commit facbff181ef6e99400f215f93c3259aca442754c
Merge: 13e09e2 00d46cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 14 21:29:40 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 00d46cd059b886a277793e1e972d311738a5ca9f
Merge: 92efcfe d07c3d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 14 21:29:31 2015 -0400

    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	lib/bitmap.c
    	mm/memory.c

commit 13e09e261792b1cdb577d89af5cdf7dafe6403b1
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat Aug 1 15:33:26 2015 +0300

    rds: fix an integer overflow test in rds_info_getsockopt()
    
    "len" is a signed integer.  We check that len is not negative, so it
    goes from zero to INT_MAX.  PAGE_SIZE is unsigned long so the comparison
    is type promoted to unsigned long.  ULONG_MAX - 4095 is higher than
    INT_MAX so the condition can never be true.
    
    I don't know if this is harmful but it seems safe to limit "len" to
    INT_MAX - 4095.
    
    Fixes: a8c879a7ee98 ('RDS: Info and stats')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/info.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
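The promotion described in the commit, shown as an added example rather than the kernel's own code: the validation below is modeled on the commit's description (an `int` len tested against `unsigned long` PAGE_SIZE), with PAGE_SIZE assumed to be 4096 on a 64-bit build and `check_before_fix`/`check_after_fix` being this example's reconstruction of the test before and after the change.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Stand-in for the kernel constant; its type (unsigned long) is the point. */
#define PAGE_SIZE 4096UL

/*
 * Argument validation modeled on the commit text: reject negative lengths,
 * lengths whose page rounding would wrap, and [start, start+len) ranges that
 * wrap.  Returns 0 when accepted, -EINVAL when rejected.
 */
static int check_before_fix(unsigned long start, int len)
{
    /* In the middle test len is promoted to unsigned long, so it really
     * asks "len > ULONG_MAX - 4095", which no int >= 0 can satisfy. */
    if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start)
        return -EINVAL;
    return 0;
}

static int check_after_fix(unsigned long start, int len)
{
    /* Explicit bound: len may be at most INT_MAX - 4095, so adding
     * PAGE_SIZE - 1 to it later cannot overflow an int. */
    if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start)
        return -EINVAL;
    return 0;
}

/* Probe the dead test at the interesting values; returns 1 if it ever fires. */
static int old_wrap_test_ever_fires(void)
{
    int probes[] = { 0, 4095, 4096, INT_MAX - 4095, INT_MAX - 4094, INT_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (probes[i] + PAGE_SIZE - 1 < probes[i])
            return 1;
    return 0;
}

int main(void)
{
    int lens[] = { 4096, INT_MAX - 4095, INT_MAX - 4094, INT_MAX };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%10d  before fix: %3d  after fix: %3d\n", lens[i],
               check_before_fix(0, lens[i]), check_after_fix(0, lens[i]));
    return 0;
}
```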

commit 5f71a17e4b3f406474055ef8723e55f82118517c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 02:39:35 2015 -0400

    Backport virtio-net security fix by Jason Wang from:
    http://marc.info/?l=linux-netdev&m=143868216724068&w=2

 drivers/net/virtio_net.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 655452be4ba3abe1864d157001723762498432f7
Merge: a6667a3 92efcfe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 01:50:01 2015 -0400

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	arch/mips/kernel/irq.c
    	kernel/trace/trace_events_filter.c

commit 92efcfeca5be11a36c8a089a374d9396764e397d
Merge: 16c1a7a 058fbb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 01:48:25 2015 -0400

    Update to pax-linux-3.2.70-test179.patch:
    
    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	arch/arm/include/asm/elf.h
    	arch/powerpc/mm/mmap_64.c
    	fs/binfmt_elf.c

commit a6667a39ecfc62cad6ae68e7f38f7b40f6dd559f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 2 08:26:16 2015 -0400

    Update plugins from 4.1 tree to fix reported compilation errors

 tools/gcc/kernexec_plugin.c  |    8 ++++++--
 tools/gcc/stackleak_plugin.c |    8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

commit 5088787d1a19583ff0a46387a108e3b99c11bf92
Author: Benjamin Randazzo <benjamin@randazzo.fr>
Date:   Sat Jul 25 16:36:50 2015 +0200

    md: use kzalloc() when bitmap is disabled
    
    In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
    mdu_bitmap_file_t called "file".
    
    5769         file = kmalloc(sizeof(*file), GFP_NOIO);
    5770         if (!file)
    5771                 return -ENOMEM;
    
    This structure is copied to user space at the end of the function.
    
    5786         if (err == 0 &&
    5787             copy_to_user(arg, file, sizeof(*file)))
    5788                 err = -EFAULT
    
    But if bitmap is disabled only the first byte of "file" is initialized
    with zero, so it's possible to read some bytes (up to 4095) of kernel
    space memory from user space. This is an information leak.
    
    5775         /* bitmap disabled, zero the first byte and copy out */
    5776         if (!mddev->bitmap_info.file)
    5777                 file->pathname[0] = '\0';
    
    Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
    Signed-off-by: NeilBrown <neilb@suse.com>
    
    Conflicts:
    
    	drivers/md/md.c
    
    Conflicts:
    
    	drivers/md/md.c
    
    Conflicts:
    
    	drivers/md/md.c

 drivers/md/md.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 4e3e47675ff3f830a69f39ff1ea094563715bbcc
Author: Andy Lutomirski <luto@kernel.org>
Date:   Thu Jul 30 14:31:31 2015 -0700

    x86/xen: Probe target addresses in set_aliased_prot() before the hypercall
    
    The update_va_mapping hypercall can fail if the VA isn't present
    in the guest's page tables.  Under certain loads, this can
    result in an OOPS when the target address is in unpopulated vmap
    space.
    
    While we're at it, add comments to help explain what's going on.
    
    This isn't a great long-term fix.  This code should probably be
    changed to use something like set_memory_ro.
    
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Cc: Andrew Cooper <andrew.cooper3@citrix.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: David Vrabel <dvrabel@cantab.net>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Jan Beulich <jbeulich@suse.com>
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Sasha Levin <sasha.levin@oracle.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: security@kernel.org <security@kernel.org>
    Cc: <stable@vger.kernel.org>
    Cc: xen-devel <xen-devel@lists.xen.org>
    Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.luto@kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/xen/enlighten.c |   40 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 40 insertions(+), 0 deletions(-)

commit a23e976defed00e9c2f6ff7533450578d245181c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 1 14:29:08 2015 -0400

    Backport fix for another vuln the fix for which was snuck into
    the 4.1-rc1 merge process by Al Viro.  Spotted by Ben Hutchings:
    http://seclists.org/oss-sec/2015/q3/271

 drivers/scsi/sg.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 216cb9c00c93f345089a829deaa63f062d2b03d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 12:18:43 2015 -0400

    Update to pax-linux-3.14.48-test53.patch:
    - fixed the constify plugin for gcc-5
    - Emese fixed the size_overflow plugin for gcc-5

 include/linux/compiler-gcc5.h                      |    1 -
 tools/gcc/constify_plugin.c                        |    2 +-
 tools/gcc/gcc-common.h                             |  130 +++++++++++++--
 .../insert_size_overflow_asm.c                     |  112 +++++++------
 .../insert_size_overflow_check_core.c              |   80 ++++-----
 .../insert_size_overflow_check_ipa.c               |  174 +++++++++++---------
 .../size_overflow_plugin/intentional_overflow.c    |   96 ++++++-----
 tools/gcc/size_overflow_plugin/misc.c              |   20 ++-
 .../size_overflow_plugin/remove_unnecessary_dup.c  |   19 +-
 tools/gcc/size_overflow_plugin/size_overflow.h     |   88 ++++++++--
 .../gcc/size_overflow_plugin/size_overflow_debug.c |   23 ++-
 .../size_overflow_plugin/size_overflow_plugin.c    |    7 +-
 .../size_overflow_plugin_hash.c                    |   31 ++---
 13 files changed, 491 insertions(+), 292 deletions(-)

commit 7af5bff119d8d09e14b15f8367af6bb423c0b6e7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:49:44 2015 -0400

    compile fix

 kernel/sysctl.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 3331b04884e8ddbbf89ee53f802cd7dbbc0d2e84
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:02:49 2015 -0400

    compile fix

 grsecurity/grsec_sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 67eb0dfbf04d28e8591660eb199082cbd7dbd6ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 10:59:07 2015 -0400

    compile fix

 include/linux/sysctl.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 95245366379da1cce9d960181673403479fb70d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 10:50:51 2015 -0400

    Add framework for having ambiently read-only sysctl variables.
    Add all grsecurity sysctl entries to it, as well as security-relevant
    upstream sysctl values (modules_disabled, kptr_restrict, etc)
    
    Conflicts:
    
    	kernel/printk/printk.c
    
    Conflicts:
    
    	grsecurity/grsec_init.c
    	kernel/module.c
    	kernel/printk/printk.c

 grsecurity/grsec_init.c   |  104 +-
 grsecurity/grsec_sysctl.c |  104 +-
 include/linux/sysctl.h    |    2 +
 kernel/events/core.c      |    6 +-
 kernel/module.c           |    2 +-
 kernel/printk/printk.c    | 2912 +++++++++++++++++++++++++++++++++++++++++++++
 kernel/sysctl.c           |   89 ++-
 lib/vsprintf.c            |    4 +-
 8 files changed, 3106 insertions(+), 117 deletions(-)

commit 06fa0ab59a1a4027a6531b43e9d3f8d810c2e7ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:33:44 2015 -0400

    port modify_ldt code

 arch/x86/kernel/ldt.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 069012f660f2b16c690782e96eccbbe4eaf8b206
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:28:15 2015 -0400

    Implement modify_ldt sysctl toggle from https://lkml.org/lkml/2015/7/25/103,
    make it not depend on CONFIG_MODIFY_LDT_SYSCALL, force modify_ldt to off
    regardless of config setting if grsec is enabled (with the allowance to
    turn it on at runtime), and harden up the implementation a bit
    
    Conflicts:
    
    	arch/x86/Kconfig
    	kernel/sysctl.c

 Documentation/sysctl/kernel.txt |   15 +++++++++++++++
 arch/x86/Kconfig                |   16 ++++++++++++++++
 arch/x86/kernel/ldt.c           |   18 ++++++++++++++++++
 kernel/sysctl.c                 |    8 ++++++++
 4 files changed, 57 insertions(+), 0 deletions(-)

commit 2235626a23679463294d505fb58c59cc6c52b1ad
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date:   Fri Jul 17 16:23:42 2015 -0700

    include, lib: add __printf attributes to several function prototypes
    
    Using __printf attributes helps to detect several format string issues
    at compile time (even though -Wformat-security is currently disabled in
    Makefile).  For example it can detect when formatting a pointer as a
    number, like the issue fixed in commit a3fa71c40f18 ("wl18xx: show
    rx_frames_per_rates as an array as it really is"), or when the arguments
    do not match the format string, c.f.  for example commit 5ce1aca81435
    ("reiserfs: fix __RASSERT format string").
    
    To prevent similar bugs in the future, add a __printf attribute to every
    function prototype which needs one in include/linux/ and lib/.  These
    functions were mostly found by using gcc's -Wsuggest-attribute=format
    flag.
    
    Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Felipe Balbi <balbi@ti.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	include/linux/clkdev.h
    	include/linux/configfs.h
    	include/linux/printk.h
    
    Conflicts:
    
    	include/linux/cpu.h
    	include/linux/device.h
    	include/linux/iommu.h
    	include/linux/printk.h
    
    Conflicts:
    
    	include/linux/clkdev.h
    	include/linux/compat.h
    	include/linux/dcache.h
    	include/linux/printk.h

 include/linux/clkdev.h    |    2 +-
 include/linux/compat.h    |    2 +-
 include/linux/configfs.h  |    3 ++-
 include/linux/dcache.h    |    3 ++-
 include/linux/device.h    |   10 ++++------
 include/linux/kernel.h    |    9 +++++----
 include/linux/kobject.h   |    5 +++--
 include/linux/mmiotrace.h |    2 +-
 lib/kobject.c             |    5 +++--
 9 files changed, 22 insertions(+), 19 deletions(-)

commit da6704ee4e2d2766937cb999d56ac9d37550937d
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Mon Jul 13 00:06:02 2015 +0200

    rtnetlink: reject non-IFLA_VF_PORT attributes inside IFLA_VF_PORTS
    
    Similarly as in commit 4f7d2cdfdde7 ("rtnetlink: verify IFLA_VF_INFO
    attributes before passing them to driver"), we have a double nesting
    of netlink attributes, i.e. IFLA_VF_PORTS only contains IFLA_VF_PORT
    that is nested itself. While IFLA_VF_PORTS is a verified attribute
    from ifla_policy[], we only check if the IFLA_VF_PORTS container has
    IFLA_VF_PORT attributes and then pass the attribute's content itself
    via nla_parse_nested(). It would be more correct to reject inner types
    other than IFLA_VF_PORT instead of continuing parsing and also similarly
    as in commit 4f7d2cdfdde7, to check for a minimum of NLA_HDRLEN.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
    Cc: Scott Feldman <sfeldma@gmail.com>
    Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/rtnetlink.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 8c17fc6c51e1acfe973259bc8c00f83e84c37119
Author: Richard Stearn <richard@rns-stearn.demon.co.uk>
Date:   Mon Jul 13 11:38:24 2015 +0200

    NET: AX.25: Stop heartbeat timer on disconnect.
    
    This may result in a kernel panic.  The bug has always existed but
    somehow we've run out of luck now and it bites.
    
    Signed-off-by: Richard Stearn <richard@rns-stearn.demon.co.uk>
    Cc: stable@vger.kernel.org	# all branches
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ax25/ax25_subr.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4aae781438b44e2d5af7286fe12e976f539c5174
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Jul 7 14:02:18 2015 -0400

    vmxnet3: prevent receive getting out of sequence on napi poll
    
    vmxnet3's current napi path is built to count every rx descriptor we receive,
    and use that as a count of the napi budget.  That means it's possible to return
    from a napi poll halfway through receiving a fragmented packet across multiple
    dma descriptors.  If that happens, the next napi poll will start with the
    descriptor ring in an improper state (e.g. the first descriptor we look at may
    have the end-of-packet bit set), which will cause a BUG halt in the driver.
    
    Fix the issue by only counting whole received packets in the napi poll and
    returning that value, rather than the descriptor count.
    
    Tested by the reporter and myself, successfully
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    CC: Shreyas Bhatewara <sbhatewara@vmware.com>
    CC: "David S. Miller" <davem@davemloft.net>
    Acked-by: Andy Gospodarek <gospo@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/vmxnet3/vmxnet3_drv.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 617ddad89f6b3db5fdd2d00a695119d9e1075353
Author: Johannes Thumshirn <jthumshirn@suse.de>
Date:   Wed Jul 8 17:16:49 2015 +0200

    macvtap: Destroy minor_idr on module_exit
    
    Destroy minor_idr on module_exit, reclaiming the allocated memory.
    
    This was detected by the following semantic patch (written by Luis Rodriguez
    <mcgrof@suse.com>)
    <SmPL>
    @ defines_module_init @
    declarer name module_init, module_exit;
    declarer name DEFINE_IDR;
    identifier init;
    @@
    
    module_init(init);
    
    @ defines_module_exit @
    identifier exit;
    @@
    
    module_exit(exit);
    
    @ declares_idr depends on defines_module_init && defines_module_exit @
    identifier idr;
    @@
    
    DEFINE_IDR(idr);
    
    @ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
    identifier declares_idr.idr, defines_module_exit.exit;
    @@
    
    exit(void)
    {
     ...
     idr_destroy(&idr);
     ...
    }
    
    @ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
    identifier declares_idr.idr, defines_module_exit.exit;
    @@
    
    exit(void)
    {
     ...
     +idr_destroy(&idr);
    }
    </SmPL>
    
    Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e611dd22d8eaf06948d7782a50512b779d8e563e
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Jul 12 10:34:29 2015 -0400

    9p: don't leave a half-initialized inode sitting around
    
    Cc: stable@vger.kernel.org # all branches
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/9p/vfs_inode.c      |    3 +--
 fs/9p/vfs_inode_dotl.c |    3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

commit af6fe5f9223e7c99118e01025ceae0c0a2580494
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 09:20:34 2015 -0400

    Backport:
    commit 36b84539390fc30663a7a026eef598c4656124bc
    Author: Al Viro <viro@ZenIV.linux.org.uk>
    Date:   Wed Jul 8 02:42:38 2015 +0100
    
        freeing unlinked file indefinitely delayed
    
    Conflicts:
    
    	fs/dcache.c

 fs/dcache.c |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

commit 61f2cbfbadebefa1849412249a912adde2a48e40
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 12 12:40:03 2015 -0400

    fix RBAC debug compilation

 grsecurity/gracl_policy.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ba90e3ffe6ba0d2d6e2e9634e676c487c79c8af4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 18:46:04 2015 -0400

    Add missing virtual execute() method to constify plugin for GCC 5.1.
    The missing function didn't affect the security provided by the constify
    plugin, but would prevent compilation errors from being generated
    in cases where const structures were declared as local variables.

 tools/gcc/constify_plugin.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 7b17e50ada6008a8020610830090798f1e891334
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 12:25:32 2015 -0400

    RANDSTRUCT fix for GCC 5.1: make sure we run our bad cast logging pass
    Doesn't affect the security provided by the plugin, is purely for informational
    purposes

 tools/gcc/randomize_layout_plugin.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 586603783933d8530faf6af7f35056a74678bcfe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 11:26:23 2015 -0400

    compile fix

 security/selinux/hooks.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 34ce24798d9137b7becdd1c62cf996163a4f2678
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:08:47 2015 -0400

    Backport vuln fix from Stephen Smalley for an SELinux execmem bypass:
    http://lkml.iu.edu/hypermail/linux/kernel/1507.1/02442.html
    Not marked for -stable even though its handling has been inconsistent
    since at least 3.2 (as far back as I checked).  Shared anonymous
    memory has been implemented through pseudo-files for a while now.
    One would expect fine-grained military-grade expert policy writers
    to have spotted this long ago.  Grsec is not affected.

 security/selinux/hooks.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 5689dd1f9bd31c3527069a76f05f70df40e946ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:04:18 2015 -0400

    Functionally no different than the existing code, but at least now
    we aren't comparing negative values against unsigned types as done
    by Linus:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=45820c294fe1b1a9df495d57f40585ef2d069a39
    and Jan:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0b08c5e5944

 kernel/auditsc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 37b1602e9cccf4f35c495c51f6173a2eefddb4ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 5 07:26:54 2015 -0400

    Fix format string vulns in config_item_set_name (used by configfs)
    Thanks to Nicolas Iooss for the report!
    
    Conflicts:
    
    	drivers/usb/gadget/configfs.c

 fs/configfs/item.c       |    4 ++--
 include/linux/configfs.h |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 7dbba86245ec789a322ca2e55baffc7af0958594
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 4 11:16:00 2015 -0400

    add newer socket families for logging

 grsecurity/gracl_ip.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2020f19df7dd9424c43353ca5c5cf63468b783a
Merge: bb306ce 16c1a7a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:37:06 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 16c1a7a89be87b08227a8f09ced6cccf399bd1d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:36:16 2015 -0400

    Update to pax-linux-3.2.69-test178.patch:
    - fixed incorrect lowmem mapping setup on certain amd64 memory configurations (also fixed by the never backported upstream commit 20167d3421a089a1bf1bd680b150dc69c9506810), reported and much helped by rfree@mempo.org
    - use non-deprecated cpumask accessors

 arch/x86/include/asm/mmu_context.h |    6 +++---
 arch/x86/kernel/ldt.c              |    2 +-
 arch/x86/mm/fault.c                |    2 +-
 arch/x86/mm/init_64.c              |    2 +-
 mm/mprotect.c                      |    4 ++--
 5 files changed, 8 insertions(+), 8 deletions(-)

commit bb306ce3d630da517b25c836533ef390480989e7
Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
Date:   Thu Jun 25 18:10:09 2015 -0400

    tracing/filter: Do not allow infix to exceed end of string
    
    While debugging a WARN_ON() for filtering, I found that it is possible
    for the filter string to be referenced after its end. With the filter:
    
     # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter
    
    The filter_parse() function can call infix_get_op() which calls
    infix_advance() that updates the infix filter pointers for the cnt
    and tail without checking if the filter is already at the end, which
    will put the cnt to zero and the tail beyond the end. The loop then calls
    infix_next() that has
    
    	ps->infix.cnt--;
    	return ps->infix.string[ps->infix.tail++];
    
    The cnt will now be below zero, and the tail that is returned is
    already past the end of the filter string. So far the allocation
    of the filter string usually has some buffer that is zeroed out, but
    if the filter string is of the exact size of the allocated buffer
    there's no guarantee that the character after the nul terminating
    character will be zero.
    
    Luckily, only root can write to the filter.
    
    Cc: stable@vger.kernel.org # 2.6.33+
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_events_filter.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 4b8f3676356d8bf9a737092ec552d2f9d230b5ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 17:43:34 2015 -0400

    make DEBUG_PAGEALLOC depend on !PAX_MEMORY_SANITIZE, as done in 3.14 and 4.0 patches

 mm/Kconfig.debug |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 6e69a0460bb713319fa1d3e3bd955ea30240f686
Merge: 0abe521 80d4987
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:52:16 2015 -0400

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	arch/x86/mm/fault.c
    	fs/exec.c

commit 80d4987a12450d03431f988517281310d5497907
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:50:44 2015 -0400

    Update to pax-linux-3.2.69-test176.patch:
    - Emese fixed a size overflow compile error, reported by Daniel Micay (https://bugs.archlinux.org/task/45320)
    - the size overflow plugin caught an integer mixup in scsi_finish_command and sd_done, reported by hunger
    - changed the loglevel of our own messages that could result in a kernel panic
    - some small cleanups backported from the upcoming 4.1 port
    - the size overflow plugin caught an integer mixup in the unlzma code, reported by Vladimir Lushnikov (https://bugs.gentoo.org/show_bug.cgi?id=552642)

 arch/s390/mm/mmap.c        |    6 ++++++
 arch/x86/mm/fault.c        |    6 +++---
 drivers/scsi/scsi.c        |    2 +-
 drivers/scsi/sd.c          |    4 ++--
 drivers/scsi/sr.c          |    8 ++++----
 fs/exec.c                  |    8 ++++----
 include/scsi/scsi_driver.h |    2 +-
 lib/decompress_unlzma.c    |    4 ++--
 tools/gcc/gcc-common.h     |    4 ++--
 9 files changed, 25 insertions(+), 19 deletions(-)

commit 0abe5214ad610defd446cf0e666e1bb5f7c37797
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 19:26:36 2015 -0400

    compile fix

 kernel/trace/trace_events_filter.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 62272cf4a3b7c93a8a7ae81017c06934cfae7849
Author: Steven Rostedt <rostedt@goodmis.org>
Date:   Mon Jun 15 17:50:25 2015 -0400

    tracing: Have filter check for balanced ops
    
    When the following filter is used it causes a warning to trigger:
    
     # cd /sys/kernel/debug/tracing
     # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
    -bash: echo: write error: Invalid argument
     # cat events/ext4/ext4_truncate_exit/filter
    ((dev==1)blocks==2)
    ^
    parse_error: No error
    
     ------------[ cut here ]------------
     WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990()
     Modules linked in: bnep lockd grace bluetooth  ...
     CPU: 3 PID: 1223 Comm: bash Tainted: G        W       4.1.0-rc3-test+ #450
     Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
      0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0
      0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c
      ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea
     Call Trace:
      [<ffffffff816ed4f9>] dump_stack+0x4c/0x6e
      [<ffffffff8107fb07>] warn_slowpath_common+0x97/0xe0
      [<ffffffff8136b46c>] ? _kstrtoull+0x2c/0x80
      [<ffffffff8107fb6a>] warn_slowpath_null+0x1a/0x20
      [<ffffffff81159065>] replace_preds+0x3c5/0x990
      [<ffffffff811596b2>] create_filter+0x82/0xb0
      [<ffffffff81159944>] apply_event_filter+0xd4/0x180
      [<ffffffff81152bbf>] event_filter_write+0x8f/0x120
      [<ffffffff811db2a8>] __vfs_write+0x28/0xe0
      [<ffffffff811dda43>] ? __sb_start_write+0x53/0xf0
      [<ffffffff812e51e0>] ? security_file_permission+0x30/0xc0
      [<ffffffff811dc408>] vfs_write+0xb8/0x1b0
      [<ffffffff811dc72f>] SyS_write+0x4f/0xb0
      [<ffffffff816f5217>] system_call_fastpath+0x12/0x6a
     ---[ end trace e11028bd95818dcd ]---
    
    Worse yet, reading the error message (the filter again) it says that
    there was no error, when there clearly was. The issue is that the
    code that checks the input does not check for balanced ops. That is,
    having an op between a closed parenthesis and the next token.
    
    This would only cause a warning, and fail out before doing any real
    harm, but it should still not cause a warning, and the error reported
    should work:
    
     # cd /sys/kernel/debug/tracing
     # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
    -bash: echo: write error: Invalid argument
     # cat events/ext4/ext4_truncate_exit/filter
    ((dev==1)blocks==2)
    ^
    parse_error: Meaningless filter expression
    
    And give no kernel warning.
    
    Link: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home
    
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: stable@vger.kernel.org # 2.6.31+
    Reported-by: Vince Weaver <vincent.weaver@maine.edu>
    Tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_events_filter.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

commit b22ad091991bafe57d9b746ed12415bd0726893a
Author: Ben Hutchings <bhutchings@solarflare.com>
Date:   Mon Jan 16 12:38:59 2012 +0000

    net: Use device model to get driver name in skb_gso_segment()
    
    ethtool operations generally require the caller to hold RTNL and are
    not safe to call in atomic context.  The device model provides this
    information for most devices; we'll only lose it for some old ISA
    drivers.
    
    Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/core/dev.c

 net/core/dev.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 61d4a80220bc6bc70f8cf43f3ea3b4a36c1cf395
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 21:15:22 2015 -0400

    use -std=gnu89 for HOSTCFLAGS

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5614c872ad694f964cfbea588a55a924d4079041
Author: Helge Deller <deller@gmx.de>
Date:   Thu Jun 4 23:57:18 2015 +0200

    compat: cleanup coding in compat_get_bitmap() and compat_put_bitmap()
    
    In the functions compat_get_bitmap() and compat_put_bitmap() the
    variable nr_compat_longs stores how many compat_ulong_t words should be
    copied in a loop.
    
    The copy loop itself is this:
      if (nr_compat_longs-- > 0) {
          if (__get_user(um, umask)) return -EFAULT;
      } else {
          um = 0;
      }
    
    Since nr_compat_longs gets unconditionally decremented in each loop and
    since its type is unsigned this could theoretically lead to out of
    bounds accesses to userspace if nr_compat_longs wraps around to
    (unsigned)(-1).
    
    Although the callers currently do not trigger out-of-bounds accesses, we
    should better implement the loop in a safe way to completely avoid such
    wrap-arounds.
    
    Signed-off-by: Helge Deller <deller@gmx.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>

 kernel/compat.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
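The wrap-around described in the commit, as an added example (not the kernel's code): `copy_unsafe` keeps the shape of the original loop with its unconditional post-decrement, `copy_safe` the shape of the fix, and `fake_get_user`/`struct user_buf` are constructed stand-ins that count reads past the end of the user buffer instead of faulting. The scenario assumes 64-bit native longs built from two 32-bit compat words.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t compat_ulong_t;

/* Constructed stand-in for userspace memory: words plus a length, so an
 * out-of-range read is counted rather than dereferenced. */
struct user_buf {
    const compat_ulong_t *words;
    size_t nwords;
    size_t oob_reads;
};

/* Stand-in for __get_user(): 0 on success, -EFAULT past the end. */
static int fake_get_user(compat_ulong_t *dst, struct user_buf *u, size_t idx)
{
    if (idx >= u->nwords) {
        u->oob_reads++;
        return -EFAULT;
    }
    *dst = u->words[idx];
    return 0;
}

typedef int (*copy_fn)(unsigned long *, size_t, struct user_buf *, unsigned long);

/* Shape of the original loop: each native long is built from two compat
 * words; nr_compat_longs is how many words userspace supplied, the rest
 * must read as zero. */
static int copy_unsafe(unsigned long *dst, size_t n_dst,
                       struct user_buf *u, unsigned long nr_compat_longs)
{
    size_t idx = 0;
    for (size_t i = 0; i < n_dst; i++) {
        unsigned long m = 0;
        for (int j = 0; j < 2; j++, idx++) {
            compat_ulong_t um;
            /* The decrement runs even when the count is already 0, so it
             * wraps to ULONG_MAX and every later test passes. */
            if (nr_compat_longs-- > 0) {
                if (fake_get_user(&um, u, idx))
                    return -EFAULT;
            } else {
                um = 0;
            }
            m |= (unsigned long)um << (j * 32);
        }
        dst[i] = m;
    }
    return 0;
}

/* Shape of the fix: test first, decrement only when a word is consumed. */
static int copy_safe(unsigned long *dst, size_t n_dst,
                     struct user_buf *u, unsigned long nr_compat_longs)
{
    size_t idx = 0;
    for (size_t i = 0; i < n_dst; i++) {
        unsigned long m = 0;
        for (int j = 0; j < 2; j++, idx++) {
            compat_ulong_t um;
            if (nr_compat_longs) {
                nr_compat_longs--;
                if (fake_get_user(&um, u, idx))
                    return -EFAULT;
            } else {
                um = 0;
            }
            m |= (unsigned long)um << (j * 32);
        }
        dst[i] = m;
    }
    return 0;
}

/* Scenario: userspace supplied one 32-bit word, the kernel bitmap is two
 * 64-bit longs (four compat words), i.e. the loop runs past the count. */
struct result { int ret; size_t oob_reads; unsigned long out[2]; };

static struct result run_scenario(copy_fn copy)
{
    static const compat_ulong_t supplied[] = { 0xdeadbeef };  /* constructed */
    struct user_buf u = { supplied, 1, 0 };
    struct result r = { 0, 0, { 0, 0 } };
    r.ret = copy(r.out, 2, &u, 1);
    r.oob_reads = u.oob_reads;
    return r;
}

static size_t oob_reads(copy_fn copy) { return run_scenario(copy).oob_reads; }
static int ret_code(copy_fn copy) { return run_scenario(copy).ret; }
static unsigned long out_word(copy_fn copy, size_t i)
{
    struct result r = run_scenario(copy);
    return r.out[i];
}

int main(void)
{
    printf("unsafe: ret=%d oob_reads=%zu\n", ret_code(copy_unsafe), oob_reads(copy_unsafe));
    printf("safe:   ret=%d oob_reads=%zu out={%#lx,%#lx}\n", ret_code(copy_safe),
           oob_reads(copy_safe), out_word(copy_safe, 0), out_word(copy_safe, 1));
    return 0;
}
```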

commit 737ed1a5841292f8e226093cbbbb2ca7810824b3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 20:58:12 2015 -0400

    Backport CVE-2015-1805 fix from http://seclists.org/oss-sec/2015/q2/652

 fs/pipe.c |   55 ++++++++++++++++++++++++++++++++-----------------------
 1 files changed, 32 insertions(+), 23 deletions(-)

commit 188395da0792bc5c094f4f1c954e12d02c27b95f
Author: Rusty Russell <rusty@rustcorp.com.au>
Date:   Wed May 27 10:59:26 2015 +0930

    lguest: fix out-by-one error in address checking.
    
    This bug has been there since day 1; addresses in the top guest physical
    page weren't considered valid.  You could map that page (the check in
    check_gpte() is correct), but if a guest tried to put a pagetable there
    we'd check that address manually when walking it, and kill the guest.
    
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/lguest/core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c9d6e6f29bb91c3cb735fd9b73f990d7cc7ea540
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu May 28 23:09:19 2015 -0400

    d_walk() might skip too much
    
    when we find that a child has died while we'd been trying to ascend,
    we should go into the first live sibling itself, rather than its sibling.
    
    Off-by-one in question had been introduced in "deal with deadlock in
    d_walk()" and the fix needs to be backported to all branches this one
    has been backported to.
    
    Cc: stable@vger.kernel.org # 3.2 and later
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 04453e48d367ed485741e260c63971d56f9465df
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat May 30 09:16:53 2015 -0700

    udp: fix behavior of wrong checksums
    
    We have two problems in UDP stack related to bogus checksums :
    
    1) We return -EAGAIN to application even if receive queue is not empty.
       This breaks applications using edge trigger epoll()
    
    2) Under UDP flood, we can loop forever without yielding to other
       processes, potentially hanging the host, especially on non SMP.
    
    This patch is an attempt to make things better.
    
    We might in the future add extra support for rt applications
    wanting to better control time spent doing a recv() in a hostile
    environment. For example we could validate checksums before queuing
    packets in socket receive queue.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/udp.c |    6 ++----
 net/ipv6/udp.c |    6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

commit 54b6695eaa28ffa87efb9fbafcbf3532484e76c2
Merge: 9610345 ad86648
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 27 19:24:17 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit ad8664877959e5e4d027b1441f1e4a5c9abc7ec0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 27 19:21:54 2015 -0400

    Update to pax-linux-3.2.69-test175.patch:
    - fixed a regression in the structleak plugin that would disable it under LTO
    - synchronized some plugin files with the other trees

 tools/gcc/constify_plugin.c   |    3 ++-
 tools/gcc/gcc-common.h        |   23 +++++++++++++++++++++++
 tools/gcc/structleak_plugin.c |    2 +-
 3 files changed, 26 insertions(+), 2 deletions(-)

commit 96103451e5718d3cce1f504f553413b58d16639f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 18 18:01:08 2015 -0400

    Remove __inline__ from .c files, let the compiler decide

 grsecurity/gracl.c       |   12 ++++++------
 grsecurity/gracl_alloc.c |    4 ++--
 grsecurity/gracl_segv.c  |    6 +++---
 grsecurity/grsec_sock.c  |    4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)

commit 0de1c3c5cf33ca3ec42428568aaddde0b73e2a35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 18 17:54:21 2015 -0400

    Actually wire up use of the RANDSTRUCT attributes for GCC 5.1, otherwise we'd
    ICE on some Xen PARAVIRT code (and would miss explicit randomization and would
    break other code)

 include/linux/compiler-gcc5.h |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit a8d8e8106a40b50db4f5bc89f03cae550f5a4071
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:22:18 2015 -0400

    Fix an ICE in the RANDSTRUCT plugin on GCC 5.1 reported and fixed by pipacs

 tools/gcc/randomize_layout_plugin.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e0e4c89c9a105d5359b543a847cbe298bf85fe14
Merge: 577b968 72e2b50
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:21:36 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 72e2b500b3718849de6b7b7b52f9d573baecebc9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:21:01 2015 -0400

    Update to pax-linux-3.2.69-test174.patch:
    - fixed a size overflow false positive in squashfs, reported by Martin Vath <martin@mvath.de> (https://bugs.gentoo.org/show_bug.cgi?id=548960)
    - fixed a /proc/kcore regression to not return uninitialized memory if the requested kernel address range is not fully mapped

 arch/x86/kernel/head_64.S |   12 +++++++++---
 fs/proc/kcore.c           |   14 ++++++--------
 fs/squashfs/xattr.c       |   12 ++++++------
 3 files changed, 21 insertions(+), 17 deletions(-)

commit 577b968ed6fcf3d9e3b6de0e45e3d6cf80af15c9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 11:16:18 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 6178e173f21d9ab1121c90db3c1bfa3655c52285
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 10:31:54 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit fcf8bbbf9a815d2431fe664b917dbf44271bba35
Merge: 70fc60d 6b71bd6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 10:30:41 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 6b71bd614295b6a79680327058140dad7eafc9cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 10:30:25 2015 -0400

    Update to pax-linux-3.2.69-test173.patch

 arch/x86/kernel/traps.c  |    2 +-
 include/linux/compiler.h |    8 ++++----
 kernel/trace/ftrace.c    |    2 --
 3 files changed, 5 insertions(+), 7 deletions(-)

commit 70fc60ddae5089ff56db4eafee75cfa64b63a25a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 09:51:57 2015 -0400

    compile fix

 arch/x86/kernel/traps.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 90052e90ee56d8def1a775eef8c1dafa10d17c4a
Merge: 321b4a8 a6ec535
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 08:57:35 2015 -0400

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	fs/exec.c
    	fs/udf/inode.c
    	net/ipv4/ip_sockglue.c

commit a6ec535ffc2a318ee17e3aa818204f5c0c05b527
Merge: f1cc348 d9f31c5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 10 08:49:43 2015 -0400

    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	include/linux/compiler.h
    	kernel/trace/ftrace.c

commit 321b4a805257805ab97a4d215c3497ed0523d970
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Wed May 6 15:09:40 2015 +0200

    usbnet: avoid integer overflow in start_xmit
    
    transfer_buffer_length is of type u32. It's therefore wrong to assign it
    to a signed integer. This patch avoids the overflow.
    
    It's worth noting that entry->length here is a long; perhaps it would be
    beneficial at some point to change this to be unsigned as well, if
    nothing else relies on its signedness for error conditions or the like.
    
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/usbnet.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 69d7ed75345f15799589d4b91b6a4799dd6b9b58
Author: Christophe Leroy <christophe.leroy@c-s.fr>
Date:   Wed May 6 17:26:47 2015 +0200

    splice: sendfile() at once fails for big files
    
    Using sendfile with below small program to get MD5 sums of some files,
    it appears that big files (over 64kbytes with 4k pages system) get a
    wrong MD5 sum while small files get the correct sum.
    This program uses sendfile() to send a file to an AF_ALG socket
    for hashing.
    
    /* md5sum2.c */
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <fcntl.h>
    #include <sys/socket.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <linux/if_alg.h>
    #include <sys/sendfile.h>	/* sendfile() prototype */
    
    int main(int argc, char **argv)
    {
    	int sk = socket(AF_ALG, SOCK_SEQPACKET, 0);
    	struct stat st;
    	struct sockaddr_alg sa = {
    		.salg_family = AF_ALG,
    		.salg_type = "hash",
    		.salg_name = "md5",
    	};
    	int n;
    
    	bind(sk, (struct sockaddr*)&sa, sizeof(sa));
    
    	for (n = 1; n < argc; n++) {
    		int size;
    		off_t offset = 0;	/* sendfile() takes an off_t * */
    		unsigned char buf[4096];	/* unsigned so %2.2x prints one byte */
    		int fd;
    		int sko;
    		int i;
    
    		fd = open(argv[n], O_RDONLY);
    		sko = accept(sk, NULL, 0);
    		fstat(fd, &st);
    		size = st.st_size;
    		sendfile(sko, fd, &offset, size);
    		size = read(sko, buf, sizeof(buf));
    		for (i = 0; i < size; i++)
    			printf("%2.2x", buf[i]);
    		printf("  %s\n", argv[n]);
    		close(fd);
    		close(sko);
    	}
    	exit(0);
    }
    
    Test below is done using official linux patch files. First result is
    with a software based md5sum. Second result is with the program above.
    
    root@vgoip:~# ls -l patch-3.6.*
    -rw-r--r--    1 root     root         64011 Aug 24 12:01 patch-3.6.2.gz
    -rw-r--r--    1 root     root         94131 Aug 24 12:01 patch-3.6.3.gz
    
    root@vgoip:~# md5sum patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz
    
    root@vgoip:~# ./md5sum2 patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    5fd77b24e68bb24dcc72d6e57c64790e  patch-3.6.3.gz
    
    After investigation, it appears that sendfile() sends the files by blocks
    of 64kbytes (16 times PAGE_SIZE). The problem is that at the end of each
    block, the SPLICE_F_MORE flag is missing, therefore the hashing operation
    is reset as if it was the end of the file.
    
    This patch adds SPLICE_F_MORE to the flags when more data is pending.
    
    With the patch applied, we get the correct sums:
    
    root@vgoip:~# md5sum patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz
    
    root@vgoip:~# ./md5sum2 patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz
    
    Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
    Signed-off-by: Jens Axboe <axboe@fb.com>

 fs/splice.c |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

commit 813308a7db37854542b4452ef7808ee38f25f1d2
Merge: 9d08c90 f1cc348
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:28:38 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit f1cc348c69051d8a58237bdbb3fdb771c0d2a4ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:28:04 2015 -0400

    Update to pax-linux-3.2.68-test173.patch:
    - worked around a gcc induced intentional overflow in the bunzip decompressor, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=548508)
    - F_SETPIPE_SZ handling ignored pipe_min_size and could trigger the size overflow instrumentation, reported by minipli
    - fixed an integer signedness mixup in a parameter of semop and semtimedop, by minipli

 fs/pipe.c                |   13 ++++++++-----
 include/linux/compat.h   |    2 +-
 include/linux/syscalls.h |    4 ++--
 ipc/compat.c             |    2 +-
 ipc/sem.c                |    4 ++--
 lib/decompress_bunzip2.c |    3 ++-
 6 files changed, 16 insertions(+), 12 deletions(-)

commit 9d08c9084b135cacccd2fe9ea0ca7e41ae6a8d84
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:01:36 2015 -0400

    Even though in the history of autoconfig it has never tripped anyone
    up under realistic use cases (e.g. nobody starts a config, enables
    only CONFIG_GRKERNSEC, then exits menuconfig, then loads it back up
    and tries to apply an autoconfig setting) explicitly mention that you
    cannot do it and expect the autoconfig to work.  Due to how the Kbuild
    system works, we can't apply defaults and also allow them to be modified
    via custom settings -- if they're 'select'ed then they can't be modified,
    and using 'select' violates any dependencies that may exist.  Therefore
    we have to resort to using 'default', which after a user has already chosen
    all the settings by virtue of enabling CONFIG_GRKERNSEC and then saving their
    complete kernel config, cannot have any effect as the options have now all
    been chosen and there's no 'default' applicable.

 security/Kconfig |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c1d714093f257f05e9513ea72a17d55a6d3fd3ad
Merge: ff5cfd8 bee8f9a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 4 19:36:14 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit bee8f9a8e65a87c104f0f31c8747ff4240e5baa7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 4 19:35:53 2015 -0400

    Update to pax-linux-3.2.68-test171.patch:
    - fixed a bunch of NULL function pointer dereference regressions in the compat drm ioctl code for i915/mga/r128/radeon, reported by minipli

 drivers/gpu/drm/i915/i915_ioc32.c     |   13 ++++++-------
 drivers/gpu/drm/mga/mga_ioc32.c       |    7 +++----
 drivers/gpu/drm/r128/r128_ioc32.c     |    7 +++----
 drivers/gpu/drm/radeon/radeon_ioc32.c |    7 +++----
 4 files changed, 15 insertions(+), 19 deletions(-)

commit ff5cfd8d5e09199432ebf729d03dbd9b20c74db6
Author: David S. Miller <davem@davemloft.net>
Date:   Fri May 1 22:02:47 2015 -0400

    ipv4: Missing sk_nulls_node_init() in ping_unhash().
    
    If we don't do that, then the poison value is left in the ->pprev
    backlink.
    
    This can cause crashes if we do a disconnect, followed by a connect().
    
    Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Reported-by: Wen Xu <hotdog3645@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0baf8370967e9882079a3b8f4044d55e50996954
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 19:40:23 2015 -0400

    Fix a refcount underflow reported by Jan Hejl caused by GRKERNSEC_CHROOT_RENAME
    We failed to increment the tree in copy_fs_struct, so users of clone with
    CLONE_FS who then exited caused a decrement of the refcounts with no associated
    increment.  This would generally occur on / and took at least a month on
    a heavily-loaded system to trigger.  It shouldn't cause any security problems
    as no freeing is associated with the refcount, and the only interesting value
    is 0, which permits renames in that tree.  I've tested this fixed implementation
    to ensure the refcounts are under control in both directions.

 fs/fs_struct.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7e576c1e0c3affc3d074d20023987068dec14dc4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:42:48 2015 -0400

    compile fix

 arch/x86/kernel/apic/io_apic.c |    2 +-
 drivers/xen/events.c           |    6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 854af2d5a6205dc0140cc9a5d965c014f4713782
Merge: 1e2a5f5 1fc75df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:42:12 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 1fc75dff2760dfb7a5917698577a6946fde8805c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:41:57 2015 -0400

    Update to pax-linux-3.2.68-test170.patch:
    - fixed compilation errors due to some overzealous constification of irq_chip variables, reported by spender

 arch/x86/kernel/apic/io_apic.c |    4 ++--
 drivers/xen/events.c           |    6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 1e2a5f5ad440487e4cb17e8cbd17932ebb99a88d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 07:16:44 2015 -0400

    compile fix

 drivers/xen/events.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 194c3cf240f1606dc51af7466646b44e4ec7da9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 22:34:18 2015 -0400

    compile fix

 arch/x86/kernel/apic/io_apic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 64d9fdff41de53618377e012b6aeca908cf656de
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 22:36:56 2015 -0400

    compile fix

 tools/gcc/gcc-common.h |   45 ---------------------------------------------
 1 files changed, 0 insertions(+), 45 deletions(-)

commit ef834e332e0553f1653ac11646968716bed8c3e2
Merge: def1c6f ad13b69
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 21:47:53 2015 -0400

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	security/Kconfig
    	tools/gcc/gcc-common.h

commit ad13b6908bd3b7d4fd3fac297c1a58b3b3120e5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 21:44:47 2015 -0400

    Update to pax-linux-3.2.68-test169.patch:
    - fixed a false positive size overflow bug in raid5, reported by jack mort (https://bugs.gentoo.org/show_bug.cgi?id=545492)
    - the overflow plugin caught an incorrect sign conversion in zlib, reported by Attila Tóth (https://bugs.gentoo.org/show_bug.cgi?id=545776)
    - the overflow plugin caught an incorrect sign conversion in get_user on x86, reported by Gábor Hasenfrasz (https://forums.grsecurity.net/viewtopic.php?f=3&t=4188)
    - ported all plugins to gcc-5 except size overflow
    - fixed integer signedness mixup in mmc error code handling, caught by the size overflow plugin, reported by Tom Seewald
    - fixed a few section conflicts exposed by LTO
    - fixed the latent entropy plugin for LTO
    - fixed the stackleak plugin for LTO

 arch/sparc/include/asm/uaccess_32.h            |    1 +
 arch/sparc/include/asm/uaccess_64.h            |    5 +
 arch/x86/include/asm/page_32.h                 |    2 +-
 arch/x86/include/asm/page_64_types.h           |    2 +-
 arch/x86/include/asm/uaccess.h                 |   11 +-
 arch/x86/kernel/apic/io_apic.c                 |    4 +-
 arch/x86/kernel/apm_32.c                       |    2 +-
 arch/x86/kernel/cpu/common.c                   |   14 +-
 arch/x86/kernel/reboot.c                       |    2 +-
 crypto/zlib.c                                  |    4 +-
 drivers/acpi/bus.c                             |    4 +-
 drivers/acpi/ec.c                              |    2 +-
 drivers/acpi/pci_slot.c                        |    2 +-
 drivers/acpi/processor_core.c                  |    2 +-
 drivers/acpi/sleep.c                           |    2 +-
 drivers/acpi/thermal.c                         |    2 +-
 drivers/acpi/video.c                           |    2 +-
 drivers/char/i8k.c                             |    2 +-
 drivers/char/sonypi.c                          |    2 +-
 drivers/firmware/google/gsmi.c                 |    2 +-
 drivers/firmware/google/memconsole.c           |    2 +-
 drivers/hwmon/acpi_power_meter.c               |    2 +-
 drivers/infiniband/core/uverbs_cmd.c           |    3 +
 drivers/input/touchscreen/htcpen.c             |    2 +-
 drivers/md/raid5.c                             |   12 +-
 drivers/net/ethernet/via/via-rhine.c           |    2 +-
 drivers/pci/pcie/portdrv_pci.c                 |    2 +-
 drivers/platform/x86/compal-laptop.c           |    2 +-
 drivers/platform/x86/hdaps.c                   |    2 +-
 drivers/platform/x86/ibm_rtl.c                 |    2 +-
 drivers/platform/x86/intel_oaktrail.c          |    2 +-
 drivers/platform/x86/msi-laptop.c              |    2 +-
 drivers/platform/x86/samsung-laptop.c          |    2 +-
 drivers/platform/x86/samsung-q10.c             |    2 +-
 drivers/platform/x86/sony-laptop.c             |    2 +-
 drivers/pnp/pnpbios/core.c                     |    2 +-
 drivers/xen/events.c                           |    6 +-
 include/linux/compiler-gcc5.h                  |    2 -
 include/linux/compiler.h                       |    2 +
 include/linux/mmc/core.h                       |    2 +-
 include/linux/syscalls.h                       |    3 +-
 include/net/netlink.h                          |   10 +
 kernel/trace/ring_buffer.c                     |   12 +-
 mm/madvise.c                                   |    4 +-
 net/l2tp/l2tp_ip.c                             |    2 +-
 scripts/gcc-plugin.sh                          |    2 +-
 security/Kconfig                               |    2 +-
 tools/gcc/Makefile                             |    2 +-
 tools/gcc/colorize_plugin.c                    |   11 +-
 tools/gcc/constify_plugin.c                    |   11 +-
 tools/gcc/gcc-common.h                         |  297 +++++++++++++++++++++++-
 tools/gcc/kallocstat_plugin.c                  |   11 +-
 tools/gcc/kernexec_plugin.c                    |   63 ++++--
 tools/gcc/latent_entropy_plugin.c              |   24 ++-
 tools/gcc/size_overflow_plugin/size_overflow.h |   10 +-
 tools/gcc/stackleak_plugin.c                   |   55 ++++-
 tools/gcc/structleak_plugin.c                  |   25 ++-
 57 files changed, 545 insertions(+), 123 deletions(-)

commit def1c6f2ead1dd9b1115db95a2f2c3c7b54f0bcb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 27 07:31:18 2015 -0400

    Backport GCC 5.1 support

 include/linux/compiler-gcc5.h     |    3 --
 tools/gcc/colorize_plugin.c       |    4 +-
 tools/gcc/constify_plugin.c       |   11 +++++--
 tools/gcc/gcc-common.h            |   24 ++++++++++++++-
 tools/gcc/kallocstat_plugin.c     |   11 +++++--
 tools/gcc/kernexec_plugin.c       |   59 ++++++++++++++++++++++++++----------
 tools/gcc/latent_entropy_plugin.c |   12 +++++--
 tools/gcc/stackleak_plugin.c      |   22 ++++++++++---
 tools/gcc/structleak_plugin.c     |   25 ++++++++++++----
 9 files changed, 127 insertions(+), 44 deletions(-)

commit 0a93a118992ffa23e1033e0330d2996b3203bf02
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 26 16:09:26 2015 -0400

    compile fix

 fs/exec.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 308f5d5d33b0de2e686060560055518a6ca245ff
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 17 15:15:40 2015 -0400

    sfc: Fix memcpy() with const destination compiler warning.
    
    drivers/net/ethernet/sfc/selftest.c: In function ‘efx_iterate_state’:
    drivers/net/ethernet/sfc/selftest.c:388:9: warning: passing argument 1 of ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]
    
    This is because the msg[] member of struct efx_loopback_payload
    is marked as 'const'.  Remove that.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/sfc/selftest.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 45009beecf6ef95319de265086e78a987e3e2bfd
Author: Jann Horn <jann@thejh.net>
Date:   Sun Apr 19 02:48:39 2015 +0200

    fs: take i_mutex during prepare_binprm for set[ug]id executables
    
    This prevents a race between chown() and execve(), where chowning a
    setuid-user binary to root would momentarily make the binary setuid
    root.
    
    This patch was mostly written by Linus Torvalds.
    
    Signed-off-by: Jann Horn <jann@thejh.net>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	fs/exec.c

 fs/exec.c |   76 ++++++++++++++++++++++++++++++++++++-------------------------
 1 files changed, 45 insertions(+), 31 deletions(-)

commit ff8def064f6bb06ba8b176e2b402b508a1b507b0
Author: Kirill Tkhai <ktkhai@parallels.com>
Date:   Thu Apr 16 12:48:01 2015 -0700

    fs/exec.c:de_thread: move notify_count write under lock
    
    We set sig->notify_count = -1 between RELEASE and ACQUIRE operations:
    
    	spin_unlock_irq(lock);
    	...
    	if (!thread_group_leader(tsk)) {
    		...
    		for (;;) {
    			sig->notify_count = -1;
    			write_lock_irq(&tasklist_lock);
    
    There are no restrictions on it so other processors may see this STORE
    mixed with other STOREs in both areas limited by the spinlocks.
    
    Probably, it may be reordered with the above
    
    	sig->group_exit_task = tsk;
    	sig->notify_count = zap_other_threads(tsk);
    
    in some way.
    
    Set it under tasklist_lock locked to be sure nothing will be reordered.
    
    Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/exec.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 533e02a98c35103cf6f0e4fc4abee6f629636530
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 25 21:37:30 2015 -0400

    Update RANDSTRUCT plugin to support GCC 5.1

 tools/gcc/randomize_layout_plugin.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

commit 87f3e57baff74dc19fe69e50b1804fc2d233ee1c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 22:56:35 2015 -0400

    fix escaping of unix domain paths added in previous patch

 net/unix/af_unix.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 86fbe5640b869ea4fb966382a07af30b185fbbc6
Author: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date:   Wed Apr 8 12:33:47 2015 -0400

    RDS: make sure not to loop forever inside rds_send_xmit
    
    If a determined set of concurrent senders keep the send queue full,
    we can loop forever inside rds_send_xmit.  This fix has two parts.
    
    First we are dropping out of the while(1) loop after we've processed a
    large batch of messages.
    
    Second we add a generation number that gets bumped each time the
    xmit bit lock is acquired.  If someone else has jumped in and
    made progress in the queue, we skip our goto restart.
    
    Original patch by Chris Mason.
    
    Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/connection.c |    1 +
 net/rds/rds.h        |    1 +
 net/rds/send.c       |   33 +++++++++++++++++++++++++++++++--
 3 files changed, 33 insertions(+), 2 deletions(-)

commit 1b06d848eefdf56df8fda3a3b84ebb9dda322657
Author: Stephan Mueller <smueller@chronox.de>
Date:   Thu Mar 12 09:17:51 2015 +0100

    crypto: aesni - fix memory usage in GCM decryption
    
    The kernel crypto API logic requires the caller to provide the
    length of (ciphertext || authentication tag) as cryptlen for the
    AEAD decryption operation. Thus, the cipher implementation must
    calculate the size of the plaintext output itself and cannot simply use
    cryptlen.
    
    The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
    in req->dst. As the destination buffer for decryption only needs to hold
    the plaintext memory but cryptlen references the input buffer holding
    (ciphertext || authentication tag), the assumption of the destination
    buffer length in RFC4106 GCM operation leads to a too large size. This
    patch simply uses the already calculated plaintext size.
    
    In addition, this patch fixes the offset calculation of the AAD buffer
    pointer: as mentioned before, cryptlen already includes the size of the
    tag. Thus, the tag does not need to be added. With the addition, the AAD
    will be written beyond the already allocated buffer.
    
    Note, this fixes a kernel crash that can be triggered from user space
    via AF_ALG(aead) -- simply use the libkcapi test application
    from [1] and update it to use rfc4106-gcm-aes.
    
    Using [1], the changes were tested using CAVS vectors to demonstrate
    that the crypto operation still delivers the right results.
    
    [1] http://www.chronox.de/libkcapi.html
    
    CC: Tadeusz Struk <tadeusz.struk@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Stephan Mueller <smueller@chronox.de>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 arch/x86/crypto/aesni-intel_glue.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7a98a4581392b190f805dd4befd2a1d7f999b0d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:46:33 2015 -0400

    Revert this for the time being -- I want to more closely match
    the original behavior if possible, so it needs a little more
    work.
    
    This reverts commit dfe78d5f846ab72aa6d51911cf93cb5f07d4d03b.

 fs/exec.c                   |    9 ++++++-
 fs/proc/array.c             |    2 +-
 grsecurity/gracl.c          |   44 ++++++++++++++++++++++++++++++++++++++++++
 grsecurity/gracl_res.c      |   45 -------------------------------------------
 grsecurity/grsec_disabled.c |   13 ------------
 include/linux/sched.h       |    7 +----
 kernel/acct.c               |    3 --
 kernel/fork.c               |    2 +-
 kernel/posix-cpu-timers.c   |    5 ++-
 mm/mmap.c                   |    5 ++-
 10 files changed, 61 insertions(+), 74 deletions(-)

commit baa51a476eca7e76e8f31ef32e17504918f42718
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:46:24 2015 -0400

    Revert "fix typo"
    
    This reverts commit fb5a8dfe9a3061c5709941111d5d3f0f13ed96fc.

 grsecurity/gracl_res.c      |    4 ++--
 grsecurity/grsec_disabled.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

commit eb75529c98f16078376edb71a12f98e85da744f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:46:11 2015 -0400

    Revert "compile fix"
    
    This reverts commit 70e84614b1fc0aa75de8abb24f50b478f96ef28d.

 grsecurity/gracl_res.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit cc5b3b25743b9328242ff8e111660297d72d0379
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:44:48 2015 -0400

    make the usermodehelper message more generic about paths

 kernel/kmod.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc4b31888ba6e1ea852382091ebda6a433f72cfb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:34:32 2015 -0400

    Prevent /proc/net/unix from containing newlines or tabs in filenames
    as used in:
    http://seclists.org/oss-sec/2015/q2/143

 net/unix/af_unix.c |   19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

commit fd3797577bfa896e6b3ff4bf884fcf783f2c4133
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:13:02 2015 -0400

    Backport gcc plugin changes from 3.14

 scripts/gcc-plugin.sh                          |    2 +-
 tools/gcc/.gitignore                           |    1 +
 tools/gcc/colorize_plugin.c                    |    7 +-
 tools/gcc/gcc-common.h                         |  149 +++++++++++++++++++++++-
 tools/gcc/latent_entropy_plugin.c              |    3 +-
 tools/gcc/size_overflow_plugin/size_overflow.h |   10 +-
 tools/gcc/stackleak_plugin.c                   |    3 +-
 7 files changed, 164 insertions(+), 11 deletions(-)

commit 70e84614b1fc0aa75de8abb24f50b478f96ef28d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 19:44:37 2015 -0400

    compile fix

 grsecurity/gracl_res.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit fb5a8dfe9a3061c5709941111d5d3f0f13ed96fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 19:43:36 2015 -0400

    fix typo

 grsecurity/gracl_res.c      |    4 ++--
 grsecurity/grsec_disabled.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

commit dfe78d5f846ab72aa6d51911cf93cb5f07d4d03b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 19:23:01 2015 -0400

    Modify the resource handling of RBAC so that it doesn't actually
    modify the user-visible resource limits.  We now won't have to
    copy the entire rlimit array on each exec or have any special
    handing for setting rlimits via a subject.  Since most kernel
    code is now using rlimit() and variants, we place ourselves
    there to provide a minimum of the process' original limit
    and RBAC's mandatory limits.  This also removes the exception
    of RBAC's resource handling being capable of providing higher
    resource limits than normally possible for a given process.

 fs/exec.c                   |    9 +------
 fs/proc/array.c             |    2 +-
 grsecurity/gracl.c          |   44 ------------------------------------------
 grsecurity/gracl_res.c      |   45 +++++++++++++++++++++++++++++++++++++++++++
 grsecurity/grsec_disabled.c |   13 ++++++++++++
 include/linux/sched.h       |    7 ++++-
 kernel/acct.c               |    3 ++
 kernel/fork.c               |    2 +-
 kernel/posix-cpu-timers.c   |    5 +--
 mm/mmap.c                   |    5 +--
 10 files changed, 74 insertions(+), 61 deletions(-)

commit f36775fad604e617564de12c2a6707203512c9cd
Author: Joe Perches <joe@perches.com>
Date:   Mon Mar 23 18:01:35 2015 -0700

    selinux: fix sel_write_enforce broken return value
    
    Return a negative error value like the rest of the entries in this function.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Joe Perches <joe@perches.com>
    Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    [PM: tweaked subject line]
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/selinuxfs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a94607d737d77dad48c24abe27e097846b540f42
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 07:43:01 2015 -0400

    Allow usermodehelper executions from /usr/bin/ for distros plagued
    by Lennart's bikeshedding, as reported in
    https://bugs.archlinux.org/task/44568

 kernel/kmod.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 798dc8036640b1e950095d9e3850f906b93adc36
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 17:36:28 2015 -0400

    fix typo

 kernel/trace/ring_buffer.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ba24a613272baf988cc7c73d9fce42e75dc1f636
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 17:25:47 2015 -0400

    backport:
    - fixed some REFCOUNT false positives in the tracing ring buffer code, reported by metarox (https://forums.grsecurity.net/viewtopic.php?f=3&t=4186)

 kernel/trace/ring_buffer.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit 75bdf38048377ce8bfd0ab24d66af39156c7248c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 09:38:13 2015 -0400

    move backported cpu check

 arch/x86/kernel/cpu/common.c |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

commit d08d78ee07545b194e2be3e3f6177b1614f0f6cc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 09:29:48 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit aba4ad6f4d69a6a6c8bbd36e5e3e09dc300410d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:57:55 2015 -0400

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data   |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 57a8a7ec36812bf64d043c0df171c03bafb2541f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:28:06 2015 -0400

    compile fix

 arch/x86/kernel/cpu/common.c |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

commit 8d71a5684d4d64a8c9332c20d60fb24eb722e76b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:17:32 2015 -0400

    Backport fix for crash with old PAGEEXEC method and PSE, reported by Merlin

 arch/x86/kernel/cpu/common.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit d26a970bc14a1cf9305a927cd39fdc973f832640
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:03:59 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit ca92e78bdd6e85b3ec771c9b815dd0a480a8f475
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:02:11 2015 -0400

    fix the infiniband vuln properly, since nobody seems to know how
    access_ok actually works and that it's the correct fix here

 arch/sparc/include/asm/uaccess_32.h  |    1 +
 arch/sparc/include/asm/uaccess_64.h  |    5 +++++
 drivers/infiniband/core/uverbs_cmd.c |    3 +++
 3 files changed, 9 insertions(+), 0 deletions(-)

commit b1317682ea1b680491e3939895e0b084e11d975a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 31 19:15:03 2015 -0400

    backport a fix for the skb_gso_segment() null pointer deref fixed
    in upstream commit 330966e501ffe282d7184fde4518d5e0c24bc7f8 but never
    queued up for any -stable fixes apparently.

 net/netfilter/nf_queue.c |    2 +-
 net/xfrm/xfrm_output.c   |    2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

commit eec6d0e71c80d1fb0f2418bef0930736d2b1c8aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 31 17:14:21 2015 -0400

    add an additional guard against negative copy lengths on nla_memcpy as
    signed integers are being used with the expectation that they will always
    be positive.

 lib/nlattr.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e2b3eb19b7b27e6542c47c9979fb97a7b5b72509
Author: Jiri Benc <jbenc@redhat.com>
Date:   Sun Mar 29 16:05:28 2015 +0200

    netlink: pad nla_memcpy dest buffer with zeroes
    
    This is especially important in cases where the kernel allocs a new
    structure and expects a field to be set from a netlink attribute. If such
    an attribute is shorter than expected, the rest of the field is left containing
    previous data. When such a field is read back by user space, kernel memory
    content is leaked.
    
    Signed-off-by: Jiri Benc <jbenc@redhat.com>
    Acked-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/nlattr.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 065c1756ef21185008ece2c75e2e3a3e0fe6b583
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 30 20:57:48 2015 -0400

    compile fix

 init/main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1dd318c8b7225895a4f9b8e55bbc325369cd3aaa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 30 23:28:01 2015 -0400

    Add a boot-time parameter to disable GRKERNSEC_SYSFS_RESTRICT.
    
    To disable it at boot time (when compiled into the kernel), use
    grsec_sysfs_restrict=0
    on the kernel commandline
    
    Conflicts:
    
    	Documentation/kernel-parameters.txt
    	fs/debugfs/inode.c
    	fs/sysfs/dir.c

 Documentation/kernel-parameters.txt |    4 ++++
 fs/debugfs/inode.c                  |   15 ++++++++++-----
 fs/sysfs/dir.c                      |    6 ++++++
 init/main.c                         |   10 ++++++++++
 4 files changed, 30 insertions(+), 5 deletions(-)

commit 425f1f2051bcbd81181dc77af511a7ec74a45b8d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 25 18:40:53 2015 -0400

    Add allowance for /usr/libexec/abrt-hook-cpp to be executed as a usermode helper, as observed on some cPanel systems

 kernel/kmod.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d8146886b870a2c72eca4c48842fa444fb1da7fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 25 18:36:57 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 25a83e0374bad9573e80786c13cf12475d911400
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 25 16:53:50 2015 -0400

    Revert an incorrect fix from Dan Rosenberg for a btrfs heap overflow which
    preserved the vulnerability in some cases.
    https://lkml.org/lkml/2011/2/9/147
    
    Thanks to eswierk from the forums for spotting this!

 fs/btrfs/ioctl.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 7accd898dbf156b5350cdca7f70c81311b9957c9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:45:42 2015 -0400

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 75799fc77d6af3a60e27fbe2d4dfa8b871111326
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:15:49 2015 -0400

    update size_overflow hash data

 .../size_overflow_plugin/size_overflow_hash.data   |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8d13cad9215a109562fc24570478c2e4a9e3de5f
Merge: 4f83b92 d9d8bd4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:12:27 2015 -0400

    Merge branch 'pax-stable' into grsec-stable

commit d9d8bd4ea744fd261f219254a58afd6a1a1f5c3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:12:01 2015 -0400

    Update to pax-linux-3.2.68-test167.patch:
    - fixed a use-after-free in AF_UNIX socket handling, by Mathias Krause <minipli@googlemail.com>, reported by coredumb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4150)
    - fixed a USERCOPY false positive and a LATENT_ENTROPY related compile error on ppc, reported by lynliuyan (https://forums.grsecurity.net/viewtopic.php?f=3&t=4158)
    - fixed a compile regression in gcc plugins under gcc 4.6, reported by Kamil Kaczkowski and spender

 arch/powerpc/kernel/Makefile  |    5 +++++
 arch/powerpc/kernel/process.c |    2 +-
 net/unix/af_unix.c            |    7 +++++--
 tools/gcc/gcc-common.h        |    4 ++--
 4 files changed, 13 insertions(+), 5 deletions(-)

commit 4f83b92bc61bfe66f15e8f0513673be08a38cacc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 20:14:07 2015 -0400

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 93486ef652b3e7c09f735f735e6b27a57de4e332
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 19:54:15 2015 -0400

    From: Shachar Raindel <raindel () mellanox com>
    Date: Sun, 04 Jan 2015 18:30:32 +0200
    Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address arithmetic
    
    Properly verify that the resulting page aligned end address is larger
    than both the start address and the length of the memory area
    requested.
    
    Both the start and length arguments for ib_umem_get are controlled by
    the user. A misbehaving user can provide values which will cause an
    integer overflow when calculating the page aligned end address.
    
    This overflow can also cause miscalculation of the number of pages
    mapped, and additional logic issues.
    
    Signed-off-by: Shachar Raindel <raindel () mellanox com>
    Signed-off-by: Jack Morgenstein <jackm () mellanox com>
    Signed-off-by: Or Gerlitz <ogerlitz () mellanox com>

 drivers/infiniband/core/umem.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 76f1581f1267fffe747d6345ec7c0f7fece588e8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 19:44:26 2015 -0400

    Fix several instances of DMA on stack in the rts5139 driver,
    as reported by z80 on the forums

 drivers/staging/rts5139/rts51x_transport.c |   50 ++++++++++++++++++++++++---
 1 files changed, 44 insertions(+), 6 deletions(-)

commit afb2306b649b4dd4249a1042f578253d2676fec0
Author: Alexey Kodanev <alexey.kodanev@oracle.com>
Date:   Wed Mar 11 14:29:17 2015 +0300

    net: sysctl_net_core: check SNDBUF and RCVBUF for min length
    
    sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be
    set to incorrect values. Given that 'struct sk_buff' allocates from
    rcvbuf, an incorrectly set buffer length could result in memory
    allocation failures. For example, set them as follows:
    
        # sysctl net.core.rmem_default=64
          net.core.wmem_default = 64
        # sysctl net.core.wmem_default=64
          net.core.wmem_default = 64
        # ping localhost -s 1024 -i 0 > /dev/null
    
    This could result in the following failure:
    
    skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32
    head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL>
    kernel BUG at net/core/skbuff.c:102!
    invalid opcode: 0000 [#1] SMP
    ...
    task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000
    RIP: 0010:[<ffffffff8155fbd1>]  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
    RSP: 0018:ffff88003ae8bc68  EFLAGS: 00010296
    RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000
    RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8
    RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000
    R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000
    R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900
    FS:  00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0
    Stack:
     ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d
     ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550
     ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00
    Call Trace:
     [<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470
     [<ffffffff81556f56>] sock_write_iter+0x146/0x160
     [<ffffffff811d9612>] new_sync_write+0x92/0xd0
     [<ffffffff811d9cd6>] vfs_write+0xd6/0x180
     [<ffffffff811da499>] SyS_write+0x59/0xd0
     [<ffffffff81651532>] system_call_fastpath+0x12/0x17
    Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00
          00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b
          eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83
    RIP  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
    RSP <ffff88003ae8bc68>
    Kernel panic - not syncing: Fatal exception
    
    Moreover, the possible minimum is 1, so we can get another kernel panic:
    ...
    BUG: unable to handle kernel paging request at ffff88013caee5c0
    IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0
    ...
    
    Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/core/sysctl_net_core.c

 net/core/sysctl_net_core.c |   14 ++++++++++----
 1 files changed, 10 insertions(+), 4 deletions(-)

commit 96a0fd06045f3ea598276a49f499b4dd838dc66c
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun Mar 15 13:48:03 2015 +0300

    isdn: icn: use strlcpy() when parsing setup options
    
    If you pass an invalid string here then you probably deserve the memory
    corruption, but it annoys static analysis tools so let's fix it.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/icn/icn.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 94263f91d6dd8ffc67b428e8f7a6642efb01e41b
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Mar 13 09:49:59 2015 -0700

    inet_diag: fix possible overflow in inet_diag_dump_one_icsk()
    
    inet_diag_dump_one_icsk() allocates too small an skb.
    
    Add inet_sk_attr_size() helper right before inet_sk_diag_fill()
    so that it can be updated if/when new attributes are added.
    
    iproute2/ss currently does not use this dump_one() interface,
    which might explain why nobody noticed this problem yet.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/inet_diag.c

 net/ipv4/inet_diag.c |   18 ++++++++++++++----
 1 files changed, 14 insertions(+), 4 deletions(-)

commit bcda2d441b6a07eb0317fb2196fa6dca8843ade5
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Wed Mar 11 22:46:59 2015 +0100

    rds: avoid potential stack overflow
    
    The rds_iw_update_cm_id function stores a large 'struct rds_sock' object
    on the stack in order to pass a pair of addresses. This happens to just
    fit within the 1024 byte stack size warning limit on x86, but just
    exceed that limit on ARM, which gives us this warning:
    
    net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]
    
    As the use of this large variable is basically bogus, we can rearrange
    the code to not do that. Instead of passing an rds socket into
    rds_iw_get_device, we now just pass the two addresses that we have
    available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly,
    to create two address structures on the stack there.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/iw_rdma.c |   40 ++++++++++++++++++++++------------------
 1 files changed, 22 insertions(+), 18 deletions(-)

commit 5364315c426b0ead29ca879fbab7b7fffd1588c2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 9 18:26:00 2015 -0400

    Fix compilation with plugins, reported by Kamil Kaczkowski.  Apparently the version
    of gcc 4.6.4 being shipped with some distros is different from that produced by
    source builds in that it places the c-common.h header file in a different directory.
    We'll now choose the path used by distros for compatibility reasons.

 tools/gcc/gcc-common.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 832270da1a613c1086b9fd8032663d81fdf48051
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 9 18:24:39 2015 -0400

    Backport "console: Fix console name size mismatch" from Peter Hurley

 kernel/printk.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 691c644c696ef5bab09d73364f36f70d02f63676
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 27 18:40:31 2015 +0100

    tty: fix up atime/mtime mess, take four
    
    This problem was taken care of three times already in
    * b0de59b5733d18b0d1974a060860a8b5c1b36a2e (TTY: do not update
      atime/mtime on read/write),
    * 37b7f3c76595e23257f61bd80b223de8658617ee (TTY: fix atime/mtime
      regression), and
    * b0b885657b6c8ef63a46bc9299b2a7715d19acde (tty: fix up atime/mtime
      mess, take three)
    
    But it still misses one point. As John Paul correctly points out, we
    do not care about setting date. If somebody ever changes wall
    time backwards (by mistake for example), tty timestamps are never
    updated until the original wall time passes.
    
    So check the absolute difference of times and if it is larger than "8
    seconds or so", always update the time. That means we will update
    immediately when changing time. Ergo, CAP_SYS_TIME can foul the
    check, but it was always that way.
    
    Thanks, John, for serving me this so nicely debugged.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Reported-by: John Paul Perry <john_paul.perry@alcatel-lucent.com>
    Cc: <stable@vger.kernel.org> # all, as b0b885657 was backported
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 6f455c2bd5d38281ccb9e330a313b31c43c90142
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Sat Mar 7 21:08:46 2015 +0000

    sunrpc: fix braino in ->poll()
    
    POLL_OUT isn't what callers of ->poll() are expecting to see; it's
    actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap
    bit...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Cc: Bruce Fields <bfields@fieldses.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 net/sunrpc/cache.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c14b1325c66059a4b14b8cf620d1717b078d205
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Mar 4 10:39:06 2015 +0100

    TTY: fix tty_wait_until_sent on 64-bit machines
    
    Fix overflow bug in tty_wait_until_sent on 64-bit machines, where an
    infinite timeout (0) would be passed to the underlying tty-driver's
    wait_until_sent-operation as a negative timeout (-1), causing it to
    return immediately.
    
    This manifests itself for example as tcdrain() returning immediately,
    drivers not honouring the drain flags when setting terminal attributes,
    or even dropped data on close as a requested infinite closing-wait
    timeout would be ignored.
    
    The first symptom was reported by Asier LLANO who noted that tcdrain()
    returned prematurely when using the ftdi_sio usb-serial driver.
    
    Fix this by passing 0 rather than MAX_SCHEDULE_TIMEOUT (LONG_MAX) to the
    underlying tty driver.
    
    Note that the serial-core wait_until_sent-implementation is not affected
    by this bug due to a lucky chance (comparison to an unsigned maximum
    timeout), and neither is the cyclades one that had an explicit check for
    negative timeouts, but all other tty drivers appear to be affected.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable <stable@vger.kernel.org>	# v2.6.12
    Reported-by: ZIV-Asier Llano Palacios <asier.llano@cgglobal.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_ioctl.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 1f70370902c9390c3e779a7bd733e59253611d51
Merge: 48adb39 b53a4ac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 11:36:18 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit b53a4acf81c7275bcf002f7d56cdfe3a36868ce5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 11:36:04 2015 -0500

    update to pax-linux-3.2.68-test166.patch

 include/linux/irqdesc.h |    2 +-
 kernel/irq/manage.c     |    2 +-
 kernel/irq/spurious.c   |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit 48adb39fa9933a6aa26b9582ca1f27e4219cce70
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 10:09:49 2015 -0500

    Revert "net: Verify permission to dest_net in newlink"
    
    This reverts commit 468169ce1059ab1ca366c19a8d499e2370e1a49c.

 net/core/rtnetlink.c |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

commit 468169ce1059ab1ca366c19a8d499e2370e1a49c
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Feb 26 16:19:00 2015 -0600

    net: Verify permission to dest_net in newlink
    
    When applicable verify that the caller has permission to create a
    network device in another network namespace.  This check is already
    present when moving a network device between network namespaces in
    setlink so all that is needed is to duplicate that check in newlink.
    
    This change almost backports cleanly, but there are context conflicts
    as the code that follows was added in v4.0-rc1
    
    Fixes: b51642f6d77b net: Enable a userns root rtnl calls that are safe for unprivilged users
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/core/rtnetlink.c

 net/core/rtnetlink.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit d17f94b4f867a86e6e94a233c923a34c066ea27a
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Mar 3 13:53:31 2015 +0100

    net: bridge: add compile-time assert for cb struct size
    
    make build fail if structure no longer fits into ->cb storage.
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit d487b34c4dc734010d2517376b9163ef82736ef0
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Mar 5 01:09:44 2015 +0100

    x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization
    
    'ret_from_fork' checks TIF_IA32 to determine whether 'pt_regs' and
    the related state make sense for 'ret_from_sys_call'.  This is
    entirely the wrong check.  TS_COMPAT would make a little more
    sense, but there's really no point in keeping this optimization
    at all.
    
    This fixes a return to the wrong user CS if we came from int
    0x80 in a 64-bit task.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/4710be56d76ef994ddf59087aad98c000fbab9a4.1424989793.git.luto@amacapital.net
    [ Backported from tip:x86/asm. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/entry_64.S |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

commit ca805862e18a0953e810fb2d078aea571df2fe11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:27:50 2015 -0500

    Backport fix for upstream vuln in unprivileged ping from Lorenzo Colitti

 net/ipv4/ping.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 1efc2a1c892642770ddade9f0e8b5687fcd8812d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:08:54 2015 -0500

    Fix compilation with the latent entropy plugin on powerpc, as reported by
    lynliuyan at https://forums.grsecurity.net/viewtopic.php?f=3&t=4158

 arch/powerpc/kernel/Makefile |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 933755c07625e2ce468577a28b06f4c03474475d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:06:09 2015 -0500

    On architectures that use specific slabs for kernel stacks, mark them with SLAB_USERCOPY
    Reported by lynliuyan at: https://forums.grsecurity.net/viewtopic.php?f=3&t=4158

 arch/hexagon/kernel/process.c |    2 +-
 arch/powerpc/kernel/process.c |    2 +-
 arch/sh/kernel/process.c      |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit 3de9a9b74102b71d6ffaa7e77ae893e42f7bdc3a
Merge: 0edd280 5939900
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:02:58 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 5939900a888ff7652c7f237484459dcd4d35fe49
Merge: 4d586f9 9b81446
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:02:51 2015 -0500

    Merge branch 'linux-3.2.y' into pax-stable

commit 0edd2805942f355b5b357d4d3b9ed169a0789355
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 08:18:24 2015 -0500

    Fix a PAX_REFCOUNT false positive on the threads_handled statistic field
    
    Conflicts:
    
    	kernel/irq/manage.c

 include/linux/irqdesc.h |    2 +-
 kernel/irq/manage.c     |    2 +-
 kernel/irq/spurious.c   |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit 5b72f696461c6a084c739c02cc41da0e7d885ae4
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Feb 21 22:19:57 2015 -0500

    autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation
    
    X-Coverup: just ask spender
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/autofs4/dev-ioctl.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 760430f3efa04fde7fe36735e136aeef9ae5303c
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Tue Apr 8 16:04:11 2014 -0700

    autofs4: check dev ioctl size before allocating
    
    There wasn't any check of the size passed from userspace before trying
    to allocate the memory required.
    
    This meant that userspace might request more space than allowed,
    triggering an OOM.
    
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Ian Kent <raven@themaw.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/autofs4/dev-ioctl.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b490d57dd5c7beb00025afe37b9e78b954c856a5
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Fri Jan 23 20:47:00 2015 -0500

    net: llc: use correct size for sysctl timeout entries
    
    The timeout entries are sizeof(int) rather than sizeof(long), which
    means that when they were getting read we'd also leak kernel memory
    to userspace along with the timeout values.
    
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/llc/sysctl_net_llc.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 2292e135c382b70cc66eb0d53cd8b4181ff4bea2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 25 18:07:08 2015 -0500

    Disable a near-stack-overflow BUG() on x64 where we have
    GRKERNSEC_KSTACKOVERFLOW to use instead.  Works around a rarely reported issue
    where it seems for some driver we're executing a copy_*_user on a debug
    stack instead of on the process stack.

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 591d1e124e23119ba7ac837049ec926b81027078
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 11:36:26 2015 -0500

    use compat_u64 in the compat code

 include/linux/gracl_compat.h |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 3ad8ef598deeac0b1023d2235fb3e2aa5f91de3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 09:48:42 2015 -0500

    Require version 3.1 gradm to load RBAC

 grsecurity/gracl_compat.c |    3 +--
 grsecurity/gracl_policy.c |    3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

commit 929a3359b424a4e27abe7584c2180eb72f95a1bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 08:54:26 2015 -0500

    use div_u64_rem for 32-bit archs

 include/linux/gracl.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 76cbe6847478796139d1a25b1a0993a48665fa2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 07:37:57 2015 -0500

    compile fix when grsec is disabled

 grsecurity/grsec_disabled.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 6acea99126791882cdf990aa581726c449164a91
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 07:25:43 2015 -0500

    Add support for 64-bit inodes: as this breaks compatibility with gradm, bump
    the grsecurity version to 3.1

 fs/namei.c                   |    8 ++--
 grsecurity/gracl.c           |   65 +++++++++++++++++++++++++----------------
 grsecurity/gracl_policy.c    |    6 ++--
 grsecurity/gracl_segv.c      |   17 +++++++++--
 grsecurity/grsec_disabled.c  |    4 +-
 include/linux/gracl.h        |   14 ++++----
 include/linux/gracl_compat.h |    6 ++--
 include/linux/grsecurity.h   |    5 ++-
 8 files changed, 76 insertions(+), 49 deletions(-)

commit 743d5c1d30694671da6492b8aef89172ed30dd48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 17:58:04 2015 -0500

    clamp RLIMIT_NOFILE based on sysctl instead of enforcing a 1024 limit in userland

 grsecurity/gracl.c |   19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

commit 1614915a5e2ef3f03a5bbf00c7845a86d59dc442
Merge: eb6b485 4d586f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 07:41:07 2015 -0500

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	mm/mmap.c

commit 4d586f9144673f9fa204a7b849444134895d4c62
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 07:38:45 2015 -0500

    revert broken upstream stack accounting code

 mm/mmap.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit eb6b485501b7937798b98a0526c9b7efacbdc46a
Merge: 25f33c2 f0eb7bf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 07:38:34 2015 -0500

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	fs/udf/dir.c
    	mm/mmap.c

commit f0eb7bfc24988bf0ab6fdb76ff3605a251eff502
Merge: 307172b fd62350
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 07:31:03 2015 -0500

    Update to pax-linux-3.2.67-test165.patch:
    - fixed a few integer type mixups that failed the size overflow checks
    - increased the early pcpu dynamic slots to survive boot with allyesconfig
    - fixed potential boot crash when applying alternatives under KERNEXEC/i386
    - fixed potential integer truncation bug in xlate_dev_mem_ptr under PAE/i386
    - fail gcc plugins a bit more gracefully on gcc-5
    - fixed a few shellcheck.net warnings in gcc-plugin.sh
    - fixed kernel oops caused by accessing invalid virtual addresses via /dev/[k]mem under USERCOPY, reported by minipli
    - added preliminary support for gcc-5 to gcc-common.h and the constify plugin
    
    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	arch/x86/vdso/vma.c
    	fs/dcache.c
    	mm/memory.c
    	net/ipv4/tcp_output.c

commit 25f33c2df1477edbf35b18ef53367d1697b614ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 21:43:28 2015 -0500

    compile fix

 grsecurity/grsec_chroot.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit fc508f05156fa529dd2f71d7ad85e088d2c29bc6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 20:48:10 2015 -0500

    compile fix

 fs/fs_struct.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 43bbfb1faa88404081967f9b73f8b2c789fc3ccd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 19:51:21 2015 -0500

    compile fix for GRKERNSEC_CHROOT_RENAME

 fs/dcache.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ad4f3b52c64e1f82d9204e90187ec1e45c740045
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 20:03:59 2015 -0500

    add some extra enforcement that only forward jumps are permitted

 arch/x86/net/bpf_jit_comp.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit ba02e7c5a70374f5890aa0f5ad83092d2a2bbdbf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 19:47:08 2015 -0500

    Properly fix relative (un)conditional jumps with GRKERNSEC_JIT_HARDEN so that we
    don't land into our added breakpoint instructions

 arch/x86/net/bpf_jit_comp.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b93889dc063e44437fd75b25a4fefaffa6f075b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 17:44:11 2015 -0500

    Add GRKERNSEC_CHROOT_RENAME -- no one reported any problems with my posted
    patch, so let's introduce the more secure version
    
    Conflicts:
    
    	include/linux/grsecurity.h
    
    Conflicts:
    
    	fs/fs_struct.c
    	grsecurity/grsec_chroot.c
    	include/linux/grsecurity.h

 fs/dcache.c                |    1 +
 fs/fs_struct.c             |    7 +++-
 fs/namei.c                 |    8 ++++
 grsecurity/Kconfig         |   16 ++++++++
 grsecurity/grsec_chroot.c  |   82 ++++++++++++++++++++++++++++++++++++++++++++
 grsecurity/grsec_init.c    |    4 ++
 grsecurity/grsec_sysctl.c  |    9 +++++
 include/linux/dcache.h     |    3 ++
 include/linux/grinternal.h |    1 +
 include/linux/grmsg.h      |    1 +
 include/linux/grsecurity.h |    5 +++
 11 files changed, 136 insertions(+), 1 deletions(-)

commit da4e988d0eef8c1e2eaba9470049aec58c6ad4d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 18 17:48:15 2015 -0500

    Fix several issues with the code generated by GRKERNSEC_JIT_HARDEN.
    
    In the mov/test imm case we would generate incorrect instructions in
    the JIT -> the move case is relatively harmless as it would simply
    load an incorrect value into the accumulator, but the test case would
    result in a movs, allowing for the skb the BPF program is attached to
    to be clobbered.
    
    In a case of conditional jumps, the size of the jump
    instruction wasn't computed properly, leading to the code jumping
    into a breakpoint instruction and triggering an OOPs.
    
    Thanks to rfree@mempo.org and avvs@mempo.org for reporting an OOPs
    that led to the discovery of these problems.  The BPF JIT is disabled
    by default (only able to be enabled by an administrator) and they are
    likely the first and only users to ever use this feature as any JIT'd
    BPF program containing a conditional jump would crash the system.

 arch/x86/net/bpf_jit_comp.c |   19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)

commit f1986bd9a8a034a02336c795443a4bb243ebefcb
Author: David Jeffery <djeffery@redhat.com>
Date:   Thu Feb 12 16:45:31 2015 +0000

    Don't leak a key reference if request_key() tries to use a revoked keyring
    
    If a request_key() call to allocate and fill out a key attempts to insert the
    key structure into a revoked keyring, the key will leak, using memory and part
    of the user's key quota until the system reboots. This is from a failure of
    construct_alloc_key() to decrement the key's reference count after the attempt
    to insert into the requested keyring is rejected.
    
    key_put() needs to be called in the link_prealloc_failed callpath to ensure
    the unused key is released.
    
    Signed-off-by: David Jeffery <djeffery@redhat.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>

 security/keys/request_key.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 379b0a4d3e2ae5095796d2def99e47b5253fac19
Merge: ad89d65 307172b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:31:35 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 307172b4c08144555935a189c6599a681cb7a24c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:30:49 2015 -0500

    Update to pax-linux-3.2.66-test164.patch:
    - fixed STACKLEAK and stack overflow checking interference, reported by Toralf Förster (https://bugs.gentoo.org/show_bug.cgi?id=536514) and KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=4121)
    - fixed early crash of Xen domU when SSP is enabled (e.g., the default Arch kernel), reported by badchemist
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.
    - bring is_valid_bugaddr on amd64 in line with the i386 version, should fix BUG() backtraces
    - fixed rcu lock imbalance in have_submounts, by Steven Rostedt <rostedt@goodmis.org> (https://lkml.org/lkml/2015/1/17/71), reported by rfree@mempo.org

 arch/x86/kernel/dumpstack_64.c |    2 +-
 arch/x86/kernel/entry_32.S     |    1 +
 arch/x86/kernel/entry_64.S     |    1 +
 arch/x86/kernel/process_32.c   |    2 +-
 arch/x86/kernel/process_64.c   |    2 +-
 arch/x86/xen/enlighten.c       |    3 +++
 fs/dcache.c                    |    4 +++-
 fs/exec.c                      |    2 +-
 scripts/Kbuild.include         |    2 +-
 9 files changed, 13 insertions(+), 6 deletions(-)

commit ad89d65da4bfbea5fa820fe56ed5e70fabc8247d
Author: Giel van Schijndel <me@mortis.eu>
Date:   Tue Jan 6 22:37:00 2015 +0100

    cifs: use memzero_explicit to clear stack buffer
    
    When leaving a function use memzero_explicit instead of memset(0) to
    clear stack allocated buffers. memset(0) may be optimized away.
    
    This particular buffer is highly likely to contain sensitive data which
    we shouldn't leak (it's named 'passwd' after all).
    
    Signed-off-by: Giel van Schijndel <me@mortis.eu>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Reported-at: http://www.viva64.com/en/b/0299/
    Reported-by: Andrey Karpov
    Reported-by: Svyatoslav Razmyslov
    Signed-off-by: Steve French <steve.french@primarydata.com>

 fs/cifs/smbencrypt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
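
Added example (not cifs or kernel code) of the point in the commit above: a memset(0) on a buffer that is never read again is a dead store the optimizer may delete, so the scrub has to be forced. The memzero_explicit-style helper, the FNV-1a stand-in for the real work on the secret, and the caller-supplied buffer are all constructed for this illustration.

```c
/* Added example: a memzero_explicit-style scrub and a function that uses it.
 * Routing memset through a volatile function pointer and following it with a
 * memory barrier denies the compiler the dead-store elimination that can
 * silently remove a plain memset(buf, 0, len) right before return. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The compiler cannot see through a volatile pointer, so the call stays. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void explicit_zero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
    /* Tell the compiler the memory behind p was touched after the call. */
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

/* FNV-1a, used only as a stand-in for whatever is computed from the secret. */
uint32_t fnv1a(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

#define PASSWD_BUF 16

/* Hypothetical 'passwd' handling: copy the secret into a working buffer,
 * derive a value from it, scrub the buffer before returning. The buffer is
 * caller-supplied only so the scrub can be observed afterwards; with a local
 * array (the real-world case) a plain memset(0) here is what gets dropped. */
uint32_t derive_and_scrub(const char *password, unsigned char passwd[PASSWD_BUF])
{
    size_t n = strlen(password);
    if (n > PASSWD_BUF)
        n = PASSWD_BUF;
    memset(passwd, 0, PASSWD_BUF);
    memcpy(passwd, password, n);
    uint32_t h = fnv1a(passwd, n);
    explicit_zero(passwd, PASSWD_BUF);   /* survives optimization */
    return h;
}

/* Returns 1 when no byte of the buffer is non-zero. */
int all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Self-check with a constructed password: derived value matches a direct
 * computation and the working buffer holds no secret bytes afterwards. */
int scrub_demo_ok(void)
{
    static unsigned char buf[PASSWD_BUF];
    uint32_t h = derive_and_scrub("hunter2", buf);
    return all_zero(buf, PASSWD_BUF) &&
           h == fnv1a((const unsigned char *)"hunter2", 7);
}
```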

commit 896d0cda0f8bceefe92052c5dfd7ea5d4f51e5ad
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 15 16:34:35 2015 +0100

    net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
    
    I.e. one-to-many sockets in SCTP are not required to explicitly
    call into connect(2) or sctp_connectx(2) prior to data exchange.
    Instead, they can directly invoke sendmsg(2) and the SCTP stack
    will automatically trigger connection establishment through 4WHS
    via sctp_primitive_ASSOCIATE(). However, this in its current
    implementation is racy: INIT is being sent out immediately (as
    it cannot be bundled anyway) and the rest of the DATA chunks are
    queued up for later xmit when connection is established, meaning
    sendmsg(2) will return successfully. This behaviour can result
    in an undesired side-effect that the kernel made the application
    think the data has already been transmitted, although none of it
    has actually left the machine, worst case even after close(2)'ing
    the socket.
    
    Instead, when the association from client side has been shut down
    e.g. first gracefully through SCTP_EOF and then close(2), the
    client could afterwards still receive the server's INIT_ACK due
    to a connection with higher latency. This INIT_ACK is then considered
    out of the blue and hence responded with ABORT as there was no
    alive assoc found anymore. This can be easily reproduced f.e.
    with sctp_test application from lksctp. One way to fix this race
    is to wait for the handshake to actually complete.
    
    The fix defers waiting after sctp_primitive_ASSOCIATE() and
    sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
    from sctp_sendmsg() have already been placed into the output
    queue through the side-effect interpreter, and therefore can then
    be bundled together with COOKIE_ECHO control chunks.
    
    strace from example application (shortened):
    
    socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
               msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
    close(3) = 0
    
    tcpdump before patch (fooling the application):
    
    22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
    22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
    22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]
    
    tcpdump after patch:
    
    14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
    14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
    14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
    14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
    14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
    14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
    14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
    14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
    14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
    14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
    14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]
    
    Looks like this bug is from the pre-git history museum. ;)
    
    Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/sctp/socket.c

 net/sctp/socket.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 28e7551a10df3b00676519fa269fc9f21562eefd
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Tue Feb 3 08:55:58 2015 -0500

    net: rds: use correct size for max unacked packets and bytes
    
    Max unacked packets/bytes is an int while sizeof(long) was used in the
    sysctl table.
    
    This means that when they were getting read we'd also leak kernel memory
    to userspace along with the timeout values.
    
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/sysctl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ebb75bc888f1613c4e332a48b883b463e492ed63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 08:09:18 2015 -0500

    Fix another upstream bug, rcu lock imbalance causing OOPses since
    an upstream 3.2 backport.
    Reported and fixed here: https://lkml.org/lkml/2015/1/17/71
    Presumably will be fixed in 3.2.67, but since we have users hitting
    it already, let's fix it now.
    Thanks to rfree@mempo.org for the oops reports

 fs/dcache.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit d14bff6a2ee562e886a34069980ae2c6956fdd24
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jan 28 10:56:04 2015 +0100

    ppp: deflate: never return len larger than output buffer
    
    When we've run out of space in the output buffer to store more data, we
    will call zlib_deflate with a NULL output buffer until we've consumed
    remaining input.
    
    When this happens, olen contains the size the output buffer would have
    consumed iff we'd have had enough room.
    
    This can later cause skb_over_panic when ppp_generic skb_put()s
    the returned length.
    
    Reported-by: Iain Douglas <centos@1n6.org.uk>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ppp/ppp_deflate.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8dbb050410cd847d7e34cb058f71ce30f8b91310
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 17:43:03 2015 -0500

    Backport fix for CVE-2015-1420:
    http://marc.info/?l=linux-kernel&m=142247707318982&w=2
    
    Though it requires CAP_DAC_READ_SEARCH and (additionally in grsec)
    cannot be performed in a chroot

 fs/fhandle.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit bea8d87e4fd8c70bd96aeaa09378fde6852efe44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 16:57:54 2015 -0500

    Backport from PaX patch:
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.

 scripts/Kbuild.include |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 46d784468156a0712d4973b03d7cd6448834851e
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Jan 22 11:27:59 2015 -0800

    x86, tls: Interpret an all-zero struct user_desc as "no segment"
    
    The Witcher 2 did something like this to allocate a TLS segment index:
    
            struct user_desc u_info;
            bzero(&u_info, sizeof(u_info));
            u_info.entry_number = (uint32_t)-1;
    
            syscall(SYS_set_thread_area, &u_info);
    
    Strictly speaking, this code was never correct.  It should have set
    read_exec_only and seg_not_present to 1 to indicate that it wanted
    to find a free slot without putting anything there, or it should
    have put something sensible in the TLS slot if it wanted to allocate
    a TLS entry for real.  The actual effect of this code was to
    allocate a bogus segment that could be used to exploit espfix.
    
    The set_thread_area hardening patches changed the behavior, causing
    set_thread_area to return -EINVAL and crashing the game.
    
    This changes set_thread_area to interpret this as a request to find
    a free slot and to leave it empty, which isn't *quite* what the game
    expects but should be close enough to keep it working.  In
    particular, using the code above to allocate two segments will
    allocate the same segment both times.
    
    According to FrostbittenKing on Github, this fixes The Witcher 2.
    
    If this somehow still causes problems, we could instead allocate
    a limit==0 32-bit data segment, but that seems rather ugly to me.
    
    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: stable@vger.kernel.org
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 arch/x86/include/asm/desc.h |   13 +++++++++++++
 arch/x86/kernel/tls.c       |   25 +++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

commit fbfda9617d4e349cb55343f5b265db7ada6b28f9
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Jan 22 11:27:58 2015 -0800

    x86, tls, ldt: Stop checking lm in LDT_empty
    
    32-bit programs don't have an lm bit in their ABI, so they can't
    reliably cause LDT_empty to return true without resorting to memset.
    They shouldn't need to do this.
    
    This should fix a longstanding, if minor, issue in all 64-bit kernels
    as well as a potential regression in the TLS hardening code.
    
    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 arch/x86/include/asm/desc.h |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)
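
Added example, not the kernel's tls.c, covering the two x86 TLS commits above: the two descriptor shapes that now mean "no segment" (the traditional empty descriptor, with lm no longer consulted, and the all-zero one that bzero() produces), and why the game's request is handed the same slot every time. The struct is a local copy of the uapi user_desc layout so it builds off x86; the 3-entry table with 0-based indices and the set_thread_area stand-in are simplifications made for this example.

```c
/* Added example: "empty" vs "zero" descriptors and a simplified
 * set_thread_area. Not kernel code; layout copied from uapi asm/ldt.h. */
#include <stdbool.h>
#include <string.h>

struct user_desc_copy {
    unsigned int entry_number;
    unsigned int base_addr;
    unsigned int limit;
    unsigned int seg_32bit:1;
    unsigned int contents:2;
    unsigned int read_exec_only:1;
    unsigned int limit_in_pages:1;
    unsigned int seg_not_present:1;
    unsigned int useable:1;
    unsigned int lm:1;   /* 64-bit only; a 32-bit caller cannot set it */
};

/* Traditional empty descriptor: not present, read-only, zero base/limit.
 * lm is deliberately ignored (second commit): 32-bit programs have no lm. */
bool ldt_empty(const struct user_desc_copy *d)
{
    return d->base_addr == 0 && d->limit == 0 && d->contents == 0 &&
           d->read_exec_only == 1 && d->seg_32bit == 0 &&
           d->limit_in_pages == 0 && d->seg_not_present == 1 &&
           d->useable == 0;
}

/* All-zero descriptor (first commit): what bzero(&u_info) produces. */
bool ldt_zero(const struct user_desc_copy *d)
{
    return d->base_addr == 0 && d->limit == 0 && d->contents == 0 &&
           d->read_exec_only == 0 && d->seg_32bit == 0 &&
           d->limit_in_pages == 0 && d->seg_not_present == 0 &&
           d->useable == 0;
}

#define TLS_ENTRIES 3   /* simplification: real GDT indices start higher */
struct tls_table { struct user_desc_copy slot[TLS_ENTRIES]; };

/* Simplified set_thread_area: entry_number == -1 means "pick a free slot",
 * i.e. one holding no segment. A request that itself describes no segment
 * only reports the slot and leaves it empty, so a program that never installs
 * anything is handed the same index every time. Returns the slot index, or
 * -1 when no slot is free or the index is out of range. */
int set_thread_area_sim(struct tls_table *t, struct user_desc_copy *req)
{
    int idx = (int)req->entry_number;
    if (idx == -1) {
        for (idx = 0; idx < TLS_ENTRIES; idx++)
            if (ldt_zero(&t->slot[idx]) || ldt_empty(&t->slot[idx]))
                break;
        if (idx == TLS_ENTRIES)
            return -1;                  /* -ESRCH in the kernel */
        req->entry_number = (unsigned int)idx;
    } else if (idx < 0 || idx >= TLS_ENTRIES) {
        return -1;                      /* -EINVAL in the kernel */
    }
    if (ldt_zero(req) || ldt_empty(req))
        memset(&t->slot[idx], 0, sizeof t->slot[idx]);  /* clear, not install */
    else
        t->slot[idx] = *req;
    return idx;
}

/* The sequence quoted in the commit, issued twice on an empty table:
 * both calls return slot 0. Returns the second call's slot. */
int game_second_slot(void)
{
    struct tls_table t;
    struct user_desc_copy u;
    memset(&t, 0, sizeof t);
    memset(&u, 0, sizeof u);
    u.entry_number = (unsigned int)-1;
    set_thread_area_sim(&t, &u);          /* slot 0, left empty */
    memset(&u, 0, sizeof u);
    u.entry_number = (unsigned int)-1;
    return set_thread_area_sim(&t, &u);   /* slot 0 again */
}

/* A real 32-bit data segment (constructed values) installed twice takes
 * slots 0 and then 1, because the first install consumed slot 0. */
int real_second_slot(void)
{
    struct tls_table t;
    struct user_desc_copy u;
    memset(&t, 0, sizeof t);
    memset(&u, 0, sizeof u);
    u.entry_number = (unsigned int)-1;
    u.base_addr = 0x10000; u.limit = 0xfffff; u.seg_32bit = 1;
    u.limit_in_pages = 1; u.useable = 1;
    set_thread_area_sim(&t, &u);          /* slot 0 */
    u.entry_number = (unsigned int)-1;
    return set_thread_area_sim(&t, &u);   /* slot 1 */
}
```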

commit 512a4bad2a5fff934aa1855ba0fa64cd5357733b
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Thu Jan 1 23:11:11 2015 +0200

    KVM: x86: SYSENTER emulation is broken
    
    SYSENTER emulation is broken in several ways:
    1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
    2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
       still be set without causing #GP).
    3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
       legacy-mode.
    4. There is some unneeded code.
    
    Fix it.
    
    Cc: stable@vger.linux.org
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    
    Conflicts:
    
    	arch/x86/kvm/emulate.c

 arch/x86/kvm/emulate.c |   23 +++++++----------------
 1 files changed, 7 insertions(+), 16 deletions(-)

commit 7a964f0b7ee8c4641cc39ea736e551e24f3fddba
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 22 18:26:54 2015 +0100

    net: sctp: fix slab corruption from use after free on INIT collisions
    
    When hitting an INIT collision case during the 4WHS with AUTH enabled, as
    already described in detail in commit 1be9a950c646 ("net: sctp: inherit
    auth_capable on INIT collisions"), it can happen that we occasionally
    still remotely trigger the following panic on server side which seems to
    have been uncovered after the fix from commit 1be9a950c646 ...
    
    [  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
    [  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
    [  533.940559] PGD 5030f2067 PUD 0
    [  533.957104] Oops: 0000 [#1] SMP
    [  533.974283] Modules linked in: sctp mlx4_en [...]
    [  534.939704] Call Trace:
    [  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
    [  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
    [  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
    [  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
    [  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
    [  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
    [  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
    [  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
    
    ... or depending on the application, for example this one:
    
    [ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
    [ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
    [ 1370.054568] PGD 633c94067 PUD 0
    [ 1370.070446] Oops: 0000 [#1] SMP
    [ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
    [ 1370.963431] Call Trace:
    [ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
    [ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
    [ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
    [ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
    [ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
    
    With slab debugging enabled, we can see that the poison has been overwritten:
    
    [  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
    [  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
    [  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
    [  669.826424]  __slab_alloc+0x4bf/0x566
    [  669.826433]  __kmalloc+0x280/0x310
    [  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
    [  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
    [  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
    [  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
    [  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
    [  669.826635]  __slab_free+0x39/0x2a8
    [  669.826643]  kfree+0x1d6/0x230
    [  669.826650]  kzfree+0x31/0x40
    [  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
    [  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
    [  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]
    
    Since this only triggers in some collision-cases with AUTH, the problem at
    heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
    when having refcnt 1, once directly in sctp_assoc_update() and yet again
    from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
    the already kzfree'd memory, which is also consistent with the observation
    of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
    at a later point in time when poison is checked on new allocation).
    
    Reference counting of auth keys revisited:
    
    Shared keys for AUTH chunks are being stored in endpoints and associations
    in endpoint_shared_keys list. On endpoint creation, a null key is being
    added; on association creation, all endpoint shared keys are being cached
    and thus cloned over to the association. struct sctp_shared_key only holds
    a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
    keeps track of users internally through refcounting. Naturally, on assoc
    or endpoint destruction, sctp_shared_key are being destroyed directly and
    the reference on sctp_auth_bytes dropped.
    
    User space can add keys to either list via setsockopt(2) through struct
    sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
    adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
    with refcount 1 and in case of replacement drops the reference on the old
    sctp_auth_bytes. A key can be set active from user space through setsockopt()
    on the id via sctp_auth_set_active_key(), which iterates through either
    endpoint_shared_keys and in case of an assoc, invokes (one of various places)
    sctp_auth_asoc_init_active_key().
    
    sctp_auth_asoc_init_active_key() computes the actual secret from local's
    and peer's random, hmac and shared key parameters and returns a new key
    directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
    the reference if there was a previous one. The secret, on which we
    eventually double drop the ref, comes from sctp_auth_asoc_set_secret() with
    an initial refcount of 1, which also stays unchanged eventually in
    sctp_assoc_update(). This key is later being used for crypto layer to
    set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
    
    To close the loop: asoc->asoc_shared_key is freshly allocated secret
    material and independent of the sctp_shared_key management keeping track
    of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
    ("net: sctp: fix memory leak in auth key management") is independent of
    this bug here since it concerns a different layer (though same structures
    being used eventually). asoc->asoc_shared_key is reference dropped correctly
    on assoc destruction in sctp_association_free() and when active keys are
    being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
    of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
    to remove that sctp_auth_key_put() from there which fixes these panics.
    
    Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/associola.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)
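
Added example, not SCTP's code: a constructed model of the refcount bug the commit above describes, with the asoc_shared_key created at refcount 1, an init_active_key() that already drops the previous key's reference, and the assoc_update() before and after the fix. Released keys are poisoned with 0x6b (the slab poison byte in the log) and quarantined rather than handed back to a heap, so the second put shows up as a detected error instead of corrupted memory; the pool, the counters and the secrets are all constructed for this example.

```c
/* Added example: modelling the double sctp_auth_key_put() and its fix.
 * struct auth_bytes stands in for sctp_auth_bytes; everything is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POISON_FREE 0x6b
#define KEY_BYTES 16
#define POOL_SIZE 4

struct auth_bytes {
    int refcnt;
    int released;            /* quarantine flag instead of a real free() */
    uint8_t data[KEY_BYTES];
};

struct assoc {               /* only the field this bug touches */
    struct auth_bytes *asoc_shared_key;
};

static struct auth_bytes pool[POOL_SIZE];   /* fixed pool: no heap needed */
static int pool_used, releases, double_puts;

static struct auth_bytes *key_create(const uint8_t *secret, size_t len)
{
    if (pool_used == POOL_SIZE)
        return NULL;
    struct auth_bytes *k = &pool[pool_used++];
    memset(k, 0, sizeof *k);
    k->refcnt = 1;                            /* as sctp_auth_create_key() */
    memcpy(k->data, secret, len < KEY_BYTES ? len : KEY_BYTES);
    return k;
}

/* kzfree-style release: scrub the secret, poison, quarantine. */
static void key_release(struct auth_bytes *k)
{
    memset(k->data, POISON_FREE, KEY_BYTES);
    k->released = 1;
    releases++;
}

/* Returns -1 when a put lands on an already released key (the bug). */
int key_put(struct auth_bytes *k)
{
    if (!k)
        return 0;
    if (k->released || k->refcnt <= 0) {
        double_puts++;
        return -1;
    }
    if (--k->refcnt == 0)
        key_release(k);
    return 0;
}

/* Model of sctp_auth_asoc_init_active_key(): compute a new secret and drop
 * the reference held by the previous active key. It owns that release. */
int init_active_key(struct assoc *a, const uint8_t *secret, size_t len)
{
    int rc = key_put(a->asoc_shared_key);
    a->asoc_shared_key = key_create(secret, len);
    return rc;
}

/* Before the fix: sctp_assoc_update() puts the key itself (refcnt 1 -> 0,
 * released), then init_active_key() puts it again on released memory. */
int assoc_update_before(struct assoc *a, const uint8_t *s, size_t len)
{
    int rc = key_put(a->asoc_shared_key);
    if (init_active_key(a, s, len) < 0)
        rc = -1;
    return rc;
}

/* After the fix: the extra put is gone; exactly one release happens. */
int assoc_update_after(struct assoc *a, const uint8_t *s, size_t len)
{
    return init_active_key(a, s, len);
}

/* Runs one update from a fresh state and returns how many puts hit an
 * already released key: 1 for the buggy variant, 0 for the fixed one. */
int run_update(int fixed)
{
    static const uint8_t s1[] = "constructed-secret-1";
    static const uint8_t s2[] = "constructed-secret-2";
    struct assoc a;
    pool_used = releases = double_puts = 0;
    a.asoc_shared_key = key_create(s1, sizeof s1);
    if (fixed)
        assoc_update_after(&a, s2, sizeof s2);
    else
        assoc_update_before(&a, s2, sizeof s2);
    return double_puts;
}

/* Number of releases in the last run_update(): 1 in both variants, i.e. the
 * fix does not leak the old key, it only stops touching it after release. */
int release_count(void)
{
    return releases;
}
```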

commit 1301d30706a83116f0c74659878d291fc6608a0e
Author: subashab@codeaurora.org <subashab@codeaurora.org>
Date:   Fri Jan 23 22:26:02 2015 +0000

    ping: Fix race in free in receive path
    
    An exception is seen in ICMP ping receive path where the skb
    destructor sock_rfree() tries to access a freed socket. This happens
    because ping_rcv() releases socket reference with sock_put() and this
    internally frees up the socket. Later icmp_rcv() will try to free the
    skb and as part of this, skb destructor is called and which leads
    to a kernel panic as the socket is freed already in ping_rcv().
    
    -->|exception
    -007|sk_mem_uncharge
    -007|sock_rfree
    -008|skb_release_head_state
    -009|skb_release_all
    -009|__kfree_skb
    -010|kfree_skb
    -011|icmp_rcv
    -012|ip_local_deliver_finish
    
    Fix this incorrect free by cloning this skb and processing this cloned
    skb instead.
    
    This patch was suggested by Eric Dumazet
    
    Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
    Cc: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 27e359f049d7304d2e306ca97db6e89eb1255586
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:31:25 2015 -0500

    Make it easier to work with inherited subjects that change roles.
    If a subject of the same name of the current inherited subject
    exists in the role being changed to with a similar object
    in it that would trigger inheritance on execution of the current process'
    binary, then we'll use that subject instead of the normal one obtained
    through lookup.
    
    See:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=4129
    
    Conflicts:
    
    	grsecurity/gracl_policy.c

 grsecurity/gracl.c        |   42 ++++++++++++++++++++++++++++++------------
 grsecurity/gracl_policy.c |   10 +++++-----
 2 files changed, 35 insertions(+), 17 deletions(-)

commit f16802f0823a3a303b18789c57a4b7c35449174a
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jan 19 22:34:51 2015 +0300

    s2io: use snprintf() as a safety feature
    
    "sp->desc[i]" has 25 characters.  "dev->name" has 15 characters.  If we
    used all 15 characters then the sprintf() would overflow.
    
    I changed the "sprintf(sp->name, "%s Neterion %s"" to snprintf(), as
    well, even though it can't overflow just to be consistent.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/neterion/s2io.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)
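
Added example, not s2io's code: bounded formatting with truncation detection for the sizes the commit above quotes (a 25-byte description buffer and a device name of up to 15 characters), next to a measurement of how far an unbounded sprintf() would overrun. The format string and the interface names are constructed for this example.

```c
/* Added example: snprintf() as a safety feature, with the return value
 * checked so truncation is reported rather than silently accepted. */
#include <stdio.h>
#include <string.h>

#define DESC_LEN 25    /* sizeof(sp->desc[i]) per the commit message */
#define IFNAME_MAX 15  /* longest dev->name per the commit message */

/* Bytes sprintf() would write, NUL included. Formatting into a NULL,
 * zero-length buffer is the C99 way to measure without writing. */
size_t needed_bytes(const char *devname, int idx)
{
    int n = snprintf(NULL, 0, "%s:MSI-X-%d-RX", devname, idx);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bytes by which an unbounded sprintf() into a DESC_LEN buffer would
 * overrun it; 0 means it fits. */
size_t overflow_bytes(const char *devname, int idx)
{
    size_t need = needed_bytes(devname, idx);
    return need > DESC_LEN ? need - DESC_LEN : 0;
}

/* Safe variant: snprintf() never writes past desc_len, and a return value
 * >= desc_len means the text was cut. Returns 0 on success, -1 when the
 * name is oversized or the output did not fit (desc then holds a
 * NUL-terminated prefix that callers must not treat as complete). */
int build_desc(char *desc, size_t desc_len, const char *devname, int idx)
{
    if (strlen(devname) > IFNAME_MAX)
        return -1;
    int n = snprintf(desc, desc_len, "%s:MSI-X-%d-RX", devname, idx);
    if (n < 0 || (size_t)n >= desc_len)
        return -1;
    return 0;
}

/* Constructed check: a 15-character name overflows the old sprintf() by two
 * bytes (26 characters plus NUL into 25) and is reported as truncated by
 * build_desc(); a short name round-trips intact. */
int desc_demo_ok(void)
{
    char desc[DESC_LEN];
    const char *longname = "wlxaabbccddeeff";   /* 15 chars, constructed */
    const char *shortname = "eth0";             /* constructed */
    if (build_desc(desc, sizeof desc, longname, 7) != -1)
        return 0;
    if (overflow_bytes(longname, 7) != 2)
        return 0;
    if (build_desc(desc, sizeof desc, shortname, 7) != 0)
        return 0;
    return strcmp(desc, "eth0:MSI-X-7-RX") == 0;
}
```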

commit 2e4a361a46dab6bc80f948e4dda9c100d8550adb
Author: Willem de Bruijn <willemb@google.com>
Date:   Thu Jan 15 13:18:40 2015 -0500

    ip: zero sockaddr returned on error queue
    
    The sockaddr is returned in IP(V6)_RECVERR as part of errhdr. That
    structure is defined and allocated on the stack as
    
        struct {
                struct sock_extended_err ee;
                struct sockaddr_in(6)    offender;
        } errhdr;
    
    The second part is only initialized for certain SO_EE_ORIGIN values.
    Always initialize it completely.
    
    An MTU exceeded error on a SOCK_RAW/IPPROTO_RAW is one example that
    would return uninitialized bytes.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    
    ----
    
    Also verified that there is no padding between errhdr.ee and
    errhdr.offender that could leak additional kernel data.
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/ip_sockglue.c
    	net/ipv6/datagram.c
    
    Conflicts:
    
    	net/ipv6/datagram.c

 net/ipv4/ip_sockglue.c |    9 +++------
 net/ipv6/datagram.c    |   10 +++-------
 2 files changed, 6 insertions(+), 13 deletions(-)

commit 81b2008552c0bb59b762bec69a0e5e4922baba24
Author: Hagen Paul Pfeifer <hagen@jauu.net>
Date:   Thu Jan 15 22:34:25 2015 +0100

    ipv6: stop sending PTB packets for MTU < 1280
    
    Reduce the attack vector and stop generating IPv6 Fragment Header for
    paths with an MTU smaller than the minimum required IPv6 MTU
    size (1280 byte) - called atomic fragments.
    
    See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1]
    for more information and how this "feature" can be misused.
    
    [1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00
    
    Signed-off-by: Fernando Gont <fgont@si6networks.com>
    Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/route.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 9840c41643e27ad6593d7cb9c5015bf64ee769ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 14 22:48:11 2015 -0500

    Allow the admin role and subjects with ptrace override ability to
    view /proc/pid/mem, /proc/pid/fd, and /proc/pid/cmdline of tasks
    with "d" in their subject mode.  Thanks to tjh for the report!

 grsecurity/gracl_fs.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit b893083b6fe3ec6ec22acfc6f22d9d29c2252b39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 14 21:47:00 2015 -0500

    Fix some instances of dma-on-stack reported by xxterry1xx on the forums

 drivers/staging/line6/driver.c   |   16 ++++++++++++----
 drivers/staging/line6/toneport.c |   13 ++++++++++---
 2 files changed, 22 insertions(+), 7 deletions(-)

commit 3f4ac907f2f59cbcaeaeedbea222241309d28b0b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 09:46:33 2015 -0500

    squelch a harmless compiler warning

 drivers/iommu/amd_iommu.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9759066f743d84a8f7faeec2600d864fa0b3c663
Merge: 293330c a63b181
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 5 18:18:42 2015 -0500

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	arch/x86/kernel/espfix_64.c

commit a63b181acea3b68bfb509aa9d566c05f29d82ace
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 5 18:16:35 2015 -0500

    Update to pax-linux-3.2.66-test163.patch:
    - added a temporary workaround for a few size overflow false positives when REFCOUNT was disabled until the new plugin is ready, by Mathias Krause <mathias.krause@secunet.com>
    - preliminary fix by Steffen Klassert (http://marc.info/?l=linux-netdev&m=141768340108789) for an upstream bug in the ipv6 tunnel code caught by the size overflow plugin, reported by Alexander Wetzel (https://forums.grsecurity.net/viewtopic.php?f=1&t=4083) and Colton Reeder (https://bugs.gentoo.org/show_bug.cgi?id=529352)
    - fixed a few REFCOUNT accessors on arm/sparc
    - fixed a few section mismatches for CONSTIFY
    - fixed a (probably harmless) integer underflow in ttm_page_pool_free, caught by the size overflow plugin, reported by hunger
    - fixed a REFCOUNT false positive in ftrace
    - fixed ESPFIX crash under per-cpu PGD configs (KERNEXEC/UDEREF on amd64), reported by Andy Lutomirski <luto@amacapital.net>
    - constified a few variables
    - removed superfluous section attr on espfix_pud_page, reported by spender

 arch/arm/include/asm/atomic.h        |    2 +-
 arch/sparc/include/asm/atomic_64.h   |    4 ++--
 arch/x86/include/asm/atomic.h        |    4 ++--
 arch/x86/kernel/entry_64.S           |   10 +++++-----
 arch/x86/kernel/espfix_64.c          |   13 +++++++------
 arch/x86/kvm/emulate.c               |    2 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c |   16 ++++++++--------
 drivers/net/can/dev.c                |    2 +-
 drivers/net/can/vcan.c               |    2 +-
 drivers/net/dummy.c                  |    2 +-
 drivers/net/ifb.c                    |    2 +-
 drivers/net/macvtap.c                |    2 +-
 drivers/net/tun.c                    |    2 +-
 include/asm-generic/atomic-long.h    |    2 +-
 include/drm/ttm/ttm_page_alloc.h     |    2 +-
 include/linux/linkage.h              |    1 +
 include/linux/sched.h                |    2 +-
 kernel/trace/ftrace.c                |    4 ++--
 kernel/trace/trace_functions_graph.c |    4 ++--
 net/8021q/vlan_netlink.c             |    2 +-
 net/bridge/br_netlink.c              |    2 +-
 net/caif/chnl_net.c                  |    2 +-
 net/ieee802154/6lowpan.c             |    2 +-
 net/ipv6/xfrm6_policy.c              |    2 +-
 24 files changed, 45 insertions(+), 43 deletions(-)

commit 293330cf03806f4cbd887e76e557089b3722fbaa
Merge: eb2c0a0 574ca55
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 4 21:30:56 2015 -0500

    Merge branch 'pax-stable' into grsec-stable

commit 574ca556bcef707872bfc8c02c43d1a33f5bee13
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 4 19:09:32 2015 -0500

    Update to pax-linux-3.2.66-test162.patch:
    - fixed kernel stack corruption in iret fault handling under RANDKSTACK/amd64, triggered by Andy Lutomirski's linux-clock-tests suite (sigreturn_32)

 arch/x86/kernel/traps.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit eb2c0a0021b1ce8a9f877aa380d1b5873d232fab
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 16:15:51 2014 +0200

    udf: Make udf_read_inode() and udf_iget() return error
    
    Currently __udf_read_inode() wasn't returning anything and we found out
    whether we succeeded reading the inode by checking whether the inode is bad
    or not. udf_iget() returned NULL on failure and an inode pointer otherwise.
    Make these two functions properly propagate errors up the call stack and
    use the return value in callers.
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    
    Conflicts:
    
    	fs/udf/super.c

 fs/udf/inode.c   |   99 +++++++++++++++++++++++++-----------------------------
 fs/udf/namei.c   |   22 +++++-------
 fs/udf/super.c   |   72 ++++++++++++++++++++++-----------------
 fs/udf/udfdecl.h |    1 -
 4 files changed, 96 insertions(+), 98 deletions(-)

commit cde4c9834629a063ab39d606cc61b735a57341eb
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 14:27:55 2014 +0100

    udf: Check component length before reading it
    
    Check that the length specified in a component of a symlink fits in the
    input buffer we are reading. Also properly ignore component length for
    component types that do not use it. Otherwise we read memory after the end
    of the buffer for a corrupted udf image.
    
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/symlink.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 4901723ff94fa2e1da789f24abb8598071a15476
Author: Jan Kara <jack@suse.cz>
Date:   Thu Dec 18 22:37:50 2014 +0100

    udf: Check path length when reading symlink
    
    Symlink reading code does not check whether the resulting path fits into
    the page provided by the generic code. This isn't as easy as just
    checking the symlink size because of various encoding conversions we
    perform on path. So we have to check whether there is still enough space
    in the buffer on the fly.
    
    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    Signed-off-by: Jan Kara <jack@suse.cz>
    
    Conflicts:
    
    	fs/udf/dir.c
    	fs/udf/symlink.c

 fs/udf/dir.c     |    3 ++-
 fs/udf/namei.c   |    3 ++-
 fs/udf/symlink.c |   45 ++++++++++++++++++++++++++++++++++++---------
 fs/udf/udfdecl.h |    3 ++-
 fs/udf/unicode.c |   28 ++++++++++++++++------------
 5 files changed, 58 insertions(+), 24 deletions(-)

commit bcac5b9ecb07f540878ae65bd955193795c276d4
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 12:21:47 2014 +0100

    udf: Verify symlink size before loading it
    
    UDF specification allows arbitrarily large symlinks. However we support
    only symlinks at most one block large. Check the length of the symlink
    so that we don't access memory beyond end of the symlink block.
    
    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/symlink.c |   17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

commit 2e3b3d6033e7fc145bccad33ba3899f968e6cc87
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 12:03:53 2014 +0100

    udf: Verify i_size when loading inode
    
    Verify that inode size is sane when loading inode with data stored in
    ICB. Otherwise we may get confused later when working with the inode and
    inode size is too big.
    
    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit fe0706647ef89092fe98ebfc5cd24f2f11d41af9
Author: Jan Kara <jack@suse.cz>
Date:   Thu Dec 18 17:26:10 2014 +0100

    isofs: Fix unchecked printing of ER records
    
    We didn't check the length of rock ridge ER records before printing them.
    Thus a corrupted isofs image can cause us to access and print some memory
    behind the buffer with obvious consequences.
    
    Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/isofs/rock.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6b0d4654592f127bfedb7afb992ff3ebf5b4220a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 1 09:23:42 2015 -0500

    compile fix

 fs/udf/inode.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 0fd452435279b1fb6cc47a5b04ac6fff6d06eb42
Merge: f2986d3 f531dba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 1 09:06:40 2015 -0500

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	arch/x86/kernel/tls.c
    	fs/udf/inode.c
    	include/linux/dcache.h

commit f531dba1bb6dce85eda2444a6ae670865c696b6c
Merge: a7bdd00 ac4619ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 1 09:03:34 2015 -0500

    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	fs/libfs.c

commit f2986d3f727a4a226a2b73b96e185a0cbae32288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 30 23:57:25 2014 -0500

    resync with PaX

 arch/x86/kernel/entry_64.S |   10 +++++-----
 arch/x86/kvm/emulate.c     |    2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit d5d88b95dc4e700e694fe96816a83c008e865c67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 27 17:24:20 2014 -0500

    remove the %preun step; we don't want to remove old kernels installed from the paid kernel service

 scripts/package/mkspec |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit cc567a0ec5edd4ec396ec7926e1a9df48ada4926
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 23 23:28:21 2014 -0500

    invoke new-kernel-pkg directly instead of using installkernel, which fixes some
    issues beta testers experienced with the new paid kernel service.
    
    suggested by a sponsor

 scripts/package/mkspec |   17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

commit 56c9ae9491243eca1455c8d5fd15a0cade6099be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 17:30:42 2014 -0500

    compile fix

 arch/x86/kernel/espfix_64.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e145fe4a0c6e6d977555818423c13f0384bdc76f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 17:27:00 2014 -0500

    compile fix

 arch/x86/kernel/espfix_64.c |    3 +--
 include/linux/linkage.h     |    1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 08122cf232f4d74b3d08973fc6a8bd4459d2d8f8
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Fri Dec 5 19:03:28 2014 -0800

    x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
    
    paravirt_enabled has the following effects:
    
     - Disables the F00F bug workaround warning.  There is no F00F bug
       workaround any more because Linux's standard IDT handling already
       works around the F00F bug, but the warning still exists.  This
       is only cosmetic, and, in any event, there is no such thing as
       KVM on a CPU with the F00F bug.
    
     - Disables 32-bit APM BIOS detection.  On a KVM paravirt system,
       there should be no APM BIOS anyway.
    
     - Disables tboot.  I think that the tboot code should check the
       CPUID hypervisor bit directly if it matters.
    
     - paravirt_enabled disables espfix32.  espfix32 should *not* be
       disabled under KVM paravirt.
    
    The last point is the purpose of this patch.  It fixes a leak of the
    high 16 bits of the kernel stack address on 32-bit KVM paravirt
    guests.  Fixes CVE-2014-8134.
    
    Cc: stable@vger.kernel.org
    Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kernel/kvm.c      |    9 ++++++++-
 arch/x86/kernel/kvmclock.c |    1 -
 2 files changed, 8 insertions(+), 2 deletions(-)

commit c1bd6f4031572a1c6c7241cf7e63fb0be3bb2503
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Dec 17 14:48:30 2014 -0800

    x86/tls: Don't validate lm in set_thread_area() after all
    
    It turns out that there's a lurking ABI issue.  GCC, when
    compiling this in a 32-bit program:
    
    struct user_desc desc = {
    	.entry_number    = idx,
    	.base_addr       = base,
    	.limit           = 0xfffff,
    	.seg_32bit       = 1,
    	.contents        = 0, /* Data, grow-up */
    	.read_exec_only  = 0,
    	.limit_in_pages  = 1,
    	.seg_not_present = 0,
    	.useable         = 0,
    };
    
    will leave .lm uninitialized.  This means that anything in the
    kernel that reads user_desc.lm for 32-bit tasks is unreliable.
    
    Revert the .lm check in set_thread_area().  The value never did
    anything in the first place.
    
    Fixes: 0e58af4e1d21 ("x86/tls: Disallow unusual TLS segments")
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # Only if 0e58af4e1d21 is backported
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/d7875b60e28c512f6a6fc0baf5714d58e7eaadbb.1418856405.git.luto@amacapital.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/include/asm/ldt.h |    7 +++++++
 arch/x86/kernel/tls.c      |    6 ------
 2 files changed, 7 insertions(+), 6 deletions(-)

commit 99b684c2de95f411e5f5605a2ed4221457910507
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Dec 4 16:48:17 2014 -0800

    x86/tls: Disallow unusual TLS segments
    
    Users have no business installing custom code segments into the
    GDT, and segments that are not present but are otherwise valid
    are a historical source of interesting attacks.
    
    For completeness, block attempts to set the L bit.  (Prior to
    this patch, the L bit would have been silently dropped.)
    
    This is an ABI break.  I've checked glibc, musl, and Wine, and
    none of them look like they'll have any trouble.
    
    Note to stable maintainers: this is a hardening patch that fixes
    no known bugs.  Given the possibility of ABI issues, this
    probably shouldn't be backported quickly.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: H. Peter Anvin <hpa@zytor.com>
    Cc: stable@vger.kernel.org # optional
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: security@kernel.org <security@kernel.org>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/tls.c |   22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)

commit 2f0fbd6f26487aedb0083b41f3f4934e07862f8b
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Dec 4 16:48:16 2014 -0800

    x86/tls: Validate TLS entries to protect espfix
    
    Installing a 16-bit RW data segment into the GDT defeats espfix.
    AFAICT this will not affect glibc, Wine, or dosemu at all.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: H. Peter Anvin <hpa@zytor.com>
    Cc: stable@vger.kernel.org
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: security@kernel.org <security@kernel.org>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/tls.c |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)
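
As an added illustration of the policy the three x86/tls commits above describe: this is example code written for this page, not the kernel's arch/x86/kernel/tls.c. The struct mirrors the user_desc fields named in the commit messages; tls_desc_okay(), tls_request_empty() and glibc_style_desc() are this example's own names.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Added example: a userspace model of the TLS descriptor checks the
 * x86/tls commits describe.  The fields follow struct user_desc as
 * quoted in the commit messages; the policy function restates the rules
 * from those messages and is not the kernel's code.
 */
struct tls_request {
    unsigned int entry_number;
    unsigned int base_addr;
    unsigned int limit;
    unsigned int seg_32bit:1;
    unsigned int contents:2;       /* 0/1 = data segment, 2/3 = code segment */
    unsigned int read_exec_only:1;
    unsigned int limit_in_pages:1;
    unsigned int seg_not_present:1;
    unsigned int useable:1;
    unsigned int lm:1;             /* never inspected: 32-bit callers leave it uninitialized */
};

/*
 * A request that is all zero apart from entry_number.  Treating it as
 * "clear this slot" is this example's choice; the commits above do not
 * address that case.
 */
static bool tls_request_empty(const struct tls_request *d)
{
    return d->base_addr == 0 && d->limit == 0 && d->seg_32bit == 0 &&
           d->contents == 0 && d->read_exec_only == 0 &&
           d->limit_in_pages == 0 && d->seg_not_present == 0 &&
           d->useable == 0;
}

/*
 * Policy, one rule per commit:
 *  - a 16-bit segment in the GDT defeats espfix, so seg_32bit must be set
 *    ("Validate TLS entries to protect espfix");
 *  - contents > 1 describes a code segment, and a not-present but
 *    otherwise valid segment is an attack surface; reject both
 *    ("Disallow unusual TLS segments");
 *  - .lm is not read at all ("Don't validate lm ... after all").
 */
bool tls_desc_okay(const struct tls_request *d)
{
    if (tls_request_empty(d))
        return true;
    if (!d->seg_32bit)
        return false;
    if (d->contents > 1)
        return false;
    if (d->seg_not_present)
        return false;
    return true;
}

/*
 * The descriptor a 32-bit libc typically installs: the initializer quoted
 * in the lm revert commit, with .lm left out exactly as there.
 */
struct tls_request glibc_style_desc(unsigned int idx, unsigned int base)
{
    struct tls_request d = {
        .entry_number    = idx,
        .base_addr       = base,
        .limit           = 0xfffff,
        .seg_32bit       = 1,
        .contents        = 0,
        .read_exec_only  = 0,
        .limit_in_pages  = 1,
        .seg_not_present = 0,
        .useable         = 0,
    };
    return d;
}
```

tls_desc_okay() accepts the libc-style descriptor whatever value .lm happens to carry, and rejects it once seg_32bit is cleared, contents names a code segment, or seg_not_present is set.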

commit 2e25e863b7f60a472ff9b1696adbae7ed910dc8a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 16:32:08 2014 -0500

    Fix a long-standing incompatibility between x64 UDEREF and CONFIG_PARAVIRT
    on PCID-capable systems.  Generally it resulted in userland crashes preventing
    boot of the system which were able to be worked around by booting with nopcid
    and receiving a weaker UDEREF implementation.  The source of the problem
    was paravirt-specific asm alternatives for flush_tlb_single rewriting the
    pv_mm_ops's native code with a single invlpg.
    
    As of this patch, no recommendations should be made to boot with nopcid, as
    it results in a weaker UDEREF implementation.

 arch/x86/kernel/paravirt_patch_64.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit ff52bcb704eaf2c42535ef6390240d7ad82c1061
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Sun Nov 2 11:54:52 2014 +0200

    KVM: x86: MOV to CR3 can set bit 63
    
    Although Intel SDM mentions bit 63 is reserved, MOV to CR3 can have bit 63 set.
    As Intel SDM states in section 4.10.4 "Invalidation of TLBs and
    Paging-Structure Caches": " MOV to CR3. ... If CR4.PCIDE = 1 and bit 63 of the
    instruction’s source operand is 0 ..."
    
    In other words, bit 63 is not reserved. The KVM emulator currently considers bit 63
    as reserved. Fix it.
    
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    
    Conflicts:
    
    	arch/x86/include/asm/kvm_host.h
    	arch/x86/kvm/emulate.c

 arch/x86/include/asm/kvm_host.h |    1 +
 arch/x86/kvm/emulate.c          |    2 +-
 arch/x86/kvm/x86.c              |    2 ++
 3 files changed, 4 insertions(+), 1 deletions(-)

commit 07cd66dcab9820195bb99e167c11b34ed61e4cba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 20 11:50:30 2014 -0500

    force off X86_16BIT if grsecurity is enabled -- nobody cares about
    running Windows 3.1 apps under wine, it's not worth the risk

 arch/x86/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 8dc9f1ed790cd8cc213aee401ef257b091528ec9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 17 18:30:48 2014 -0500

    make the statically allocated pud page read-only while we're at it

 arch/x86/kernel/espfix_64.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8d1d3b044d7f714045bd5788612867a2ccf9a715
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 17 18:28:16 2014 -0500

    Fix doublefault in espfix code when PAX_PER_CPU_PGD is enabled,
    reported by Andy Lutomirski

 arch/x86/kernel/espfix_64.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 7a8c1daa8e4494ee211b54c8ae3850a4b9f1e1d1
Author: Jan Kara <jack@suse.cz>
Date:   Mon Dec 15 14:22:46 2014 +0100

    isofs: Fix infinite looping over CE entries
    
    Rock Ridge extensions define so called Continuation Entries (CE) which
    define where there is further space with Rock Ridge data. A corrupted isofs
    image can contain an arbitrarily long chain of these, including one
    containing a loop and thus causing the kernel to end up in an infinite loop
    when traversing these entries.
    
    Limit the traversal to 32 entries which should be more than enough space
    to store all the Rock Ridge data.
    
    Reported-by: P J P <ppandit@redhat.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/isofs/rock.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)
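
The isofs and udf commits above share one lesson: a length read from the image is validated before it is used (udf component length, isofs ER records), output space is checked while data is produced rather than from the declared size alone (udf symlink path), and a chain of continuation entries is bounded (isofs CE). The toy walker below, written for this page and not taken from fs/isofs or fs/udf, applies all three to an invented record format: a tag byte, a length byte covering the whole record, then the payload, where a 'C' record names the block in which the records continue, in the spirit of a Rock Ridge CE entry. put_data(), put_ce(), walk_records() and the WALK_ERR_* codes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example (not filesystem code): a bounded, length-checked walker
 * over a constructed record format.  BLOCK_SIZE and the record layout
 * are invented for the example; MAX_CE_HOPS is the bound the isofs fix
 * chose.
 */
#define BLOCK_SIZE   32
#define MAX_CE_HOPS  32

enum { TAG_END = 0, TAG_DATA = 'D', TAG_CE = 'C' };

enum {
    WALK_ERR_RANGE = -1,          /* continuation points outside the image */
    WALK_ERR_TRUNC = -2,          /* a record's length runs past its block */
    WALK_ERR_LOOP  = -3,          /* too many continuations: corrupted or cyclic */
    WALK_ERR_SPACE = -4           /* decoded data would overflow the caller's buffer */
};

/* Append a data record to a block under construction (keeps room for TAG_END). */
int put_data(uint8_t *blk, size_t *off, const void *payload, uint8_t n)
{
    if (*off + 2u + n + 1u > BLOCK_SIZE)
        return -1;
    blk[*off] = TAG_DATA;
    blk[*off + 1] = (uint8_t)(2 + n);
    memcpy(blk + *off + 2, payload, n);
    *off += 2u + n;
    blk[*off] = TAG_END;
    return 0;
}

/* Append a continuation record pointing at block `target` (little-endian index). */
int put_ce(uint8_t *blk, size_t *off, uint32_t target)
{
    if (*off + 6u + 1u > BLOCK_SIZE)
        return -1;
    blk[*off] = TAG_CE;
    blk[*off + 1] = 6;
    for (int i = 0; i < 4; i++)
        blk[*off + 2 + i] = (uint8_t)(target >> (8 * i));
    *off += 6;
    blk[*off] = TAG_END;
    return 0;
}

/*
 * Walk the records starting in block `start` of an image of `nblocks`
 * blocks, following continuations and copying data payloads into
 * out[outlen].  Returns the number of bytes written or a WALK_ERR_* code.
 */
int walk_records(const uint8_t *image, size_t nblocks, size_t start,
                 uint8_t *out, size_t outlen)
{
    size_t blk = start, written = 0;
    int hops = 0;

    for (;;) {
        if (blk >= nblocks)
            return WALK_ERR_RANGE;
        const uint8_t *p = image + blk * BLOCK_SIZE;
        size_t off = 0, next = SIZE_MAX;

        while (off + 2 <= BLOCK_SIZE && p[off] != TAG_END) {
            uint8_t tag = p[off], len = p[off + 1];
            /* 1. the record must fit in its block before any of it is used */
            if (len < 2 || off + len > BLOCK_SIZE)
                return WALK_ERR_TRUNC;
            if (tag == TAG_DATA) {
                /* 2. check output space as data is produced, on the fly */
                if (written + (len - 2u) > outlen)
                    return WALK_ERR_SPACE;
                memcpy(out + written, p + off + 2, len - 2u);
                written += len - 2u;
            } else if (tag == TAG_CE) {
                if (len != 6)
                    return WALK_ERR_TRUNC;
                next = (size_t)p[off + 2] | (size_t)p[off + 3] << 8 |
                       (size_t)p[off + 4] << 16 | (size_t)p[off + 5] << 24;
            }
            off += len;               /* unknown tags are skipped by length */
        }
        if (next == SIZE_MAX)
            return (int)written;
        /* 3. bound the chain so a looping image cannot spin forever */
        if (++hops > MAX_CE_HOPS)
            return WALK_ERR_LOOP;
        blk = next;
    }
}
```

put_data() and put_ce() build a constructed image in memory; walk_records() follows it and returns the decoded length, or an error for a record that overruns its block, a continuation outside the image, more than MAX_CE_HOPS continuations, or output that would not fit.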

commit f0141de20a94881331289127085a3c37ee055eb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 16 17:18:16 2014 -0500

    Force support on for user extended attributes for filesystems that currently
    don't default to on to match up with other filesystems like ext4/xfs that do.
    
    We'll need this to make an upcoming addition to the paid kernel packages work
    without any additional configuration by the user.
    
    If there's a particular mountpoint you don't want to have user extended attributes
    enabled on for whatever reason, the "nouser_xattr" mount option will honor it.

 fs/ext2/super.c     |    8 +++-----
 fs/ext3/super.c     |    8 +++-----
 fs/reiserfs/super.c |    4 ++++
 3 files changed, 10 insertions(+), 10 deletions(-)

commit 72dae807fa5ee98838514b3e98893f016d312314
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:47:05 2014 -0500

    propagate count type

 drivers/gpu/drm/ttm/ttm_tt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5e14f99f5da1d757a48818411de3717e4f121aa4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:46:01 2014 -0500

    compile fix

 include/drm/ttm/ttm_page_alloc.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0cd9e3b10d0ae52c4893aa8accb1c9011fbcefd5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:20:27 2014 -0500

    Point the AMD IOMMU driver to the lowmem-mapped stack instead of allowing
    it to wrongly acquire the physical address of the vmap'd kernel stack
    under KSTACKOVERFLOW.
    
    Thanks to Victor <silentworks@gmail.com> for the report

 drivers/iommu/amd_iommu.c |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

commit 009d1343a7e0e21404c9aa39aae05f08e9ea56f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:02:25 2014 -0500

    backport ttm size_overflow fix

 drivers/gpu/drm/ttm/ttm_page_alloc.c |   16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

commit a0aa6c14e7e1f4f4f59498ea2c5c3745a1d857f4
Merge: 731b0ef a7bdd00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:45:04 2014 -0500

    Merge branch 'pax-stable' into grsec-stable

commit a7bdd005ae63b9365f583e7fc6d29372780f184a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:44:52 2014 -0500

    resync with PaX

 arch/x86/kernel/traps.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 731b0efae7f14c75bef16ba212a830dfb584e3d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:42:01 2014 -0500

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit dc57f3974edd8a4ada205091f42c48d5773d6386
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:56:31 2014 -0500

    compilation fix

 arch/x86/kernel/traps.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ece1a66d2ea871e810f35001c97fa9e47f3b3755
Merge: 2a8622f 778b494
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:20:50 2014 -0500

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	include/linux/string.h

commit 778b4949f1e05f5b569c4596eec6f23c2d3b491f
Merge: d8acbe5 6a367cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 16:20:18 2014 -0500

    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	arch/x86/kernel/entry_64.S
    	mm/mmap.c
    	net/mac80211/iface.c

commit 2a8622fcdbfb7b0cfb763402d9de6c2cdc1f8d85
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 4 20:42:21 2014 -0500

    Subject: [PATCH] xfrm6: Fix transport header offset in _decode_session6.
    
    skb->transport_header might not be valid when we do a reverse
    decode because the ipv6 tunnel error handlers don't update it
    to the inner transport header. This leads to a wrong offset
    calculation and to wrong layer 4 information. We fix this
    by using the size of the ipv6 header as the first offset.
    
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    
    Bug found with the size_overflow plugin

 net/ipv6/xfrm6_policy.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e9af2431bc80e5761a320f0fd0ff7390ebb067a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 2 07:26:25 2014 -0500

    change name

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c3fe56a44a2e747e512f49eed7c4a02c5e09f987
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 2 07:24:49 2014 -0500

    add Hyper-V to auto-configuration

 security/Kconfig |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit fc12e990aeafab216e27899a3d91b8a6b62d99ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 26 00:57:50 2014 -0500

    add the exclusion back

 scripts/package/mkspec |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 0096b982d885bcf5a24ab25aacf0712c816d4f4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 23:39:17 2014 -0500

    install symlinks in -devel package properly

 scripts/package/mkspec |   12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

commit c59c87659cd7d8cca18bc29646d043d5f980f235
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 22:13:24 2014 -0500

    Give the files in the tarball used by the source rpm root.root ownership

 scripts/package/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 26ef1245da16a6ac5831188d754ab220a0a2103e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 22:09:09 2014 -0500

    Revert "Give the files in the tarball used by the source rpm root.root ownership"
    
    This reverts commit a49bfe985435a279361feb9c1e53ad65736f4af6.

 scripts/package/Makefile |   47 ++++++++++++++++++++++++++-------------------
 1 files changed, 27 insertions(+), 20 deletions(-)

commit a49bfe985435a279361feb9c1e53ad65736f4af6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 21:52:00 2014 -0500

    Give the files in the tarball used by the source rpm root.root ownership
    
    Conflicts:
    
    	scripts/package/Makefile

 scripts/package/Makefile |   47 +++++++++++++++++++--------------------------
 1 files changed, 20 insertions(+), 27 deletions(-)

commit 0925f49db68edea999a3dffaba8a2d4622c7accb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 23 14:08:10 2014 -0500

    move our make rpm chmods to %pre

 scripts/package/mkspec |   22 ++++++++++++----------
 1 files changed, 12 insertions(+), 10 deletions(-)

commit 345f3be3c9beb7182fd9654917783f9a13566057
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 23 09:54:26 2014 -0500

    Harden network settings by default since most users won't bother
    modifying /etc/sysctl.conf.
    
    Specifically we're now setting rp_filter = 1 and accept_redirects = 0

 net/ipv4/devinet.c  |    6 ++++--
 net/ipv6/addrconf.c |    4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)

commit ea07aca49c23771bf88fea479b505997856e45b9
Author: Laura Abbott <lauraa@codeaurora.org>
Date:   Sat Dec 21 01:03:06 2013 +0100

    ARM: 7931/1: Correct virt_addr_valid
    
    The definition of virt_addr_valid is that virt_addr_valid should
    return true if and only if virt_to_page returns a valid pointer.
    The current definition of virt_addr_valid only checks against the
    virtual address range. There's no guarantee that just because a
    virtual address falls between PAGE_OFFSET and high_memory the
    associated physical memory has a valid backing struct page. Follow
    the example of other architectures and convert to pfn_valid to
    verify that the virtual address is actually valid. The check for
    an address between PAGE_OFFSET and high_memory is still necessary
    as vmalloc/highmem addresses are not valid with virt_to_page.
    
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Nicolas Pitre <nico@linaro.org>
    Acked-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/memory.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a8d06d0a75f9576c2cee14268e8150a54bb87975
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 19 17:25:18 2014 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>, Dmitry
            Kozlov <xeb@mail.ru>
    Subject: [PATCH net] pptp: fix stack info leak in pptp_getname()
    
    pptp_getname() only partially initializes the stack variable sa,
    particularly only fills the pptp part of the sa_addr union. The code
    thereby discloses 16 bytes of kernel stack memory via getsockname().
    
    Fix this by memset(0)'ing the union before.
    
    Cc: Dmitry Kozlov <xeb@mail.ru>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    ---
    Probably material for stable, too -- v2.6.37+.

 drivers/net/ppp/pptp.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
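
The same bug class appears in the IP_RECVERR errhdr commit earlier in this log and in the pptp_getname() commit above: a struct on the stack is only partly filled in and then copied out whole. The following is an added example for this page, not kernel code. It models the pptp layout with this example's own struct definitions (AF_PPPOX = 24 and PX_PROTO_PPTP = 2 are the values in the Linux headers; the *_like names are the example's), uses memset() of a marker byte to stand in for whatever a previous call left on the stack, and stands in copy_to_user() with memcpy().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example (not kernel code): a userspace model of partially
 * initialized stack structs reaching userspace.  Layout and constants are
 * this example's assumptions modelled on the pptp commit above.
 */
#define AF_PPPOX_LIKE      24
#define PX_PROTO_PPTP_LIKE 2
#define STALE              0xAA   /* constructed marker for "whatever was on the stack" */

struct pppoe_addr_like { uint16_t sid; uint8_t remote[6]; char dev[16]; } __attribute__((packed));
struct pptp_addr_like  { uint16_t call_id; uint32_t sin_addr; }           __attribute__((packed));

struct sockaddr_pppox_like {
    uint16_t sa_family;
    uint32_t sa_protocol;
    union {
        struct pppoe_addr_like pppoe;   /* 24 bytes: sizes the union */
        struct pptp_addr_like  pptp;    /* 6 bytes: leaves 18 untouched */
    } sa_addr;
} __attribute__((packed));

/* The check the IP_RECVERR commit describes doing by hand: no padding that could leak. */
_Static_assert(offsetof(struct sockaddr_pppox_like, sa_addr) == 6, "padding before union");
_Static_assert(sizeof(struct sockaddr_pppox_like) == 30, "unexpected layout");

/* Simulates the stale contents a previous call left in this stack slot. */
static void prefill_stale(void *p, size_t n) { memset(p, STALE, n); }

/* Stand-in for copy_to_user(): every byte of the struct reaches the caller. */
static void copy_to_caller(uint8_t *dst, const void *src, size_t n) { memcpy(dst, src, n); }

/* Before the fix: only the pptp member of the union is written. */
size_t getname_leaky(uint8_t *out, uint16_t call_id, uint32_t sin_addr)
{
    struct sockaddr_pppox_like sp;
    prefill_stale(&sp, sizeof sp);
    sp.sa_family = AF_PPPOX_LIKE;
    sp.sa_protocol = PX_PROTO_PPTP_LIKE;
    sp.sa_addr.pptp.call_id = call_id;
    sp.sa_addr.pptp.sin_addr = sin_addr;
    copy_to_caller(out, &sp, sizeof sp);
    return sizeof sp;
}

/* After the fix: memset(0) the whole struct before filling it in. */
size_t getname_fixed(uint8_t *out, uint16_t call_id, uint32_t sin_addr)
{
    struct sockaddr_pppox_like sp;
    prefill_stale(&sp, sizeof sp);
    memset(&sp, 0, sizeof sp);
    sp.sa_family = AF_PPPOX_LIKE;
    sp.sa_protocol = PX_PROTO_PPTP_LIKE;
    sp.sa_addr.pptp.call_id = call_id;
    sp.sa_addr.pptp.sin_addr = sin_addr;
    copy_to_caller(out, &sp, sizeof sp);
    return sizeof sp;
}

/* How many bytes the caller received that still carry the stale marker. */
size_t count_stale(const uint8_t *buf, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE)
            k++;
    return k;
}
```

getname_leaky() hands the caller 18 marker bytes out of 30, the part of the union the pptp member does not cover; getname_fixed() hands back none. The two _Static_assert lines are the padding check the errhdr commit mentions, made mechanical.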

commit 364afa01eb7e1e31eab44addf8f7563c3db2ae8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 19 08:37:05 2014 -0500

    increase amount of memory reserved for modules in server configs

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ff71f599298edb9e77adbb8785931ee9d48832f4
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Nov 10 18:00:09 2014 +0100

    net: sctp: fix memory leak in auth key management
    
    A very minimal and simple user space application allocating an SCTP
    socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing
    the socket again will leak the memory containing the authentication
    key from user space:
    
    unreferenced object 0xffff8800837047c0 (size 16):
      comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
      hex dump (first 16 bytes):
        01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
        [<ffffffff811c88d8>] __kmalloc+0xe8/0x270
        [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
        [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
        [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
        [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
        [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
        [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
        [<ffffffffffffffff>] 0xffffffffffffffff
    
    This is bad because of two things, we can bring down a machine from
    user space when auth_enable=1, but also we would leave security sensitive
    keying material in memory without clearing it after use. The issue is
    that sctp_auth_create_key() already sets the refcount to 1, but after
    allocation sctp_auth_set_key() does an additional refcount on it, and
    thus leaves it around when we free the socket.
    
    Fixes: 65b07e5d0d0 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/auth.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)
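
An added model of the refcount imbalance the commit above describes: example code for this page, not net/sctp/auth.c. key_create(), key_hold(), key_put(), set_key_buggy(), set_key_fixed() and the live_keys counter (a stand-in for what kmemleak reported) are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not kernel code).  key_create() hands back a key whose
 * refcount is already 1; the buggy set_key takes a second reference that
 * nothing ever drops, so closing the endpoint leaves the key, and the
 * keying material in it, allocated.
 */
struct auth_key {
    int     refcnt;
    size_t  len;
    uint8_t data[];          /* the secret material */
};

struct endpoint {
    struct auth_key *key;
};

static int live_keys;        /* leak detector stand-in: keys not yet freed */

/* Clear secret bytes in a way the compiler cannot drop as a dead store. */
static void wipe(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--)
        *v++ = 0;
}

struct auth_key *key_create(const uint8_t *material, size_t len)
{
    struct auth_key *k = malloc(sizeof *k + len);
    if (!k)
        return NULL;
    k->refcnt = 1;           /* the creator already holds one reference */
    k->len = len;
    memcpy(k->data, material, len);
    live_keys++;
    return k;
}

void key_hold(struct auth_key *k) { k->refcnt++; }

void key_put(struct auth_key *k)
{
    if (--k->refcnt == 0) {
        wipe(k->data, k->len);   /* this example's choice: never free key material unwiped */
        free(k);
        live_keys--;
    }
}

/* Before the fix: an extra hold on a key that already has refcnt 1. */
int set_key_buggy(struct endpoint *ep, const uint8_t *material, size_t len)
{
    struct auth_key *k = key_create(material, len);
    if (!k)
        return -1;
    key_hold(k);             /* unbalanced: nobody ever puts this reference */
    if (ep->key)
        key_put(ep->key);
    ep->key = k;
    return 0;
}

/* After the fix: the reference from key_create() is the endpoint's reference. */
int set_key_fixed(struct endpoint *ep, const uint8_t *material, size_t len)
{
    struct auth_key *k = key_create(material, len);
    if (!k)
        return -1;
    if (ep->key)
        key_put(ep->key);
    ep->key = k;
    return 0;
}

void endpoint_close(struct endpoint *ep)
{
    if (ep->key) {
        key_put(ep->key);
        ep->key = NULL;
    }
}

int keys_still_allocated(void) { return live_keys; }
```

With set_key_buggy() the key's refcount is 2 after creation and only drops to 1 on close, so keys_still_allocated() never returns to zero; set_key_fixed() relies on the reference key_create() already returned. Wiping the material on the last put is this example's addition, addressing the second concern the commit raises.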

commit 93687bc50e84e3466e54149ffe09df189097c2b4
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Wed Sep 17 02:50:50 2014 +0300

    KVM: x86: Don't report guest userspace emulation error to userspace
    
    Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to
    user-space") disabled the reporting of L2 (nested guest) emulation failures to
    userspace due to race-condition between a vmexit and the instruction emulator.
    The same rationale applies also to userspace applications that are permitted by
    the guest OS to access MMIO area or perform PIO.
    
    This patch extends the current behavior - of injecting a #UD instead of
    reporting it to userspace - also for guest userspace code.
    
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/x86.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 10271c71740c76a8d9f05529d66476818245d289
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Nov 10 17:54:26 2014 +0100

    net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet
    
    An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
    in the form of:
    
      ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
    
    While the INIT chunk parameter verification dissects through many things
    in order to detect malformed input, it fails to actually check parameters
    inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
    IP address' parameter in ASCONF, which has as a subparameter an address
    parameter.
    
    So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
    or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
    and thus sctp_get_af_specific() returns NULL, too, which we then happily
    dereference unconditionally through af->from_addr_param().
    
    The trace for the log:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
    IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
    PGD 0
    Oops: 0000 [#1] SMP
    [...]
    Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
    RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
    [...]
    Call Trace:
     <IRQ>
     [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
     [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
     [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
     [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
     [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
     [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
     [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
     [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
     [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
     [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
    [...]
    
    A minimal way to address this is to check for NULL as we do on all
    other such occasions where we know sctp_get_af_specific() could
    possibly return with NULL.
    
    Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/sm_make_chunk.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
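
Added example, not the kernel's code: a user-space C model of the check the commit above adds. param_type2af() and get_af_specific() stand in for the kernel functions of the same name (returning 0 and NULL for anything that is not an address parameter), and process_set_primary() parses a "set primary IP address" parameter together with its nested address parameter, rejecting an unknown inner type instead of passing a NULL ops pointer on to from_addr_param(). The layout (4-byte header, 4-byte correlation ID, nested address parameter) follows RFC 5061 section 4.2.4; the type codes are the RFC values but serve only as tags here, and the af_ops struct, the family constants and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Parameter type codes (RFC 4960 / RFC 5061 values, used only as tags here). */
#define SCTP_PARAM_IPV4_ADDRESS 0x0005
#define SCTP_PARAM_IPV6_ADDRESS 0x0006
#define SCTP_PARAM_SET_PRIMARY  0xC004

/* Address family numbers matching Linux AF_INET / AF_INET6. */
#define MODEL_AF_INET  2
#define MODEL_AF_INET6 10

/* Stand-in for the kernel's per-family ops table. */
struct af_ops {
    int    family;
    size_t addr_len;
};

static const struct af_ops af_inet  = { MODEL_AF_INET,  4 };
static const struct af_ops af_inet6 = { MODEL_AF_INET6, 16 };

/* Like param_type2af(): 0 for anything that is not an address parameter. */
static int param_type2af(uint16_t type)
{
    switch (type) {
    case SCTP_PARAM_IPV4_ADDRESS: return MODEL_AF_INET;
    case SCTP_PARAM_IPV6_ADDRESS: return MODEL_AF_INET6;
    default:                      return 0;
    }
}

/* Like sctp_get_af_specific(): NULL for an unknown family. */
static const struct af_ops *get_af_specific(int family)
{
    if (family == MODEL_AF_INET)  return &af_inet;
    if (family == MODEL_AF_INET6) return &af_inet6;
    return NULL;
}

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parses one SET_PRIMARY parameter: header, correlation ID, nested address
 * parameter.  Returns the address family on success, -1 if the input is
 * truncated, inconsistently sized, or nests a non-address parameter. */
int process_set_primary(const uint8_t *buf, size_t len)
{
    const uint8_t *inner;
    uint16_t outer_type, outer_len, inner_type, inner_len;
    const struct af_ops *af;

    if (len < 12)                        /* header + correlation ID + inner header */
        return -1;
    outer_type = be16(buf);
    outer_len  = be16(buf + 2);
    if (outer_type != SCTP_PARAM_SET_PRIMARY || outer_len < 12 || outer_len > len)
        return -1;

    inner      = buf + 8;                /* skip header and correlation ID */
    inner_type = be16(inner);
    inner_len  = be16(inner + 2);
    if (inner_len < 4 || inner_len > outer_len - 8)
        return -1;

    /* The check the fix adds: an unknown inner type yields NULL here and must
     * be rejected rather than dereferenced through af->from_addr_param(). */
    af = get_af_specific(param_type2af(inner_type));
    if (!af)
        return -1;
    if (inner_len != 4 + af->addr_len)
        return -1;
    return af->family;
}

/* Constructed sample: SET_PRIMARY wrapping an IPv4 address parameter. */
int check_wellformed(void)
{
    static const uint8_t pkt[] = {
        0xC0, 0x04, 0x00, 0x10,          /* type SET_PRIMARY, length 16 */
        0x00, 0x00, 0x00, 0x01,          /* correlation ID */
        0x00, 0x05, 0x00, 0x08,          /* nested IPv4 address param, length 8 */
        0x0A, 0x00, 0x00, 0x01,          /* 10.0.0.1 */
    };
    return process_set_primary(pkt, sizeof(pkt));
}

/* Constructed sample: the same wrapper, but the nested parameter is not an
 * address type, which is the case the commit describes. */
int check_nonaddress_inner(void)
{
    static const uint8_t pkt[] = {
        0xC0, 0x04, 0x00, 0x10,
        0x00, 0x00, 0x00, 0x01,
        0x00, 0x01, 0x00, 0x08,          /* nested type 1: not an address parameter */
        0x00, 0x00, 0x00, 0x00,
    };
    return process_set_primary(pkt, sizeof(pkt));
}

/* Constructed sample: outer length claims more bytes than are present. */
int check_truncated(void)
{
    static const uint8_t pkt[] = { 0xC0, 0x04, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x05 };
    return process_set_primary(pkt, sizeof(pkt));
}
```

The lesson generalizes beyond SCTP: every lookup that can fail on attacker-controlled input (a type-to-ops table, a family-to-handler map) must have its NULL result checked at the point of use, and nested TLVs need the same length and type validation as the outer ones.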

commit cf03f413cb7a521f972d043fd44dd3286e02faa5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 14 23:06:29 2014 -0500

    Backport:
    Author: Dan Carpenter <dan.carpenter@oracle.com>
    Date:   Fri Sep 5 09:09:28 2014 -0300
    
        [media] ttusb-dec: buffer overflow in ioctl
    
        We need to add a limit check here so we don't overflow the buffer.
    
        Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
        Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

 drivers/media/dvb/ttusb-dec/ttusbdecfe.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 0a3190868b001a2defe98eac355a39bbfe01d772
Author: Ilya Dryomov <idryomov@redhat.com>
Date:   Thu Oct 23 00:25:22 2014 +0400

    libceph: do not crash on large auth tickets
    
    Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth
    tickets will have their buffers vmalloc'ed, which leads to the
    following crash in crypto:
    
    [   28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0
    [   28.686032] IP: [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
    [   28.686032] PGD 0
    [   28.688088] Oops: 0000 [#1] PREEMPT SMP
    [   28.688088] Modules linked in:
    [   28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305
    [   28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [   28.688088] Workqueue: ceph-msgr con_work
    [   28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000
    [   28.688088] RIP: 0010:[<ffffffff81392b42>]  [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
    [   28.688088] RSP: 0018:ffff8800d903f688  EFLAGS: 00010286
    [   28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0
    [   28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750
    [   28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880
    [   28.688088] R10: 18df467c72d6257b R11: 0000000000000000 R12: 0000000000000010
    [   28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000
    [   28.688088] FS:  00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
    [   28.688088] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [   28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0
    [   28.688088] Stack:
    [   28.688088]  ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32
    [   28.688088]  ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020
    [   28.688088]  ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010
    [   28.688088] Call Trace:
    [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
    [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
    [   28.688088]  [<ffffffff81395d32>] blkcipher_walk_done+0x182/0x220
    [   28.688088]  [<ffffffff813990bf>] crypto_cbc_encrypt+0x15f/0x180
    [   28.688088]  [<ffffffff81399780>] ? crypto_aes_set_key+0x30/0x30
    [   28.688088]  [<ffffffff8156c40c>] ceph_aes_encrypt2+0x29c/0x2e0
    [   28.688088]  [<ffffffff8156d2a3>] ceph_encrypt2+0x93/0xb0
    [   28.688088]  [<ffffffff8156d7da>] ceph_x_encrypt+0x4a/0x60
    [   28.688088]  [<ffffffff8155b39d>] ? ceph_buffer_new+0x5d/0xf0
    [   28.688088]  [<ffffffff8156e837>] ceph_x_build_authorizer.isra.6+0x297/0x360
    [   28.688088]  [<ffffffff8112089b>] ? kmem_cache_alloc_trace+0x11b/0x1c0
    [   28.688088]  [<ffffffff8156b496>] ? ceph_auth_create_authorizer+0x36/0x80
    [   28.688088]  [<ffffffff8156ed83>] ceph_x_create_authorizer+0x63/0xd0
    [   28.688088]  [<ffffffff8156b4b4>] ceph_auth_create_authorizer+0x54/0x80
    [   28.688088]  [<ffffffff8155f7c0>] get_authorizer+0x80/0xd0
    [   28.688088]  [<ffffffff81555a8b>] prepare_write_connect+0x18b/0x2b0
    [   28.688088]  [<ffffffff81559289>] try_read+0x1e59/0x1f10
    
    This is because we set up crypto scatterlists as if all buffers were
    kmalloc'ed.  Fix it.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
    Reviewed-by: Sage Weil <sage@redhat.com>

 net/ceph/crypto.c |  169 +++++++++++++++++++++++++++++++++++++++++------------
 1 files changed, 132 insertions(+), 37 deletions(-)

commit aafa4475f259b57627560b2bc4ab940d1cee8175
Author: Stefan Richter <stefanr@s5r6.in-berlin.de>
Date:   Tue Nov 11 17:16:44 2014 +0100

    firewire: cdev: prevent kernel stack leaking into ioctl arguments
    
    Found by the UC-KLEE tool:  A user could supply less input to
    firewire-cdev ioctls than write- or write/read-type ioctl handlers
    expect.  The handlers used data from uninitialized kernel stack then.
    
    This could partially leak back to the user if the kernel subsequently
    generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
    which notably would contain the _u64 closure field which many of the
    ioctl argument structures contain.
    
    The fact that the handlers would act on random garbage input is a
    lesser issue since all handlers must check their input anyway.
    
    The fix simply always null-initializes the entire ioctl argument buffer
    regardless of the actual length of expected user input.  That is, a
    runtime overhead of memset(..., 40) is added to each firewire-cdev
    ioctl() call.  [Comment from Clemens Ladisch:  This part of the stack is
    most likely to be already in the cache.]
    
    Remarks:
      - There was never any leak from kernel stack to the ioctl output
        buffer itself.  IOW, it was not possible to read kernel stack by a
        read-type or write/read-type ioctl alone; the leak could at most
        happen in combination with read()ing subsequent event data.
      - The actual expected minimum user input of each ioctl from
        include/uapi/linux/firewire-cdev.h is, in bytes:
        [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
        [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
        [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
        [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
        [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.
    
    Reported-by: David Ramos <daramos@stanford.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

 drivers/firewire/core-cdev.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)
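
Added example, not the kernel's code: a user-space C model of why the fix above zeroes the entire 40-byte argument buffer rather than only the bytes the user supplied. stale_bytes_seen() plays the ioctl entry path: it fills the buffer with a constructed stand-in for leftover stack contents, optionally applies the fix, copies only user_len bytes from the caller, and then counts how many bytes beyond the user's input the handler would still see as non-zero. The struct layout with the u64 closure first, the 0xAA pattern and the 4-byte sample input are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IOCTL_ARG_SIZE 40   /* the 40-byte argument buffer named in the commit */

/* Hypothetical write-type argument: the u64 closure the commit mentions is
 * the field a later event would echo back to the caller. */
struct cdev_arg {
    uint64_t closure;
    uint32_t handle;
    uint8_t  rest[IOCTL_ARG_SIZE - 12];
};

union arg_buffer {
    struct cdev_arg arg;
    uint8_t         raw[IOCTL_ARG_SIZE];
};

/* Returns how many bytes of the argument buffer the handler sees that were
 * neither supplied by the user nor zeroed, i.e. stale stack contents it
 * would act on and could leak through subsequent events. */
size_t stale_bytes_seen(const uint8_t *user_buf, size_t user_len, bool zero_init)
{
    union arg_buffer buffer;
    size_t stale = 0;
    size_t i;

    /* Constructed stand-in for whatever an earlier frame left on the stack. */
    memset(buffer.raw, 0xAA, sizeof(buffer.raw));

    if (zero_init)
        memset(buffer.raw, 0, sizeof(buffer.raw));    /* the fix: memset(..., 40) */

    if (user_len > sizeof(buffer.raw))
        user_len = sizeof(buffer.raw);               /* never copy past the union */
    memcpy(buffer.raw, user_buf, user_len);           /* copy_from_user() of user_len bytes */

    for (i = user_len; i < sizeof(buffer.raw); i++)
        if (buffer.raw[i] != 0)
            stale++;
    return stale;
}

/* Scenario from the commit: the caller passes only 4 bytes to a handler
 * whose argument structure is 40 bytes wide. */
size_t short_input_demo(bool zero_init)
{
    static const uint8_t short_input[4] = { 1, 0, 0, 0 };   /* constructed */
    return stale_bytes_seen(short_input, sizeof(short_input), zero_init);
}
```

Without the fix, 36 of the 40 bytes (including most of the closure field) come from the old stack; with it, none do. Zeroing unconditionally is cheaper and easier to audit than computing the expected size per ioctl and trusting every handler to reject short input.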

commit e2af9fe7a51667cabae68a142529a2db2fd4ccdc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 12 18:06:32 2014 -0500

    fix a case of DMA-on-stack reported here:
    https://bugs.archlinux.org/task/42756
    
    Conflicts:
    
    	drivers/staging/line6/driver.c

 drivers/staging/line6/driver.c |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

commit df8edaa95c47032e8fe57fe7222b829d76c02e63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 17:51:13 2014 -0500

    update mkspec to also chmod /boot, etc since we have no control over generated initrd images

 scripts/package/mkspec |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit a212bffcabd3bfc120a967d10703f9510ae461c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 08:51:17 2014 -0500

    set directory mode to 500

 scripts/package/mkspec |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 5d086b901dee6040ed285aab22ccefc5c8f75d3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 07:56:51 2014 -0500

    force make rpm to install sensitive files with 0400

 scripts/package/mkspec |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 11f4f37191435da7708d941b0299a94ad10678b5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 8 21:54:19 2014 -0500

    backport mkspec

 scripts/package/mkspec |   48 +++++++++++++++++++++++++++++++++++++++++-------
 1 files changed, 41 insertions(+), 7 deletions(-)

commit 4eef462cd7f38a5e1a1efa098c8f17c4d4474652
Author: Mike Marciniszyn <mike.marciniszyn@intel.com>
Date:   Mon Jun 24 08:48:37 2013 -0400

    kbuild: fix error when building from src rpm
    
    The following issue can be reproduced with Linus' tree on
    an x86_64 server.
    
    >+ cp /home/user/rpmbuild-test/BUILDROOT/kernel-3.9.2.x86_64/boot/vmlinuz-3.9.2
    >cp: missing destination file operand after
    >/home/user/rpmbuild-test/BUILDROOT/kernel-3.9.2-1.x86_64/boot/vmlinuz-3.9.2'
    >Try `cp --help' for more information.
    >error: Bad exit status from /var/tmp/rpm-tmp.R4o0iI (%install)
    
    Here are the commands to reproduce:
    
    make defconfig
    make rpm-pkg
    
    Use the resulting src rpm to build as follows:
    
    mkdir ~/rpmbuild-test
    cd ~/rpmbuild-test
    rpmbuild --rebuild --define "_topdir `pwd`" -vv ~/rpmbuild/SRPMS/kernel-3.10.0_rc1+-1.src.rpm
    
    The issue is because the %install script uses $KBUILD_IMAGE and it hasn't
    been set since it is only available in the kbuild system and not in the
    %install script.
    
    This patch adds a Makefile target to emit the image_name that can be used
    and modifies the mkspec to use the dynamic name in %install.
    
    Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
    Signed-off-by: Michal Marek <mmarek@suse.cz>
    
    Conflicts:
    
    	Makefile

 Makefile               |   15 ++++++++++++++-
 scripts/package/mkspec |    1 +
 2 files changed, 15 insertions(+), 1 deletions(-)

commit 76503f668448645f0026a0aaabee4d2517c41d55
Author: Robert Richter <robert.richter@calxeda.com>
Date:   Thu May 2 14:50:37 2013 +0200

    Makefile: Fix install error with make -j option
    
    Make modules_install fails with -j option:
    
       DEPMOD
     Usage: .../.source/linux/scripts/depmod.sh /sbin/depmod <kernelrelease>
     make[1]: *** [_modinst_post] Error 1
    
    Adding kernelrelease dependency to fix this.
    
    Signed-off-by: Robert Richter <robert.richter@calxeda.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Michal Marek <mmarek@suse.cz>

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1fcf40a8dc8791d0609c26ea638172acbdc977c8
Author: 张忠山 <zzs0213@gmail.com>
Date:   Sun Jun 30 17:09:28 2013 +0800

    kbuild: create directory for dir/file.o
    
    When adding an obj with a dir to obj-y, like this
    
        obj-y += dir/file.o
    
    the $(obj)/dir is not created; this patch fixes this.
    
    When I tried to add a file (which is in a subdir) to my board's obj-y, the build
    process crashed.
    
    For example, I use at91rm9200ek board, and in kernel dir run:
    
      mkdir objtree
      make O=objtree at91rm9200_defconfig
      mkdir arch/arm/mach-at91/dir
      touch arch/arm/mach-at91/dir/file.c
    
    and edit arch/arm/mach-at91/dir/file.c to add some code.
    Then edit arch/arm/mach-at91/Makefile, changing the following line:
    
      obj-$(CONFIG_MACH_AT91RM9200EK) += board-rm9200ek.o
    
    to:
    
      obj-$(CONFIG_MACH_AT91RM9200EK) += board-rm9200ek.o dir/file.o
    
    Now build it:
    
      make O=objtree
    
    Then the error appears:
      ...
      CC      arch/arm/mach-at91/board-rm9200dk.o
      CC      arch/arm/mach-at91/board-rm9200ek.o
      CC      arch/arm/mach-at91/dir/file.o
      linux-2.6/arch/arm/mach-at91/dir/file.c:5:
        fatal error: opening dependency file
        arch/arm/mach-at91/dir/.file.o.d: No such file or directory
    
    Check the objtree:
      LANG=en ls objtree/arch/arm/mach-at91/dir
      ls: cannot access objtree/arch/arm/mach-at91/dir: No such file or directory
    
    It is apparent that the target dir was not created for file.o.
    
    Checking the kbuild source code, it seems that kbuild creates dirs for that in
    $(obj-dirs).  But if the dir does not need to create a built-in.o, it is
    never in $(obj-dirs).
    
    So I made this patch to make sure it is in $(obj-dirs).
    
    This bug was caused by commit
       f5fb976520a53f45f8bbf2e851f16b3b5558d485
    
    Signed-off-by: 张忠山 <zzs0213@gmail.com>
    Signed-off-by: Michal Marek <mmarek@suse.cz>

 scripts/Makefile.lib |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 45244eed041187d7d0646fc706b5b6aa42cfb0f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 6 19:32:02 2014 -0500

    add additional unnecessary checks

 kernel/trace/trace_syscalls.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 4a99fd4808d62e255d9ca9eee53b22548409b184
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 6 19:26:53 2014 -0500

    add additional unnecessary checks

 kernel/trace/trace_syscalls.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 8a0f199e3ee0e27d0ec77b508f8fedbfd4b416c3
Author: Rabin Vincent <rabin@rab.in>
Date:   Wed Oct 29 23:06:58 2014 +0100

    tracing/syscalls: Ignore numbers outside NR_syscalls' range
    
    ARM has some private syscalls (for example, set_tls(2)) which lie
    outside the range of NR_syscalls.  If any of these are called while
    syscall tracing is being performed, out-of-bounds array access will
    occur in the ftrace and perf sys_{enter,exit} handlers.
    
     # trace-cmd record -e raw_syscalls:* true && trace-cmd report
     ...
     true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
     true-653   [000]   384.675812: sys_exit:             NR 192 = 1995915264
     true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
     true-653   [000]   384.675988: sys_exit:             NR 983045 = 0
     ...
    
     # trace-cmd record -e syscalls:* true
     [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace
     [   17.289590] pgd = 9e71c000
     [   17.289696] [aaaaaace] *pgd=00000000
     [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
     [   17.290169] Modules linked in:
     [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
     [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
     [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
     [   17.290866] LR is at syscall_trace_enter+0x124/0x184
    
    Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
    
    Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
    added the check for less than zero, but it should have also checked
    for greater than NR_syscalls.
    
    Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
    
    Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
    Cc: stable@vger.kernel.org # 2.6.33+
    Signed-off-by: Rabin Vincent <rabin@rab.in>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    
    Conflicts:
    
    	kernel/trace/trace_syscalls.c

 kernel/trace/trace_syscalls.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 2266e7f10843e5604f5bad64cf5ffcf3bc682ec1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 5 18:58:28 2014 -0500

    remove duplicate definition of alarm_expires_remaining()

 kernel/time/alarmtimer.c |    6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit 84ce6cc8416f8efdd4e89f2e315f4856b4074573
Merge: 2ce01ec d8acbe5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 5 17:58:45 2014 -0500

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	net/ceph/mon_client.c

commit d8acbe5f02ec899be4eb1dd4e2cc28b2c9db7694
Merge: 0ae27fae 7d039b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 5 17:57:14 2014 -0500

    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	arch/x86/kvm/vmx.c

commit 2ce01ec7e2fa13e6127ead8d3ff2b9f25328a3eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 2 07:48:21 2014 -0500

    Apply https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=12;filename=ipv6-reuse-ip6_frag_id-from-ip6_ufo_append_data.patch;att=1;bug=766195

 net/ipv6/udp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6d89098a102aa6e390bd81afc0251481153a0000
Merge: d1aabff 0ae27fae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 20:01:33 2014 -0400

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit 0ae27fae60a294e66c123c86514a703755ba0a7f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 20:00:03 2014 -0400

    Update to pax-linux-3.2.63-test161.patch:
    - added pax_sanitize_slab=full mode, by Mathias Krause <minipli@googlemail.com>
    - fixed pax_sanitize_slab breakage on SLAB_DESTROY_BY_RCU slabs, by Mathias Krause <minipli@googlemail.com>
      - this should fix several reports:
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4020
        - https://forums.grsecurity.net/viewtopic.php?f=3&t=4037
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4071
    - updated size overflow hash table

 Documentation/kernel-parameters.txt                |    9 ++++-
 include/linux/slab.h                               |    7 +++-
 mm/mm_init.c                                       |   24 ++++++++++---
 mm/slab.c                                          |   22 +++++++----
 mm/slob.c                                          |   37 ++++++++++++--------
 mm/slub.c                                          |   13 ++++++-
 security/Kconfig                                   |    8 +++-
 .../size_overflow_plugin/size_overflow_hash.data   |    6 +++-
 8 files changed, 91 insertions(+), 35 deletions(-)

commit d1aabffb4f6d13f860ddf15a44d69f0a2cb6f6f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 25 09:04:00 2014 -0400

    remove memweight prototype added in recent backport, thanks to minipli

 include/linux/string.h |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit aa0ebeb5f62bea5736cbc2ad48383398ad2edbe8
Author: Cesar Eduardo Barros <cesarb@cesarb.eti.br>
Date:   Mon Nov 25 22:00:41 2013 -0200

    Backport OPTIMIZER_HIDE_VAR from cesarb@cesarb.eti.br
    
    Conflicts:
    
    	crypto/memneq.c
    	include/linux/compiler.h

 include/linux/compiler-gcc.h   |    3 +++
 include/linux/compiler-intel.h |    7 +++++++
 include/linux/compiler.h       |    4 ++++
 3 files changed, 14 insertions(+), 0 deletions(-)

commit 33ae23dc594e91d4a7456e5c4921b49391d93f97
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 22:14:37 2014 -0400

    compile fix

 net/ipv4/ipmr.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 52630e6e12591ebb415b3921b285eeabcae752f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:53:05 2014 -0400

    compile fix

 fs/xfs/xfs_iget.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 95b3935d5b5e01119d49aba3c2043907d505ac20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:39:40 2014 -0400

    add missing rcu_read_unlock() to upstream code

 fs/xfs/xfs_iget.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2263a7d02fa8569eb4ec15d8f5440be3157e4dc1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:38:14 2014 -0400

    add missing rcu_read_unlock() to upstream code

 net/ipv4/ipmr.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 4dbd1dfaac8b2935eb0232076dbcdee22bc2c2b0
Author: Hugh Dickins <hughd@google.com>
Date:   Mon Mar 3 15:38:23 2014 -0800

    lib/radix-tree.c: swapoff tmpfs radix_tree: remember to rcu_read_unlock
    
    Running fsx on tmpfs with concurrent memhog-swapoff-swapon, lots of
    
      BUG: sleeping function called from invalid context at kernel/fork.c:606
      in_atomic(): 0, irqs_disabled(): 0, pid: 1394, name: swapoff
      1 lock held by swapoff/1394:
       #0:  (rcu_read_lock){.+.+.+}, at: [<ffffffff812520a1>] radix_tree_locate_item+0x1f/0x2b6
    
    followed by
    
      ================================================
      [ BUG: lock held when returning to user space! ]
      3.14.0-rc1 #3 Not tainted
      ------------------------------------------------
      swapoff/1394 is leaving the kernel with locks still held!
      1 lock held by swapoff/1394:
       #0:  (rcu_read_lock){.+.+.+}, at: [<ffffffff812520a1>] radix_tree_locate_item+0x1f/0x2b6
    
    after which the system recovered nicely.
    
    Whoops, I long ago forgot the rcu_read_unlock() on one unlikely branch.
    
    Fixes e504f3fdd63d ("tmpfs radix_tree: locate_item to speed up swapoff")
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/radix-tree.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit e98b77860805307f14a4a2dd28d0c2be1a6a1fa8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:04:47 2014 -0400

    add missing rcu_read_unlock() to upstream code

 block/blk-throttle.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9b86430ca1bb41a884684c6973dd855d5cb9a9ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:02:44 2014 -0400

    add missing rcu_read_unlock() to upstream code

 drivers/acpi/atomicio.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e5f58ab0435a2de85281a5f0381ae8fc42f4cb53
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 24 21:02:07 2014 -0400

    add missing rcu_read_unlock() to upstream code

 drivers/acpi/atomicio.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit fc16ca66e9b6650d822767836eb118169400987c
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date:   Fri Oct 17 22:55:59 2014 +0200

    kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
    
    The third parameter of kvm_unpin_pages() when called from
    kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
    and not the page size.
    
    This error was facilitated with an inconsistent API: kvm_pin_pages() takes
    a size, but kvm_unpin_pages() takes a number of pages, so fix the problem
    by matching the two.
    
    This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
    of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
    un-pinning for pages intended to be un-pinned (i.e. memory leak) but
    unfortunately potentially aggravated the number of pages we un-pin that
    should have stayed pinned. As far as I understand though, the same
    practical mitigations apply.
    
    This issue was found during review of Red Hat 6.6 patches to prepare
    Ksplice rebootless updates.
    
    Thanks to Vegard for his time on a late Friday evening to help me in
    understanding this code.
    
    Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
    Cc: stable@vger.kernel.org
    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
    Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    
    Conflicts:
    
    	virt/kvm/iommu.c

 virt/kvm/iommu.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 27cf85cd00dbaf29559b9a497fefbd49e888b031
Author: David S. Miller <davem@davemloft.net>
Date:   Thu Oct 23 12:58:13 2014 -0700

    sparc64: Fix register corruption in top-most kernel stack frame during boot.
    
    Meelis Roos reported that kernels built with gcc-4.9 do not boot, we
    eventually narrowed this down to only impacting machines using
    UltraSPARC-III and derivative cpus.
    
    The crash happens right when the first user process is spawned:
    
    [   54.451346] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
    [   54.451346]
    [   54.571516] CPU: 1 PID: 1 Comm: init Not tainted 3.16.0-rc2-00211-gd7933ab #96
    [   54.666431] Call Trace:
    [   54.698453]  [0000000000762f8c] panic+0xb0/0x224
    [   54.759071]  [000000000045cf68] do_exit+0x948/0x960
    [   54.823123]  [000000000042cbc0] fault_in_user_windows+0xe0/0x100
    [   54.902036]  [0000000000404ad0] __handle_user_windows+0x0/0x10
    [   54.978662] Press Stop-A (L1-A) to return to the boot prom
    [   55.050713] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
    
    Further investigation showed that compiling only per_cpu_patch() with
    an older compiler fixes the boot.
    
    Detailed analysis showed that the function is not being miscompiled by
    gcc-4.9, but it is using a different register allocation ordering.
    
    With the gcc-4.9 compiled function, something during the code patching
    causes some of the %i* input registers to get corrupted.  Perhaps
    we have a TLB miss path into the firmware that is deep enough to
    cause a register window spill and subsequent restore when we get
    back from the TLB miss trap.
    
    Let's plug this up by doing two things:
    
    1) Stop using the firmware stack for client interface calls into
       the firmware.  Just use the kernel's stack.
    
    2) As soon as we can, call into a new function "start_early_boot()"
       to put a one-register-window buffer between the firmware's
       deepest stack frame and the top-most initial kernel one.
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Tested-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	arch/sparc/include/asm/oplib_64.h
    	arch/sparc/include/asm/setup.h
    	arch/sparc/kernel/entry.h
    
    Conflicts:
    
    	arch/sparc/include/asm/setup.h
    	arch/sparc/kernel/entry.h
    	arch/sparc/kernel/setup_64.c

 arch/sparc/include/asm/oplib_64.h |    3 +-
 arch/sparc/include/asm/setup.h    |    4 +++
 arch/sparc/kernel/entry.h         |   11 +++------
 arch/sparc/kernel/head_64.S       |   40 +++---------------------------------
 arch/sparc/kernel/hvtramp.S       |    1 -
 arch/sparc/kernel/setup_64.c      |   28 ++++++++++++++++++-------
 arch/sparc/kernel/trampoline_64.S |   12 ++++++----
 arch/sparc/prom/cif.S             |    5 +--
 arch/sparc/prom/init_64.c         |    6 ++--
 arch/sparc/prom/p1275.c           |    2 -
 10 files changed, 46 insertions(+), 66 deletions(-)

commit ae29f67b96cc0744b9860cf92f14f75c651d123b
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Oct 24 09:59:02 2014 -0700

    sparc64: Implement __get_user_pages_fast().
    
    It is not sufficient to only implement get_user_pages_fast(), you
    must also implement the atomic version __get_user_pages_fast()
    otherwise you end up using the weak symbol fallback implementation
    which simply returns zero.
    
    This is dangerous, because it causes the futex code to loop forever
    if transparent hugepages are supported (see get_futex_key()).
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/gup.c |   30 ++++++++++++++++++++++++++++++
 1 files changed, 30 insertions(+), 0 deletions(-)

commit 15bd5778f6b3afd30e34de674ec90f0137e9fefb
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 18:59:09 2014 -0600

    clocksource: Remove "weak" from clocksource_default_clock() declaration
    
    kernel/time/jiffies.c provides a default clocksource_default_clock()
    definition explicitly marked "weak".  arch/s390 provides its own definition
    intended to override the default, but the "weak" attribute on the
    declaration applied to the s390 definition as well, so the linker chose one
    based on link order (see 10629d711ed7 ("PCI: Remove __weak annotation from
    pcibios_get_phb_of_node decl")).
    
    Remove the "weak" attribute from the clocksource_default_clock()
    declaration so we always prefer a non-weak definition over the weak one,
    independent of link order.
    
    Fixes: f1b82746c1e9 ("clocksource: Cleanup clocksource selection")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: John Stultz <john.stultz@linaro.org>
    Acked-by: Ingo Molnar <mingo@kernel.org>
    CC: Daniel Lezcano <daniel.lezcano@linaro.org>
    CC: Martin Schwidefsky <schwidefsky@de.ibm.com>

 include/linux/clocksource.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 424b26633455d26d7239285884ea38185f7c0bea
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 19:00:25 2014 -0600

    kgdb: Remove "weak" from kgdb_arch_pc() declaration
    
    kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition
    explicitly marked "weak".  Several architectures provide their own
    definitions intended to override the default, but the "weak" attribute on
    the declaration applied to the arch definitions as well, so the linker
    chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak
    annotation from pcibios_get_phb_of_node decl")).
    
    Remove the "weak" attribute from the declaration so we always prefer a
    non-weak definition over the weak one, independent of link order.
    
    Fixes: 688b744d8bc8 ("kgdb: fix signedness mixmatches, add statics, add declaration to header")
    Tested-by: Vineet Gupta <vgupta@synopsys.com>	# for ARC build
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Harvey Harrison <harvey.harrison@gmail.com>

 include/linux/kgdb.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cd6d89dd9f50d38c331519ae5b5727f744679480
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Aug 26 23:16:35 2014 -0400

    random: add and use memzero_explicit() for clearing data
    
    zatimend has reported that in his environment (3.16/gcc4.8.3/corei7)
    memset() calls which clear out sensitive data in extract_{buf,entropy,
    entropy_user}() in random driver are being optimized away by gcc.
    
    Add a helper memzero_explicit() (similarly as explicit_bzero() variants)
    that can be used in such cases where a variable with sensitive data is
    being cleared out in the end. Other use cases might also be in crypto
    code. [ I have put this into lib/string.c though, as it's always built-in
    and doesn't need any dependencies then. ]
    
    Fixes kernel bugzilla: 82041
    
    Reported-by: zatimend@hotmail.co.uk
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org
    
    Conflicts:
    
    	drivers/char/random.c
    	include/linux/string.h

 drivers/char/random.c  |   10 +++++-----
 include/linux/string.h |    6 +++++-
 lib/string.c           |   16 ++++++++++++++++
 3 files changed, 26 insertions(+), 6 deletions(-)

commit 1eca6943de770d5ac058934e455cec897306ea41
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Wed Oct 22 17:09:53 2014 +0800

    xfrm6: fix a potential use after free in xfrm6_policy.c
    
    pskb_may_pull() may change skb->data and make the nh and exthdr pointers
    obsolete, so recompute nh and exthdr
    
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/xfrm6_policy.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 956456e7076fcfd07485e0f2684d0e5a190a3c73
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 20:20:21 2014 -0400

    compile fix

 net/ipv4/inet_hashtables.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 120ea2af6c8332faf60d13774ec9c3794d70e425
Author: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Date:   Thu Jun 28 02:57:49 2012 +0000

    netfilter: nfnetlink: fix missing rcu_read_unlock in nfnetlink_rcv_msg
    
    Bug added in commit 6b75e3e8d664a9a (netfilter: nfnetlink: add RCU in
    nfnetlink_rcv_msg())
    
    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nfnetlink.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 056a85cc432d465ef8a51bb69a6b01366466e717
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 18:36:16 2014 -0400

    Remove argument from gr_update_task_in_ip_table, as it's always called with 'current'

 grsecurity/grsec_sock.c    |    4 ++--
 net/ipv4/inet_hashtables.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit b27761767932b4052399e4722dc3fb412e2eed24
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 18:19:01 2014 -0400

    hold sighand lock while accessing ->signal

 fs/proc/array.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 822662d8112a3078613bef60e41c2e0266526c65
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 20 17:34:00 2014 -0400

    Revert "x86,kvm,vmx: Preserve CR4 across VM entry"
    
    This reverts commit ae21ca789a180a1146d84440d0293f9f8dce5875.

 arch/x86/kvm/vmx.c |   16 ++--------------
 1 files changed, 2 insertions(+), 14 deletions(-)

commit 47b962c93d130853fdadd9b27a14b26068c599e6
Author: David S. Miller <davem@davemloft.net>
Date:   Sat Oct 18 23:12:33 2014 -0400

    sparc64: Do not define thread fpregs save area as zero-length array.
    
    This breaks the stack end corruption detection facility.
    
    What that facility does is write a magic value to "end_of_stack()"
    and check to see if it gets overwritten.
    
    "end_of_stack()" is "task_thread_info(p) + 1", which for sparc64 is
    the beginning of the FPU register save area.
    
    So once the user uses the FPU, the magic value is overwritten and the
    debug checks trigger.
    
    Fix this by making the size explicit.
    
    Due to the size we use for the fpsaved[], gsr[], and xfsr[] arrays we
    are limited to 7 levels of FPU state saves.  So each FPU register set
    is 256 bytes, allocate 256 * 7 for the fpregs area.
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	arch/sparc/include/asm/thread_info_64.h

 arch/sparc/include/asm/thread_info_64.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit ae21ca789a180a1146d84440d0293f9f8dce5875
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Oct 8 09:02:13 2014 -0700

    x86,kvm,vmx: Preserve CR4 across VM entry
    
    CR4 isn't constant; at least the TSD and PCE bits can vary.
    
    TBH, treating CR0 and CR3 as constant scares me a bit, too, but it looks
    like it's correct.
    
    This adds a branch and a read from cr4 to each vm entry.  Because it is
    extremely likely that consecutive entries into the same vcpu will have
    the same host cr4 value, this fixes up the vmcs instead of restoring cr4
    after the fact.  A subsequent patch will add a kernel-wide cr4 shadow,
    reducing the overhead in the common case to just two memory reads and a
    branch.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Paolo Bonzini <pbonzini@redhat.com>
    Cc: stable@vger.kernel.org
    Cc: Petr Matousek <pmatouse@redhat.com>
    Cc: Gleb Natapov <gleb@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	arch/x86/kvm/vmx.c

 arch/x86/kvm/vmx.c |   16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)

commit b025a1925f7ea22127022fba62cf4f7abb9abc91
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Fri Oct 17 17:38:49 2014 +0100

    futex: Ensure get_futex_key_refs() always implies a barrier
    
    Commit b0c29f79ecea (futexes: Avoid taking the hb->lock if there's
    nothing to wake up) changes the futex code to avoid taking a lock when
    there are no waiters. This code has been subsequently fixed in commit
    11d4616bd07f (futex: revert back to the explicit waiter counting code).
    Both the original commit and the fix-up rely on get_futex_key_refs() to
    always imply a barrier.
    
    However, for private futexes, none of the cases in the switch statement
    of get_futex_key_refs() would be hit and the function completes without
    a memory barrier as required before checking the "waiters" in
    futex_wake() -> hb_waiters_pending(). The consequence is a race with a
    thread waiting on a futex on another CPU, allowing the waker thread to
    read "waiters == 0" while the waiter thread has read "futex_val ==
    locked" (in kernel).
    
    Without this fix, the problem (user space deadlocks) can be seen with
    Android bionic's mutex implementation on an arm64 multi-cluster system.
    
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Reported-by: Matteo Franchin <Matteo.Franchin@arm.com>
    Fixes: b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up)
    Acked-by: Davidlohr Bueso <dave@stgolabs.net>
    Tested-by: Mike Galbraith <umgwanakikbuti@gmail.com>
    Cc: <stable@vger.kernel.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/futex.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 7dcfaa72177dd7ea055b02d7132e06032a46feea
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Mon Oct 6 16:32:52 2014 -0400

    selinux: fix inode security list corruption
    
    sb_finish_set_opts() can race with inode_free_security()
    when initializing inode security structures for inodes
    created prior to initial policy load or by the filesystem
    during ->mount().   This appears to have always been
    a possible race, but commit 3dc91d4 ("SELinux:  Fix possible
    NULL pointer dereference in selinux_inode_permission()")
    made it more evident by immediately reusing the unioned
    list/rcu element  of the inode security structure for call_rcu()
    upon an inode_free_security().  But the underlying issue
    was already present before that commit as a possible use-after-free
    of isec.
    
    Shivnandan Kumar reported the list corruption and proposed
    a patch to split the list and rcu elements out of the union
    as separate fields of the inode_security_struct so that setting
    the rcu element would not affect the list element.  However,
    this would merely hide the issue and not truly fix the code.
    
    This patch instead moves up the deletion of the list entry
    prior to dropping the sbsec->isec_lock initially.  Then,
    if the inode is dropped subsequently, there will be no further
    references to the isec.
    
    Reported-by: Shivnandan Kumar <shivnandan.k@samsung.com>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/hooks.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9ead2f4f82f8812b5e708c69df0f35a43303cdd6
Author: Emil Tantilov <emil.s.tantilov@intel.com>
Date:   Thu Oct 16 15:49:02 2014 +0000

    ixgbe: check for vfs outside of sriov_num_vfs before dereference
    
    The check for vfinfo is not sufficient because it does not protect
    against specifying vf that is outside of sriov_num_vfs range.
    All of the ndo functions have a check for it except for
    ixgbevf_ndo_set_spoofcheck().
    
    The following patch is all we need to protect against this panic:
    
    ip link set p96p1 vf 0 spoofchk off
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000052
    IP: [<ffffffffa044a1c1>]
    ixgbe_ndo_set_vf_spoofchk+0x51/0x150 [ixgbe]
    
    Reported-by: Thierry Herbelot <thierry.herbelot@6wind.com>
    Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
    Acked-by: Thierry Herbelot <thierry.herbelot@6wind.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b339b27c54edc34ab000ed44750fd2a6f2a92d71
Author: Cong Wang <cwang@twopensource.com>
Date:   Tue Oct 14 12:35:08 2014 -0700

    rds: avoid calling sock_kfree_s() on allocation failure
    
    It is okay to free a NULL pointer but not okay to mischarge the socket optmem
    accounting. Compile test only.
    
    Reported-by: rucsoftsec@gmail.com
    Cc: Chien Yen <chien.yen@oracle.com>
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Cong Wang <cwang@twopensource.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/rdma.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 8cb7feae433dcd9c588fa06511999428dc2523bd
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Oct 14 17:02:37 2014 -0400

    net: Trap attempts to call sock_kfree_s() with a NULL pointer.
    
    Unlike normal kfree() it is never right to call sock_kfree_s() with
    a NULL pointer, because sock_kfree_s() also has the side effect of
    discharging the memory from the sockets quota.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/sock.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
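The two commits above (rds: avoid calling sock_kfree_s() on allocation failure, and net: Trap attempts to call sock_kfree_s() with a NULL pointer) both concern the socket optmem quota. The following is an added user-space model, not kernel code: it reproduces the charge/discharge bookkeeping of sock_kmalloc()/sock_kfree_s() so the mischarge is observable, with the caller pattern modelled loosely on the rds error path. All names ending in _model/_old/_buggy/_fixed and the fail_next_alloc hook are this example's own.

```c
/* Added example: user-space model of the socket optmem accounting behind
 * sock_kmalloc()/sock_kfree_s(). Not the kernel's code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define OPTMEM_MAX 20480   /* sysctl_optmem_max default */

struct sock_model {
    long sk_omem_alloc;    /* bytes charged to this socket's option memory */
    int warned;            /* set where the kernel would WARN_ON_ONCE */
};

static int fail_next_alloc;   /* constructed hook: make the next allocation fail */

/* Charge the socket first, then allocate; undo the charge if allocation fails,
 * so a failed sock_kmalloc() leaves the quota exactly as it found it. */
void *sock_kmalloc_model(struct sock_model *sk, int size)
{
    if ((unsigned)size <= OPTMEM_MAX && sk->sk_omem_alloc + size < OPTMEM_MAX) {
        void *mem;

        sk->sk_omem_alloc += size;
        mem = fail_next_alloc ? NULL : malloc(size);
        fail_next_alloc = 0;
        if (mem)
            return mem;
        sk->sk_omem_alloc -= size;
    }
    return NULL;
}

/* Before 8cb7feae: free(NULL) is harmless, but the discharge is unconditional,
 * so a NULL passed here debits memory that was never charged. */
void sock_kfree_s_old(struct sock_model *sk, void *mem, int size)
{
    free(mem);
    sk->sk_omem_alloc -= size;
}

/* After 8cb7feae: a NULL pointer is a caller bug; warn and leave the quota alone. */
void sock_kfree_s_model(struct sock_model *sk, void *mem, int size)
{
    if (!mem) {
        sk->warned = 1;           /* WARN_ON_ONCE(!mem) in the kernel */
        return;
    }
    free(mem);
    sk->sk_omem_alloc -= size;
}

/* Caller pattern before b339b27c: allocate, fail, and fall through to an
 * unconditional sock_kfree_s(). The accounting damage lands in sk_omem_alloc. */
int rdma_op_buggy(struct sock_model *sk, int size)
{
    void *op = sock_kmalloc_model(sk, size);
    int ret = 0;

    if (!op)
        ret = -ENOMEM;
    /* ... work on op would go here ... */
    sock_kfree_s_old(sk, op, size);   /* runs even when op is NULL */
    return ret;
}

/* Caller pattern after b339b27c: only discharge what was actually charged. */
int rdma_op_fixed(struct sock_model *sk, int size)
{
    void *op = sock_kmalloc_model(sk, size);

    if (!op)
        return -ENOMEM;
    /* ... work on op would go here ... */
    sock_kfree_s_model(sk, op, size);
    return 0;
}

int main(void)
{
    struct sock_model sk = { 0, 0 };

    fail_next_alloc = 1;
    rdma_op_buggy(&sk, 256);
    printf("buggy caller after failed alloc: sk_omem_alloc=%ld\n", sk.sk_omem_alloc);

    sk.sk_omem_alloc = 0;
    fail_next_alloc = 1;
    rdma_op_fixed(&sk, 256);
    printf("fixed caller after failed alloc: sk_omem_alloc=%ld\n", sk.sk_omem_alloc);
    return 0;
}
```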

commit 715a5366c9682a82390ada6325b9e69502eeeaf9
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Oct 8 23:44:00 2014 -0400

    fix misuses of f_count() in ppp
    
    we used to check for "nobody else could start doing anything with
    that opened file" by checking that refcount was 2 or less - one
    for descriptor table and one we'd acquired in fget() on the way to
    wherever we are.  That was race-prone (somebody else might have
    had a reference to descriptor table and do fget() just as we'd
    been checking) and it had become flat-out incorrect back when
    we switched to fget_light() on those codepaths - unlike fget(),
    it doesn't grab an extra reference unless the descriptor table
    is shared.  The same change allowed a race-free check, though -
    we are safe exactly when refcount is less than 2.
    
    It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading
    to ppp one) and 2.6.17 for sendmsg() (netlink one).  OTOH,
    netlink hadn't grown that check until 3.9 and ppp used to live
    in drivers/net, not drivers/net/ppp until 3.1.  The bug existed
    well before that, though, and the same fix used to apply in old
    location of file.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
    	net/netlink/af_netlink.c

 drivers/net/ppp/ppp_generic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ade236d58652fa8f628280e4063af42ed0711124
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Jul 27 13:00:41 2014 -0400

    fs: make cont_expand_zero interruptible
    
    This patch makes it possible to kill a process looping in
    cont_expand_zero. A process may spend a lot of time in this function, so
    it is desirable to be able to kill it.
    
    It happened to me that I wanted to copy a piece of data from the disk to a
    file. By mistake, I used the "seek" parameter to dd instead of "skip". Due
    to the "seek" parameter, dd attempted to extend the file and became stuck
    doing so - the only possibility was to reset the machine or wait many
    hours until the filesystem runs out of space and cont_expand_zero fails.
    We need this patch to be able to terminate the process.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/buffer.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 99897cc1fd3d5db9f99e304eaf9384e173b7f014
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Thu Oct 9 15:24:37 2014 -0700

    fsnotify: don't put user context if it was never assigned
    
    On some failure paths we may attempt to free user context even if it
    wasn't assigned yet.  This will cause a NULL ptr deref and a kernel BUG.
    
    The path I was looking at is in inotify_new_group():
    
            oevent = kmalloc(sizeof(struct inotify_event_info), GFP_KERNEL);
            if (unlikely(!oevent)) {
                    fsnotify_destroy_group(group);
                    return ERR_PTR(-ENOMEM);
            }
    
    fsnotify_destroy_group() would get called here, but
    group->inotify_data.user is only getting assigned later:
    
    	group->inotify_data.user = get_current_user();
    
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Cc: John McCutchan <john@johnmccutchan.com>
    Cc: Robert Love <rlove@rlove.org>
    Cc: Eric Paris <eparis@parisplace.org>
    Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/notify/inotify/inotify_fsnotify.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit cc70da15da095551dfa374da20202ece530aa8f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 13 19:31:03 2014 -0400

    compile fix

 net/ipv4/ip_input.c  |    4 ++++
 net/ipv4/tcp_input.c |    4 ----
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 68a280187838ca8f9f403f7e1762cfcc8a95147b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 13 19:16:43 2014 -0400

    add reference to grsec_enable_blackhole

 net/ipv4/tcp_input.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit c165ea4f4f4e91311d13d97aa11e2759c6b8b06f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 13 19:11:12 2014 -0400

    Fix RANDSTRUCT compilation with brcm80211 driver

 drivers/net/wireless/brcm80211/brcmsmac/otp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 24fa7d5a380deef772813033a93928994f458a88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 12 21:07:48 2014 -0400

    update GRKERNSEC_BLACKHOLE documentation

 grsecurity/Kconfig |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 180f8243abab1f9be35e3126cb661dc86e710919
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 12 21:03:37 2014 -0400

    Though it can be done easily enough with iptables by dropping
    packets of unknown protocols, when GRKERNSEC_BLACKHOLE is enabled
    avoid sending icmp protocol unreachable for unknown protocols except
    on the loopback interface.
    
    Suggested by @NoAgendaIT

 net/ipv4/ip_input.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 0167ef50b08f65e4d6568f935bbb39051ac051f1
Author: Mel Gorman <mgorman@suse.de>
Date:   Thu Oct 2 19:47:41 2014 +0100

    mm: migrate: Close race between migration completion and mprotect
    
    A migration entry is marked as write if pte_write was true at the time the
    entry was created. The VMA protections are not double checked when migration
    entries are being removed as mprotect marks write-migration-entries as
    read. It means that potentially we take a spurious fault to mark PTEs write
    again but it's straight-forward. However, there is a race between write
    migrations being marked read and migrations finishing. This potentially
    allows a PTE to be write that should have been read. Close this race by
    double checking the VMA permissions using maybe_mkwrite when migration
    completes.
    
    [torvalds@linux-foundation.org: use maybe_mkwrite]
    Cc: stable@vger.kernel.org
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Rik van Riel <riel@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	mm/migrate.c

 mm/migrate.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ccf387045d784306de13eb2d2d72286f486ae2aa
Author: Herton R. Krzesinski <herton@redhat.com>
Date:   Wed Oct 1 18:49:54 2014 -0300

    net/rds: fix possible double free on sock tear down
    
    I got a report of a double free happening at RDS slab cache. One
    suspicion was that may be somewhere we were doing a sock_hold/sock_put
    on an already freed sock. Thus after providing a kernel with the
    following change:
    
     static inline void sock_hold(struct sock *sk)
     {
    -       atomic_inc(&sk->sk_refcnt);
    +       if (!atomic_inc_not_zero(&sk->sk_refcnt))
    +               WARN(1, "Trying to hold sock already gone: %p (family: %hd)\n",
    +                       sk, sk->sk_family);
     }
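    Review bot: in the WARN branch the format arguments read sk->sk_family from a sock whose refcount has already reached zero, so the diagnostic itself dereferences the object it has just reported as gone; print only the pointer, or capture sk_family before the atomic_inc_not_zero() test. Note also that on this path no reference is taken, so the caller continues with an unheld sock, which is acceptable only because the message presents this as a one-off probe rather than the fix.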
    
    The warning successfully triggered:
    
    Trying to hold sock already gone: ffff81f6dda61280 (family: 21)
    WARNING: at include/net/sock.h:350 sock_hold()
    Call Trace:
    <IRQ>  [<ffffffff8adac135>] :rds:rds_send_remove_from_sock+0xf0/0x21b
    [<ffffffff8adad35c>] :rds:rds_send_drop_acked+0xbf/0xcf
    [<ffffffff8addf546>] :rds_rdma:rds_ib_recv_tasklet_fn+0x256/0x2dc
    [<ffffffff8009899a>] tasklet_action+0x8f/0x12b
    [<ffffffff800125a2>] __do_softirq+0x89/0x133
    [<ffffffff8005f30c>] call_softirq+0x1c/0x28
    [<ffffffff8006e644>] do_softirq+0x2c/0x7d
    [<ffffffff8006e4d4>] do_IRQ+0xee/0xf7
    [<ffffffff8005e625>] ret_from_intr+0x0/0xa
    <EOI>
    
    Looking at the call chain above, the only way I think this would be
    possible is if somewhere we already released the same socket->sock which
    is assigned to the rds_message at rds_send_remove_from_sock. Which seems
    only possible to happen after the tear down done on rds_release.
    
    rds_release properly calls rds_send_drop_to to drop the socket from any
    rds_message, and some proper synchronization is in place to avoid race
    with rds_send_drop_acked/rds_send_remove_from_sock. However, I still see
    a very narrow window where it may be possible we touch a sock already
    released: when rds_release races with rds_send_drop_acked, we check
    RDS_MSG_ON_CONN to avoid cleanup on the same rds_message, but in this
    specific case we don't clear rm->m_rs. In this case, it seems we could
    then go on at rds_send_drop_to and after it returns, the sock is freed
    by the last sock_put on rds_release, while we are concurrently at
    rds_send_remove_from_sock; then at some point in the loop at
    rds_send_remove_from_sock we process an rds_message which didn't have
    rm->m_rs unset for a freed sock, and a possible sock_hold on an sock
    already gone at rds_release happens.
    
    This hopefully addresses the described condition above and avoids a double
    free on "second last" sock_put. In addition, I removed the comment about
    socket destruction on top of rds_send_drop_acked: we call rds_send_drop_to
    in rds_release and we should have things properly serialized there, thus
    I can't see the comment being accurate there.
    
    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/send.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 814084597d04dad0a63fa31ec62843d1be0c1b35
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Thu Oct 2 16:17:02 2014 -0700

    perf: fix perf bug in fork()
    
    Oleg noticed that a cleanup by Sylvain actually uncovered a bug; by
    calling perf_event_free_task() when failing sched_fork() we will not yet
    have done the memset() on ->perf_event_ctxp[] and will therefore try and
    'free' the inherited contexts, which are still in use by the parent
    process.  This is bad..
    
    Suggested-by: Oleg Nesterov <oleg@redhat.com>
    Reported-by: Oleg Nesterov <oleg@redhat.com>
    Reported-by: Sylvain 'ythier' Hitier <sylvain.hitier@gmail.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/events/core.c |    4 +++-
 kernel/fork.c        |    5 +++--
 2 files changed, 6 insertions(+), 3 deletions(-)

commit f9bbaa2d511c409c33108afc8d95be1458a8b399
Author: Mel Gorman <mgorman@suse.de>
Date:   Thu Oct 2 19:47:42 2014 +0100

    mm: numa: Do not mark PTEs pte_numa when splitting huge pages
    
    This patch reverts 1ba6e0b50b ("mm: numa: split_huge_page: transfer the
    NUMA type from the pmd to the pte"). If a huge page is being split due to
    a protection change and the tail will be in a PROT_NONE vma then NUMA
    hinting PTEs are temporarily created in the protected VMA.
    
     VM_RW|VM_PROTNONE
    |-----------------|
          ^
          split here
    
    In the specific case above, it should get fixed up by change_pte_range()
    but there is a window of opportunity for weirdness to happen. Similarly,
    if a huge page is shrunk and split during a protection update but before
    pmd_numa is cleared then a pte_numa can be left behind.
    
    Instead of adding complexity trying to deal with the case, this patch
    will not mark PTEs NUMA when splitting a huge page. NUMA hinting faults
    will not be triggered which is marginal in comparison to the complexity
    in dealing with the corner cases during THP split.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Rik van Riel <riel@redhat.com>
    Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/huge_memory.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit ed22c82434784ecdb766ce2ca5b08f8271a2887a
Merge: c8b7520 a072601
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 6 18:28:59 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit a072601054f8387ccd9ca7b25e1b852194053a60
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 6 18:28:19 2014 -0400

    Update to pax-linux-3.2.63-test160.patch:
    - fixed a potential miscompile with certain gcc versions in pax_open_kernel/pax_close_kernel, reported by gyurix and hunger

 arch/x86/include/asm/pgtable.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit c8b75207af997e24ce98faba23fdf4bf53058562
Merge: 415d00a be01ef4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 13:57:15 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit be01ef4bda6b1918b5623d98ef83ca56065bf818
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 13:56:35 2014 -0400

    Update to pax-linux-3.2.63-test159.patch:
    - made mmap_rnd use the passed down mm on ppc
    - fixed some REFCOUNT false positives in drbd, reported by schiffi (https://forums.grsecurity.net/viewtopic.php?f=3&t=3786)
    - removed bash dependence from scripts/gcc-plugin.sh

 arch/powerpc/mm/mmap_64.c          |   10 +++++-----
 arch/x86/include/asm/atomic.h      |    4 ++--
 drivers/block/drbd/drbd_bitmap.c   |    2 +-
 drivers/block/drbd/drbd_int.h      |    4 ++--
 drivers/block/drbd/drbd_main.c     |    4 ++--
 drivers/block/drbd/drbd_receiver.c |   12 ++++++------
 drivers/block/drbd/drbd_worker.c   |    8 ++++----
 scripts/gcc-plugin.sh              |   28 ++++++++++++++++++----------
 8 files changed, 40 insertions(+), 32 deletions(-)

commit 415d00aaae1b4639be3059a87fd1aadb40ad5fd9
Author: Mike Christie <michaelc@cs.wisc.edu>
Date:   Wed Sep 3 00:00:39 2014 -0500

    [SCSI] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
    
    This patch fixes a potential buffer overrun in __iscsi_conn_send_pdu.
    This function is used by iscsi drivers and userspace to send iscsi PDUs/
    commands. For login commands, we have a set buffer size. For all other
    commands we do not support data buffers.
    
    This was reported by Dan Carpenter here:
    http://www.spinics.net/lists/linux-scsi/msg66838.html
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
    Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>

 drivers/scsi/libiscsi.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 5f973d4bb62ee99e0282101e5a86045c6a71517d
Author: Anton Altaparmakov <aia21@cam.ac.uk>
Date:   Mon Sep 22 01:53:03 2014 +0100

    Fix nasty 32-bit overflow bug in buffer i/o code.
    
    On 32-bit architectures, the legacy buffer_head functions are not always
    handling the sector number with the proper 64-bit types, and will thus
    fail on 4TB+ disks.
    
    Any code that uses __getblk() (and thus bread(), breadahead(),
    sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit
    block on a 32-bit arch (where "long" is 32-bit) causes an infinite loop
    in __getblk_slow() with an infinite stream of errors logged to dmesg
    like this:
    
      __find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648
      b_state=0x00000020, b_size=512
      device sda1 blocksize: 512
    
    Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the
    top 32-bits are missing (in this case the 0x1 at the top).
    
    This is because grow_dev_page() is broken and has a 32-bit overflow due
    to shifting the page index value (a pgoff_t - which is just 32 bits on
    32-bit architectures) left-shifted as the block number.  But the top
    bits get lost as the pgoff_t is not type cast to sector_t / 64-bit
    before the shift.
    
    This patch fixes this issue by type casting "index" to sector_t before
    doing the left shift.
    
    Note this is not a theoretical bug but has been seen in the field on a
    4TiB hard drive with logical sector size 512 bytes.
    
    This patch has been verified to fix the infinite loop problem on 3.17-rc5
    kernel using a 4TB disk image mounted using "-o loop".  Without this patch
    doing a "find /nt" where /nt is an NTFS volume causes the infinite loop
    100% reproducibly whilst with the patch it works fine as expected.
    
    Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/buffer.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
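The message above explains the overflow in words and with the numbers from dmesg. The following is an added user-space model, not the kernel's code: it redoes the index-to-block arithmetic of grow_buffers()/grow_dev_page() with the type widths of a 32-bit architecture so the truncation is reproducible on any host, and checks it against the block and b_blocknr values quoted in the message. The function names ending in _model/_buggy/_fixed are this example's own.

```c
/* Added example: 32-bit model of the fs/buffer.c block arithmetic the commit
 * message describes. Not the kernel's code. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t pgoff_t;   /* unsigned long on a 32-bit arch: 32 bits */
typedef uint64_t sector_t;  /* 64-bit block numbers (CONFIG_LBDAF) */

#define MODEL_PAGE_SIZE 4096u

struct buffer_head {
    sector_t b_blocknr;
    unsigned b_size;
};

/* How far a block number is shifted right to reach its page-cache index
 * (3 for 512-byte blocks in 4 KiB pages: eight buffers per page). */
int block_sizebits(unsigned size)
{
    int sizebits = -1;

    do {
        sizebits++;
    } while ((size << sizebits) < MODEL_PAGE_SIZE);
    return sizebits;
}

/* Index range check as in grow_buffers(): the comparison is done in
 * sector_t width, so a block whose page index does not fit in pgoff_t is
 * rejected (-EIO in the kernel) instead of silently wrapping. */
static int block_to_index(sector_t block, int sizebits, pgoff_t *index)
{
    *index = (pgoff_t)(block >> sizebits);
    if (*index != block >> sizebits)
        return -1;
    return 0;
}

/* The bug: index << sizebits is evaluated in 32-bit pgoff_t width and only the
 * wrapped result is widened to sector_t, so bit 32 and above are lost. */
sector_t first_block_in_page_buggy(pgoff_t index, int sizebits)
{
    sector_t block = index << sizebits;

    return block;
}

/* The fix: widen index to sector_t before the shift. */
sector_t first_block_in_page_fixed(pgoff_t index, int sizebits)
{
    sector_t block = (sector_t)index << sizebits;

    return block;
}

/* Model of __getblk_slow(): grow the page holding `block`, then look for the
 * buffer whose b_blocknr equals the request. Returns 0 on success. Where the
 * kernel loops forever logging __find_get_block_slow() failures, this model
 * returns -1 and leaves in *bh what the page actually holds. */
int getblk_model(sector_t block, unsigned size, int fixed, struct buffer_head *bh)
{
    int sizebits = block_sizebits(size);
    pgoff_t index;
    sector_t first, i, nr_in_page = MODEL_PAGE_SIZE / size;

    if (block_to_index(block, sizebits, &index) < 0)
        return -1;                       /* out-of-range block */

    first = fixed ? first_block_in_page_fixed(index, sizebits)
                  : first_block_in_page_buggy(index, sizebits);

    bh->b_size = size;
    for (i = 0; i < nr_in_page; i++) {   /* buffers are numbered first, first+1, ... */
        if (first + i == block) {
            bh->b_blocknr = block;
            return 0;
        }
    }
    bh->b_blocknr = first;               /* mismatch: the symptom from the dmesg */
    return -1;
}

int main(void)
{
    struct buffer_head bh;
    sector_t block = 6740375944ULL;      /* the block quoted in the message */
    int rc = getblk_model(block, 512, 0, &bh);

    printf("buggy: rc=%d block=%llu b_blocknr=%llu\n", rc,
           (unsigned long long)block, (unsigned long long)bh.b_blocknr);
    rc = getblk_model(block, 512, 1, &bh);
    printf("fixed: rc=%d block=%llu b_blocknr=%llu\n", rc,
           (unsigned long long)block, (unsigned long long)bh.b_blocknr);
    return 0;
}
```

With the buggy shift the model reports b_blocknr=2445408648 (0x91C1F988) for block 6740375944 (0x191C1F988), exactly the pair logged in the message.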

commit 28c151879ad50651c4d1d55bb0bcd42d8b92d462
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Wed Sep 24 17:56:17 2014 +0200

    shmem: fix nlink for rename overwrite directory
    
    If overwriting an empty directory with rename, then we need to drop the
    extra nlink.
    
    Test prog:
    
    #include <stdio.h>
    #include <fcntl.h>
    #include <err.h>
    #include <sys/stat.h>
    
    int main(void)
    {
    	const char *test_dir1 = "test-dir1";
    	const char *test_dir2 = "test-dir2";
    	int res;
    	int fd;
    	struct stat statbuf;
    
    	res = mkdir(test_dir1, 0777);
    	if (res == -1)
    		err(1, "mkdir(\"%s\")", test_dir1);
    
    	res = mkdir(test_dir2, 0777);
    	if (res == -1)
    		err(1, "mkdir(\"%s\")", test_dir2);
    
    	fd = open(test_dir2, O_RDONLY);
    	if (fd == -1)
    		err(1, "open(\"%s\")", test_dir2);
    
    	res = rename(test_dir1, test_dir2);
    	if (res == -1)
    		err(1, "rename(\"%s\", \"%s\")", test_dir1, test_dir2);
    
    	res = fstat(fd, &statbuf);
    	if (res == -1)
    		err(1, "fstat(%i)", fd);
    
    	if (statbuf.st_nlink != 0) {
    		fprintf(stderr, "nlink is %lu, should be 0\n", statbuf.st_nlink);
    		return 1;
    	}
    
    	return 0;
    }
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 mm/shmem.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit e87359e46a367c3d502ec4b61ae16a344afc8bf0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 18 08:55:03 2014 -0400

    update documentation

 security/Kconfig |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 67bcf446004cbaff424450d0943fb0321e505493
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 18 07:42:34 2014 -0400

    update documentation

 security/Kconfig |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit b8d9c7f895650cec62bc43a9a2eb5a3a913aadff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 17 23:36:38 2014 -0400

    reorganize EFI backport

 arch/x86/include/asm/efi.h     |    1 +
 arch/x86/platform/efi/efi.c    |   15 ++-------------
 arch/x86/platform/efi/efi_32.c |    4 ++++
 arch/x86/platform/efi/efi_64.c |   16 ++++++++++++++++
 4 files changed, 23 insertions(+), 13 deletions(-)

commit 767429f32d1557e71f1ea6b271c9ff9bb470f58c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 17 23:17:07 2014 -0400

    Backport a best-effort variant of minipli's KERNEXEC/EFI patch to 3.2.
    Only if EFI runtime services are active will we allow the physmap to be
    RWX -- shouldn't be the case for most users, but this at least protects
    those blindly using distro configs.

 arch/x86/kernel/head_64.S   |    8 ++++++--
 arch/x86/platform/efi/efi.c |   13 +++++++++++++
 security/Kconfig            |    3 +++
 3 files changed, 22 insertions(+), 2 deletions(-)

commit 0163725f9f230f4b58641a875a7de730afc80c74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 15 08:30:05 2014 -0400

    exempt atomic_[inc|add]_return_unchecked() from size_overflow

 arch/x86/include/asm/atomic.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9056786e17d0bbeebf5ad5a8554ba8c8a76960dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 18:41:06 2014 -0400

    update hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ab9e7ecf3984d4e5ef4ff3a45278710aacd396ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 17:17:26 2014 -0400

    compile fix

 kernel/time/alarmtimer.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit f838dc40b8e11a24b7075f0c978f4fab134c831b
Author: Richard Larocque <rlarocque@google.com>
Date:   Tue Sep 9 18:31:03 2014 -0700

    alarmtimer: Return relative times in timer_gettime
    
    Returns the time remaining for an alarm timer, rather than the time at
    which it is scheduled to expire.  If the timer has already expired or it
    is not currently scheduled, the it_value's members are set to zero.
    
    This new behavior matches that of the other posix-timers and the POSIX
    specifications.
    
    This is a change in user-visible behavior, and may break existing
    applications.  Hopefully, few users rely on the old incorrect behavior.
    
    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Sharvil Nanavati <sharvil@google.com>
    Signed-off-by: Richard Larocque <rlarocque@google.com>
    [jstultz: minor style tweak]
    Signed-off-by: John Stultz <john.stultz@linaro.org>

 kernel/time/alarmtimer.c |   18 +++++++++++-------
 1 files changed, 11 insertions(+), 7 deletions(-)

commit 0b0613996b5978239272e4204191848027ed5b89
Author: Richard Larocque <rlarocque@google.com>
Date:   Tue Sep 9 18:31:05 2014 -0700

    alarmtimer: Lock k_itimer during timer callback
    
    Locks the k_itimer's it_lock member when handling the alarm timer's
    expiry callback.
    
    The regular posix timers defined in posix-timers.c have this lock held
    during timeout processing because their callbacks are routed through
    posix_timer_fn().  The alarm timers follow a different path, so they
    ought to grab the lock somewhere else.
    
    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Sharvil Nanavati <sharvil@google.com>
    Signed-off-by: Richard Larocque <rlarocque@google.com>
    Signed-off-by: John Stultz <john.stultz@linaro.org>

 kernel/time/alarmtimer.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 8117fc080568e6aa32ff446c070100a6eab6272b
Author: Richard Larocque <rlarocque@google.com>
Date:   Tue Sep 9 18:31:04 2014 -0700

    alarmtimer: Do not signal SIGEV_NONE timers
    
    Avoids sending a signal to alarm timers created with sigev_notify set to
    SIGEV_NONE by checking for that special case in the timeout callback.
    
    The regular posix timers avoid sending signals to SIGEV_NONE timers by
    not scheduling any callbacks for them in the first place.  Although it
    would be possible to do something similar for alarm timers, it's simpler
    to handle this as a special case in the timeout.
    
    Prior to this patch, the alarm timer would ignore the sigev_notify value
    and try to deliver signals to the process anyway.  Even worse, the
    sanity check for the value of sigev_signo is skipped when SIGEV_NONE was
    specified, so the signal number could be bogus.  If sigev_signo was an
    uninitialized value (as it often would be if SIGEV_NONE is used), then
    it's hard to predict which signal will be sent.
    
    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Sharvil Nanavati <sharvil@google.com>
    Signed-off-by: Richard Larocque <rlarocque@google.com>
    Signed-off-by: John Stultz <john.stultz@linaro.org>

 kernel/time/alarmtimer.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 038a6c21fd91be8221651495d280f60a4a252444
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 13:22:45 2014 -0400

    compile fix

 kernel/futex.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 51ae12a86010d07565a351852e4205c7b4bc6f6e
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Thu Sep 11 23:44:35 2014 +0200

    futex: Unlock hb->lock in futex_wait_requeue_pi() error path
    
    futex_wait_requeue_pi() calls futex_wait_setup(). If
    futex_wait_setup() succeeds it returns with hb->lock held and
    preemption disabled. Now the sanity check after this does:
    
            if (match_futex(&q.key, &key2)) {
                    ret = -EINVAL;
                    goto out_put_keys;
            }
    
    which releases the keys but does not release hb->lock.
    
    So we happily return to user space with hb->lock held and therefore
    preemption disabled.
    
    Unlock hb->lock before taking the exit route.
    
    Reported-by: Dave "Trinity" Jones <davej@redhat.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Darren Hart <dvhart@linux.intel.com>
    Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 kernel/futex.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7044939f80c7cc215bfdf67010793989ea099a7a
Merge: df4e799 c312fd4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 11:43:48 2014 -0400

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	include/net/secure_seq.h
    	tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit c312fd4b91bc9dd81a4c8732ab1ddef762f9c827
Merge: 31cded1 de9ba61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 11:39:36 2014 -0400

    Update to pax-linux-3.2.63-test157.patch:
    - forward port to 3.2.63
    - updated the size overflow hash table
    - hopefully fixed a build race on ia64, reported by Dennis Schridde (https://bugs.gentoo.org/show_bug.cgi?id=503878)
    
    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	arch/sparc/mm/fault_64.c
    	arch/x86/include/asm/pgtable_64_types.h
    	arch/x86/kernel/entry_64.S
    	arch/x86/kernel/ldt.c
    	drivers/gpu/drm/ttm/ttm_page_alloc.c
    	include/net/inetpeer.h
    	net/ipv4/inetpeer.c
    	net/ipv4/route.c
    	net/ipv6/ip6_output.c

commit df4e7992d0535f0fd5ac23e766a05934fa5c1e5f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 22:12:35 2014 -0400

    compile fix

 net/ceph/mon_client.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ee18422bf9260f9fb20f33197fb32261b47530d8
Author: Ilya Dryomov <ilya.dryomov@inktank.com>
Date:   Tue Sep 9 19:39:15 2014 +0400

    libceph: do not hard code max auth ticket len
    
    We hard code cephx auth ticket buffer size to 256 bytes.  This isn't
    enough for any moderate setups and, in case tickets themselves are not
    encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but
    ceph_decode_copy() doesn't - it's just a memcpy() wrapper).  Since the
    buffer is allocated dynamically anyway, allocate it a bit later, at
    the point where we know how much is going to be needed.
    
    Fixes: http://tracker.ceph.com/issues/8979
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
    Reviewed-by: Sage Weil <sage@redhat.com>

 net/ceph/auth_x.c |   64 ++++++++++++++++++++++++-----------------------------
 1 files changed, 29 insertions(+), 35 deletions(-)

commit 4dfa313156b7147936b3bad7f2807a1f74a421bd
Author: Ilya Dryomov <ilya.dryomov@inktank.com>
Date:   Mon Sep 8 17:25:34 2014 +0400

    libceph: add process_one_ticket() helper
    
    Add a helper for processing individual cephx auth tickets.  Needed for
    the next commit, which deals with allocating ticket buffers.  (Most of
    the diff here is whitespace - view with git diff -b).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
    Reviewed-by: Sage Weil <sage@redhat.com>

 net/ceph/auth_x.c |  228 +++++++++++++++++++++++++++++------------------------
 1 files changed, 124 insertions(+), 104 deletions(-)

commit d0840d5576f29f2f51c18aef2e5c3e825a9a3025
Author: Sage Weil <sage@redhat.com>
Date:   Mon Aug 4 07:01:54 2014 -0700

    libceph: gracefully handle large reply messages from the mon
    
    We preallocate a few of the message types we get back from the mon.  If we
    get a larger message than we are expecting, fall back to trying to allocate
    a new one instead of blindly using the one we have.
    
    CC: stable@vger.kernel.org
    Signed-off-by: Sage Weil <sage@redhat.com>
    Reviewed-by: Ilya Dryomov <ilya.dryomov@inktank.com>

 net/ceph/mon_client.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 1cf74ebe958195a7dc114e56f0100bc3ca97d9a8
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 14:06:55 2014 +0200

    udf: Avoid infinite loop when processing indirect ICBs
    
    We did not implement any bound on the number of indirect ICBs we follow when
    loading an inode. Thus a corrupted medium could cause the kernel to go into an
    infinite loop, possibly causing a stack overflow.
    
    Fix the possible stack overflow by removing recursion from
    __udf_read_inode() and limit the number of indirect ICBs we follow to avoid
    infinite loops.
    
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c |   35 +++++++++++++++++++++--------------
 1 files changed, 21 insertions(+), 14 deletions(-)

commit 617f4c4872b809c6b6ea651d5198b7820b3e0abf
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 13:32:50 2014 +0200

    udf: Fold udf_fill_inode() into __udf_read_inode()
    
    There's no good reason to separate these since udf_fill_inode() is
    called only from __udf_read_inode() and both do part of the same thing.
    
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c |   22 +++++-----------------
 1 files changed, 5 insertions(+), 17 deletions(-)

commit df842208ddd1fae7409c4bc8e8e008e88ede1f46
Author: Ashish Sangwan <ashishsangwan2@gmail.com>
Date:   Tue Jun 26 19:33:11 2012 +0530

    UDF: Remove unnecessary variable "offset" from udf_fill_inode
    
    The variable "offset" is not needed. Remove it.
    
    Signed-off-by: Ashish Sangwan <ashish.sangwan2@gmail.com>
    Signed-off-by: Namjae Jeon <linkinjeon@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    
    Conflicts:
    
    	fs/udf/inode.c

 fs/udf/inode.c |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

commit fc485c36ac5e9d60f2dec3fa5b338271aaeda71b
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 11:47:51 2014 +0200

    udf: Avoid dir link count to go negative
    
    If we are writing back inode of unlinked directory, its link count ends
    up being (u16)-1. Although the inode is deleted, udf_iget() can load the
    inode when NFS uses stale file handle and get confused.
    
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 148f1629b2c5874e0159a8770c9d119265b698ed
Author: Ani Sinha <ani@arista.com>
Date:   Mon Sep 8 14:49:59 2014 -0700

    net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland.
    
    The Linux manpage for the recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when
    msg_name is passed as NULL. When developers don't set the msg_namelen member in msghdr, it might contain a garbage
    value which will fail the validation check, and the sendmsg and recvmsg calls will return EINVAL from the kernel. This will
    break old binaries and any code for which there is no access to source code.
    To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.
    
    Signed-off-by: Ani Sinha <ani@arista.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/socket.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
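The msghdr validation the commit above describes, exercised from userland over an AF_UNIX socketpair; this is an added example, not code from the commit. send_with_namelen() sends with msg_name == NULL and a caller-chosen msg_namelen: a zeroed msghdr (namelen 0) must work on every kernel, while a stale msg_namelen next to a NULL msg_name is exactly what the fix makes the kernel tolerate and what zeroing the struct avoids regardless of kernel version. The payload and the "garbage" length are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Constructed payload; sizeof() includes the terminating NUL (6 bytes). */
static const char payload[] = "hello";

/*
 * Send 'payload' over an AF_UNIX datagram socketpair with msg_name NULL and
 * the given msg_namelen, then receive it on the other end with the same
 * msghdr shape.  Returns the number of bytes received, or -errno of the
 * failing call (EINVAL on kernels that still validate a stale msg_namelen).
 */
int send_with_namelen(int namelen)
{
    int sv[2];
    struct msghdr msg;
    struct iovec iov;
    char buf[sizeof(payload)];
    ssize_t n;
    int err;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) == -1)
        return -errno;

    memset(&msg, 0, sizeof(msg));       /* the portable way: zero everything */
    iov.iov_base = (void *)payload;
    iov.iov_len = sizeof(payload);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_name = NULL;                /* connected socket: no destination */
    msg.msg_namelen = namelen;          /* 0, or deliberately stale garbage */

    n = sendmsg(sv[0], &msg, 0);
    if (n == -1) {
        err = errno;
        close(sv[0]);
        close(sv[1]);
        return -err;
    }

    /* Receive side: a NULL msg_name means "peer address not wanted". */
    memset(&msg, 0, sizeof(msg));
    iov.iov_base = buf;
    iov.iov_len = sizeof(buf);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_name = NULL;
    msg.msg_namelen = namelen;

    n = recvmsg(sv[1], &msg, 0);
    err = (n == -1) ? errno : 0;
    close(sv[0]);
    close(sv[1]);
    return (n == -1) ? -err : (int)n;
}

int main(void)
{
    int ok = send_with_namelen(0);
    int stale = send_with_namelen(0x7f3a1b2c);   /* constructed "garbage" */

    printf("zeroed msghdr: %d bytes; stale msg_namelen: %s\n", ok,
           stale < 0 ? strerror(-stale) : "accepted by this kernel");
    return ok == (int)sizeof(payload) ? 0 : 1;
}
```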

commit 3edd6b95bf89a262d09ac87c05e2e2432db18bd0
Merge: ca5c222 31cded1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 18:30:45 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 31cded121ad293acd7ddb47a01d20bfbc59aff0c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 18:30:03 2014 -0400

    Update to pax-linux-3.2.62-test157.patch:
    - fixed an assert in the latent entropy plugin under gcc 4.5, reported by Emese

 tools/gcc/latent_entropy_plugin.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ca5c222c961d8336eff035e27432a714c27cf674
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 18:20:33 2014 -0400

    3.2 didn't need this deferring
    
    Revert "pax: defer KERNEXEC instrumentation in IRQ return path"
    
    This reverts commit 188e7e319dfbd150d27d1d7451ebad1834000ce5.

 arch/x86/kernel/entry_64.S |   19 -------------------
 1 files changed, 0 insertions(+), 19 deletions(-)

commit 77c5c6e41bc486fc92de079882048cdfeb88558b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 20:59:54 2014 -0400

    compile fix

 drivers/media/dvb/dvb-usb/cinergyT2-fe.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit e35a79ff36f8d1822a12f64784e886260bf472e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 20:36:10 2014 -0400

    fix several more cases of DMA-on-stack

 drivers/media/dvb/dvb-usb/cinergyT2-fe.c |  179 ++++++++++++++++++++++--------
 1 files changed, 132 insertions(+), 47 deletions(-)

commit c5584f68b79036abf8b615a828c83844babeef86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 19:28:37 2014 -0400

    compile fix

 drivers/media/dvb/dvb-usb/cinergyT2-core.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4da912717213ddce20610d7c73a166ff19943bd6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 19:09:58 2014 -0400

    Fix yet another DMA-on-stack case in the driver for the DVB-T TerraTec
    Cinergy T2, reported by sainz76 on the forums.

 drivers/media/dvb/dvb-usb/cinergyT2-core.c |   90 +++++++++++++++++++++++-----
 1 files changed, 74 insertions(+), 16 deletions(-)

commit 188e7e319dfbd150d27d1d7451ebad1834000ce5
Author: Mathias Krause <mathias.krause@secunet.com>
Date:   Mon Sep 8 13:13:02 2014 +0200

    pax: defer KERNEXEC instrumentation in IRQ return path
    
    The EFI runtime service to relocate, well, the EFI runtime services
    (SetVirtualAddressMap) gets called with a physical mapping and with
    interrupts enabled. If an IRQ triggers while we're executing code in
    the EFI region, the KERNEXEC instrumentation will set the MSB of the
    return address. But this address is actually located in the lower 4GB,
    thereby setting the MSB makes the CPU #GP as the return address just
    got non-canonical.
    
    Fix this by deferring the KERNEXEC instrumentation for the iret path
    until alternatives are applied. This allows these early EFI runtime
    service calls to get interrupted not only by IRQs but also NMIs and
    activates the instrumentation before any userland code will be
    executed -- even before the other APs are started.
    
    Signed-off-by: Mathias Krause <mathias.krause@secunet.com>

 arch/x86/kernel/entry_64.S |   19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)

commit 224a98d17f5ece6294e223cbce0a94cf171ca861
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Wed Aug 27 09:12:24 2014 +0200

    HID: magicmouse: sanity check report size in raw_event() callback
    
    The report passed to us from transport driver could potentially be
    arbitrarily large, therefore we better sanity-check it so that
    magicmouse_emit_touch() gets only valid values of raw_id.
    
    Cc: stable@vger.kernel.org
    Reported-by: Steven Vittitoe <scvitti@google.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

 drivers/hid/hid-magicmouse.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit bb7484b97c9ca1fffe1f2b75a67731f1d3f7ea2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 26 00:35:30 2014 -0400

    add comment

 mm/mmap.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 3b450781121defb7f48dc7274dd721fe978e497b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 23:30:08 2014 -0400

    reuse mm instead of current->mm

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 08c93cf28f505aaebda320de06909f3652e9a640
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 23:19:09 2014 -0400

    Kill Chris Evans' ulimit -d 1 technique to slightly reduce heap ASLR
    entropy on suid/sgid binaries.
    
    Time he spent developing the entire exploit: who knows
    Time I spent adding another way in addition to the 6 or so existing
    ways his exploit is prevented: ~ 5 minutes
    
    Hashtag: ProjectZeroImpact

 mm/mmap.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 7175f416f0740888987a185618501d7eb44d25b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 19:40:32 2014 -0400

    Make sure in every case where we would end up performing a role
    transition in the full-learned policy that we log the necessary
    CAP_SETUID/CAP_SETGID.  This will happen regardless of the
    process actually having CAP_SETUID or CAP_SETGID set, as the
    check on role transition is done only against the subject's permitted
    capabilities, not actual active capabilities.
    
    This fixes full-learning on sshd and likely other applications
    
    Thanks to Stephane from the forums for the report!
    
    Conflicts:
    
    	grsecurity/gracl_cap.c
    	kernel/sys.c

 grsecurity/gracl_cap.c      |   41 +++++++++++++++++++++++++++++------------
 grsecurity/grsec_disabled.c |    6 ++++++
 include/linux/grsecurity.h  |    2 ++
 kernel/sys.c                |   19 +++++++++++++++++++
 4 files changed, 56 insertions(+), 12 deletions(-)

commit d8c343125b0c9b5c17fbe8f5b52d44d698b81c68
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 24 14:48:12 2014 -0400

    remove makefile entry for no-longer-used file

 scripts/Makefile |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit c6a1f020e3e659e55605294bd33d3e917cf3d6f8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 22 16:41:15 2014 -0400

    Introduce an experimental change to TPE -- reject execution of binaries that
    are world-writable.  Contributed by Mickaël Salaün

 grsecurity/grsec_tpe.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 7534afe048b5291c6282a204f5884b164395c5e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 21 23:53:18 2014 -0400

    If no cgroup agent release path is specified, don't bother trying to
    exec any nonexistent usermode helper -- prevents a waste of resources
    and fixes some annoying grsec logs detecting this case.
    
    Thanks to ice9 from the forums for help with testing.
    
    Conflicts:
    
    	kernel/cgroup.c

 kernel/cgroup.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit ca6848c4921b08cfaf698337f5f83a555f74c5ce
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 15 09:16:04 2014 -0700

    Upstream commit: dc808110bb62b64a448696ecac3938902c92e1ab
    
    packet: handle too big packets for PACKET_V3
    
    af_packet can currently overwrite kernel memory by out of bound
    accesses, because it assumed a [new] block can always hold one frame.
    
    This is not generally the case, even if most existing tools do it right.
    
    This patch clamps too long frames as the API permits, and issues a one-time
    error on syslog.
    
    [  394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82
    
    In this example, packet header tp_snaplen was set to 3966,
    and tp_len was set to 5042 (skb->len)
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Acked-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/packet/internal.h

 net/packet/af_packet.c |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)
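The TPACKET_V3 clamp from the commit above, reproduced in userland as an added example (not kernel code) so a ring geometry can be checked before it is handed to PACKET_RX_RING. Assumptions: the 48-byte block header and 8-byte alignment follow struct tpacket_block_desc as laid out in <linux/if_packet.h>; macoff (the frame offset at which packet data starts, which the kernel derives from its own header sizes) is taken as an input; and the log line's numbers (5042 clamped to 3966 at macoff 82) are consistent with a 4096-byte block with no private area, which is inferred here, not stated in the commit.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout constants of the V3 block: header is sizeof(struct tpacket_block_desc)
 * = 48 bytes (version, offset_to_priv, tpacket_hdr_v1), padded to 8 bytes. */
#define V3_ALIGNMENT 8u
#define V3_ALIGN(x)  (((x) + V3_ALIGNMENT - 1) & ~(V3_ALIGNMENT - 1))
#define BLK_HDR_LEN  48u

struct clamp_result {
    uint32_t max_frame_len; /* largest macoff + snaplen one block can hold */
    uint32_t snaplen;       /* bytes of packet data actually stored */
    int clamped;            /* 1 if the packet was truncated */
};

/* Largest frame (macoff included) that fits in one block of the ring. */
uint32_t v3_max_frame_len(uint32_t block_size, uint32_t sizeof_priv)
{
    return block_size - (BLK_HDR_LEN + V3_ALIGN(sizeof_priv));
}

/*
 * Mirror of the check the fix adds to tpacket_rcv(): a frame that would
 * overrun the block is truncated to what fits instead of being written past
 * the block (the out-of-bounds write the commit describes).
 */
struct clamp_result v3_clamp(uint32_t block_size, uint32_t sizeof_priv,
                             uint32_t macoff, uint32_t snaplen)
{
    struct clamp_result r;

    r.max_frame_len = v3_max_frame_len(block_size, sizeof_priv);
    r.snaplen = snaplen;
    r.clamped = 0;
    if (macoff + snaplen > r.max_frame_len) {
        r.snaplen = r.max_frame_len - macoff;
        r.clamped = 1;
    }
    return r;
}

/*
 * Capacity planning for a ring user: the smallest page-multiple block size
 * that stores packets up to 'max_packet' bytes uncut, given the largest
 * macoff expected from the kernel and the requested private area.
 */
uint32_t v3_min_block_size(uint32_t max_packet, uint32_t max_macoff,
                           uint32_t sizeof_priv, uint32_t page_size)
{
    uint32_t need = BLK_HDR_LEN + V3_ALIGN(sizeof_priv) + max_macoff + max_packet;

    return (need + page_size - 1) / page_size * page_size;
}

int main(void)
{
    /* Geometry inferred from the commit's log line: 4096-byte block, no priv. */
    struct clamp_result r = v3_clamp(4096, 0, 82, 5042);

    if (r.clamped)
        printf("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n",
               5042, r.snaplen, 82);
    printf("block size needed for 5042-byte packets at macoff 82: %u\n",
           v3_min_block_size(5042, 82, 0, 4096));
    return 0;
}
```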

commit 913589f0f9f214fc738582b3a12542ab67923704
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 21 20:33:45 2014 -0400

    Remove GRKERNSEC_RANDNET -- it has been unnecessary for quite some
    time now, at least since get_random_bytes started to be used directly
    for filling of AT_RANDOM on each exec -- it's not really possible
    anymore to store up sufficient entropy such that this option would
    have any effect.
    
    Conflicts:
    
    	drivers/char/random.c

 drivers/char/random.c |   15 ---------------
 grsecurity/Kconfig    |   10 ----------
 2 files changed, 0 insertions(+), 25 deletions(-)

commit df7e0d44063474bfa491b4b59fb2e1bcf300c440
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Thu Aug 21 09:57:17 2014 -0500

    Upstream commit: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36
    
    HID: logitech: perform bounds checking on device_id early enough
    
    device_index is a char type and the size of paired_dj_devices is 7
    elements, therefore proper bounds checking has to be applied to
    device_index before it is used.
    
    We are currently performing the bounds checking in
    logi_dj_recv_add_djhid_device(), which is too late, as a malicious device
    could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
    problem in one of the report forwarding functions called from
    logi_dj_raw_event().
    
    Fix this by performing the check at the earliest possible occasion in
    logi_dj_raw_event().
    
    Cc: stable@vger.kernel.org
    Reported-by: Ben Hawkes <hawkes@google.com>
    Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

 drivers/hid/hid-logitech-dj.c |   13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)

commit bee2e71c3211342d70b2aef3c066ba8c815e4b2c
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Thu Aug 21 09:57:48 2014 -0500

    Upstream commit: 4ab25786c87eb20857bbb715c3ae34ec8fd6a214
    
    HID: fix a couple of off-by-ones
    
    There are a few very theoretical off-by-one bugs in report descriptor size
    checking when performing a pre-parsing fixup. Fix those.
    
    Cc: stable@vger.kernel.org
    Reported-by: Ben Hawkes <hawkes@google.com>
    Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    
    Conflicts:
    
    	drivers/hid/hid-kye.c
    	drivers/hid/hid-lg.c

 drivers/hid/hid-cherry.c   |    2 +-
 drivers/hid/hid-kye.c      |    2 +-
 drivers/hid/hid-lg.c       |    4 ++--
 drivers/hid/hid-monterey.c |    2 +-
 drivers/hid/hid-petalynx.c |    2 +-
 drivers/hid/hid-sunplus.c  |    2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

commit 610012c53a64d9b9ef0b8ea589c19066a31ebe1e
Author: Jan Kara <jack@suse.cz>
Date:   Sun Aug 17 11:49:57 2014 +0200

    Upstream commit: 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4
    
    isofs: Fix unbounded recursion when processing relocated directories
    
    We did not check relocated directory in any way when processing Rock
    Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
    entry pointing to another CL entry leading to possibly unbounded
    recursion in kernel code and thus stack overflow or deadlocks (if there
    is a loop created from CL entries).
    
    Fix the problem by not allowing CL entry to point to a directory entry
    with CL entry (such use makes no good sense anyway) and by checking
    whether CL entry doesn't point to itself.
    
    CC: stable@vger.kernel.org
    Reported-by: Chris Evans <cevans@google.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/isofs/inode.c |   15 ++++++++-------
 fs/isofs/isofs.h |   23 +++++++++++++++++++----
 fs/isofs/rock.c  |   39 ++++++++++++++++++++++++++++-----------
 3 files changed, 55 insertions(+), 22 deletions(-)

commit 06c94f632931f42ee57420627ca758d6ce85f111
Author: NeilBrown <neilb@suse.de>
Date:   Wed Aug 13 09:57:07 2014 +1000

    Upstream commit: 9c4bdf697c39805078392d5ddbbba5ae5680e0dd
    
    md/raid6: avoid data corruption during recovery of double-degraded RAID6
    
    During recovery of a double-degraded RAID6 it is possible for
    some blocks not to be recovered properly, leading to corruption.
    
    If a write happens to one block in a stripe that would be written to a
    missing device, and at the same time that stripe is recovering data
    to the other missing device, then that recovered data may not be written.
    
    This patch skips, in the double-degraded case, an optimisation that is
    only safe for single-degraded arrays.
    
    Bug was introduced in 2.6.32 and fix is suitable for any kernel since
    then.  In an older kernel with separate handle_stripe5() and
    handle_stripe6() functions the patch must change handle_stripe6().
    
    Cc: stable@vger.kernel.org (2.6.32+)
    Fixes: 6c0069c0ae9659e3a91b68eaed06a5c6c37f45c8
    Cc: Yuri Tikhonov <yur@emcraft.com>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Reported-by: "Manibalan P" <pmanibalan@amiindia.co.in>
    Tested-by: "Manibalan P" <pmanibalan@amiindia.co.in>
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1090423
    Signed-off-by: NeilBrown <neilb@suse.de>
    Acked-by: Dan Williams <dan.j.williams@intel.com>

 drivers/md/raid5.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit d5379a8db503082781c6cec4938eed956f24d1df
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Wed Aug 6 16:08:43 2014 -0700

    Upstream commit: 69102311a57d1fd65cdc4002c55c5d551c799044
    
    ./Makefile: tell gcc optimizer to never introduce new data races
    
    We have been chasing a memory corruption bug, which turned out to be
    caused by very old gcc (4.3.4), which happily turned conditional load
    into a non-conditional one, and that broke correctness (the condition
    was met only if lock was held) and corrupted memory.
    
    This particular problem with that particular code did not happen when
    newer gccs were used.  I've brought this up with our gcc folks, as I
    wanted to make sure that this can't really happen again, and it turns
    out it actually can.
    
    Quoting Martin Jambor <mjambor@suse.cz>:
     "More current GCCs are more careful when it comes to replacing a
      conditional load with a non-conditional one, most notably they check
      that a store happens in each iteration of _a_ loop but they assume
      loops are executed.  They also perform a simple check whether the
      store cannot trap which currently passes only for non-const
      variables.  A simple testcase demonstrating it on an x86_64 is for
      example the following:
    
      $ cat cond_store.c
    
      #include <errno.h>     /* errno; headers added so the test case compiles */
      #include <error.h>     /* error() (glibc) */
      #include <sys/mman.h>  /* mprotect(), PROT_READ */

      int g_1 = 1;
    
      int g_2[1024] __attribute__((section ("safe_section"), aligned (4096)));
    
      int c = 4;
    
      int __attribute__ ((noinline))
      foo (void)
      {
        int l;
        for (l = 0; (l != 4); l++) {
          if (g_1)
            return l;
          for (g_2[0] = 0; (g_2[0] >= 26); ++g_2[0])
            ;
        }
        return 2;
      }
    
      int main (int argc, char* argv[])
      {
        if (mprotect (g_2, sizeof(g_2), PROT_READ) == -1)
          {
            int e = errno;
            error (e, e, "mprotect error %i", e);
          }
        foo ();
        __builtin_printf("OK\n");
        return 0;
      }
      /* EOF */
      $ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=0
      $ ./a.out
      OK
      $ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=1
      $ ./a.out
      Segmentation fault
    
      The testcase fails the same at least with 4.9, 4.8 and 4.7.  Therefore
      I would suggest building kernels with this parameter set to zero. I
      also agree with Jikos that the default should be changed for -O2.  I
      have run most of the SPEC 2k6 CPU benchmarks (gamess and dealII
      failed, at -O2, not sure why) compiled with and without this option
      and did not see any real difference between respective run-times"
    
    Hopefully the default will be changed in newer gccs, but let's force it
    for kernel builds so that we are on a safe side even when older gcc are
    used.
    
    The code in question was out-of-tree printk-in-NMI (yeah, surprise
    surprise, once again) patch written by Petr Mladek, let me quote his
    comment from our internal bugzilla:
    
     "I have spent a few days investigating an inconsistent state of the kernel ring buffer.
      It turned out that it was caused by a speculative store generated by
      gcc-4.3.4.
    
      The problem is in the assembly generated for make_free_space(). The function is
      called the following way:
    
      + vprintk_emit();
          + log = MAIN_LOG; // with logbuf_lock
             or
             log = NMI_LOG; // with nmi_logbuf_lock
             cont_add(log, ...);
              + cont_flush(log, ...);
                  + log_store(log, ...);
                        + log_make_free_space(log, ...);
    
      If called with log = NMI_LOG then only the nmi_log_* global variables are safe to
      modify, but the generated code also stores into the (main_)log_* global
      variables:
    
      <log_make_free_space>:
             55                      push   %rbp
             89 f6                   mov    %esi,%esi
    
             48 8b 05 03 99 51 01    mov    0x1519903(%rip),%rax       # ffffffff82620868 <nmi_log_next_id>
             44 8b 1d ec 98 51 01    mov    0x15198ec(%rip),%r11d      # ffffffff82620858 <log_next_idx>
             8b 35 36 60 14 01       mov    0x1146036(%rip),%esi       # ffffffff8224cfa8 <log_buf_len>
             44 8b 35 33 60 14 01    mov    0x1146033(%rip),%r14d      # ffffffff8224cfac <nmi_log_buf_len>
             4c 8b 2d d0 98 51 01    mov    0x15198d0(%rip),%r13       # ffffffff82620850 <log_next_seq>
             4c 8b 25 11 61 14 01    mov    0x1146111(%rip),%r12       # ffffffff8224d098 <log_buf>
             49 89 c2                mov    %rax,%r10
             48 21 c2                and    %rax,%rdx
             48 8b 1d 0c 99 55 01    mov    0x155990c(%rip),%rbx       # ffffffff826608a0 <nmi_log_buf>
             49 c1 ea 20             shr    $0x20,%r10
             48 89 55 d0             mov    %rdx,-0x30(%rbp)
             44 29 de                sub    %r11d,%esi
             45 29 d6                sub    %r10d,%r14d
             4c 8b 0d 97 98 51 01    mov    0x1519897(%rip),%r9	# ffffffff82620840 <log_first_seq>
             eb 7e                   jmp    ffffffff81107029	<log_make_free_space+0xe9>
      [...]
             85 ff                   test   %edi,%edi                  # edi = 1 for NMI_LOG
             4c 89 e8                mov    %r13,%rax
             4c 89 ca                mov    %r9,%rdx
             74 0a                   je     ffffffff8110703d	<log_make_free_space+0xfd>
             8b 15 27 98 51 01       mov    0x1519827(%rip),%edx       # ffffffff82620860 <nmi_log_first_id>
             48 8b 45 d0             mov    -0x30(%rbp),%rax
             48 39 c2                cmp    %rax,%rdx                  # end of loop
             0f 84 da 00 00 00       je     ffffffff81107120 <log_make_free_space+0x1e0>
      [...]
             85 ff                   test   %edi,%edi                  # edi = 1 for NMI_LOG
             4c 89 0d 17 97 51 01    mov    %r9,0x1519717(%rip)        # ffffffff82620840 <log_first_seq>
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
                                     KABOOOM
             74 35                   je     ffffffff81107160		 <log_make_free_space+0x220>
    
      It stores log_first_seq when edi == NMI_LOG. These instructions are used also
      when edi == MAIN_LOG but the store is done speculatively before the condition
      is decided.  It is unsafe because we do not have "logbuf_lock" in NMI context
      and some other process might modify "log_first_seq" in parallel"
    
    I believe that the best course of action is both
    
     - building the kernel (and anything multi-threaded, I guess) with that
       optimization turned off
     - persuading gcc folks to change the default for future releases
    
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Martin Jambor <mjambor@suse.cz>
    Cc: Petr Mladek <pmladek@suse.cz>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Marek Polacek <polacek@redhat.com>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: Steven Noonan <steven@uplinklabs.net>
    Cc: Richard Biener <richard.guenther@gmail.com>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	Makefile

 Makefile |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
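The hazard described in the commit above, written out as an added example (not code from the commit or from the kernel): the source has a conditional store, and with store-data-races allowed gcc turns "if (c) x = v;" into "x = c ? v : x;", an unconditional store of either the new value or a stale copy. The transformation is reproduced by hand here, with a hypothetical `interfere` callback standing in for the concurrent writer (in the kernel, another CPU updating log_first_seq while the NMI path runs without logbuf_lock), so the lost update is visible regardless of which compiler builds this file.

```c
#include <stdio.h>

/* Constructed stand-in for log_first_seq: a global shared between the
 * normal (MAIN_LOG) path and a context that must not touch it (NMI_LOG). */
static int shared_seq;

/* What the source says: store only when the caller selected MAIN_LOG.
 * The interference hook models another context writing shared_seq
 * while this function executes. */
static void conditional_store(int is_main, int value, void (*interfere)(void))
{
    if (interfere)
        interfere();
    if (is_main)
        shared_seq = value;
}

/* What gcc may emit from the same source when store data races are
 * allowed: the value is picked by a conditional move and the store is
 * unconditional. Written out by hand; this is the shape of the asm in
 * the commit message (load log_first_seq early, store it back later). */
static void hoisted_store(int is_main, int value, void (*interfere)(void))
{
    int tmp = is_main ? value : shared_seq;   /* stale copy taken here */
    if (interfere)
        interfere();                          /* concurrent writer runs */
    shared_seq = tmp;                         /* ...and is silently undone */
}

/* The concurrent writer: sets the sequence to 42. */
static void other_context_writes(void)
{
    shared_seq = 42;
}

/* Final shared_seq after a call racing with the writer, source semantics.
 * is_main == 0 (NMI path): the writer's 42 must survive. */
int run_safe(int is_main)
{
    shared_seq = 7;
    conditional_store(is_main, 99, other_context_writes);
    return shared_seq;
}

/* Same race against the hoisted form: with is_main == 0 the writer's
 * update is lost and the stale 7 comes back. */
int run_hoisted(int is_main)
{
    shared_seq = 7;
    hoisted_store(is_main, 99, other_context_writes);
    return shared_seq;
}

int main(void)
{
    printf("NMI path, source semantics: %d\n", run_safe(0));    /* 42 */
    printf("NMI path, hoisted store:    %d\n", run_hoisted(0)); /* 7: lost update */
    printf("MAIN path, either form:     %d %d\n", run_safe(1), run_hoisted(1));
    return 0;
}
```

Because the hoisted form rewrites the same value, it is invisible in single-threaded testing; only a concurrent writer exposes it. That is why the commit forces the parameter to zero for the whole kernel build rather than fixing individual call sites.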

commit e86025ad7d01a84c9ba3f313938722ef23ba2b79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 23:24:39 2014 -0400

    error on a brain-damaged configuration seen on the forums:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=4026

 include/linux/grsecurity.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 885b2e50d6ddb86aacd68ee62e51d0e24ab42395
Merge: 5c8425c 07f56cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 23:00:26 2014 -0400

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	arch/x86/Kconfig
    	include/linux/slab.h
    	net/sctp/ulpevent.c

commit 07f56cf38dc1df04ad4fcbe3523be248c146ec12
Merge: 38d7c9d 73886aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 22:58:31 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	arch/x86/kernel/entry_32.S
    	arch/x86/mm/ioremap.c
    	include/linux/slab.h

commit 5c8425c91ff3a1c03c49f76bf83c500e4a4bb73b
Merge: 939438a 38d7c9d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 19:57:57 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 38d7c9d5ef23ecea2a93849d3a13f5401f6d7786
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 19:57:21 2014 -0400

    Update to pax-linux-3.2.61-test156.patch:
    - fixed an incompatibility between STACKLEAK and Xen, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997#p14241)
    - fixed the ESPFIX SS limit on i386 so that it actually works instead of triggering a double fault, reported by Oscon

 arch/x86/kernel/head_32.S    |    2 +-
 tools/gcc/stackleak_plugin.c |   21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

commit 939438a85bbd7b4b4cf5256a9d1696c5de45ed10
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 10:20:05 2014 -0400

    compile fix

 grsecurity/grsum.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f603c29fb37dfa40aaaab54756561819eeaf2270
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 10:15:31 2014 -0400

    fix retval

 grsecurity/grsum.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 6e4064de66c5d780617b50f2ec7586d485e833c3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 10:00:44 2014 -0400

    Mark the right declarations __read_only

 grsecurity/gracl_policy.c |    6 +++---
 grsecurity/grsec_init.c   |    6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 87f27b2d88b0f6da9dd581ec23e7e3ea3c8cc52a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 09:52:39 2014 -0400

    While on x86/x64 scatterlists can be created from kernel image buffers,
    on sparc64 this is apparently invalid and causes a system hang.
    Convert gr_usermode, gr_system_sum, and gr_system_salt back to using
    memory allocated at init.

 grsecurity/gracl_policy.c |   60 ++++++++++++++++++++++----------------------
 grsecurity/grsec_init.c   |   14 ++++++++++
 grsecurity/grsum.c        |   37 +++++++++++++--------------
 3 files changed, 62 insertions(+), 49 deletions(-)

commit 940d0f2a492432cbe173439a6badd36fb2f356d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 2 18:21:02 2014 -0400

    cleanup

 arch/sparc/include/asm/thread_info_64.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 22492b445ac341dd4bb7f80df5499f7a70819f17
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 2 18:18:48 2014 -0400

    Fix KSTACKOVERFLOW compilation on sparc64

 arch/sparc/include/asm/thread_info_64.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 3c38d5b731571fc80f97eae431ec85fbd46b0e99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 19:06:01 2014 -0400

    fix compile error

 tools/gcc/randomize_layout_plugin.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 24710f447a99053e6ce35a8dce8c102b5a506825
Author: James Bottomley <JBottomley@Parallels.com>
Date:   Thu Jul 3 19:17:34 2014 +0200

    Upstream commit: 89fb4cd1f717a871ef79fa7debbe840e3225cd54
    
    scsi: handle flush errors properly
    
    Flush commands don't transfer data and thus need to be special cased
    in the I/O completion handler so that we can propagate errors to
    the block layer and filesystem.
    
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Reported-by: Steven Haber <steven@qumulo.com>
    Tested-by: Steven Haber <steven@qumulo.com>
    Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Christoph Hellwig <hch@lst.de>

 drivers/scsi/scsi_lib.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 22af163d0654be43242c6d4b1681ab9875b1ab6e
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Tue Jul 29 12:07:27 2014 +0200

    Upstream commit: 45a07695bc64b3ab5d6d2215f9677e5b8c05a7d0
    
    tcp: Fix integer-overflows in TCP veno
    
    In veno we do a multiplication of the cwnd and the rtt. This
    may overflow and thus their result is stored in a u64. However, we first
    need to cast the cwnd so that actually 64-bit arithmetic is done.
    
    A first attempt at fixing 76f1017757aa0 ([TCP]: TCP Veno congestion
    control) was made by 159131149c2 (tcp: Overflow bug in Vegas), but it
    failed to add the required cast in tcp_veno_cong_avoid().
    
    Fixes: 76f1017757aa0 ([TCP]: TCP Veno congestion control)
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_veno.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e304749a01bdb4bc8695674a5f247013a5b13d54
Author: Milan Broz <gmazyland@gmail.com>
Date:   Tue Jul 29 18:41:09 2014 +0000

    Upstream commit: 4c63f83c2c2e16a13ce274ee678e28246bd33645
    
    crypto: af_alg - properly label AF_ALG socket
    
    The AF_ALG socket was missing a security label (e.g. SELinux)
    which means that socket was in "unlabeled" state.
    
    This was recently demonstrated in the cryptsetup package
    (cryptsetup v1.6.5 and later.)
    See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
    
    This patch clones the sock's label from the parent sock
    and resolves the issue (similar to AF_BLUETOOTH protocol family).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Milan Broz <gmazyland@gmail.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 crypto/af_alg.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 805577529b565c454ed6acb56c879fdc4614350f
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Tue Jul 29 13:40:57 2014 +0200

    Upstream commit: 1f74e613ded11517db90b2bd57e9464d9e0fb161
    
    tcp: Fix integer-overflow in TCP vegas
    
    In vegas we do a multiplication of the cwnd and the rtt. This
    may overflow and thus their result is stored in a u64. However, we first
    need to cast the cwnd so that actually 64-bit arithmetic is done.
    
    Then, we need to do do_div to allow this to be used on 32-bit arches.
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Neal Cardwell <ncardwell@google.com>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: David Laight <David.Laight@ACULAB.COM>
    Cc: Doug Leith <doug.leith@nuim.ie>
    Fixes: 8d3a564da34e (tcp: tcp_vegas cong avoid fix)
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_vegas.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
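The overflow that both the TCP Veno and TCP Vegas commits above fix, as an added example (not code from either commit or from net/ipv4): storing a product into a u64 does not widen the multiplication itself, so two 32-bit operands are multiplied in 32 bits and truncated before the assignment. The function and variable names below are constructed; `do_div()` is the kernel's 32-bit-safe 64-bit division, replaced here by plain `/` since this runs in user space.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* Pre-fix shape of tcp_veno_cong_avoid()/tcp_vegas_cong_avoid():
 * cwnd and rtt are both 32-bit, so the multiply is done in 32 bits and
 * wraps modulo 2^32; the u64 target only receives the truncated result. */
u64 cwnd_times_rtt_buggy(u32 cwnd, u32 rtt)
{
    u64 target = cwnd * rtt;
    return target;
}

/* Post-fix shape: widen one operand first, so the usual arithmetic
 * conversions promote the other and the multiply is 64-bit. */
u64 cwnd_times_rtt_fixed(u32 cwnd, u32 rtt)
{
    u64 target = (u64)cwnd * rtt;
    return target;
}

/* Vegas additionally divides the product by the current RTT to get the
 * expected window. In the kernel this is do_div(target, rtt) so 32-bit
 * arches don't need a libgcc 64-bit divide; here a plain division. */
u64 expected_cwnd(u32 cwnd, u32 base_rtt, u32 rtt)
{
    u64 target = (u64)cwnd * base_rtt;
    return target / rtt;
}

int main(void)
{
    /* Constructed values large enough that cwnd * rtt exceeds 2^32. */
    u32 cwnd = 100000, rtt = 100000;
    printf("buggy: %llu\n", (unsigned long long)cwnd_times_rtt_buggy(cwnd, rtt));
    printf("fixed: %llu\n", (unsigned long long)cwnd_times_rtt_fixed(cwnd, rtt));
    printf("expected cwnd: %llu\n", (unsigned long long)expected_cwnd(cwnd, rtt, 50000));
    return 0;
}
```

The truncated product feeds a congestion-window decision, so the practical effect of the bug is a wrong window rather than memory corruption; the defensive habit is the same as for size calculations: cast before multiplying, not after.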

commit 017aa069e797bfeefaf5d4f846f81a5b02aac423
Author: Sven Wegener <sven.wegener@stealer.net>
Date:   Tue Jul 22 10:26:06 2014 +0200

    Upstream commit: 80705fca953d4f2983d5197401de4ce7af7699d3
    
    x86_32, entry: Store badsys error code in %eax
    
    commit 8142b215501f8b291a108a202b3a053a265b03dd upstream.
    
    Commit 554086d ("x86_32, entry: Do syscall exit work on badsys
    (CVE-2014-4508)") introduced a regression in the x86_32 syscall entry
    code, resulting in syscall() not returning proper errors for undefined
    syscalls on CPUs supporting the sysenter feature.
    
    The following code:
    
    > int result = syscall(666);
    > printf("result=%d errno=%d error=%s\n", result, errno, strerror(errno));
    
    results in:
    
    > result=666 errno=0 error=Success
    
    Obviously, the syscall return value is the called syscall number, but it
    should have been an ENOSYS error. When run under ptrace it behaves
    correctly, which makes it hard to debug in the wild:
    
    > result=-1 errno=38 error=Function not implemented
    
    The %eax register is the return value register. For debugging via ptrace
    the syscall entry code stores the complete register context on the
    stack. The badsys handlers only store the ENOSYS error code in the
    ptrace register set and do not set %eax like a regular syscall handler
    would. The old resume_userspace call chain contains code that clobbers
    %eax and it restores %eax from the ptrace registers afterwards. The same
    goes for the ptrace-enabled call chain. When ptrace is not used, the
    syscall return value is the passed-in syscall number from the untouched
    %eax register.
    
    Use %eax as the return value register in syscall_badsys and
    sysenter_badsys, like a real syscall handler does, and have the caller
    push the value onto the stack for ptrace access.
    
    Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
    Link: http://lkml.kernel.org/r/alpine.LNX.2.11.1407221022380.31021@titan.int.lan.stealer.net
    Reviewed-and-tested-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    Conflicts:
    
    	arch/x86/kernel/entry_32.S

 arch/x86/kernel/entry_32.S |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit 1b7dd9b4c864a650c87c0b2f4ee428d8a58cb0fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 18:02:05 2014 -0400

    Work around a compatibility issue between the VirtualBox drivers and RANDSTRUCT.
    Two of its ops structs, INTNETTRUNKFACTORY and RAWPCIFACTORY, were chosen for
    randomization, but these seem to be part of a public interface used by code
    not compiled by RANDSTRUCT.  To resolve this, omit these two type names from
    randomization.  Thanks to Pedro Ribeiro for the report.

 tools/gcc/randomize_layout_plugin.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 32ab0eb3774f2b04ec7d412dce297ecc77081cd8
Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Date:   Sat Jul 26 21:26:58 2014 +0400

    Upstream commit: 40eea803c6b2cfaab092f053248cbeab3f368412
    
    net: sendmsg: fix NULL pointer dereference
    
    Sasha's report:
    	> While fuzzing with trinity inside a KVM tools guest running the latest -next
    	> kernel with the KASAN patchset, I've stumbled on the following spew:
    	>
    	> [ 4448.949424] ==================================================================
    	> [ 4448.951737] AddressSanitizer: user-memory-access on address 0
    	> [ 4448.952988] Read of size 2 by thread T19638:
    	> [ 4448.954510] CPU: 28 PID: 19638 Comm: trinity-c76 Not tainted 3.16.0-rc4-next-20140711-sasha-00046-g07d3099-dirty #813
    	> [ 4448.956823]  ffff88046d86ca40 0000000000000000 ffff880082f37e78 ffff880082f37a40
    	> [ 4448.958233]  ffffffffb6e47068 ffff880082f37a68 ffff880082f37a58 ffffffffb242708d
    	> [ 4448.959552]  0000000000000000 ffff880082f37a88 ffffffffb24255b1 0000000000000000
    	> [ 4448.961266] Call Trace:
    	> [ 4448.963158] dump_stack (lib/dump_stack.c:52)
    	> [ 4448.964244] kasan_report_user_access (mm/kasan/report.c:184)
    	> [ 4448.965507] __asan_load2 (mm/kasan/kasan.c:352)
    	> [ 4448.966482] ? netlink_sendmsg (net/netlink/af_netlink.c:2339)
    	> [ 4448.967541] netlink_sendmsg (net/netlink/af_netlink.c:2339)
    	> [ 4448.968537] ? get_parent_ip (kernel/sched/core.c:2555)
    	> [ 4448.970103] sock_sendmsg (net/socket.c:654)
    	> [ 4448.971584] ? might_fault (mm/memory.c:3741)
    	> [ 4448.972526] ? might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3740)
    	> [ 4448.973596] ? verify_iovec (net/core/iovec.c:64)
    	> [ 4448.974522] ___sys_sendmsg (net/socket.c:2096)
    	> [ 4448.975797] ? put_lock_stats.isra.13 (./arch/x86/include/asm/preempt.h:98 kernel/locking/lockdep.c:254)
    	> [ 4448.977030] ? lock_release_holdtime (kernel/locking/lockdep.c:273)
    	> [ 4448.978197] ? lock_release_non_nested (kernel/locking/lockdep.c:3434 (discriminator 1))
    	> [ 4448.979346] ? check_chain_key (kernel/locking/lockdep.c:2188)
    	> [ 4448.980535] __sys_sendmmsg (net/socket.c:2181)
    	> [ 4448.981592] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
    	> [ 4448.982773] ? trace_hardirqs_on (kernel/locking/lockdep.c:2607)
    	> [ 4448.984458] ? syscall_trace_enter (arch/x86/kernel/ptrace.c:1500 (discriminator 2))
    	> [ 4448.985621] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
    	> [ 4448.986754] SyS_sendmmsg (net/socket.c:2201)
    	> [ 4448.987708] tracesys (arch/x86/kernel/entry_64.S:542)
    	> [ 4448.988929] ==================================================================
    
    This report means that we've come to netlink_sendmsg() with msg->msg_name == NULL and msg->msg_namelen > 0.
    
    After this report there was no usual "Unable to handle kernel NULL pointer dereference"
    and this gave me a clue that address 0 is mapped and contains valid socket address structure in it.
    
    This bug was introduced in f3d3342602f8bcbf37d7c46641cb9bca7618eb1c
    (net: rework recvmsg handler msg_name and msg_namelen logic).
    Commit message states that:
    	"Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
    	 non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
    	 affect sendto as it would bail out earlier while trying to copy-in the
    	 address."
    But in fact this affects sendto when address 0 is mapped and contains
    socket address structure in it. In such case copy-in address will succeed,
    verify_iovec() function will successfully exit with msg->msg_namelen > 0
    and msg->msg_name == NULL.
    
    This patch fixes it by setting msg_namelen to 0 if msg_name == NULL.
    
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: <stable@vger.kernel.org>
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/compat.c     |    9 +++++----
 net/core/iovec.c |    6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

commit 4197e21dff54db8838d8bb2bb54cde06a4c50596
Merge: 97419e4 039d801
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 27 19:57:21 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 039d8018a40cd3baf7dab410155e19af5fe28a5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 27 19:56:53 2014 -0400

    Update to pax-linux-3.2.61-test155.patch:
    - fixed an incorrect get_user cast, reported by Corey Minyard
      - there're a few more instances in the kernel still
    - Emese fixed a compile error in the size overflow plugin that manifested under gcc 4.9

 fs/compat_ioctl.c                                  |    2 +-
 .../insert_size_overflow_asm.c                     |   42 --------------------
 .../insert_size_overflow_check_core.c              |   41 +++++++++++++++++++
 .../insert_size_overflow_check_ipa.c               |    2 +-
 .../size_overflow_plugin/intentional_overflow.c    |    3 +
 .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
 6 files changed, 47 insertions(+), 45 deletions(-)

commit 97419e41b6d1530da186ecfa5b7db9214ca93b94
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Jul 26 14:52:01 2014 -0700

    Upstream commit: 2062afb4f804afef61cbe62a30cac9a46e58e067
    
    Fix gcc-4.9.0 miscompilation of load_balance()  in scheduler
    
    Michel Dänzer and a couple of other people reported inexplicable random
    oopses in the scheduler, and the cause turns out to be gcc mis-compiling
    the load_balance() function when debugging is enabled.  The gcc bug
    apparently goes back to gcc-4.5, but slight optimization changes mean
    that it now showed up as a problem in 4.9.0 and 4.9.1.
    
    The instruction scheduling problem causes gcc to schedule a spill
    operation to before the stack frame has been created, which in turn can
    corrupt the spilled value if an interrupt comes in.  There may be other
    effects of this bug too, but that's the code generation problem seen in
    Michel's case.
    
    This is fixed in current gcc HEAD, but the workaround as suggested by
    Markus Trippelsdorf is pretty simple: use -fno-var-tracking-assignments
    when compiling the kernel, which disables the gcc code that causes the
    problem.  This can result in slightly worse debug information for
    variable accesses, but that is infinitely preferable to actual code
    generation problems.
    
    Doing this unconditionally (not just for CONFIG_DEBUG_INFO) also allows
    non-debug builds to verify that the debug build would be identical: we
    can do
    
        export GCC_COMPARE_DEBUG=1
    
    to make gcc internally verify that the result of the build is
    independent of the "-g" flag (it will make the compiler build everything
    twice, toggling the debug flag, and compare the results).
    
    Without the "-fno-var-tracking-assignments" option, the build would fail
    (even with 4.8.3 that didn't show the actual stack frame bug) with a gcc
    compare failure.
    
    See also gcc bugzilla:
    
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61801
    
    Reported-by: Michel Dänzer <michel@daenzer.net>
    Suggested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 Makefile |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 17acc2739760940b289b18da5efd01d928494ce0
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jul 21 00:06:48 2014 +0100

    Upstream commit: 640d7efe4c08f06c4ae5d31b79bd8740e7f6790a
    
    dns_resolver: Null-terminate the right string
    
    *_result[len] is parsed as *(_result[len]) which is not at all what we
    want to touch here.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Fixes: 84a7c0b1db1c ("dns_resolver: assure that dns_query() result is null-terminated")
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/dns_resolver/dns_query.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9c203f84a04ea62b9f78b07039b32ddf4dac2283
Author: Manuel Schölling <manuel.schoelling@gmx.de>
Date:   Sat Jun 7 23:57:25 2014 +0200

    Upstream commit: 84a7c0b1db1c17d5ded8d3800228a608e1070b40
    
    dns_resolver: assure that dns_query() result is null-terminated
    
    dns_query() credulously assumes that keys are null-terminated and
    returns a copy of a memory block that is off by one.
    
    Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/dns_resolver/dns_query.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
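The two dns_resolver commits above are one bug fixed in two steps: the first added the missing byte for a terminator, and its terminating write `*_result[len] = '\0'` parsed as `*(_result[len])`, which the second commit corrected to `(*_result)[len]`. The added example below (constructed, not net/dns_resolver code) models the copy with both fixes applied and shows the precedence mistake on a two-element pointer array, where it is safe to evaluate.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the key payload dns_query() copies out: the
 * bytes are NOT NUL-terminated, and only the first raw_len belong to the
 * answer (the trailing 'X's model whatever follows in the key). */
static const char raw_payload[] = { '1', '0', '.', '0', '.', '0', '.', '1', 'X', 'X' };
static const size_t raw_len = 8;

/* Modeled dns_query() result copy with both fixes: allocate len + 1
 * (first commit) and terminate through the dereferenced pointer
 * (second commit). Returns the length or -1 on allocation failure. */
int dns_query_copy(const char *data, size_t len, char **_result)
{
    char *copy = malloc(len + 1);
    if (!copy)
        return -1;
    memcpy(copy, data, len);
    *_result = copy;
    (*_result)[len] = '\0';
    return (int)len;
}

/* Why "*_result[len]" was wrong: postfix [] binds tighter than prefix *,
 * so the expression indexes the pointer array and dereferences the
 * selected pointer. With one real pointer and len == 8 that is an
 * out-of-bounds read of the pointer slot followed by a stray write. */
char precedence_demo(void)
{
    char a[] = "A", b[] = "B";
    char *ptrs[2] = { a, b };
    char **_result = ptrs;
    return *_result[1];   /* reads b[0], i.e. 'B', not a[1] */
}

/* Returns 1 if the copied result is correctly terminated. */
int copy_is_terminated(void)
{
    char *out = NULL;
    int n = dns_query_copy(raw_payload, raw_len, &out);
    int ok = n == 8 && strlen(out) == 8 && strcmp(out, "10.0.0.1") == 0;
    free(out);
    return ok;
}

int main(void)
{
    printf("*_result[1] reads '%c'\n", precedence_demo());
    printf("copy terminated: %d\n", copy_is_terminated());
    return 0;
}
```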

commit 7da80c789c04170dd8219da791d0f4423bc53b56
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Jul 18 17:26:41 2014 -0400

    Upstream commit: 79a8468747c5f95ed3d5ce8376a3e82e0c5857fc
    
    random: check for increase of entropy_count because of signed conversion
    
    The expression entropy_count -= ibytes << (ENTROPY_SHIFT + 3) could
    actually increase entropy_count if during assignment of the unsigned
    expression on the RHS (mind the -=) we reduce the value modulo
    2^width(int) and assign it to entropy_count. Trinity found this.
    
    [ Commit modified by tytso to add an additional safety check for a
      negative entropy_count -- which should never happen, and to also add
      an additional paranoia check to prevent overly large count values to
      be passed into urandom_read().  ]
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org

 drivers/char/random.c |   17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)
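The signed/unsigned mix-up in the random.c commit above, as an added example (constructed, not drivers/char/random.c code): `entropy_count` is an int and `ibytes` a size_t, so in `entropy_count -= ibytes << (ENTROPY_SHIFT + 3)` the int is converted to size_t, the subtraction wraps, and the result is converted back to int modulo 2^32. With a request of about 64 MiB the debit lands just under 2^32 and the pool's count goes up. `ENTROPY_SHIFT` is 3 in that file; the cap in `cap_request` follows the shape of the paranoia check the message mentions and is an assumption about its exact form. The conversion back to int relies on the wraparound gcc implements.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define ENTROPY_SHIFT 3   /* as in drivers/char/random.c */

/* Pre-fix arithmetic from account(): mixed int/size_t subtraction. */
int account_buggy(int entropy_count, size_t ibytes)
{
    entropy_count -= ibytes << (ENTROPY_SHIFT + 3);   /* wraps, may grow */
    return entropy_count;
}

/* Post-fix shape: subtract in a wide signed type and clamp at zero so the
 * count can neither wrap upward nor go negative. */
int account_fixed(int entropy_count, size_t ibytes)
{
    long long debit = (long long)ibytes << (ENTROPY_SHIFT + 3);
    long long remaining = (long long)entropy_count - debit;
    if (remaining < 0)
        remaining = 0;       /* pool drained, never negative */
    return (int)remaining;
}

/* Caller-side paranoia check (shape assumed): cap the request so that
 * ibytes << (ENTROPY_SHIFT + 3) always fits in an int. */
size_t cap_request(size_t nbytes)
{
    size_t max = (size_t)INT_MAX >> (ENTROPY_SHIFT + 3);
    return nbytes < max ? nbytes : max;
}

int main(void)
{
    /* Constructed: pool holds 1000 units, a read of 2^26 - 8 bytes is
     * accounted. (2^26 - 8) << 6 == 2^32 - 512, so the wrapped result
     * is 1000 + 512 = 1512: more entropy than before the read. */
    size_t ibytes = (size_t)67108856;
    printf("buggy:  %d\n", account_buggy(1000, ibytes));
    printf("fixed:  %d\n", account_fixed(1000, ibytes));
    printf("capped: %zu\n", cap_request(ibytes));
    return 0;
}
```

An over-reported entropy count is a worst case for a CSPRNG's accounting: blocking readers of /dev/random would be released on the strength of bits the pool does not have. The fix therefore both clamps the result and bounds the input before it reaches the arithmetic.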

commit 2e174f924f1136bc3ae13d1efb49344199327432
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 17 13:50:45 2014 +0300

    Upstream commit: a28d0e873d2899bd750ae495f84fe9c1a2f53809
    
    wan/x25_asy: integer overflow in x25_asy_change_mtu()
    
    If "newmtu * 2 + 4" is too large then it can cause an integer overflow
    leading to memory corruption.  Eric Dumazet suggests that 65534 is a
    reasonable upper limit.
    
    Btw, "newmtu" is not allowed to be a negative number because of the
    check in dev_set_mtu(), so that's ok.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/x25_asy.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ca73e57546661064611d6add30c4cf030df1292b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 23 20:38:57 2014 -0400

    Backport actual fixes from 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea
    not sure why upstream saw it necessary to lump in over a dozen
    comment and noop formatting changes into the same patch

 net/sctp/ulpevent.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit dcd31ea940876862f32f91290b483c85bdaa0dca
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Jul 22 15:22:45 2014 +0200

    Upstream commit: 1be9a950c646c9092fb3618197f7b6bfb50e82aa
    
    net: sctp: inherit auth_capable on INIT collisions
    
    Jason reported an oops caused by SCTP on his ARM machine with
    SCTP authentication enabled:
    
    Internal error: Oops: 17 [#1] ARM
    CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1
    task: c6eefa40 ti: c6f52000 task.ti: c6f52000
    PC is at sctp_auth_calculate_hmac+0xc4/0x10c
    LR is at sg_init_table+0x20/0x38
    pc : [<c024bb80>]    lr : [<c00f32dc>]    psr: 40000013
    sp : c6f538e8  ip : 00000000  fp : c6f53924
    r10: c6f50d80  r9 : 00000000  r8 : 00010000
    r7 : 00000000  r6 : c7be4000  r5 : 00000000  r4 : c6f56254
    r3 : c00c8170  r2 : 00000001  r1 : 00000008  r0 : c6f1e660
    Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 0005397f  Table: 06f28000  DAC: 00000015
    Process sctp-test (pid: 104, stack limit = 0xc6f521c0)
    Stack: (0xc6f538e8 to 0xc6f54000)
    [...]
    Backtrace:
    [<c024babc>] (sctp_auth_calculate_hmac+0x0/0x10c) from [<c0249af8>] (sctp_packet_transmit+0x33c/0x5c8)
    [<c02497bc>] (sctp_packet_transmit+0x0/0x5c8) from [<c023e96c>] (sctp_outq_flush+0x7fc/0x844)
    [<c023e170>] (sctp_outq_flush+0x0/0x844) from [<c023ef78>] (sctp_outq_uncork+0x24/0x28)
    [<c023ef54>] (sctp_outq_uncork+0x0/0x28) from [<c0234364>] (sctp_side_effects+0x1134/0x1220)
    [<c0233230>] (sctp_side_effects+0x0/0x1220) from [<c02330b0>] (sctp_do_sm+0xac/0xd4)
    [<c0233004>] (sctp_do_sm+0x0/0xd4) from [<c023675c>] (sctp_assoc_bh_rcv+0x118/0x160)
    [<c0236644>] (sctp_assoc_bh_rcv+0x0/0x160) from [<c023d5bc>] (sctp_inq_push+0x6c/0x74)
    [<c023d550>] (sctp_inq_push+0x0/0x74) from [<c024a6b0>] (sctp_rcv+0x7d8/0x888)
    
    While we already had various kind of bugs in that area
    ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if
    we/peer is AUTH capable") and b14878ccb7fa ("net: sctp: cache
    auth_enable per endpoint"), this one is a bit of a different
    kind.
    
    Giving a bit more background on why SCTP authentication is
    needed can be found in RFC4895:
    
      SCTP uses 32-bit verification tags to protect itself against
      blind attackers. These values are not changed during the
      lifetime of an SCTP association.
    
      Looking at new SCTP extensions, there is the need to have a
      method of proving that an SCTP chunk(s) was really sent by
      the original peer that started the association and not by a
      malicious attacker.
    
    To cause this bug, we're triggering an INIT collision between
    peers; normal SCTP handshake where both sides intend to
    authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO
    parameters that are being negotiated among peers:
    
      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------
    
    RFC4895 says that each endpoint therefore knows its own random
    number and the peer's random number *after* the association
    has been established. The local and peer's random number along
    with the shared key are then part of the secret used for
    calculating the HMAC in the AUTH chunk.
    
    Now, in our scenario, we have 2 threads with 1 non-blocking
    SEQ_PACKET socket each, setting up common shared SCTP_AUTH_KEY
    and SCTP_AUTH_ACTIVE_KEY properly, and each of them calling
    sctp_bindx(3), listen(2) and connect(2) against each other,
    thus the handshake looks similar to this, e.g.:
    
      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      <--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] -----------
      -------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] -------->
      ...
    
    Since such collisions can also happen with verification tags,
    the RFC4895 for AUTH rather vaguely says under section 6.1:
    
      In case of INIT collision, the rules governing the handling
      of this Random Number follow the same pattern as those for
      the Verification Tag, as explained in Section 5.2.4 of
      RFC 2960 [5]. Therefore, each endpoint knows its own Random
      Number and the peer's Random Number after the association
      has been established.
    
    In RFC2960, section 5.2.4, we're eventually hitting Action B:
    
      B) In this case, both sides may be attempting to start an
         association at about the same time but the peer endpoint
         started its INIT after responding to the local endpoint's
         INIT. Thus it may have picked a new Verification Tag not
         being aware of the previous Tag it had sent this endpoint.
         The endpoint should stay in or enter the ESTABLISHED
         state but it MUST update its peer's Verification Tag from
         the State Cookie, stop any init or cookie timers that may
         running and send a COOKIE ACK.
    
    In other words, the handling of the Random parameter is the
    same as behavior for the Verification Tag as described in
    Action B of section 5.2.4.
    
    Looking at the code, we exactly hit the sctp_sf_do_dupcook_b()
    case which triggers an SCTP_CMD_UPDATE_ASSOC command to the
    side effect interpreter, and in fact it properly copies over
    peer_{random, hmacs, chunks} parameters from the newly created
    association to update the existing one.
    
    Also, the old asoc_shared_key is being released and based on
    the new params, sctp_auth_asoc_init_active_key() updated.
    However, the issue observed in this case is that the previous
    asoc->peer.auth_capable was 0, and has *not* been updated, so
    that instead of creating a new secret, we're doing an early
    return from the function sctp_auth_asoc_init_active_key()
    leaving asoc->asoc_shared_key as NULL. However, we now have to
    authenticate chunks from the updated chunk list (e.g. COOKIE-ACK).
    
    That in fact causes the server side when responding with ...
    
      <------------------ AUTH; COOKIE-ACK -----------------
    
    ... to trigger a NULL pointer dereference, since in
    sctp_packet_transmit(), it discovers that an AUTH chunk is
    being queued for xmit, and thus it calls sctp_auth_calculate_hmac().
    
    Since the asoc->active_key_id is still inherited from the
    endpoint, and the same as encoded into the chunk, it uses
    asoc->asoc_shared_key, which is still NULL, as an asoc_key
    and dereferences it in ...
    
      crypto_hash_setkey(desc.tfm, &asoc_key->data[0], asoc_key->len)
    
    ... causing an oops. All this happens because sctp_make_cookie_ack()
    called with the *new* association has the peer.auth_capable=1
    and therefore marks the chunk with auth=1 after checking
    sctp_auth_send_cid(), but it is *actually* sent later on over
    the then *updated* association's transport that didn't initialize
    its shared key due to peer.auth_capable=0. Since control chunks
    in that case are not sent by the temporary association which
    are scheduled for deletion, they are issued for xmit via
    SCTP_CMD_REPLY in the interpreter with the context of the
    *updated* association. peer.auth_capable was 0 in the updated
    association (which went from COOKIE_WAIT into ESTABLISHED state),
    since all previous processing that performed sctp_process_init()
    was being done on temporary associations, that we eventually
    throw away each time.
    
    The correct fix is to update to the new peer.auth_capable
    value as well in the collision case via sctp_assoc_update(),
    so that in case the collision migrated from 0 -> 1,
    sctp_auth_asoc_init_active_key() can properly recalculate
    the secret. This therefore fixes the observed server panic.
    
    Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
    Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/associola.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 723a9740df77f121e66b66279e43e7737f4795d1
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Mon Jul 14 17:02:31 2014 -0700

    Upstream commit: 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf
    
    Yet another upstream silent security fix
    
    net/l2tp: don't fall back on UDP [get|set]sockopt
    
    The l2tp [get|set]sockopt() code has fallen back to the UDP functions
    for socket option levels != SOL_PPPOL2TP since day one, but that has
    never actually worked, since the l2tp socket isn't an inet socket.
    
    As David Miller points out:
    
      "If we wanted this to work, it'd have to look up the tunnel and then
       use tunnel->sk, but I wonder how useful that would be"
    
    Since this can never have worked so nobody could possibly have depended
    on that functionality, just remove the broken code and return -EINVAL.
    
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Acked-by: James Chapman <jchapman@katalix.com>
    Acked-by: David Miller <davem@davemloft.net>
    Cc: Phil Turnbull <phil.turnbull@oracle.com>
    Cc: Vegard Nossum <vegard.nossum@oracle.com>
    Cc: Willy Tarreau <w@1wt.eu>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 net/l2tp/l2tp_ppp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c86a686a85e05591c1f88282f3e22f48802c911a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 15 16:40:36 2014 -0400

    fix more DMA-on-stack cases

 drivers/media/dvb/dvb-usb/dvb-usb-firmware.c |   37 ++++++++++++++++++-------
 1 files changed, 26 insertions(+), 11 deletions(-)

commit 862b3b49a8fed0720d62674f5ead9bd5eec69fa0
Merge: 0b43139 9f35dc2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 19:37:28 2014 -0400

    Merge branch 'pax-stable' into grsec-stable

commit 9f35dc281dd37d104be973ad3bd47066b4662865
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 19:35:52 2014 -0400

    Update to pax-linux-3.2.61-test154.patch:
    - Emese fixed a size overflow false positive, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997)
    - reverted an old compiler warning fix now causing problems with PCI device enumeration, reported by /dev/random (http://forums.grsecurity.net/viewtopic.php?f=3&t=3989)

 include/linux/mod_devicetable.h                    |    2 +-
 .../insert_size_overflow_check_ipa.c               |   18 +++++++++++++-----
 .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
 3 files changed, 15 insertions(+), 7 deletions(-)

commit 0b4313939d0db675558bb5320fa3c981c0e26d44
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 11:30:26 2014 -0400

    fix another DMA-on-stack case
    
    Conflicts:
    
    	drivers/usb/host/hwa-hc.c

 drivers/usb/host/hwa-hc.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 3cd4f741d3fd7c8242c0449f63961f5ec3032058
Author: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Date:   Wed Aug 21 01:43:19 2013 -0700

    hso: Fix stack corruption on some architectures
    
    As Sergei Shtylyov explained in the #mipslinux IRC channel:
    [Mon 2013-08-19 12:28:21 PM PDT] <headless> guys, are you sure it's not "DMA off stack" case?
    [Mon 2013-08-19 12:28:35 PM PDT] <headless> it's a known stack corruptor on non-coherent arches
    [Mon 2013-08-19 12:31:48 PM PDT] <DonkeyHotei> headless: for usb/ehci?
    [Mon 2013-08-19 12:34:11 PM PDT] <DonkeyHotei> headless: explain
    [Mon 2013-08-19 12:35:38 PM PDT] <headless> usb_control_msg() (or other such func) should not use buffer on stack. DMA from/to stack is prohibited
    [Mon 2013-08-19 12:35:58 PM PDT] <headless> and EHCI uses DMA on control xfers (as well as all the others)
    
    Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
    Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/hso.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ecbc9370398c612d176b2f55b5e18d68f7a79824
Merge: eced417 37db411
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 11 21:32:28 2014 -0400

    Merge branch 'pax-stable' into grsec-stable
    
    Conflicts:
    	arch/mips/kernel/scall32-o32.S
    	arch/mips/kernel/scall64-64.S
    	arch/mips/kernel/scall64-n32.S
    	arch/mips/kernel/scall64-o32.S
    	lib/lzo/lzo1x_decompress.c

commit 37db411be348f02b54e131e560216f65fd8c7858
Merge: 9a2f790 e9b1a5c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 11 21:25:42 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable
    
    Conflicts:
    	arch/x86/kernel/entry_32.S
    	include/net/inetpeer.h
    	net/ipv6/ip6_output.c

commit eced417d64539e2cdd3488aa6380a868345f9bff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 10 00:07:03 2014 -0400

    compile fix

 net/ipv6/addrconf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f36ba2a503a679875cb23d5ae46c6dabb5ea0804
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 9 23:14:19 2014 -0400

    Allow /proc/net/if_inet6 to be visible by non-root users -- it is needed
    on Fedora 20 and the contents are similar to those of the already-allowed
    /proc/net/dev
    
    Conflicts:
    
    	fs/proc/proc_net.c
    	net/ipv6/addrconf.c

 fs/proc/proc_net.c  |   22 +++++++++++++++++++++-
 net/ipv6/addrconf.c |   11 +++++++++--
 2 files changed, 30 insertions(+), 3 deletions(-)

commit 58f7da419b21858b8f8589015e3442cfc92916b1
Author: nikolay@redhat.com <nikolay@redhat.com>
Date:   Sat Apr 6 00:54:37 2013 +0000

    Revert "bonding: remove sysfs before removing devices"
    
    This reverts commit 4de79c737b200492195ebc54a887075327e1ec1d.
    
    This patch introduces a new bug which causes access to freed memory.
    In bond_uninit: list_del(&bond->bond_list);
    bond_list is linked in bond_net's dev_list which is freed by
    unregister_pernet_subsys.
    
    Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/bonding/bond_main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f79fb7679dacc533e16aec452ca10d181205b636
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Nov 14 22:32:15 2012 -0500

    Revert "drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free"
    
    This reverts commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e.
    
    As pointed out by Ben Hutchings, this change is not correct.
    
    mdiobus_unregister() can't be called if the bus isn't registered yet,
    however this change can result in situations which cause that to
    happen.
    
    Part of the confusion here revolves around the fact that the
    callers of this module control registration/unregistration,
    rather than the module itself.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/phy/mdio-bitbang.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 4526f7c8009b81c1de66725f95122217316050e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 7 17:22:16 2014 -0400

    fix gcc warning

 net/netfilter/nf_conntrack_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f754fafe847590003a676629746d0b76e6b34a4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 7 16:07:41 2014 -0400

    Backport extra commit for safety sake:
    commit f302b21ee907f65af6434d8618d2c1a921c02d48
    Author: Andy Lutomirski <luto@amacapital.net>
    Date:   Wed Jul 2 14:52:55 2014 -0700
    
        x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    
        Don't allow ptrace to set RIP to a value that couldn't happen by
        ordinary control flow. There are CPU bugs^Wfeatures that can have
        interesting effects if RIP is non-canonical.
    
        I didn't make the corresponding x86_32 change, since x86_32 has no
        concept of canonical addresses.
    
        putreg32 doesn't need this fix: value is only 32 bits, so it can't
        be non-canonical.
    
        Fixes CVE-2014-4699.  There are arguably still bugs here, but this
        fixes the major issue.
    
        Signed-off-by: Andy Lutomirski <luto@amacapital.net>
        CVE-2014-4699
        BugLink: http://bugs.launchpad.net/bugs/1337339
        Acked-by: Andy Whitcroft <apw@canonical.com>
        Signed-off-by: John Johansen <john.johansen@canonical.com>
        Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

 arch/x86/kernel/ptrace.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit fa5713f5b0214732cd02a8d155daa2077bffbfa0
Author: Tejun Heo <tj@kernel.org>
Date:   Thu Jul 3 15:43:15 2014 -0400

    Upstream commit: b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a
    
    ptrace,x86: force IRET path after a ptrace_stop()
    
    The 'sysret' fastpath does not correctly restore even all regular
    registers, much less any segment registers or reflags values.  That is
    very much part of why it's faster than 'iret'.
    
    Normally that isn't a problem, because the normal ptrace() interface
    catches the process using the signal handler infrastructure, which
    always returns with an iret.
    
    However, some paths can get caught using ptrace_event() instead of the
    signal path, and for those we need to make sure that we aren't going to
    return to user space using 'sysret'.  Otherwise the modifications that
    may have been done to the register set by the tracer wouldn't
    necessarily take effect.
    
    Fix it by forcing IRET path by setting TIF_NOTIFY_RESUME from
    arch_ptrace_stop_needed() which is invoked from ptrace_stop().
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/include/asm/ptrace.h |   16 ++++++++++++++++
 include/linux/ptrace.h        |    3 +++
 2 files changed, 19 insertions(+), 0 deletions(-)

commit 0f3319928845248bff4ec7a52a8574c1eaef951d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 29 18:11:08 2014 -0400

    revert PCI_ANY_ID change to fix problem with vgaswitcheroo as reported by
    /dev/random here:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=3989

 include/linux/mod_devicetable.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ac3cb18307b0e019e2d0df3e81f793ef5f128174
Author: Zhaowei Yuan <zhaowei.yuan@samsung.com>
Date:   Wed Jun 18 14:33:59 2014 +0800

    Upstream commit: 1539fb9bd405ee32282ea0a38404f9e008ac5b7a
    
    drm: fix NULL pointer access by wrong ioctl
    
    If user uses wrong ioctl command with _IOC_NONE and argument size
    greater than 0, it can cause NULL pointer access from memset of line
    463. If _IOC_NONE, don't memset to 0 for kdata.
    
    Signed-off-by: Zhaowei Yuan <zhaowei.yuan@samsung.com>
    Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
    	drivers/gpu/drm/drm_drv.c

 drivers/gpu/drm/drm_drv.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 74a3bdf236caeaaf6584578ca3182ca56042f1a7
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:31 2014 +0200

    Upstream commit: 07f4d9d74a04aa7c72c5dae0ef97565f28f17b92
    
    ALSA: control: Protect user controls against concurrent access
    
    The user-control put and get handlers as well as the tlv do not protect against
    concurrent access from multiple threads. Since the state of the control is not
    updated atomically it is possible that either two write operations or a write
    and a read operation race against each other. Both can lead to arbitrary memory
    disclosure. This patch introduces a new lock that protects user-controls from
    concurrent access. Since applications typically access controls sequentially
    rather than in parallel, a single lock per card should be fine.
    
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Acked-by: Jaroslav Kysela <perex@perex.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

 include/sound/core.h |    2 ++
 sound/core/control.c |   31 +++++++++++++++++++++++++------
 sound/core/init.c    |    1 +
 3 files changed, 28 insertions(+), 6 deletions(-)

commit 507712085e5ea6cd7900444b79762ec3961faf3e
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:33 2014 +0200

    Upstream commit: fd9f26e4eca5d08a27d12c0933fceef76ed9663d
    
    ALSA: control: Don't access controls outside of protected regions
    
    A control that is visible on the card->controls list can be freed at any time.
    This means we must not access any of its memory while not holding the
    controls_rw_lock. Otherwise we risk a use after free access.
    
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Acked-by: Jaroslav Kysela <perex@perex.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

 sound/core/control.c |   15 ++++++++++-----
 1 files changed, 10 insertions(+), 5 deletions(-)

commit 23e0b172e9dcaebbd9aa378f8bfa6a0371d43830
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:32 2014 +0200

    Upstream commit: 82262a46627bebb0febcc26664746c25cef08563
    
    ALSA: control: Fix replacing user controls
    
    There are two issues with the current implementation for replacing user
    controls. The first is that the code does not check if the control is actually a
    user control and neither does it check if the control is owned by the process
    that tries to remove it. That allows userspace applications to remove arbitrary
    controls, which can cause a use after free if, for example, a driver does not
    expect a control to be removed from under its feet.
    
    The second issue is that on one hand when a control is replaced the
    user_ctl_count limit is not checked and on the other hand the user_ctl_count is
    increased (even though the number of user controls does not change). This allows
    userspace, once the user_ctl_count limit has been reached, to repeatedly replace
    a control until user_ctl_count overflows. Once that happens new controls can be
    added effectively bypassing the user_ctl_count limit.
    
    Both issues can be fixed by instead of open-coding the removal of the control
    that is to be replaced to use snd_ctl_remove_user_ctl(). This function does
    proper permission checks as well as decrements user_ctl_count after the control
    has been removed.
    
    Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at
    beginning of the function if the control already exists is removed. This is not
    a problem though since the check is quite useless, because the lock that is
    protecting the control list is released between the check and before adding the
    new control to the list, which means that it is possible that a different
    control with the same settings is added to the list after the check. Luckily
    there is another check that is done while holding the lock in snd_ctl_add(), so
    we'll rely on that to make sure that the same control is not added twice.
    
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Acked-by: Jaroslav Kysela <perex@perex.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

 sound/core/control.c |   25 +++++++++----------------
 1 files changed, 9 insertions(+), 16 deletions(-)

commit 97213774257d345f19783dfee25261b24924d09c
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:35 2014 +0200

    Upstream commit: 883a1d49f0d77d30012f114b2e19fc141beb3e8e
    
    ALSA: control: Make sure that id->index does not overflow
    
    The ALSA control code expects that the range of assigned indices to a control is
    continuous and does not overflow. Currently there are no checks to enforce this.
    If a control with an overflowing index range is created that control becomes
    effectively inaccessible and unremovable since snd_ctl_find_id() will not be
    able to find it. This patch adds a check that makes sure that controls with an
    overflowing index range can not be created.
    
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Acked-by: Jaroslav Kysela <perex@perex.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

 sound/core/control.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 71b51afcc4fee7852d4381360de4e6335e8b2726
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:34 2014 +0200

    Upstream commit: ac902c112d90a89e59916f751c2745f4dbdbb4bd
    
    ALSA: control: Handle numid overflow
    
    Each control gets automatically assigned its numids when the control is created.
    The allocation is done by incrementing the numid by the amount of allocated
    numids per allocation. This means that excessive creation and destruction of
    controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
    eventually overflow. Currently when this happens for the control that caused the
    overflow kctl->id.numid + kctl->count will also overflow causing it to be
    smaller than kctl->id.numid. Most of the code assumes that this is something
    that can not happen, so we need to make sure that it won't happen.
    
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Acked-by: Jaroslav Kysela <perex@perex.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

 sound/core/control.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 6a8b19ad31ebc2f7522a292c6195cc5dc92ab750
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 26 18:19:44 2014 -0400

    Upstream commit: