio.c | 4 ++--
+ fs/ntfs/super.c | 6 +++---
+ include/linux/workqueue.h | 6 +++---
+ net/mac80211/main.c | 2 +-
+ sound/pci/hda/hda_codec.c | 8 ++------
+ 11 files changed, 32 insertions(+), 25 deletions(-)
+
+commit 995a16841e2097c3a9dfc652e856469679c4a0ba
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 30 17:11:11 2013 -0400
+
+ fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast
+
+ grsecurity/grsec_sysctl.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57
+Merge: be2497c 1052971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 29 20:44:29 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ include/linux/sched.h
+
+commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2
+Merge: e902dad 8bf3379
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 29 20:39:50 2013 -0400
+
+ Update to pax-linux-3.10.10-test21.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/sys_x86_64.c
+ arch/x86/mm/mmap.c
+ include/linux/sched.h
+
+commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8
+Merge: 081c22b e902dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:52:44 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e902dad6b609a176f58c1b9393b3a98f14bd4b74
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:51:21 2013 -0400
+
+ Update to pax-linux-3.10.9-test21.patch:
+ - removed unnecessary type cast in do_PrefetchAbort, noticed by spender
+ - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov
+ - fixed a REFCOUNT false positive in UHID
+ - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
+ Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
+ (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
+ - icmpv6_filter: no memory corruption, probably just some logical error in the caller
+ - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
+ - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
+ - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
+ - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless
+ - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
+
+ arch/arm/mm/fault.c | 2 +-
+ arch/mips/kernel/traps.c | 2 --
+ drivers/hid/uhid.c | 6 +++---
+ drivers/isdn/gigaset/usb-gigaset.c | 2 +-
+ drivers/isdn/i4l/isdn_common.c | 2 ++
+ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
+ drivers/usb/dwc3/gadget.c | 2 --
+ net/ieee802154/6lowpan.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 6 +++---
+ 10 files changed, 14 insertions(+), 16 deletions(-)
+
+commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 20:42:39 2013 -0400
+
+ add export of gr_handle_new_usb()
+
+ grsecurity/grsec_usb.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 19:24:47 2013 -0400
+
+ Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit
+ Kees' recent findings are motivation enough to publish it
+
+ drivers/usb/core/hub.c | 5 +++++
+ grsecurity/Kconfig | 20 ++++++++++++++++++++
+ grsecurity/Makefile | 3 ++-
+ grsecurity/grsec_init.c | 1 +
+ grsecurity/grsec_sysctl.c | 11 +++++++++++
+ grsecurity/grsec_usb.c | 13 +++++++++++++
+ include/linux/grinternal.h | 1 +
+ include/linux/grsecurity.h | 2 ++
+ 8 files changed, 55 insertions(+), 1 deletions(-)
+
+commit 8044382257ec75a03f3d784ce048ef14e94b90ca
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:35:07 2013 -0700
+
+ HID: zeroplus: validate output report details
+
+ The zeroplus HID driver was not checking the size of allocated values
+ in fields it used. A HID device could send a malicious output report
+ that would cause the driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
+ ...
+ [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2889
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-zpff.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 14:36:15 2013 -0700
+
+ HID: provide a helper for validating hid reports
+
+ Many drivers need to validate the characteristics of their HID report
+ during initialization to avoid misusing the reports. This adds a common
+ helper to perform validation of the report, its field count, and the
+ value count within the fields.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
+ include/linux/hid.h | 4 +++
+ 2 files changed, 54 insertions(+), 0 deletions(-)
+
+commit 270ba9096ddecdc3cf6c4d76e6892184820116be
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 09:14:34 2013 -0700
+
+ HID: steelseries: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ steelseries HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
+ ...
+ [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2891
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-steelseries.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248
+Author: Kees Cook <keescook@chromium.org>
+Date: Wed Aug 14 08:49:21 2013 -0700
+
+ HID: pantherlord: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ pantherlord HID driver to write beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+ ...
+ [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2892
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-pl.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 60115e8108e508060815bce5ef9504233c81898c
+Author: Kees Cook <keescook@chromium.org>
+Date: Tue Aug 13 16:49:01 2013 -0700
+
+ HID: LG: validate HID output report details
+
+ A HID device could send a malicious output report that would cause the
+ lg, lg3, and lg4 HID drivers to write beyond the output report allocation
+ during an event, causing a heap overflow:
+
+ [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
+ ...
+ [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
+
+ Additionally, while lg2 did correctly validate the report details, it was
+ cleaned up and shortened.
+
+ CVE-2013-2893
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-lg2ff.c | 19 +++----------------
+ drivers/hid/hid-lg3ff.c | 29 ++++++-----------------------
+ drivers/hid/hid-lg4ff.c | 20 +-------------------
+ drivers/hid/hid-lgff.c | 17 ++---------------
+ 4 files changed, 12 insertions(+), 73 deletions(-)
+
+commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:21:23 2013 -0700
+
+ HID: lenovo-tpkbd: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ lenovo-tpkbd HID driver to write just beyond the output report allocation
+ during initialization, causing a heap overflow:
+
+ [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
+ ...
+ [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2894
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-lenovo-tpkbd.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 38627769bb2b9a550e251b2caf1babda7566fb4a
+Author: Kees Cook <keescook@chromium.org>
+Date: Thu Aug 15 23:45:03 2013 -0700
+
+ HID: logitech-dj: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ logitech-dj HID driver to leak kernel memory contents to the device, or
+ trigger a NULL dereference during initialization:
+
+ [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
+ ...
+ [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+ [ 304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
+
+ CVE-2013-2895
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-logitech-dj.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit db334388c9d3f95aeb6aacdcec72169b6edd6f07
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:18:15 2013 -0700
+
+ HID: ntrig: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ ntrig HID driver to trigger a NULL dereference during initialization:
+
+ [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
+ ...
+ [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+ [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
+
+ CVE-2013-2896
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-ntrig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 86adcfe96ceefd7d64593a493abe07c155bb8f88
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 00:11:32 2013 -0700
+
+ HID: multitouch: validate feature report details
+
+ When working on report indexes, always validate that they are in bounds.
+ Without this, a HID device could report a malicious feature report that
+ could trick the driver into a heap overflow:
+
+ [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
+ ...
+ [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+ CVE-2013-2897
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++-----
+ 1 files changed, 20 insertions(+), 5 deletions(-)
+
+commit 813f51e0881e4ea6d221da828b1cced02ad9694d
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:12:45 2013 -0700
+
+ HID: sensor-hub: validate feature report details
+
+ A HID device could send a malicious feature report that would cause the
+ sensor-hub HID driver to read past the end of heap allocation, leaking
+ kernel memory contents to the caller.
+
+ CVE-2013-2898
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-sensor-hub.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:05:10 2013 -0700
+
+ HID: picolcd_core: validate output report details
+
+ A HID device could send a malicious output report that would cause the
+ picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+ CVE-2013-2899
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-picolcd_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 95e3cfb5a995dabe45b98cafb77e59d074de151f
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri Aug 16 08:09:54 2013 -0700
+
+ HID: check for NULL field when setting values
+
+ Defensively check that the field to be worked on is not NULL.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+
+ drivers/hid/hid-core.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 96a55ce1b2f3af376c400a02059174e79ce4399c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 18:09:18 2013 -0400
+
+ http://marc.info/?l=linux-input&m=137772180514608&q=raw
+
+ From: Kees Cook <keescook@chromium.org>
+
+ The "Report ID" field of a HID report is used to build indexes of
+ reports. The kernel's index of these is limited to 256 entries, so any
+ malicious device that sets a Report ID greater than 255 will trigger
+ memory corruption on the host:
+
+ [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
+ [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
+
+ CVE-2013-2888
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@kernel.org
+ ---
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+ drivers/hid/hid-core.c | 10 +++++++---
+ include/linux/hid.h | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+commit eb1106eef5f17bfda833ca3cf89e315919173257
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Aug 9 12:52:31 2013 +0300
+
+ Upstream commit: 909bd5926d474e275599094acad986af79671ac9
+
+ Hostap: copying wrong data prism2_ioctl_giwaplist()
+
+ We want the data stored in "addr" and "qual", but the extra ampersands
+ mean we are copying stack data instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Aug 28 17:01:21 2013 -0400
+
+ fix typo in ipv6 backport
+
+ net/ipv6/addrconf.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Thu Aug 22 11:39:15 2013 -0700
+
+ Upstream commit: d661684cf6820331feae71146c35da83d794467e
+
+ net: Check the correct namespace when spoofing pid over SCM_RIGHTS
+
+ This is a security bug.
+
+ The follow-up will fix nsproxy to discourage this type of issue from
+ happening again.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/scm.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Aug 16 13:02:27 2013 +0200
+
+ Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
+
+ ipv6: remove max_addresses check from ipv6_create_tempaddr
+
+ Because of the max_addresses check attackers were able to disable privacy
+ extensions on an interface by creating enough autoconfigured addresses:
+
+ <http://seclists.org/oss-sec/2012/q4/292>
+
+ But the check is not actually needed: max_addresses protects the
+ kernel to install too many ipv6 addresses on an interface and guards
+ addrconf_prefix_rcv to install further addresses as soon as this limit
+ is reached. We only generate temporary addresses in direct response of
+ a new address showing up. As soon as we filled up the maximum number of
+ addresses of an interface, we stop installing more addresses and thus
+ also stop generating more temp addresses.
+
+ Even if the attacker tries to generate a lot of temporary addresses
+ by announcing a prefix and removing it again (lifetime == 0) we won't
+ install more temp addresses, because the temporary addresses do count
+ to the maximum number of addresses, thus we would stop installing new
+ autoconfigured addresses when the limit is reached.
+
+ This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
+ possible).
+
+ Thanks to Ding Tianhong to bring this topic up again.
+
+ Cc: Ding Tianhong <dingtianhong@huawei.com>
+ Cc: George Kargiotakis <kargig@void.gr>
+ Cc: P J P <ppandit@redhat.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Ding Tianhong <dingtianhong@huawei.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/ipv6/addrconf.c
+
+ net/ipv6/addrconf.c | 10 ++++------
+ 1 files changed, 4 insertions(+), 6 deletions(-)
+
+commit 8333e0981469a226a47d0142ff31090a48db95a4
+Author: David Vrabel <david.vrabel@citrix.com>
+Date: Thu Aug 15 13:21:06 2013 +0100
+
+ Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17
+
+ xen/events: initialize local per-cpu mask for all possible events
+
+ The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
+ resulting in only the first 64 (or 32 in 32-bit guests) ports having
+ their bindings being initialized to VCPU 0.
+
+ In most cases this does not cause a problem as request_irq() will set
+ the irq affinity which will set the correct local per-cpu mask.
+ However, if the request_irq() is called on a VCPU other than 0, there
+ is a window between the unmasking of the event and the affinity being
+ set were an event may be lost because it is not locally unmasked on
+ any VCPU. If request_irq() is called on VCPU 0 then local irqs are
+ disabled during the window and the race does not occur.
+
+ Fix this by initializing all NR_EVENT_CHANNEL bits in the local
+ per-cpu masks.
+
+ Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+ Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+ CC: stable@vger.kernel.org
+
+ drivers/xen/events.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2a9a83768433937a2b7a97001ba1627156c0efed
+Author: Roland Dreier <roland@purestorage.com>
+Date: Mon Aug 5 17:55:01 2013 -0700
+
+ Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
+
+ [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
+
+ There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
+ leads to one process writing data into the address space of some other
+ random unrelated process if the ioctl is interrupted by a signal.
+ What happens is the following:
+
+ - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
+ underlying SCSI command will transfer data from the SCSI device to
+ the buffer provided in the ioctl)
+
+ - Before the command finishes, a signal is sent to the process waiting
+ in the ioctl. This will end up waking up the sg_ioctl() code:
+
+ result = wait_event_interruptible(sfp->read_wait,
+ (srp_done(sfp, srp) || sdp->detached));
+
+ but neither srp_done() nor sdp->detached is true, so we end up just
+ setting srp->orphan and returning to userspace:
+
+ srp->orphan = 1;
+ write_unlock_irq(&sfp->rq_list_lock);
+ return result; /* -ERESTARTSYS because signal hit process */
+
+ At this point the original process is done with the ioctl and
+ blithely goes ahead handling the signal, reissuing the ioctl, etc.
+
+ - Eventually, the SCSI command issued by the first ioctl finishes and
+ ends up in sg_rq_end_io(). At the end of that function, we run through:
+
+ write_lock_irqsave(&sfp->rq_list_lock, iflags);
+ if (unlikely(srp->orphan)) {
+ if (sfp->keep_orphan)
+ srp->sg_io_owned = 0;
+ else
+ done = 0;
+ }
+ srp->done = done;
+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+
+ if (likely(done)) {
+ /* Now wake up any sg_read() that is waiting for this
+ * packet.
+ */
+ wake_up_interruptible(&sfp->read_wait);
+ kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
+ kref_put(&sfp->f_ref, sg_remove_sfp);
+ } else {
+ INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
+ schedule_work(&srp->ew.work);
+ }
+
+ Since srp->orphan *is* set, we set done to 0 (assuming the
+ userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
+ ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
+ to run in a workqueue.
+
+ - In workqueue context we go through sg_rq_end_io_usercontext() ->
+ sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
+ bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
+
+ The key point here is that we are doing copy_to_user() on a
+ workqueue -- that is, we're on a kernel thread with current->mm
+ equal to whatever random previous user process was scheduled before
+ this kernel thread. So we end up copying whatever data the SCSI
+ command returned to the virtual address of the buffer passed into
+ the original ioctl, but it's quite likely we do this copying into a
+ different address space!
+
+ As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
+ add a check for current->mm (which is NULL if we're on a kernel thread
+ without a real userspace address space) in bio_uncopy_user(), and skip
+ the copy if we're on a kernel thread.
+
+ There's no reason that I can think of for any caller of bio_uncopy_user()
+ to want to do copying on a kernel thread with a random active userspace
+ address space.
+
+ Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
+ original pointer to this bug in the sg code.
+
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+ Tested-by: David Milburn <dmilburn@redhat.com>
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+
+ fs/bio.c | 20 +++++++++++++++-----
+ 1 files changed, 15 insertions(+), 5 deletions(-)
+
+commit e6fe57dee152671afd618d6bc8cbf23155be6c34
+Merge: cdc8f7d f2095a4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 27 18:13:35 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/mm/fault.c
+ security/Kconfig
+
+commit f2095a4787f7d332e5919f0bd00f8de6021ad612
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 27 18:08:23 2013 -0400
+
+ Update to pax-linux-3.10.9-test20.patch:
+ - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
+ - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard <cminyard@mvista.com>
+ - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard <cminyard@mvista.com>
+ - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
+ - added REFCOUNT support for mips, by Corey Minyard <cminyard@mvista.com>
+ - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720)
+ - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010)
+
+ arch/arm/mm/fault.c | 11 +-
+ arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++--
+ arch/mips/kernel/traps.c | 14 +-
+ arch/x86/include/asm/tlbflush.h | 4 +
+ arch/x86/include/asm/uaccess_64.h | 2 +-
+ fs/ntfs/file.c | 2 +-
+ kernel/events/internal.h | 4 +-
+ kernel/events/uprobes.c | 2 +-
+ kernel/futex.c | 2 +-
+ mm/filemap.c | 8 +-
+ security/Kconfig | 2 +-
+ tools/gcc/kernexec_plugin.c | 18 +-
+ tools/gcc/latent_entropy_plugin.c | 26 +-
+ tools/gcc/size_overflow_plugin.c | 3 +-
+ 14 files changed, 750 insertions(+), 70 deletions(-)
+
+commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9
+Merge: 5a9ae57 745975e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 26 20:27:33 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 745975e3b3b74b64e00e85778f9a22714d1274f2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 26 20:26:33 2013 -0400
+
+ Fix compilation when UDEREF is enabled and KERNEXEC is disabled,
+ as reported by fabled on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=1&t=3720
+
+ arch/arm/include/asm/pgtable.h | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36
+Merge: 486ec00 f68df21
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:15:20 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:14:50 2013 -0400
+
+ Update to pax-linux-3.10.9-test18.patch:
+ - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786)
+ - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790)
+ - forward port to 3.10.9
+
+ arch/x86/kernel/entry_64.S | 18 +++++++++---------
+ arch/x86/kernel/i386_ksyms_32.c | 4 ++++
+ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++
+ 3 files changed, 17 insertions(+), 9 deletions(-)
+
+commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f
+Merge: f47a293 d8fed0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:12:47 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d8fed0eba89a7607afe296c0caf17bc72311d6e9
+Merge: f6ace8e 0a4b6d4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 20:12:33 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit f47a293a1440da2a3e2c239d43d636e37ca74f10
+Merge: f1e8ec7 f6ace8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:20:05 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/kernel/perf_event.c
+ include/linux/sched.h
+
+commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72
+Merge: b4fa847 6f54059
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:18:02 2013 -0400
+
+ Update to pax-linux-3.10.8-test18.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/sys_x86_64.c
+ arch/x86/mm/mmap.c
+ include/linux/sched.h
+
+commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca
+Merge: 6f88011 b4fa847
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:05:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b4fa84790ec760430818ab9b74a8b5acc6b40e63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Aug 20 18:04:14 2013 -0400
+
+ Update to pax-linux-3.10.7-test18.patch:
+ - reverted constification of zcache, problem reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=481752)
+ - fixed a UDEREF resume regression due to the constification of clone_pgd_mask
+ - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause
+
+ arch/arm/kernel/process.c | 2 +-
+ arch/x86/include/asm/processor.h | 25 ++-----------------------
+ arch/x86/kernel/cpu/common.c | 4 ++++
+ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++
+ drivers/staging/zcache/tmem.c | 4 ++--
+ drivers/staging/zcache/tmem.h | 6 ++----
+ 6 files changed, 47 insertions(+), 30 deletions(-)
+
+commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 19 22:10:04 2013 -0400
+
+ fix bad git merge (call to __cpu_disable_lazy_restore was duplicated)
+ as reported by pipacs
+
+ arch/x86/kernel/smpboot.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3
+Merge: 6eba999 5de93c8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 22:03:19 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 22:02:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test15.patch:
+ - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705)
+ - fixed some new REFCOUNT false positives, caught by inspection
+
+ arch/x86/kernel/cpu/common.c | 5 +++--
+ arch/x86/kernel/entry_64.S | 11 +++++++----
+ fs/ceph/super.c | 4 ++--
+ mm/backing-dev.c | 4 ++--
+ 4 files changed, 14 insertions(+), 10 deletions(-)
+
+commit 94c119587c76723c1072237b98fff9886ccb7689
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 20:49:39 2013 -0400
+
+ fix pipacs' DEMORGAN typo
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00
+Merge: df347f6 64a293e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 18:13:04 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 18:12:37 2013 -0400
+
+ Update to pax-linux-3.10.7-test14.patch:
+ - fixed compile error introduced by the previous PCID change
+ - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ kernel/posix-timers.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685
+Merge: d8efbc5 e11b314
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 08:15:00 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e11b314734c5b7317f5468be75305ad812e78c2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Aug 18 08:14:26 2013 -0400
+
+ Update to pax-linux-3.10.7-test13.patch:
+ - always enable the use of PCID and INVPCID when available in the CPU
+ - kvm guest kernels can use these features even if the host kernel lacks UDEREF
+
+ arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++----------------
+ arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++----------
+ 2 files changed, 70 insertions(+), 47 deletions(-)
+
+commit d8efbc54f5c8aba589d4d12eed9257a754a67de8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 12:00:20 2013 -0400
+
+ make kallsyms_lookup_size_offset available to approved source files
+
+ include/linux/kallsyms.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 6c8feffa95ce2db280160015027b52bb41a344c8
+Merge: dbf6930 0bb1c2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:57:50 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:56:43 2013 -0400
+
+ Update to pax-linux-3.10.7-test12.patch:
+ - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause
+ - fixed some arm compile problems
+
+ arch/x86/include/asm/tlbflush.h | 2 +-
+ drivers/clocksource/bcm_kona_timer.c | 2 +-
+ kernel/signal.c | 4 ++++
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+commit dbf69305ad4f8a037aae95af90f9201f556dcb48
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 11:18:09 2013 -0400
+
+ allow use of kallsyms_lookup_name to approved source files
+
+ include/linux/kallsyms.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a566c5f4dec33f410678c257e95ab6726ce8e4f9
+Merge: 68bd16f f562e3e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 10:35:02 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f562e3ef7737ea8d80431a722479b36a12504ace
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 10:34:51 2013 -0400
+
+ add uderef_64.c
+
+ arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++
+ 1 files changed, 37 insertions(+), 0 deletions(-)
+
+commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622
+Author: Asbjoern Sloth Toennesen <ast@fiberby.net>
+Date: Mon Aug 12 16:30:09 2013 +0000
+
+ Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504
+
+ rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header
+
+ Fix the iproute2 command `bridge vlan show`, after switching from
+ rtgenmsg to ifinfomsg.
+
+ Let's start with a little history:
+
+ Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in
+ the 3.9 merge window.
+ In the kernel commit 6cbdceeb, he added attribute support to
+ bridge GETLINK requests sent with rtgenmsg.
+
+ Mar 6th: Vlad got this iproute2 reference implementation of the bridge
+ vlan netlink interface accepted (iproute2 9eff0e5c)
+
+ Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca)
+ http://patchwork.ozlabs.org/patch/239602/
+ http://marc.info/?t=136680900700007
+
+ Apr 28th: Linus released 3.9
+
+ Apr 30th: Stephen released iproute2 3.9.0
+
+ The `bridge vlan show` command haven't been working since the switch to
+ ifinfomsg, or in a released version of iproute2. Since the kernel side
+ only supports rtgenmsg, which iproute2 switched away from just prior to
+ the iproute2 3.9.0 release.
+
+ I haven't been able to find any documentation, about neither rtgenmsg
+ nor ifinfomsg, and in which situation to use which, but kernel commit
+ 88c5b5ce seams to suggest that ifinfomsg should be used.
+
+ Fixing this in kernel will break compatibility, but I doubt that anybody
+ have been using it due to this bug in the user space reference
+ implementation, at least not without noticing this bug. That said the
+ functionality is still fully functional in 3.9, when reversing iproute2
+ commit 63338dca.
+
+ This could also be fixed in iproute2, but thats an ugly patch that would
+ reintroduce rtgenmsg in iproute2, and from searching in netdev it seams
+ like rtgenmsg usage is discouraged. I'm assuming that the only reason
+ that Vlad implemented the kernel side to use rtgenmsg, was because
+ iproute2 was using it at the time.
+
+ Signed-off-by: Asbjoern Sloth Toennesen <ast@fiberby.net>
+ Reviewed-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/rtnetlink.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8c7bc5bafddddff55ed4687203a977e96f72540a
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Aug 13 09:04:05 2013 +0200
+
+ Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
+
+ genetlink: fix family dump race
+
+ When dumping generic netlink families, only the first dump call
+ is locked with genl_lock(), which protects the list of families,
+ and thus subsequent calls can access the data without locking,
+ racing against family addition/removal. This can cause a crash.
+ Fix it - the locking needs to be conditional because the first
+ time around it's already locked.
+
+ A similar bug was reported to me on an old kernel (3.4.47) but
+ the exact scenario that happened there is no longer possible,
+ on those kernels the first round wasn't locked either. Looking
+ at the current code I found the race described above, which had
+ also existed on the old kernel.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/netlink/genetlink.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri Aug 9 16:25:21 2013 +0200
+
+ Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e
+
+ net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption
+
+ Probably this one is quite unlikely to be triggered, but it's more safe
+ to do the call_rcu() at the end after we have dropped the reference on
+ the asoc and freed sctp packet chunks. The reason why is because in
+ sctp_transport_destroy_rcu() the transport is being kfree()'d, and if
+ we're unlucky enough we could run into corrupted pointers. Probably
+ that's more of theoretical nature, but it's safer to have this simple fix.
+
+ Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings
+ for deferred call_rcu's"). I also did the 8c98653f regression test and
+ it's fine that way.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/transport.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 3925eab5483946fd746575a46f97bee9d566bb77
+Author: Stephane Grosjean <s.grosjean@peak-system.com>
+Date: Fri Aug 9 11:44:06 2013 +0200
+
+ Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e
+
+ can: pcan_usb: fix wrong memcpy() bytes length
+
+ Fix possibly wrong memcpy() bytes length since some CAN records received from
+ PCAN-USB could define a DLC field in range [9..15].
+ In that case, the real DLC value MUST be used to move forward the record pointer
+ but, only 8 bytes max. MUST be copied into the data field of the struct
+ can_frame object of the skb given to the network core.
+
+ Cc: linux-stable <stable@vger.kernel.org>
+ Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c1ac6642baae4a400d1f87115024d1bb1ef53598
+Author: Linus Lüssing <linus.luessing@web.de>
+Date: Tue Aug 6 20:21:15 2013 +0200
+
+ Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929
+
+ batman-adv: fix potential kernel paging errors for unicast transmissions
+
+ There are several functions which might reallocate skb data. Currently
+ some places keep reusing their old ethhdr pointer regardless of whether
+ they became invalid after such a reallocation or not. This potentially
+ leads to kernel paging errors.
+
+ This patch fixes these by refetching the ethdr pointer after the
+ potential reallocations.
+
+ Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+ Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+
+ net/batman-adv/bridge_loop_avoidance.c | 2 ++
+ net/batman-adv/gateway_client.c | 13 ++++++++++++-
+ net/batman-adv/gateway_client.h | 3 +--
+ net/batman-adv/soft-interface.c | 9 ++++++++-
+ net/batman-adv/unicast.c | 13 ++++++++++---
+ 5 files changed, 33 insertions(+), 7 deletions(-)
+
+commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb
+Author: Yuchung Cheng <ycheng@google.com>
+Date: Fri Aug 9 17:21:27 2013 -0700
+
+ Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
+
+ netfilter: nf_conntrack: fix tcp_in_window for Fast Open
+
+ Currently the conntrack checks if the ending sequence of a packet
+ falls within the observed receive window. However it does so even
+ if it has not observe any packet from the remote yet and uses an
+ uninitialized receive window (td_maxwin).
+
+ If a connection uses Fast Open to send a SYN-data packet which is
+ dropped afterward in the network. The subsequent SYNs retransmits
+ will all fail this check and be discarded, leading to a connection
+ timeout. This is because the SYN retransmit does not contain data
+ payload so
+
+ end == initial sequence number (isn) + 1
+ sender->td_end == isn + syn_data_len
+ receiver->td_maxwin == 0
+
+ The fix is to only apply this check after td_maxwin is initialized.
+
+ Reported-by: Michael Chan <mcfchan@stanford.edu>
+ Signed-off-by: Yuchung Cheng <ycheng@google.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 1 12:36:57 2013 +0300
+
+ Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
+
+ netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
+
+ These structs have a "_pad" member. Also the "phw" structs have an 8
+ byte "hw_addr[]" array but sometimes only the first 6 bytes are
+ initialized.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_log.c | 6 +++++-
+ net/netfilter/nfnetlink_queue_core.c | 5 ++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Jul 25 10:46:46 2013 +0200
+
+ Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05
+
+ netfilter: xt_TCPOPTSTRIP: fix possible off by one access
+
+ Fix a possible off by one access since optlen()
+ touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1.
+
+ This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen
+ that stores the TCP header length, to save some cycles.
+
+ Reported-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++----
+ 1 files changed, 6 insertions(+), 4 deletions(-)
+
+commit 4634def261cf5f635bc60afe8a6ad436b3ec151e
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Jul 25 10:37:49 2013 +0200
+
+ Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
+
+ netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
+
+ Make sure the packet has enough room for the TCP header and
+ that it is not malformed.
+
+ While at it, store tcph->doff*4 in a variable, as it is used
+ several times.
+
+ This patch also fixes a possible off by one in case of malformed
+ TCP options.
+
+ Reported-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------
+ 1 files changed, 16 insertions(+), 12 deletions(-)
+
+commit dc552b7b377b8b0cba23513ee09a2341d6714ae8
+Author: Dave Jones <davej@redhat.com>
+Date: Fri Aug 9 11:16:34 2013 -0700
+
+ Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e
+
+ 8139cp: Fix skb leak in rx_status_loop failure path.
+
+ Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
+ ("8139cp: Add dma_mapping_error checking")
+
+ Signed-off-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/realtek/8139cp.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 227b279491a0bbcc70ca3654f34903282c378600
+Author: Timo Teräs <timo.teras@iki.fi>
+Date: Tue Aug 6 13:45:43 2013 +0300
+
+ Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b
+
+ ip_gre: fix ipgre_header to return correct offset
+
+ Fix ipgre_header() (header_ops->create) to return the correct
+ amount of bytes pushed. Most callers of dev_hard_header() seem
+ to care only if it was success, but af_packet.c uses it as
+ offset to the skb to copy from userspace only once. In practice
+ this fixes packet socket sendto()/sendmsg() to gre tunnels.
+
+ Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5
+ ("GRE: Refactor GRE tunneling code.")
+
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_gre.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon Aug 5 11:18:49 2013 -0700
+
+ Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
+
+ fib_trie: remove potential out of bound access
+
+ AddressSanitizer [1] dynamic checker pointed a potential
+ out of bound access in leaf_walk_rcu()
+
+ We could allocate one more slot in tnode_new() to leave the prefetch()
+ in-place but it looks not worth the pain.
+
+ Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
+
+ [1] :
+ https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
+
+ Reported-by: Andrey Konovalov <andreyknvl@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/fib_trie.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon Aug 5 12:49:35 2013 +0200
+
+ Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
+
+ net: esp{4,6}: fix potential MTU calculation overflows
+
+ Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
+ size calculation") introduced a possible interger overflow in
+ esp{4,6}_get_mtu() handlers in case of x->props.mode equals
+ XFRM_MODE_TUNNEL. Thus, the following expression will overflow
+
+ unsigned int net_adj;
+ ...
+ <case ipv{4,6} XFRM_MODE_TUNNEL>
+ net_adj = 0;
+ ...
+ return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
+ net_adj) & ~(align - 1)) + (net_adj - 2);
+
+ where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
+ context. Fix it by simply removing brackets as those operations here
+ do not need to have special precedence.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Cc: Benjamin Poirier <bpoirier@suse.de>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Acked-by: Benjamin Poirier <bpoirier@suse.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/esp4.c | 2 +-
+ net/ipv6/esp6.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit f02bce292d1c2fe610be509c96593e70b3de387b
+Author: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Mon Aug 5 16:47:38 2013 +0200
+
+ Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142
+
+ net/vmw_vsock/af_vsock.c: drop unneeded semicolon
+
+ Drop the semicolon at the end of the list_for_each_entry loop header.
+
+ Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049
+Author: Tiger Yang <tiger.yang@oracle.com>
+Date: Tue Aug 13 16:00:58 2013 -0700
+
+ Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678
+
+ ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page
+
+ Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as
+ the struct file pointer, it finally result in a null pointer dereference
+ in ocfs2_duplicate_clusters_by_page.
+
+ This patch replace file pointer with inode pointer in
+ cow_duplicate_clusters to fix this issue.
+
+ [jeff.liu@oracle.com: rebased patch against linux-next tree]
+ Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
+ Signed-off-by: Jie Liu <jeff.liu@oracle.com>
+ Cc: Joel Becker <jlbec@evilplan.org>
+ Cc: Mark Fasheh <mfasheh@suse.com>
+ Acked-by: Tao Ma <tm@tao.ma>
+ Tested-by: David Weber <wb@munzinger.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/ocfs2/aops.c | 2 +-
+ fs/ocfs2/file.c | 6 ++--
+ fs/ocfs2/move_extents.c | 2 +-
+ fs/ocfs2/refcounttree.c | 53 +++++++---------------------------------------
+ fs/ocfs2/refcounttree.h | 6 ++--
+ 5 files changed, 16 insertions(+), 53 deletions(-)
+
+commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Aug 15 15:52:57 2013 +0300
+
+ Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
+
+ tun: signedness bug in tun_get_user()
+
+ The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
+ not totally correct. Because "len" and "sizeof()" are size_t type, that
+ means they are never less than zero.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 26ad267ddda451919357965a0cf271ca24d1bcf2
+Author: Weiping Pan <wpan@redhat.com>
+Date: Tue Aug 13 21:46:56 2013 +0800
+
+ Upstream commit: d9bf5f130946695063469749bfd190087b7fad39
+
+ tun: compare with 0 instead of total_len
+
+ Since we set "len = total_len" in the beginning of tun_get_user(),
+ so we should compare the new len with 0, instead of total_len,
+ or the if statement always returns false.
+
+ Signed-off-by: Weiping Pan <wpan@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9
+Author: Guenter Roeck <linux@roeck-us.net>
+Date: Fri Aug 16 20:50:55 2013 -0700
+
+ Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92
+
+ s390: Fix broken build
+
+ Fix this build error:
+
+ In file included from fs/exec.c:61:0:
+ arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned'
+ arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default]
+ arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu':
+ arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end'
+
+ Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range
+ invalidation corner cases").
+
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+ [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/s390/include/asm/tlb.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4e57312c2de2a25ddb181d129dafbc0251062c33
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu Aug 15 11:42:25 2013 -0700
+
+ Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce
+
+ Fix TLB gather virtual address range invalidation corner cases
+
+ Ben Tebulin reported:
+
+ "Since v3.7.2 on two independent machines a very specific Git
+ repository fails in 9/10 cases on git-fsck due to an SHA1/memory
+ failures. This only occurs on a very specific repository and can be
+ reproduced stably on two independent laptops. Git mailing list ran
+ out of ideas and for me this looks like some very exotic kernel issue"
+
+ and bisected the failure to the backport of commit 53a59fc67f97 ("mm:
+ limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT").
+
+ That commit itself is not actually buggy, but what it does is to make it
+ much more likely to hit the partial TLB invalidation case, since it
+ introduces a new case in tlb_next_batch() that previously only ever
+ happened when running out of memory.
+
+ The real bug is that the TLB gather virtual memory range setup is subtly
+ buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather:
+ enable tlb flush range in generic mmu_gather"), and the range handling
+ was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB
+ range flushed when __tlb_remove_page() runs out of slots"), but that fix
+ was not complete.
+
+ The problem with the TLB gather virtual address range is that it isn't
+ set up by the initial tlb_gather_mmu() initialization (which didn't get
+ the TLB range information), but it is set up ad-hoc later by the
+ functions that actually flush the TLB. And so any such case that forgot
+ to update the TLB range entries would potentially miss TLB invalidates.
+
+ Rather than try to figure out exactly which particular ad-hoc range
+ setup was missing (I personally suspect it's the hugetlb case in
+ zap_huge_pmd(), which didn't have the same logic as zap_pte_range()
+ did), this patch just gets rid of the problem at the source: make the
+ TLB range information available to tlb_gather_mmu(), and initialize it
+ when initializing all the other tlb gather fields.
+
+ This makes the patch larger, but conceptually much simpler. And the end
+ result is much more understandable; even if you want to play games with
+ partial ranges when invalidating the TLB contents in chunks, now the
+ range information is always there, and anybody who doesn't want to
+ bother with it won't introduce subtle bugs.
+
+ Ben verified that this fixes his problem.
+
+ Reported-bisected-and-tested-by: Ben Tebulin <tebulin@googlemail.com>
+ Build-testing-by: Stephen Rothwell <sfr@canb.auug.org.au>
+ Build-testing-by: Richard Weinberger <richard.weinberger@gmail.com>
+ Reviewed-by: Michal Hocko <mhocko@suse.cz>
+ Acked-by: Peter Zijlstra <peterz@infradead.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/arm/include/asm/tlb.h | 7 +++++--
+ arch/arm64/include/asm/tlb.h | 7 +++++--
+ arch/ia64/include/asm/tlb.h | 9 ++++++---
+ arch/s390/include/asm/tlb.h | 8 ++++++--
+ arch/sh/include/asm/tlb.h | 6 ++++--
+ arch/um/include/asm/tlb.h | 6 ++++--
+ fs/exec.c | 4 ++--
+ include/asm-generic/tlb.h | 2 +-
+ mm/hugetlb.c | 2 +-
+ mm/memory.c | 36 +++++++++++++++++++++---------------
+ mm/mmap.c | 4 ++--
+ 11 files changed, 57 insertions(+), 34 deletions(-)
+
+commit 771ed01c6027772eca1a0df8de65043e7f0d94f8
+Merge: 5568c80 ffceabf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 09:11:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ffceabfcc65c60109ba5fca694d78d4dc7047809
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 09:10:44 2013 -0400
+
+ Update to pax-linux-3.10.7-test11.patch:
+ - simplified some arm code
+ - disabled preemption when calling show_regs, reported by Corey Minyard
+ - added PCID based support for UDEREF on amd64 (blog will have more details)
+ - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc
+ - nopcid turns it off
+ - by default a strong form of UDEREF is used under PCID
+ - pax_weakuderef switches to the older, less secure UDEREF
+ - fixed several bugs that would also have manifested under SMAP
+ - INVPCID is used when available (Haswell)
+ - added a few more return insn instrumentation in new amd64 crypto code
+
+ Documentation/kernel-parameters.txt | 7 +
+ arch/arm/include/asm/uaccess.h | 3 +
+ arch/x86/crypto/blowfish-avx2-asm_64.S | 6 +
+ arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++
+ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 +
+ arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++
+ arch/x86/crypto/sha256-avx-asm.S | 2 +
+ arch/x86/crypto/sha256-avx2-asm.S | 2 +
+ arch/x86/crypto/sha256-ssse3-asm.S | 2 +
+ arch/x86/crypto/sha512-avx-asm.S | 2 +
+ arch/x86/crypto/sha512-avx2-asm.S | 2 +
+ arch/x86/crypto/sha512-ssse3-asm.S | 2 +
+ arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++
+ arch/x86/ia32/ia32_signal.c | 2 +-
+ arch/x86/ia32/ia32entry.S | 24 ++++-
+ arch/x86/include/asm/cpufeature.h | 3 +-
+ arch/x86/include/asm/fpu-internal.h | 2 +
+ arch/x86/include/asm/futex.h | 4 +
+ arch/x86/include/asm/mmu_context.h | 80 +++++++++++---
+ arch/x86/include/asm/pgtable.h | 10 +-
+ arch/x86/include/asm/processor.h | 15 +++-
+ arch/x86/include/asm/segment.h | 5 +-
+ arch/x86/include/asm/smap.h | 64 +++++++++++-
+ arch/x86/include/asm/tlbflush.h | 63 +++++++++--
+ arch/x86/include/asm/uaccess.h | 18 +++-
+ arch/x86/include/asm/xsave.h | 4 +
+ arch/x86/kernel/cpu/common.c | 38 +++++++
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++---
+ arch/x86/kernel/head_32.S | 2 +-
+ arch/x86/kernel/head_64.S | 8 +-
+ arch/x86/kernel/process_64.c | 5 +
+ arch/x86/kernel/setup.c | 8 +-
+ arch/x86/kernel/signal.c | 4 +-
+ arch/x86/kernel/smpboot.c | 15 ++-
+ arch/x86/lib/copy_user_64.S | 50 +--------
+ arch/x86/lib/copy_user_nocache_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 11 ++-
+ arch/x86/lib/memcpy_64.S | 4 +-
+ arch/x86/lib/memmove_64.S | 2 +-
+ arch/x86/lib/memset_64.S | 4 +-
+ arch/x86/lib/usercopy_64.c | 5 +-
+ arch/x86/mm/Makefile | 4 +
+ arch/x86/mm/fault.c | 29 ++++--
+ arch/x86/mm/init.c | 7 +-
+ arch/x86/mm/init_64.c | 9 ++-
+ arch/x86/mm/pageattr.c | 2 +-
+ arch/x86/mm/pgtable.c | 3 +
+ arch/x86/platform/efi/efi_32.c | 2 +-
+ arch/x86/platform/efi/efi_64.c | 2 +-
+ arch/x86/realmode/rm/trampoline_64.S | 1 +
+ fs/exec.c | 2 +
+ include/asm-generic/uaccess.h | 8 ++
+ include/linux/compat.h | 1 +
+ include/linux/preempt.h | 19 +++
+ include/linux/signal.h | 1 +
+ include/linux/smp.h | 2 +
+ init/main.c | 14 ++-
+ kernel/signal.c | 16 +++
+ security/Kconfig | 5 +
+ tools/lib/lk/Makefile | 2 +-
+ tools/perf/Makefile | 2 +-
+ 64 files changed, 673 insertions(+), 136 deletions(-)
+
+commit 5568c8059e78d6d002815409df4e90c83b3b08a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 17 08:58:34 2013 -0400
+
+ Fix two harmless compiler warnings
+
+ arch/arm/kernel/process.c | 4 ++--
+ fs/exec.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:55:24 2013 -0400
+
+ Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b
+
+ arch/arm/kernel/perf_event.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 3637bc893b57a227b01852fe34685ab237285b10
+Author: Stephen Boyd <sboyd@codeaurora.org>
+Date: Wed Aug 7 16:18:08 2013 -0700
+
+ Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
+
+ perf/arm: Fix armpmu_map_hw_event()
+
+ Fix constraint check in armpmu_map_hw_event().
+
+ Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/arm/kernel/perf_event.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 11802e1f961a088c39af58d1c1b14d861eedfb35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:53:30 2013 -0400
+
+ More ARM backports
+
+ arch/arm/kernel/entry-armv.S | 3 ++-
+ arch/arm/kernel/fiq.c | 8 ++------
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 22:46:01 2013 -0400
+
+ Fix HIDESYM compatibility with kprobes, as reported by feandil at:
+ http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376
+
+ include/linux/kallsyms.h | 2 +-
+ kernel/kprobes.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7
+Author: yonghua zheng <younghua.zheng@gmail.com>
+Date: Tue Aug 13 16:01:03 2013 -0700
+
+ fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
+
+ Recently we met quite a lot of random kernel panic issues after enabling
+ CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
+ to do with following bug in pagemap:
+
+ In struct pagemapread:
+
+ struct pagemapread {
+ int pos, len;
+ pagemap_entry_t *buffer;
+ bool v2;
+ };
+
+ pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
+ buffer, it is a mistake to compare pos and len in add_page_map() for
+ checking buffer is full or not, and this can lead to buffer overflow and
+ random kernel panic issue.
+
+ Correct len to be total number of PM_ENTRY_BYTES in buffer.
+
+ [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
+ Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/task_mmu.c
+
+ fs/proc/task_mmu.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 0a3dac834746de241c10d4978bf61b4f146ba89d
+Merge: dc19474 e12de30
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 17:39:01 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e12de30aa6b575fc3c9f5cd098dd03623598cb33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 16 17:34:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test9.patch:
+ - Emese fixed a size overflow false positive reported by Sven Vermeulen
+ - fixed some arm compile problems reported by spender
+ - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard <cminyard@mvista.com>
+ eventually we'll have full REFCOUNT support on mips
+
+ arch/arm/kernel/process.c | 5 ++-
+ arch/arm/mm/Kconfig | 2 +-
+ arch/arm/mm/fault.c | 3 ++
+ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++
+ mm/internal.h | 2 +-
+ 5 files changed, 65 insertions(+), 4 deletions(-)
+
+commit dc19474d0ea6ea3c939544ae5f906067b1784a10
+Merge: 51b78c0 82266f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 21:47:37 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 82266f90a3f87ab5017329fb539aebf94c42253a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 21:14:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test9.patch
+
+ arch/arm/kernel/process.c | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
+
+commit 51b78c06d1f41614f593cd36456b4af559e9d7fa
+Merge: e32d904 cb77ead
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 20:53:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit cb77ead0eccb5abb75f7e437a3725d0254558ccd
+Merge: 13675b8 519be45
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 15 20:50:47 2013 -0400
+
+ Update to pax-linux-3.10.7-test8.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit e32d904b87292288e74e2637b900fd1115687b8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 10 09:41:40 2013 -0400
+
+ propagate the threadstack offset through to the topdown/bottomup allocators
+ on sparc64 hugepages
+
+ arch/sparc/mm/hugetlbpage.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Thu Aug 8 18:55:32 2013 +0200
+
+ Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8
+
+ another local DoS found in reaction to the one I reported,
+ we don't allow unpriv user ns use so this doesn't matter much to us
+
+ userns: limit the maximum depth of user_namespace->parent chain
+
+ Ensure that user_namespace->parent chain can't grow too much.
+ Currently we use the hardroded 32 as limit.
+
+ Reported-by: Andy Lutomirski <luto@amacapital.net>
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/user_namespace.h | 1 +
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 223ac007ef18bf3a5095ba0a56675c1f16200149
+Merge: 1c92de4 13675b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 8 20:45:24 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 13675b848cf02bffd26924b2b84d927095bc253d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 8 20:43:52 2013 -0400
+
+ Update to pax-linux-3.10.5-test8.patch:
+ - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
+ - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard <cminyard@mvista.com>
+ - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard <cminyard@mvista.com>
+
+ arch/arm/include/asm/pgtable-2level.h | 4 +++-
+ arch/arm/mm/proc-v7-2level.S | 3 ---
+ arch/mips/mm/fault.c | 8 ++++++++
+ arch/x86/include/asm/processor.h | 3 ++-
+ include/linux/math64.h | 2 +-
+ security/Kconfig | 2 --
+ 6 files changed, 14 insertions(+), 8 deletions(-)
+
+commit 1c92de4b8811c330af033c31d83c9c45e3d064b2
+Merge: e65aa3d 1660f49
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 18:50:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1660f496848b8400d263f7920989dae15e72185a
+Merge: 7f91ba1 dc51cd2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 18:50:12 2013 -0400
+
+ Update to pax-linux-3.10.5-test7.patch
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/head_64.S
+ mm/mempolicy.c
+
+commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:58:42 2013 -0400
+
+ Disable RANDKSTACK for a VirtualBox host as mentioned on the
+ gentoo-hardened bugzilla:
+ https://bugs.gentoo.org/show_bug.cgi?id=382793
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 60d8cffd7740fd1d527790caf9a24a35d8c45858
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jul 30 13:23:39 2013 +0300
+
+ Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
+
+ net_sched: info leak in atm_tc_dump_class()
+
+ The "pvc" struct has a hole after pvc.sap_family which is not cleared.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sched/sch_atm.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 50d20ebce56b6e0b9622685930e007e46c7c04bb
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Fri Aug 2 11:32:43 2013 +0200
+
+ Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86
+
+ net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails
+
+ Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa
+ resource that was allocated via inet_alloc_ifa() unfreed when returning
+ the function with -EINVAL. Thus, free it first via inet_free_ifa().
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Reviewed-by: Jiri Pirko <jiri@resnulli.us>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/devinet.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260
+Author: Himanshu Madhani <himanshu.madhani@qlogic.com>
+Date: Fri Aug 2 23:15:56 2013 -0400
+
+ Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1
+
+ qlcnic: Free up memory in error path.
+
+ Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
+ Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a
+Author: Shahed Shaikh <shahed.shaikh@qlogic.com>
+Date: Fri Aug 2 23:15:54 2013 -0400
+
+ Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f
+
+ qlcnic: Fix MAC address filter issue on 82xx adapter
+
+ Driver was passing the address of a pointer instead of
+ the pointer itself.
+
+ Signed-off-by: Shahed Shaikh <shahed.shaikh@qlogic.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5570df953d6c143e05f1d60d9c23210e60dbbe81
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 17:26:40 2013 -0400
+
+ Move user namespace capability check to shared create_user_ns code so we
+ cover unshare() as well.
+
+ Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to
+ user namespaces!
+
+ kernel/fork.c | 17 -----------------
+ kernel/user_namespace.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 22 insertions(+), 19 deletions(-)
+
+commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Aug 5 16:05:41 2013 -0400
+
+ silence a warning on older gcc
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b8966a5d577e9220fbc63306eee978f819f24e2e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Aug 3 08:31:08 2013 -0400
+
+ we only care about mmaps of the beginning of an ELF, filter out
+ all others as suggested by pipacs
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:54:51 2013 -0400
+
+ add include
+
+ grsecurity/grsec_log.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:49:13 2013 -0400
+
+ fix compilation
+
+ include/linux/grinternal.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1704c23fdc55b68f512dc9927940e72237f3f43e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Aug 2 23:34:35 2013 -0400
+
+ Improve PaX reporting (tells when anon mapping is stack or heap)
+ Remove textrel logging option, combine into rwx logging option
+ Enhance RWX logging option to display when PT_GNU_STACK-enabled library
+ is loaded under an MPROTECTed binary
+ Enhance RWX mprotect logging to display stack/heap instead of just
+ anon mapping
+
+ fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++
+ fs/exec.c | 4 ++++
+ grsecurity/Kconfig | 21 +++++----------------
+ grsecurity/grsec_init.c | 4 ----
+ grsecurity/grsec_log.c | 14 ++++++++++++++
+ grsecurity/grsec_pax.c | 19 ++++++++++++++-----
+ grsecurity/grsec_sysctl.c | 9 ---------
+ include/linux/binfmts.h | 1 +
+ include/linux/grinternal.h | 2 +-
+ include/linux/grmsg.h | 3 ++-
+ include/linux/grsecurity.h | 3 ++-
+ mm/mmap.c | 7 +++++++
+ mm/mprotect.c | 2 +-
+ 13 files changed, 88 insertions(+), 38 deletions(-)
+
+commit faf81c100c8565524e21c9af780a0ad2ce3fd925
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:52:02 2013 -0400
+
+ add missing #define
+
+ grsecurity/gracl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e87232d1fcb4da72df971cbc623aac6c9b3871a0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Aug 1 18:43:53 2013 -0400
+
+ fix compilation for !COMPAT as reported on the forums
+
+ grsecurity/gracl.c | 195 ++++++++++++++++++++++++++--------------------------
+ 1 files changed, 97 insertions(+), 98 deletions(-)
+
+commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c
+Merge: 65019c9 7f91ba1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 65019c9bd05f860437071cbf00e2027fd2d68615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:47:20 2013 -0400
+
+ Revert "revert recent PaX change that causes boot failures with 32bit userland"
+
+ This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4.
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 17:46:00 2013 -0400
+
+ Update to pax-linux-3.10.4-test7.patch:
+ - added a few more missing format strings
+ - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
+ - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
+ - fixed a UDEREF/i386 regression, __get_user_8 would always fail
+
+ arch/x86/include/asm/processor.h | 4 +-
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/dumpstack.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/reboot_fixups_32.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/lib/getuser.S | 4 +-
+ arch/x86/xen/smp.c | 2 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++--
+ drivers/video/backlight/backlight.c | 2 +-
+ drivers/video/backlight/lcd.c | 2 +-
+ fs/binfmt_elf.c | 51 +++++++++++++++++++++++++---
+ fs/exec.c | 50 +++++++++++++--------------
+ include/linux/sched.h | 2 +
+ 14 files changed, 88 insertions(+), 47 deletions(-)
+
+commit 043130da54cb7cc8dc44e0ce889d426e889a0532
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 31 16:26:58 2013 -0400
+
+ compile fix for !COMPAT as mentioned on forums
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ed0a195abd4e41c2449a020a53a19c74dc866d78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:33:14 2013 -0400
+
+ perform compat conversion of rlimit infinity
+
+ grsecurity/gracl_compat.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit a99c1b9f31678c1c72a63bea65aed1b2d3205259
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:21:40 2013 -0400
+
+ remove debugging
+
+ grsecurity/gracl_compat.c | 44 +++++++++++---------------------------------
+ 1 files changed, 11 insertions(+), 33 deletions(-)
+
+commit e75b3f504692b97960a7530ad0855d91441d79c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:20:32 2013 -0400
+
+ eliminate compat_dev_t
+
+ include/linux/gracl_compat.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit e5abbaf95313066a724e1a843d4fc902a9a6450e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 22:13:22 2013 -0400
+
+ fix compat rlimit size
+
+ grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++-------------
+ include/linux/gracl_compat.h | 4 +-
+ 2 files changed, 49 insertions(+), 23 deletions(-)
+
+commit 877d6c2f8b3518ff39601084560bb33c58d35a1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:20:18 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a2062eae8d1dc48d338480e599fedee2dc5e2f98
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 21:14:29 2013 -0400
+
+ copy correct pointer size in new compat code
+
+ grsecurity/gracl.c | 8 ++++----
+ grsecurity/gracl_compat.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 23278a1ee1c7738dd1e7005241394d32b82196e4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:48:58 2013 -0400
+
+ revert recent PaX change that causes boot failures with 32bit userland
+
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+commit ec27f71a813656fea8ab37faecb2b485fe99d08e
+Merge: 3a11bcf 05f0a61
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:42:21 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:41:44 2013 -0400
+
+ Update to pax-linux-3.10.4-test6.patch:
+ - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender
+
+ include/linux/syscalls.h | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:15:50 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl_compat.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 19:12:46 2013 -0400
+
+ remove BUILD_BUG_ONs
+
+ grsecurity/gracl_compat.c | 20 --------------------
+ 1 files changed, 0 insertions(+), 20 deletions(-)
+
+commit a283b21cbd77622383a1dcb1f7bf1080db3bae88
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:18:36 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl_compat.c | 8 ++++----
+ include/linux/gracl_compat.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 8b744005f8bae565e24c1fd88af77e6e619b9434
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:16:42 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_compat.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:13:51 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit b93b829afcc98b6108b18d99ff63c53642d0b951
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:11:03 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl_compat.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 30 00:08:21 2013 -0400
+
+ more compile fixes
+
+ grsecurity/gracl.c | 28 ++++++++++++++--------------
+ 1 files changed, 14 insertions(+), 14 deletions(-)
+
+commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:59:50 2013 -0400
+
+ more compile fixes
+
+ grsecurity/gracl.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:56:47 2013 -0400
+
+ additional compile fixes
+
+ grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++--------
+ 1 files changed, 49 insertions(+), 10 deletions(-)
+
+commit ac695a081d1124fb28bec46814535d34c5e40611
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:47:15 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:46:59 2013 -0400
+
+ compile fixes
+
+ grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 14 deletions(-)
+
+commit 82631f451cc7432b6c5578cf8d24155473feb25c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 23:22:44 2013 -0400
+
+ Initial commit of compat RBAC loading
+ Permits 32bit gradm to load policy for a 64bit kernel
+
+ Also removed code duplication for copying strings into the kernel
+
+ Work performed as part of sponsorship
+
+ grsecurity/Makefile | 4 +
+ grsecurity/gracl.c | 315 +++++++++++++++++++++++-------------------
+ grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++
+ include/linux/gracl_compat.h | 156 +++++++++++++++++++++
+ 4 files changed, 603 insertions(+), 142 deletions(-)
+
+commit 84c4a433dfb096e4a1162ee5e68025122c70b421
+Merge: c9d3ed3 9fe5897
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 17:08:56 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9fe58978938e357642885866ca48090a7753d403
+Merge: 8f693ad 6f7bb6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jul 29 17:08:43 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775
+Merge: d5e5bfd 8f693ad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 28 10:03:08 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8f693ade9b3e448f92706d34148b00a087637f70
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 28 10:02:16 2013 -0400
+
+ Update to pax-linux-3.10.3-test5.patch:
+ - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm)
+ - fixed handling of faulting userland accesses for UDEREF/arm, from spender
+ - updated the size overflow hash table, from Emese
+
+ arch/arm/kernel/entry-armv.S | 3 +-
+ arch/x86/include/asm/processor.h | 4 +-
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/process_64.c | 2 +-
+ arch/x86/kernel/smpboot.c | 2 +-
+ arch/x86/xen/smp.c | 2 +-
+ tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++----
+ 7 files changed, 513 insertions(+), 55 deletions(-)
+
+commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558
+Merge: 19e077b 8a8a0d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 21:05:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 21:04:09 2013 -0400
+
+ Update to pax-linux-3.10.3-test4.patch:
+ - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
+ this is finer grained sanitization than the existing per-page based approach (which
+ is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
+ line option can be used to enable/disable it on boot (it's enabled by default when
+ CONFIG_PAX_MEMORY_SANITIZE is enabled).
+
+ Documentation/kernel-parameters.txt | 4 ++++
+ fs/buffer.c | 2 +-
+ fs/dcache.c | 3 ++-
+ include/linux/slab.h | 7 +++++++
+ include/linux/slab_def.h | 4 ++++
+ kernel/fork.c | 2 +-
+ mm/rmap.c | 6 ++++--
+ mm/slab.c | 27 +++++++++++++++++++++++++++
+ mm/slab.h | 12 +++++++++++-
+ mm/slab_common.c | 14 ++++++++++++++
+ mm/slob.c | 5 +++++
+ mm/slub.c | 11 +++++++++++
+ net/core/skbuff.c | 6 ++++--
+ security/Kconfig | 23 +++++++++++++++++------
+ 14 files changed, 112 insertions(+), 14 deletions(-)
+
+commit 19e077bfff54ca211d0142c07cb6dd88069a390c
+Merge: 960ec51 c8f7f51
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 19:53:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c8f7f51591207b82530214300e86277028919286
+Merge: d5142e3 81a4648
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 25 19:52:29 2013 -0400
+
+ Update to pax-linux-3.10.3-test3.patch:
+ - fixed some compile issues reported by Michael Tremer and spender
+ - fixed an i386 regression with the lower address space gap on i386, reported by cnu
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ kernel/time/tick-broadcast.c
+
+commit 960ec51ab2142544fbae563d4fd5744775408965
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Jul 20 03:13:55 2013 +0400
+
+ Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
+
+ livelock avoidance in sget()
+
+ Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
+ to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive,
+ ->s_active is 1. Along comes two more processes, trying to mount the same
+ thing; sget() in each is picking that superblock, bumping ->s_count and
+ trying to grab ->s_umount. ->s_active is 3 now. Original mount(2)
+ finally gets to deactivate_locked_super() on failure; ->s_active is 2,
+ superblock is still ->fs_supers because shutdown will *not* happen until
+ ->s_active hits 0. ->s_umount is dropped and now we have two processes
+ chasing each other:
+ s_active = 2, A acquired ->s_umount, B blocked
+ A sees that the damn thing is stillborn, does deactivate_locked_super()
+ s_active = 1, A drops ->s_umount, B gets it
+ A restarts the search and finds the same superblock. And bumps it ->s_active.
+ s_active = 2, B holds ->s_umount, A blocked on trying to get it
+ ... and we are in the earlier situation with A and B switched places.
+
+ The root cause, of course, is that ->s_active should not grow until we'd
+ got MS_BORN. Then failing ->mount() will have deactivate_locked_super()
+ shut the damn thing down. Fortunately, it's easy to do - the key point
+ is that grab_super() is called only for superblocks currently on ->fs_supers,
+ so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
+ bump ->s_active; we must never increment ->s_count for superblocks past
+ ->kill_sb(), but grab_super() is never called for those.
+
+ The bug is pretty old; we would've caught it by now, if not for accidental
+ exclusion between sget() for block filesystems; the things like cgroup or
+ e.g. mtd-based filesystems don't have anything of that sort, so they get
+ bitten. The right way to deal with that is obviously to fix sget()...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/super.c | 25 ++++++++++---------------
+ 1 files changed, 10 insertions(+), 15 deletions(-)
+
+commit 3540cebbbfa4aef94527ad3e0e49097848147fb9
+Merge: ab95b58 d5142e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:47:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d5142e31785f8c32c7338c51fcc27313bdd4a84e
+Merge: f36ae8c 0f4a56e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:47:34 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+commit ab95b5842899d61ff5c30f4582e72029b3155be8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 21 22:28:40 2013 -0400
+
+ compile fix with constification reported by Michael Tremer
+
+ drivers/gpu/host1x/drm/dc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 817cd2d1e7a55720326599dd8f542578eef30927
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Jul 12 23:46:33 2013 +0200
+
+ Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494
+
+ ipv6: only static routes qualify for equal cost multipathing
+
+ Static routes in this case are non-expiring routes which did not get
+ configured by autoconf or by icmpv6 redirects.
+
+ To make sure we actually get an ecmp route while searching for the first
+ one in this fib6_node's leafs, also make sure it matches the ecmp route
+ assumptions.
+
+ v2:
+ a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
+ already ensures that this route, even if added again without
+ RTF_EXPIRES (in case of a RA announcement with infinite timeout),
+ does not cause the rt6i_nsiblings logic to go wrong if a later RA
+ updates the expiration time later.
+
+ v3:
+ a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
+ because an pmtu event could update the RTF_EXPIRES flag and we would
+ not count this route, if another route joins this set. We now filter
+ only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
+ don't get changed after rt6_info construction.
+
+ Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_fib.c | 15 +++++++++++----
+ 1 files changed, 11 insertions(+), 4 deletions(-)
+
+commit 77db8196d51b043e2e2d124094da101b0f01bccb
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Jul 12 09:39:03 2013 +0300
+
+ Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
+
+ svcrdma: underflow issue in decode_write_list()
+
+ My static checker marks everything from ntohl() as untrusted and it
+ complains we could have an underflow problem doing:
+
+ return (u32 *)&ary->wc_array[nchunks];
+
+ Also on 32 bit systems the upper bound check could overflow.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
+ 1 files changed, 14 insertions(+), 6 deletions(-)
+
+commit 926473317fd7953137ef97835edd36dabc584b01
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 17 21:29:02 2013 -0400
+
+ add missing asm/pgtable.h include, reported by Michael Tremer
+
+ drivers/clk/socfpga/clk.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c592ae0001b31932ef1491784dfa374058797c66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 16 20:40:24 2013 -0400
+
+ allow viewing of ecryptfs version under SYSFS_RESTRICT
+
+ fs/sysfs/dir.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 36db325ef3b07ea8cdb47f549e706e5d71398e14
+Merge: 9c96441 f36ae8c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:23:13 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f36ae8c741ae32b1caff10825be12c327792c925
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:22:15 2013 -0400
+
+ Update to pax-linux-3.10-test2.patch:
+ - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer
+ - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer
+ - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer
+ - spender fixed an madvise regression, reported by Peter Keel
+ - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616)
+ - fixed a headers_install regression, reported by Mathias Krause
+ - fixed a SLOB compile regression, reported by Mathias Krause
+
+ arch/arm/include/asm/uaccess.h | 4 ++--
+ arch/arm/mm/mmu.c | 15 +++++++++++++--
+ drivers/clk/socfpga/clk.c | 6 ++++--
+ mm/madvise.c | 4 ++--
+ mm/slab.c | 4 ++--
+ mm/slob.c | 4 ++--
+ scripts/headers_install.sh | 2 +-
+ 7 files changed, 26 insertions(+), 13 deletions(-)
+
+commit 9c9644156a49637050741d9165df79174e59b0ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 19:19:54 2013 -0400
+
+ Fix sparc64 compilation, reported by Blake Self
+
+ arch/sparc/kernel/sys_sparc_64.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7bcd3db081454768542c3d741bcf32cd61a50cf5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:49:17 2013 -0400
+
+ Update PaX fix, just return the error
+
+ mm/madvise.c | 15 +++++++--------
+ 1 files changed, 7 insertions(+), 8 deletions(-)
+
+commit a10e377d0eddd37e8a3665b135e546ab03d9d171
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:36:00 2013 -0400
+
+ Fix madvise oops reported by Peter Keel
+
+ mm/madvise.c | 11 ++++++-----
+ 1 files changed, 6 insertions(+), 5 deletions(-)
+
+commit 08c5adca34d408772255b313f90d82c250c1d967
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 11:26:34 2013 -0400
+
+ don't make high vector mapping non-present on old ARM architectures, no
+ point in emulating some vector entries when the processor doesn't even support XN
+
+ arch/arm/mm/mmu.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 2b40781d4197a89a003616af584884e36361c5b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 09:51:58 2013 -0400
+
+ Temporary compile fix for code incorrectly modifying const data
+ Wrap a cast version of the code with open/close
+
+ Thanks to Michael Tremer for the report
+
+ drivers/clk/socfpga/clk.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit a8258c1b4098c396cd4ea719e20858182feac1c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jul 14 09:41:16 2013 -0400
+
+ Fix missing right parens in pipacs' "improvement" of my ARM code ;)
+ Thanks to Michael Tremer for reporting
+
+ arch/arm/include/asm/uaccess.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 8542e1e973be7cc9a009d2ada8033576b2890e6f
+Merge: 86f446e 2577f8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jul 13 20:46:58 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ mm/memcontrol.c
+
+commit 2577f8e4ec41efb347706a59c6838de20f0c90da
+Merge: 75a36f0 cb5d8be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jul 13 20:43:42 2013 -0400
+
+ Merge branch 'linux-3.10.y' into pax-test
+
+ Conflicts:
+ crypto/algapi.c
+ drivers/block/nbd.c
+
+commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jul 12 23:02:11 2013 -0400
+
+ we always want the vector page to be noaccess for userland
+ therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY
+ which turns into supervisor rwx, userland rx, we instead omit that entirely,
+ leaving it as supervisor rwx only
+
+ Fixes booting on ARMv5 and earlier, which need to write directly
+ to the high vector mapping via set_tls when context switching
+
+ Thanks to Michael Tremer for the bugreport
+
+ arch/arm/mm/mmu.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+commit 90cd0827eef656ec884f19c977873fefe2f2e47d
+Author: Cong Wang <amwang@redhat.com>
+Date: Sat Jun 29 12:02:59 2013 +0800
+
+ Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759
+
+ gre: fix a regression in ioctl
+
+ When testing GRE tunnel, I got:
+
+ # ip tunnel show
+ get tunnel gre0 failed: Invalid argument
+ get tunnel gre1 failed: Invalid argument
+
+ This is a regression introduced by commit c54419321455631079c7d
+ ("GRE: Refactor GRE tunneling code.") because previously we
+ only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL,
+ after that commit, the check is moved for all commands.
+
+ So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL.
+
+ After this patch I got:
+
+ # ip tunnel show
+ gre0: gre/ip remote any local any ttl inherit nopmtudisc
+ gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit
+
+ Cc: Pravin B Shelar <pshelar@nicira.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_gre.c | 9 +++++----
+ 1 files changed, 5 insertions(+), 4 deletions(-)
+
+commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5
+Author: Cong Wang <amwang@redhat.com>
+Date: Sat Jun 29 13:00:57 2013 +0800
+
+ Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7
+
+ vti: remove duplicated code to fix a memory leak
+
+ vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
+ and in vti_tunnel_init(), this lead to a memory leak of
+ dev->tstats.
+
+ Just remove the duplicated operations in vti_fb_tunnel_init().
+
+ (candidate for -stable)
+
+ Cc: Stephen Hemminger <stephen@networkplumber.org>
+ Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_vti.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:05 2013 +0200
+
+ Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a
+
+ bnx2x: remove zeroing of dump data buffer
+
+ There is no need to initialize the dump data with zeros.
+ data is allocated with vzalloc, so it's already zero-filled.
+
+ More importantly, the memset is harmful, because dump->len (the length
+ requested by userspace) can be bigger than the allocated buffer (whose
+ size is determined by asking the driver's .get_dump_flag method).
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit c771072b72c261f9bddd6734dca6979c1b96e7df
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:06 2013 +0200
+
+ Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318
+
+ bnx2x: fix dump flag handling
+
+ bnx2x interprets the dump flag as an index of a register preset.
+ It is important to validate the index to avoid out of bounds
+ memory accesses.
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++
+ 2 files changed, 5 insertions(+), 0 deletions(-)
+
+commit aed315c8fad9b2044143b46b239574b1b72135ce
+Author: Michal Schmidt <mschmidt@redhat.com>
+Date: Mon Jul 1 17:23:30 2013 +0200
+
+ Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599
+
+ ethtool: make .get_dump_data() harder to misuse by drivers
+
+ As the patch "bnx2x: remove zeroing of dump data buffer" showed,
+ it is too easy implement .get_dump_data incorrectly in a driver.
+
+ Let's make sure drivers cannot get confused by userspace requesting
+ a too big dump.
+
+ Also WARN if the driver sets dump->len to something weird and make
+ sure the length reported to userspace is the actual length of data
+ copied to userspace.
+
+ Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+ Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/ethtool.c | 21 ++++++++++++++++++++-
+ 1 files changed, 20 insertions(+), 1 deletions(-)
+
+commit 5c57991e66216e386dcc875d34c33f0edd038569
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Jul 2 09:02:07 2013 +0800
+
+ Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd
+
+ l2tp: add missing .owner to struct pppox_proto
+
+ Add missing .owner of struct pppox_proto. This prevents the
+ module from being removed from underneath its users.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4
+Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Sun Jun 30 14:37:11 2013 +1000
+
+ Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423
+
+ cxgb3: Missing rtnl lock in error recovery
+
+ When exercising error injection on IBM pseries machine, I hit the
+ following warning:
+
+ [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
+ [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
+ [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
+ [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031)
+ [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19
+ [ 254.895474] Call Trace:
+ [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
+ [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
+ [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
+ [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
+ [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
+ [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
+ [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
+ [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
+ [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
+ [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
+ [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
+
+ It appears that t3_resume_ports() is called with the rtnl_lock held from
+ the fatal error task but not from the PCI error callbacks. This fixes it.
+
+ Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ea8f4222cddf3250dbcfc7db0437ebf74c352370
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Jul 1 20:21:30 2013 +0200
+
+ Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1
+
+ ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
+
+ We accidentally call down to ip6_push_pending_frames when uncorking
+ pending AF_INET data on a ipv6 socket. This results in the following
+ splat (from Dave Jones):
+
+ skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
+ ------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:126!
+ invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+ Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
+ +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
+ CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
+ task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
+ RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
+ RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
+ RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
+ RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
+ RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
+ R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
+ FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
+ Stack:
+ ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
+ ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
+ ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
+ Call Trace:
+ [<ffffffff8159a9aa>] skb_push+0x3a/0x40
+ [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
+ [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
+ [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
+ [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
+ [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
+ [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
+ [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
+ [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
+ [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
+ [<ffffffff816f5d54>] tracesys+0xdd/0xe2
+ Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
+ RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
+ RSP <ffff8801e6431de8>
+
+ This patch adds a check if the pending data is of address family AF_INET
+ and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
+ if that is the case.
+
+ This bug was found by Dave Jones with trinity.
+
+ (Also move the initialization of fl6 below the AF_INET check, even if
+ not strictly necessary.)
+
+ Cc: Dave Jones <davej@redhat.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/udp.h | 1 +
+ net/ipv4/udp.c | 3 ++-
+ net/ipv6/udp.c | 7 ++++++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+commit cd83094a85d9bbd5a67332156407d53cf8835432
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Jul 2 08:04:05 2013 +0200
+
+ Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be
+
+ ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
+
+ If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
+ of this when appending the second frame on a corked socket. This results
+ in the following splat:
+
+ [37598.993962] ------------[ cut here ]------------
+ [37598.994008] kernel BUG at net/core/skbuff.c:2064!
+ [37598.994008] invalid opcode: 0000 [#1] SMP
+ [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
+ +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
+ +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
+ [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
+ +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
+ [37598.994008] CPU 0
+ [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
+ [37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+ [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
+ [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
+ [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
+ [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
+ [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
+ [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
+ [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
+ [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
+ [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
+ [37598.994008] Stack:
+ [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
+ [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
+ [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
+ [37598.994008] Call Trace:
+ [37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
+ [37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
+ [37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
+ [37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
+ [37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
+ [37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
+ [37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
+ [37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
+ [37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
+ [37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
+ [37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
+ [37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
+ [37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
+ [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
+ [37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+ [37598.994008] RSP <ffff88003670da18>
+ [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
+
+ While there, also check if path mtu discovery is activated for this
+ socket. The logic was adapted from ip6_append_data when first writing
+ on the corked socket.
+
+ This bug was introduced with commit
+ 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
+ fragment").
+
+ v2:
+ a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
+ b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
+ feng, thanks!).
+ c) Change mtu to unsigned int, else we get a warning about
+ non-matching types because of the min()-macro type-check.
+
+ Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
+ Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 16 ++++++++++------
+ 1 files changed, 10 insertions(+), 6 deletions(-)
+
+commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jul 7 14:26:53 2013 +0300
+
+ Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5
+
+ vhost-net: fix use-after-free in vhost_net_flush
+
+ vhost_net_ubuf_put_and_wait has a confusing name:
+ it will actually also free it's argument.
+ Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
+ "vhost-net: flush outstanding DMAs on memory change"
+ vhost_net_flush tries to use the argument after passing it
+ to vhost_net_ubuf_put_and_wait, this results
+ in use after free.
+ To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
+ add an new API for callers that want to free ubufs.
+
+ Acked-by: Asias He <asias@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/vhost/net.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 088806db74ac2f08c106202bc5498585a9ee529f
+Author: Michal Hocko <mhocko@suse.cz>
+Date: Mon Jul 8 16:00:29 2013 -0700
+
+ Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b
+
+ memcg, kmem: fix reference count handling on the error path
+
+ mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails.
+ This is not correct because only memcg_propagate_kmem takes an
+ additional reference while mem_cgroup_sockets_init is allowed to fail as
+ well (although no current implementation fails) but it doesn't take any
+ reference. This all suggests that it should be memcg_propagate_kmem
+ that should clean up after itself so this patch moves mem_cgroup_put
+ over there.
+
+ Unfortunately this is not that easy (as pointed out by Li Zefan) because
+ memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is
+ marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if
+ memcg_propagate_kmem fails so the additional reference is dropped in
+ that case in kmem_cgroup_destroy which means that the reference would be
+ dropped two times.
+
+ The easiest way then would be to simply remove mem_cgrroup_put from
+ mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right
+ thing.
+
+ Signed-off-by: Michal Hocko <mhocko@suse.cz>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: Glauber Costa <glommer@openvz.org>
+ Cc: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: <stable@vger.kernel.org> [3.8]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/memcontrol.c | 8 --------
+ 1 files changed, 0 insertions(+), 8 deletions(-)
+
+commit 08bfb6e700d13886ed722c2236e1ec10f03a95df
+Author: Michal Hocko <mhocko@suse.cz>
+Date: Mon Jul 8 16:00:27 2013 -0700
+
+ Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0
+
+ Revert "memcg: avoid dangling reference count in creation failure"
+
+ This reverts commit e4715f01be697a.
+
+ mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops
+ an additional reference from all parents so the additional
+ mem_cgrroup_put(parent) potentially causes use-after-free.
+
+ Signed-off-by: Michal Hocko <mhocko@suse.cz>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Tejun Heo <tj@kernel.org>
+ Cc: Glauber Costa <glommer@openvz.org>
+ Cc: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: <stable@vger.kernel.org> [3.9+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/memcontrol.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+commit 3267ec559f48327a1836eccecd53215afc5810d0
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jun 20 13:13:59 2013 -0700
+
+ Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e
+
+ libceph: Fix NULL pointer dereference in auth client code
+
+ A malicious monitor can craft an auth reply message that could cause a
+ NULL function pointer dereference in the client's kernel.
+
+ To prevent this, the auth_none protocol handler needs an empty
+ ceph_auth_client_ops->build_request() function.
+
+ CVE-2013-1059
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Chanam Park <chanam.park@hkpco.kr>
+ Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
+ Reviewed-by: Sage Weil <sage@inktank.com>
+ Cc: stable@vger.kernel.org
+
+ net/ceph/auth_none.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit cdfeb4049e7cb38702215b2c356ce0407974ac79
+Author: Eric Paris <eparis@redhat.com>
+Date: Wed Jul 3 15:08:29 2013 -0700
+
+ Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53
+
+ fork: reorder permissions when violating number of processes limits
+
+ When a task is attempting to violate the RLIMIT_NPROC limit we have a
+ check to see if the task is sufficiently priviledged. The check first
+ looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
+
+ A result is that tasks which are allowed by the uid=0 check are first
+ checked against the security subsystem. This results in the security
+ subsystem auditting a denial for sys_admin and sys_resource and then the
+ task passing the uid=0 check.
+
+ This patch rearranges the code to first check uid=0, since if we pass that
+ we shouldn't hit the security system at all. We then check sys_resource,
+ since it is the smallest capability which will solve the problem. Lastly
+ we check the fallback everything cap_sysadmin. We don't want to give this
+ capability many places since it is so powerful.
+
+ This will eliminate many of the false positive/needless denial messages we
+ get when a root task tries to violate the nproc limit. (note that
+ kthreads count against root, so on a sufficiently large machine we can
+ actually get past the default limits before any userspace tasks are
+ launched.)
+
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/fork.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 08c87e049c8a50707908785d950fd48c334f4c09
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Sat Jun 22 13:26:09 2013 +0800
+
+ Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6
+
+ arch: sparc: kernel: check the memory length before use strcpy().
+
+ For the related next strcpy(), the destination length is less than 512,
+ but the source maximize length may be 'OPROMMAXPARAM' (4096) which is
+ more than 512.
+
+ One work flow may:
+ openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT)
+ getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'.
+ opromsetopt() -> devide the buffer into 'var' and 'value'
+ of_set_property() -> pass
+ prom_setprop() -> pass
+ ldom_set_var()
+
+ And do not mind the additional 4 alignment buffer increasing, since
+ 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/kernel/ds.c | 10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jul 12 20:38:45 2013 -0400
+
+ Fix SLAB boot errors due to PAX_USERCOPY reported on the forums
+
+ Unlike slub, slab can initally create two of the kmalloc_caches
+ which will be used later for generic kmallocs of their particular
+ aligned size (since the later loop in the unified allocator code
+ skips any already-existing kmalloc_caches)
+
+ mm/slab.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 22:04:59 2013 -0400
+
+ compile fixes
+
+ fs/exec.c | 2 +-
+ mm/mmap.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit e2d027c7e0f106be683c0c72482b8285daefcbe6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:58:40 2013 -0400
+
+ commit successful merges
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 3 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/signal.c | 9 +-
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 9 +-
+ arch/x86/kernel/sys_x86_64.c | 8 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 1 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 129 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/block/cpqarray.c | 1 +
+ drivers/cdrom/cdrom.c | 4 +-
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/mwave/tp3780i.c | 1 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 9 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 184 ++-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/resize.c | 17 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 234 ++-
+ fs/namespace.c | 16 +
+ fs/notify/fanotify/fanotify_user.c | 1 +
+ fs/open.c | 38 +
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 ++-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 4 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/perf_event.h | 13 +-
+ include/linux/printk.h | 3 +-
+ include/linux/sched.h | 24 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/events/core.c | 14 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 64 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 2 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 7 +
+ kernel/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 70 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 1 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 63 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev_ioctl.c | 4 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 4 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netrom/af_netrom.c | 1 -
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 343 +++-
+ security/apparmor/Kconfig | 9 +
+ security/apparmor/apparmorfs.c | 231 ++
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 242 files changed, 4385 insertions(+), 2042 deletions(-)
+
+commit 043a378c0f72ed92cc30182c48abce39867ac93f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 20:57:40 2013 -0400
+
+ Commit merge of new files and rejected patches
+
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/powerpc/include/asm/thread_info.h | 7 +-
+ arch/powerpc/mm/slice.c | 2 +-
+ arch/sparc/kernel/process_64.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 15 +
+ fs/coredump.c | 1 +
+ fs/ext4/balloc.c | 4 +-
+ fs/namei.c | 7 +
+ fs/namespace.c | 8 +
+ fs/pipe.c | 2 +-
+ fs/proc/inode.c | 13 +
+ fs/proc/internal.h | 3 +
+ grsecurity/Kconfig | 1054 +++++++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 ++++
+ grsecurity/gracl_ip.c | 387 +++
+ grsecurity/gracl_learn.c | 207 ++
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 +++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 +++
+ grsecurity/grsec_disabled.c | 434 ++++
+ grsecurity/grsec_exec.c | 187 ++
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 +++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 +++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 246 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 ++++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/gracl.h | 319 +++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 ++
+ include/linux/grinternal.h | 227 ++
+ include/linux/grmsg.h | 112 +
+ include/linux/grsecurity.h | 241 ++
+ include/linux/grsock.h | 19 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/proc_fs.h | 13 +
+ include/linux/sched.h | 48 +-
+ include/trace/events/fs.h | 53 +
+ kernel/kmod.c | 7 +-
+ kernel/panic.c | 2 +-
+ kernel/posix-timers.c | 1 +
+ kernel/time/timekeeping.c | 2 +
+ lib/Kconfig.debug | 2 +-
+ lib/vsprintf.c | 31 +
+ localversion-grsec | 1 +
+ mm/mmap.c | 13 +-
+ mm/shmem.c | 2 +-
+ net/core/net-procfs.c | 5 +
+ net/ipv6/udp.c | 3 +
+ net/netfilter/xt_gradm.c | 51 +
+ 66 files changed, 11184 insertions(+), 21 deletions(-)
+
+commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jul 9 17:35:47 2013 -0400
+
+ Initial import of pax-linux-3.10-test1.patch
+
+ Documentation/dontdiff | 46 +-
+ Documentation/kernel-parameters.txt | 12 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 444 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 14 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 15 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
+ arch/arm/mach-ux500/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 91 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 30 +-
+ arch/arm/mm/mmu.c | 187 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 13 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 +
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 4 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/efi_stub_32.S | 16 +-
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 22 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 4 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 +-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 67 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/include/asm/page_64.h | 4 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 122 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 33 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 28 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 61 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 +-
+ arch/x86/kernel/entry_64.S | 548 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 13 +-
+ arch/x86/kernel/head_32.S | 237 +-
+ arch/x86/kernel/head_64.S | 143 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 55 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 2 +
+ arch/x86/kernel/setup.c | 21 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 184 +
+ arch/x86/kernel/sys_x86_64.c | 22 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 61 +-
+ arch/x86/kvm/x86.c | 8 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 70 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 363 +-
+ arch/x86/lib/usercopy_64.c | 13 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 556 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 98 +-
+ arch/x86/mm/init_32.c | 113 +-
+ arch/x86/mm/init_64.c | 38 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pat_rbtree.c | 2 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 24 +
+ arch/x86/platform/efi/efi_64.c | 10 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 11 +-
+ arch/x86/realmode/init.c | 10 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/Makefile | 2 +-
+ arch/x86/tools/relocs.c | 94 +-
+ arch/x86/um/tls_32.c | 2 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/genhd.c | 11 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/algapi.c | 2 +-
+ crypto/cryptd.c | 4 +-
+ crypto/pcrypt.c | 6 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/attribute_container.c | 2 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 8 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/nbd.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 11 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 4 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 45 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clk/clk-composite.c | 2 +-
+ drivers/clocksource/arm_arch_timer.c | 2 +-
+ drivers/clocksource/metag_generic.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_ondemand.c | 8 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/sparc-us3-cpufreq.c | 69 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 6 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efi/efi.c | 12 +-
+ drivers/firmware/efi/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 57 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/iio_hwmon.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 12 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bcache/closure.h | 2 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 11 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/media/solo6x10/solo6x10-core.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/vhost/vringh.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/output.c | 2 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_addr.c | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 12 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 607 ++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 12 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/exec.c | 362 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 4 +-
+ fs/fhandle.c | 3 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 4 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/lockd/svc.c | 2 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 10 +-
+ fs/nfs/callback.c | 4 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfs/nfs4state.c | 2 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 9 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 61 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/proc/vmcore.c | 12 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/read_write.c | 2 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 40 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/clk-provider.h | 1 +
+ include/linux/compat.h | 4 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 4 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 6 +-
+ include/linux/mm.h | 116 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 12 +-
+ include/linux/pipe_fs_i.h | 8 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-ohci-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/proc_ns.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 65 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 42 +-
+ include/linux/slab_def.h | 28 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 8 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 10 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 12 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/netns/ipv6.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/compress_driver.h | 2 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 30 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 42 +-
+ init/main.c | 83 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditfilter.c | 2 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 38 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 30 +-
+ kernel/events/internal.h | 10 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 11 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 22 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 76 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 51 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/sched/sched.h | 2 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 18 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 6 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 18 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ kernel/workqueue.c | 2 +-
+ lib/Kconfig.debug | 8 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 6 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/usercopy.c | 6 +
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/backing-dev.c | 4 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 15 +-
+ mm/mmap.c | 606 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 4 +-
+ mm/page_alloc.c | 41 +-
+ mm/page_io.c | 2 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 79 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 46 +-
+ mm/slob.c | 201 +-
+ mm/slub.c | 79 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 77 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_core.c | 8 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/devinet.c | 18 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 18 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 12 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 8 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 16 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 29 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.sh | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 676 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/internal.h | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/core/sound.c | 2 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ sound/sound_core.c | 2 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 172 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 560 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 ++
+ tools/gcc/latent_entropy_plugin.c | 327 ++
+ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2114 +++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/gcc/structleak_plugin.c | 277 +
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1607 files changed, 30734 insertions(+), 7318 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 23:05:14 2013 -0400
+
+ always enforce a non-zero gap for RAND_THREADSTACK
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 40d67e38a42d4e94b43b3d7400addc662b9857dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 16:09:28 2013 -0400
+
+ fix up file comparisons
+
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_sig.c | 4 ++--
+ include/linux/grinternal.h | 12 ++++++++++++
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+commit a1fff2c95162314626dd96bec71d951a8c1c4708
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:33:18 2013 -0400
+
+ fix suid binary matching
+
+ grsecurity/grsec_sig.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 00131c458eea5200971c8fc326e90fdb6c2d0baa
+Merge: 37b97a9 47beb61
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:02:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 15:01:37 2013 -0400
+
+ Update to pax-linux-3.9.9-test13.patch:
+ - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626)
+ - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587)
+
+ arch/arm/include/asm/uaccess.h | 20 ++++++++++----------
+ arch/arm/kernel/armksyms.c | 2 +-
+ arch/arm/kernel/entry-armv.S | 4 ++--
+ arch/arm/mm/Kconfig | 2 +-
+ arch/x86/ia32/ia32entry.S | 4 ++--
+ arch/x86/include/asm/page.h | 1 +
+ arch/x86/kernel/entry_32.S | 4 ++--
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ arch/x86/kernel/head64.c | 12 ++++++------
+ arch/x86/kernel/head_64.S | 16 ++++++++++++----
+ arch/x86/mm/init.c | 8 ++++++++
+ arch/x86/mm/init_32.c | 6 ------
+ arch/x86/mm/init_64.c | 6 ------
+ arch/x86/platform/efi/efi_32.c | 5 +++++
+ arch/x86/platform/efi/efi_64.c | 10 ++++++++++
+ 15 files changed, 64 insertions(+), 44 deletions(-)
+
+commit 89085d2d0643813a62f23d1199a335dc1e129bc0
+Merge: 963af7f 0adf2e7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 14:55:44 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:46:02 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 32538dba4959a290a1de81a7f8eeaba99f952aa6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:29:51 2013 -0400
+
+ update log arguments
+
+ grsecurity/grsec_sig.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 13:20:23 2013 -0400
+
+ Update logging of suid exec ban
+
+ Conflicts:
+
+ grsecurity/grsec_sig.c
+
+ grsecurity/grsec_sig.c | 3 +--
+ include/linux/grmsg.h | 1 +
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit ef808866c070aa1901bd2224521baaf5d145a3a7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jul 4 12:58:33 2013 -0400
+
+ Additional improvements to the user banning code:
+
+ Separate the kernel-bruteforcing case from the suid bruteforcing case
+ In the suid bruteforcing case, only kill existing copies of the bruteforced
+ binary. Instead of preventing all future execs by this user, prevent them
+ from executing any suid/sgid binaries for the next 15 minutes.
+
+ Kernel case is mostly unchanged from before, except the task trying to change
+ real uid to the banned user will be terminated instead of failing the setuid
+ call.
+
+ Configuration help has been updated to reflect the new changes.
+
+ fs/exec.c | 13 +++++---
+ grsecurity/Kconfig | 5 ++-
+ grsecurity/gracl.c | 6 ++--
+ grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------
+ include/linux/grsecurity.h | 1 -
+ include/linux/sched.h | 9 +++--
+ 6 files changed, 65 insertions(+), 45 deletions(-)
+
+commit 0f0b6c9d67d429364621b8784ef4a048b7e40736
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 16:14:09 2013 -0400
+
+ fix renamed export of csum_partial_copy_from_user, as reported by fabled
+ on the forums
+
+ arch/arm/kernel/armksyms.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 318235973c2a548c3d25562645d6b69f66e85934
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 16:09:16 2013 -0400
+
+ make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error
+ reported on the forums by fabled
+
+ arch/arm/mm/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b569a7f60fab7a522d8c142765c8b847bbce8a1e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jul 3 15:53:12 2013 -0400
+
+ Revise the user ban code to kill the process issuing a banned
+ set*id instead of returning an error. For the sake of keeping
+ unified user banning between the suid and kernel bruteforce case,
+ we will apply this killing to the suid bruteforce case, despite
+ a check just at exec time (that already existed) being sufficient.
+
+ Returning an error could enable exploitation of the "failure to check
+ setuid return value" case which was recently effectively closed
+ upstream, albeit in a rare situation with a suitable binary and
+ two colluding users.
+
+ Many thanks to stealth for reviewing the user ban code.
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/grsec_sig.c | 16 +++++++++++++---
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f
+Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Date: Fri Jun 28 14:15:15 2013 +0300
+
+ Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
+
+ UBIFS: fix a horrid bug
+
+ Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
+ mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
+ in the middle of 'ubifs_readdir()'.
+
+ This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
+ it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
+ but this may corrupt memory and lead to all kinds of problems like crashes an
+ security holes.
+
+ This patch fixes the problem by using the 'file->f_version' field, which
+ '->llseek()' always unconditionally sets to zero. We set it to 1 in
+ 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
+ seek and it is time to clear the state saved in 'file->private_data'.
+
+ I tested this patch by writing a user-space program which runds readdir and
+ seek in parallell. I could easily crash the kernel without these patches, but
+ could not crash it with these patches.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+ Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+ Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++---
+ 1 files changed, 27 insertions(+), 3 deletions(-)
+
+commit c22280b85088978bd8b45bd23096879459b48008
+Author: Stephane Eranian <eranian@google.com>
+Date: Thu Jun 20 11:36:28 2013 +0200
+
+ Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
+
+ perf: Disable monitoring on setuid processes for regular users
+
+ There was a a bug in setup_new_exec(), whereby
+ the test to disabled perf monitoring was not
+ correct because the new credentials for the
+ process were not yet committed and therefore
+ the get_dumpable() test was never firing.
+
+ The patch fixes the problem by moving the
+ perf_event test until after the credentials
+ are committed.
+
+ Signed-off-by: Stephane Eranian <eranian@google.com>
+ Tested-by: Jiri Olsa <jolsa@redhat.com>
+ Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ fs/exec.c | 16 +++++++++-------
+ 1 files changed, 9 insertions(+), 7 deletions(-)
+
+commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 29 13:10:02 2013 -0400
+
+ on context switch, make sure we switch DACR when domain support and
+ KERNEXEC is disabled but UDEREF is enabled
+
+ arch/arm/kernel/entry-armv.S | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 08d017fa51370921694ce087b28c96fec92993d4
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jun 23 17:26:58 2013 +0300
+
+ Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
+
+ macvtap: fix recovery from gup errors
+
+ get user pages might fail partially in macvtap zero copy
+ mode. To recover we need to put all pages that we got,
+ but code used a wrong index resulting in double-free
+ errors.
+
+ Reported-by: Brad Hubbard <bhubbard@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/macvtap.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date: Sun Jun 23 17:19:03 2013 +0300
+
+ Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86
+
+ tun: fix recovery from gup errors
+
+ get user pages might fail partially in tun zero copy
+ mode. To recover we need to put all pages that we got,
+ but code used a wrong index resulting in double-free
+ errors.
+
+ Reported-by: Brad Hubbard <bhubbard@redhat.com>
+ Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+ Acked-by: Jason Wang <jasowang@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28
+Author: Balazs Peter Odor <balazs@obiserver.hu>
+Date: Sat Jun 22 19:24:43 2013 +0200
+
+ Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773
+
+ netfilter: nf_nat_sip: fix mangling
+
+ In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets)
+ there were some missing brackets around the logging information, thus
+ always returning drop.
+
+ Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061
+
+ Signed-off-by: Balazs Peter Odor <balazs@obiserver.hu>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nf_nat_sip.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 87c18924aecb841586b8972fabb20c5b75ca2fc9
+Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Date: Sun Jun 2 16:30:40 2013 -0400
+
+ Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
+
+ Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
+
+ If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
+ controller, memory corruption happens due to a memcpy() call with
+ negative length.
+
+ Fix this crash on either incoming or outgoing connections with a MTU
+ smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
+
+ [ 46.885433] BUG: unable to handle kernel paging request at f56ad000
+ [ 46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
+ [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
+ [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
+ [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
+ [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
+ [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
+ [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
+ [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
+ [ 46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
+ [ 46.888037] EIP is at memcpy+0x1d/0x40
+ [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
+ [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
+ [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+ [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
+ [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
+ [ 46.888037] DR6: ffff0ff0 DR7: 00000400
+ [ 46.888037] Stack:
+ [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000
+ [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560
+ [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2
+ [ 46.888037] Call Trace:
+ [ 46.888037] [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
+ [ 46.888037] [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
+ [ 46.888037] [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
+ [ 46.888037] [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
+ [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+ [ 46.888037] [<c064ad20>] ? mutex_lock_nested+0x280/0x360
+ [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+ [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+ [ 46.888037] [<c064ad08>] ? mutex_lock_nested+0x268/0x360
+ [ 46.888037] [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
+ [ 46.888037] [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
+ [ 46.888037] [<c01a0ff8>] ? mark_held_locks+0x68/0x110
+ [ 46.888037] [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
+ [ 46.888037] [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
+ [ 46.888037] [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
+ [ 46.888037] [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
+ [ 46.888037] [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
+ [ 46.888037] [<c0158979>] process_one_work+0x1a9/0x600
+ [ 46.888037] [<c01588fb>] ? process_one_work+0x12b/0x600
+ [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+ [ 46.888037] [<c015922e>] ? worker_thread+0x19e/0x320
+ [ 46.888037] [<c0159187>] worker_thread+0xf7/0x320
+ [ 46.888037] [<c0159090>] ? rescuer_thread+0x290/0x290
+ [ 46.888037] [<c01602f8>] kthread+0xa8/0xb0
+ [ 46.888037] [<c0656777>] ret_from_kernel_thread+0x1b/0x28
+ [ 46.888037] [<c0160250>] ? flush_kthread_worker+0x120/0x120
+ [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
+ [ 46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
+ [ 46.888037] CR2: 00000000f56ad000
+ [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]---
+
+ Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ net/bluetooth/l2cap_core.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit b0471b6c1160858fc646d8e94628fd1299f61692
+Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
+Date: Fri Jun 21 19:55:11 2013 +0530
+
+ Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112
+
+ Bluetooth: Fix invalid length check in l2cap_information_rsp()
+
+ The length check is invalid since the length varies with type of
+ info response.
+
+ This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
+
+ Because of this, l2cap info rsp is not handled and command reject is sent.
+
+ > ACL data: handle 11 flags 0x02 dlen 16
+ L2CAP(s): Info rsp: type 2 result 0
+ Extended feature mask 0x00b8
+ Enhanced Retransmission mode
+ Streaming mode
+ FCS Option
+ Fixed Channels
+ < ACL data: handle 11 flags 0x00 dlen 10
+ L2CAP(s): Command rej: reason 0
+ Command not understood
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
+ Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
+ Acked-by: Johan Hedberg <johan.hedberg@intel.com>
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+
+ net/bluetooth/l2cap_core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4184af98c360d825e638b268b1a9847232e8d299
+Author: Eric Dumazet <edumazet@google.com>
+Date: Wed Jun 26 04:15:07 2013 -0700
+
+ Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
+
+ ipv6: ip6_sk_dst_check() must not assume ipv6 dst
+
+ It's possible to use AF_INET6 sockets and to connect to an IPv4
+ destination. After this, socket dst cache is a pointer to a rtable,
+ not rt6_info.
+
+ ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
+ various corruptions/crashes can happen.
+
+ Dave Jones can reproduce immediate crash with
+ trinity -q -l off -n -c sendmsg -c connect
+
+ With help from Hannes Frederic Sowa
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2
+Author: Zefan Li <lizefan@huawei.com>
+Date: Wed Jun 26 15:29:54 2013 +0800
+
+ Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
+
+ dlci: acquire rtnl_lock before calling __dev_get_by_name()
+
+ Otherwise the net device returned can be freed at anytime.
+
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/dlci.c | 14 +++++++++-----
+ 1 files changed, 9 insertions(+), 5 deletions(-)
+
+commit 1fe6f23c9acd14d832d056909ff326bde418e645
+Author: Zefan Li <lizefan@huawei.com>
+Date: Wed Jun 26 15:31:58 2013 +0800
+
+ Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
+
+ dlci: validate the net device in dlci_del()
+
+ We triggered an oops while running trinity with 3.4 kernel:
+
+ BUG: unable to handle kernel paging request at 0000000100000d07
+ IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+ PGD 640c0d067 PUD 0
+ Oops: 0000 [#1] PREEMPT SMP
+ CPU 3
+ ...
+ Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA
+ RIP: 0010:[<ffffffffa0109738>] [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
+ ...
+ Call Trace:
+ [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
+ [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
+ [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
+ [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
+ [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
+ ...
+
+ It's because the net device is not a dlci device.
+
+ Reported-by: Li Jinyue <lijinyue@huawei.com>
+ Signed-off-by: Li Zefan <lizefan@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/wan/dlci.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+commit 4d4464407611527ef6b6b5475cfcab6121b3da66
+Merge: 59571a9 963af7f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 27 18:54:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 963af7f7f591759b731ce6325ceb583a72fcf423
+Merge: c51e25a 55db48a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 27 18:54:42 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 59571a9db7485f530a1e865a13cacc4c991ec41f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:39:08 2013 -0400
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: Steffen Klassert <steffen.klassert@secunet.com>,
+ "David S. Miller" <davem@davemloft.net>
+ Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
+ Herbert Xu <herbert@gondor.apana.org.au>
+ Subject: [PATCH] af_key: fix info leaks in notify messages
+
+ key_notify_sa_flush() and key_notify_policy_flush() miss to initialize
+ the sadb_msg_reserved member of the broadcasted message and thereby
+ leak 2 bytes of heap memory to listeners. Fix that.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+
+ net/key/af_key.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:33:06 2013 -0400
+
+ update rand_threadstack code to continue the search for a gap if the first
+ choice doesn't have enough space, instead of returning ENOMEM
+
+ mm/mmap.c | 17 ++++++++++-------
+ 1 files changed, 10 insertions(+), 7 deletions(-)
+
+commit 87020d4a4d83038d65ff1fd519938840f6888b9e
+Merge: 2682346 c51e25a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:25:32 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c51e25a23f30a1198076bd085f19b2073caf164d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 26 18:24:54 2013 -0400
+
+ Update to pax-linux-3.9.7-test12.patch:
+ - fixed a regression on PARAVIRT/amd64 kernels
+ - simplified the recent vm_unmapped_area_info based change
+
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ mm/mmap.c | 22 ++++++++++++----------
+ 2 files changed, 16 insertions(+), 14 deletions(-)
+
+commit 26823469a08e59cb67bea18d448d9e8c65f82e08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 21:26:51 2013 -0400
+
+ re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX
+ vm_unmapped_area code is complete
+
+ arch/x86/kernel/sys_i386_32.c | 5 +++++
+ grsecurity/Kconfig | 2 +-
+ mm/mmap.c | 11 ++++++++++-
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7
+Merge: e58fe8c c4e0704
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 19:08:52 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/sys_i386_32.c
+
+commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 25 19:05:39 2013 -0400
+
+ Update to pax-linux-3.9.7-test11.patch:
+ - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
+ - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure
+ - fixed the recent nested nmi related fixes some more
+ - fixed a regression in kernel memory initialization on relocatable i386 kernels
+ - empty_zero_page can be read-only on amd64 as well
+
+ arch/arm/mm/mmap.c | 6 --
+ arch/x86/kernel/entry_64.S | 8 +--
+ arch/x86/kernel/head_64.S | 1 -
+ arch/x86/kernel/setup.c | 2 +-
+ arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++----------------------------
+ drivers/lguest/core.c | 2 +-
+ include/linux/mm.h | 6 +-
+ include/linux/vmalloc.h | 2 +-
+ mm/mmap.c | 30 +++++++-
+ 9 files changed, 83 insertions(+), 134 deletions(-)
+
+commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 23 14:37:14 2013 -0400
+
+ second compile fix, reported by forsaken on forums
+
+ include/linux/vmalloc.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 23 14:36:35 2013 -0400
+
+ compile fix, reported by KDE on forums
+
+ kernel/printk.c | 7 -------
+ 1 files changed, 0 insertions(+), 7 deletions(-)
+
+commit 1fc9a5e2e267205d28302e1e86ca0da434561111
+Author: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun Jun 16 21:27:12 2013 +0100
+
+ Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d
+
+ x86/efi: Fix dummy variable buffer allocation
+
+ 1. Check for allocation failure
+ 2. Clear the buffer contents, as they may actually be written to flash
+ 3. Don't leak the buffer
+
+ Compile-tested only.
+
+ [ Tested successfully on my buggy ASUS machine - Matt ]
+
+ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+
+ arch/x86/platform/efi/efi.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 83e15c8baaa620d8c777e84aa037b4302f0487c5
+Author: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Tue Jun 18 09:05:36 2013 -0500
+
+ Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441
+
+ sparc: tsb must be flushed before tlb
+
+ This fixes a race where a cpu may re-load a tlb from a stale tsb right
+ after it has been flushed by a remote function call.
+
+ I still see some instability when stressing the system with parallel
+ kernel builds while creating memory pressure by writing to
+ /proc/sys/vm/nr_hugepages, but this patch improves the stability
+ significantly.
+
+ Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+ Acked-by: Bob Picco <bob.picco@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/mm/tlb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d93b62f6485db9aadda34322a6867868db07f56f
+Merge: 4ef62f5 71d83e9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:52:55 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 71d83e97c936563913bcfb5a25c45b2021a331eb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:48:42 2013 -0400
+
+ Update to pax-linux-3.9.7-test10.patch:
+ - fixed a few format string problems uncovered by -Wformat-nonliteral
+ - another attempt at fixing the nested nmi/cr0.wp problem
+ - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
+ - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
+ - fixed a locking issue with track_exec_limit reported by spender
+ - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)
+
+ Documentation/dontdiff | 1 +
+ arch/x86/boot/compressed/efi_stub_32.S | 16 ++-----
+ arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
+ arch/x86/kernel/e820.c | 4 +-
+ arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------
+ arch/x86/kernel/vmlinux.lds.S | 2 +-
+ block/genhd.c | 11 +++--
+ crypto/algapi.c | 2 +-
+ crypto/pcrypt.c | 6 +-
+ drivers/base/attribute_container.c | 2 +-
+ drivers/base/power/sysfs.c | 2 +-
+ drivers/block/nbd.c | 2 +-
+ drivers/cdrom/cdrom.c | 2 +-
+ drivers/char/hw_random/intel-rng.c | 2 +-
+ drivers/char/mem.c | 2 +-
+ drivers/devfreq/devfreq.c | 2 +-
+ drivers/gpu/drm/drm_encoder_slave.c | 6 +--
+ drivers/gpu/drm/drm_sysfs.c | 2 +-
+ drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
+ drivers/iommu/irq_remapping.c | 2 +-
+ drivers/video/output.c | 2 +-
+ fs/ext4/mmp.c | 2 +-
+ fs/ext4/super.c | 2 +-
+ fs/lockd/svc.c | 2 +-
+ fs/nfs/callback.c | 4 +-
+ fs/nfs/nfs4state.c | 2 +-
+ fs/nfsd/nfscache.c | 3 +-
+ init/initramfs.c | 2 +-
+ kernel/rcutree.c | 2 +-
+ lib/kobject.c | 2 +-
+ mm/backing-dev.c | 4 +-
+ mm/mmap.c | 4 +-
+ mm/slub.c | 2 +-
+ mm/vmalloc.c | 15 +++----
+ net/bluetooth/hci_core.c | 8 ++--
+ net/netfilter/nf_conntrack_proto_dccp.c | 4 +-
+ net/sunrpc/svc.c | 2 +-
+ security/Kconfig | 15 +++---
+ sound/core/sound.c | 2 +-
+ sound/sound_core.c | 2 +-
+ 40 files changed, 116 insertions(+), 111 deletions(-)
+
+commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c
+Merge: 39efd8f 256eff7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jun 21 16:45:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ kernel/printk.c
+
+commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6
+Merge: e6e3059 485f25f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 20 22:14:24 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 18 17:20:18 2013 -0400
+
+ add apparmor compat patch
+
+ security/apparmor/Kconfig | 9 ++
+ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 240 insertions(+), 0 deletions(-)
+
+commit 49bee3c5341687504669bf62becf4a419a226ba0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 17 18:48:04 2013 -0400
+
+ Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
+
+ This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444.
+
+ kernel/sys.c | 29 +++--------------------------
+ 1 files changed, 3 insertions(+), 26 deletions(-)
+
+commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Sun Jun 16 18:06:06 2013 +0100
+
+ Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
+
+ lseek(fd, n, SEEK_END) does *not* go to eof - n
+
+ When you copy some code, you are supposed to read it. If nothing else,
+ there's a chance to spot and fix an obvious bug instead of sharing it...
+
+ X-Song: "I Got It From Agnes", by Tom Lehrer
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ [ Tom Lehrer? You're dating yourself, Al ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +-
+ drivers/scsi/bfa/bfad_debugfs.c | 2 +-
+ drivers/scsi/fnic/fnic_debugfs.c | 2 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 5a450f1c46f0c84379518aee878993d3f4a331b6
+Author: Theodore Ts'o <tytso@mit.edu>
+Date: Thu Jun 6 11:14:31 2013 -0400
+
+ Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50
+
+ ext4: verify group number in verify_group_input() before using it
+
+ Check the group number for sanity earilier, before calling routines
+ such as ext4_bg_has_super() or ext4_group_overhead_blocks().
+
+ Reported-by: Jonathan Salwan <jonathan.salwan@gmail.com>
+ Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+
+ fs/ext4/resize.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+commit e2700ce1305cc746d2d9000392f00d96fdf28fb8
+Author: Neil Horman <nhorman@tuxdriver.com>
+Date: Wed Jun 12 14:26:44 2013 -0400
+
+ Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
+
+ sctp: fully initialize sctp_outq in sctp_outq_init
+
+ In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
+ (refactor sctp_outq_teardown to insure proper re-initalization)
+ we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the
+ outq structure. Steve West recently asked me why I removed the q->error = 0
+ initalization from sctp_outq_teardown. I did so because I was operating under
+ the impression that sctp_outq_init would properly initalize that value for us,
+ but it doesn't. sctp_outq_init operates under the assumption that the outq
+ struct is all 0's (as it is when called from sctp_association_init), but using
+ it in __sctp_outq_teardown violates that assumption. We should do a memset in
+ sctp_outq_init to ensure that the entire structure is in a known state there
+ instead.
+
+ Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+ Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
+ CC: Vlad Yasevich <vyasevich@gmail.com>
+ CC: netdev@vger.kernel.org
+ CC: davem@davemloft.net
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/sctp/outqueue.c
+
+ net/sctp/outqueue.c | 8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
+
+commit e13515ad7a9c7634599a105b2527752e527a905d
+Author: Saurabh Mohan <saurabh@vyatta.com>
+Date: Mon Jun 10 17:45:10 2013 -0700
+
+ Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817
+
+ net/ipv4: ip_vti clear skb cb before tunneling.
+
+ If users apply shaper to vti tunnel then it will cause a kernel crash. The
+ problem seems to be due to the vti_tunnel_xmit function not clearing
+ skb->opt field before passing the packet to xfrm tunneling code.
+
+ Signed-off-by: Saurabh Mohan <saurabh@vyatta.com>
+ Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/ip_vti.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed Jun 12 16:07:36 2013 +0200
+
+ Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
+
+ l2tp: Fix sendmsg() return value
+
+ PPPoL2TP sockets should comply with the standard send*() return values
+ (i.e. return number of bytes sent instead of 0 upon success).
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit af361b412e816e894fb42ddff7a0545b7def64c0
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed Jun 12 16:07:23 2013 +0200
+
+ Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
+
+ l2tp: Fix PPP header erasure and memory leak
+
+ Copy user data after PPP framing header. This prevents erasure of the
+ added PPP header and avoids leaking two bytes of uninitialised memory
+ at the end of skb's data buffer.
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 1f43aca088c35dda35abf76e08544e534c71fed4
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed Jun 12 16:02:27 2013 +0200
+
+ Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
+
+ packet: packet_getname_spkt: make sure string is always 0-terminated
+
+ uaddr->sa_data is exactly of size 14, which is hard-coded here and
+ passed as a size argument to strncpy(). A device name can be of size
+ IFNAMSIZ (== 16), meaning we might leave the destination string
+ unterminated. Thus, use strlcpy() and also sizeof() while we're
+ at it. We need to memset the data area beforehand, since strlcpy
+ does not padd the remaining buffer with zeroes for user space, so
+ that we do not possibly leak anything.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/packet/af_packet.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Wed Jun 5 19:38:26 2013 +0000
+
+ Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab
+
+ net: Unbreak compat_sys_{send,recv}msg
+
+ I broke them in this commit:
+
+ commit 1be374a0518a288147c6a7398792583200a67261
+ Author: Andy Lutomirski <luto@amacapital.net>
+ Date: Wed May 22 14:07:44 2013 -0700
+
+ net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept
+ MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It
+ also reverts some unnecessary checks in sys_socketcall.
+
+ Apparently I was suffering from underscore blindness the first time around.
+
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Tested-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/linux/socket.h | 3 ++
+ net/compat.c | 13 +++++++-
+ net/socket.c | 72 ++++++++++++++++++++++--------------------------
+ 3 files changed, 47 insertions(+), 41 deletions(-)
+
+commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f
+Author: Andy Lutomirski <luto@amacapital.net>
+Date: Wed May 22 14:07:44 2013 -0700
+
+ Upstream commit: 1be374a0518a288147c6a7398792583200a67261
+
+ net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ To: linux-kernel@vger.kernel.org
+ Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski <luto@amacapital.net>, netdev@vger.kernel.org, "David S.
+ Miller" <davem@davemloft.net>
+ Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+
+ MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API --
+ it's a hack that steals a bit to indicate to other networking code
+ that a compat entry was used. So don't allow it from a non-compat
+ syscall.
+
+ This prevents an oops when running this code:
+
+ int main()
+ {
+ int s;
+ struct sockaddr_in addr;
+ struct msghdr *hdr;
+
+ char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
+ if (highpage == MAP_FAILED)
+ err(1, "mmap");
+
+ s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ if (s == -1)
+ err(1, "socket");
+
+ addr.sin_family = AF_INET;
+ addr.sin_port = htons(1);
+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0)
+ err(1, "connect");
+
+ void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE;
+ printf("Evil address is %p\n", evil);
+
+ if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0)
+ err(1, "sendmmsg");
+
+ return 0;
+ }
+
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/socket.c | 33 +++++++++++++++++++++++++++++++--
+ 1 files changed, 31 insertions(+), 2 deletions(-)
+
+commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e
+Author: Kees Cook <keescook@chromium.org>
+Date: Fri May 10 14:48:21 2013 -0700
+
+ Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
+
+ b43: stop format string leaking into error msgs
+
+ The module parameter "fwpostfix" is userspace controllable, unfiltered,
+ and is used to define the firmware filename. b43_do_request_fw() populates
+ ctx->errors[] on error, containing the firmware filename. b43err()
+ parses its arguments as a format string. For systems with b43 hardware,
+ this could lead to a uid-0 to ring-0 escalation.
+
+ CVE-2013-2852
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/b43/main.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit dfb67a67049ace7b94ad7e2febfac69816d50d85
+Author: Mark A. Greer <mgreer@animalcreek.com>
+Date: Wed May 29 12:25:34 2013 -0700
+
+ Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
+
+ mwifiex: debugfs: Fix out of bounds array access
+
+ When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
+ the following panic occurs:
+
+ $ cat /sys/kernel/debug/mwifiex/p2p0/info
+ Unable to handle kernel paging request at virtual address 74706164
+ pgd = de530000
+ [74706164] *pgd=00000000
+ Internal error: Oops: 5 [#1] SMP ARM
+ Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
+ CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
+ task: de16b6c0 ti: de048000 task.ti: de048000
+ PC is at strnlen+0xc/0x4c
+ LR is at string+0x3c/0xf8
+ pc : [<c02c123c>] lr : [<c02c2d1c>] psr: a0000013
+ sp : de049e10 ip : c06efba0 fp : de6d2092
+ r10: bf01a260 r9 : ffffffff r8 : 74706164
+ r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000
+ r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164
+ Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+ Control: 10c5387d Table: 9e530019 DAC: 00000015
+ Process cat (pid: 1635, stack limit = 0xde048240)
+ Stack: (0xde049e10 to 0xde04a000)
+ 9e00: de6d2092 00000002 bf01a25e de6d209c
+ 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
+ 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
+ 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
+ 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
+ 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
+ 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
+ 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
+ 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
+ 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
+ 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
+ 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
+ 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
+ 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
+ [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
+ [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
+ [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
+ [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
+ [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
+ [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
+ [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
+ Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
+ ---[ end trace ca98273dc605a04f ]---
+
+ The panic is caused by the mwifiex_info_read() routine assuming that
+ there can only be four modes (0-3) which is an invalid assumption.
+ For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
+ code accesses data beyond the bounds of the bss_modes[] array which
+ causes the panic. Fix this by updating bss_modes[] to support the
+ current list of modes and adding a check to prevent the out-of-bounds
+ access from occuring in the future when more modes are added.
+
+ Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
+ Acked-by: Bing Zhao <bzhao@marvell.com>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++-----
+ 1 files changed, 17 insertions(+), 5 deletions(-)
+
+commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52
+Author: Johan Hedberg <johan.hedberg@intel.com>
+Date: Tue May 28 13:46:30 2013 +0300
+
+ Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888
+
+ Bluetooth: Fix missing length checks for L2CAP signalling PDUs
+
+ There has been code in place to check that the L2CAP length header
+ matches the amount of data received, but many PDU handlers have not been
+ checking that the data received actually matches that expected by the
+ specific PDU. This patch adds passing the length header to the specific
+ handler functions and ensures that those functions fail cleanly in the
+ case of an incorrect amount of data.
+
+ Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++-----------
+ 1 files changed, 52 insertions(+), 18 deletions(-)
+
+commit 628be2427afb241b5a1aa24bc5907d05287e1f25
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon Jun 3 12:00:49 2013 +0300
+
+ Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
+
+ ipvs: info leak in __ip_vs_get_dest_entries()
+
+ The entry struct has a 2 byte hole after ->port and another 4 byte
+ hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your
+ namespace to hit this information leak.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Julian Anastasov <ja@ssi.bg>
+ Signed-off-by: Simon Horman <horms@verge.net.au>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/ipvs/ip_vs_ctl.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 066d9226bc6c569d5f420c978b758e0bddd23444
+Author: Robin Holt <holt@sgi.com>
+Date: Wed Jun 12 14:04:37 2013 -0700
+
+ Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
+
+ reboot: rigrate shutdown/reboot to boot cpu
+
+ We recently noticed that reboot of a 1024 cpu machine takes approx 16
+ minutes of just stopping the cpus. The slowdown was tracked to commit
+ f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
+ kernel_restart()").
+
+ The current implementation does all the work of hot removing the cpus
+ before halting the system. We are switching to just migrating to the
+ boot cpu and then continuing with shutdown/reboot.
+
+ This also has the effect of not breaking x86's command line parameter
+ for specifying the reboot cpu. Note, this code was shamelessly copied
+ from arch/x86/kernel/reboot.c with bits removed pertaining to the
+ reboot_cpu command line parameter.
+
+ Signed-off-by: Robin Holt <holt@sgi.com>
+ Tested-by: Shawn Guo <shawn.guo@linaro.org>
+ Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
+ Cc: H. Peter Anvin <hpa@zytor.com>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Ingo Molnar <mingo@elte.hu>
+ Cc: Russ Anderson <rja@sgi.com>
+ Cc: Robin Holt <holt@sgi.com>
+ Cc: Russell King <linux@arm.linux.org.uk>
+ Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sys.c | 29 ++++++++++++++++++++++++++---
+ 1 files changed, 26 insertions(+), 3 deletions(-)
+
+commit 94e2a91600b07d39825e7059195f35eb611a39a2
+Merge: 20cc761 e6e3059
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 13 16:23:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a
+Merge: c6aadb1 4b73feb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jun 13 16:23:39 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 20cc7613e38cde07adc73179a91d6c15292e8d43
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Thu Jun 6 15:53:47 2013 +0200
+
+ Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
+
+ net: sctp: fix NULL pointer dereference in socket destruction
+
+ While stress testing sctp sockets, I hit the following panic:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+ IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ PGD 7cead067 PUD 7ce76067 PMD 0
+ Oops: 0000 [#1] SMP
+ Modules linked in: sctp(F) libcrc32c(F) [...]
+ CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1
+ Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
+ task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
+ RIP: 0010:[<ffffffffa0490c4e>] [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ RSP: 0018:ffff88007b569e08 EFLAGS: 00010292
+ RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
+ RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
+ RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
+ FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Stack:
+ ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
+ ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
+ 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
+ Call Trace:
+ [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
+ [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
+ [<ffffffff814df36e>] inet_create+0x2ae/0x350
+ [<ffffffff81455a6f>] __sock_create+0x11f/0x240
+ [<ffffffff81455bf0>] sock_create+0x30/0x40
+ [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
+ [<ffffffff815403be>] ? do_page_fault+0xe/0x10
+ [<ffffffff8153cb32>] ? page_fault+0x22/0x30
+ [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
+ Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
+ 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
+ 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
+ RIP [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
+ RSP <ffff88007b569e08>
+ CR2: 0000000000000020
+ ---[ end trace e0d71ec1108c1dd9 ]---
+
+ I did not hit this with the lksctp-tools functional tests, but with a
+ small, multi-threaded test program, that heavily allocates, binds,
+ listens and waits in accept on sctp sockets, and then randomly kills
+ some of them (no need for an actual client in this case to hit this).
+ Then, again, allocating, binding, etc, and then killing child processes.
+
+ This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
+ is set. The cause for that is actually very simple: in sctp_endpoint_init()
+ we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
+ our crypto transforms through crypto_alloc_hash(). In our scenario,
+ it then can happen that crypto_alloc_hash() fails with -EINTR from
+ crypto_larval_wait(), thus we bail out and release the socket via
+ sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
+ dereference as soon as we try to access members in the endpoint during
+ sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
+ if we have that case, we do not need to do any cleanup work and just
+ leave the destruction handler.
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 386ba837978cc8a1111440bdcd8600f2df4634a4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jun 12 20:37:48 2013 -0400
+
+ fix deadlock when booting i386 kernel without NX
+
+ mm/mmap.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 22:18:07 2013 -0400
+
+ fix elif / elif defined() typo in recent change
+
+ kernel/events/core.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit bc43377e1e757cd37a06be0187884a42af718aab
+Merge: 3cdea63 c6aadb1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 18:50:39 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 11 18:49:36 2013 -0400
+
+ Update to pax-linux-3.9.4-test9.patch:
+ - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506)
+ - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort
+
+ arch/x86/kernel/setup.c | 2 +-
+ mm/mlock.c | 1 -
+ 2 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 3cdea63e90607d8d55820b101854091623feedb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:21:44 2013 -0400
+
+ Fix fanotify infoleak reported by Dan Carpenter at:
+ https://lkml.org/lkml/2013/6/3/128
+
+ Requires CAP_SYS_ADMIN, so this is about as low priority as it gets
+
+ fs/notify/fanotify/fanotify_user.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 373a2b5df78f82b9d3db72bd6577e29a71591323
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:16:46 2013 -0400
+
+ Backport infoleak fix by Dan Carpenter in cpqarray:
+ https://lkml.org/lkml/2013/6/3/131
+
+ drivers/block/cpqarray.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 251e84b9b05e063981b20be154c9389862f94759
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 21:04:17 2013 -0400
+
+ Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2
+
+ drivers/cdrom/cdrom.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 383d89bf95818b05a485a6e8b118963b5bcbc83e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 18:34:32 2013 -0400
+
+ change const to __read_only
+
+ kernel/sysctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 8f08f803f605649e63f0857a1b9a9805b629eaa4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 17:34:13 2013 -0400
+
+ compile fix, make const values const
+
+ kernel/sysctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jun 10 17:37:13 2013 -0400
+
+ Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a
+
+ drivers/char/mwave/tp3780i.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 1c590aa70c95ebd76ba9672aa23d800b81780615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 19:50:35 2013 -0400
+
+ allow -1 perf_event_paranoid
+
+ kernel/sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584
+Merge: 4e85539 117c3fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 17:30:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 117c3fa8d26c3806103123560f807d99071b60b6
+Merge: ed9b427 5dd2e98
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jun 9 17:30:00 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon May 13 21:25:52 2013 +0000
+
+ Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
+
+ tcp: fix tcp_md5_hash_skb_data()
+
+ TCP md5 communications fail [1] for some devices, because sg/crypto code
+ assume page offsets are below PAGE_SIZE.
+
+ This was discovered using mlx4 driver [2], but I suspect loopback
+ might trigger the same bug now we use order-3 pages in tcp_sendmsg()
+
+ [1] Failure is giving following messages.
+
+ huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
+ exited with 00000101?
+
+ [2] mlx4 driver uses order-2 pages to allocate RX frags
+
+ Reported-by: Matt Schnall <mischnal@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Bernhard Beck <bbeck@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb
+Author: Eric Dumazet <edumazet@google.com>
+Date: Fri May 17 04:53:13 2013 +0000
+
+ Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
+
+ ipv6: fix possible crashes in ip6_cork_release()
+
+ commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
+ added some code duplication and bad error recovery, leading to potential
+ crash in ip6_cork_release() as kfree() could be called with garbage.
+
+ use kzalloc() to make sure this wont happen.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+ Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+ Cc: Neal Cardwell <ncardwell@google.com>
+
+ net/ipv6/ip6_output.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5771263fe368cd384127dd17d7596a7e1a4e2eec
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Thu May 16 23:13:04 2013 +0000
+
+ Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
+
+ net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
+
+ 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
+ strncpy() will always left the last byte of 'discovery->data.info'
+ uninitialized.
+
+ When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left
+ the last byte of 'discovery->data.info' uninitialized, the next
+ strlen() will cause issue.
+
+ Also 'discovery->data' is 'struct irda_device_info' which defined in
+ "include/uapi/...", it may copy to user mode, so need whole initialized.
+
+ All together, need use kzalloc() instead of kmalloc() to initialize all
+ members firstly.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/irda/irlap_frame.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c01c9af268cb066f240aec53454b8b74d8d01688
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun May 19 08:36:36 2013 +0000
+
+ Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
+
+ isdn/kcapi: fix a small underflow
+
+ In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
+ from skb->data. The current code can underflow to one space before the
+ start of the array.
+
+ The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
+ it to match the others.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/capi/kcapi.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66
+Author: Timo Teräs <timo.teras@iki.fi>
+Date: Wed May 22 01:40:47 2013 +0000
+
+ Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0
+
+ xfrm: properly handle invalid states as an error
+
+ The error exit path needs err explicitly set. Otherwise it
+ returns success and the only caller, xfrm_output_resume(),
+ would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
+ NULL.
+
+ Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
+ check and add a statistic).
+
+ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+ Cc: Li RongQing <roy.qing.li@gmail.com>
+ Cc: Steffen Klassert <steffen.klassert@secunet.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/xfrm/xfrm_output.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd
+Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
+Date: Fri May 31 15:07:52 2013 -0400
+
+ Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
+
+ reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
+
+ After sleeping for filldir(), we check to see if the file system has
+ changed and research. The next_pos pointer is updated but its value
+ isn't pushed into the key used for the search itself. As a result,
+ the search returns the same item that the last cycle of the loop did
+ and filldir() is called multiple times with the same data.
+
+ The end result is that the buffer can contain the same name multiple
+ times. This can be returned to userspace or used internally in the
+ xattr code where it can manifest with the following warning:
+
+ jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
+
+ reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
+ the xattr names and ends up trying to unlink the same name twice. The
+ second attempt fails with -ENOENT and the error is returned. At some
+ point I'll need to add support into reiserfsck to remove the orphaned
+ directories left behind when this occurs.
+
+ The fix is to push the value into the key before researching.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/dir.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ca0746bf380eec77d75d1741ac4742ded0e55ec7
+Author: Jeff Mahoney <jeffm@suse.com>
+Date: Fri May 31 15:51:17 2013 -0400
+
+ Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
+
+ reiserfs: fix deadlock with nfs racing on create/lookup
+
+ Reiserfs is currently able to be deadlocked by having two NFS clients
+ where one has removed and recreated a file and another is accessing the
+ file with an open file handle.
+
+ If one client deletes and recreates a file with timing such that the
+ recreated file obtains the same [dirid, objectid] pair as the original
+ file while another client accesses the file via file handle, the create
+ and lookup can race and deadlock if the lookup manages to create the
+ in-memory inode first.
+
+ The create thread, in insert_inode_locked4, will hold the write lock
+ while waiting on the other inode to be unlocked. The lookup thread,
+ anywhere in the iget path, will release and reacquire the write lock while
+ it schedules. If it needs to reacquire the lock while the create thread
+ has it, it will never be able to make forward progress because it needs
+ to reacquire the lock before ultimately unlocking the inode.
+
+ This patch drops the write lock across the insert_inode_locked4 call so
+ that the ordering of inode_wait -> write lock is retained. Since this
+ would have been the case before the BKL push-down, this is safe.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/inode.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit cd21c0eb4950498be46a07257426c0cea4aa2bf1
+Author: Jeff Mahoney <jeffm@suse.com>
+Date: Fri May 31 15:54:17 2013 -0400
+
+ Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
+
+ reiserfs: fix problems with chowning setuid file w/ xattrs
+
+ reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
+ and uses it to iterate over all the attrs associated with a file to change
+ ownership of xattrs (and transfer quota associated with the xattr files).
+
+ When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
+ are passed to all the xattrs as well. This means that the xattr directory
+ will have S_IFREG added to its mode bits.
+
+ This has been prevented in practice by a missing IS_PRIVATE check
+ in reiserfs_acl_chmod, which caused a double-lock to occur while holding
+ the write lock. Since the file system was completely locked up, the
+ writeout of the corrupted mode never happened.
+
+ This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
+ calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
+
+ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/xattr.c | 14 +++++++++++++-
+ fs/reiserfs/xattr_acl.c | 3 +++
+ 2 files changed, 16 insertions(+), 1 deletions(-)
+
+commit c18cef940310c06bdf86d64d8cb227e56e165300
+Author: Dave Chinner <dchinner@redhat.com>
+Date: Mon May 27 16:38:25 2013 +1000
+
+ Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
+
+ xfs: kill suid/sgid through the truncate path.
+
+ XFS has failed to kill suid/sgid bits correctly when truncating
+ files of non-zero size since commit c4ed4243 ("xfs: split
+ xfs_setattr") introduced in the 3.1 kernel. Fix it.
+
+ Fix it.
+
+ cc: stable kernel <stable@vger.kernel.org>
+ Signed-off-by: Dave Chinner <dchinner@redhat.com>
+ Reviewed-by: Brian Foster <bfoster@redhat.com>
+ Signed-off-by: Ben Myers <bpm@sgi.com>
+
+ (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)
+
+ fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
+ 1 files changed, 32 insertions(+), 15 deletions(-)
+
+commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed May 29 15:36:40 2013 -0400
+
+ Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
+
+ NFSv4: Fix a thinko in nfs4_try_open_cached
+
+ We need to pass the full open mode flags to nfs_may_open() when doing
+ a delegated open.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: stable@vger.kernel.org
+
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c47de62893a9f269be0a272c2840aac1e2a35c68
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Thu May 30 01:18:43 2013 +0000
+
+ Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
+
+ parisc: kernel: using strlcpy() instead of strcpy()
+
+ 'boot_args' is an input args, and 'boot_command_line' has a fix length.
+ So use strlcpy() instead of strcpy() to avoid memory overflow.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Acked-by: Kyle McMartin <kyle@mcmartin.ca>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/kernel/setup.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit ce869e6f799f95fcac340420ba3612503df80dbf
+Author: Chen Gang <gang.chen@asianux.com>
+Date: Mon May 27 04:57:09 2013 +0000
+
+ Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
+
+ parisc: memory overflow, 'name' length is too short for using
+
+ 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6
+ * "%u:" + "%u" + '\0') may be 21.
+
+ Since 'name' length is 20, it may be memory overflow.
+
+ And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
+ max length of 'name' must be less than 28.
+
+ So simplify thinking, we can use 28 instead of 20 directly, and do not
+ think of whether 'patchc.bc[i]' can '> 100'.
+
+ Signed-off-by: Chen Gang <gang.chen@asianux.com>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/kernel/drivers.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5dc65cd34d442783118a17c518e2daedb90a31d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 4 17:52:23 2013 -0400
+
+ add PERF_HARDEN recommendation
+
+ grsecurity/Kconfig | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jun 4 17:22:44 2013 -0400
+
+ Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN
+
+ grsecurity/Kconfig | 19 +++++++++++++++++++
+ include/linux/perf_event.h | 5 +++++
+ kernel/events/core.c | 10 +++++++++-
+ kernel/sysctl.c | 9 ++++++++-
+ 4 files changed, 41 insertions(+), 2 deletions(-)
+
+commit 84619a3501fd38285a72d9e963f58d1827beedd6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 14:23:31 2013 -0400
+
+ remove user-triggerable BUG_ON in do_munlockall()
+
+ mm/mlock.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit f4bcf6087bd7b9a5b9c9021790396865c5362da0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 13:44:05 2013 -0400
+
+ Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
+
+ From: Kees Cook <keescook@chromium.org>
+ Date: Thu, 23 May 2013 17:32:17 +0000
+ Subject: iscsi-target: fix heap buffer overflow on error
+
+ If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+ error response packet, generated by iscsi_add_notunderstood_response(),
+ would still attempt to copy the entire key into the packet, overflowing
+ the structure on the heap.
+
+ Remote preauthentication kernel memory corruption was possible if a
+ target was configured and listening on the network.
+
+ CVE-2013-2850
+
+ Embargo-screwup-by: Kees Cook <keescook@chromium.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 13:43:26 2013 -0400
+
+ Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters"
+ Applying upstream fix instead
+
+ This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291.
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sun May 19 21:52:20 2013 +0300
+
+ Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431
+
+ USB: cxacru: potential underflow in cxacru_cm_get_array()
+
+ commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream.
+
+ The value of "offd" comes off the instance->rcv_buf[] and we used it as
+ the offset into an array. The problem is that we check the upper bound
+ but not for negative values.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+
+ drivers/usb/atm/cxacru.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jun 1 11:30:17 2013 -0400
+
+ Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters
+
+ drivers/target/iscsi/iscsi_target_parameters.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+commit 8578566969d91678a3d7d5251b4eafc6d7775314
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 30 17:44:15 2013 -0400
+
+ Apply compatibility fix to previous RLIMIT_NPROC change
+ don't enforce the rlimit check at exec time if the user is root
+ Prevents problems with sudo if root is listed as part of a group
+ in limits.conf with process limits enforced
+
+ kernel/sys.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7
+Merge: 643b294 ed9b427
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 19:19:28 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ed9b4276488528d0c3803df1dc0df804238241e0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 19:18:45 2013 -0400
+
+ Updated to pax-linux-3.9.4-test8.patch:
+ - fixed some fallout detected by the checker plugin
+
+ arch/x86/kernel/crash_dump_64.c | 2 +-
+ drivers/base/devtmpfs.c | 6 +++---
+ drivers/char/agp/compat_ioctl.c | 2 +-
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/mem.c | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++--
+ drivers/i2c/i2c-dev.c | 2 +-
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++---
+ drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++--------
+ fs/9p/vfs_addr.c | 2 +-
+ fs/binfmt_elf.c | 4 ++--
+ fs/compat_ioctl.c | 4 ++--
+ fs/exec.c | 2 +-
+ fs/namespace.c | 8 ++++----
+ fs/proc/vmcore.c | 12 ++++++++----
+ fs/read_write.c | 2 +-
+ include/linux/syscalls.h | 8 ++++----
+ init/do_mounts_initrd.c | 8 ++++----
+ init/main.c | 4 ++--
+ kernel/events/core.c | 2 +-
+ kernel/events/internal.h | 10 +++++-----
+ mm/page_io.c | 2 +-
+ security/keys/internal.h | 2 +-
+ tools/gcc/checker_plugin.c | 1 +
+ 24 files changed, 63 insertions(+), 54 deletions(-)
+
+commit 643b294b41c6adcad1cf107efe4ae52a834e6f15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 18:51:31 2013 -0400
+
+ eliminate gcc warning
+
+ fs/exec.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 18:30:20 2013 -0400
+
+ use BUILD_BUG() instead of BUILD_BUG_ON(1)
+
+ arch/x86/net/bpf_jit_comp.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 5343410354267368e5809f3ad8d9a264f141be18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 29 17:57:41 2013 -0400
+
+ defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON
+ for unknown opcodes
+
+ arch/x86/net/bpf_jit_comp.c | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d
+Author: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+Date: Fri May 24 15:55:11 2013 -0700
+
+ Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83
+
+ mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
+
+ Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and
+ multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier:
+ fix freed page still mapped in secondary MMU").
+
+ Since hlist_for_each_entry_rcu() is changed now, we can not revert that
+ patch directly, so this patch reverts the commit and simply fix the bug
+ spotted by that patch
+
+ This bug spotted by commit 751efd8610d3 is:
+
+ There is a race condition between mmu_notifier_unregister() and
+ __mmu_notifier_release().
+
+ Assume two tasks, one calling mmu_notifier_unregister() as a result
+ of a filp_close() ->flush() callout (task A), and the other calling
+ mmu_notifier_release() from an mmput() (task B).
+
+ A B
+ t1 srcu_read_lock()
+ t2 if (!hlist_unhashed())
+ t3 srcu_read_unlock()
+ t4 srcu_read_lock()
+ t5 hlist_del_init_rcu()
+ t6 synchronize_srcu()
+ t7 srcu_read_unlock()
+ t8 hlist_del_rcu() <--- NULL pointer deref.
+
+ This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu.
+
+ The another issue spotted in the commit is "multiple ->release()
+ callouts", we needn't care it too much because it is really rare (e.g,
+ can not happen on kvm since mmu-notify is unregistered after
+ exit_mmap()) and the later call of multiple ->release should be fast
+ since all the pages have already been released by the first call.
+ Anyway, this issue should be fixed in a separate patch.
+
+ -stable suggestions: Any version that has commit 751efd8610d3 need to be
+ backported. I find the oldest version has this commit is 3.0-stable.
+
+ [akpm@linux-foundation.org: tweak comments]
+ Signed-off-by: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+ Tested-by: Robin Holt <holt@sgi.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++---------------------------
+ 1 files changed, 39 insertions(+), 40 deletions(-)
+
+commit 163a5539b36247865d39b2bcfa8efc03a62124a6
+Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Date: Fri May 24 15:55:21 2013 -0700
+
+ Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
+
+ mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
+
+ We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
+ set_pmd_at is used to set pmd with huge pte entries and architectures
+ like ppc64, clear few flags from the pte when saving a new entry.
+ Without this change we observe bad pte errors like below on ppc64 with
+ THP enabled.
+
+ BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
+
+ Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+ Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/huge_memory.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+commit 3e54faf888d324d5f362dcba16173ea7bba61e8a
+Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Fri May 24 15:55:08 2013 -0700
+
+ Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
+
+ fat: fix possible overflow for fat_clusters
+
+ Intermediate value of fat_clusters can be overflowed on 32bits arch.
+
+ Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
+ Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/fat/inode.c | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d
+Author: Jarod Wilson <jarod@redhat.com>
+Date: Fri May 24 15:55:31 2013 -0700
+
+ Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
+
+ drivers/char/random.c: fix priming of last_data
+
+ Commit ec8f02da9ea5 ("random: prime last_data value per fips
+ requirements") added priming of last_data per fips requirements.
+
+ Unfortuantely, it did so in a way that can lead to multiple threads all
+ incrementing nbytes, but only one actually doing anything with the extra
+ data, which leads to some fun random corruption and panics.
+
+ The fix is to simply do everything needed to prime last_data in a single
+ shot, so there's no window for multiple cpus to increment nbytes -- in
+ fact, we won't even increment or decrement nbytes anymore, we'll just
+ extract the needed EXTRACT_SIZE one time per pool and then carry on with
+ the normal routine.
+
+ All these changes have been tested across multiple hosts and
+ architectures where panics were previously encoutered. The code changes
+ are are strictly limited to areas only touched when when booted in fips
+ mode.
+
+ This change should also go into 3.8-stable, to make the myriads of fips
+ users on 3.8.x happy.
+
+ Signed-off-by: Jarod Wilson <jarod@redhat.com>
+ Tested-by: Jan Stancek <jstancek@redhat.com>
+ Tested-by: Jan Stodola <jstodola@redhat.com>
+ Cc: Herbert Xu <herbert@gondor.apana.org.au>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Cc: Matt Mackall <mpm@selenic.com>
+ Cc: "Theodore Ts'o" <tytso@mit.edu>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/char/random.c | 30 +++++++++++++++---------------
+ 1 files changed, 15 insertions(+), 15 deletions(-)
+
+commit 2d74639040ba6ce47f57ec010714ec06529c4b42
+Author: Jiri Kosina <jkosina@suse.cz>
+Date: Fri May 24 15:55:33 2013 -0700
+
+ Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
+
+ random: fix accounting race condition with lockless irq entropy_count update
+
+ Commit 902c098a3663 ("random: use lockless techniques in the interrupt
+ path") turned IRQ path from being spinlock protected into lockless
+ cmpxchg-retry update.
+
+ That commit removed r->lock serialization between crediting entropy bits
+ from IRQ context and accounting when extracting entropy on userspace
+ read path, but didn't turn the r->entropy_count reads/updates in
+ account() to use cmpxchg as well.
+
+ It has been observed, that under certain circumstances this leads to
+ read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
+ corrupted and becomes negative, which in turn results in propagating 0
+ all the way from account() to the actual read() call.
+
+ Convert the accounting code to be the proper lockless counterpart of
+ what has been partially done by 902c098a3663.
+
+ Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+ Cc: Theodore Ts'o <tytso@mit.edu>
+ Cc: Greg KH <greg@kroah.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/char/random.c | 26 +++++++++++++++++---------
+ 1 files changed, 17 insertions(+), 9 deletions(-)
+
+commit 65d05c7ea468c23c175105526dd4f163302a92cf
+Merge: 1a98d0a 6ce3a135
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 25 07:48:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/vm86_32.c
+
+commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166
+Merge: 79bdd65 0bfd8ff
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 25 07:46:55 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 18:42:23 2013 -0400
+
+ use existing local variable
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b2b80ef8586061e32e986b31608717c25d1e7c54
+Merge: cb45fbd 79bdd65
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 17:58:53 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 79bdd65dac68267bc1b201c6b4a99966a373c305
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 23 17:57:46 2013 -0400
+
+ Update to pax-linux-3.9.3-test7.patch:
+ - fixed some size overflow related warnings (hash table, attributes)
+ - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html
+
+ arch/x86/include/asm/page_64.h | 2 +-
+ arch/x86/kernel/head64.c | 2 +-
+ tools/gcc/constify_plugin.c | 48 ++-
+ tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------
+ 4 files changed, 651 insertions(+), 592 deletions(-)
+
+commit cb45fbda4967b1b544a754fbdc92d73283379522
+Merge: 62588fa 57c11b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 20 17:32:17 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 57c11b85acd841a088aa4df8e60be337880df8cd
+Merge: 0598b37 4bb0869
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 20 17:32:08 2013 -0400
+
+ Merge branch 'linux-3.9.y' into pax-test
+
+commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53
+Merge: e261c7b 0598b37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 17 22:57:36 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0598b3778624dbc6c3887af025c040dbd6e92ba5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 17 22:57:07 2013 -0400
+
+ Update to pax-linux-3.9.2-test6.patch:
+ - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
+ - fixed pfn extraction from pud/pgd entries, reported by ousado
+
+ arch/x86/include/asm/pgtable.h | 9 +++++++--
+ tools/gcc/structleak_plugin.c | 3 ++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+commit e261c7bc611e9127bbb7bd95cddd51524bf255ae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 22:54:12 2013 -0400
+
+ add offset to topdown check, fixes compilation
+
+ arch/x86/kernel/sys_x86_64.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 455c5ed5279cf546f5d5c3844fb16f17300b2219
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:57:41 2013 -0400
+
+ CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY,
+ reported by lulzh3ad on irc
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0d4593e84707cdf6deb6b925c18c676a476b1613
+Merge: 43cd0c0 39a877f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:39:11 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 39a877f192ed305d88edac10a14a9e8e1e161f3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:37:35 2013 -0400
+
+ Update to pax-linux-3.9.2-test105.patch:
+ - fixed !EFI boot problem, reported by spender
+ - fixed a few compile warnings
+ - fixed some more compile errors due to constification
+ - fixed some arm fallout, reported by Michael Tremer
+
+ arch/arm/include/asm/psci.h | 2 +-
+ arch/arm/kernel/psci.c | 2 +-
+ arch/x86/kernel/sys_x86_64.c | 3 +--
+ arch/x86/realmode/init.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 10 +++++-----
+ drivers/irqchip/irq-gic.c | 2 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++---
+ drivers/platform/x86/chromeos_laptop.c | 2 +-
+ fs/jfs/super.c | 4 ++--
+ include/linux/irqchip/arm-gic.h | 2 ++
+ include/sound/compress_driver.h | 2 +-
+ net/mac80211/cfg.c | 4 ++--
+ sound/soc/fsl/fsl_ssi.c | 2 +-
+ 14 files changed, 31 insertions(+), 22 deletions(-)
+
+commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 16 20:35:22 2013 -0400
+
+ Fix usercopy false positive under gcc 4.1
+
+ arch/x86/kernel/signal.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+commit 56a166129d817f6634c8c230e6ec497669bdfaca
+Author: Amerigo Wang <amwang@redhat.com>
+Date: Thu May 9 21:56:37 2013 +0000
+
+ Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f
+
+ ipv6,gre: do not leak info to user-space
+
+ There is a hole in struct ip6_tnl_parm2, so we have to
+ zero the struct on stack before copying it to user-space.
+
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_gre.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit d6f50dae2653ad912952da40417a8ccbd59c7699
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 14 16:52:35 2013 -0400
+
+ disable unprivileged kernel profiling under HIDESYM, rename
+ the variable to something more appropriate
+
+ include/linux/perf_event.h | 8 ++++----
+ kernel/events/core.c | 6 +++++-
+ kernel/sysctl.c | 4 ++--
+ 3 files changed, 11 insertions(+), 7 deletions(-)
+
+commit 01322c6951bed4eedefbd2178dbd99292b365d99
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 17:19:57 2013 -0400
+
+ mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its
+ existing stack-heap gap code for the new unified vm_unmapped_area
+
+ grsecurity/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 15:40:32 2013 -0400
+
+ fix NX fault on early boot
+
+ arch/x86/realmode/init.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:48:13 2013 -0400
+
+ compile fix, we weren't using %pa anyway and it's now being used
+ by upstream for physical address printing
+
+ lib/vsprintf.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:39:52 2013 -0400
+
+ compile fix
+
+ grsecurity/grsec_chroot.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:35:36 2013 -0400
+
+ compile fixes
+
+ grsecurity/grsec_chroot.c | 2 +-
+ include/linux/grinternal.h | 8 ++++----
+ include/linux/grsecurity.h | 4 ++--
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+commit f92047409f0a843ec0b44033ca4c37e539f9a1d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:27:18 2013 -0400
+
+ compile fix
+
+ fs/exec.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 10:23:17 2013 -0400
+
+ Initial port of grsecurity for 3.9.2
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 8 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 29 +-
+ arch/arm/mm/mmap.c | 8 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 4 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 2 +
+ arch/ia64/mm/hugetlbpage.c | 2 +
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/metag/mm/hugetlbpage.c | 1 +
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 4 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 17 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/thread_info.h | 8 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/powerpc/mm/slice.c | 8 +-
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 8 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 8 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/tile/mm/hugetlbpage.c | 2 +
+ arch/um/defconfig | 1 -
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/Kconfig.debug | 2 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 14 +-
+ arch/x86/kernel/sys_x86_64.c | 6 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 15 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 126 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 9 +
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/usb/storage/realtek_cr.c | 2 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 8 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 20 +-
+ fs/coredump.c | 10 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 181 +-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 4 +
+ fs/fs_struct.c | 13 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 241 ++-
+ fs/namespace.c | 24 +
+ fs/open.c | 38 +
+ fs/pipe.c | 2 +-
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 +-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 17 +
+ fs/proc/internal.h | 3 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ grsecurity/Kconfig | 1031 +++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4073 ++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 +++
+ grsecurity/gracl_ip.c | 387 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 305 ++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 370 ++
+ grsecurity/grsec_disabled.c | 434 +++
+ grsecurity/grsec_exec.c | 187 +
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 ++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 326 ++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 222 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 +++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/gracl.h | 319 ++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 +
+ include/linux/grinternal.h | 215 +
+ include/linux/grmsg.h | 111 +
+ include/linux/grsecurity.h | 242 ++
+ include/linux/grsock.h | 19 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/mm.h | 1 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/printk.h | 3 +-
+ include/linux/proc_fs.h | 12 +
+ include/linux/sched.h | 68 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/skbuff.h | 3 +
+ include/linux/slab.h | 9 -
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/uidgid.h | 5 +
+ include/linux/vermagic.h | 9 +-
+ include/net/secure_seq.h | 1 +
+ include/trace/events/fs.h | 53 +
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 3 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 110 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 41 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 71 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 81 +-
+ kernel/panic.c | 4 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 8 +
+ kernel/printk.c | 13 +-
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 45 +-
+ kernel/sysctl.c | 39 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 3 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ lib/vsprintf.c | 35 +-
+ localversion-grsec | 1 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 64 +-
+ mm/mprotect.c | 8 +
+ mm/process_vm_access.c | 6 +
+ mm/shmem.c | 2 +-
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/8021q/vlan.c | 7 +
+ net/core/dev_ioctl.c | 4 +
+ net/core/net-procfs.c | 5 +
+ net/core/secure_seq.c | 4 +-
+ net/core/sock_diag.c | 7 +
+ net/ipv4/af_inet.c | 5 +-
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 7 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netfilter/xt_gradm.c | 51 +
+ net/netrom/af_netrom.c | 2 +-
+ net/phonet/af_phonet.c | 2 +-
+ net/sctp/probe.c | 2 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 66 +-
+ net/sysctl_net.c | 2 +-
+ net/tipc/link.c | 11 +-
+ net/unix/af_unix.c | 31 +-
+ security/Kconfig | 342 ++-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/tomoyo/mount.c | 4 +
+ security/yama/Kconfig | 2 +-
+ 291 files changed, 15221 insertions(+), 2052 deletions(-)
+
+commit 88854c350c899bceca4a94598c42bed44d0dc91b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon May 13 07:37:47 2013 -0400
+
+ Initial import of pax-linux-3.9.2-test2.patch
+
+ Documentation/dontdiff | 45 +-
+ Documentation/kernel-parameters.txt | 12 +
+ Makefile | 100 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 8 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 421 ++-
+ arch/arm/include/asm/cache.h | 5 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 2 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 6 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/patch.c | 2 +
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 15 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 15 +-
+ arch/arm/kernel/vmlinux.lds.S | 22 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/gpmc.c | 22 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_device.c | 4 +-
+ arch/arm/mach-omap2/omap_device.h | 4 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-ux500/include/mach/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 91 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 36 +-
+ arch/arm/mm/mmu.c | 187 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 3 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 26 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 7 +
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 9 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/powerpc/include/asm/uaccess.h | 140 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 23 +-
+ arch/powerpc/platforms/cell/spufs/file.c | 4 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 1 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/kernel/us3_cpufreq.c | 69 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 ++
+ arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 6 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 8 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 21 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 2 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 6 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 ++-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 +-
+ arch/x86/include/asm/bitops.h | 4 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 67 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/nmi.h | 6 +-
+ arch/x86/include/asm/page_64.h | 2 +-
+ arch/x86/include/asm/paravirt.h | 46 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 113 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 63 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 ++-
+ arch/x86/kernel/entry_64.S | 530 ++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head64.c | 1 -
+ arch/x86/kernel/head_32.S | 237 +-
+ arch/x86/kernel/head_64.S | 120 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 10 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 8 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes/core.c | 30 +-
+ arch/x86/kernel/kprobes/opt.c | 16 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 19 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/kernel/process.c | 57 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 4 +-
+ arch/x86/kernel/setup.c | 19 +-
+ arch/x86/kernel/setup_percpu.c | 29 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 248 +
+ arch/x86/kernel/sys_x86_64.c | 19 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 57 +-
+ arch/x86/kvm/x86.c | 10 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 70 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 376 +-
+ arch/x86/lib/usercopy_64.c | 25 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 556 ++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 90 +-
+ arch/x86/mm/init_32.c | 119 +-
+ arch/x86/mm/init_64.c | 44 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 15 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/physaddr.c | 4 +-
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/irq.c | 8 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 19 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 4 +-
+ arch/x86/realmode/init.c | 8 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/relocs.c | 95 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/devtmpfs.c | 2 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/power/domain.c | 4 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 22 +-
+ drivers/block/loop.c | 2 +-
+ drivers/block/pktcdvd.c | 2 +-
+ drivers/cdrom/cdrom.c | 9 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 41 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 10 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clocksource/arm_arch_timer.c | 2 +-
+ drivers/clocksource/metag_generic.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 +-
+ drivers/cpufreq/cpufreq.c | 9 +-
+ drivers/cpufreq/cpufreq_governor.c | 4 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_pci_sysfs.c | 22 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-cdev.c | 3 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efivars.c | 4 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 6 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 13 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 37 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/iommu/irq_remapping.c | 10 +-
+ drivers/irqchip/irq-gic.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/pci/cx88/cx88-video.c | 6 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/devices/doc2000.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 18 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 7 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/iio/iio_hwmon.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/message.c | 2 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 5 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 +-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 36 +-
+ drivers/video/uvesafb.c | 53 +-
+ drivers/video/vesafb.c | 58 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 11 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 605 +++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 8 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/ecryptfs/read_write.c | 2 +-
+ fs/exec.c | 362 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/ext4/super.c | 2 +-
+ fs/fhandle.c | 3 +-
+ fs/fifo.c | 22 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 2 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 6 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 2 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nfsd/nfscache.c | 8 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 33 +-
+ fs/proc/array.c | 20 +
+ fs/proc/base.c | 4 +-
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 36 +-
+ fs/sysfs/bin.c | 6 +-
+ fs/sysfs/dir.c | 2 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ fs/xattr.c | 21 +
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 +
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 17 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 4 +-
+ include/linux/binfmts.h | 3 +-
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/compat.h | 6 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 65 +-
+ include/linux/completion.h | 6 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/err.h | 4 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/ftrace_event.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/ioport.h | 2 +-
+ include/linux/irq.h | 3 +-
+ include/linux/irqchip/arm-gic.h | 2 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 3 +-
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 15 +
+ include/linux/math64.h | 6 +-
+ include/linux/mm.h | 110 +-
+ include/linux/mm_types.h | 20 +
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 6 +-
+ include/linux/module.h | 60 +-
+ include/linux/moduleloader.h | 16 +
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/net.h | 2 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/perf_event.h | 12 +-
+ include/linux/pipe_fs_i.h | 6 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/platform_data/usb-exynos.h | 2 +-
+ include/linux/pm_domain.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/proc_fs.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/rculist.h | 16 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 67 +-
+ include/linux/sched/sysctl.h | 1 +
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 36 +-
+ include/linux/slab_def.h | 33 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 10 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/addr.h | 8 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscalls.h | 2 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 3 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 24 +-
+ include/linux/usb.h | 4 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/linux/xattr.h | 5 +-
+ include/linux/zlib.h | 3 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-ioctl.h | 1 -
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/gro_cells.h | 2 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 8 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 12 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 8 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 22 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 40 +-
+ init/main.c | 77 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 40 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 28 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/futex_compat.c | 2 +-
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/irq_work.c | 7 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 4 +-
+ kernel/kprobes.c | 8 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 337 +-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 7 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 20 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 8 +-
+ kernel/rcupdate.c | 4 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 68 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 20 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 51 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 18 +-
+ kernel/srcu.c | 4 +-
+ kernel/sys.c | 10 +-
+ kernel/sysctl.c | 39 +-
+ kernel/time.c | 2 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 6 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 20 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 8 +-
+ kernel/trace/trace.h | 2 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ kernel/user_namespace.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ lib/Kconfig.debug | 6 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/div64.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 126 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/swiotlb.c | 2 +-
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 70 +-
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 26 +-
+ mm/memory.c | 424 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 16 +-
+ mm/mmap.c | 576 ++-
+ mm/mprotect.c | 139 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 21 +-
+ mm/page-writeback.c | 4 +-
+ mm/page_alloc.c | 41 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 105 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 11 +-
+ mm/slob.c | 201 +-
+ mm/slub.c | 99 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 82 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/mod.c | 4 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 13 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 18 +-
+ net/decnet/af_decnet.c | 1 +
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/devinet.c | 14 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 15 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 18 +-
+ net/ipv4/sysctl_net_ipv4.c | 45 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv4/xfrm4_policy.c | 14 +-
+ net/ipv6/addrconf.c | 6 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 8 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/reassembly.c | 13 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/ipv6/udp.c | 8 +-
+ net/ipv6/xfrm6_policy.c | 13 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 8 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 14 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 2 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 14 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/rds.h | 2 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/socket.c | 21 +-
+ net/sctp/sysctl.c | 4 +-
+ net/socket.c | 18 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 27 +-
+ net/xfrm/xfrm_state.c | 29 +-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/headers_install.pl | 1 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/package/builddeb | 1 +
+ scripts/pnmtologo.c | 6 +-
+ scripts/sortextable.h | 6 +-
+ security/Kconfig | 675 +++-
+ security/apparmor/lsm.c | 2 +-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/key.c | 18 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ security/yama/yama_lsm.c | 22 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 45 +
+ tools/gcc/checker_plugin.c | 171 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 518 ++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 ++
+ tools/gcc/latent_entropy_plugin.c | 327 ++
+ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 2114 ++++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/gcc/structleak_plugin.c | 276 +
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ tools/perf/util/include/linux/compiler.h | 8 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1555 files changed, 30474 insertions(+), 7126 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7
+Merge: 814820a 3a59a59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:51:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:50:07 2013 -0400
+
+ Update to pax-linux-3.8.13-test24.patch:
+ - fixed sparc/constification compile error, reported by blake
+ - UDEREF/amd64 should be a bit more efficient when disabled at boot time
+ - fixed some unnecessary integer truncations that could trip up the size overflow plugin
+
+ arch/arm/kernel/vmlinux.lds.S | 4 ++--
+ arch/sparc/kernel/us3_cpufreq.c | 4 ++--
+ arch/x86/ia32/ia32entry.S | 4 ++--
+ arch/x86/include/asm/pgtable.h | 6 ++++--
+ arch/x86/include/asm/uaccess.h | 6 +++---
+ arch/x86/kernel/kprobes-opt.c | 4 ++++
+ arch/x86/lib/copy_user_nocache_64.S | 2 +-
+ arch/x86/lib/getuser.S | 8 ++++----
+ arch/x86/lib/putuser.S | 8 ++++----
+ arch/x86/mm/fault.c | 6 +++---
+ drivers/net/slip/slhc.c | 2 +-
+ drivers/staging/iio/ring_sw.c | 2 +-
+ fs/binfmt_elf.c | 6 +++---
+ fs/nfsd/nfscache.c | 2 +-
+ fs/xattr.c | 21 +++++++++++++++++++++
+ include/linux/syscalls.h | 2 +-
+ include/linux/xattr.h | 3 +++
+ init/main.c | 3 +++
+ kernel/futex_compat.c | 2 +-
+ kernel/trace/trace.h | 2 +-
+ net/socket.c | 2 +-
+ security/Kconfig | 2 +-
+ 22 files changed, 67 insertions(+), 34 deletions(-)
+
+commit 814820abfe5b9a34401d838b2510431a4cd92be9
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon May 6 09:31:17 2013 +0000
+
+ Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
+
+ tipc: potential divide by zero in tipc_link_recv_fragment()
+
+ The worry here is that fragm_sz could be zero since it comes from
+ skb->data.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/tipc/link.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon May 6 08:28:41 2013 +0000
+
+ Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
+
+ tipc: add a bounds check in link_recv_changeover_msg()
+
+ The bearer_id here comes from skb->data and it can be a number from 0 to
+ 7. The problem is that the ->links[] array has only 2 elements so I
+ have added a range check.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/tipc/link.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit ed0428c4ef6c5498870772f212ac651216eb8d0c
+Merge: 2452d8d dbf932a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 21:18:25 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c
+ arch/x86/mm/init.c
+
+commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 20:24:01 2013 -0400
+
+ compile fix
+
+ grsecurity/gracl.c | 1 +
+ grsecurity/gracl_segv.c | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 18:25:26 2013 -0400
+
+ fix btrfs support here as well
+
+ grsecurity/gracl_segv.c | 17 +++++++++--------
+ 1 files changed, 9 insertions(+), 8 deletions(-)
+
+commit c75e4664fe4d20da1639f70d9def097c4f20856b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun May 12 18:12:57 2013 -0400
+
+ Fix RBAC compatibility with btrfs compiled as a module, as
+ reported on the forums by YuHg at:
+ http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952
+
+ fs/btrfs/inode.c | 11 +----------
+ grsecurity/gracl.c | 19 ++++++++++---------
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_disabled.c | 2 +-
+ 4 files changed, 13 insertions(+), 21 deletions(-)
+
+commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat May 11 12:12:00 2013 -0400
+
+ allow copies just up to the start of kernel code
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 04638852588cf243f865f5a73aa9dab94fab53b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 10 16:53:07 2013 -0400
+
+ MODULES_EXEC_VADDR is a virtual address
+
+ fs/exec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri May 10 16:51:03 2013 -0400
+
+ exempt module rx areas from usercopy protection under i386 kernexec
+ their .rodata will be placed between stext/etext causing copies of
+ constant strings to trigger usercopy reports/terminations
+
+ fs/exec.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 20:25:52 2013 -0400
+
+ User jorgus on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
+ discovered that the upstreamed version of enforcing RLIMIT_NPROC
+ at setuid/exec time missed an important corner case:
+ If RLIMIT_NPROC is set after a setuid occurs and the user's process
+ limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
+ happen at exec time for the task with a modified RLIMIT_NPROC.
+
+ This patch fixes that.
+
+ kernel/sys.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff
+Merge: 539fff0 2452d8d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 18:13:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a
+Merge: 6c850d8 9c9ab76
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 8 18:13:31 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/irq.c
+ kernel/trace/trace_stack.c
+
+commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 7 21:43:00 2013 -0400
+
+ turn counter into a flag
+
+ grsecurity/Kconfig | 2 +-
+ grsecurity/grsec_chroot.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 3da48c0f89377e1ef76470d4b19f19df793fdf32
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue May 7 21:02:39 2013 -0400
+
+ add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
+ useful for Fedora/RHEL users
+
+ grsecurity/Kconfig | 10 ++++++++++
+ grsecurity/grsec_chroot.c | 17 +++++++++++++++--
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+commit 418102925c0cfb0de51b0a021abaa575e28fafa6
+Author: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Date: Fri May 3 14:11:25 2013 +0200
+
+ Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717
+
+ perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL
+
+ We should always have proper privileges when requesting kernel
+ data.
+
+ Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Cc: <stable@kernel.org>
+ Cc: Andi Kleen <ak@linux.intel.com>
+ Cc: eranian@google.com
+ Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl
+ [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ]
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+ Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org
+
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++---
+ 1 files changed, 10 insertions(+), 3 deletions(-)
+
+commit f9e1af27cca1722a4c6a801000b5b3b5410401a2
+Author: Eric Dumazet <edumazet@google.com>
+Date: Mon Apr 29 05:58:52 2013 +0000
+
+ Upstream commit: aebda156a570782a86fc4426842152237a19427d
+
+ net: defer net_secret[] initialization
+
+ Instead of feeding net_secret[] at boot time, defer the init
+ at the point first socket is created.
+
+ This permits some platforms to use better entropy sources than
+ the ones available at boot time.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/secure_seq.h | 1 +
+ net/core/secure_seq.c | 4 +---
+ net/ipv4/af_inet.c | 5 ++++-
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac
+Author: Daniel Borkmann <dborkman@redhat.com>
+Date: Wed May 1 02:59:23 2013 +0000
+
+ Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
+
+ net: sctp: attribute printl with __printf for gcc fmt checks
+
+ Let GCC check for format string errors in sctp's probe printl
+ function. This patch fixes the warning when compiled with W=1:
+
+ net/sctp/probe.c:73:2: warning: function might be possible candidate
+ for 'gnu_printf' format attribute [-Wmissing-format-attribute]
+
+ Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/probe.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 81b98190c66a90f0ed2de4560f542b1dea7664f2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 2 19:58:54 2013 -0400
+
+ remove no-longer-needed vmware 8 compat fix
+
+ mm/page_alloc.c | 6 ------
+ 1 files changed, 0 insertions(+), 6 deletions(-)
+
+commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu May 2 19:55:23 2013 -0400
+
+ remove unnecessary < 0 check
+
+ net/phonet/af_phonet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:30:48 2013 -0400
+
+ remove references to CONFIG_X86_WP_WORKS_OK
+
+ arch/um/defconfig | 1 -
+ security/Kconfig | 2 +-
+ 2 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 408da6791f93ffe00d26bfe919f1b2218fe0804d
+Merge: a8dbe8e 6c850d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:28:44 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/mm/ultra.S
+ drivers/tty/tty_io.c
+
+commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf
+Merge: cdbcbef 9fa1d01
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed May 1 18:25:18 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:44:23 2013 -0400
+
+ add module.h to silence compiler warning, thanks to
+ Sergei Trofimovich
+
+ fs/btrfs/inode.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 55eba82aca97aa56378e000840c48965557721e8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:43:03 2013 -0400
+
+ compilation fix
+
+ kernel/trace/trace.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e3bf912b54af6df7fbebc68b5999554562056c5c
+Merge: 5b72e37 cdbcbef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:34:42 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit cdbcbef45c4f003cbee11e10668a35d424c17c60
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 29 18:33:35 2013 -0400
+
+ Update to pax-linux-3.8.10-test21.patch:
+ - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
+ - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
+ note that the false positive is not fixed yet
+ - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
+ - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)
+ - reverted the nested NMI fix in search for a real one
+ - simplified the arm_delay_ops constification
+
+ arch/arm/include/asm/delay.h | 8 ++++----
+ arch/arm/lib/delay.c | 17 +++++------------
+ arch/x86/kernel/entry_64.S | 11 ++++++++++-
+ arch/x86/kernel/i8259.c | 2 +-
+ arch/x86/kernel/pci-calgary_64.c | 2 +-
+ arch/x86/kvm/vmx.c | 4 ++--
+ drivers/block/pktcdvd.c | 2 +-
+ fs/btrfs/extent-tree.c | 2 +-
+ fs/nfsd/nfscache.c | 6 ++++--
+ kernel/trace/trace.c | 2 +-
+ tools/gcc/structleak_plugin.c | 4 ++++
+ 11 files changed, 34 insertions(+), 26 deletions(-)
+
+commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 20:53:06 2013 -0400
+
+ don't use file_inode()
+
+ drivers/tty/tty_io.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946
+Author: Jiri Slaby <jslaby@suse.cz>
+Date: Fri Apr 26 13:48:53 2013 +0200
+
+ Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee
+
+ TTY: fix atime/mtime regression
+
+ In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
+ we removed timestamps from tty inodes to fix a security issue and waited
+ if something breaks. Well, 'w', the utility to find out logged users
+ and their inactivity time broke. It shows that users are inactive since
+ the time they logged in.
+
+ To revert to the old behaviour while still preventing attackers to
+ guess the password length, we update the timestamps in one-minute
+ intervals by this patch.
+
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ drivers/tty/tty_io.c
+
+ drivers/tty/tty_io.c | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec
+Author: Jiri Slaby <jslaby@suse.cz>
+Date: Fri Feb 15 15:25:05 2013 +0100
+
+ Upstream commit: b0de59b5733d
+
+ TTY: do not update atime/mtime on read/write
+
+ On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
+ out length of a password using timestamps of /dev/ptmx. It is
+ documented in "Timing Analysis of Keystrokes and Timing Attacks on
+ SSH". To avoid that problem, do not update time when reading
+ from/writing to a TTY.
+
+ I am afraid of regressions as this is a behavior we have since 0.97
+ and apps may expect the time to be current, e.g. for monitoring
+ whether there was a change on the TTY. Now, there is no change. So
+ this would better have a lot of testing before it goes upstream.
+
+ References: CVE-2013-0160
+
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+ Cc: stable <stable@vger.kernel.org> # after 3.9 is out
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/tty_io.c | 8 ++------
+ 1 files changed, 2 insertions(+), 6 deletions(-)
+
+commit 5344a24e2320d61dbdb88aae04922f0799deefd0
+Author: Zhao Hongjiang <zhaohongjiang@huawei.com>
+Date: Fri Apr 26 11:03:53 2013 +0800
+
+ Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad
+
+ aio: fix possible invalid memory access when DEBUG is enabled
+
+ dprintk() shouldn't access @ring after it's unmapped.
+
+ Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/aio.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 786841cb279bbd8e458d67e112a1d01a3d4598a7
+Author: John David Anglin <dave.anglin@bell.net>
+Date: Tue Apr 23 22:42:07 2013 +0200
+
+ Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
+
+ parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
+
+ User applications running on SMP kernels have long suffered from instability
+ and random segmentation faults. This patch improves the situation although
+ there is more work to be done.
+
+ One of the problems is the various routines in pgtable.h that update page table
+ entries use different locking mechanisms, or no lock at all (set_pte_at). This
+ change modifies the routines to all use the same lock pa_dbit_lock. This lock
+ is used for dirty bit updates in the interruption code. The patch also purges
+ the TLB entries associated with the PTE to ensure that inconsistent values are
+ not used after the page table entry is updated. The UP and SMP code are now
+ identical.
+
+ The change also includes a minor update to the purge_tlb_entries function in
+ cache.c to improve its efficiency.
+
+ Signed-off-by: John David Anglin <dave.anglin@bell.net>
+ Cc: Helge Deller <deller@gmx.de>
+ Signed-off-by: Helge Deller <deller@gmx.de>
+
+ arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++-----------------
+ arch/parisc/kernel/cache.c | 5 +---
+ 2 files changed, 26 insertions(+), 26 deletions(-)
+
+commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1
+Merge: ba54c97 4d05084
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 18:17:20 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kvm/x86.c
+ include/linux/capability.h
+
+commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21
+Merge: c664779 bb8dd67
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 26 18:15:45 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2
+Author: David S. Miller <davem@davemloft.net>
+Date: Wed Apr 24 16:52:18 2013 -0700
+
+ Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee
+
+ sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching.
+
+ Reported-by: Meelis Roos <mroos@linux.ee>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/sparc/mm/tlb.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8
+Author: David S. Miller <davem@davemloft.net>
+Date: Fri Apr 19 17:26:26 2013 -0400
+
+ Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847
+
+ sparc64: Fix race in TLB batch processing.
+
+ As reported by Dave Kleikamp, when we emit cross calls to do batched
+ TLB flush processing we have a race because we do not synchronize on
+ the sibling cpus completing the cross call.
+
+ So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.)
+ and either flushes are missed or flushes will flush the wrong
+ addresses.
+
+ Fix this by using generic infrastructure to synchonize on the
+ completion of the cross call.
+
+ This first required getting the flush_tlb_pending() call out from
+ switch_to() which operates with locks held and interrupts disabled.
+ The problem is that smp_call_function_many() cannot be invoked with
+ IRQs disabled and this is explicitly checked for with WARN_ON_ONCE().
+
+ We get the batch processing outside of locked IRQ disabled sections by
+ using some ideas from the powerpc port. Namely, we only batch inside
+ of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a
+ region, we flush TLBs synchronously.
+
+ 1) Get rid of xcall_flush_tlb_pending and per-cpu type
+ implementations.
+
+ 2) Do TLB batch cross calls instead via:
+
+ smp_call_function_many()
+ tlb_pending_func()
+ __flush_tlb_pending()
+
+ 3) Batch only in lazy mmu sequences:
+
+ a) Add 'active' member to struct tlb_batch
+ b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE
+ c) Set 'active' in arch_enter_lazy_mmu_mode()
+ d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode()
+ e) Check 'active' in tlb_batch_add_one() and do a synchronous
+ flush if it's clear.
+
+ 4) Add infrastructure for synchronous TLB page flushes.
+
+ a) Implement __flush_tlb_page and per-cpu variants, patch
+ as needed.
+ b) Likewise for xcall_flush_tlb_page.
+ c) Implement smp_flush_tlb_page() to invoke the cross-call.
+ d) Wire up global_flush_tlb_page() to the right routine based
+ upon CONFIG_SMP
+
+ 5) It turns out that singleton batches are very common, 2 out of every
+ 3 batch flushes have only a single entry in them.
+
+ The batch flush waiting is very expensive, both because of the poll
+ on sibling cpu completeion, as well as because passing the tlb batch
+ pointer to the sibling cpus invokes a shared memory dereference.
+
+ Therefore, in flush_tlb_pending(), if there is only one entry in
+ the batch perform a completely asynchronous global_flush_tlb_page()
+ instead.
+
+ Reported-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Acked-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+ arch/sparc/include/asm/pgtable_64.h | 1 +
+ arch/sparc/include/asm/switch_to_64.h | 3 +-
+ arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++--
+ arch/sparc/kernel/smp_64.c | 41 ++++++++++-
+ arch/sparc/mm/tlb.c | 38 +++++++++-
+ arch/sparc/mm/tsb.c | 57 ++++++++++++----
+ arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++-------
+ 7 files changed, 241 insertions(+), 55 deletions(-)
+
+commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri Apr 19 15:32:32 2013 +0000
+
+ Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494
+
+ net: fix incorrect credentials passing
+
+ Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+ sender") changed the credentials passing code to pass in the effective
+ uid/gid instead of the real uid/gid.
+
+ Obviously this doesn't matter most of the time (since normally they are
+ the same), but it results in differences for suid binaries when the wrong
+ uid/gid ends up being used.
+
+ This just undoes that (presumably unintentional) part of the commit.
+
+ Reported-by: Andy Lutomirski <luto@amacapital.net>
+ Cc: Eric W. Biederman <ebiederm@xmission.com>
+ Cc: Serge E. Hallyn <serge@hallyn.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/scm.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 18 19:22:40 2013 -0400
+
+ move _etext to only cover kernel code, not read-only data, as reported by Gu1
+
+ arch/arm/kernel/vmlinux.lds.S | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 98ad6adbc48759e4f9eae435d3e51ba487155685
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 18 19:17:24 2013 -0400
+
+ add asm/sections.h for USERCOPY change
+
+ fs/exec.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10
+Author: Dmitry Popov <dp@highloadlab.com>
+Date: Thu Apr 11 08:55:07 2013 +0000
+
+ Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
+
+ tcp: incoming connections might use wrong route under synflood
+
+ There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
+ flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+ RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+ inet_sk_flowi_flags(sk),
+ (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+ ireq->loc_addr, th->source, th->dest);
+
+ Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
+ taken. This dst_entry is used by new socket (get_cookie_sock ->
+ tcp_v4_syn_recv_sock), so its packets may take the wrong path.
+
+ Signed-off-by: Dmitry Popov <dp@highloadlab.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/syncookies.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 3600395e8fef3ae712e72f9b68c3609639616df8
+Author: Thomas Graf <tgraf@suug.ch>
+Date: Thu Apr 11 10:57:18 2013 +0000
+
+ Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413
+
+ tcp: Reallocate headroom if it would overflow csum_start
+
+ If a TCP retransmission gets partially ACKed and collapsed multiple
+ times it is possible for the headroom to grow beyond 64K which will
+ overflow the 16bit skb->csum_start which is based on the start of
+ the headroom. It has been observed rarely in the wild with IPoIB due
+ to the 64K MTU.
+
+ Verify if the acking and collapsing resulted in a headroom exceeding
+ what csum_start can cover and reallocate the headroom if so.
+
+ A big thank you to Jim Foraker <foraker1@llnl.gov> and the team at
+ LLNL for helping out with the investigation and testing.
+
+ Reported-by: Jim Foraker <foraker1@llnl.gov>
+ Signed-off-by: Thomas Graf <tgraf@suug.ch>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp_output.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61
+Author: Ivan Vecera <ivecera@redhat.com>
+Date: Fri Apr 12 16:49:24 2013 +0200
+
+ Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f
+
+ be2net: take care of __vlan_put_tag return value
+
+ The driver should use return value of __vlan_put_tag with appropriate
+ NULL-check instead of old skb pointer.
+
+ Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/emulex/benet/be_main.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri Apr 12 03:17:12 2013 +0000
+
+ Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73
+
+ tuntap: fix error return code in tun_set_iff()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ [ Bug added in linux-3.8 , commit 4008e97f866db665
+ ("tuntap: fix ambigious multiqueue API") ]
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/tun.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Sat Apr 13 15:49:03 2013 +0000
+
+ Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
+
+ esp4: fix error return code in esp_output()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/esp4.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 2b45b5f52c2a8930f80c62de392a62516c83e225
+Author: Bjørn Mork <bjorn@mork.no>
+Date: Tue Apr 16 00:17:07 2013 +0000
+
+ Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1
+
+ net: cdc_mbim: remove bogus sizeof()
+
+ The intention was to test against the constant, not the size of
+ the constant.
+
+ Signed-off-by: Bjørn Mork <bjorn@mork.no>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/usb/cdc_mbim.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 17d7408795519037a5a1272c7888238e20830bfe
+Author: Vyacheslav Dubeyko <slava@dubeyko.com>
+Date: Wed Apr 17 15:58:33 2013 -0700
+
+ Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
+
+ hfsplus: fix potential overflow in hfsplus_file_truncate()
+
+ Change a u32 to loff_t hfsplus_file_truncate().
+
+ Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/hfsplus/extents.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b
+Author: Emese Revfy <re.emese@gmail.com>
+Date: Wed Apr 17 15:58:36 2013 -0700
+
+ Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
+
+ kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
+
+ This fixes a kernel memory contents leak via the tkill and tgkill syscalls
+ for compat processes.
+
+ This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
+ when handling signals delivered from tkill.
+
+ The place of the infoleak:
+
+ int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
+ {
+ ...
+ put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
+ ...
+ }
+
+ Signed-off-by: Emese Revfy <re.emese@gmail.com>
+ Reviewed-by: PaX Team <pageexec@freemail.hu>
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Oleg Nesterov <oleg@redhat.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: Serge Hallyn <serge.hallyn@canonical.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/signal.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 20:17:00 2013 -0400
+
+ Improve PAX_USERCOPY to reject direct copies to/from main kernel text
+
+ fs/exec.c | 29 +++++++++++++++++++++++++++--
+ 1 files changed, 27 insertions(+), 2 deletions(-)
+
+commit 3cb37d0c0c77dc3928ff8417f982139f95366eba
+Merge: e87c19f c664779
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 20:06:08 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c664779987cb0c27a242029f0e0db812e3236203
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 19:54:09 2013 -0400
+
+ add intentional_overflow marking for resource_size() as reasoned by:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
+
+ include/linux/ioport.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e87c19f8312355b8658e5138c16bfa6043a379c8
+Merge: 802d119 d0c636c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 16:57:12 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d0c636ceaaf406e606898ce3e770e32fb043ea8a
+Merge: bc88628 2396403
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 17 16:57:01 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/paravirt.c
+
+commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:39:51 2013 -0400
+
+ move location of RBAC user check on setfsuid until after capability checks
+ for consistency with other checks
+
+ kernel/sys.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 1a860d7d67051559ab2e6d10f9888649c92904e6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:34:46 2013 -0400
+
+ A denied setfsuid by the RBAC system would result in an abort_creds() being called
+ with an uninitalized pointer, introduced by a bad forward-port
+
+ kernel/sys.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9
+Merge: c38d142 bc88628
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:28:33 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit bc88628a6a8fcccaabb90908640809b0540df225
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 14 21:26:41 2013 -0400
+
+ Update to pax-linux-3.8.7-test20.patch:
+ - fixed KERNEXEC and NMI nesting problem reported by stef&hunger
+ - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
+ - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
+ - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)
+
+ arch/powerpc/include/asm/smp.h | 2 +-
+ arch/x86/Kconfig | 4 ++--
+ arch/x86/kernel/entry_64.S | 8 ++++----
+ security/Kconfig | 2 +-
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+commit c38d142744489fc4d9be80188b6435a278438fd9
+Author: Suleiman Souhlal <suleiman@google.com>
+Date: Sat Apr 13 16:03:06 2013 -0700
+
+ Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
+
+ vfs: Revert spurious fix to spinning prevention in prune_icache_sb
+
+ Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
+
+ This commit doesn't look right: since we are looking at the tail of the
+ list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
+ it back at the head of the list instead of the tail, otherwise we will
+ keep spinning on it.
+
+ Discovered when investigating why prune_icache_sb came top in perf
+ reports of a swapping load.
+
+ Signed-off-by: Suleiman Souhlal <suleiman@google.com>
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: stable@vger.kernel.org # v3.2+
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/inode.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 93019624b80ba59798393942798d7f6ed0c1dbc6
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat Apr 13 15:15:30 2013 -0700
+
+ Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979
+
+ kobject: fix kset_find_obj() race with concurrent last kobject_put()
+
+ Anatol Pomozov identified a race condition that hits module unloading
+ and re-loading. To quote Anatol:
+
+ "This is a race codition that exists between kset_find_obj() and
+ kobject_put(). kset_find_obj() might return kobject that has refcount
+ equal to 0 if this kobject is freeing by kobject_put() in other
+ thread.
+
+ Here is timeline for the crash in case if kset_find_obj() searches for
+ an object tht nobody holds and other thread is doing kobject_put() on
+ the same kobject:
+
+ THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put())
+ splin_lock()
+ atomic_dec_return(kobj->kref), counter gets zero here
+ ... starts kobject cleanup ....
+ spin_lock() // WAIT thread A in kobj_kset_leave()
+ iterate over kset->list
+ atomic_inc(kobj->kref) (counter becomes 1)
+ spin_unlock()
+ spin_lock() // taken
+ // it does not know that thread A increased counter so it
+ remove obj from list
+ spin_unlock()
+ vfree(module) // frees module object with containing kobj
+
+ // kobj points to freed memory area!!
+ kobject_put(kobj) // OOPS!!!!
+
+ The race above happens because module.c tries to use kset_find_obj()
+ when somebody unloads module. The module.c code was introduced in
+ commit 6494a93d55fa"
+
+ Anatol supplied a patch specific for module.c that worked around the
+ problem by simply not using kset_find_obj() at all, but rather than make
+ a local band-aid, this just fixes kset_find_obj() to be thread-safe
+ using the proper model of refusing the get a new reference if the
+ refcount has already dropped to zero.
+
+ See examples of this proper refcount handling not only in the kref
+ documentation, but in various other equivalent uses of this pattern by
+ grepping for atomic_inc_not_zero().
+
+ [ Side note: the module race does indicate that module loading and
+ unloading is not properly serialized wrt sysfs information using the
+ module mutex. That may require further thought, but this is the
+ correct fix at the kobject layer regardless. ]
+
+ Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/kobject.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+commit 5277b052b5fab36729e1255fb3b12f47a4b12867
+Author: Dave Hansen <dave@sr71.net>
+Date: Fri Apr 12 16:23:54 2013 -0700
+
+ Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9
+
+ x86-32: Fix possible incomplete TLB invalidate with PAE pagetables
+
+ This patch attempts to fix:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=56461
+
+ The symptom is a crash and messages like this:
+
+ chrome: Corrupted page table at address 34a03000
+ *pdpt = 0000000000000000 *pde = 0000000000000000
+ Bad pagetable: 000f [#1] PREEMPT SMP
+
+ Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb:
+ enable tlb flush range support for x86") since that code started to free
+ unused pagetables.
+
+ On x86-32 PAE kernels, that new code has the potential to free an entire
+ PMD page and will clear one of the four page-directory-pointer-table
+ (aka pgd_t entries).
+
+ The hardware aggressively "caches" these top-level entries and invlpg
+ does not actually affect the CPU's copy. If we clear one we *HAVE* to
+ do a full TLB flush, otherwise we might continue using a freed pmd page.
+ (note, we do this properly on the population side in pud_populate()).
+
+ This patch tracks whenever we clear one of these entries in the 'struct
+ mmu_gather', and ensures that we follow up with a full tlb flush.
+
+ BTW, I disassembled and checked that:
+
+ if (tlb->fullmm == 0)
+ and
+ if (!tlb->fullmm && !tlb->need_flush_all)
+
+ generate essentially the same code, so there should be zero impact there
+ to the !PAE case.
+
+ Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: Peter Anvin <hpa@zytor.com>
+ Cc: Ingo Molnar <mingo@kernel.org>
+ Cc: Artem S Tashkinov <t.artem@mailcity.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ arch/x86/include/asm/tlb.h | 2 +-
+ arch/x86/mm/pgtable.c | 7 +++++++
+ include/asm-generic/tlb.h | 7 ++++++-
+ mm/memory.c | 1 +
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+commit 521e573fc77d1783c1d4636dfbb4617a922f043d
+Merge: 032f626 f807619
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 19:29:34 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f80761993b85df96fc142dfc3a317cadc0f8eae5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 19:28:21 2013 -0400
+
+ Update to pax-linux-3.8.7-test19.patch:
+ - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
+ - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411)
+ - fixed the structleak plugin to compile for gcc 4.5-4.6 as well
+
+ Makefile | 2 +-
+ arch/x86/xen/enlighten.c | 6 +++---
+ tools/gcc/structleak_plugin.c | 5 +++--
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+commit 032f626a4ae9bc3196313a2e762650c3d9abdc96
+Merge: a3a770e 89886f5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 18:38:40 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89886f561cc0d1c42a99624ec8c3704711088155
+Merge: 9123489 531ec28
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 12 18:38:30 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit a3a770e18578841e4fbe2aa0831a22811b4812cf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Apr 11 20:46:20 2013 -0400
+
+ Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
+ Will be fixed with the next PaX patch
+
+ This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit fc98763e4f1f1487928750b26a63098b9e0ed5b1
+Author: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Fri Mar 29 10:20:56 2013 -0400
+
+ Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16
+
+ xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables.
+
+ Occassionaly on a DL380 G4 the guest would crash quite early with this:
+
+ (XEN) d244:v0: unhandled page fault (ec=0003)
+ (XEN) Pagetable walk from ffffffff84dc7000:
+ (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789
+ (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d
+ (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def
+ (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7
+ (XEN) domain_crash_sync called from entry.S
+ (XEN) Domain 244 (vcpu#0) crashed on cpu#3:
+ (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]----
+ (XEN) CPU: 3
+ (XEN) RIP: e033:[<ffffffff81263f22>]
+ (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest
+ (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f
+ (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000
+
+ The offending code shows it to be a loop writting the value zero
+ (%rax) in the %rdi (the L4 provided by Xen) register:
+
+ 0: 44 00 00 add %r8b,(%rax)
+ 3: 31 c0 xor %eax,%eax
+ 5: b9 40 00 00 00 mov $0x40,%ecx
+ a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
+ 11: 00 00
+ 13: ff c9 dec %ecx
+ 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction
+ 18: 48 89 47 08 mov %rax,0x8(%rdi)
+ 1c: 48 89 47 10 mov %rax,0x10(%rdi)
+
+ which fails. xen_setup_kernel_pagetable recycles some of the Xen's
+ page-table entries when it has switched over to its Linux page-tables.
+
+ Right before try to clear the page, we make a hypercall to change
+ it from _RO to _RW and that works (otherwise we would hit an BUG()).
+ And the _RW flag is set for that page:
+ (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7
+
+ The error code is 3, so PFEC_page_present and PFEC_write_access, so page is
+ present (correct), and we tried to write to the page, but a violation
+ occurred. The one theory is that the the page entries in hardware
+ (which are cached) are not up to date with what we just set. Especially
+ as we have just done an CR3 write and flushed the multicalls.
+
+ This patch does solve the problem by flusing out the TLB page
+ entry after changing it from _RO to _RW and we don't hit this
+ issue anymore.
+
+ Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO
+ 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4]
+ Reported-and-Tested-by: Saar Maoz <Saar.Maoz@oracle.com>
+ Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+ arch/x86/xen/mmu.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11
+Author: Namhyung Kim <namhyung.kim@lge.com>
+Date: Mon Apr 1 21:46:23 2013 +0900
+
+ Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
+
+ tracing: Fix double free when function profile init failed
+
+ On the failure path, stat->start and stat->pages will refer same page.
+ So it'll attempt to free the same page again and get kernel panic.
+
+ Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
+
+ Cc: Frederic Weisbecker <fweisbec@gmail.com>
+ Cc: Namhyung Kim <namhyung.kim@lge.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ kernel/trace/ftrace.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb
+Author: Neil Horman <nhorman@tuxdriver.com>
+Date: Tue Apr 9 23:19:00 2013 +0000
+
+ Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6
+
+ e100: Add dma mapping error check
+
+ e100 uses pci_map_single, but fails to check for a dma mapping error after its
+ use, resulting in a stack trace:
+
+ [ 46.656594] ------------[ cut here ]------------
+ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950()
+ [ 46.657004] Hardware name: To Be Filled By O.E.M.
+ [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map
+ error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single]
+ [ 46.657004] Modules linked in:
+ [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus
+ snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc
+ e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp
+ k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd
+ sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit
+ drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core
+ sata_promise crc_itu_t
+ [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1
+ [ 46.657004] Call Trace:
+ [ 46.657004] <IRQ> [<ffffffff81065ed0>] warn_slowpath_common+0x70/0xa0
+ [ 46.657004] [<ffffffff81065f4c>] warn_slowpath_fmt+0x4c/0x50
+ [ 46.657004] [<ffffffff81364cfb>] check_unmap+0x47b/0x950
+ [ 46.657004] [<ffffffff8136522f>] debug_dma_unmap_page+0x5f/0x70
+ [ 46.657004] [<ffffffffa030f0f0>] ? e100_tx_clean+0x30/0x210 [e100]
+ [ 46.657004] [<ffffffffa030f1a8>] e100_tx_clean+0xe8/0x210 [e100]
+ [ 46.657004] [<ffffffffa030fc6f>] e100_poll+0x56f/0x6c0 [e100]
+ [ 46.657004] [<ffffffff8159dce1>] ? net_rx_action+0xa1/0x370
+ [ 46.657004] [<ffffffff8159ddb2>] net_rx_action+0x172/0x370
+ [ 46.657004] [<ffffffff810703bf>] __do_softirq+0xef/0x3d0
+ [ 46.657004] [<ffffffff816e4ebc>] call_softirq+0x1c/0x30
+ [ 46.657004] [<ffffffff8101c485>] do_softirq+0x85/0xc0
+ [ 46.657004] [<ffffffff81070885>] irq_exit+0xd5/0xe0
+ [ 46.657004] [<ffffffff816e5756>] do_IRQ+0x56/0xc0
+ [ 46.657004] [<ffffffff816dacb2>] common_interrupt+0x72/0x72
+ [ 46.657004] <EOI> [<ffffffff816da1eb>] ?
+ _raw_spin_unlock_irqrestore+0x3b/0x70
+ [ 46.657004] [<ffffffff816d124d>] __slab_free+0x58/0x38b
+ [ 46.657004] [<ffffffff81214424>] ? fsnotify_clear_marks_by_inode+0x34/0x120
+ [ 46.657004] [<ffffffff811b0417>] ? kmem_cache_free+0x97/0x320
+ [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff8157fc14>] ? sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff811b0692>] kmem_cache_free+0x312/0x320
+ [ 46.657004] [<ffffffff8157fc14>] sock_destroy_inode+0x34/0x40
+ [ 46.657004] [<ffffffff811e8c28>] destroy_inode+0x38/0x60
+ [ 46.657004] [<ffffffff811e8d5e>] evict+0x10e/0x1a0
+ [ 46.657004] [<ffffffff811e9605>] iput+0xf5/0x180
+ [ 46.657004] [<ffffffff811e4338>] dput+0x248/0x310
+ [ 46.657004] [<ffffffff811ce0e1>] __fput+0x171/0x240
+ [ 46.657004] [<ffffffff811ce26e>] ____fput+0xe/0x10
+ [ 46.657004] [<ffffffff8108d54c>] task_work_run+0xac/0xe0
+ [ 46.657004] [<ffffffff8106c6ed>] do_exit+0x26d/0xc30
+ [ 46.657004] [<ffffffff8109eccc>] ? finish_task_switch+0x7c/0x120
+ [ 46.657004] [<ffffffff816dad58>] ? retint_swapgs+0x13/0x1b
+ [ 46.657004] [<ffffffff8106d139>] do_group_exit+0x49/0xc0
+ [ 46.657004] [<ffffffff8106d1c4>] sys_exit_group+0x14/0x20
+ [ 46.657004] [<ffffffff816e3b19>] system_call_fastpath+0x16/0x1b
+ [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]---
+ [ 46.657004] Mapped at:
+ [ 46.657004] [<ffffffff813663d1>] debug_dma_map_page+0x91/0x140
+ [ 46.657004] [<ffffffffa030e8eb>] e100_xmit_prepare+0x12b/0x1c0 [e100]
+ [ 46.657004] [<ffffffffa030c924>] e100_exec_cb+0x84/0x140 [e100]
+ [ 46.657004] [<ffffffffa030e56a>] e100_xmit_frame+0x3a/0x190 [e100]
+ [ 46.657004] [<ffffffff8159ee89>] dev_hard_start_xmit+0x259/0x6c0
+
+ Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the
+ dma_mapping_error check in the obvious place
+
+ This was reported previously here:
+ http://article.gmane.org/gmane.linux.network/257893
+
+ But nobody stepped up and fixed it.
+
+ CC: Josh Boyer <jwboyer@redhat.com>
+ CC: e1000-devel@lists.sourceforge.net
+ Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+ Reported-by: Michal Jaegermann <michal@harddata.com>
+ Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+ Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++-----------
+ 1 files changed, 25 insertions(+), 11 deletions(-)
+
+commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed Apr 10 12:44:18 2013 -0400
+
+ Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67
+
+ NFSv4: Doh! Typo in the fix to nfs41_walk_client_list
+
+ Make sure that we set the status to 0 on success. Missed in testing
+ because it never appears when doing multiple mounts to _different_
+ servers.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: <stable@vger.kernel.org> # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
+
+ fs/nfs/nfs4client.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea
+Author: Yuval Mintz <yuvalmin@broadcom.com>
+Date: Wed Apr 10 13:34:39 2013 +0300
+
+ Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b
+
+ bnx2x: Prevent null pointer dereference in AFEX mode
+
+ The cnic module is responsible for initializing various bnx2x structs
+ via callbacks provided by the bnx2x module.
+ One such struct is the queue object for the FCoE queue.
+
+ If a device is working in AFEX mode and its configuration allows FCoE yet
+ the cnic module is not loaded, it's very likely a null pointer dereference
+ will occur, as the bnx2x will erroneously access the FCoE's queue object.
+
+ Prevent said access until cnic properly registers itself.
+
+ Signed-off-by: Yuval Mintz <yuvalmin@broadcom.com>
+ Signed-off-by: Ariel Elior <ariele@broadcom.com>
+ Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 2908830232725db624aaa052f7ad38d1f98bf541
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Apr 9 14:16:04 2013 +0800
+
+ Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
+
+ can: gw: use kmem_cache_free() instead of kfree()
+
+ Memory allocated by kmem_cache_alloc() should be freed using
+ kmem_cache_free(), not kfree().
+
+ Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+
+ net/can/gw.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit d40b572e845a5fb561e3c4a80cc306cd38888a4e
+Author: Christoph Paasch <christoph.paasch@uclouvain.be>
+Date: Sun Apr 7 04:53:15 2013 +0000
+
+ Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd
+
+ ipv6/tcp: Stop processing ICMPv6 redirect messages
+
+ Tetja Rediske found that if the host receives an ICMPv6 redirect message
+ after sending a SYN+ACK, the connection will be reset.
+
+ He bisected it down to 093d04d (ipv6: Change skb->data before using
+ icmpv6_notify() to propagate redirect), but the origin of the bug comes
+ from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error
+ handlers.). The bug simply did not trigger prior to 093d04d, because
+ skb->data did not point to the inner IP header and thus icmpv6_notify
+ did not call the correct err_handler.
+
+ This patch adds the missing "goto out;" in tcp_v6_err. After receiving
+ an ICMPv6 Redirect, we should not continue processing the ICMP in
+ tcp_v6_err, as this may trigger the removal of request-socks or setting
+ sk_err(_soft).
+
+ Reported-by: Tetja Rediske <tetja@tetja.de>
+ Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/tcp_ipv6.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit c7d5c2524456ef3ea9194840e7a9a75069a46824
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 20:32:54 2013 -0400
+
+ - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit acac2380fd97acee4367d2aa24c74322dcf1d22b
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Apr 5 16:11:11 2013 -0400
+
+ Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc
+
+ NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list
+
+ It is unsafe to use list_for_each_entry_safe() here, because
+ when we drop the nn->nfs_client_lock, we pin the _current_ list
+ entry and ensure that it stays in the list, but we don't do the
+ same for the _next_ list entry. Use of list_for_each_entry() is
+ therefore the correct thing to do.
+
+ Also fix the refcounting in nfs41_walk_client_list().
+
+ Finally, ensure that the nfs_client has finished being initialised
+ and, in the case of NFSv4.1, that the session is set up.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+ Cc: Chuck Lever <chuck.lever@oracle.com>
+ Cc: Bryan Schumaker <bjschuma@netapp.com>
+ Cc: stable@vger.kernel.org [>= 3.7]
+
+ fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++----------------
+ 1 files changed, 28 insertions(+), 16 deletions(-)
+
+commit a6cf5f387b882ac0ce655b75f623f86c075517be
+Author: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri Mar 22 12:52:59 2013 -0400
+
+ Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e
+
+ SUNRPC: Remove extra xprt_put()
+
+ While testing error cases where rpc_new_client() fails, I saw
+ some oopses.
+
+ If rpc_new_client() fails, it already invokes xprt_put(). Thus
+ __rpc_clone_client() does not need to invoke it again.
+
+ Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()"
+ Fri Sep 14, 2012.
+
+ Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+ Cc: stable@vger.kernel.org [>=3.7]
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00
+Author: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Fri Apr 5 14:13:21 2013 -0400
+
+ Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
+
+ SUNRPC: Fix a potential memory leak in rpc_new_client
+
+ If the call to rpciod_up() fails, we currently leak a reference to the
+ struct rpc_xprt.
+ As part of the fix, we also remove the redundant check for xprt!=NULL.
+ This is already taken care of by the callers.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+ net/sunrpc/clnt.c | 7 ++-----
+ 1 files changed, 2 insertions(+), 5 deletions(-)
+
+commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 19:16:05 2013 -0400
+
+ From https://lkml.org/lkml/2013/4/8/469:
+ [PATCH] rtnetlink: call nlmsg_parse() with correct header length
+
+ net/core/rtnetlink.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 9529169b8c405874fd543b785f53c74fa0501c2a
+Author: Christopher Harvey <charvey@matrox.com>
+Date: Fri Apr 5 10:51:15 2013 -0400
+
+ Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546
+
+ drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal.
+
+ This change properly enables the "requester" in G200ER cards that is
+ responsible for getting pixels out of memory and clocking them out to
+ the screen.
+
+ Signed-off-by: Christopher Harvey <charvey@matrox.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++----------
+ 1 files changed, 3 insertions(+), 10 deletions(-)
+
+commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu Mar 28 13:30:23 2013 -0400
+
+ Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee
+
+ ecryptfs: close rmmod race
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/ecryptfs/miscdev.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 19:03:45 2013 -0400
+
+ Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1
+
+ arch/ia64/kernel/palinfo.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 83280e384ae3ceadad30369ced111dc7d4b46085
+Author: Andrey Vagin <avagin@openvz.org>
+Date: Tue Apr 9 17:33:29 2013 +0400
+
+ Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676
+
+ mnt: release locks on error path in do_loopback
+
+ do_loopback calls lock_mount(path) and forget to unlock_mount
+ if clone_mnt or copy_mnt fails.
+
+ [ 77.661566] ================================================
+ [ 77.662939] [ BUG: lock held when returning to user space! ]
+ [ 77.664104] 3.9.0-rc5+ #17 Not tainted
+ [ 77.664982] ------------------------------------------------
+ [ 77.666488] mount/514 is leaving the kernel with locks still held!
+ [ 77.668027] 2 locks held by mount/514:
+ [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
+ [ 77.671755] #1: (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0
+
+ Signed-off-by: Andrey Vagin <avagin@openvz.org>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/namespace.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 679e536b9d9536d804f049fe942367a596253e6d
+Author: Alex Williamson <alex.williamson@redhat.com>
+Date: Tue Mar 26 11:33:16 2013 -0600
+
+ Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c
+
+ vfio-pci: Fix possible integer overflow
+
+ The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both
+ of which are unsigned. We attempt to bounds check these, but fail to
+ account for the case where start is a very large number, allowing
+ start + count to wrap back into the valid range. Bounds check both
+ start and start + count.
+
+ Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+
+ drivers/vfio/pci/vfio_pci.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 10 18:48:45 2013 -0400
+
+ Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b5261a6384ee42499b29495aaae40b271e77d394
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:30:45 2013 -0400
+
+ some undefined behavior fixups
+
+ grsecurity/gracl.c | 4 ++--
+ grsecurity/gracl_ip.c | 10 +++++-----
+ grsecurity/gracl_segv.c | 4 ++--
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 9f83caa35e78be1f3e753586ab217555c3b21ff4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:28:54 2013 -0400
+
+ don't whine about denied ipv6 when it's not enabled
+
+ grsecurity/gracl_ip.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61
+Merge: 97bca88 9123489
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:18:45 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9123489428c58668a89f316db6619739cbdd2c2a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 9 17:17:46 2013 -0400
+
+ Update to pax-linux-3.8.6-test18.patch:
+ - new size overflow plugin from Emese to work around a gcc optimization
+ resulting in an intentional overflow, reported by Carlos Carvalho
+ (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)
+
+ tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 66 insertions(+), 2 deletions(-)
+
+commit 97bca8889e0f1e853f16b7026c39c6729a8587ab
+Merge: 675a41e e9d6073
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 8 21:32:59 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/sparc/kernel/us3_cpufreq.c
+
+commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Apr 8 21:19:03 2013 -0400
+
+ Update to pax-linux-3.8.6-test17.patch:
+ - fixed ia64/ppc/sparc compilation by spender
+ - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport)
+
+ arch/ia64/include/asm/uaccess.h | 2 -
+ arch/powerpc/include/asm/uaccess.h | 2 -
+ arch/sparc/include/asm/uaccess.h | 7 ----
+ arch/sparc/kernel/prom_common.c | 2 +-
+ arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++--------------------------
+ tools/gcc/structleak_plugin.c | 15 ++++----
+ 6 files changed, 28 insertions(+), 69 deletions(-)
+
+commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Apr 7 12:00:50 2013 -0400
+
+ fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin
+
+ net/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5a216624a06429488f24ce47db093da042f90e48
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 13:22:24 2013 -0400
+
+ fix typo
+
+ arch/sparc/kernel/us3_cpufreq.c | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+commit e476ca18d21788898cd3acd1b57049971a2fb70f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 13:16:13 2013 -0400
+
+ properly fix cpufreq_driver for ultrasparc III with constification
+
+ arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------
+ 1 files changed, 17 insertions(+), 18 deletions(-)
+
+commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 12:58:48 2013 -0400
+
+ mark prom_sparc_ops __initconst
+
+ arch/sparc/kernel/prom_common.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Apr 6 12:53:16 2013 -0400
+
+ fix ia64/powerpc/sparc compilation
+
+ arch/ia64/include/asm/uaccess.h | 2 --
+ arch/powerpc/include/asm/uaccess.h | 2 --
+ arch/sparc/include/asm/uaccess.h | 7 -------
+ 3 files changed, 0 insertions(+), 11 deletions(-)
+
+commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Tue Mar 19 20:26:57 2013 +0100
+
+ Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d
+
+ cfg80211: fix wdev tracing crash
+
+ Arend reported a crash in tracing if the driver returns an
+ ERR_PTR() value from the add_virtual_intf() callback. This
+ is due to the tracing then still attempting to dereference
+ the "pointer", fix this by using IS_ERR_OR_NULL().
+
+ Reported-by: Arend van Spriel <arend@broadcom.com>
+ Tested-by: Arend van Spriel <arend@broadcom.com>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+ net/wireless/trace.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Mon Mar 25 11:51:14 2013 +0100
+
+ Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b
+
+ mac80211: fix remain-on-channel cancel crash
+
+ If a ROC item is canceled just as it expires, the work
+ struct may be scheduled while it is running (and waiting
+ for the mutex). This results in it being run after being
+ freed, which obviously crashes.
+
+ To fix this don't free it when aborting is requested but
+ instead mark it as "to be freed", which makes the work a
+ no-op and allows freeing it outside.
+
+ Cc: stable@vger.kernel.org [3.6+]
+ Reported-by: Jouni Malinen <j@w1.fi>
+ Tested-by: Jouni Malinen <j@w1.fi>
+ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+ net/mac80211/cfg.c | 6 ++++--
+ net/mac80211/ieee80211_i.h | 3 ++-
+ net/mac80211/offchannel.c | 23 +++++++++++++++++------
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4
+Author: Stone Piao <piaoyun@marvell.com>
+Date: Fri Mar 29 19:21:21 2013 -0700
+
+ Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f
+
+ mwifiex: limit channel number not to overflow memory
+
+ Limit the channel number in scan request, or the driver scan
+ config structure memory will be overflowed.
+
+ Cc: <stable@vger.kernel.org> # 3.5+
+ Signed-off-by: Stone Piao <piaoyun@marvell.com>
+ Signed-off-by: Bing Zhao <bzhao@marvell.com>
+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
+
+ drivers/net/wireless/mwifiex/cfg80211.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 207c411512bdaf0e4271f93ecac6ca26588da36f
+Author: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Thu Mar 21 19:48:41 2013 +0000
+
+ Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
+
+ netfilter: reset nf_trace in nf_reset
+
+ We forgot to clear the nf_trace of sk_buff in nf_reset,
+ When we use veth device, this nf_trace information will
+ be leaked from one net namespace to another net namespace.
+
+ Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ include/linux/skbuff.h | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri Mar 22 01:28:18 2013 +0000
+
+ Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c
+
+ netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init()
+
+ Fix to return a negative error code from the error handling
+ case instead of 0, as returned elsewhere in this function.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_queue_core.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit a79feb7d3251eca577d83d7f69eee2b961ab2924
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat Mar 23 16:57:59 2013 +0100
+
+ Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7
+
+ netfilter: nfnetlink_acct: return -EINVAL if object name is empty
+
+ If user-space tries to create accounting object with an empty
+ name, then return -EINVAL.
+
+ Reported-by: Michael Zintakis <michael.zintakis@googlemail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/nfnetlink_acct.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7
+Author: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sat Mar 30 10:23:12 2013 +0000
+
+ Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756
+
+ netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths
+
+ The bitmask used for the prefix mangling was being calculated
+ incorrectly, leading to the wrong part of the address being replaced
+ when the prefix length wasn't a multiple of 32.
+
+ Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/ipv6/netfilter/ip6t_NPT.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e
+Author: Veaceslav Falico <vfalico@redhat.com>
+Date: Wed Apr 3 05:46:33 2013 +0000
+
+ Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
+
+ bonding: remove sysfs before removing devices
+
+ We have a race condition if we try to rmmod bonding and simultaneously add
+ a bond master through sysfs. In bonding_exit() we first remove the devices
+ (through rtnl_link_unregister() ) and only after that we remove the sysfs.
+ If we manage to add a device through sysfs after that the devices were
+ removed - we'll end up with that device/sysfs structure and with the module
+ unloaded.
+
+ Fix this by first removing the sysfs and only after that calling
+ rtnl_link_unregister().
+
+ Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d12cae44a9d12441d81c489178803237219d403d
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Wed Apr 3 16:14:47 2013 +0000
+
+ Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
+
+ af_unix: If we don't care about credentials coallesce all messages
+
+ It was reported that the following LSB test case failed
+ https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
+ were not coallescing unix stream messages when the application was
+ expecting us to.
+
+ The problem was that the first send was before the socket was accepted
+ and thus sock->sk_socket was NULL in maybe_add_creds, and the second
+ send after the socket was accepted had a non-NULL value for sk->socket
+ and thus we could tell the credentials were not needed so we did not
+ bother.
+
+ The unnecessary credentials on the first message cause
+ unix_stream_recvmsg to start verifying that all messages had the same
+ credentials before coallescing and then the coallescing failed because
+ the second message had no credentials.
+
+ Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
+ long standing pessimization which would fail to coallesce messages when
+ reading from a unix stream socket if the senders were different even if
+ we did not care about their credentials.
+
+ I have tested this and verified that the in the LSB test case mentioned
+ above that the messages do coallesce now, while the were failing to
+ coallesce without this change.
+
+ Reported-by: Karel Srot <ksrot@redhat.com>
+ Reported-by: Ding Tianhong <dingtianhong@huawei.com>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Wed Apr 3 16:13:35 2013 +0000
+
+ Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
+
+ Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
+
+ This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
+
+ The problem that the above patch was meant to address is that af_unix
+ messages are not being coallesced because we are sending unnecesarry
+ credentials. Not sending credentials in maybe_add_creds totally
+ breaks unconnected unix domain sockets that wish to send credentails
+ to other sockets.
+
+ In practice this break some versions of udev because they receive a
+ message and the sending uid is bogus so they drop the message.
+
+ Reported-by: Sven Joachim <svenjoac@gmx.de>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Wed Mar 20 21:31:42 2013 +0000
+
+ Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
+
+ lantiq_etop: use free_netdev(netdev) instead of kfree()
+
+ Freeing netdev without free_netdev() leads to net, tx leaks.
+ And it may lead to dereferencing freed pointer.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/lantiq_etop.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f
+Author: Cong Wang <amwang@redhat.com>
+Date: Fri Mar 22 19:14:07 2013 +0000
+
+ Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb
+
+ 8021q: fix a potential use-after-free
+
+ vlan_vid_del() could possibly free ->vlan_info after a RCU grace
+ period, however, we may still refer to the freed memory area
+ by 'grp' pointer. Found by code inspection.
+
+ This patch moves vlan_vid_del() as behind as possible.
+
+ Cc: Patrick McHardy <kaber@trash.net>
+ Cc: "David S. Miller" <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/8021q/vlan.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit fff29c277024a39845d4b535083c8dafc21b45d9
+Author: Hong zhi guo <honkiko@gmail.com>
+Date: Sat Mar 23 02:27:50 2013 +0000
+
+ Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7
+
+ bridge: fix crash when set mac address of br interface
+
+ When I tried to set mac address of a bridge interface to a mac
+ address which already learned on this bridge, I got system hang.
+
+ The cause is straight forward: function br_fdb_change_mac_address
+ calls fdb_insert with NULL source nbp. Then an fdb lookup is
+ performed. If an fdb entry is found and it's local, it's OK. But
+ if it's not local, source is dereferenced for printk without NULL
+ check.
+
+ Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/bridge/br_fdb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349
+Author: Kumar Amit Mehta <gmate.amit@gmail.com>
+Date: Sat Mar 23 20:10:25 2013 +0000
+
+ Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a
+
+ bnx2x: fix assignment of signed expression to unsigned variable
+
+ fix for incorrect assignment of signed expression to unsigned variable.
+
+ Signed-off-by: Kumar Amit Mehta <gmate.amit@gmail.com>
+ Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
+commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e
+Author: dingtianhong <dingtianhong@huawei.com>
+Date: Mon Mar 25 17:02:04 2013 +0000
+
+ Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
+
+ af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
+
+ SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
+ socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
+ and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
+
+ Origionally-authored-by: Karel Srot <ksrot@redhat.com>
+ Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b964e1e61f0f0ccaa380be3342f956c604054bdc
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Thu Mar 21 02:30:41 2013 -0700
+
+ Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015
+
+ yama: Better permission check for ptraceme
+
+ Change the permission check for yama_ptrace_ptracee to the standard
+ ptrace permission check, testing if the traceer has CAP_SYS_PTRACE
+ in the tracees user namespace.
+
+ Reviewed-by: Kees Cook <keescook@chromium.org>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+
+ security/yama/yama_lsm.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+commit b94e71c7b6abe75989edff18aca2781233fa143b
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Apr 1 11:40:51 2013 +0400
+
+ Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d
+
+ ipc: set msg back to -EAGAIN if copy wasn't performed
+
+ Make sure that msg pointer is set back to error value in case of
+ MSG_COPY flag is set and desired message to copy wasn't found. This
+ garantees that msg is either a error pointer or a copy address.
+
+ Otherwise the last message in queue will be freed without unlinking from
+ the queue (which leads to memory corruption) and the dummy allocated
+ copy won't be released.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msg.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit a997fbbe7a37ffd805f4784a18b8e530da6978d1
+Author: Jan Kara <jack@suse.cz>
+Date: Fri Mar 29 15:39:16 2013 +0100
+
+ Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
+
+ reiserfs: Fix warning and inode leak when deleting inode with xattrs
+
+ After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
+ started failing to delete xattrs from inode. This was due to a buggy
+ test for '.' and '..' in fill_with_dentries() which resulted in passing
+ '.' and '..' entries to lookup_one_len() in some cases. That returned
+ error and so we failed to iterate over all xattrs of and inode.
+
+ Fix the test in fill_with_dentries() along the lines of the one in
+ lookup_one_len().
+
+ Reported-by: Pawel Zawora <pzawora@gmail.com>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Jan Kara <jack@suse.cz>
+
+ fs/reiserfs/xattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 9f07957378e0f55abb81da8e23b124a608fbe1cc
+Author: Paul Bolle <pebolle@tiscali.nl>
+Date: Wed Apr 3 12:24:45 2013 +0100
+
+ Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2
+
+ ARM: 7690/1: mm: fix CONFIG_LPAE typos
+
+ CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix
+ up the two typos under arch/arm/.
+
+ The fix to head.S is slightly scary, but this is just for setting up
+ an early io-mapping for the serial port when running on a big-endian,
+ LPAE system. Since these systems don't exist in the wild (at least, I
+ have no access to one outside of kvmtool, which doesn't provide a serial
+ port suitable for earlyprintk), then we can revisit the code later if it
+ causes any problems.
+
+ Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
+ Signed-off-by: Will Deacon <will.deacon@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ arch/arm/kernel/head.S | 2 +-
+ arch/arm/kernel/setup.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 984ba346b2d8f158473e9723ba145031368431ed
+Author: Catalin Marinas <catalin.marinas@arm.com>
+Date: Tue Mar 26 23:35:04 2013 +0100
+
+ Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb
+
+ ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations)
+
+ On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down
+ all use of the old entries. This patch implements the erratum workaround
+ which consists of:
+
+ 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation.
+ 2. Send IPI to the CPUs that are running the same mm (and ASID) as the
+ one being invalidated (or all the online CPUs for global pages).
+ 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception
+ return code already).
+
+ Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+ Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+
+ Conflicts:
+
+ arch/arm/include/asm/tlbflush.h
+ arch/arm/kernel/smp_tlb.c
+ arch/arm/mm/context.c
+
+ arch/arm/Kconfig | 10 +++++
+ arch/arm/include/asm/highmem.h | 7 ++++
+ arch/arm/include/asm/mmu_context.h | 2 +
+ arch/arm/include/asm/tlbflush.h | 15 ++++++++
+ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++
+ arch/arm/mm/context.c | 6 ++-
+ 6 files changed, 104 insertions(+), 2 deletions(-)
+
+commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286
+Author: Jan Stancek <jstancek@redhat.com>
+Date: Thu Apr 4 11:35:10 2013 -0700
+
+ Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
+
+ mm: prevent mmap_cache race in find_vma()
+
+ find_vma() can be called by multiple threads with read lock
+ held on mm->mmap_sem and any of them can update mm->mmap_cache.
+ Prevent compiler from re-fetching mm->mmap_cache, because other
+ readers could update it in the meantime:
+
+ thread 1 thread 2
+ |
+ find_vma() | find_vma()
+ struct vm_area_struct *vma = NULL; |
+ vma = mm->mmap_cache; |
+ if (!(vma && vma->vm_end > addr |
+ && vma->vm_start <= addr)) { |
+ | mm->mmap_cache = vma;
+ return vma; |
+ ^^ compiler may optimize this |
+ local variable out and re-read |
+ mm->mmap_cache |
+
+ This issue can be reproduced with gcc-4.8.0-1 on s390x by running
+ mallocstress testcase from LTP, which triggers:
+
+ kernel BUG at mm/rmap.c:1088!
+ Call Trace:
+ ([<000003d100c57000>] 0x3d100c57000)
+ [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
+ [<000000000023baae>] handle_pte_fault+0x41a/0xac8
+ [<000000000023d832>] handle_mm_fault+0x17a/0x268
+ [<000000000060507a>] do_protection_exception+0x1e2/0x394
+ [<0000000000603a04>] pgm_check_handler+0x138/0x13c
+ [<000003fffcf1f07a>] 0x3fffcf1f07a
+ Last Breaking-Event-Address:
+ [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
+
+ Thanks to Jakub Jelinek for his insight on gcc and helping to
+ track this down.
+
+ Signed-off-by: Jan Stancek <jstancek@redhat.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmap.c | 2 +-
+ mm/nommu.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 53f5096daa14967938bc154e6c41f9119863fb36
+Merge: e988d7c 0a45285
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 5 17:32:31 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/ethernet/broadcom/tg3.c
+
+commit 0a452855444d02502df6eb21ef3083cf303f71e1
+Merge: 0277fa1 00cfbb8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Apr 5 17:31:15 2013 -0400
+
+ Update to pax-linux-3.8.6-test16.patch:
+ - fixed some attribute leakage into userland headers, patch by Mathias Krause
+ - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ drivers/gpu/drm/i915/intel_display.c
+
+commit e988d7c8d946c816a2cb97f0d38048a1584966b8
+Merge: baec40e 0277fa1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 3 22:05:41 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0277fa123b486cf11420967e4568d7653e225fd3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Apr 3 22:04:48 2013 -0400
+
+ Update to pax-linux-3.8.5-test15.patch:
+ - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
+ - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
+
+ drivers/media/pci/cx88/cx88-video.c | 6 +++---
+ include/net/net_namespace.h | 4 ++++
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+commit baec40e6708fd5ae2000cad6c70c5980c998b91c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 19:50:32 2013 -0400
+
+ fix compilation as reported on forums for gcc versions lacking plugin
+ support
+
+ include/net/net_namespace.h | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095
+Merge: 6b69c35 0db9d15
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:47:27 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0db9d156826bdd50510086fde837648a3dfd370e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:46:05 2013 -0400
+
+ Update to pax-linux-3.8.5-test14.patch:
+ - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table
+
+ arch/x86/include/asm/uaccess_64.h | 6 +-
+ include/linux/moduleloader.h | 4 +-
+ tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++----------------
+ 3 files changed, 61 insertions(+), 47 deletions(-)
+
+commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Apr 2 17:35:06 2013 -0400
+
+ remove duplicate compiler.h
+
+ include/linux/sysrq.h | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit 01e1d503fd2220adaaec0b92ea19441bdff73555
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 19:53:50 2013 -0400
+
+ fix intentional_overflow marking on sys_sendto
+
+ include/linux/syscalls.h | 2 +-
+ net/socket.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit cd5ff114d958470f471c63775278e8c05e774630
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 18:46:16 2013 -0400
+
+ fix size_overflow false positive
+
+ kernel/futex_compat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 295ba16cc53df2375261accbedd6575ea327770a
+Merge: 18340f1 278a989
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:36:18 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/exec.c
+ include/linux/thread_info.h
+
+commit 278a989c831d62193c7b3d119fe2302babd45d12
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:34:34 2013 -0400
+
+ Resync with pax-linux-3.8.5-test13.patch
+
+ arch/arm/include/asm/pgtable.h | 3 ++-
+ arch/arm/lib/delay.c | 1 +
+ fs/exec.c | 8 ++++----
+ include/linux/compiler.h | 1 +
+ include/linux/proc_fs.h | 2 +-
+ include/linux/thread_info.h | 6 +++---
+ include/linux/zlib.h | 3 ++-
+ init/main.c | 4 ++--
+ kernel/user_namespace.c | 2 +-
+ lib/list_debug.c | 4 ++--
+ mm/slab.c | 1 +
+ mm/slob.c | 1 +
+ mm/slub.c | 1 +
+ net/core/sysctl_net_core.c | 3 +--
+ tools/gcc/constify_plugin.c | 1 +
+ 15 files changed, 24 insertions(+), 17 deletions(-)
+
+commit 18340f14bd42d06c60995ab04cf6bb235bcaade6
+Merge: 05f01ae e8cfeae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:30:57 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9
+Merge: b461cb7 aa4cfde
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:30:44 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c
+ fs/nfsd/vfs.c
+
+commit 05f01ae4c3479541586a2387f916a6620889c479
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 29 17:05:39 2013 -0400
+
+ Another infoleak, up to 128 bytes on the stack in __sys_recvmsg
+ takes user-provided length, copies up to that amount in a sockaddr_storage
+ struct on the stack, then takes an upper-bounded-only user-provided length
+ and copies the sockaddr_storage struct back out to userland, complete with
+ uninitialized data
+
+ net/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit eea6ade59490784e83e08ec67322288fcf14cb31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 23:07:37 2013 -0400
+
+ return a proper error, otherwise we could be accessing uninitialized data
+ (previous define was a positive value)
+
+ drivers/usb/storage/realtek_cr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e
+Merge: c3dc9a6 b461cb7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:54:24 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b461cb7b1d85490430ef7896c247794af72c3749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:54:11 2013 -0400
+
+ Add structleak plugin
+
+ tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 270 insertions(+), 0 deletions(-)
+
+commit c3dc9a6ef10782894bb11fd088fd712db44d8062
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:53:22 2013 -0400
+
+ Enable structleak by default for the security auto-config
+
+ security/Kconfig | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e
+Merge: d8503a3 74bec16
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:47:10 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 74bec16b657147a5575b1f14f4423a717ba317a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:46:13 2013 -0400
+
+ Update to pax-linux-3.8.4-test13.patch:
+ - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
+ - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland
+
+ Makefile | 5 +++-
+ arch/x86/include/asm/compat.h | 2 +-
+ arch/x86/mm/fault.c | 3 +-
+ fs/binfmt_elf.c | 2 +-
+ include/linux/compiler.h | 42 ++++++++++++++--------------------------
+ security/Kconfig | 16 +++++++++++++++
+ tools/gcc/Makefile | 2 +
+ tools/gcc/constify_plugin.c | 7 +++++-
+ 8 files changed, 47 insertions(+), 32 deletions(-)
+
+commit d8503a3a35d68b9ba1615d29335aef3f70d51465
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 28 20:02:40 2013 -0400
+
+ Fix 8-byte stack infoleak in ia32_rt_sigpending
+ User controls length, kernel only performs check on the upper bound, will
+ fill in any amount less than sizeof(sigset_t) via a copy_to_user under
+ KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
+ regardless of whether the sigset_t content copied into it has been initialized
+ or not
+
+ arch/x86/ia32/sys_ia32.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 26 21:05:05 2013 -0400
+
+ commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
+ Author: J. Bruce Fields <bfields@redhat.com>
+ Date: Tue Mar 26 14:11:13 2013 -0400
+
+ nfsd4: reject "negative" acl lengths
+
+ Since we only enforce an upper bound, not a lower bound, a "negative"
+ length can get through here.
+
+ The symptom seen was a warning when we attempt to a kmalloc with an
+ excessive size.
+
+ Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+ Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+
+ fs/nfsd/nfs4xdr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89
+Author: Jeff Layton <jlayton@redhat.com>
+Date: Mon Mar 11 09:52:19 2013 -0400
+
+ Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
+
+ cifs: ignore everything in SPNEGO blob after mechTypes
+
+ We've had several reports of people attempting to mount Windows 8 shares
+ and getting failures with a return code of -EINVAL. The default sec=
+ mode changed recently to sec=ntlmssp. With that, we expect and parse a
+ SPNEGO blob from the server in the NEGOTIATE reply.
+
+ The current decode_negTokenInit function first parses all of the
+ mechTypes and then tries to parse the rest of the negTokenInit reply.
+ The parser however currently expects a mechListMIC or nothing to follow the
+ mechTypes, but Windows 8 puts a mechToken field there instead to carry
+ some info for the new NegoEx stuff.
+
+ In practice, we don't do anything with the fields after the mechTypes
+ anyway so I don't see any real benefit in continuing to parse them.
+ This patch just has the kernel ignore the fields after the mechTypes.
+ We'll probably need to reinstate some of this if we ever want to support
+ NegoEx.
+
+ Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
+ Reported-by: Yan Li <elliot.li.tech@gmail.com>
+ Signed-off-by: Jeff Layton <jlayton@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Steve French <sfrench@us.ibm.com>
+
+ fs/cifs/asn1.c | 53 +++++------------------------------------------------
+ 1 files changed, 5 insertions(+), 48 deletions(-)
+
+commit 0b1c6223105a05d5a84e39a5e951868e37610e1c
+Merge: 93ff726 0deb54c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:35:15 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:35:05 2013 -0400
+
+ fix typo
+
+ arch/x86/mm/ioremap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 93ff72680353534d4b0b213aecb61f1fc2f9a152
+Merge: be9f8b8 f95e53a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:30:06 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit f95e53abadb6e4665866e4502ff9f518514193e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 18:29:25 2013 -0400
+
+ Update to pax-linux-3.8.4-test12.patch:
+
+ - fixed perf compilation reported by Michael Tremer
+ - fixed USERCOPY reports triggered by SCTP, reported by mcp
+ - last fix for aslr gap accounting, promise (thanks to spender)
+
+ arch/x86/mm/ioremap.c | 3 +++
+ fs/binfmt_elf.c | 5 ++---
+ mm/mmap.c | 2 +-
+ net/sctp/socket.c | 19 +++++++++++++++----
+ tools/perf/util/include/linux/compiler.h | 8 ++++++++
+ 5 files changed, 29 insertions(+), 8 deletions(-)
+
+commit be9f8b82b0d8a21d7515fb6e44a907623381c5df
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 25 16:48:34 2013 -0400
+
+ From: Al Viro <viro@ZenIV.linux.org.uk>
+ To: Brad Spengler <spender@grsecurity.net>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Umm... I see what you are describing, and AFAICS you are correct; let me
+ see if I am misreading your analysis:
+ * vfsmount_lock may act fair; A holding it shared, with B spinning
+ on attempt to take it exclusive may lead to C spinning on attempt to take
+ it shared.
+ * path_is_under() tries get rename_lock while holding vfsmount_lock
+ shared.
+ * d_path() et.al. try to take vfsmount_lock shared, while holding
+ rename_lock.
+
+ All true and yes, it's a bug (I'd probably classify it as a livelock, but
+ that doesn't make any real difference). There are three possible solutions,
+ AFAICS:
+ 1) two-liner in path_is_under() replacing the use of vfsmount_lock
+ with that of namespace_sem; trivial, but results in function unexpectedly
+ blocking. The current callers are fine with that, but it's a trouble
+ waiting to happen.
+ 2) replace write_seqlock() in prepend_path() callers with
+ read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
+ is_subdir() we need more than just ->d_parent not pointing to something
+ freed - we also care about ->d_name.len being in sync with ->d_name.name.
+ It probably can be worked around, but...
+
+ 3) declare that rename_lock nests inside vfsmount_lock and let
+ the callers of prepend_path() take vfsmount_lock(). I'd probably prefer
+ that one...
+
+ Nest rename_lock inside vfsmount_lock
+
+ ... lest we get livelocks between path_is_under() and d_path() and friends.
+
+ [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
+ the issue ]
+
+ Spotted-by: Brad Spengler <spender@grsecurity.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/dcache.c | 16 +++++++++++-----
+ grsecurity/gracl.c | 20 ++++++++++----------
+ 2 files changed, 21 insertions(+), 15 deletions(-)
+
+commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri Mar 22 11:44:04 2013 -0700
+
+ Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353
+
+ vfs,proc: guarantee unique inodes in /proc
+
+ Dave Jones found another /proc issue with his Trinity tool: thanks to
+ the namespace model, we can have multiple /proc dentries that point to
+ the same inode, aliasing directories in /proc/<pid>/net/ for example.
+
+ This ends up being a total disaster, because it acts like hardlinked
+ directories, and causes locking problems. We rely on the topological
+ sort of the inodes pointed to by dentries, and if we have aliased
+ directories, that odering becomes unreliable.
+
+ In short: don't do this. Multiple dentries with the same (directory)
+ inode is just a bad idea, and the namespace code should never have
+ exposed things this way. But we're kind of stuck with it.
+
+ This solves things by just always allocating a new inode during /proc
+ dentry lookup, instead of using "iget_locked()" to look up existing
+ inodes by superblock and number. That actually simplies the code a bit,
+ at the cost of potentially doing more inode [de]allocations.
+
+ That said, the inode lookup wasn't free either (and did a lot of locking
+ of inodes), so it is probably not that noticeable. We could easily keep
+ the old lookup model for non-directory entries, but rather than try to
+ be excessively clever this just implements the minimal and simplest
+ workaround for the problem.
+
+ Reported-and-tested-by: Dave Jones <davej@redhat.com>
+ Analyzed-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/inode.c
+
+ fs/proc/inode.c | 9 +++------
+ 1 files changed, 3 insertions(+), 6 deletions(-)
+
+commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb
+Author: Vladimir Davydov <vdavydov@parallels.com>
+Date: Fri Mar 22 15:04:51 2013 -0700
+
+ Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301
+
+ mqueue: sys_mq_open: do not call mnt_drop_write() if read-only
+
+ mnt_drop_write() must be called only if mnt_want_write() succeeded,
+ otherwise the mnt_writers counter will diverge.
+
+ mnt_writers counters are used to check if remounting FS as read-only is
+ OK, so after an extra mnt_drop_write() call, it would be impossible to
+ remount mqueue FS as read-only. Besides, on umount a warning would be
+ printed like this one:
+
+ =====================================
+ [ BUG: bad unlock balance detected! ]
+ 3.9.0-rc3 #5 Not tainted
+ -------------------------------------
+ a.out/12486 is trying to release lock (sb_writers) at:
+ mnt_drop_write+0x1f/0x30
+ but there are no more locks to release!
+
+ Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
+ Cc: Doug Ledford <dledford@redhat.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/mqueue.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 13:02:32 2013 -0400
+
+ Don't use constify plugin if not enabled in config,
+ reported by Alexey Vlasov
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 3afb82e020593249ac394e9859397c3e0ef5341c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:50:13 2013 -0400
+
+ oded 0day #2
+ http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+ slide 20
+
+ drivers/net/ethernet/broadcom/tg3.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 4cc4b98b29faff2530540be16e0fcd8a74800b06
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:15:50 2013 -0400
+
+ oded 0day #1
+ http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+ slide 18
+
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 23 12:13:12 2013 -0400
+
+ remove warning on accessing this /proc entry, HIDESYM already caught the infoleak
+
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 44cb11a9470f72157601d0ad4d572d111f90f504
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 18:11:42 2013 -0400
+
+ use VM_DONTDUMP
+
+ fs/binfmt_elf.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 17:53:09 2013 -0400
+
+ fix recent RLIMIT_AS changes (due to vm_flags typo)
+
+ Conflicts:
+
+ fs/binfmt_elf.c
+
+ fs/binfmt_elf.c | 2 +-
+ mm/mmap.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit fd5f0d92b0fbec02029dad124501a9c80e527a32
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 22 17:08:48 2013 -0400
+
+ complete_walk drops rcu-walk mode, no need for our own dropping
+ method outside of generic_permission
+
+ fs/namei.c | 30 ------------------------------
+ 1 files changed, 0 insertions(+), 30 deletions(-)
+
+commit b49ab1c73edb6442eec609b26bba4d850b3111b6
+Merge: 5e9a707 783ade9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 21:56:28 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 21:55:31 2013 -0400
+
+ Update to pax-linux-3.8.3-test11.patch:
+ - rewrote the ASLR gap accounting code once again
+ - fixed ptrace compat bug found by the size overflow plugin
+
+ fs/binfmt_elf.c | 25 ++++++++++++-------------
+ fs/exec.c | 7 ++-----
+ include/linux/compat.h | 2 +-
+ include/linux/mm.h | 5 +++++
+ include/linux/mm_types.h | 2 +-
+ kernel/ptrace.c | 2 +-
+ mm/mmap.c | 15 ++++++++++-----
+ 7 files changed, 32 insertions(+), 26 deletions(-)
+
+commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 19:37:33 2013 -0400
+
+ Make the constify plugin usage actually depend on the introduced config option
+ (it was still forced on)
+
+ tools/gcc/Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 1974b4f58d9d729c80ac1987785446115304a54c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 21 16:12:38 2013 -0400
+
+ fix failed merge
+
+ arch/arm/mm/fault.c | 15 +++------------
+ 1 files changed, 3 insertions(+), 12 deletions(-)
+
+commit 675a8ab4a8fe8315df348735a37a302a7535224c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 23:36:14 2013 -0400
+
+ From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
+ From: Kees Cook <keescook@chromium.org>
+ Date: Sun, 10 Mar 2013 20:09:31 +0000
+ Subject: drm/i915: bounds check execbuffer relocation count
+
+ It is possible to wrap the counter used to allocate the buffer for
+ relocation copies. This could lead to heap writing overflows.
+
+ CVE-2013-0913
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Reported-by: Pinkie Pie
+ Cc: stable@vger.kernel.org
+
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+commit ddeac12cbb9076bffd51c544e03463f94c9eaa39
+Author: Andy Honig <ahonig@google.com>
+Date: Wed Feb 20 14:48:10 2013 -0800
+
+ Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1
+
+ KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)
+
+ There is a potential use after free issue with the handling of
+ MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
+ memory such as frame buffers then KVM might continue to write to that
+ address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
+ the page in memory so it's unlikely to cause an issue, but if the user
+ space component re-purposes the memory previously used for the guest, then
+ the guest will be able to corrupt that memory.
+
+ Tested: Tested against kvmclock unit test
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ arch/x86/include/asm/kvm_host.h | 4 +-
+ arch/x86/kvm/x86.c | 47 ++++++++++++++++----------------------
+ 2 files changed, 22 insertions(+), 29 deletions(-)
+
+commit 0bcac31b57c381001feb69fd6ec8069e61e03432
+Author: Andy Honig <ahonig@google.com>
+Date: Mon Mar 11 09:34:52 2013 -0700
+
+ Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
+
+ KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
+
+ If the guest sets the GPA of the time_page so that the request to update the
+ time straddles a page then KVM will write onto an incorrect page. The
+ write is done byusing kmap atomic to get a pointer to the page for the time
+ structure and then performing a memcpy to that page starting at an offset
+ that the guest controls. Well behaved guests always provide a 32-byte aligned
+ address, however a malicious guest could use this to corrupt host kernel
+ memory.
+
+ Tested: Tested against kvmclock unit test.
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ arch/x86/kvm/x86.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 695c59887e4ec10b0b695ab4f645d1226c433be0
+Author: Andy Honig <ahonig@google.com>
+Date: Wed Feb 20 14:49:16 2013 -0800
+
+ Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
+
+ KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
+
+ If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
+ that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
+ that request. ioapic_read_indirect contains an
+ ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
+ non-debug builds. In recent kernels this allows a guest to cause a kernel
+ oops by reading invalid memory. In older kernels (pre-3.3) this allows a
+ guest to read from large ranges of host memory.
+
+ Tested: tested against apic unit tests.
+
+ Signed-off-by: Andrew Honig <ahonig@google.com>
+ Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+
+ virt/kvm/ioapic.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e
+Merge: aec3cd4 c522e3a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 19:38:25 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3
+Merge: c57d855 405acc3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 20 19:38:11 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 19:56:04 2013 -0400
+
+ include linux/compiler.h
+
+ include/linux/zlib.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:42:20 2013 -0400
+
+ fix missing sock_release()
+
+ net/irda/af_irda.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit dd65c05cd24faf8946d4941434a553ee285c35a3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:36:17 2013 -0400
+
+ fix mpt fusion infoleak
+
+ drivers/message/fusion/mptbase.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit e297b4f150b769efdc4c547d3caf1e3c0f24735f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 18:33:45 2013 -0400
+
+ Fix size_overflow false positive reported by slashbeast
+
+ include/linux/zlib.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:35:36 2013 -0400
+
+ fix up failed merge
+
+ arch/arm/mm/fault.c | 9 ++-------
+ 1 files changed, 2 insertions(+), 7 deletions(-)
+
+commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:34:36 2013 -0400
+
+ update documentation on consequences of building without gcc plugin support
+
+ Makefile | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 19 17:18:13 2013 -0400
+
+ fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums
+
+ init/main.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit f00195c633f91cfbd8c1f530d2c371b713026e20
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 22:27:33 2013 -0400
+
+ Fix compile error reported by KDE on the forums
+
+ kernel/user_namespace.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2979c6ee78aabb4421873ea53581380c6bb6ed05
+Merge: 0949569 c57d855
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 22:20:46 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/mm/fault.c
+ arch/x86/mm/fault.c
+ fs/exec.c
+
+commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 18 21:22:03 2013 -0400
+
+ Update to pax-linux-3.8.2-test9.patch:
+ arm changes from spender
+ - removed userland access to the vectors page
+ - removed obsolete sigreturn trampoline handling
+ - added emulation for __kuser_get_tls
+ - fixed missing uderef instrumentation in unaligned memory accessors (failed safe)
+ - fixed recent sysfs/power_supply attr breakage reported by Steven Allen
+ - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960)
+ - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
+ - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
+ - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
+ and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
+
+ arch/arm/kernel/process.c | 5 +-
+ arch/arm/kernel/signal.c | 24 +-
+ arch/arm/kernel/traps.c | 7 -
+ arch/arm/mm/alignment.c | 8 +
+ arch/arm/mm/fault.c | 23 +-
+ arch/arm/mm/mmu.c | 2 +-
+ arch/x86/include/asm/bitops.h | 2 +-
+ arch/x86/include/asm/desc.h | 2 +-
+ arch/x86/include/asm/div64.h | 2 +-
+ arch/x86/include/asm/io.h | 8 +-
+ arch/x86/include/asm/paravirt.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +-
+ arch/x86/kernel/setup_percpu.c | 2 +-
+ arch/x86/mm/fault.c | 4 +-
+ arch/x86/mm/numa.c | 2 +-
+ arch/x86/mm/physaddr.c | 4 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_mr.c | 2 +-
+ drivers/lguest/page_tables.c | 2 +-
+ drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/power/power_supply_core.c | 1 +
+ drivers/usb/core/message.c | 2 +-
+ fs/befs/endian.h | 4 +-
+ fs/binfmt_elf.c | 5 +-
+ fs/exec.c | 4 +-
+ fs/qnx6/qnx6.h | 4 +-
+ fs/sysv/sysv.h | 2 +-
+ fs/ubifs/io.c | 2 +-
+ fs/ufs/swab.h | 4 +-
+ include/linux/compat.h | 4 +-
+ include/linux/completion.h | 6 +-
+ include/linux/cpumask.h | 12 +-
+ include/linux/ctype.h | 2 +-
+ include/linux/err.h | 4 +-
+ include/linux/math64.h | 6 +-
+ include/linux/sched.h | 2 +-
+ include/linux/unaligned/access_ok.h | 12 +-
+ include/linux/usb.h | 2 +-
+ include/uapi/linux/byteorder/little_endian.h | 4 +-
+ include/uapi/linux/swab.h | 6 +-
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 3 +
+ kernel/time.c | 2 +-
+ kernel/timer.c | 2 +-
+ lib/div64.c | 4 +-
+ mm/page-writeback.c | 2 +-
+ net/socket.c | 2 +
+ scripts/package/builddeb | 1 +
+ tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++----------
+ tools/gcc/size_overflow_plugin.c | 1072 ++--
+ 53 files changed, 6227 insertions(+), 3951 deletions(-)
+
+commit 09495691bb31f11ec14d9127429f9a0f3f716f22
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 17 20:51:50 2013 -0400
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit deb85b00d0f9f886e264e116313f298401ec5c59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 17 20:03:33 2013 -0400
+
+ Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
+ with a subject applied to it with RES_CPU. Otherwise, the limit will only
+ begin to be applied at fork time.
+
+ Thanks to Bjornar Ness for the report.
+
+ grsecurity/gracl.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 2126421f123513f604ceef2b23ba9ed516de7e58
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 22:07:43 2013 -0400
+
+ Move inode auditing prior to our refcnt dropping
+
+ fs/namei.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4d4e665885aab4bacfe662ad6d2190fc9d817146
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 22:00:30 2013 -0400
+
+ Drop reference on completed path walked in RCU mode or when violating
+ the chroot fchdir check inside a chroot -- possible culprit for a reported
+ vfsmount_lock hang during unmount
+
+ fs/namei.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit 53a8a413f45340ee176dd36dd283de3a1ebb7417
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 16:43:45 2013 -0400
+
+ add user_arg_ptr back to exec.c
+
+ fs/exec.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+commit 83d285953c7e75db388c7f65be5cf1e16fcedec8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 16 11:22:36 2013 -0400
+
+ Don't globally include compat.h -- with the new X32 support it
+ changes some definitions involving ELF binaries resulting in invalid
+ coredumps, as reported by KDE on the forums:
+ http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
+ Thanks to the PaX Team for debugging
+
+ fs/exec.c | 3 +++
+ grsecurity/grsec_exec.c | 13 +++++++++++++
+ include/linux/grsecurity.h | 15 ---------------
+ 3 files changed, 16 insertions(+), 15 deletions(-)
+
+commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:59:26 2013 -0400
+
+ Add peer information to /proc/net/unix from Kenan Kalajdzic:
+ http://marc.info/?l=linux-netdev&m=126745636809191&w=2
+
+ We use a "P" prefix to the inode number instead of "peer=". This
+ additional information can be used, for instance, to find what processes
+ are connected to MySQL's unix domain socket.
+
+ net/unix/af_unix.c | 12 +++++++++---
+ 1 files changed, 9 insertions(+), 3 deletions(-)
+
+commit 1cd623d11a462d151ea8a5cace4521e1724911a3
+Author: Oliver Neukum <oneukum@suse.de>
+Date: Tue Mar 12 14:52:42 2013 +0100
+
+ Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa
+
+ USB: cdc-wdm: fix buffer overflow
+
+ The buffer for responses must not overflow.
+ If this would happen, set a flag, drop the data and return
+ an error after user space has read all remaining data.
+
+ Signed-off-by: Oliver Neukum <oliver@neukum.org>
+ CC: stable@kernel.org
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
+ 1 files changed, 20 insertions(+), 3 deletions(-)
+
+commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc
+Merge: 9cdf9bc db4cb92
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:23:14 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/keys/compat.c
+
+commit db4cb924546e3fec3a59f78d056f48176eaf7100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:22:24 2013 -0400
+
+ Update to pax-linux-3.8.2-test8.patch
+
+ arch/arm/include/asm/cache.h | 2 ++
+ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++----------
+ arch/arm/mach-omap2/omap_device.c | 4 ++--
+ arch/arm/mach-omap2/omap_device.h | 4 ++--
+ arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
+ 5 files changed, 19 insertions(+), 15 deletions(-)
+
+commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae
+Merge: 3c865f9 1a45c31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 14 20:20:54 2013 -0400
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+ Conflicts:
+ arch/arm/include/asm/delay.h
+ arch/arm/include/asm/pgtable.h
+ arch/arm/lib/delay.c
+ security/keys/compat.c
+
+commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Tue Mar 12 02:59:49 2013 +0000
+
+ Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
+
+ vfs: fix pipe counter breakage
+
+ If you open a pipe for neither read nor write, the pipe code will not
+ add any usage counters to the pipe, causing the 'struct pipe_inode_info"
+ to be potentially released early.
+
+ That doesn't normally matter, since you cannot actually use the pipe,
+ but the pipe release code - particularly fasync handling - still expects
+ the actual pipe infrastructure to all be there. And rather than adding
+ NULL pointer checks, let's just disallow this case, the same way we
+ already do for the named pipe ("fifo") case.
+
+ This is ancient going back to pre-2.4 days, and until trinity, nobody
+ naver noticed.
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/pipe.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit c11fa4be226659a40a6c73f0fa09fee074fba1b2
+Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Mon Feb 25 10:20:36 2013 -0500
+
+ Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
+
+ Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
+
+ Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
+ compat_process_vm_rw() shows that the compatibility code requires an
+ explicit "access_ok()" check before calling
+ compat_rw_copy_check_uvector(). The same difference seems to appear when
+ we compare fs/read_write.c:do_readv_writev() to
+ fs/compat.c:compat_do_readv_writev().
+
+ This subtle difference between the compat and non-compat requirements
+ should probably be debated, as it seems to be error-prone. In fact,
+ there are two others sites that use this function in the Linux kernel,
+ and they both seem to get it wrong:
+
+ Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
+ also ends up calling compat_rw_copy_check_uvector() through
+ aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
+ be missing. Same situation for
+ security/keys/compat.c:compat_keyctl_instantiate_key_iov().
+
+ I propose that we add the access_ok() check directly into
+ compat_rw_copy_check_uvector(), so callers don't have to worry about it,
+ and it therefore makes the compat call code similar to its non-compat
+ counterpart. Place the access_ok() check in the same location where
+ copy_from_user() can trigger a -EFAULT error in the non-compat code, so
+ the ABI behaviors are alike on both compat and non-compat.
+
+ While we are here, fix compat_do_readv_writev() so it checks for
+ compat_rw_copy_check_uvector() negative return values.
+
+ And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
+ handling.
+
+ Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ security/keys/compat.c
+
+ fs/compat.c | 15 +++++++--------
+ mm/process_vm_access.c | 8 --------
+ security/keys/compat.c | 3 ++-
+ 3 files changed, 9 insertions(+), 17 deletions(-)
+
+commit 13487f197ab2d5bc76156224c24c45a44bbd6a11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 11 18:38:38 2013 -0400
+
+ Fix leak of signal handler addresses across execve, found by Emese Revfy
+
+ kernel/signal.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 79b130c4b11c7940daf2b33d653a17666331c634
+Merge: 6480ce9 3c865f9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 20:04:03 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 20:03:12 2013 -0400
+
+ Update to pax-linux-3.8.2-test7.patch:
+ - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342)
+ - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
+
+ fs/binfmt_elf.c | 3 ++-
+ fs/exec.c | 3 +++
+ include/linux/mm_types.h | 2 +-
+ init/main.c | 4 ++--
+ mm/mmap.c | 2 +-
+ mm/page_alloc.c | 4 ++--
+ tools/gcc/latent_entropy_plugin.c | 11 +++++++----
+ 7 files changed, 18 insertions(+), 11 deletions(-)
+
+commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491
+Merge: 4a5305e 25b3569
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 10:41:16 2013 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 25b356980568bed9958315bb5a551fdc610055ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 10 10:40:48 2013 -0400
+
+ Update to pax-linux-3.8.2-test6.patch:
+ - fixed a KERNEXEC false positive on arm reported by Gu1
+ - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340)
+ - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
+ - added fix from spender for some namespace breakage reported by zakalwe
+ - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
+
+ Documentation/kernel-parameters.txt | 5 +++++
+ arch/arm/kernel/patch.c | 2 ++
+ arch/x86/kernel/sys_i386_32.c | 5 +++--
+ drivers/acpi/blacklist.c | 2 +-
+ drivers/video/aty/mach64_cursor.c | 1 +
+ init/main.c | 4 ----
+ mm/page_alloc.c | 27 +++++++++++++++++++++++++++
+ net/ipv4/ip_fragment.c | 2 +-
+ security/Kconfig | 5 +++++
+ tools/gcc/latent_entropy_plugin.c | 7 +++++--
+ 10 files changed, 50 insertions(+), 10 deletions(-)
+
+commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 9 11:19:06 2013 -0500
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
+ Stephen Hemminger <stephen@networkplumber.org>
+ Subject: [PATCH 1/3] bridge: fix mdb info leaks
+ Date: Sat, 9 Mar 2013 16:52:19 +0100
+
+ The bridging code discloses heap and stack bytes via the RTM_GETMDB
+ netlink interface and via the notify messages send to group RTNLGRP_MDB
+ afer a successful add/del.
+
+ Fix both cases by initializing all unset members/padding bytes with
+ memset(0).
+
+ Cc: Stephen Hemminger <stephen@networkplumber.org>
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
+ Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
+ Date: Sat, 9 Mar 2013 16:52:20 +0100
+
+ Initialize the mac address buffer with 0 as the driver specific function
+ will probably not fill the whole buffer. In fact, all in-kernel drivers
+ fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+ bytes. Therefore we currently leak 26 bytes of stack memory to userland
+ via the netlink interface.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ From: Mathias Krause <minipli@googlemail.com>
+ To: "David S. Miller" <davem@davemloft.net>
+ Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
+ Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
+ Date: Sat, 9 Mar 2013 16:52:21 +0100
+
+ The dcb netlink interface leaks stack memory in various places:
+ * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
+ copied completely,
+ * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
+ so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
+ for ieee_pfc structs, etc.,
+ * the same is true for CEE -- no in-kernel driver fills the whole
+ struct,
+
+ Prevent all of the above stack info leaks by properly initializing the
+ buffers/structures involved.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/bridge/br_mdb.c | 4 ++++
+ net/core/rtnetlink.c | 1 +
+ net/dcb/dcbnl.c | 8 ++++++++
+ 3 files changed, 13 insertions(+), 0 deletions(-)
+
+commit 601dd446f896e3a362f706943df18a68d50420a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 9 09:35:25 2013 -0500
+
+ add open/close wrappers in __patch_text() as reported by Gu1 on IRC
+
+ arch/arm/kernel/patch.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit ae39966fd85a493e9079b357e3faa62245a41222
+Author: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri Mar 8 12:43:27 2013 -0800
+
+ Upstream commit: 88b9e456b1649722673ffa147914299799dc9041
+
+ ipc: don't allocate a copy larger than max
+
+ When MSG_COPY is set, a duplicate message must be allocated for the copy
+ before locking the queue. However, the copy could not be larger than was
+ sent which is limited to msg_ctlmax.
+
+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+ Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msg.c | 6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 61240e99650ea3e540a03a3e994349c5086f166b
+Author: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri Mar 8 12:43:26 2013 -0800
+
+ Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19
+
+ ipc: fix potential oops when src msg > 4k w/ MSG_COPY
+
+ If the src msg is > 4k, then dest->next points to the
+ next allocated segment; resetting it just prior to dereferencing
+ is bad.
+
+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+ Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ ipc/msgutil.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 51727f602a267f34fb2e0dc9557f1714028d51a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 22:14:06 2013 -0500
+
+ add missing 'else' in recent constify fixups
+
+ net/ipv4/ip_fragment.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a38c1a640729b3d8e584d1ab98e908c221bc12cf
+Merge: 1580bb3 47c3f47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 18:18:37 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 8 18:17:22 2013 -0500
+
+ Update to pax-linux-3.8.2-test5.patch:
+ - fixed some fallout after the last round of constification changes, reported by several people
+
+ arch/arm/common/gic.c | 4 ++--
+ arch/arm/include/asm/hardware/gic.h | 3 ++-
+ arch/x86/include/asm/nmi.h | 2 +-
+ arch/x86/kernel/nmi.c | 2 +-
+ arch/x86/pci/irq.c | 2 +-
+ drivers/base/power/domain.c | 4 ++--
+ drivers/cpufreq/cpufreq_governor.c | 4 ++--
+ drivers/mfd/twl4030-irq.c | 1 +
+ drivers/video/vesafb.c | 7 +++++--
+ include/linux/irq.h | 1 +
+ include/linux/pm_domain.h | 2 +-
+ kernel/sched/core.c | 4 ++++
+ lib/Kconfig.debug | 4 ++--
+ net/core/sysctl_net_core.c | 2 +-
+ net/decnet/af_decnet.c | 1 +
+ net/ipv4/devinet.c | 2 +-
+ net/ipv4/ip_fragment.c | 2 +-
+ net/ipv4/route.c | 2 +-
+ net/ipv4/sysctl_net_ipv4.c | 2 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
+ net/ipv6/reassembly.c | 2 +-
+ scripts/sortextable.h | 6 +++---
+ 22 files changed, 36 insertions(+), 25 deletions(-)
+
+commit 1580bb38b4db0bf2a46316599815e8b234edad81
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 22:02:59 2013 -0500
+
+ add an additional open/close wrapper
+
+ kernel/sched/core.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 21622672d28d58e0d93a805cd1f9650a894a752a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 21:58:24 2013 -0500
+
+ fix oops at shutdown with new constify code
+
+ kernel/sched/core.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 21:18:44 2013 -0500
+
+ Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally
+ it currently conflicts with some lock debugging options, so made as an
+ option to allow for debugging when necessary
+
+ Makefile | 2 --
+ lib/Kconfig.debug | 6 +++---
+ security/Kconfig | 18 ++++++++++++++++++
+ 3 files changed, 21 insertions(+), 5 deletions(-)
+
+commit 0885b00b8373a1597b69c38032a0c9eee279303b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:55:19 2013 -0500
+
+ disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify
+
+ lib/Kconfig.debug | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c8a2617165e7127a54f293cbf57d22d50dd83abd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:30:41 2013 -0500
+
+ Fix error:
+ drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object
+ with cast and proper kernexec accessors
+
+ drivers/video/vesafb.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:20:28 2013 -0500
+
+ fix typo
+
+ grsecurity/gracl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 399674de6c42bbcae2d01b082d6d9ce9d183b000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 20:12:17 2013 -0500
+
+ fix compilation error -- no reason for task_pid_nr to not take a const task ptr
+
+ include/linux/sched.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f
+Author: Kees Cook <keescook@chromium.org>
+Date: Mon Feb 25 21:32:25 2013 +0000
+
+ Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
+
+ proc connector: reject unprivileged listener bumps
+
+ While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
+ for an unprivileged user to turn off notifications for all listeners by
+ sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
+ required for a multicast bind.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Cc: Evgeniy Polyakov <zbr@ioremap.net>
+ Cc: Matt Helsley <matthltc@us.ibm.com>
+ Cc: stable@vger.kernel.org
+ Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+ Acked-by: Matt Helsley <matthltc@us.ibm.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/connector/cn_proc.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit ac6014ded57101e3e608941555ff507e20c1ece3
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Feb 26 19:15:02 2013 +0000
+
+ Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
+
+ irda: small read beyond end of array in debug code
+
+ charset comes from skb->data. It's a number in the 0-255 range.
+ If we have debugging turned on then this could cause a read beyond
+ the end of the array.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/irda/iriap.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe
+Author: Guenter Roeck <linux@roeck-us.net>
+Date: Wed Feb 27 10:57:31 2013 +0000
+
+ Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1
+
+ net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
+
+ Building sctp may fail with:
+
+ In function ‘copy_from_user’,
+ inlined from ‘sctp_getsockopt_assoc_stats’ at
+ net/sctp/socket.c:5656:20:
+ arch/x86/include/asm/uaccess_32.h:211:26: error: call to
+ ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
+ buffer size is not provably correct
+
+ if built with W=1 due to a missing parameter size validation
+ before the call to copy_from_user.
+
+ Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c
+Author: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri Mar 1 05:02:02 2013 +0000
+
+ Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
+
+ l2tp: Restore socket refcount when sendmsg succeeds
+
+ The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
+ reference counter after successful transmissions. Any successful
+ sendmsg() call from userspace will then increase the reference counter
+ forever, thus preventing the kernel's session and tunnel data from
+ being freed later on.
+
+ The problem only happens when writing directly on L2TP sockets.
+ PPP sockets attached to L2TP are unaffected as the PPP subsystem
+ uses pppol2tp_xmit() which symmetrically increase/decrease reference
+ counters.
+
+ This patch adds the missing call to sock_put() before returning from
+ pppol2tp_sendmsg().
+
+ Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/l2tp/l2tp_ppp.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 98a9a5f981f5deda4059a255c1196886f2f27e2f
+Author: Cong Wang <amwang@redhat.com>
+Date: Sun Mar 3 16:18:11 2013 +0000
+
+ Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
+
+ rds: limit the size allocated by rds_message_alloc()
+
+ Dave Jones reported the following bug:
+
+ "When fed mangled socket data, rds will trust what userspace gives it,
+ and tries to allocate enormous amounts of memory larger than what
+ kmalloc can satisfy."
+
+ WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+ Hardware name: GA-MA78GM-S2H
+ Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+ Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+ Call Trace:
+ [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
+ [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
+ [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
+ [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
+ [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
+ [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
+ [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
+ [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
+ [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
+ [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
+ [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
+ [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
+ [<ffffffff81567f30>] sys_sendto+0x130/0x180
+ [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
+ [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
+ [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
+ ---[ end trace eed6ae990d018c8b ]---
+
+ Reported-by: Dave Jones <davej@redhat.com>
+ Cc: Dave Jones <davej@redhat.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/rds/message.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit b46df323e01c63c62fdb82cf2c47e4386f5a0499
+Author: Cong Wang <amwang@redhat.com>
+Date: Sun Mar 3 16:28:27 2013 +0000
+
+ Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
+
+ sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
+
+ Don't definite its own MAX_KMALLOC_SIZE, use the one
+ defined in mm.
+
+ Cc: Vlad Yasevich <vyasevich@gmail.com>
+ Cc: Sridhar Samudrala <sri@us.ibm.com>
+ Cc: Neil Horman <nhorman@tuxdriver.com>
+ Cc: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Cong Wang <amwang@redhat.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/ssnmap.c | 8 +++-----
+ 1 files changed, 3 insertions(+), 5 deletions(-)
+
+commit 4295a024e812f903fc580c81de5e81cc149503fa
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:57:49 2013 -0500
+
+ Upstream commit: https://lkml.org/lkml/2013/3/6/535
+
+ security/keys/process_keys.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 33edd486a9899a145a15586d7134636b0300aaee
+Merge: 4eeeaf3 a2a2094
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:53:00 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/arm/include/asm/domain.h
+
+commit a2a20947f5e1332e474160a39af520738b3c8c19
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 7 17:51:04 2013 -0500
+
+ Update to pax-linux-3.8.2-test4.patch:
+ fixed arm compilation problems reported by Michael Tremer
+ - the constify plugin got smarter that enabled, with some additional patching,
+ the elimination of about half the static function pointers on amd64/allmod
+ (up from about 18%), depending on the kernel config it can be even more (70%)
+
+ Documentation/dontdiff | 2 +
+ arch/arm/include/asm/domain.h | 1 +
+ arch/x86/include/asm/i8259.h | 2 +-
+ arch/x86/include/asm/nmi.h | 4 +-
+ arch/x86/kernel/acpi/boot.c | 4 +-
+ arch/x86/kernel/apic/apic_noop.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 2 +-
+ arch/x86/kernel/apic/io_apic.c | 10 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
+ arch/x86/kernel/i8259.c | 6 +-
+ arch/x86/kernel/io_delay.c | 2 +-
+ arch/x86/kernel/nmi.c | 6 +-
+ arch/x86/kernel/nmi_selftest.c | 4 +-
+ arch/x86/kernel/pci-swiotlb.c | 2 +-
+ arch/x86/oprofile/nmi_int.c | 8 +-
+ arch/x86/oprofile/op_model_amd.c | 8 +-
+ arch/x86/oprofile/op_model_ppro.c | 7 +-
+ arch/x86/oprofile/op_x86_model.h | 2 +-
+ arch/x86/pci/irq.c | 6 +-
+ drivers/acpi/apei/apei-internal.h | 2 +-
+ drivers/acpi/bgrt.c | 6 +-
+ drivers/acpi/blacklist.c | 2 +-
+ drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/sysfs.c | 4 +-
+ drivers/base/bus.c | 4 +-
+ drivers/base/node.c | 2 +-
+ drivers/base/syscore.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 4 +-
+ drivers/char/random.c | 2 +-
+ drivers/cpufreq/acpi-cpufreq.c | 20 ++-
+ drivers/cpufreq/cpufreq.c | 7 +-
+ drivers/cpufreq/cpufreq_governor.c | 4 +-
+ drivers/cpufreq/cpufreq_governor.h | 2 +-
+ drivers/cpufreq/p4-clockmod.c | 12 +-
+ drivers/cpufreq/speedstep-centrino.c | 7 +-
+ drivers/cpuidle/cpuidle.c | 2 +-
+ drivers/cpuidle/governor.c | 4 +-
+ drivers/cpuidle/sysfs.c | 2 +-
+ drivers/devfreq/devfreq.c | 4 +-
+ drivers/edac/edac_mc_sysfs.c | 2 +-
+ drivers/edac/edac_pci_sysfs.c | 2 +-
+ drivers/firewire/core-device.c | 2 +-
+ drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/efivars.c | 2 +-
+ drivers/firmware/google/memconsole.c | 4 +-
+ drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 2 +-
+ drivers/gpu/drm/drm_ioc32.c | 9 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/intel_display.c | 26 ++-
+ drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++--
+ drivers/gpu/drm/udl/udl_fb.c | 1 -
+ drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/applesmc.c | 2 +-
+ drivers/hwmon/asus_atk0110.c | 10 +-
+ drivers/hwmon/ibmaem.c | 2 +-
+ drivers/hwmon/pmbus/pmbus_core.c | 2 +-
+ drivers/iio/industrialio-core.c | 2 +-
+ drivers/input/mouse/psmouse.h | 2 +-
+ drivers/iommu/iommu.c | 2 +-
+ drivers/leds/leds-clevo-mail.c | 2 +-
+ drivers/leds/leds-ss4200.c | 2 +-
+ drivers/media/v4l2-core/v4l2-ioctl.c | 5 +-
+ drivers/mfd/twl4030-irq.c | 8 +-
+ drivers/mfd/twl6030-irq.c | 10 +-
+ drivers/misc/c2port/core.c | 4 +-
+ drivers/mtd/sm_ftl.c | 2 +-
+ drivers/net/bonding/bond_main.c | 2 +-
+ drivers/net/macvlan.c | 16 +-
+ drivers/net/vxlan.c | 2 +-
+ drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
+ drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/pci-sysfs.c | 6 +-
+ drivers/pci/pci.h | 2 +-
+ drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/sony-laptop.c | 2 +-
+ drivers/power/power_supply.h | 4 +-
+ drivers/power/power_supply_core.c | 6 +-
+ drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/rtc/rtc-cmos.c | 4 +-
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/scsi/bfa/bfa.h | 2 +-
+ drivers/staging/iio/iio_hwmon.c | 2 +-
+ drivers/usb/storage/usb.h | 2 +-
+ drivers/video/aty/atyfb_base.c | 8 +-
+ drivers/video/aty/mach64_cursor.c | 4 +-
+ drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/fb_defio.c | 6 +-
+ drivers/video/mb862xx/mb862xxfb_accel.c | 16 +-
+ drivers/video/nvidia/nvidia.c | 27 ++-
+ drivers/video/s1d13xxxfb.c | 6 +-
+ drivers/video/smscufx.c | 4 +-
+ drivers/video/udlfb.c | 4 +-
+ drivers/video/uvesafb.c | 14 +-
+ fs/exec.c | 6 +-
+ fs/ext4/super.c | 2 +-
+ fs/jfs/super.c | 4 +-
+ fs/nfs/callback_xdr.c | 2 +-
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfs4xdr.c | 6 +-
+ fs/nls/nls_base.c | 18 +-
+ fs/nls/nls_euc-jp.c | 6 +-
+ fs/nls/nls_koi8-ru.c | 6 +-
+ fs/proc/proc_sysctl.c | 18 +-
+ include/drm/drmP.h | 12 +-
+ include/keys/asymmetric-subtype.h | 2 +-
+ include/linux/atmdev.h | 2 +-
+ include/linux/binfmts.h | 2 +-
+ include/linux/configfs.h | 2 +-
+ include/linux/cpufreq.h | 3 +-
+ include/linux/cpuidle.h | 5 +-
+ include/linux/devfreq.h | 2 +-
+ include/linux/device.h | 7 +-
+ include/linux/extcon.h | 2 +-
+ include/linux/fb.h | 2 +-
+ include/linux/fscache.h | 2 +-
+ include/linux/genl_magic_func.h | 2 +-
+ include/linux/hwmon-sysfs.h | 5 +-
+ include/linux/iommu.h | 2 +-
+ include/linux/irq.h | 2 +-
+ include/linux/key-type.h | 2 +-
+ include/linux/kobject.h | 1 +
+ include/linux/kobject_ns.h | 2 +-
+ include/linux/list.h | 14 +-
+ include/linux/mod_devicetable.h | 2 +-
+ include/linux/module.h | 5 +-
+ include/linux/net.h | 2 +-
+ include/linux/netfilter.h | 2 +-
+ include/linux/nls.h | 2 +-
+ include/linux/pci_hotplug.h | 3 +-
+ include/linux/platform_data/usb-exynos.h | 2 +-
+ include/linux/pnp.h | 2 +-
+ include/linux/ppp-comp.h | 2 +-
+ include/linux/rculist.h | 16 ++
+ include/linux/sched.h | 2 +-
+ include/linux/sock_diag.h | 2 +-
+ include/linux/sunrpc/clnt.h | 2 +-
+ include/linux/sunrpc/svc.h | 2 +-
+ include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swiotlb.h | 3 +-
+ include/linux/syscore_ops.h | 2 +-
+ include/linux/sysctl.h | 6 +-
+ include/linux/sysfs.h | 10 +-
+ include/linux/sysrq.h | 1 +
+ include/linux/xattr.h | 2 +-
+ include/net/9p/transport.h | 2 +-
+ include/net/bluetooth/l2cap.h | 2 +-
+ include/net/genetlink.h | 2 +-
+ include/net/ip.h | 2 +-
+ include/net/ip_vs.h | 4 +-
+ include/net/llc_c_ac.h | 2 +-
+ include/net/llc_c_ev.h | 4 +-
+ include/net/llc_c_st.h | 2 +-
+ include/net/llc_s_ac.h | 2 +-
+ include/net/llc_s_st.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/net_namespace.h | 2 +-
+ include/net/netns/conntrack.h | 6 +-
+ include/net/rtnetlink.h | 2 +-
+ include/net/sctp/sm.h | 4 +-
+ include/net/sctp/structs.h | 2 +-
+ include/net/xfrm.h | 4 +-
+ ipc/ipc_sysctl.c | 10 +-
+ ipc/mq_sysctl.c | 2 +-
+ kernel/kmod.c | 2 +-
+ kernel/ksysfs.c | 2 +-
+ kernel/module.c | 4 +-
+ kernel/pid_namespace.c | 2 +-
+ kernel/rcutree_plugin.h | 2 +-
+ kernel/sched/core.c | 39 ++--
+ kernel/smpboot.c | 4 +-
+ kernel/softirq.c | 2 +-
+ kernel/sysctl.c | 2 +-
+ kernel/utsname_sysctl.c | 2 +-
+ kernel/watchdog.c | 2 +-
+ lib/Kconfig.debug | 2 +-
+ lib/kobject.c | 4 +-
+ lib/list_debug.c | 57 ++++-
+ lib/swiotlb.c | 2 +-
+ mm/hugetlb.c | 16 +-
+ mm/memory-failure.c | 2 +-
+ mm/slab_common.c | 2 +-
+ net/9p/mod.c | 4 +-
+ net/ax25/sysctl_net_ax25.c | 2 +-
+ net/core/neighbour.c | 2 +-
+ net/core/net-sysfs.c | 2 +-
+ net/core/net_namespace.c | 8 +-
+ net/core/rtnetlink.c | 11 +-
+ net/core/sock_diag.c | 9 +-
+ net/core/sysctl_net_core.c | 15 +-
+ net/ipv4/af_inet.c | 8 +-
+ net/ipv4/devinet.c | 12 +-
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/ip_fragment.c | 9 +-
+ net/ipv4/ip_gre.c | 6 +-
+ net/ipv4/ip_vti.c | 4 +-
+ net/ipv4/ipip.c | 4 +-
+ net/ipv4/route.c | 14 +-
+ net/ipv4/sysctl_net_ipv4.c | 43 ++--
+ net/ipv6/addrconf.c | 4 +-
+ net/ipv6/icmp.c | 2 +-
+ net/ipv6/ip6_gre.c | 6 +-
+ net/ipv6/ip6_tunnel.c | 4 +-
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
+ net/ipv6/reassembly.c | 11 +-
+ net/ipv6/route.c | 2 +-
+ net/ipv6/sit.c | 4 +-
+ net/ipv6/sysctl_net_ipv6.c | 2 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 +-
+ net/netfilter/ipvs/ip_vs_lblc.c | 2 +-
+ net/netfilter/ipvs/ip_vs_lblcr.c | 2 +-
+ net/netfilter/nf_conntrack_acct.c | 2 +-
+ net/netfilter/nf_conntrack_ecache.c | 2 +-
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nf_conntrack_timestamp.c | 2 +-
+ net/netfilter/nf_log.c | 10 +-
+ net/netfilter/nf_sockopt.c | 4 +-
+ net/netlink/genetlink.c | 16 +-
+ net/phonet/sysctl.c | 2 +-
+ net/rds/rds.h | 2 +-
+ net/sctp/ipv6.c | 6 +-
+ net/sctp/protocol.c | 10 +-
+ net/sctp/sm_sideeffect.c | 2 +-
+ net/sctp/sysctl.c | 4 +-
+ net/sunrpc/clnt.c | 4 +-
+ net/sunrpc/svc.c | 4 +-
+ net/unix/sysctl_net_unix.c | 2 +-
+ net/xfrm/xfrm_policy.c | 11 +-
+ net/xfrm/xfrm_state.c | 29 ++-
+ net/xfrm/xfrm_sysctl.c | 2 +-
+ security/apparmor/lsm.c | 2 +-
+ security/keys/key.c | 18 +-
+ security/yama/yama_lsm.c | 22 +-
+ tools/gcc/Makefile | 4 +-
+ tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------
+ tools/gcc/size_overflow_plugin.c | 7 +-
+ 248 files changed, 994 insertions(+), 668 deletions(-)
+
+commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:58:21 2013 -0500
+
+ Make slab_state __read_only, it's only written to during init
+
+ mm/slab_common.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:31:35 2013 -0500
+
+ Make two new helper functions:
+ gr_is_global_root() and gr_is_global_nonroot()
+
+ grsecurity/gracl.c | 10 +++++-----
+ grsecurity/gracl_segv.c | 2 +-
+ grsecurity/grsec_link.c | 4 ++--
+ grsecurity/grsec_sig.c | 10 +++++-----
+ grsecurity/grsec_tpe.c | 6 +++---
+ include/linux/uidgid.h | 2 ++
+ 6 files changed, 18 insertions(+), 16 deletions(-)
+
+commit d45d88eddd4998b280b1e5b5384289ee11ca7088
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 6 12:14:41 2013 -0500
+
+ convert remaining task->pid to task_pid_nr(task)
+
+ grsecurity/gracl.c | 22 +++++++++++-----------
+ grsecurity/gracl_shm.c | 2 +-
+ grsecurity/grsec_chroot.c | 4 ++--
+ grsecurity/grsec_sig.c | 4 ++--
+ 4 files changed, 16 insertions(+), 16 deletions(-)
+
+commit c877f2ece03ee2232dd281c1977ae59507297124
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 5 17:29:54 2013 -0500
+
+ compat-log is only used anymore by vm86-on-64bit and allows unlimited
+ spamming of the kernel log buffer (and since it includes the changable
+ process name, can avoid syslog log deduplication)
+ Turn it off by default
+
+ fs/compat.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 7c1964c4b7276889d7967bee70e46918cdca1b14
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 4 17:19:10 2013 -0500
+
+ fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP
+ is enabled, introduced with recent userns support
+
+ init/main.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit c3ce01b94d8dd42b9c7942c0d513b152613e0656
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 18:46:12 2013 -0500
+
+ Prevent TOMOYO from auto-loading modules by unprivileged users
+ (Only reachable if TOMOYO is actually used)
+
+ security/tomoyo/mount.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 79e142f9455b398759ff9d93d4963a21b98dddda
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 18:28:45 2013 -0500
+
+ For now, don't permit any special access to /proc in a user namespace
+ Later we can go back and allow a userns-uid0 special access to a /proc
+ with a non-global pid namespace
+
+ fs/proc/base.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8b91fb393049ce5f3c0a86f62247409853fd9700
+Merge: d931eb8 603ef05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:42:09 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:41:31 2013 -0500
+
+ Fix compilation error on ARM reported by Michael Tremer
+
+ arch/arm/mach-omap2/wd_timer.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit b4c9ce81fdd7839a150c97873c710c479e788280
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:39:53 2013 -0500
+
+ Fix compilation error on ARM reported by Michael Tremer
+
+ arch/arm/kernel/armksyms.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d931eb81ab3da46896268fd61373a6aa7bbea930
+Merge: bfa7f44 5948f93
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:34:36 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0
+Merge: ab30472 19b00d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 17:34:08 2013 -0500
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit bfa7f445c5d484de51a5828b92ad2ff65053cc87
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 3 15:12:12 2013 -0500
+
+ Initial support for user namespaces, as we previously didn't allow
+ the option to be enabled at all.
+
+ RBAC will act on the global uids/gids only, so all uids/gids in user
+ namespaces will be converted
+
+ Because Eric Biederman is insulted that I didn't support his
+ backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN
+ check in for user namespaces, so this is generally irrelevant.
+
+ fs/exec.c | 6 +-
+ fs/proc/base.c | 2 +-
+ fs/proc/proc_net.c | 4 +-
+ grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++-------------
+ grsecurity/gracl_cap.c | 4 +-
+ grsecurity/gracl_ip.c | 16 +++---
+ grsecurity/gracl_segv.c | 12 +++-
+ grsecurity/gracl_shm.c | 4 +-
+ grsecurity/grsec_disabled.c | 10 ++--
+ grsecurity/grsec_fifo.c | 6 +-
+ grsecurity/grsec_init.c | 24 ++++----
+ grsecurity/grsec_log.c | 3 -
+ grsecurity/grsec_tpe.c | 6 +-
+ include/linux/grinternal.h | 12 ++--
+ include/linux/grsecurity.h | 12 ++--
+ include/linux/uidgid.h | 3 +
+ init/Kconfig | 2 -
+ ipc/shm.c | 2 +-
+ kernel/cred.c | 5 +-
+ kernel/kallsyms.c | 2 +-
+ kernel/kmod.c | 6 +-
+ kernel/sys.c | 12 ++--
+ 22 files changed, 166 insertions(+), 115 deletions(-)
+
+commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed Feb 27 08:36:04 2013 -0800
+
+ Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
+
+ mm: do not grow the stack vma just because of an overrun on preceding vma
+
+ The stack vma is designed to grow automatically (marked with VM_GROWSUP
+ or VM_GROWSDOWN depending on architecture) when an access is made beyond
+ the existing boundary. However, particularly if you have not limited
+ your stack at all ("ulimit -s unlimited"), this can cause the stack to
+ grow even if the access was really just one past *another* segment.
+
+ And that's wrong, especially since we first grow the segment, but then
+ immediately later enforce the stack guard page on the last page of the
+ segment. So _despite_ first growing the stack segment as a result of
+ the access, the kernel will then make the access cause a SIGSEGV anyway!
+
+ So do the same logic as the guard page check does, and consider an
+ access to within one page of the next segment to be a bad access, rather
+ than growing the stack to abut the next segment.
+
+ Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmap.c | 27 +++++++++++++++++++++++++++
+ 1 files changed, 27 insertions(+), 0 deletions(-)
+
+commit 5596211af754867ca825f58e6e0300a8439950fe
+Author: H. Peter Anvin <hpa@linux.intel.com>
+Date: Wed Feb 27 12:46:40 2013 -0800
+
+ Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
+
+ x86: Make sure we can boot in the case the BDA contains pure garbage
+
+ On non-BIOS platforms it is possible that the BIOS data area contains
+ garbage instead of being zeroed or something equivalent (firmware
+ people: we are talking of 1.5K here, so please do the sane thing.)
+
+ We need on the order of 20-30K of low memory in order to boot, which
+ may grow up to < 64K in the future. We probably want to avoid the
+ lowest of the low memory. At the same time, it seems extremely
+ unlikely that a legitimate EBDA would ever reach down to the 128K
+ (which would require it to be over half a megabyte in size.) Thus,
+ pick 128K as the cutoff for "this is insane, ignore." We may still
+ end up reserving a bunch of extra memory on the low megabyte, but that
+ is not really a major issue these days. In the worst case we lose
+ 512K of RAM.
+
+ This code really should be merged with trim_bios_range() in
+ arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
+ window.
+
+ Reported-by: Darren Hart <dvhart@linux.intel.com>
+ Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+ Cc: Matt Fleming <matt.fleming@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
+
+ arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++-----------------
+ 1 files changed, 34 insertions(+), 19 deletions(-)
+
+commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Wed Feb 27 17:05:46 2013 -0800
+
+ Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
+
+ memstick: move the dereference below the NULL test
+
+ The dereference should be moved below the NULL test.
+
+ spatch with a semantic match is used to found this.
+ (http://coccinelle.lip6.fr/)
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Cc: Maxim Levitsky <maximlevitsky@gmail.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/memstick/host/r592.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Feb 27 17:05:21 2013 -0800
+
+ Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
+
+ sysctl: fix null checking in bin_dn_node_address()
+
+ The null check of `strchr() + 1' is broken, which is always non-null,
+ leading to OOB read. Instead, check the result of strchr().
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/sysctl_binary.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 7ca96db0817416fd40761e7437d1939fc0731380
+Author: Tejun Heo <tj@kernel.org>
+Date: Wed Feb 27 17:03:34 2013 -0800
+
+ Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24
+
+ idr: fix a subtle bug in idr_get_next()
+
+ The iteration logic of idr_get_next() is borrowed mostly verbatim from
+ idr_for_each(). It walks down the tree looking for the slot matching
+ the current ID. If the matching slot is not found, the ID is
+ incremented by the distance of single slot at the given level and
+ repeats.
+
+ The implementation assumes that during the whole iteration id is aligned
+ to the layer boundaries of the level closest to the leaf, which is true
+ for all iterations starting from zero or an existing element and thus is
+ fine for idr_for_each().
+
+ However, idr_get_next() may be given any point and if the starting id
+ hits in the middle of a non-existent layer, increment to the next layer
+ will end up skipping the same offset into it. For example, an IDR with
+ IDs filled between [64, 127] would look like the following.
+
+ [ 0 64 ... ]
+ /----/ |
+ | |
+ NULL [ 64 ... 127 ]
+
+ If idr_get_next() is called with 63 as the starting point, it will try
+ to follow down the pointer from 0. As it is NULL, it will then try to
+ proceed to the next slot in the same level by adding the slot distance
+ at that level which is 64 - making the next try 127. It goes around the
+ loop and finds and returns 127 skipping [64, 126].
+
+ Note that this bug also triggers in idr_for_each_entry() loop which
+ deletes during iteration as deletions can make layers go away leaving
+ the iteration with unaligned ID into missing layers.
+
+ Fix it by ensuring proceeding to the next slot doesn't carry over the
+ unaligned offset - ie. use round_up(id + 1, slot_distance) instead of
+ id += slot_distance.
+
+ Signed-off-by: Tejun Heo <tj@kernel.org>
+ Reported-by: David Teigland <teigland@redhat.com>
+ Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ lib/idr.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+commit 745362f28034f54242ba2e64eaa7374ab9869613
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 1 20:31:42 2013 -0500
+
+ Fix dentry use-after-free after failed complete_walk() with RBAC enabled
+ Many thanks to zakalwe from #grsecurity for the report and debugging help
+
+ fs/namei.c | 8 +++-----
+ 1 files changed, 3 insertions(+), 5 deletions(-)
+
+commit b53b3b14330920c6f7cfb74c8508a3026e1be620
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 18:29:26 2013 -0500
+
+ Fix bad git merge
+
+ fs/namespace.c | 8 --------
+ 1 files changed, 0 insertions(+), 8 deletions(-)
+
+commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede
+Merge: 1cce1dd ab30472
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 17:45:14 2013 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ net/core/sock_diag.c
+
+commit ab3047280e1dfb43f1b301a296123757b4ac4f6e
+Merge: 4b61d21 4c91a0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 28 17:43:56 2013 -0500
+
+ Merge branch 'linux-3.8.y' into pax-test
+
+commit 1cce1ddd17c584c80465521834c3faf1a7c607d7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 22:20:22 2013 -0500
+
+ add compiler.h to sysrq.h to fix compilation problem reported by micu on forums
+
+ include/linux/sysrq.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 9f1e7fe130803fde83eb903b575335f59cd2bd18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 17:52:31 2013 -0500
+
+ declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel
+
+ kernel/printk.c | 12 +++++++-----
+ 1 files changed, 7 insertions(+), 5 deletions(-)
+
+commit 11dd499888fa76f3466821ce4daa5e0c55e43d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 27 17:23:46 2013 -0500
+
+ Fix upstream vulnerability from addition of a /dev/kmsg device
+ while neglecting to add the same set of existing permission checks
+ from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG.
+ A temporary workaround without this patch would be to
+ chmod 0600 /dev/kmsg (and is likely a good idea anyway).
+
+ Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek
+ Initially reported to Redhat bugzilla by Christian Kujau:
+ https://bugzilla.redhat.com/show_bug.cgi?id=903192
+
+ kernel/printk.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 66c04806f5660988c3cb4855e60de294e77e3d0e
+Author: David Howells <dhowells@redhat.com>
+Date: Thu Feb 21 12:00:25 2013 +0000
+
+ Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f
+
+ KEYS: Revert one application of "Fix unreachable code" patch
+
+ A patch to fix some unreachable code in search_my_process_keyrings() got
+ applied twice by two different routes upstream as commits e67eab39bee2
+ and b010520ab3d2 (both "fix unreachable code").
+
+ Unfortunately, the second application removed something it shouldn't
+ have and this wasn't detected by GIT. This is due to the patch not
+ having sufficient lines of context to distinguish the two places of
+ application.
+
+ The effect of this is relatively minor: inside the kernel, the keyring
+ search routines may search multiple keyrings and then prioritise the
+ errors if no keys or negative keys are found in any of them. With the
+ extra deletion, the presence of a negative key in the thread keyring
+ (causing ENOKEY) is incorrectly overridden by an error searching the
+ process keyring.
+
+ So revert the second application of the patch.
+
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Cc: Jiri Kosina <jkosina@suse.cz>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ security/keys/process_keys.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 954b0c8a95b08c09c3d15ec38106ce403bf714da
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Thu Feb 21 16:42:43 2013 -0800
+
+ Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
+
+ configfs: move the dereference below the NULL test
+
+ The dereference should be moved below the NULL test.
+
+ spatch with a semantic match is used to found this.
+ (http://coccinelle.lip6.fr/)
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Cc: Joel Becker <jlbec@evilplan.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/configfs/dir.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+commit d16d42c4fdc8baca5816d75b4a115102bf3d3423
+Author: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Sun Feb 24 20:06:09 2013 -0500
+
+ Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541
+
+ tty vt: fix character insertion overflow
+
+ Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on
+ command line edition") broke insert_char() in multiple ways. Then
+ commit b1a925f44a3a ("tty vt: Fix a regression in command line edition")
+ partially fixed it. However, the buffer being moved is still too large
+ and overflowing beyond the end of the current line, corrupting existing
+ characters on the next line.
+
+ Example test case:
+
+ echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
+
+ Expected result:
+
+ ab c
+ de
+
+ Current result:
+
+ ab c
+ e
+
+ Needless to say that this is very annoying when inserting words in the
+ middle of paragraphs with certain text editors.
+
+ Signed-off-by: Nicolas Pitre <nico@linaro.org>
+ Cc: Jean-François Moine <moinejf@free.fr>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ drivers/tty/vt/vt.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6cda35071669b4aabde081bd039e0ffea36f997a
+Author: Robin Holt <holt@sgi.com>
+Date: Fri Feb 22 16:35:34 2013 -0800
+
+ Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7
+
+ mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
+
+ There is a race condition between mmu_notifier_unregister() and
+ __mmu_notifier_release().
+
+ Assume two tasks, one calling mmu_notifier_unregister() as a result of a
+ filp_close() ->flush() callout (task A), and the other calling
+ mmu_notifier_release() from an mmput() (task B).
+
+ A B
+ t1 srcu_read_lock()
+ t2 if (!hlist_unhashed())
+ t3 srcu_read_unlock()
+ t4 srcu_read_lock()
+ t5 hlist_del_init_rcu()
+ t6 synchronize_srcu()
+ t7 srcu_read_unlock()
+ t8 hlist_del_rcu() <--- NULL pointer deref.
+
+ Additionally, the list traversal in __mmu_notifier_release() is not
+ protected by the by the mmu_notifier_mm->hlist_lock which can result in
+ callouts to the ->release() notifier from both mmu_notifier_unregister()
+ and __mmu_notifier_release().
+
+ -stable suggestions:
+
+ The stable trees prior to 3.7.y need commits 21a92735f660 and
+ 70400303ce0c cherry-picked in that order prior to cherry-picking this
+ commit. The 3.7.y tree already has those two commits.
+
+ Signed-off-by: Robin Holt <holt@sgi.com>
+ Cc: Andrea Arcangeli <aarcange@redhat.com>
+ Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+ Cc: Xiao Guangrong <xiaoguangrong@linux.vnet.ibm.com>
+ Cc: Avi Kivity <avi@redhat.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Marcelo Tosatti <mtosatti@redhat.com>
+ Cc: Sagi Grimberg <sagig@mellanox.co.il>
+ Cc: Haggai Eran <haggaie@mellanox.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++--------------------------
+ 1 files changed, 42 insertions(+), 40 deletions(-)
+
+commit bf5167ed78ba6131c6874887f714bda50c2cab83
+Author: Mike Galbraith <bitbucket@online.de>
+Date: Mon Jan 28 12:19:25 2013 +0100
+
+ Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6
+
+ sched: Fix select_idle_sibling() bouncing cow syndrome
+
+ If the previous CPU is cache affine and idle, select it.
+
+ The current implementation simply traverses the sd_llc domain,
+ taking the first idle CPU encountered, which walks buddy pairs
+ hand in hand over the package, inflicting excruciating pain.
+
+ 1 tbench pair (worst case) in a 10 core + SMT package:
+
+ pre 15.22 MB/sec 1 procs
+ post 252.01 MB/sec 1 procs
+
+ Signed-off-by: Mike Galbraith <bitbucket@online.de>
+ Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+ Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ kernel/sched/fair.c | 21 +++++++--------------
+ 1 files changed, 7 insertions(+), 14 deletions(-)
+
+commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Fri Dec 28 18:58:39 2012 -0800
+
+ Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f
+
+ userns: Avoid recursion in put_user_ns
+
+ When freeing a deeply nested user namespace free_user_ns calls
+ put_user_ns on it's parent which may in turn call free_user_ns again.
+ When -fno-optimize-sibling-calls is passed to gcc one stack frame per
+ user namespace is left on the stack, potentially overflowing the
+ kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls
+ so we can't count on gcc to optimize this code.
+
+ Remove struct kref and use a plain atomic_t. Making the code more
+ flexible and easier to comprehend. Make the loop in free_user_ns
+ explict to guarantee that the stack does not overflow with
+ CONFIG_FRAME_POINTER enabled.
+
+ I have tested this fix with a simple program that uses unshare to
+ create a deeply nested user namespace structure and then calls exit.
+ With 1000 nesteuser namespaces before this change running my test
+ program causes the kernel to die a horrible death. With 10,000,000
+ nested user namespaces after this change my test program runs to
+ completion and causes no harm.
+
+ Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+ Pointed-out-by: Vasily Kulikov <segoon@openwall.com>
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+
+ include/linux/user_namespace.h | 10 +++++-----
+ kernel/user.c | 4 +---
+ kernel/user_namespace.c | 17 +++++++++--------
+ 3 files changed, 15 insertions(+), 16 deletions(-)
+
+commit 81501c7106ccc186c94806f4db954626295b5ebe
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Feb 26 17:12:30 2013 -0500
+
+ Pass the same flags to kern_path_create as the original function
+
+ fs/namei.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit a677c8eee35afe48868f92c7d6745bfe809cd481
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri Feb 22 22:45:42 2013 -0500
+
+ Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559
+
+ get rid of unprotected dereferencing of mnt->mnt_ns
+
+ It's safe only under namespace_sem or vfsmount_lock; all places
+ in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use
+ current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in
+ there).
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/namespace.c | 29 +++++++++++++++++------------
+ 1 files changed, 17 insertions(+), 12 deletions(-)
+
+commit 89298124d0c96dc34a60377e7a1308f8f532ff75
+Author: Greg Thelen <gthelen@google.com>
+Date: Fri Feb 22 16:36:01 2013 -0800
+
+ Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
+
+ tmpfs: fix use-after-free of mempolicy object
+
+ The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
+ option is not specified in the remount request. A new policy can be
+ specified if mpol=M is given.
+
+ Before this patch remounting an mpol bound tmpfs without specifying
+ mpol= mount option in the remount request would set the filesystem's
+ mempolicy object to a freed mempolicy object.
+
+ To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
+ # mkdir /tmp/x
+
+ # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
+
+ # grep /tmp/x /proc/mounts
+ nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
+
+ # mount -o remount,size=200M nodev /tmp/x
+
+ # grep /tmp/x /proc/mounts
+ nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
+ # note ? garbage in mpol=... output above
+
+ # dd if=/dev/zero of=/tmp/x/f count=1
+ # panic here
+
+ Panic:
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [< (null)>] (null)
+ [...]
+ Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
+ Call Trace:
+ mpol_shared_policy_init+0xa5/0x160
+ shmem_get_inode+0x209/0x270
+ shmem_mknod+0x3e/0xf0
+ shmem_create+0x18/0x20
+ vfs_create+0xb5/0x130
+ do_last+0x9a1/0xea0
+ path_openat+0xb3/0x4d0
+ do_filp_open+0x42/0xa0
+ do_sys_open+0xfe/0x1e0
+ compat_sys_open+0x1b/0x20
+ cstar_dispatch+0x7/0x1f
+
+ Non-debug kernels will not crash immediately because referencing the
+ dangling mpol will not cause a fault. Instead the filesystem will
+ reference a freed mempolicy object, which will cause unpredictable
+ behavior.
+
+ The problem boils down to a dropped mpol reference below if
+ shmem_parse_options() does not allocate a new mpol:
+
+ config = *sbinfo
+ shmem_parse_options(data, &config, true)
+ mpol_put(sbinfo->mpol)
+ sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */
+
+ This patch avoids the crash by not releasing the mempolicy if
+ shmem_parse_options() doesn't create a new mpol.
+
+ How far back does this issue go? I see it in both 2.6.36 and 3.3. I did
+ not look back further.
+
+ Signed-off-by: Greg Thelen <gthelen@google.com>
+ Acked-by: Hugh Dickins <hughd@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/shmem.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 23 11:08:05 2013 -0500
+
+ Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+ with a family greater or equal then AF_MAX -- the array size of
+ sock_diag_handlers[]. The current code does not test for this
+ condition therefore is vulnerable to an out-of-bound access opening
+ doors for a privilege escalation.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ The sock_diag_lock_handler() and sock_diag_unlock_handler() actually
+ make the code less readable. Get rid of them and make the lock usage
+ and access to sock_diag_handlers[] clear on the first sight.
+
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+
+ net/core/sock_diag.c | 27 ++++++++++-----------------
+ 1 files changed, 10 insertions(+), 17 deletions(-)
+
+commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 23 10:58:52 2013 -0500
+
+ Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined
+
+ arch/arm/include/asm/domain.h | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 7b729586eb81f344fdedf0942fab0acc738a6725
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 22 19:02:51 2013 -0500
+
+ Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users.
+
+ kernel/fork.c | 17 +++++++++++++++++
+ 1 files changed, 17 insertions(+), 0 deletions(-)
+
+commit fadc560d0c486af88da83177735f5515e88acdcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:06:48 2013 -0500
+
+ put is_hugetlbfs_mnt inside ifdefs
+
+ grsecurity/gracl.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 8252176922d405484f986eb2cc350b7cd3ae586e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:02:07 2013 -0500
+
+ remove unused label
+
+ kernel/module.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit dad4a980f0b625059e215d13da728aa7fd02a374
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 23:00:52 2013 -0500
+
+ compile fix
+
+ fs/open.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 22:57:49 2013 -0500
+
+ remove kmalloc_array_error for the same reasons as kcalloc_error
+
+ include/linux/slab.h | 9 ---------
+ 1 files changed, 0 insertions(+), 9 deletions(-)
+
+commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 21 22:49:35 2013 -0500
+
+ Initial port of grsecurity for Linux 3.8
+
+ Documentation/kernel-parameters.txt | 4 +
+ Makefile | 10 +-
+ arch/alpha/include/asm/cache.h | 4 +-
+ arch/alpha/kernel/osf_sys.c | 14 +-
+ arch/arm/include/asm/cache.h | 2 +
+ arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/kernel/process.c | 4 +-
+ arch/arm/kernel/ptrace.c | 9 +
+ arch/arm/kernel/traps.c | 7 +-
+ arch/arm/mm/fault.c | 27 +-
+ arch/arm/mm/mmap.c | 6 +-
+ arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/include/asm/cache.h | 3 +-
+ arch/cris/include/arch-v10/arch/cache.h | 3 +-
+ arch/cris/include/arch-v32/arch/cache.h | 3 +-
+ arch/frv/include/asm/cache.h | 3 +-
+ arch/frv/mm/elf-fdpic.c | 7 +-
+ arch/hexagon/include/asm/cache.h | 6 +-
+ arch/ia64/include/asm/cache.h | 3 +-
+ arch/ia64/kernel/sys_ia64.c | 3 +-
+ arch/ia64/mm/hugetlbpage.c | 3 +-
+ arch/m32r/include/asm/cache.h | 4 +-
+ arch/m68k/include/asm/cache.h | 4 +-
+ arch/microblaze/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/cache.h | 3 +-
+ arch/mips/include/asm/thread_info.h | 9 +-
+ arch/mips/kernel/ptrace.c | 9 +
+ arch/mips/kernel/scall32-o32.S | 2 +-
+ arch/mips/kernel/scall64-64.S | 2 +-
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ arch/mips/mm/mmap.c | 3 +-
+ arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
+ arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +-
+ arch/openrisc/include/asm/cache.h | 4 +-
+ arch/parisc/include/asm/cache.h | 5 +-
+ arch/parisc/kernel/sys_parisc.c | 19 +-
+ arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/thread_info.h | 8 +-
+ arch/powerpc/kernel/process.c | 10 +-
+ arch/powerpc/kernel/ptrace.c | 14 +
+ arch/powerpc/kernel/traps.c | 5 +
+ arch/powerpc/mm/slice.c | 8 +-
+ arch/s390/include/asm/cache.h | 4 +-
+ arch/score/include/asm/cache.h | 4 +-
+ arch/sh/include/asm/cache.h | 3 +-
+ arch/sh/mm/mmap.c | 6 +-
+ arch/sparc/include/asm/cache.h | 4 +-
+ arch/sparc/include/asm/thread_info_64.h | 9 +-
+ arch/sparc/kernel/process_32.c | 6 +-
+ arch/sparc/kernel/process_64.c | 8 +-
+ arch/sparc/kernel/ptrace_64.c | 14 +
+ arch/sparc/kernel/sys_sparc_64.c | 6 +-
+ arch/sparc/kernel/syscalls.S | 8 +-
+ arch/sparc/kernel/traps_32.c | 8 +-
+ arch/sparc/kernel/traps_64.c | 28 +-
+ arch/sparc/kernel/unaligned_64.c | 2 +-
+ arch/sparc/mm/fault_64.c | 2 +-
+ arch/sparc/mm/hugetlbpage.c | 3 +-
+ arch/tile/include/asm/cache.h | 3 +-
+ arch/um/include/asm/cache.h | 3 +-
+ arch/unicore32/include/asm/cache.h | 6 +-
+ arch/x86/Kconfig | 5 +-
+ arch/x86/Kconfig.debug | 2 +-
+ arch/x86/ia32/ia32_aout.c | 2 +
+ arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/kernel/dumpstack.c | 8 +
+ arch/x86/kernel/entry_32.S | 2 +-
+ arch/x86/kernel/entry_64.S | 2 +-
+ arch/x86/kernel/ioport.c | 13 +
+ arch/x86/kernel/ptrace.c | 14 +
+ arch/x86/kernel/smpboot.c | 3 +
+ arch/x86/kernel/sys_i386_32.c | 14 +-
+ arch/x86/kernel/sys_x86_64.c | 3 +-
+ arch/x86/kernel/verify_cpu.S | 1 +
+ arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/mm/fault.c | 12 +-
+ arch/x86/mm/hugetlbpage.c | 3 +-
+ arch/x86/mm/init.c | 66 +-
+ arch/x86/net/bpf_jit_comp.c | 126 +-
+ arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
+ arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
+ crypto/ablkcipher.c | 12 +-
+ crypto/aead.c | 9 +-
+ crypto/ahash.c | 2 +-
+ crypto/blkcipher.c | 6 +-
+ crypto/crypto_user.c | 38 +-
+ crypto/pcompress.c | 3 +-
+ crypto/rng.c | 2 +-
+ crypto/shash.c | 3 +-
+ drivers/block/cciss.c | 2 +
+ drivers/char/Kconfig | 4 +-
+ drivers/char/genrtc.c | 1 +
+ drivers/char/mem.c | 17 +
+ drivers/char/random.c | 12 +
+ drivers/gpu/drm/drm_info.c | 4 +
+ drivers/hid/hid-wiimote-debug.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +-
+ drivers/message/fusion/mptbase.c | 5 +
+ drivers/net/phy/mdio-bitbang.c | 1 +
+ drivers/pci/proc.c | 9 +
+ drivers/rtc/rtc-dev.c | 3 +
+ drivers/tty/sysrq.c | 2 +-
+ drivers/tty/vt/keyboard.c | 22 +-
+ drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++--------
+ drivers/xen/xenfs/xenstored.c | 5 +
+ fs/attr.c | 1 +
+ fs/autofs4/waitq.c | 9 +
+ fs/binfmt_aout.c | 7 +
+ fs/binfmt_elf.c | 6 +
+ fs/btrfs/inode.c | 10 +-
+ fs/btrfs/ioctl.c | 6 +-
+ fs/compat.c | 18 +
+ fs/coredump.c | 10 +-
+ fs/debugfs/inode.c | 4 +
+ fs/exec.c | 155 +-
+ fs/ext2/balloc.c | 4 +-
+ fs/ext3/balloc.c | 4 +-
+ fs/ext4/balloc.c | 4 +-
+ fs/fcntl.c | 5 +
+ fs/file.c | 4 +
+ fs/filesystems.c | 5 +
+ fs/fs_struct.c | 26 +-
+ fs/hugetlbfs/inode.c | 5 +-
+ fs/namei.c | 269 ++-
+ fs/namespace.c | 24 +
+ fs/open.c | 38 +
+ fs/pipe.c | 2 +-
+ fs/proc/Kconfig | 10 +-
+ fs/proc/array.c | 59 +-
+ fs/proc/base.c | 168 +-
+ fs/proc/cmdline.c | 4 +
+ fs/proc/devices.c | 4 +
+ fs/proc/fd.c | 17 +-
+ fs/proc/inode.c | 17 +
+ fs/proc/internal.h | 3 +
+ fs/proc/kcore.c | 3 +
+ fs/proc/proc_net.c | 12 +
+ fs/proc/proc_sysctl.c | 43 +-
+ fs/proc/root.c | 8 +
+ fs/proc/task_mmu.c | 75 +-
+ fs/readdir.c | 19 +
+ fs/select.c | 2 +
+ fs/seq_file.c | 12 +-
+ fs/stat.c | 19 +-
+ fs/sysfs/dir.c | 12 +
+ fs/utimes.c | 7 +
+ fs/xattr.c | 19 +-
+ grsecurity/Kconfig | 1021 +++++
+ grsecurity/Makefile | 38 +
+ grsecurity/gracl.c | 4017 ++++++++++++++++++++
+ grsecurity/gracl_alloc.c | 105 +
+ grsecurity/gracl_cap.c | 110 +
+ grsecurity/gracl_fs.c | 431 +++
+ grsecurity/gracl_ip.c | 384 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_res.c | 68 +
+ grsecurity/gracl_segv.c | 299 ++
+ grsecurity/gracl_shm.c | 40 +
+ grsecurity/grsec_chdir.c | 19 +
+ grsecurity/grsec_chroot.c | 357 ++
+ grsecurity/grsec_disabled.c | 434 +++
+ grsecurity/grsec_exec.c | 174 +
+ grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_fork.c | 23 +
+ grsecurity/grsec_init.c | 283 ++
+ grsecurity/grsec_link.c | 58 +
+ grsecurity/grsec_log.c | 329 ++
+ grsecurity/grsec_mem.c | 40 +
+ grsecurity/grsec_mount.c | 62 +
+ grsecurity/grsec_pax.c | 36 +
+ grsecurity/grsec_ptrace.c | 30 +
+ grsecurity/grsec_sig.c | 222 ++
+ grsecurity/grsec_sock.c | 244 ++
+ grsecurity/grsec_sysctl.c | 469 +++
+ grsecurity/grsec_time.c | 16 +
+ grsecurity/grsec_tpe.c | 73 +
+ grsecurity/grsum.c | 61 +
+ include/linux/capability.h | 5 +
+ include/linux/cred.h | 3 +
+ include/linux/fs.h | 10 +
+ include/linux/fsnotify.h | 6 +
+ include/linux/gracl.h | 319 ++
+ include/linux/gralloc.h | 9 +
+ include/linux/grdefs.h | 140 +
+ include/linux/grinternal.h | 215 ++
+ include/linux/grmsg.h | 111 +
+ include/linux/grsecurity.h | 257 ++
+ include/linux/grsock.h | 19 +
+ include/linux/kallsyms.h | 14 +-
+ include/linux/kmod.h | 2 +
+ include/linux/netfilter/xt_gradm.h | 9 +
+ include/linux/printk.h | 3 +-
+ include/linux/proc_fs.h | 12 +
+ include/linux/sched.h | 66 +-
+ include/linux/security.h | 1 +
+ include/linux/seq_file.h | 3 +
+ include/linux/shm.h | 4 +
+ include/linux/sysctl.h | 2 +
+ include/linux/thread_info.h | 2 +
+ include/linux/vermagic.h | 9 +-
+ include/trace/events/fs.h | 53 +
+ include/uapi/linux/personality.h | 1 +
+ init/Kconfig | 5 +-
+ init/main.c | 14 +
+ ipc/mqueue.c | 1 +
+ ipc/shm.c | 28 +
+ kernel/capability.c | 39 +-
+ kernel/cgroup.c | 2 +-
+ kernel/compat.c | 1 +
+ kernel/configs.c | 11 +
+ kernel/cred.c | 109 +-
+ kernel/exit.c | 10 +-
+ kernel/fork.c | 24 +-
+ kernel/futex.c | 1 +
+ kernel/kallsyms.c | 9 +
+ kernel/kcmp.c | 4 +
+ kernel/kmod.c | 71 +-
+ kernel/kprobes.c | 4 +-
+ kernel/ksysfs.c | 2 +
+ kernel/lockdep_proc.c | 10 +-
+ kernel/module.c | 80 +-
+ kernel/panic.c | 4 +-
+ kernel/pid.c | 19 +-
+ kernel/posix-timers.c | 8 +
+ kernel/printk.c | 5 +
+ kernel/ptrace.c | 20 +-
+ kernel/resource.c | 10 +
+ kernel/sched/core.c | 6 +-
+ kernel/signal.c | 37 +-
+ kernel/sys.c | 38 +-
+ kernel/sysctl.c | 39 +-
+ kernel/taskstats.c | 6 +
+ kernel/time.c | 5 +
+ kernel/time/timekeeping.c | 3 +
+ kernel/time/timer_list.c | 12 +
+ kernel/time/timer_stats.c | 10 +-
+ lib/Kconfig.debug | 5 +-
+ lib/is_single_threaded.c | 3 +
+ lib/vsprintf.c | 35 +-
+ localversion-grsec | 1 +
+ mm/Kconfig | 4 +-
+ mm/filemap.c | 1 +
+ mm/kmemleak.c | 4 +-
+ mm/mempolicy.c | 12 +-
+ mm/migrate.c | 3 +-
+ mm/mlock.c | 3 +
+ mm/mmap.c | 62 +-
+ mm/mprotect.c | 8 +
+ mm/page_alloc.c | 6 +
+ mm/process_vm_access.c | 6 +
+ mm/shmem.c | 2 +-
+ mm/slab.c | 2 +-
+ mm/slub.c | 14 +-
+ mm/vmalloc.c | 4 +
+ mm/vmstat.c | 18 +-
+ net/core/dev.c | 9 +
+ net/core/sock_diag.c | 7 +
+ net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/ip_sockglue.c | 3 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_minisocks.c | 9 +-
+ net/ipv4/tcp_timer.c | 11 +
+ net/ipv4/udp.c | 24 +
+ net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/udp.c | 7 +
+ net/netfilter/Kconfig | 10 +
+ net/netfilter/Makefile | 1 +
+ net/netfilter/nf_conntrack_core.c | 8 +
+ net/netfilter/xt_gradm.c | 51 +
+ net/netrom/af_netrom.c | 2 +-
+ net/phonet/af_phonet.c | 4 +-
+ net/sctp/proc.c | 3 +-
+ net/socket.c | 62 +-
+ net/sysctl_net.c | 2 +-
+ net/unix/af_unix.c | 19 +
+ security/Kconfig | 320 ++-
+ security/apparmor/lsm.c | 2 +-
+ security/commoncap.c | 29 +
+ security/min_addr.c | 2 +
+ security/security.c | 2 -
+ security/selinux/hooks.c | 2 -
+ security/yama/Kconfig | 2 +-
+ tools/gcc/Makefile | 2 +-
+ 286 files changed, 15083 insertions(+), 2067 deletions(-)
+
+commit 4b61d2188de70da9dc9b3e67fc0565077370eb27
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 20 21:00:42 2013 -0500
+
+ Initial import of pax-linux-3.8-test3.patch
+
+ Documentation/dontdiff | 43 +-
+ Documentation/kernel-parameters.txt | 7 +
+ Makefile | 97 +-
+ arch/alpha/include/asm/atomic.h | 10 +
+ arch/alpha/include/asm/elf.h | 7 +
+ arch/alpha/include/asm/pgalloc.h | 6 +
+ arch/alpha/include/asm/pgtable.h | 11 +
+ arch/alpha/kernel/module.c | 2 +-
+ arch/alpha/kernel/osf_sys.c | 10 +-
+ arch/alpha/mm/fault.c | 141 +-
+ arch/arm/Kconfig | 2 +-
+ arch/arm/include/asm/atomic.h | 421 +++-
+ arch/arm/include/asm/cache.h | 3 +-
+ arch/arm/include/asm/cacheflush.h | 2 +-
+ arch/arm/include/asm/checksum.h | 14 +-
+ arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/delay.h | 8 +-
+ arch/arm/include/asm/domain.h | 32 +-
+ arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/fncpy.h | 2 +
+ arch/arm/include/asm/futex.h | 10 +
+ arch/arm/include/asm/kmap_types.h | 2 +-
+ arch/arm/include/asm/mach/dma.h | 2 +-
+ arch/arm/include/asm/mach/map.h | 7 +-
+ arch/arm/include/asm/outercache.h | 2 +-
+ arch/arm/include/asm/page.h | 2 +-
+ arch/arm/include/asm/pgalloc.h | 22 +-
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgtable-2level.h | 1 +
+ arch/arm/include/asm/pgtable-3level-hwdef.h | 4 +
+ arch/arm/include/asm/pgtable-3level.h | 2 +
+ arch/arm/include/asm/pgtable.h | 56 +-
+ arch/arm/include/asm/proc-fns.h | 2 +-
+ arch/arm/include/asm/processor.h | 5 +-
+ arch/arm/include/asm/smp.h | 2 +-
+ arch/arm/include/asm/thread_info.h | 6 +-
+ arch/arm/include/asm/uaccess.h | 92 +-
+ arch/arm/include/uapi/asm/ptrace.h | 2 +-
+ arch/arm/kernel/armksyms.c | 4 +-
+ arch/arm/kernel/entry-armv.S | 107 +-
+ arch/arm/kernel/entry-common.S | 41 +-
+ arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/fiq.c | 2 +
+ arch/arm/kernel/head.S | 6 +-
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ arch/arm/kernel/module.c | 29 +-
+ arch/arm/kernel/perf_event_cpu.c | 2 +-
+ arch/arm/kernel/process.c | 10 +-
+ arch/arm/kernel/setup.c | 22 +-
+ arch/arm/kernel/smp.c | 2 +-
+ arch/arm/kernel/traps.c | 8 +-
+ arch/arm/kernel/vmlinux.lds.S | 20 +-
+ arch/arm/lib/clear_user.S | 6 +-
+ arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/lib/copy_page.S | 1 +
+ arch/arm/lib/copy_to_user.S | 6 +-
+ arch/arm/lib/csumpartialcopyuser.S | 4 +-
+ arch/arm/lib/delay.c | 14 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 2 +-
+ arch/arm/mach-kirkwood/common.c | 19 +-
+ arch/arm/mach-omap2/board-n8x0.c | 2 +-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
+ arch/arm/mach-omap2/omap_hwmod.c | 4 +-
+ arch/arm/mach-ux500/include/mach/setup.h | 7 -
+ arch/arm/mm/Kconfig | 3 +-
+ arch/arm/mm/fault.c | 78 +
+ arch/arm/mm/fault.h | 12 +
+ arch/arm/mm/init.c | 41 +
+ arch/arm/mm/ioremap.c | 4 +-
+ arch/arm/mm/mmap.c | 36 +-
+ arch/arm/mm/mmu.c | 186 +-
+ arch/arm/mm/proc-v7-2level.S | 3 +
+ arch/arm/plat-omap/sram.c | 2 +
+ arch/arm/plat-orion/include/plat/addr-map.h | 2 +-
+ arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/kernel/debug-monitors.c | 2 +-
+ arch/arm64/kernel/hw_breakpoint.c | 2 +-
+ arch/avr32/include/asm/elf.h | 8 +-
+ arch/avr32/include/asm/kmap_types.h | 4 +-
+ arch/avr32/mm/fault.c | 27 +
+ arch/frv/include/asm/atomic.h | 10 +
+ arch/frv/include/asm/kmap_types.h | 2 +-
+ arch/frv/mm/elf-fdpic.c | 7 +-
+ arch/ia64/include/asm/atomic.h | 10 +
+ arch/ia64/include/asm/elf.h | 7 +
+ arch/ia64/include/asm/pgalloc.h | 12 +
+ arch/ia64/include/asm/pgtable.h | 13 +-
+ arch/ia64/include/asm/spinlock.h | 2 +-
+ arch/ia64/include/asm/uaccess.h | 28 +-
+ arch/ia64/kernel/err_inject.c | 2 +-
+ arch/ia64/kernel/mca.c | 2 +-
+ arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/palinfo.c | 2 +-
+ arch/ia64/kernel/salinfo.c | 2 +-
+ arch/ia64/kernel/sys_ia64.c | 13 +-
+ arch/ia64/kernel/topology.c | 2 +-
+ arch/ia64/kernel/vmlinux.lds.S | 2 +-
+ arch/ia64/mm/fault.c | 32 +-
+ arch/ia64/mm/hugetlbpage.c | 2 +-
+ arch/ia64/mm/init.c | 13 +
+ arch/m32r/lib/usercopy.c | 6 +
+ arch/mips/include/asm/atomic.h | 14 +
+ arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/exec.h | 2 +-
+ arch/mips/include/asm/page.h | 2 +-
+ arch/mips/include/asm/pgalloc.h | 5 +
+ arch/mips/kernel/binfmt_elfn32.c | 7 +
+ arch/mips/kernel/binfmt_elfo32.c | 7 +
+ arch/mips/kernel/process.c | 12 -
+ arch/mips/mm/fault.c | 17 +
+ arch/mips/mm/mmap.c | 51 +-
+ arch/parisc/include/asm/atomic.h | 10 +
+ arch/parisc/include/asm/elf.h | 7 +
+ arch/parisc/include/asm/pgalloc.h | 6 +
+ arch/parisc/include/asm/pgtable.h | 11 +
+ arch/parisc/include/asm/uaccess.h | 4 +-
+ arch/parisc/kernel/module.c | 50 +-
+ arch/parisc/kernel/sys_parisc.c | 6 +-
+ arch/parisc/kernel/traps.c | 4 +-
+ arch/parisc/mm/fault.c | 140 +-
+ arch/powerpc/include/asm/atomic.h | 10 +
+ arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/exec.h | 2 +-
+ arch/powerpc/include/asm/kmap_types.h | 2 +-
+ arch/powerpc/include/asm/mman.h | 2 +-
+ arch/powerpc/include/asm/page.h | 8 +-
+ arch/powerpc/include/asm/page_64.h | 7 +-
+ arch/powerpc/include/asm/pgalloc-64.h | 7 +
+ arch/powerpc/include/asm/pgtable.h | 1 +
+ arch/powerpc/include/asm/pte-hash32.h | 1 +
+ arch/powerpc/include/asm/reg.h | 1 +
+ arch/powerpc/include/asm/uaccess.h | 142 +-
+ arch/powerpc/kernel/exceptions-64e.S | 4 +-
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/module_32.c | 13 +-
+ arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/signal_32.c | 2 +-
+ arch/powerpc/kernel/signal_64.c | 2 +-
+ arch/powerpc/kernel/sysfs.c | 2 +-
+ arch/powerpc/kernel/vdso.c | 5 +-
+ arch/powerpc/lib/usercopy_64.c | 18 -
+ arch/powerpc/mm/fault.c | 54 +-
+ arch/powerpc/mm/mmap_64.c | 16 +
+ arch/powerpc/mm/mmu_context_nohash.c | 2 +-
+ arch/powerpc/mm/numa.c | 2 +-
+ arch/powerpc/mm/slice.c | 23 +-
+ arch/powerpc/platforms/powermac/smp.c | 2 +-
+ arch/s390/include/asm/atomic.h | 10 +
+ arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/exec.h | 2 +-
+ arch/s390/include/asm/uaccess.h | 15 +-
+ arch/s390/kernel/module.c | 22 +-
+ arch/s390/kernel/process.c | 36 -
+ arch/s390/mm/mmap.c | 24 +
+ arch/score/include/asm/exec.h | 2 +-
+ arch/score/kernel/process.c | 5 -
+ arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +-
+ arch/sh/mm/mmap.c | 22 +-
+ arch/sparc/include/asm/atomic_64.h | 106 +-
+ arch/sparc/include/asm/cache.h | 2 +-
+ arch/sparc/include/asm/elf_32.h | 7 +
+ arch/sparc/include/asm/elf_64.h | 7 +
+ arch/sparc/include/asm/pgalloc_32.h | 1 +
+ arch/sparc/include/asm/pgalloc_64.h | 1 +
+ arch/sparc/include/asm/pgtable_32.h | 15 +-
+ arch/sparc/include/asm/pgtsrmmu.h | 5 +
+ arch/sparc/include/asm/spinlock_64.h | 35 +-
+ arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_64.h | 2 +
+ arch/sparc/include/asm/uaccess.h | 8 +
+ arch/sparc/include/asm/uaccess_32.h | 27 +-
+ arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/kernel/Makefile | 2 +-
+ arch/sparc/kernel/sys_sparc_32.c | 2 +-
+ arch/sparc/kernel/sys_sparc_64.c | 48 +-
+ arch/sparc/kernel/sysfs.c | 2 +-
+ arch/sparc/kernel/traps_64.c | 13 +-
+ arch/sparc/lib/Makefile | 2 +-
+ arch/sparc/lib/atomic_64.S | 136 +-
+ arch/sparc/lib/ksyms.c | 6 +
+ arch/sparc/mm/Makefile | 2 +-
+ arch/sparc/mm/fault_32.c | 292 ++
+ arch/sparc/mm/fault_64.c | 486 +++
+ arch/sparc/mm/hugetlbpage.c | 21 +-
+ arch/tile/include/asm/atomic_64.h | 10 +
+ arch/tile/include/asm/uaccess.h | 4 +-
+ arch/um/Makefile | 4 +
+ arch/um/include/asm/kmap_types.h | 2 +-
+ arch/um/include/asm/page.h | 3 +
+ arch/um/include/asm/pgtable-3level.h | 1 +
+ arch/um/kernel/process.c | 16 -
+ arch/x86/Kconfig | 10 +-
+ arch/x86/Kconfig.cpu | 6 +-
+ arch/x86/Kconfig.debug | 6 +-
+ arch/x86/Makefile | 10 +
+ arch/x86/boot/Makefile | 3 +
+ arch/x86/boot/bitops.h | 4 +-
+ arch/x86/boot/boot.h | 4 +-
+ arch/x86/boot/compressed/Makefile | 3 +
+ arch/x86/boot/compressed/eboot.c | 2 -
+ arch/x86/boot/compressed/head_32.S | 7 +-
+ arch/x86/boot/compressed/head_64.S | 4 +-
+ arch/x86/boot/compressed/misc.c | 4 +-
+ arch/x86/boot/cpucheck.c | 28 +-
+ arch/x86/boot/header.S | 6 +-
+ arch/x86/boot/memory.c | 2 +-
+ arch/x86/boot/video-vesa.c | 1 +
+ arch/x86/boot/video.c | 2 +-
+ arch/x86/crypto/aes-x86_64-asm_64.S | 4 +
+ arch/x86/crypto/aesni-intel_asm.S | 31 +
+ arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/camellia-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 +
+ arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 +
+ arch/x86/crypto/sha1_ssse3_asm.S | 3 +
+ arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 +
+ arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 +
+ arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/ia32/ia32_signal.c | 14 +-
+ arch/x86/ia32/ia32entry.S | 141 +-
+ arch/x86/ia32/sys_ia32.c | 12 +-
+ arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/include/asm/alternative.h | 4 +-
+ arch/x86/include/asm/apic.h | 2 +-
+ arch/x86/include/asm/apm.h | 4 +-
+ arch/x86/include/asm/atomic.h | 307 ++-
+ arch/x86/include/asm/atomic64_32.h | 100 +
+ arch/x86/include/asm/atomic64_64.h | 202 ++-
+ arch/x86/include/asm/bitops.h | 2 +-
+ arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/cache.h | 5 +-
+ arch/x86/include/asm/cacheflush.h | 2 +-
+ arch/x86/include/asm/checksum_32.h | 12 +-
+ arch/x86/include/asm/cmpxchg.h | 35 +
+ arch/x86/include/asm/cpufeature.h | 4 +-
+ arch/x86/include/asm/desc.h | 65 +-
+ arch/x86/include/asm/desc_defs.h | 6 +
+ arch/x86/include/asm/elf.h | 31 +-
+ arch/x86/include/asm/emergency-restart.h | 2 +-
+ arch/x86/include/asm/fpu-internal.h | 6 +-
+ arch/x86/include/asm/futex.h | 16 +-
+ arch/x86/include/asm/hw_irq.h | 4 +-
+ arch/x86/include/asm/io.h | 13 +-
+ arch/x86/include/asm/irqflags.h | 5 +
+ arch/x86/include/asm/kprobes.h | 9 +-
+ arch/x86/include/asm/local.h | 142 +-
+ arch/x86/include/asm/mman.h | 15 +
+ arch/x86/include/asm/mmu.h | 16 +-
+ arch/x86/include/asm/mmu_context.h | 76 +-
+ arch/x86/include/asm/module.h | 17 +-
+ arch/x86/include/asm/page_64_types.h | 2 +-
+ arch/x86/include/asm/paravirt.h | 44 +-
+ arch/x86/include/asm/paravirt_types.h | 17 +-
+ arch/x86/include/asm/pgalloc.h | 23 +
+ arch/x86/include/asm/pgtable-2level.h | 2 +
+ arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable.h | 110 +-
+ arch/x86/include/asm/pgtable_32.h | 14 +-
+ arch/x86/include/asm/pgtable_32_types.h | 15 +-
+ arch/x86/include/asm/pgtable_64.h | 19 +-
+ arch/x86/include/asm/pgtable_64_types.h | 5 +
+ arch/x86/include/asm/pgtable_types.h | 36 +-
+ arch/x86/include/asm/processor.h | 39 +-
+ arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/realmode.h | 4 +-
+ arch/x86/include/asm/reboot.h | 10 +-
+ arch/x86/include/asm/rwsem.h | 60 +-
+ arch/x86/include/asm/segment.h | 24 +-
+ arch/x86/include/asm/smp.h | 14 +-
+ arch/x86/include/asm/spinlock.h | 36 +-
+ arch/x86/include/asm/stackprotector.h | 4 +-
+ arch/x86/include/asm/stacktrace.h | 32 +-
+ arch/x86/include/asm/switch_to.h | 4 +-
+ arch/x86/include/asm/thread_info.h | 83 +-
+ arch/x86/include/asm/uaccess.h | 96 +-
+ arch/x86/include/asm/uaccess_32.h | 106 +-
+ arch/x86/include/asm/uaccess_64.h | 232 +-
+ arch/x86/include/asm/word-at-a-time.h | 2 +-
+ arch/x86/include/asm/x86_init.h | 10 +-
+ arch/x86/include/asm/xsave.h | 10 +-
+ arch/x86/include/uapi/asm/e820.h | 2 +-
+ arch/x86/kernel/Makefile | 2 +-
+ arch/x86/kernel/acpi/sleep.c | 4 +
+ arch/x86/kernel/acpi/wakeup_32.S | 6 +-
+ arch/x86/kernel/alternative.c | 65 +-
+ arch/x86/kernel/apic/apic.c | 6 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/bigsmp_32.c | 2 +-
+ arch/x86/kernel/apic/es7000_32.c | 5 +-
+ arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/numaq_32.c | 3 +-
+ arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/summit_32.c | 2 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_phys.c | 2 +-
+ arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
+ arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/asm-offsets.c | 20 +
+ arch/x86/kernel/asm-offsets_64.c | 1 +
+ arch/x86/kernel/cpu/Makefile | 4 -
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ arch/x86/kernel/cpu/common.c | 75 +-
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 29 +-
+ arch/x86/kernel/cpu/mcheck/p5.c | 3 +
+ arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +-
+ arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
+ arch/x86/kernel/cpu/mtrr/main.c | 2 +-
+ arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
+ arch/x86/kernel/cpu/perf_event.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ arch/x86/kernel/cpuid.c | 2 +-
+ arch/x86/kernel/crash.c | 4 +-
+ arch/x86/kernel/doublefault_32.c | 8 +-
+ arch/x86/kernel/dumpstack.c | 30 +-
+ arch/x86/kernel/dumpstack_32.c | 34 +-
+ arch/x86/kernel/dumpstack_64.c | 63 +-
+ arch/x86/kernel/early_printk.c | 1 +
+ arch/x86/kernel/entry_32.S | 354 ++-
+ arch/x86/kernel/entry_64.S | 512 +++-
+ arch/x86/kernel/ftrace.c | 14 +-
+ arch/x86/kernel/head32.c | 4 +-
+ arch/x86/kernel/head_32.S | 237 ++-
+ arch/x86/kernel/head_64.S | 158 +-
+ arch/x86/kernel/i386_ksyms_32.c | 8 +
+ arch/x86/kernel/i387.c | 2 +-
+ arch/x86/kernel/i8259.c | 2 +-
+ arch/x86/kernel/ioport.c | 2 +-
+ arch/x86/kernel/irq.c | 10 +-
+ arch/x86/kernel/irq_32.c | 69 +-
+ arch/x86/kernel/irq_64.c | 2 +-
+ arch/x86/kernel/kdebugfs.c | 2 +-
+ arch/x86/kernel/kgdb.c | 25 +-
+ arch/x86/kernel/kprobes-opt.c | 12 +-
+ arch/x86/kernel/kprobes.c | 30 +-
+ arch/x86/kernel/kvm.c | 2 +-
+ arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/machine_kexec_32.c | 6 +-
+ arch/x86/kernel/microcode_core.c | 2 +-
+ arch/x86/kernel/microcode_intel.c | 4 +-
+ arch/x86/kernel/module.c | 76 +-
+ arch/x86/kernel/msr.c | 2 +-
+ arch/x86/kernel/nmi.c | 11 +
+ arch/x86/kernel/paravirt-spinlocks.c | 2 +-
+ arch/x86/kernel/paravirt.c | 43 +-
+ arch/x86/kernel/pci-iommu_table.c | 2 +-
+ arch/x86/kernel/process.c | 57 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 15 +-
+ arch/x86/kernel/ptrace.c | 25 +-
+ arch/x86/kernel/pvclock.c | 8 +-
+ arch/x86/kernel/reboot.c | 44 +-
+ arch/x86/kernel/relocate_kernel_64.S | 4 +-
+ arch/x86/kernel/setup.c | 14 +-
+ arch/x86/kernel/setup_percpu.c | 27 +-
+ arch/x86/kernel/signal.c | 15 +-
+ arch/x86/kernel/smp.c | 2 +-
+ arch/x86/kernel/smpboot.c | 15 +-
+ arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/sys_i386_32.c | 247 ++
+ arch/x86/kernel/sys_x86_64.c | 19 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tls.c | 7 +-
+ arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/kernel/vm86_32.c | 6 +-
+ arch/x86/kernel/vmlinux.lds.S | 148 +-
+ arch/x86/kernel/vsyscall_64.c | 12 +-
+ arch/x86/kernel/x8664_ksyms_64.c | 2 -
+ arch/x86/kernel/x86_init.c | 8 +-
+ arch/x86/kernel/xsave.c | 2 +
+ arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ arch/x86/kvm/lapic.c | 2 +-
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ arch/x86/kvm/svm.c | 8 +
+ arch/x86/kvm/vmx.c | 47 +-
+ arch/x86/kvm/x86.c | 10 +-
+ arch/x86/lguest/boot.c | 3 +-
+ arch/x86/lib/atomic64_386_32.S | 164 +
+ arch/x86/lib/atomic64_cx8_32.S | 103 +-
+ arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/cmpxchg16b_emu.S | 2 +
+ arch/x86/lib/copy_page_64.S | 24 +-
+ arch/x86/lib/copy_user_64.S | 47 +-
+ arch/x86/lib/copy_user_nocache_64.S | 20 +-
+ arch/x86/lib/csum-copy_64.S | 2 +
+ arch/x86/lib/csum-wrappers_64.c | 4 +-
+ arch/x86/lib/getuser.S | 68 +-
+ arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/iomap_copy_64.S | 2 +
+ arch/x86/lib/memcpy_64.S | 18 +-
+ arch/x86/lib/memmove_64.S | 34 +-
+ arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/mmx_32.c | 243 +-
+ arch/x86/lib/msr-reg.S | 18 +-
+ arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/rwlock.S | 42 +
+ arch/x86/lib/rwsem.S | 6 +-
+ arch/x86/lib/thunk_64.S | 2 +
+ arch/x86/lib/usercopy_32.c | 376 ++-
+ arch/x86/lib/usercopy_64.c | 25 +-
+ arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/fault.c | 555 +++-
+ arch/x86/mm/gup.c | 2 +-
+ arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/hugetlbpage.c | 30 +-
+ arch/x86/mm/init.c | 92 +-
+ arch/x86/mm/init_32.c | 122 +-
+ arch/x86/mm/init_64.c | 48 +-
+ arch/x86/mm/iomap_32.c | 4 +
+ arch/x86/mm/ioremap.c | 12 +-
+ arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
+ arch/x86/mm/mmap.c | 41 +-
+ arch/x86/mm/mmio-mod.c | 10 +-
+ arch/x86/mm/pageattr-test.c | 2 +-
+ arch/x86/mm/pageattr.c | 33 +-
+ arch/x86/mm/pat.c | 12 +-
+ arch/x86/mm/pf_in.c | 10 +-
+ arch/x86/mm/pgtable.c | 137 +-
+ arch/x86/mm/pgtable_32.c | 3 +
+ arch/x86/mm/setup_nx.c | 7 +
+ arch/x86/mm/tlb.c | 4 +
+ arch/x86/net/bpf_jit.S | 14 +
+ arch/x86/net/bpf_jit_comp.c | 37 +-
+ arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/pci/amd_bus.c | 2 +-
+ arch/x86/pci/mrst.c | 4 +-
+ arch/x86/pci/pcbios.c | 144 +-
+ arch/x86/platform/efi/efi_32.c | 19 +
+ arch/x86/platform/efi/efi_stub_32.S | 64 +-
+ arch/x86/platform/efi/efi_stub_64.S | 8 +
+ arch/x86/platform/mrst/mrst.c | 6 +-
+ arch/x86/platform/olpc/olpc_dt.c | 2 +-
+ arch/x86/power/cpu.c | 4 +-
+ arch/x86/realmode/init.c | 8 +-
+ arch/x86/realmode/rm/Makefile | 3 +
+ arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/trampoline_32.S | 12 +-
+ arch/x86/realmode/rm/trampoline_64.S | 2 +-
+ arch/x86/tools/relocs.c | 95 +-
+ arch/x86/vdso/Makefile | 2 +-
+ arch/x86/vdso/vdso32-setup.c | 23 +-
+ arch/x86/vdso/vma.c | 29 +-
+ arch/x86/xen/enlighten.c | 47 +-
+ arch/x86/xen/mmu.c | 9 +
+ arch/x86/xen/smp.c | 18 +-
+ arch/x86/xen/xen-asm_32.S | 12 +-
+ arch/x86/xen/xen-head.S | 11 +
+ arch/x86/xen/xen-ops.h | 2 -
+ block/blk-iopoll.c | 4 +-
+ block/blk-map.c | 2 +-
+ block/blk-softirq.c | 4 +-
+ block/bsg.c | 12 +-
+ block/compat_ioctl.c | 2 +-
+ block/partitions/efi.c | 8 +-
+ block/scsi_ioctl.c | 27 +-
+ crypto/cryptd.c | 4 +-
+ drivers/acpi/apei/cper.c | 8 +-
+ drivers/acpi/ec_sys.c | 12 +-
+ drivers/acpi/processor_driver.c | 2 +-
+ drivers/ata/libata-core.c | 8 +-
+ drivers/ata/pata_arasan_cf.c | 4 +-
+ drivers/atm/adummy.c | 2 +-
+ drivers/atm/ambassador.c | 8 +-
+ drivers/atm/atmtcp.c | 14 +-
+ drivers/atm/eni.c | 10 +-
+ drivers/atm/firestream.c | 8 +-
+ drivers/atm/fore200e.c | 14 +-
+ drivers/atm/he.c | 18 +-
+ drivers/atm/horizon.c | 4 +-
+ drivers/atm/idt77252.c | 36 +-
+ drivers/atm/iphase.c | 34 +-
+ drivers/atm/lanai.c | 12 +-
+ drivers/atm/nicstar.c | 46 +-
+ drivers/atm/solos-pci.c | 4 +-
+ drivers/atm/suni.c | 4 +-
+ drivers/atm/uPD98402.c | 16 +-
+ drivers/atm/zatm.c | 6 +-
+ drivers/base/devtmpfs.c | 2 +-
+ drivers/base/power/wakeup.c | 8 +-
+ drivers/block/cciss.c | 28 +-
+ drivers/block/cciss.h | 2 +-
+ drivers/block/cpqarray.c | 28 +-
+ drivers/block/cpqarray.h | 2 +-
+ drivers/block/drbd/drbd_int.h | 6 +-
+ drivers/block/drbd/drbd_main.c | 8 +-
+ drivers/block/drbd/drbd_receiver.c | 18 +-
+ drivers/block/loop.c | 2 +-
+ drivers/cdrom/cdrom.c | 9 +-
+ drivers/cdrom/gdrom.c | 1 -
+ drivers/char/agp/frontend.c | 2 +-
+ drivers/char/hpet.c | 2 +-
+ drivers/char/ipmi/ipmi_msghandler.c | 8 +-
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
+ drivers/char/mem.c | 41 +-
+ drivers/char/nvram.c | 2 +-
+ drivers/char/pcmcia/synclink_cs.c | 18 +-
+ drivers/char/random.c | 8 +-
+ drivers/char/sonypi.c | 9 +-
+ drivers/char/tpm/tpm.c | 2 +-
+ drivers/char/tpm/tpm_acpi.c | 3 +-
+ drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/virtio_console.c | 4 +-
+ drivers/clocksource/arm_generic.c | 2 +-
+ drivers/cpufreq/cpufreq.c | 2 +-
+ drivers/cpufreq/cpufreq_stats.c | 2 +-
+ drivers/dma/sh/shdma.c | 2 +-
+ drivers/edac/edac_pci_sysfs.c | 20 +-
+ drivers/edac/mce_amd.h | 2 +-
+ drivers/firewire/core-card.c | 2 +-
+ drivers/firewire/core-cdev.c | 3 +-
+ drivers/firewire/core-transaction.c | 1 +
+ drivers/firewire/core.h | 1 +
+ drivers/firmware/dmi_scan.c | 7 +-
+ drivers/firmware/efivars.c | 2 +-
+ drivers/gpio/gpio-vr41xx.c | 2 +-
+ drivers/gpu/drm/drm_crtc_helper.c | 2 +-
+ drivers/gpu/drm/drm_drv.c | 4 +-
+ drivers/gpu/drm/drm_fops.c | 18 +-
+ drivers/gpu/drm/drm_global.c | 14 +-
+ drivers/gpu/drm/drm_info.c | 14 +-
+ drivers/gpu/drm/drm_ioc32.c | 4 +-
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/drm_lock.c | 4 +-
+ drivers/gpu/drm/drm_stub.c | 2 +-
+ drivers/gpu/drm/i810/i810_dma.c | 8 +-
+ drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.h | 6 +-
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
+ drivers/gpu/drm/i915/i915_irq.c | 22 +-
+ drivers/gpu/drm/i915/intel_display.c | 9 +-
+ drivers/gpu/drm/mga/mga_drv.h | 4 +-
+ drivers/gpu/drm/mga/mga_irq.c | 8 +-
+ drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/r128/r128_cce.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.h | 4 +-
+ drivers/gpu/drm/r128/r128_irq.c | 4 +-
+ drivers/gpu/drm/r128/r128_state.c | 4 +-
+ drivers/gpu/drm/radeon/mkregtable.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_device.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 4 +-
+ drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
+ drivers/gpu/drm/radeon/rs690.c | 4 +-
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +-
+ drivers/gpu/drm/via/via_drv.h | 4 +-
+ drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
+ drivers/hid/hid-core.c | 4 +-
+ drivers/hv/channel.c | 4 +-
+ drivers/hv/hv.c | 2 +-
+ drivers/hv/hyperv_vmbus.h | 2 +-
+ drivers/hv/vmbus_drv.c | 4 +-
+ drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/sht15.c | 12 +-
+ drivers/hwmon/via-cputemp.c | 2 +-
+ drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
+ drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
+ drivers/ide/ide-cd.c | 2 +-
+ drivers/infiniband/core/cm.c | 32 +-
+ drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/hw/cxgb4/mem.c | 4 +-
+ drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
+ drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
+ drivers/infiniband/hw/nes/nes.c | 4 +-
+ drivers/infiniband/hw/nes/nes.h | 40 +-
+ drivers/infiniband/hw/nes/nes_cm.c | 62 +-
+ drivers/infiniband/hw/nes/nes_mgt.c | 8 +-
+ drivers/infiniband/hw/nes/nes_nic.c | 40 +-
+ drivers/infiniband/hw/nes/nes_verbs.c | 10 +-
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/input/gameport/gameport.c | 4 +-
+ drivers/input/input.c | 4 +-
+ drivers/input/joystick/sidewinder.c | 1 +
+ drivers/input/joystick/xpad.c | 4 +-
+ drivers/input/mousedev.c | 2 +-
+ drivers/input/serio/serio.c | 4 +-
+ drivers/isdn/capi/capi.c | 10 +-
+ drivers/isdn/gigaset/interface.c | 8 +-
+ drivers/isdn/hardware/avm/b1.c | 4 +-
+ drivers/isdn/i4l/isdn_tty.c | 22 +-
+ drivers/isdn/icn/icn.c | 2 +-
+ drivers/lguest/core.c | 10 +-
+ drivers/lguest/x86/core.c | 12 +-
+ drivers/lguest/x86/switcher_32.S | 27 +-
+ drivers/md/bitmap.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-stripe.c | 10 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/dm-thin-metadata.c | 4 +-
+ drivers/md/dm.c | 16 +-
+ drivers/md/md.c | 26 +-
+ drivers/md/md.h | 6 +-
+ drivers/md/persistent-data/dm-space-map.h | 1 +
+ drivers/md/raid1.c | 4 +-
+ drivers/md/raid10.c | 16 +-
+ drivers/md/raid5.c | 10 +-
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ drivers/media/dvb-frontends/dib3000.h | 2 +-
+ drivers/media/platform/omap/omap_vout.c | 11 +-
+ drivers/media/platform/s5p-tv/mixer.h | 2 +-
+ drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_reg.c | 2 +-
+ drivers/media/platform/s5p-tv/mixer_video.c | 24 +-
+ drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +-
+ drivers/media/radio/radio-cadet.c | 2 +
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/message/fusion/mptsas.c | 34 +-
+ drivers/message/fusion/mptscsih.c | 19 +-
+ drivers/message/i2o/i2o_proc.c | 51 +-
+ drivers/message/i2o/iop.c | 8 +-
+ drivers/mfd/janz-cmodio.c | 1 +
+ drivers/misc/kgdbts.c | 4 +-
+ drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
+ drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/sgi-gru/gruhandles.c | 4 +-
+ drivers/misc/sgi-gru/gruprocfs.c | 8 +-
+ drivers/misc/sgi-gru/grutables.h | 154 +-
+ drivers/misc/sgi-xp/xp.h | 2 +-
+ drivers/misc/sgi-xp/xpc.h | 3 +-
+ drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/mmc/core/mmc_ops.c | 2 +-
+ drivers/mmc/host/dw_mmc.h | 2 +-
+ drivers/mmc/host/sdhci-s3c.c | 8 +-
+ drivers/mtd/devices/doc2000.c | 2 +-
+ drivers/mtd/nand/denali.c | 1 +
+ drivers/mtd/nftlmount.c | 1 +
+ drivers/net/ethernet/8390/ax88796.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
+ drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
+ drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
+ drivers/net/ethernet/faraday/ftgmac100.c | 2 +
+ drivers/net/ethernet/faraday/ftmac100.c | 2 +
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
+ drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
+ drivers/net/ethernet/realtek/r8169.c | 8 +-
+ drivers/net/ethernet/sfc/ptp.c | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/hyperv/hyperv_net.h | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 4 +-
+ drivers/net/ieee802154/fakehard.c | 2 +-
+ drivers/net/macvlan.c | 2 +-
+ drivers/net/macvtap.c | 2 +-
+ drivers/net/ppp/ppp_generic.c | 4 +-
+ drivers/net/team/team.c | 2 +-
+ drivers/net/tun.c | 5 +-
+ drivers/net/usb/hso.c | 23 +-
+ drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +-
+ drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +-
+ drivers/net/wireless/ath/ath9k/hw.h | 4 +-
+ drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +-
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +-
+ drivers/net/wireless/mac80211_hwsim.c | 32 +-
+ drivers/net/wireless/rndis_wlan.c | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00.h | 2 +-
+ drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +-
+ drivers/net/wireless/ti/wl1251/sdio.c | 12 +-
+ drivers/net/wireless/ti/wl12xx/main.c | 8 +-
+ drivers/net/wireless/ti/wl18xx/main.c | 6 +-
+ drivers/oprofile/buffer_sync.c | 8 +-
+ drivers/oprofile/event_buffer.c | 2 +-
+ drivers/oprofile/oprof.c | 2 +-
+ drivers/oprofile/oprofile_stats.c | 10 +-
+ drivers/oprofile/oprofile_stats.h | 10 +-
+ drivers/oprofile/oprofilefs.c | 2 +-
+ drivers/oprofile/timer_int.c | 2 +-
+ drivers/parport/procfs.c | 4 +-
+ drivers/pci/hotplug/cpcihp_generic.c | 6 +-
+ drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
+ drivers/pci/hotplug/cpqphp_nvram.c | 4 +
+ drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/probe.c | 2 +-
+ drivers/platform/x86/thinkpad_acpi.c | 70 +-
+ drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/resource.c | 4 +-
+ drivers/power/pda_power.c | 7 +-
+ drivers/regulator/max8660.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/scsi/bfa/bfa.h | 2 +-
+ drivers/scsi/bfa/bfa_fcpim.h | 2 +-
+ drivers/scsi/bfa/bfa_ioc.h | 4 +-
+ drivers/scsi/hosts.c | 4 +-
+ drivers/scsi/hpsa.c | 30 +-
+ drivers/scsi/hpsa.h | 2 +-
+ drivers/scsi/libfc/fc_exch.c | 50 +-
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ drivers/scsi/lpfc/lpfc.h | 8 +-
+ drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
+ drivers/scsi/lpfc/lpfc_init.c | 6 +-
+ drivers/scsi/lpfc/lpfc_scsi.c | 16 +-
+ drivers/scsi/pmcraid.c | 20 +-
+ drivers/scsi/pmcraid.h | 8 +-
+ drivers/scsi/qla2xxx/qla_attr.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gbl.h | 4 +-
+ drivers/scsi/qla2xxx/qla_os.c | 6 +-
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +-
+ drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
+ drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ drivers/scsi/scsi_tgt_lib.c | 2 +-
+ drivers/scsi/scsi_transport_fc.c | 8 +-
+ drivers/scsi/scsi_transport_iscsi.c | 6 +-
+ drivers/scsi/scsi_transport_srp.c | 6 +-
+ drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sg.c | 2 +-
+ drivers/spi/spi.c | 2 +-
+ drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/ramster/tmem.c | 54 +-
+ drivers/staging/rtl8712/rtl871x_io.h | 2 +-
+ drivers/staging/sbe-2t3e3/netdev.c | 2 +-
+ drivers/staging/usbip/vhci.h | 2 +-
+ drivers/staging/usbip/vhci_hcd.c | 6 +-
+ drivers/staging/usbip/vhci_rx.c | 2 +-
+ drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/vt6656/hostap.c | 7 +-
+ drivers/staging/zcache/tmem.c | 4 +-
+ drivers/staging/zcache/tmem.h | 2 +
+ drivers/target/target_core_device.c | 2 +-
+ drivers/target/target_core_transport.c | 2 +-
+ drivers/tty/cyclades.c | 6 +-
+ drivers/tty/hvc/hvc_console.c | 14 +-
+ drivers/tty/hvc/hvcs.c | 21 +-
+ drivers/tty/ipwireless/tty.c | 27 +-
+ drivers/tty/moxa.c | 2 +-
+ drivers/tty/n_gsm.c | 4 +-
+ drivers/tty/n_tty.c | 3 +-
+ drivers/tty/pty.c | 4 +-
+ drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/kgdboc.c | 32 +-
+ drivers/tty/serial/samsung.c | 9 +-
+ drivers/tty/serial/serial_core.c | 8 +-
+ drivers/tty/synclink.c | 34 +-
+ drivers/tty/synclink_gt.c | 28 +-
+ drivers/tty/synclinkmp.c | 34 +-
+ drivers/tty/tty_io.c | 2 +-
+ drivers/tty/tty_ldisc.c | 10 +-
+ drivers/tty/tty_port.c | 22 +-
+ drivers/uio/uio.c | 21 +-
+ drivers/usb/atm/cxacru.c | 2 +-
+ drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/core/devices.c | 6 +-
+ drivers/usb/core/hcd.c | 4 +-
+ drivers/usb/core/sysfs.c | 2 +-
+ drivers/usb/core/usb.c | 2 +-
+ drivers/usb/early/ehci-dbgp.c | 16 +-
+ drivers/usb/gadget/u_serial.c | 22 +-
+ drivers/usb/serial/console.c | 6 +-
+ drivers/usb/wusbcore/wa-hc.h | 4 +-
+ drivers/usb/wusbcore/wa-xfer.c | 2 +-
+ drivers/video/aty/aty128fb.c | 2 +-
+ drivers/video/fbcmap.c | 3 +-
+ drivers/video/fbmem.c | 6 +-
+ drivers/video/i810/i810_accel.c | 1 +
+ drivers/video/udlfb.c | 32 +-
+ drivers/video/uvesafb.c | 39 +-
+ drivers/video/vesafb.c | 51 +-
+ drivers/video/via/via_clock.h | 2 +-
+ fs/9p/vfs_inode.c | 2 +-
+ fs/Kconfig.binfmt | 2 +-
+ fs/aio.c | 11 +-
+ fs/autofs4/waitq.c | 2 +-
+ fs/befs/linuxvfs.c | 2 +-
+ fs/binfmt_aout.c | 23 +-
+ fs/binfmt_elf.c | 604 ++++-
+ fs/binfmt_flat.c | 6 +
+ fs/bio.c | 6 +-
+ fs/block_dev.c | 2 +-
+ fs/btrfs/ctree.c | 9 +-
+ fs/btrfs/relocation.c | 2 +-
+ fs/btrfs/super.c | 2 +-
+ fs/cachefiles/bind.c | 6 +-
+ fs/cachefiles/daemon.c | 8 +-
+ fs/cachefiles/internal.h | 12 +-
+ fs/cachefiles/namei.c | 2 +-
+ fs/cachefiles/proc.c | 12 +-
+ fs/cachefiles/rdwr.c | 2 +-
+ fs/ceph/dir.c | 2 +-
+ fs/cifs/cifs_debug.c | 12 +-
+ fs/cifs/cifsfs.c | 8 +-
+ fs/cifs/cifsglob.h | 54 +-
+ fs/cifs/link.c | 2 +-
+ fs/cifs/misc.c | 4 +-
+ fs/cifs/smb1ops.c | 80 +-
+ fs/cifs/smb2ops.c | 84 +-
+ fs/cifs/smb2pdu.c | 3 +-
+ fs/coda/cache.c | 10 +-
+ fs/compat.c | 6 +-
+ fs/compat_binfmt_elf.c | 2 +
+ fs/compat_ioctl.c | 8 +-
+ fs/configfs/dir.c | 10 +-
+ fs/coredump.c | 24 +-
+ fs/dcache.c | 2 +-
+ fs/ecryptfs/inode.c | 4 +-
+ fs/ecryptfs/miscdev.c | 2 +-
+ fs/ecryptfs/read_write.c | 4 +-
+ fs/exec.c | 356 ++-
+ fs/ext4/ext4.h | 20 +-
+ fs/ext4/mballoc.c | 44 +-
+ fs/fhandle.c | 3 +-
+ fs/fifo.c | 22 +-
+ fs/fs_struct.c | 8 +-
+ fs/fscache/cookie.c | 36 +-
+ fs/fscache/internal.h | 196 +-
+ fs/fscache/object.c | 28 +-
+ fs/fscache/operation.c | 30 +-
+ fs/fscache/page.c | 110 +-
+ fs/fscache/stats.c | 344 +-
+ fs/fuse/cuse.c | 10 +-
+ fs/fuse/dev.c | 2 +-
+ fs/fuse/dir.c | 2 +-
+ fs/gfs2/inode.c | 2 +-
+ fs/hugetlbfs/inode.c | 13 +-
+ fs/inode.c | 4 +-
+ fs/jffs2/erase.c | 3 +-
+ fs/jffs2/wbuf.c | 3 +-
+ fs/jfs/super.c | 2 +-
+ fs/libfs.c | 10 +-
+ fs/lockd/clntproc.c | 4 +-
+ fs/locks.c | 8 +-
+ fs/namei.c | 15 +-
+ fs/namespace.c | 2 +-
+ fs/nfs/inode.c | 6 +-
+ fs/nfsd/vfs.c | 6 +-
+ fs/notify/fanotify/fanotify_user.c | 4 +-
+ fs/notify/notification.c | 4 +-
+ fs/ntfs/dir.c | 2 +-
+ fs/ntfs/file.c | 4 +-
+ fs/ocfs2/localalloc.c | 2 +-
+ fs/ocfs2/ocfs2.h | 10 +-
+ fs/ocfs2/suballoc.c | 12 +-
+ fs/ocfs2/super.c | 20 +-
+ fs/pipe.c | 33 +-
+ fs/proc/array.c | 20 +
+ fs/proc/kcore.c | 32 +-
+ fs/proc/meminfo.c | 2 +-
+ fs/proc/nommu.c | 2 +-
+ fs/proc/self.c | 2 +-
+ fs/proc/task_mmu.c | 39 +-
+ fs/proc/task_nommu.c | 4 +-
+ fs/quota/netlink.c | 4 +-
+ fs/readdir.c | 2 +-
+ fs/reiserfs/do_balan.c | 2 +-
+ fs/reiserfs/procfs.c | 2 +-
+ fs/reiserfs/reiserfs.h | 4 +-
+ fs/seq_file.c | 2 +-
+ fs/splice.c | 36 +-
+ fs/sysfs/file.c | 10 +-
+ fs/sysfs/symlink.c | 2 +-
+ fs/udf/misc.c | 2 +-
+ fs/xattr_acl.c | 4 +-
+ fs/xfs/xfs_bmap.c | 2 +-
+ fs/xfs/xfs_dir2_sf.c | 10 +-
+ fs/xfs/xfs_ioctl.c | 2 +-
+ fs/xfs/xfs_iops.c | 2 +-
+ include/asm-generic/4level-fixup.h | 2 +
+ include/asm-generic/atomic-long.h | 210 ++
+ include/asm-generic/atomic.h | 2 +-
+ include/asm-generic/atomic64.h | 12 +
+ include/asm-generic/cache.h | 4 +-
+ include/asm-generic/emergency-restart.h | 2 +-
+ include/asm-generic/kmap_types.h | 4 +-
+ include/asm-generic/local.h | 13 +
+ include/asm-generic/pgtable-nopmd.h | 18 +-
+ include/asm-generic/pgtable-nopud.h | 15 +-
+ include/asm-generic/pgtable.h | 8 +
+ include/asm-generic/vmlinux.lds.h | 10 +-
+ include/crypto/algapi.h | 2 +-
+ include/drm/drmP.h | 5 +-
+ include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/ttm/ttm_memory.h | 2 +-
+ include/linux/atmdev.h | 2 +-
+ include/linux/binfmts.h | 1 +
+ include/linux/blkdev.h | 2 +-
+ include/linux/blktrace_api.h | 2 +-
+ include/linux/cache.h | 4 +
+ include/linux/cdrom.h | 1 -
+ include/linux/cleancache.h | 2 +-
+ include/linux/compiler-gcc4.h | 20 +
+ include/linux/compiler.h | 72 +-
+ include/linux/cpu.h | 2 +-
+ include/linux/crypto.h | 6 +-
+ include/linux/decompress/mm.h | 2 +-
+ include/linux/dma-mapping.h | 2 +-
+ include/linux/dmaengine.h | 4 +-
+ include/linux/efi.h | 1 +
+ include/linux/elf.h | 2 +
+ include/linux/filter.h | 4 +
+ include/linux/frontswap.h | 2 +-
+ include/linux/fs.h | 3 +-
+ include/linux/fs_struct.h | 2 +-
+ include/linux/fscache-cache.h | 4 +-
+ include/linux/fsnotify.h | 2 +-
+ include/linux/ftrace_event.h | 2 +-
+ include/linux/genhd.h | 2 +-
+ include/linux/gfp.h | 12 +-
+ include/linux/highmem.h | 12 +
+ include/linux/i2c.h | 1 +
+ include/linux/i2o.h | 2 +-
+ include/linux/if_pppox.h | 2 +-
+ include/linux/init.h | 33 +-
+ include/linux/init_task.h | 7 +
+ include/linux/interrupt.h | 8 +-
+ include/linux/kgdb.h | 6 +-
+ include/linux/kobject.h | 2 +-
+ include/linux/kref.h | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ include/linux/libata.h | 2 +-
+ include/linux/list.h | 3 +
+ include/linux/mm.h | 91 +-
+ include/linux/mm_types.h | 22 +-
+ include/linux/mmiotrace.h | 4 +-
+ include/linux/mmzone.h | 2 +-
+ include/linux/mod_devicetable.h | 4 +-
+ include/linux/module.h | 55 +-
+ include/linux/moduleloader.h | 18 +-
+ include/linux/moduleparam.h | 4 +-
+ include/linux/namei.h | 6 +-
+ include/linux/netdevice.h | 3 +-
+ include/linux/netfilter/ipset/ip_set.h | 2 +-
+ include/linux/netfilter/nfnetlink.h | 2 +-
+ include/linux/notifier.h | 3 +-
+ include/linux/oprofile.h | 4 +-
+ include/linux/perf_event.h | 10 +-
+ include/linux/pipe_fs_i.h | 6 +-
+ include/linux/platform_data/usb-ehci-s5p.h | 2 +-
+ include/linux/pm_runtime.h | 2 +-
+ include/linux/poison.h | 4 +-
+ include/linux/power/smartreflex.h | 2 +-
+ include/linux/random.h | 5 +
+ include/linux/reboot.h | 14 +-
+ include/linux/regset.h | 3 +-
+ include/linux/relay.h | 2 +-
+ include/linux/rio.h | 2 +-
+ include/linux/rmap.h | 4 +-
+ include/linux/sched.h | 64 +-
+ include/linux/seq_file.h | 1 +
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 36 +-
+ include/linux/slab_def.h | 33 +-
+ include/linux/slob_def.h | 4 +-
+ include/linux/slub_def.h | 10 +-
+ include/linux/sonet.h | 2 +-
+ include/linux/sunrpc/clnt.h | 8 +-
+ include/linux/sunrpc/svc_rdma.h | 18 +-
+ include/linux/sysrq.h | 2 +-
+ include/linux/thread_info.h | 7 +
+ include/linux/tty.h | 4 +-
+ include/linux/tty_driver.h | 2 +-
+ include/linux/tty_ldisc.h | 2 +-
+ include/linux/types.h | 16 +
+ include/linux/uaccess.h | 6 +-
+ include/linux/unaligned/access_ok.h | 12 +-
+ include/linux/usb.h | 2 +-
+ include/linux/usb/renesas_usbhs.h | 2 +-
+ include/linux/vermagic.h | 21 +-
+ include/linux/vmalloc.h | 11 +-
+ include/linux/vmstat.h | 20 +-
+ include/media/v4l2-dev.h | 2 +-
+ include/media/v4l2-ioctl.h | 1 -
+ include/net/caif/cfctrl.h | 6 +-
+ include/net/flow.h | 2 +-
+ include/net/gro_cells.h | 6 +-
+ include/net/inet_connection_sock.h | 2 +-
+ include/net/inetpeer.h | 8 +-
+ include/net/ip_fib.h | 2 +-
+ include/net/ip_vs.h | 4 +-
+ include/net/irda/ircomm_tty.h | 1 +
+ include/net/iucv/af_iucv.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ include/net/net_namespace.h | 6 +-
+ include/net/netdma.h | 2 +-
+ include/net/netlink.h | 2 +-
+ include/net/netns/ipv4.h | 2 +-
+ include/net/protocol.h | 4 +-
+ include/net/sctp/sctp.h | 6 +-
+ include/net/sctp/structs.h | 4 +-
+ include/net/sock.h | 6 +-
+ include/net/tcp.h | 8 +-
+ include/net/xfrm.h | 4 +-
+ include/rdma/iw_cm.h | 2 +-
+ include/scsi/libfc.h | 3 +-
+ include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_transport_fc.h | 3 +-
+ include/sound/soc.h | 4 +-
+ include/target/target_core_base.h | 2 +-
+ include/trace/events/irq.h | 4 +-
+ include/uapi/linux/a.out.h | 8 +
+ include/uapi/linux/byteorder/little_endian.h | 24 +-
+ include/uapi/linux/elf.h | 28 +
+ include/uapi/linux/screen_info.h | 3 +-
+ include/uapi/linux/sysctl.h | 6 +-
+ include/uapi/linux/xattr.h | 4 +
+ include/video/udlfb.h | 8 +-
+ include/video/uvesafb.h | 1 +
+ init/Kconfig | 2 +-
+ init/Makefile | 3 +
+ init/do_mounts.c | 14 +-
+ init/do_mounts.h | 8 +-
+ init/do_mounts_initrd.c | 22 +-
+ init/do_mounts_md.c | 6 +-
+ init/init_task.c | 4 +
+ init/initramfs.c | 40 +-
+ init/main.c | 78 +-
+ ipc/msg.c | 11 +-
+ ipc/sem.c | 11 +-
+ ipc/shm.c | 17 +-
+ kernel/acct.c | 2 +-
+ kernel/audit.c | 8 +-
+ kernel/auditsc.c | 4 +-
+ kernel/capability.c | 3 +
+ kernel/compat.c | 40 +-
+ kernel/debug/debug_core.c | 16 +-
+ kernel/debug/kdb/kdb_main.c | 4 +-
+ kernel/events/core.c | 28 +-
+ kernel/exit.c | 4 +-
+ kernel/fork.c | 167 +-
+ kernel/futex.c | 9 +
+ kernel/gcov/base.c | 7 +-
+ kernel/hrtimer.c | 4 +-
+ kernel/jump_label.c | 5 +
+ kernel/kallsyms.c | 39 +-
+ kernel/kexec.c | 3 +-
+ kernel/kmod.c | 2 +-
+ kernel/kprobes.c | 8 +-
+ kernel/lockdep.c | 7 +-
+ kernel/module.c | 333 ++-
+ kernel/mutex-debug.c | 12 +-
+ kernel/mutex-debug.h | 4 +-
+ kernel/mutex.c | 7 +-
+ kernel/notifier.c | 17 +-
+ kernel/panic.c | 3 +-
+ kernel/pid.c | 2 +-
+ kernel/posix-cpu-timers.c | 4 +-
+ kernel/posix-timers.c | 20 +-
+ kernel/power/process.c | 12 +-
+ kernel/profile.c | 14 +-
+ kernel/ptrace.c | 6 +-
+ kernel/rcutiny.c | 4 +-
+ kernel/rcutiny_plugin.h | 2 +-
+ kernel/rcutorture.c | 56 +-
+ kernel/rcutree.c | 72 +-
+ kernel/rcutree.h | 24 +-
+ kernel/rcutree_plugin.h | 18 +-
+ kernel/rcutree_trace.c | 22 +-
+ kernel/rtmutex-tester.c | 24 +-
+ kernel/sched/auto_group.c | 4 +-
+ kernel/sched/core.c | 2 +-
+ kernel/sched/fair.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/smp.c | 2 +-
+ kernel/softirq.c | 16 +-
+ kernel/srcu.c | 6 +-
+ kernel/stop_machine.c | 2 +-
+ kernel/sys.c | 12 +-
+ kernel/sysctl.c | 37 +-
+ kernel/sysctl_binary.c | 14 +-
+ kernel/time/alarmtimer.c | 2 +-
+ kernel/time/tick-broadcast.c | 2 +-
+ kernel/time/timer_stats.c | 10 +-
+ kernel/timer.c | 4 +-
+ kernel/trace/blktrace.c | 6 +-
+ kernel/trace/ftrace.c | 20 +-
+ kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/trace.c | 6 +-
+ kernel/trace/trace_events.c | 25 +-
+ kernel/trace/trace_mmiotrace.c | 8 +-
+ kernel/trace/trace_output.c | 12 +-
+ kernel/trace/trace_stack.c | 2 +-
+ lib/Makefile | 2 +-
+ lib/bitmap.c | 8 +-
+ lib/bug.c | 2 +
+ lib/debugobjects.c | 2 +-
+ lib/devres.c | 4 +-
+ lib/dma-debug.c | 4 +-
+ lib/inflate.c | 2 +-
+ lib/ioremap.c | 4 +-
+ lib/list_debug.c | 89 +-
+ lib/radix-tree.c | 2 +-
+ lib/strncpy_from_user.c | 2 +-
+ lib/strnlen_user.c | 2 +-
+ lib/vsprintf.c | 12 +-
+ mm/Kconfig | 6 +-
+ mm/filemap.c | 2 +-
+ mm/fremap.c | 5 +
+ mm/highmem.c | 7 +-
+ mm/hugetlb.c | 54 +
+ mm/internal.h | 1 +
+ mm/maccess.c | 4 +-
+ mm/madvise.c | 41 +
+ mm/memory-failure.c | 18 +-
+ mm/memory.c | 404 ++-
+ mm/mempolicy.c | 26 +
+ mm/mlock.c | 16 +-
+ mm/mmap.c | 573 +++-
+ mm/mprotect.c | 138 +-
+ mm/mremap.c | 44 +-
+ mm/nommu.c | 11 +-
+ mm/page-writeback.c | 2 +-
+ mm/page_alloc.c | 14 +-
+ mm/percpu.c | 2 +-
+ mm/process_vm_access.c | 14 +-
+ mm/rmap.c | 38 +-
+ mm/shmem.c | 19 +-
+ mm/slab.c | 104 +-
+ mm/slab.h | 5 +-
+ mm/slab_common.c | 9 +-
+ mm/slob.c | 200 +-
+ mm/slub.c | 98 +-
+ mm/sparse-vmemmap.c | 4 +-
+ mm/sparse.c | 2 +-
+ mm/swap.c | 3 +
+ mm/swapfile.c | 12 +-
+ mm/util.c | 6 +
+ mm/vmalloc.c | 82 +-
+ mm/vmstat.c | 12 +-
+ net/8021q/vlan.c | 5 +-
+ net/9p/trans_fd.c | 2 +-
+ net/atm/atm_misc.c | 8 +-
+ net/atm/lec.h | 2 +-
+ net/atm/proc.c | 6 +-
+ net/atm/resources.c | 4 +-
+ net/batman-adv/bat_iv_ogm.c | 8 +-
+ net/batman-adv/hard-interface.c | 4 +-
+ net/batman-adv/soft-interface.c | 4 +-
+ net/batman-adv/types.h | 6 +-
+ net/batman-adv/unicast.c | 2 +-
+ net/bluetooth/hci_sock.c | 2 +-
+ net/bluetooth/l2cap_core.c | 6 +-
+ net/bluetooth/l2cap_sock.c | 12 +-
+ net/bluetooth/rfcomm/sock.c | 4 +-
+ net/bluetooth/rfcomm/tty.c | 10 +-
+ net/bridge/netfilter/ebtables.c | 6 +-
+ net/caif/cfctrl.c | 11 +-
+ net/can/af_can.c | 2 +-
+ net/can/gw.c | 6 +-
+ net/compat.c | 34 +-
+ net/core/datagram.c | 2 +-
+ net/core/dev.c | 16 +-
+ net/core/flow.c | 8 +-
+ net/core/iovec.c | 4 +-
+ net/core/rtnetlink.c | 2 +-
+ net/core/scm.c | 8 +-
+ net/core/sock.c | 24 +-
+ net/decnet/sysctl_net_decnet.c | 4 +-
+ net/ipv4/ah4.c | 2 +-
+ net/ipv4/esp4.c | 2 +-
+ net/ipv4/fib_frontend.c | 6 +-
+ net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inetpeer.c | 4 +-
+ net/ipv4/ip_fragment.c | 2 +-
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ipcomp.c | 2 +-
+ net/ipv4/ipconfig.c | 6 +-
+ net/ipv4/netfilter/arp_tables.c | 12 +-
+ net/ipv4/netfilter/ip_tables.c | 12 +-
+ net/ipv4/ping.c | 2 +-
+ net/ipv4/raw.c | 14 +-
+ net/ipv4/route.c | 2 +-
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_probe.c | 2 +-
+ net/ipv4/udp.c | 10 +-
+ net/ipv6/addrconf.c | 2 +-
+ net/ipv6/ip6_gre.c | 2 +-
+ net/ipv6/ipv6_sockglue.c | 2 +-
+ net/ipv6/netfilter/ip6_tables.c | 12 +-
+ net/ipv6/raw.c | 19 +-
+ net/ipv6/udp.c | 8 +-
+ net/irda/ircomm/ircomm_tty.c | 18 +-
+ net/iucv/af_iucv.c | 4 +-
+ net/iucv/iucv.c | 2 +-
+ net/key/af_key.c | 4 +-
+ net/mac80211/cfg.c | 4 +-
+ net/mac80211/ieee80211_i.h | 3 +-
+ net/mac80211/iface.c | 14 +-
+ net/mac80211/main.c | 2 +-
+ net/mac80211/pm.c | 6 +-
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rc80211_pid_debugfs.c | 2 +-
+ net/mac80211/util.c | 2 +-
+ net/netfilter/ipvs/ip_vs_conn.c | 6 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 +-
+ net/netfilter/ipvs/ip_vs_ctl.c | 10 +-
+ net/netfilter/ipvs/ip_vs_sync.c | 6 +-
+ net/netfilter/ipvs/ip_vs_xmit.c | 4 +-
+ net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/xt_statistic.c | 8 +-
+ net/netlink/af_netlink.c | 4 +-
+ net/packet/af_packet.c | 12 +-
+ net/phonet/pep.c | 6 +-
+ net/phonet/socket.c | 2 +-
+ net/rds/cong.c | 6 +-
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 4 +-
+ net/rds/iw.h | 2 +-
+ net/rds/iw_cm.c | 2 +-
+ net/rds/iw_recv.c | 4 +-
+ net/rds/tcp.c | 2 +-
+ net/rds/tcp_send.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/rxrpc/ar-ack.c | 14 +-
+ net/rxrpc/ar-call.c | 2 +-
+ net/rxrpc/ar-connection.c | 2 +-
+ net/rxrpc/ar-connevent.c | 2 +-
+ net/rxrpc/ar-input.c | 4 +-
+ net/rxrpc/ar-internal.h | 8 +-
+ net/rxrpc/ar-local.c | 2 +-
+ net/rxrpc/ar-output.c | 4 +-
+ net/rxrpc/ar-peer.c | 2 +-
+ net/rxrpc/ar-proc.c | 4 +-
+ net/rxrpc/ar-transport.c | 2 +-
+ net/rxrpc/rxkad.c | 4 +-
+ net/sctp/ipv6.c | 2 +-
+ net/sctp/protocol.c | 8 +-
+ net/sctp/socket.c | 2 +
+ net/socket.c | 34 +-
+ net/sunrpc/sched.c | 4 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +-
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/link.c | 6 +-
+ net/tipc/msg.c | 2 +-
+ net/tipc/subscr.c | 2 +-
+ net/wireless/wext-core.c | 19 +-
+ net/xfrm/xfrm_policy.c | 16 +-
+ net/xfrm/xfrm_state.c | 4 +-
+ scripts/Makefile.build | 2 +-
+ scripts/Makefile.clean | 3 +-
+ scripts/Makefile.host | 28 +-
+ scripts/basic/fixdep.c | 12 +-
+ scripts/gcc-plugin.sh | 17 +
+ scripts/link-vmlinux.sh | 2 +-
+ scripts/mod/file2alias.c | 14 +-
+ scripts/mod/modpost.c | 25 +-
+ scripts/mod/modpost.h | 6 +-
+ scripts/mod/sumversion.c | 2 +-
+ scripts/pnmtologo.c | 6 +-
+ security/Kconfig | 654 ++++-
+ security/integrity/ima/ima.h | 4 +-
+ security/integrity/ima/ima_api.c | 2 +-
+ security/integrity/ima/ima_fs.c | 4 +-
+ security/integrity/ima/ima_queue.c | 2 +-
+ security/keys/compat.c | 2 +-
+ security/keys/keyctl.c | 8 +-
+ security/keys/keyring.c | 6 +-
+ security/security.c | 9 +-
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/xfrm.h | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ security/tomoyo/tomoyo.c | 2 +-
+ sound/aoa/codecs/onyx.c | 7 +-
+ sound/aoa/codecs/onyx.h | 1 +
+ sound/core/oss/pcm_oss.c | 18 +-
+ sound/core/pcm_compat.c | 2 +-
+ sound/core/pcm_native.c | 4 +-
+ sound/core/seq/seq_device.c | 8 +-
+ sound/drivers/mts64.c | 14 +-
+ sound/drivers/opl4/opl4_lib.c | 2 +-
+ sound/drivers/portman2x4.c | 3 +-
+ sound/firewire/amdtp.c | 4 +-
+ sound/firewire/amdtp.h | 2 +-
+ sound/firewire/isight.c | 10 +-
+ sound/firewire/scs1x.c | 8 +-
+ sound/oss/sb_audio.c | 2 +-
+ sound/oss/swarm_cs4297a.c | 6 +-
+ sound/pci/ymfpci/ymfpci.h | 2 +-
+ sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ tools/gcc/.gitignore | 1 +
+ tools/gcc/Makefile | 43 +
+ tools/gcc/checker_plugin.c | 171 +
+ tools/gcc/colorize_plugin.c | 151 +
+ tools/gcc/constify_plugin.c | 359 +++
+ tools/gcc/generate_size_overflow_hash.sh | 94 +
+ tools/gcc/kallocstat_plugin.c | 170 +
+ tools/gcc/kernexec_plugin.c | 465 +++
+ tools/gcc/latent_entropy_plugin.c | 321 ++
+ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++
+ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++
+ tools/gcc/stackleak_plugin.c | 327 ++
+ tools/perf/util/include/asm/alternative-asm.h | 3 +
+ virt/kvm/kvm_main.c | 32 +-
+ 1311 files changed, 26668 insertions(+), 6394 deletions(-)
+commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b
+Merge: 0949bd4 fc53d63
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:03:44 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fc53d6338964741b368070ec5c935bc579b8c2a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 19:02:45 2012 -0400
+
+ Update to pax-linux-3.2.12-test33.patch
+
+commit 0949bd46a6455b308f66ad7c993bfee62412db35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 22 16:56:09 2012 -0400
+
+ Use current_umask() instead of current->fs->umask
+
+commit 22f6432d0fe733619cfcb523782ed7d80c46d645
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:42:42 2012 -0400
+
+ compile fix
+
+commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 21 19:34:56 2012 -0400
+
+ Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain
+ uses of domains with particular hash collisions
+
+commit 47fc52e0a068a29d6cca2f809daf0679cba33c44
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 20:25:49 2012 -0400
+
+ zero kernel_role
+
+commit b00953b43c69238d181d21121ef1577c988d5f6b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:29:34 2012 -0400
+
+ zero real_root after releasing it
+
+commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1
+Merge: b724f59 273f98e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:11:26 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 273f98e58cdac555d3b5dce5c1ca168349f95878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 19:10:52 2012 -0400
+
+ Temporary workaround for (most) size_overflow plugin false-positives
+ Increase randomization for brk-managed heap to 21 bits
+ Update to pax-linux-3.2.12-test32.patch
+
+commit b724f59125304460c2af8bd4b02921993afbb5d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:58:53 2012 -0400
+
+ compile fix
+
+commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:52:23 2012 -0400
+
+ Require default and kernel role
+
+commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 20 18:47:28 2012 -0400
+
+ Allow policies without special roles
+ don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
+
+commit 402ec3d24d66d38403dc543c84851f5e72d39e22
+Merge: 8e012dc f14661a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:06:59 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/namei.c
+
+commit f14661aaf202155c97f66626cea0269017bb7775
+Merge: eae671f 058b017
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 19 18:05:44 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75
+Author: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Date: Fri Mar 16 17:08:39 2012 -0700
+
+ nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+
+ According to the report from Slicky Devil, nilfs caused kernel oops at
+ nilfs_load_super_block function during mount after he shrank the
+ partition without resizing the filesystem:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000048
+ IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
+ *pde = 00000000
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Call Trace:
+ [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
+ [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
+ [<c0226636>] mount_fs+0x36/0x180
+ [<c023d961>] vfs_kern_mount+0x51/0xa0
+ [<c023ddae>] do_kern_mount+0x3e/0xe0
+ [<c023f189>] do_mount+0x169/0x700
+ [<c023fa9b>] sys_mount+0x6b/0xa0
+ [<c04abd1f>] sysenter_do_call+0x12/0x28
+ Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
+ 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
+ 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
+ EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
+ CR2: 0000000000000048
+
+ This turned out due to a defect in an error path which runs if the
+ calculated location of the secondary super block was invalid.
+
+ This patch fixes it and eliminates the reported oops.
+
+ Reported-by: Slicky Devil <slicky.dvl@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Tested-by: Slicky Devil <slicky.dvl@gmail.com>
+ Cc: <stable@vger.kernel.org> [2.6.30+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 8067d7f69bf27dc08057a771cf125e71e4575bf2
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Fri Mar 16 17:08:38 2012 -0700
+
+ nilfs2: clamp ns_r_segments_percentage to [1, 99]
+
+ ns_r_segments_percentage is read from the disk. Bogus or malicious
+ value could cause integer overflow and malfunction due to meaningless
+ disk usage calculation. This patch reports error when mounting such
+ bogus volumes.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e1a90645643f9b0194a5984ec8febd06360d5c8b
+Author: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Sat Mar 10 09:20:21 2012 +0000
+
+ tcp: fix syncookie regression
+
+ commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
+ added a serious regression on synflood handling.
+
+ Simon Kirby discovered a successful connection was delayed by 20 seconds
+ before being responsive.
+
+ In my tests, I discovered that xmit frames were lost, and needed ~4
+ retransmits and a socket dst rebuild before being really sent.
+
+ In case of syncookie initiated connection, we use a different path to
+ initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.
+
+ As ip_queue_xmit() now depends on inet flow being setup, fix this by
+ copying the temp flowi4 we use in cookie_v4_check().
+
+ Reported-by: Simon Kirby <sim@netnation.com>
+ Bisected-by: Simon Kirby <sim@netnation.com>
+ Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65
+Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Date: Mon Mar 12 02:59:41 2012 +0000
+
+ tun: don't hold network namespace by tun sockets
+
+ v3: added previously removed sock_put() to the tun_release() callback, because
+ sk_release_kernel() doesn't drop the socket reference.
+
+ v2: sk_release_kernel() used for socket release. Dummy tun_release() is
+ required for sk_release_kernel() ---> sock_release() ---> sock->ops->release()
+ call.
+
+ TUN was designed to destroy it's socket on network namesapce shutdown. But this
+ will never happen for persistent device, because it's socket holds network
+ namespace.
+ This patch removes of holding network namespace by TUN socket and replaces it
+ by creating socket in init_net and then changing it's net it to desired one. On
+ shutdown socket is moved back to init_net prior to final put.
+
+ Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 46ae7374bd387c58d673a9e58852a9fd31042c5c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon Dec 12 10:02:30 2011 -0600
+
+ vfs: Correctly set the dir i_mutex lockdep class
+
+ 9a7aa12f3911853a introduced additional logic around setting the i_mutex
+ lockdep class for directory inodes. The idea was that some filesystems
+ may want their own special lockdep class for different directory
+ inodes and calling unlock_new_inode() should not clobber one of
+ those special classes.
+
+ I believe that the added conditional, around the *negated* return value
+ of lockdep_match_class(), caused directory inodes to be placed in the
+ wrong lockdep class.
+
+ inode_init_always() sets the i_mutex lockdep class with i_mutex_key for
+ all inodes. If the filesystem did not change the class during inode
+ initialization, then the conditional mentioned above was false and the
+ directory inode was incorrectly left in the non-directory lockdep class.
+ If the filesystem did set a special lockdep class, then the conditional
+ mentioned above was true and that class was clobbered with
+ i_mutex_dir_key.
+
+ This patch removes the negation from the conditional so that the i_mutex
+ lockdep class is properly set for directory inodes. Special classes are
+ preserved and directory inodes with unmodified classes are set with
+ i_mutex_dir_key.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 603590b0d2eca61ce26499eac9c563bc567a18c9
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Feb 20 17:54:00 2012 +0100
+
+ udf: Fix deadlock in udf_release_file()
+
+ udf_release_file() can be called from munmap() path with mmap_sem held. Thus
+ we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
+ i_mutex is not needed in udf_release_file() anymore since protection by
+ i_data_sem is enough to protect from races with write and truncate.
+
+ Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+ Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:33 2012 +0100
+
+ vfs: fix double put after complete_walk()
+
+ complete_walk() already puts nd->path, no need to do it again at cleanup time.
+
+ This would result in Oopses if triggered, apparently the codepath is not too
+ well exercised.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 13885ba2b18400f3ef6540497d30f1af896605e5
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Tue Mar 6 13:56:34 2012 +0100
+
+ vfs: fix return value from do_last()
+
+ complete_walk() returns either ECHILD or ESTALE. do_last() turns this into
+ ECHILD unconditionally. If not in RCU mode, this error will reach userspace
+ which is complete nonsense.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/namei.c
+
+commit f5ab7572c99ffb58953eb1070622307e904c3b7f
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat Mar 10 17:07:28 2012 -0500
+
+ restore smp_mb() in unlock_new_inode()
+
+ wait_on_inode() doesn't have ->i_lock
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872
+Author: David S. Miller <davem@davemloft.net>
+Date: Tue Mar 13 18:19:51 2012 -0700
+
+ sparc32: Add -Av8 to assembler command line.
+
+ Newer version of binutils are more strict about specifying the
+ correct options to enable certain classes of instructions.
+
+ The sparc32 build is done for v7 in order to support sun4c systems
+ which lack hardware integer multiply and divide instructions.
+
+ So we have to pass -Av8 when building the assembler routines that
+ use these instructions and get patched into the kernel when we find
+ out that we have a v8 capable cpu.
+
+ Reported-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 9 20:55:10 2012 +0100
+
+ x86: Derandom delay_tsc for 64 bit
+
+ Commit f0fbf0abc093 ("x86: integrate delay functions") converted
+ delay_tsc() into a random delay generator for 64 bit. The reason is
+ that it merged the mostly identical versions of delay_32.c and
+ delay_64.c. Though the subtle difference of the result was:
+
+ static void delay_tsc(unsigned long loops)
+ {
+ - unsigned bclock, now;
+ + unsigned long bclock, now;
+
+ Now the function uses rdtscl() which returns the lower 32bit of the
+ TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
+ bit this fails when the lower 32bit are close to wrap around when
+ bclock is read, because the following check
+
+ if ((now - bclock) >= loops)
+ break;
+
+ evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
+ because the unsigned long (now - bclock) of these values results in
+ 0xffffffff00000001 which is definitely larger than the loops
+ value. That explains Tvortkos observation:
+
+ "Because I am seeing udelay(500) (_occasionally_) being short, and
+ that by delaying for some duration between 0us (yep) and 491us."
+
+ Make those variables explicitely u32 again, so this works for both 32
+ and 64 bit.
+
+ Reported-by: Tvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: stable@vger.kernel.org # >= 2.6.27
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu Mar 8 17:51:19 2012 +0000
+
+ aio: fix the "too late munmap()" race
+
+ Current code has put_ioctx() called asynchronously from aio_fput_routine();
+ that's done *after* we have killed the request that used to pin ioctx,
+ so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
+ from progressing. As the result, we can end up with async call of
+ put_ioctx() being the last one and possibly happening during exit_mmap()
+ or elf_core_dump(), neither of which expects stray munmap() being done
+ to them...
+
+ We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
+ with that, but that's all we care about - neither io_destroy() nor
+ exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
+ does really_put_req(), so the ioctx teardown won't be done until then
+ and we don't care about the contents of ioctx past that point.
+
+ Since actual freeing of these suckers is RCU-delayed, we don't need to
+ bump ioctx refcount when request goes into list for async removal.
+ All we need is rcu_read_lock held just over the ->ctx_lock-protected
+ area in aio_fput_routine().
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 002124c055afbf09b52226af65621999e8316448
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Wed Mar 7 05:16:35 2012 +0000
+
+ aio: fix io_setup/io_destroy race
+
+ Have ioctx_alloc() return an extra reference, so that caller would drop it
+ on success and not bother with re-grabbing it on failure exit. The current
+ code is obviously broken - io_destroy() from another thread that managed
+ to guess the address io_setup() would've returned would free ioctx right
+ under us; gets especially interesting if aio_context_t * we pass to
+ io_setup() points to PROT_READ mapping, so put_user() fails and we end
+ up doing io_destroy() on kioctx another thread has just got freed...
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Acked-by: Benjamin LaHaise <bcrl@kvack.org>
+ Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Mar 15 15:17:12 2012 -0700
+
+ drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode
+
+ strict_strtoul() writes a long but ->gamma_mode only has space to store an
+ int, so on 64 bit systems we end up scribbling over ->gamma_table_count as
+ well. I've changed it to use kstrtouint() instead.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Inki Dae <inki.dae@samsung.com>
+ Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cf83f735a5571f4341ee6eab947a1f7d833cea6e
+Merge: e4b05b6 eae671f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 21:04:27 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit eae671fafe93f04685c04a089cc13efebc05d600
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 16 20:58:01 2012 -0400
+
+ Update to pax-linux-3.2.11-test31.patch
+ Introduction of the size_overflow plugin from Emese Revfy
+ Many thanks to Emese for her hard work :)
+
+commit e4b05b65c645c412eceb9c950ee7b4771627e6b1
+Merge: e55aa68 258c015
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:19 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 15 20:59:05 2012 -0400
+
+ fix ARM compilation
+
+commit e55aa68f4bb20e75cd7423123aa612c2a69590c0
+Merge: 8f95ea9 55b7573
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:41 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Mar 14 19:33:15 2012 -0400
+
+ Update to pax-linux-3.2.10-test28.patch
+
+commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64
+Merge: c8786a2 886ac5e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:38:13 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :)
+
+commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:37:44 2012 -0400
+
+ Update to pax-linux-3.2.10-test26.patch
+
+commit c8786a2abed5e5327f68efa520c04db99bb6a63a
+Merge: 219c982 c061fcf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:06 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c061fcfa6b78f3774800821144d8ac2d94d7da3e
+Merge: 89373d2 3f4b3b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Mar 13 17:25:02 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f
+Merge: 54e19a3 89373d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:57 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 89373d2abafb9bda97f78bdb157d1d05cf21e008
+Merge: a778588 7459f11
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 17:23:49 2012 -0400
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 54e19a3979978fca902b14ae25125f26fbbbc7a7
+Merge: c4650f1 a778588
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:25 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a778588c9d1b75c48c1f09aac98c1b28bd87a749
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 12 16:51:12 2012 -0400
+
+ Update to pax-linux-3.2.9-test24.patch
+
+commit c4650f14b13f84735fe3de06a1f3ff5776473eff
+Merge: fb2abee 1015790
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:08:28 2012 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ security/Kconfig
+
+commit 101579028a736c224e590c7e12a7357018c424e1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 21:07:27 2012 -0400
+
+ Update to pax-linux-3.2.9-test22.patch
+
+commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 11:02:17 2012 -0400
+
+ Allow 4096 CPUs
+
+commit 96bae28cbe6a41d48e3b56e5904814096e956000
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Mar 11 10:25:58 2012 -0400
+
+ Use a per-cpu 48-bit counter instead of a global atomic64
+ Initialize each counter to have the cpu number in the lower 16 bits
+ instead of incrementing the counter each time by 1, perform the increments
+ above the cpu number so that wrapping/exhausting the counter doesn't corrupt
+ any state
+ idea from PaX Team
+
+commit b975688101da6e966aebb1bc6b8c5c5983974f9c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 20:33:12 2012 -0500
+
+ Special vnsec edition! :)
+ Further reduce argv/env allowance for suid/sgid apps to 512KB
+ Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
+ Clear 3GB personality on suid/sgid binaries
+ Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
+ with the main purpose of throwing off program stack -> arg/env alignment
+ Update documentation
+
+commit e5cfa902c4e891d11dd2086543d2555aa0c27d33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Mar 10 19:54:47 2012 -0500
+
+ Resolve skbuff.h warnings that turn into errors during compilation in
+ the grsecurity directory with -Werror
+
+commit 2023210ad43a944033fcacc660ce410888f562ee
+Merge: ece4383 5f66adf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:48:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 19:47:06 2012 -0500
+
+ Add colorize plugin
+
+commit ece4383e5e91c92d138c4df84225a70b552f4d69
+Merge: a366d0e ab4a5a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:46 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 9 17:56:26 2012 -0500
+
+ Update to pax-linux-3.2.9-test21.patch
+
+commit a366d0ed963ce93fce10121c1100989d5f064e75
+Author: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun Mar 4 19:52:03 2012 -0500
+
+ mm: fix find_vma_prev
+
+ Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory
+ management on PA-RISC.
+
+ After application of the patch, programs that allocate big arrays on the
+ stack crash with segfault, for example, this will crash if compiled
+ without optimization:
+
+ int main()
+ {
+ char array[200000];
+ array[199999] = 0;
+ return 0;
+ }
+
+ The reason is that PA-RISC has up-growing stack and the stack is usually
+ the last memory area. In the above example, a page fault happens above
+ the stack.
+
+ Previously, if we passed too high address to find_vma_prev, it returned
+ NULL and stored the last VMA in *pprev. After "simplify find_vma_prev"
+ change, it stores NULL in *pprev. Consequently, the stack area is not
+ found and it is not expanded, as it used to be before the change.
+
+ This patch restores the old behavior and makes it return the last VMA in
+ *pprev if the requested address is higher than address of any other VMA.
+
+ Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+ Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604
+Author: Hugh Dickins <hughd@google.com>
+Date: Tue Mar 6 12:28:52 2012 -0800
+
+ mmap: EINVAL not ENOMEM when rejecting VM_GROWS
+
+ Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP
+ from shared anonymous: hoist the file case's -EINVAL up for both.
+
+ Signed-off-by: Hugh Dickins <hughd@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:38:42 2012 +0000
+
+ aout: move setup_arg_pages() prior to reading/mapping the binary
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Mon Mar 5 16:49:24 2012 +0000
+
+ vsprintf: make %pV handling compatible with kasprintf()
+
+ kasprintf() (and potentially other functions that I didn't run across so
+ far) want to evaluate argument lists twice. Caring to do so for the
+ primary list is obviously their job, but they can't reasonably be
+ expected to check the format string for instances of %pV, which however
+ need special handling too: On architectures like x86-64 (as opposed to
+ e.g. ix86), using the same argument list twice doesn't produce the
+ expected results, as an internally managed cursor gets updated during
+ the first run.
+
+ Fix the problem by always acting on a copy of the original list when
+ handling %pV.
+
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb
+Author: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon Mar 5 06:39:47 2012 +0000
+
+ VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit a831bd53764695ea680cc1fa3c98759a610ed2ac
+Author: Christian König <deathsimple@vodafone.de>
+Date: Tue Feb 28 23:19:20 2012 +0100
+
+ drm/radeon: fix uninitialized variable
+
+ Without this fix the driver randomly treats
+ textures as arrays and I'm really wondering
+ why gcc isn't complaining about it.
+
+ Signed-off-by: Christian König <deathsimple@vodafone.de>
+ Reviewed-by: Jerome Glisse <jglisse@redhat.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc
+Author: H. Peter Anvin <hpa@zytor.com>
+Date: Fri Mar 2 10:43:48 2012 -0800
+
+ regset: Prevent null pointer reference on readonly regsets
+
+ The regset common infrastructure assumed that regsets would always
+ have .get and .set methods, but not necessarily .active methods.
+ Unfortunately people have since written regsets without .set methods.
+
+ Rather than putting in stub functions everywhere, handle regsets with
+ null .get or .set methods explicitly.
+
+ Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+ Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+ Acked-by: Roland McGrath <roland@hack.frob.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 072ddd99401c79b53c6bf6bff9deb93022124c79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 18:12:57 2012 -0500
+
+ Fix compiler errors reported on forums
+
+commit 1606774b48af24e6f99d99c624c0e447d4b66474
+Merge: 3127bd5 4ca2ffd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:35 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Mar 5 17:31:21 2012 -0500
+
+ Update to pax-linux-3.2.9-test20.patch
+
+commit 3127bd581a292966b1057c7433219dac188c3720
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 21:30:37 2012 -0500
+
+ Fix memory leak on logged exec_id check failure in /proc/pid/statm
+ Thanks to Djalal Harouni for the report
+
+commit d9f1a3be0e97e0632f97379322712d8deeb3ce23
+Merge: 0a56be8 9aa8288
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:38:22 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Mar 2 18:37:43 2012 -0500
+
+ Update to pax-linux-3.2.9-test19.patch
+
+commit 0a56be884bbd7ce733cac0b879c45383494d73b0
+Merge: 9e66745 3f5c52a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:18:01 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3f5c52aba100b3bb252980f9d363aafde52da1a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:16:56 2012 -0500
+
+ Update to pax-linux-3.2.9-test18.patch
+
+commit ae53ec231d12719a36bf871f8c5841020ed692ee
+Merge: b255baf 44fb317
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Mar 1 20:15:31 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 9e667456c03eadea2f305be761abe4de9a5877a3
+Merge: 5e4e200 b255baf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:59 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit b255baf50365d39b406f43aab2c64745607baaa2
+Merge: 340ce90 1de504e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 20:53:29 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+ Update to pax-linux-3.2.8-test17.patch
+
+ Conflicts:
+ arch/x86/include/asm/i387.h
+ arch/x86/kernel/process_32.c
+ arch/x86/kernel/traps.c
+
+commit 5e4e200ac530452884b625cb75de240e1e98c731
+Merge: 44306d7 340ce90
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:02:13 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 27 18:01:48 2012 -0500
+
+ Update to pax-linux-3.2.7-test17.patch
+
+commit 44306d7b3097f77e73040dd25f4f6750751bae7a
+Merge: 29d0b07 521c411
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:04:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ Makefile
+
+commit 521c411bb4ca66ce01146fde8bac9dd22414076d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 19:03:33 2012 -0500
+
+ Update to pax-linux-3.2.7-test16.patch
+
+commit 29d0b07290bb9a10cdfcc3c30058e16265330dea
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 26 17:12:44 2012 -0500
+
+ fix typo
+
+commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef
+Merge: f45b3be caa8f83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:27 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit caa8f83456c4d0b204beefffaa1d1993f2348d08
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 20:59:12 2012 -0500
+
+ Update to pax-linux-3.2.7-test15.patch
+
+commit f45b3be34a345502a302e736af9a65742ddef7cb
+Merge: 62f35fd 9f1309b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:40:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 11:39:57 2012 -0500
+
+ Update to pax-linux-3.2.7-test14.patch
+
+commit 62f35fdbecc58f2988fe13638d907b87a15776bb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 09:08:55 2012 -0500
+
+ We could log on attempted exploits of writing /proc/self/mem, but the current
+ log function declares the access a read, so just swap the ordering for now
+
+commit 066ee8f9c26f1549b4ad893508777b549c8d4b79
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:46:14 2012 -0500
+
+ Log /proc/pid/mem attempts
+
+commit 674471e581893a94d475acac3e3c4496209b3ac9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 25 08:15:00 2012 -0500
+
+ Make use of f_version for protecting /proc file structs (fine since we're not a directory
+ or seq_file)
+
+commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 20:02:19 2012 -0500
+
+ Fix ia64 compilation
+
+commit 50dfea412fd395e0183c2ade368efa525d38b267
+Merge: 12db845 4c6f99b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:53 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 4c6f99bf338e03966356b147d0360cb3b522a44f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 24 19:00:36 2012 -0500
+
+ (6:57:09 PM) pipacs: but you can be proactive
+ (Fix other-arch atomic64/REFCOUNT compilation failures)
+
+commit 12db8453f6bb0a756f369c9151668ba1249bc478
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 21:10:12 2012 -0500
+
+ Remove unnecessary copies, as suggested by solar
+
+commit cc02cab84368467ea03cb35f861a8a7092d91ab4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 20:59:35 2012 -0500
+
+ Make global_exec_counter static, as suggested by solar
+
+commit e642091a475ebb3a30e81f85e7751233d0c2af43
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 19:00:26 2012 -0500
+
+ sync with stable tree
+
+commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:48:47 2012 -0500
+
+ Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod
+ Remove handling of old kludge in chmod/fchmod
+
+commit 815cb62f2ca7b58efc39778b3a855feb675ab56c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 23 18:18:49 2012 -0500
+
+ Apply umask checks to chmod/fchmod as well, as requested by sponsor
+ Union the enforced umask with the existing one to produce minimal privilege
+ Change umask type to u16
+
+commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 22 18:16:11 2012 -0500
+
+ Add per-role umask enforcement to RBAC, requested by a sponsor
+
+commit ad5ac943fe58199f1cc475912a39edb157acb77b
+Merge: dda0bb5 41722e3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:42 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 41722e342e116d95f3d3556d66c97c888d752d39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:04:00 2012 -0500
+
+ Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with
+ KERNEXEC plugin
+
+commit dda0bb57137846a476a866c60db2681aaf6052c0
+Merge: 4fd554e d70927a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:41 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d70927afec977d489a54c106a3c3ddc32e953050
+Merge: 1daebf1 9d0231c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 20:01:33 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 4fd554e3a097b22c5049fcdc423897477deff5ef
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 20 09:17:57 2012 -0500
+
+ Fix wrong logic on capability checks for switching roles, broke policies
+ Thanks to Richard Kojedzinszky for reporting
+
+commit 12f97d52ac603f24344f8d71569c412a307e9422
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 21:20:10 2012 -0500
+
+ sparc64 compile fix
+
+commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:38:32 2012 -0500
+
+ Update configuration help and name for GRKERNSEC_PROC_MEMMAP
+
+commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:18:01 2012 -0500
+
+ optimize the check a bit
+
+commit 03159050f64989be44ae03be769cbed62a7cd2e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 18:00:45 2012 -0500
+
+ smile VUPEN :D
+ (limit argv+env to 1MB for suid/sgid binaries)
+
+commit dd759d8800d225a397e4de49fe729c7d601298d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:49:33 2012 -0500
+
+ Address Space Protection -> Memory Protections (suggested on IRC for consistency)
+
+commit 4de635bda8ebfb85312e3bf851bdbff93de400da
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Feb 16 17:45:06 2012 -0500
+
+ Change the long long type for exec_id to the proper u64
+
+commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu Feb 9 00:46:47 2012 +0000
+
+ isdn: type bug in isdn_net_header()
+
+ We use len to store the return value from eth_header(). eth_header()
+ can return -ETH_HLEN (-14). We want to pass this back instead of
+ truncating it to 65522 and returning that.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Acked-by: Neil Horman <nhorman@tuxdriver.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748
+Author: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Sat Feb 4 10:47:10 2012 +0100
+
+ exec: fix use-after-free bug in setup_new_exec()
+
+ Setting the task name is done within setup_new_exec() by accessing
+ bprm->filename. However this happens after flush_old_exec().
+ This may result in a use after free bug, flush_old_exec() may
+ "complete" vfork_done, which will wake up the parent which in turn
+ may free the passed in filename.
+ To fix this add a new tcomm field in struct linux_binprm which
+ contains the now early generated task name until it is used.
+
+ Fixes this bug on s390:
+
+ Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000
+ Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818)
+ Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374)
+ Call Trace:
+ ([<0000000000282e2c>] setup_new_exec+0x38/0x374)
+ [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4
+ [<0000000000280a42>] search_binary_handler+0x38e/0x5bc
+ [<0000000000282b6c>] do_execve_common+0x410/0x514
+ [<0000000000282cb6>] do_execve+0x46/0x58
+ [<00000000005bce58>] kernel_execve+0x28/0x70
+ [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140
+ [<00000000005bc8da>] kernel_thread_starter+0x6/0xc
+ [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc
+ Last Breaking-Event-Address:
+ [<00000000002830f0>] setup_new_exec+0x2fc/0x374
+
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+ Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d758ee9f5230893dabb5aab737b3109684bde196
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri Feb 10 09:03:58 2012 +0100
+
+ relay: prevent integer overflow in relay_open()
+
+ "subbuf_size" and "n_subbufs" come from the user and they need to be
+ capped to prevent an integer overflow.
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Cc: stable@kernel.org
+ Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c
+Merge: b1baadf 1daebf1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:47:04 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/proc/base.c
+
+commit 1daebf1d623fe5b0efdd329f78562eb7078bc772
+Merge: 1413df2 c2db2e2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 13 17:45:54 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:44:05 2012 -0500
+
+ add missing declaration
+
+commit 3981059c35e8463002517935c28f3d74b8e3703c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:36:04 2012 -0500
+
+ Require CAP_SETUID/CAP_SETGID in a subject in order to change roles
+ in addition to existing checks (this handles the setresuid ruid = euid case)
+
+commit 0beab03263c773f463412c350ad9064b44b6ede0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 12 16:13:40 2012 -0500
+
+ Revert setreuid changes when RBAC is enabled, breaks freeradius
+ I'll fix the learning issue Lavish reported a different way through
+ gradm modifications
+
+ This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111.
+
+commit 0c61cb1cfbbfec7d07647268c922d51434d22621
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 11 14:22:46 2012 -0500
+
+ copy exec_id on fork
+
+commit 000c08e0890630086b2ed04084050ed856a7ec31
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 20:00:36 2012 -0500
+
+ compile fix
+
+commit 54b8c8f54484e5ee18040657827158bc4b63bccc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 19:19:52 2012 -0500
+
+ Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP
+ denies reading of sensitive /proc/pid entries where the file descriptor
+ was opened in a different task than the one performing the read
+
+commit dd19579049186e2648b9ae5e42af04cfda7ab2dc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 10 17:43:24 2012 -0500
+
+ Remove duplicate signal check
+
+commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6
+Merge: 4eba97e 1413df2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:34 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 8 19:24:08 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test11.patch
+
+commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044
+Merge: 0e058dd 8dd90a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:50:12 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:49:07 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free
+
+commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc
+Merge: 7e4169c 6133971
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Feb 6 17:48:57 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 19:24:45 2012 -0500
+
+ We now allow configurations with no PaX markings, giving the system no way to override the defaults
+
+commit 9afb0110287e31c3c56d861b4927f64f8dbd7857
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 5 10:01:23 2012 -0500
+
+ Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory
+
+commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 4 21:01:16 2012 -0500
+
+ Improve security of ptrace-based monitoring/sandboxing
+ See:
+ http://article.gmane.org/gmane.linux.kernel.lsm/15156
+
+commit ca4ca5a1027b41f9528794e52a53ce9c47926101
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:42:55 2012 -0500
+
+ fix typo
+
+commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:25:38 2012 -0500
+
+ Reported by lavish on IRC:
+ If a suid/sgid binary did not learn any setuid/setgid call during learning,
+ we would not any CAP_SETUID/CAP_SETGID capability to the task, nor
+ any restrictions on uid/gid changes. uid and gid can however be changed
+ within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to
+ euid/egid.
+
+ My fix:
+ POSIX doesn't specify whether unprivileged users can perform the above
+ setresuid/setresgid as an unprivileged user, though Linux has historically
+ permitted them. Modify this behavior when RBAC is enabled to require
+ CAP_SETUID/CAP_SETGID for these operations.
+
+ Thanks to Lavish for the report!
+
+ Conflicts:
+
+ kernel/sys.c
+
+commit e55be1f30908f1ad4450cb0558cde71ff5c7247f
+Merge: ba586eb 7e4169c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:21 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e4169c6c880ec9641f1178c88545913c8a21e1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 20:10:05 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test9.patch
+
+commit ba586ebbcd0ed781e38a99c580a757a00347c6eb
+Author: Christopher Yeoh <cyeoh@au1.ibm.com>
+Date: Thu Feb 2 11:34:09 2012 +1030
+
+ Fix race in process_vm_rw_core
+
+ This fixes the race in process_vm_core found by Oleg (see
+
+ http://article.gmane.org/gmane.linux.kernel/1235667/
+
+ for details).
+
+ This has been updated since I last sent it as the creation of the new
+ mm_access() function did almost exactly the same thing as parts of the
+ previous version of this patch did.
+
+ In order to use mm_access() even when /proc isn't enabled, we move it to
+ kernel/fork.c where other related process mm access functions already
+ are.
+
+ Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+ mm/process_vm_access.c
+
+commit b9194d60fb9fe579f5c34817ed822abde18939a0
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:15:11 2012 +0100
+
+ proc: make sure mem_open() doesn't pin the target's memory
+
+ Once /proc/pid/mem is opened, the memory can't be released until
+ mem_release() even if its owner exits.
+
+ Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
+ pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
+ before access_remote_vm(), this verifies that this mm is still alive.
+
+ I am not sure what should mem_rw() return if atomic_inc_not_zero()
+ fails. With this patch it returns zero to match the "mm == NULL" case,
+ may be it should return -EINVAL like it did before e268337d.
+
+ Perhaps it makes sense to add the additional fatal_signal_pending()
+ check into the main loop, to ensure we do not hold this memory if
+ the target task was oom-killed.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit d4500134f9363bc79556e0e7a1fd811cd8552cc4
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:38 2012 +0100
+
+ proc: mem_release() should check mm != NULL
+
+ mem_release() can hit mm == NULL, add the necessary check.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 5d1c11221a86f233fdbb232312a561f85d0a3a05
+Author: Oleg Nesterov <oleg@redhat.com>
+Date: Tue Jan 31 17:14:54 2012 +0100
+
+ note: redisabled mem_write
+
+ proc: unify mem_read() and mem_write()
+
+ No functional changes, cleanup and preparation.
+
+ mem_read() and mem_write() are very similar. Move this code into the
+ new common helper, mem_rw(), which takes the additional "int write"
+ argument.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ fs/proc/base.c
+
+commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0
+Merge: 3903f01 01fee18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:50:40 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 01fee1851aef26b898ccba5312cabf1f919b74cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:46 2012 -0500
+
+ Merge changes from pax-linux-3.2.4-test8.patch
+
+commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879
+Merge: 201c0db 141936c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Feb 3 19:49:01 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test
+
+commit 3903f0172ecadf7a575ba3535402a1506133640a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 30 23:26:44 2012 -0500
+
+ Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT
+
+ We'll whitelist required directories for compatibility instead of requiring
+ that people disable the feature entirely if they use SELinux, fuse, etc
+
+ Conflicts:
+
+ fs/sysfs/mount.c
+
+commit e3618feaa7e63807f1b88c199882075b3ec9bd05
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 29 01:12:19 2012 -0500
+
+ perform RBAC check if TPE is on but match fails, matches previous behavior
+
+commit 627b7fe22799a86e2f81a74f0e0c53474bec3100
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 28 13:17:06 2012 -0500
+
+ log more information about the reason for a TPE denial for novice users, requested by a sponsor
+
+commit efefd67008cbad8a8591e2484410966a300a39a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:58:53 2012 -0500
+
+ merge upstream sha512 changes
+
+commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:49:07 2012 -0500
+
+ drop lock on error in xfs_readlink
+
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0
+
+commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a
+Author: Li Wang <liwang@nudt.edu.cn>
+Date: Thu Jan 19 09:44:36 2012 +0800
+
+ eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+ ecryptfs_write() can enter an infinite loop when truncating a file to a
+ size larger than 4G. This only happens on architectures where size_t is
+ represented by 32 bits.
+
+ This was caused by a size_t overflow due to it incorrectly being used to
+ store the result of a calculation which uses potentially large values of
+ type loff_t.
+
+ [tyhicks@canonical.com: rewrite subject and commit message]
+ Signed-off-by: Li Wang <liwang@nudt.edu.cn>
+ Signed-off-by: Yunchuan Wen <wenyunchuan@kylinos.com.cn>
+ Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+
+commit a7607747d0f74f357d78bb796d70635dd05f46e8
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 19 20:33:44 2012 -0600
+
+ eCryptfs: Check inode changes in setattr
+
+ Most filesystems call inode_change_ok() very early in ->setattr(), but
+ eCryptfs didn't call it at all. It allowed the lower filesystem to make
+ the call in its ->setattr() function. Then, eCryptfs would copy the
+ appropriate inode attributes from the lower inode to the eCryptfs inode.
+
+ This patch changes that and actually calls inode_change_ok() on the
+ eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call
+ would happen earlier in ecryptfs_setattr(), but there are some possible
+ inode initialization steps that must happen first.
+
+ Since the call was already being made on the lower inode, the change in
+ functionality should be minimal, except for the case of a file extending
+ truncate call. In that case, inode_newsize_ok() was never being
+ called on the eCryptfs inode. Rather than inode_newsize_ok() catching
+ maximum file size errors early on, eCryptfs would encrypt zeroed pages
+ and write them to the lower filesystem until the lower filesystem's
+ write path caught the error in generic_write_checks(). This patch
+ introduces a new function, called ecryptfs_inode_newsize_ok(), which
+ checks if the new lower file size is within the appropriate limits when
+ the truncate operation will be growing the lower file.
+
+ In summary this change prevents eCryptfs truncate operations (and the
+ resulting page encryptions), which would exceed the lower filesystem
+ limits or FSIZE rlimits, from ever starting.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reviewed-by: Li Wang <liwang@nudt.edu.cn>
+ Cc: <stable@vger.kernel.org>
+
+commit 0d96f190a39505254ace4e9330219aaeda9b64e3
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Wed Jan 18 18:30:04 2012 -0600
+
+ eCryptfs: Make truncate path killable
+
+ ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+ page, zeroes out the appropriate portions, and then encrypts the page
+ before writing it to the lower filesystem. It was unkillable and due to
+ the lack of sparse file support could result in tying up a large portion
+ of system resources, while encrypting pages of zeros, with no way for
+ the truncate operation to be stopped from userspace.
+
+ This patch adds the ability for ecryptfs_write() to detect a pending
+ fatal signal and return as gracefully as possible. The intent is to
+ leave the lower file in a useable state, while still allowing a user to
+ break out of the encryption loop. If a pending fatal signal is detected,
+ the eCryptfs inode size is updated to reflect the modified inode size
+ and then -EINTR is returned.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Cc: <stable@vger.kernel.org>
+
+commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Tue Jan 24 10:02:22 2012 -0600
+
+ eCryptfs: Fix oops when printing debug info in extent crypto functions
+
+ If pages passed to the eCryptfs extent-based crypto functions are not
+ mapped and the module parameter ecryptfs_verbosity=1 was specified at
+ loading time, a NULL pointer dereference will occur.
+
+ Note that this wouldn't happen on a production system, as you wouldn't
+ pass ecryptfs_verbosity=1 on a production system. It leaks private
+ information to the system logs and is for debugging only.
+
+ The debugging info printed in these messages is no longer very useful
+ and rather than doing a kmap() in these debugging paths, it will be
+ better to simply remove the debugging paths completely.
+
+ https://launchpad.net/bugs/913651
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Daniel DeFreez
+ Cc: <stable@vger.kernel.org>
+
+commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c
+Author: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu Jan 12 11:30:44 2012 +0100
+
+ eCryptfs: Sanitize write counts of /dev/ecryptfs
+
+ A malicious count value specified when writing to /dev/ecryptfs may
+ result in a a very large kernel memory allocation.
+
+ This patch peeks at the specified packet payload size, adds that to the
+ size of the packet headers and compares the result with the write count
+ value. The resulting maximum memory allocation size is approximately 532
+ bytes.
+
+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+ Reported-by: Sasha Levin <levinsasha928@gmail.com>
+ Cc: <stable@vger.kernel.org>
+
+commit 96dcb7282d323813181a1791f51c0ab7696b675b
+Merge: 6c09fa5 201c0db
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:44:15 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 201c0dbf177527367676028151e36d340923f033
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:43:24 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors
+ on loading modules with empty sections
+
+commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:42:13 2012 -0500
+
+ compile fix
+
+commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 19:39:28 2012 -0500
+
+ use LSM flags instead of duplicating checks
+
+commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8
+Merge: 44b9f11 558718b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:23 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 558718b2217beff69edf60f34a6f9893d910e9ac
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:56:04 2012 -0500
+
+ Merge changes from pax-linux-3.2.2-test6.patch
+
+commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:53:55 2012 -0500
+
+ don't increase the size of task_struct when unnecessary
+ change ptrace_readexec log message
+
+commit a9c9626e054adb885883aa64f85506852894dd33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 27 18:16:28 2012 -0500
+
+ Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC --
+ the protection applies to all unreadable binaries.
+
+commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f
+Merge: 7b3f3af 05a1349
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:52:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ block/scsi_ioctl.c
+ drivers/scsi/sd.c
+ fs/proc/base.c
+
+commit 05a134966efb9cb9346ad3422888969ffc79ac1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:47:36 2012 -0500
+
+ Resync with pax-linux-3.2.2-test5.patch
+
+commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a
+Merge: c6d443d 3499d64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 25 20:45:16 2012 -0500
+
+ Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch)
+
+ Conflicts:
+ ipc/shm.c
+
+commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 24 19:42:01 2012 -0500
+
+ Add two new features, one is automatic by enabling CONFIG_GRKERNSEC
+ (may be changed if it breaks some userland), the other has its own
+ config option
+
+ First feature requires CAP_SYS_ADMIN to write to any sysctl entry via
+ the syscall or /proc/sys.
+
+ Second feature requires read access to a suid/sgid binary in order
+ to ptrace it, preventing infoleaking of binaries in situations where
+ the admin has specified 4711 or 2711 perms. Feature has been
+ given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and
+ a sysctl entry of ptrace_readexec
+
+commit 11a7bb25c411c9dccfdca5718639b4becdffd388
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:37:10 2012 -0500
+
+ Compilation fixes
+
+commit cd400e21c7c352baba47d6f375297a7847afb33a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 14:20:27 2012 -0500
+
+ Initial port of grsecurity 2.2.2 for Linux 3.2.1
+ Note that the new syscalls added to this kernel for remote process read/write
+ are subject to ptrace hardening/other relevant RBAC features
+ /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default
+ as well
+ pax_track_stack has been removed from support for this kernel -- if you're running this kernel
+ you should be using a version of gcc with plugin support
+
+commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:47:31 2012 -0500
+
+ Import pax-linux-3.2.1-test5.patch
+commit bfd7db842f835f9837cd43644459b3a95b0b488d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 22 11:02:02 2012 -0500
+
+ Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data)
+ instead of returning -EACCES
+ thanks to Wraith from irc for the report
+
+commit 873ac13576506cd48ddb527c2540f274e249da50
+Merge: 34083dd 8a44fcc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:04:02 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 20 18:02:15 2012 -0500
+
+ Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch
+ Denies executable shared memory when MPROTECT is active
+ Fixes ia32 emulation crash on 64bit host introduced in a recent patch
+
+commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 20:23:14 2012 -0500
+
+ Introduce new GRKERNSEC_SETXID implementation
+ We're not able to change the credentials of other threads in the process until at most
+ one syscall after the first thread does it, since we mark the threads as needing rescheduling
+ and such work occurs on syscall exit.
+ This does however ensure that we're only modifying the current task's credentials
+ which upholds RCU expectations
+
+ Many thanks to corsac for testing
+
+commit 5f900ad54d3992a4e1cda88273acc2f897a42e71
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:42:48 2012 -0500
+
+ Simplify backport
+
+commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Jan 19 17:08:16 2012 -0500
+
+ Commit the latest silent fix for a local privilege escalation from Linus
+ Also disable writing to /proc/pid/mem
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc
+
+commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c
+Merge: 0394a3f 7e6299b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:22:09 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7e6299b4733c082dde930375dd207b63237751ec
+Merge: 83555fb 9bb1282
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 18 20:21:37 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7
+Author: Jesper Juhl <jj@chaosbits.net>
+Date: Sun Jan 8 22:44:29 2012 +0100
+
+ audit: always follow va_copy() with va_end()
+
+ A call to va_copy() should always be followed by a call to va_end() in
+ the same function. In kernel/autit.c::audit_log_vformat() this is not
+ always done. This patch makes sure va_end() is always called.
+
+ Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+ Cc: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9
+Author: Andi Kleen <ak@linux.intel.com>
+Date: Thu Jan 12 17:20:30 2012 -0800
+
+ panic: don't print redundant backtraces on oops
+
+ When an oops causes a panic and panic prints another backtrace it's pretty
+ common to have the original oops data be scrolled away on a 80x50 screen.
+
+ The second backtrace is quite redundant and not needed anyways.
+
+ So don't print the panic backtrace when oops_in_progress is true.
+
+ [akpm@linux-foundation.org: add comment]
+ Signed-off-by: Andi Kleen <ak@linux.intel.com>
+ Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f
+Author: Miklos Szeredi <mszeredi@suse.cz>
+Date: Thu Jan 12 17:59:46 2012 +0100
+
+ fsnotify: don't BUG in fsnotify_destroy_mark()
+
+ Removing the parent of a watched file results in "kernel BUG at
+ fs/notify/mark.c:139".
+
+ To reproduce
+
+ add "-w /tmp/audit/dir/watched_file" to audit.rules
+ rm -rf /tmp/audit/dir
+
+ This is caused by fsnotify_destroy_mark() being called without an
+ extra reference taken by the caller.
+
+ Reported by Francesco Cosoleto here:
+
+ https://bugzilla.novell.com/show_bug.cgi?id=689860
+
+ Fix by removing the BUG_ON and adding a comment about not accessing mark after
+ the iput.
+
+ Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1a90cff66ed00cd57bf00a990d13e95060fa362c
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:28 2012 +0100
+
+ block: fail SCSI passthrough ioctls on partition devices
+
+ Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
+ will pass the command to the underlying block device. This is
+ well-known, but it is also a large security problem when (via Unix
+ permissions, ACLs, SELinux or a combination thereof) a program or user
+ needs to be granted access only to part of the disk.
+
+ This patch lets partitions forward a small set of harmless ioctls;
+ others are logged with printk so that we can see which ioctls are
+ actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
+ Of course it was being sent to a (partition on a) hard disk, so it would
+ have failed with ENOTTY and the patch isn't changing anything in
+ practice. Still, I'm treating it specially to avoid spamming the logs.
+
+ In principle, this restriction should include programs running with
+ CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
+ /dev/sdb, it still should not be able to read/write outside the
+ boundaries of /dev/sda2 independent of the capabilities. However, for
+ now programs with CAP_SYS_RAWIO will still be allowed to send the
+ ioctls. Their actions will still be logged.
+
+ This patch does not affect the non-libata IDE driver. That driver
+ however already tests for bd != bd->bd_contains before issuing some
+ ioctl; it could be restricted further to forbid these ioctls even for
+ programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ [ Make it also print the command name when warning - Linus ]
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu Jan 12 16:01:27 2012 +0100
+
+ block: add and use scsi_blk_cmd_ioctl
+
+ Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
+
+ The function will then be enhanced to detect partition block devices
+ and, in that case, subject the ioctls to whitelisting.
+
+ Cc: linux-scsi@vger.kernel.org
+ Cc: Jens Axboe <axboe@kernel.dk>
+ Cc: James Bottomley <JBottomley@parallels.com>
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 97a79814903fc350e1d13704ea31528a42705401
+Author: Kees Cook <keescook@chromium.org>
+Date: Sat Jan 7 10:41:04 2012 -0800
+
+ audit: treat s_id as an untrusted string
+
+ The use of s_id should go through the untrusted string path, just to be
+ extra careful.
+
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+ Acked-by: Mimi Zohar <zohar@us.ibm.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Dec 20 18:39:41 2011 -0500
+
+ audit: fix signedness bug in audit_log_execve_info()
+
+ In the loop, a size_t "len" is used to hold the return value of
+ audit_log_single_execve_arg(), which returns -1 on error. In that
+ case the error handling (len <= 0) will be bypassed since "len" is
+ unsigned, and the loop continues with (p += len) being wrapped.
+ Change the type of "len" to signed int to fix the error handling.
+
+ size_t len;
+ ...
+ for (...) {
+ len = audit_log_single_execve_arg(...);
+ if (len <= 0)
+ break;
+ p += len;
+ }
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+
+commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue Jan 17 03:28:51 2012 -0300
+
+ [media] ds3000: using logical && instead of bitwise &
+
+ The intent here was to test if the FE_HAS_LOCK was set. The current
+ test is equivalent to "if (status) { ..."
+
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+
+commit 36522330dc59d2fc70c042f3f081d75c32b6259a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 13:10:38 2012 -0500
+
+ Ignore the 0 signal for protected task RBAC checks
+
+commit d513acd55f7a683f6e146a4f570cdb63300479ab
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Jan 16 11:56:13 2012 -0500
+
+ whitespace cleanup
+
+commit ced261c4b82818c700aff8487f647f6f3e5b5122
+Merge: d48751f 83555fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:54 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9
+Merge: fcd8129 93dad39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 13 20:12:43 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit d48751f3919ae855fda0ff6c149db82442329253
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 11 19:05:47 2012 -0500
+
+ Call our own set_user when forcing change to new id
+
+commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0
+Merge: e6578ff fcd8129
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 16:00:10 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 10 15:58:43 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test23.patch
+
+commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5
+Merge: 8859ec3 a120549
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:56 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a12054967a77090de1caa07c41e694a77db4e237
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:45:30 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test22.patch
+
+commit 8859ec32f9815c274df65448f9f2960176c380d3
+Merge: a5016b4 ddd4114
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:26:08 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/binfmt_elf.c
+ security/Kconfig
+
+commit ddd41147e158a79704983a409b7433eba797cf66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:12:42 2012 -0500
+
+ Resync with PaX patch (whitespace difference)
+
+commit 29e569df8205c5f0e043fe4803aa984406c8b118
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 21:09:47 2012 -0500
+
+ Merge changes from pax-linux-3.1.8-test21.patch
+
+commit a5016b4f9c09c337b17e063a7f369af1e86d944d
+Merge: 0124c92 04231d5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:52:20 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097
+Merge: 7bdddeb a919904
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:51:50 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ include/net/flow.h
+
+commit 0124c9264234c450904a0a5fa2f8c608ab8e3796
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 6 18:33:05 2012 -0500
+
+ Make GRKERNSEC_SETXID option compatible with credential debugging
+
+commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe
+Author: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Date: Wed Dec 28 15:57:11 2011 -0800
+
+ mm/mempolicy.c: refix mbind_range() vma issue
+
+ commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the
+ slightly incorrect fix.
+
+ Why? Think following case.
+
+ 1. map 4 pages of a file at offset 0
+
+ [0123]
+
+ 2. map 2 pages just after the first mapping of the same file but with
+ page offset 2
+
+ [0123][23]
+
+ 3. mbind() 2 pages from the first mapping at offset 2.
+ mbind_range() should treat new vma is,
+
+ [0123][23]
+ |23|
+ mbind vma
+
+ but it does
+
+ [0123][23]
+ |01|
+ mbind vma
+
+ Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar).
+
+ This patch fixes it.
+
+ [testcase]
+ test result - before the patch
+
+ case4: 126: test failed. expect '2,4', actual '2,2,2'
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: 246: test failed. expect '4,2', actual '1,4'
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/filemap.c:135!
+ invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC
+
+ (snip long bug on messages)
+
+ test result - after the patch
+
+ case4: passed
+ case5: passed
+ case6: passed
+ case7: passed
+ case8: passed
+ case_n: passed
+
+ source: mbind_vma_test.c
+ ============================================================
+ #include <numaif.h>
+ #include <numa.h>
+ #include <sys/mman.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ static unsigned long pagesize;
+ void* mmap_addr;
+ struct bitmask *nmask;
+ char buf[1024];
+ FILE *file;
+ char retbuf[10240] = "";
+ int mapped_fd;
+
+ char *rubysrc = "ruby -e '\
+ pid = %d; \
+ vstart = 0x%llx; \
+ vend = 0x%llx; \
+ s = `pmap -q #{pid}`; \
+ rary = []; \
+ s.each_line {|line|; \
+ ary=line.split(\" \"); \
+ addr = ary[0].to_i(16); \
+ if(vstart <= addr && addr < vend) then \
+ rary.push(ary[1].to_i()/4); \
+ end; \
+ }; \
+ print rary.join(\",\"); \
+ '";
+
+ void init(void)
+ {
+ void* addr;
+ char buf[128];
+
+ nmask = numa_allocate_nodemask();
+ numa_bitmask_setbit(nmask, 0);
+
+ pagesize = getpagesize();
+
+ sprintf(buf, "%s", "mbind_vma_XXXXXX");
+ mapped_fd = mkstemp(buf);
+ if (mapped_fd == -1)
+ perror("mkstemp "), exit(1);
+ unlink(buf);
+
+ if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0)
+ perror("lseek "), exit(1);
+ if (write(mapped_fd, "\0", 1) < 0)
+ perror("write "), exit(1);
+
+ addr = mmap(NULL, pagesize*8, PROT_NONE,
+ MAP_SHARED, mapped_fd, 0);
+ if (addr == MAP_FAILED)
+ perror("mmap "), exit(1);
+
+ if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0)
+ perror("mprotect "), exit(1);
+
+ mmap_addr = addr + pagesize;
+
+ /* make page populate */
+ memset(mmap_addr, 0, pagesize*6);
+ }
+
+ void fin(void)
+ {
+ void* addr = mmap_addr - pagesize;
+ munmap(addr, pagesize*8);
+
+ memset(buf, 0, sizeof(buf));
+ memset(retbuf, 0, sizeof(retbuf));
+ }
+
+ void mem_bind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_BIND, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_interleave(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void mem_unbind(int index, int len)
+ {
+ int err;
+
+ err = mbind(mmap_addr+pagesize*index, pagesize*len,
+ MPOL_DEFAULT, NULL, 0, 0);
+ if (err)
+ perror("mbind "), exit(err);
+ }
+
+ void Assert(char *expected, char *value, char *name, int line)
+ {
+ if (strcmp(expected, value) == 0) {
+ fprintf(stderr, "%s: passed\n", name);
+ return;
+ }
+ else {
+ fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n",
+ name, line,
+ expected, value);
+ // exit(1);
+ }
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPNNNNNNNNNN
+ case 4 below
+ */
+ void case4(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 4);
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case4", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPPPNNNNNN
+ might become
+ PPPPPPPPPPNN
+ case 5 below
+ */
+ void case5(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case5", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPPPPP 6
+ */
+ void case6(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_bind(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("6", retbuf, "case6", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPPPPPXXXX 7
+ */
+ void case7(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_bind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case7", __LINE__);
+
+ fin();
+ }
+
+ /*
+ AAAA
+ PPPPNNNNXXXX
+ might become
+ PPPPNNNNNNNN 8
+ */
+ void case8(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ mem_bind(0, 2);
+ mem_interleave(4, 2);
+ mem_interleave(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("2,4", retbuf, "case8", __LINE__);
+
+ fin();
+ }
+
+ void case_n(void)
+ {
+ init();
+ sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6);
+
+ /* make redundunt mappings [0][1234][34][7] */
+ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE,
+ MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3);
+
+ /* Expect to do nothing. */
+ mem_unbind(2, 2);
+
+ file = popen(buf, "r");
+ fread(retbuf, sizeof(retbuf), 1, file);
+ Assert("4,2", retbuf, "case_n", __LINE__);
+
+ fin();
+ }
+
+ int main(int argc, char** argv)
+ {
+ case4();
+ case5();
+ case6();
+ case7();
+ case8();
+ case_n();
+
+ return 0;
+ }
+ =============================================================
+
+ Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+ Cc: Minchan Kim <minchan.kim@gmail.com>
+ Cc: Caspar Zhang <caspar@casparzhang.com>
+ Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+ Cc: Christoph Lameter <cl@linux.com>
+ Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
+ Cc: Mel Gorman <mel@csn.ul.ie>
+ Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+ Cc: <stable@vger.kernel.org> [3.1.x]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit f3a1082005781777086df235049f8c0b7efe524e
+Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Tue Dec 27 22:32:41 2011 -0500
+
+ packet: fix possible dev refcnt leak when bind fail
+
+ If bind is fail when bind is called after set PACKET_FANOUT
+ sock option, the dev refcnt will leak.
+
+ Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 915f8b08dac68839dc7204ee81cf9852fda16d24
+Author: Haogang Chen <haogangchen@gmail.com>
+Date: Mon Dec 19 17:11:56 2011 -0800
+
+ nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()
+
+ There is a potential integer overflow in nilfs_ioctl_clean_segments().
+ When a large argv[n].v_nmembs is passed from the userspace, the subsequent
+ call to vmalloc() will allocate a buffer smaller than expected, which
+ leads to out-of-bound access in nilfs_ioctl_move_blocks() and
+ lfs_clean_segments().
+
+ The following check does not prevent the overflow because nsegs is also
+ controlled by the userspace and could be very large.
+
+ if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment)
+ goto out_free;
+
+ This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and
+ returns -EINVAL when overflow.
+
+ Signed-off-by: Haogang Chen <haogangchen@gmail.com>
+ Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72
+Author: Kautuk Consul <consul.kautuk@gmail.com>
+Date: Mon Dec 19 17:12:04 2011 -0800
+
+ mm/vmalloc.c: remove static declaration of va from __get_vm_area_node
+
+ Static storage is not required for the struct vmap_area in
+ __get_vm_area_node.
+
+ Removing "static" to store this variable on the stack instead.
+
+ Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com>
+ Acked-by: David Rientjes <rientjes@google.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66
+Author: Michel Lespinasse <walken@google.com>
+Date: Mon Dec 19 17:12:06 2011 -0800
+
+ binary_sysctl(): fix memory leak
+
+ binary_sysctl() calls sysctl_getname() which allocates from names_cache
+ slab usin __getname()
+
+ The matching function to free the name is __putname(), and not putname()
+ which should be used only to match getname() allocations.
+
+ This is because when auditing is enabled, putname() calls audit_putname
+ *instead* (not in addition) to __putname(). Then, if a syscall is in
+ progress, audit_putname does not release the name - instead, it expects
+ the name to get released when the syscall completes, but that will happen
+ only if audit_getname() was called previously, i.e. if the name was
+ allocated with getname() rather than the naked __getname(). So,
+ __getname() followed by putname() ends up leaking memory.
+
+ Signed-off-by: Michel Lespinasse <walken@google.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Cc: Christoph Hellwig <hch@infradead.org>
+ Cc: Eric Paris <eparis@redhat.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56
+Author: Sean Hefty <sean.hefty@intel.com>
+Date: Tue Dec 6 21:17:11 2011 +0000
+
+ RDMA/cma: Verify private data length
+
+ private_data_len is defined as a u8. If the user specifies a large
+ private_data size (> 220 bytes), we will calculate a total length that
+ exceeds 255, resulting in private_data_len wrapping back to 0. This
+ can lead to overwriting random kernel memory. Avoid this by verifying
+ that the resulting size fits into a u8.
+
+ Reported-by: B. Thery <benjamin.thery@bull.net>
+ Addresses: <http://bugs.openfabrics.org/bugzilla/show_bug.cgi?id=2335>
+ Signed-off-by: Sean Hefty <sean.hefty@intel.com>
+ Signed-off-by: Roland Dreier <roland@purestorage.com>
+
+commit 6b618c54aaec99078629ec5b9575cb7d6fc31176
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Sun Dec 11 23:40:56 2011 -0800
+
+ Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq()
+
+ The error check (intr_status < 0) didn't work because intr_status is
+ a u8. Change its type to signed int.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
+
+commit e27f34e383d7863b2528a63b81b23db09781f6b6
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 16 12:44:15 2011 +0000
+
+ sctp: fix incorrect overflow check on autoclose
+
+ Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for
+ limiting the autoclose value. If userspace passes in -1 on 32-bit
+ platform, the overflow check didn't work and autoclose would be set
+ to 0xffffffff.
+
+ This patch defines a max_autoclose (in seconds) for limiting the value
+ and exposes it through sysctl, with the following intentions.
+
+ 1) Avoid overflowing autoclose * HZ.
+
+ 2) Keep the default autoclose bound consistent across 32- and 64-bit
+ platforms (INT_MAX / HZ in this patch).
+
+ 3) Keep the autoclose value consistent between setsockopt() and
+ getsockopt() calls.
+
+ Suggested-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Wed Dec 21 05:18:33 2011 -0500
+
+ vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create()
+
+ Commit e133e737 didn't correctly fix the integer overflow issue.
+
+ - unsigned int required_size;
+ + u64 required_size;
+ ...
+ required_size = mode_cmd->pitch * mode_cmd->height;
+ - if (unlikely(required_size > dev_priv->vram_size)) {
+ + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
+
+ Note that both pitch and height are u32. Their product is still u32 and
+ would overflow before being assigned to required_size. A correct way is
+ to convert pitch and height to u64 before the multiplication.
+
+ required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
+
+ This patch calls the existing vmw_kms_validate_mode_vram() for
+ validation.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Reviewed-and-tested-by: Thomas Hellstrom <thellstrom@vmware.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+ Conflicts:
+
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+
+commit eb8f0bd01fb994c9abc77dc84729794cd841753d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Thu Dec 22 13:35:22 2011 +0000
+
+ rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
+
+ Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
+ cause a kernel oops due to insufficient bounds checking.
+
+ if (count > 1<<30) {
+ /* Enforce a limit to prevent overflow */
+ return -EINVAL;
+ }
+ count = roundup_pow_of_two(count);
+ table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
+
+ Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
+
+ ... + (count * sizeof(struct rps_dev_flow))
+
+ where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
+ 32 bits.
+
+ This patch replaces the magic number (1 << 30) with a symbolic bound.
+
+ Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 648188958672024b616c42c1f6c98c8cfc85619d
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Fri Dec 30 10:40:17 2011 -0500
+
+ netfilter: ctnetlink: fix timeout calculation
+
+ The sanity check (timeout < 0) never works; the dividend is unsigned
+ and so is the division, which should have been a signed division.
+
+ long timeout = (ct->timeout.expires - jiffies) / HZ;
+ if (timeout < 0)
+ timeout = 0;
+
+ This patch converts the time values to signed for the division.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ab03a0973cee73f88655ff4981812ad316a6cd59
+Merge: 76f82df 7bdddeb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:50 2012 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7bdddebd9d274a344a1c57a561152160c9e9a32a
+Merge: 3e59cb5 55cc81a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 3 17:42:36 2012 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+commit 76f82df18ba181687f454426fa9ced7a92b2ac1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 20:15:02 2011 -0500
+
+ Only further restrict futex targeting another process -- our modified
+ permission check also happened to allow a case where a process retaining
+ uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid
+ being non-zero (reported on forums by ben_w)
+
+commit 6b235a4450a5fea41663ec35fa0608988b6078c6
+Merge: 97c16f0 3e59cb5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:11:06 2011 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ fs/hfs/btree.c
+
+commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50
+Merge: 285eb4e c26f60b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 22 19:09:57 2011 -0500
+
+ Merge branch 'linux-3.1.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process.c
+
+commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 19 21:54:01 2011 -0500
+
+ Add new option: "Enforce consistent multithreaded privileges"
+
+commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:58:31 2011 -0500
+
+ Remove harmless duplicate code -- exec_file would be null already so the
+ second check would never pass.
+
+commit 4e3304e94aa72737810bc50169519af157dce4ce
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 7 19:50:39 2011 -0500
+
+ Revert back to (possibly?) undocumented /proc/pid behavior that gdb
+ depended on for attaching to a thread. Entries exist in /proc for
+ threads, but are not visible in a readdir.
+
+commit 1bd899335f23815cfe8deac44c6b346398f3b95e
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 18:03:28 2011 -0500
+
+ Put the already-walked path if in RCU-walk mode
+
+commit ec7ae36b7159f10649709779443a988662965d66
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 17:35:21 2011 -0500
+
+ Fix memory leak introduced by recent (unpublished) commit
+ 75ab998b94a29d464518d6d501bdde3fbfcbfa14
+
+commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:56:10 2011 -0500
+
+ Explicitly check size copied to userland in override_release to silence gcc
+
+commit c30a85d0fff67e0724e726febb934c0b6fa01c6c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:54:02 2011 -0500
+
+ Initialize variable to silence erroneous gcc warning
+
+commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:47:47 2011 -0500
+
+ Future-proof other potential RCU-aware locations where we can log.
+
+commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 4 13:02:54 2011 -0500
+
+ Fix freeze reported by 'vs' on the forums. Bug occurred due to
+ MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used
+ in generic_permission() was in the task's effective set but disallowed by
+ RBAC, would block when acquiring locks resulting in the freeze.
+
+ Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged
+ as being required when CAP_DAC_OVERRIDE is present (consistent with
+ older patches).
+
+commit ab694e5eccfbc369baa593ebc1269d1908cf16dc
+Author: Xi Wang <xi.wang@gmail.com>
+Date: Tue Nov 29 09:26:30 2011 +0000
+
+ sctp: better integer overflow check in sctp_auth_create_key()
+
+ The check from commit 30c2235c is incomplete and cannot prevent
+ cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the
+ left-hand side of the check (INT_MAX - key_len), which is unsigned,
+ becomes 0xffffffff (UINT_MAX) and bypasses the check.
+
+ However this shouldn't be a security issue. The function is called
+ from the following two code paths:
+
+ 1) setsockopt()
+
+ 2) sctp_auth_asoc_set_secret()
+
+ In case (1), sca_keylength is never going to exceed 65535 since it's
+ bounded by a u16 from the user API. As such, the key length will
+ never overflow.
+
+ In case (2), sca_keylength is computed based on the user key (1 short)
+ and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
+ will not overflow.
+
+ In other words, this overflow check is not really necessary. Just
+ make it more correct.
+
+ Signed-off-by: Xi Wang <xi.wang@gmail.com>
+ Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit e565e28c3635a1d50f80541fbf6b606d742fec76
+Author: Josh Boyer <jwboyer@redhat.com>
+Date: Fri Aug 19 14:50:26 2011 -0400
+
+ fs/minix: Verify bitmap block counts before mounting
+
+ Newer versions of MINIX can create filesystems that allocate an extra
+ bitmap block. Mounting of this succeeds, but doing a statfs call will
+ result in an oops in count_free because of a negative number being used
+ for the bh index.
+
+ Avoid this by verifying the number of allocated blocks at mount time,
+ erroring out if there are not enough and make statfs ignore the extras
+ if there are too many.
+
+ This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
+
+ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e134e398ec1a3f428261680e83df4319e64bed9
+Author: Julia Lawall <julia@diku.dk>
+Date: Tue Nov 15 14:53:11 2011 -0800
+
+ drivers/gpu/vga/vgaarb.c: add missing kfree
+
+ kbuf is a buffer that is local to this function, so all of the error paths
+ leaving the function should release it.
+
+ Signed-off-by: Julia Lawall <julia@diku.dk>
+ Cc: Jesper Juhl <jj@chaosbits.net>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+commit 2b9057b321e36860e8d63985b5c4e496f254b717
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:33:28 2011 -0500
+
+ Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch
+
+commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
+
+commit 285eb4ea45d853ae00426b3315a61c1368080dad
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 10 18:33:46 2011 -0500
+
+ Import changes from pax-linux-3.1.5-test20.patch
+
+commit a6bda918fc90ec1d5c387e978d147ad2044153f1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Dec 8 20:55:54 2011 -0500
+
+ Import changes from pax-linux-3.1.4-test19.patch
+
+commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Dec 3 21:29:37 2011 -0500
+
+ Import pax-linux-3.1.4-test18.patch
projects / thirdparty / grsecurity-scrape.git / commitdiff
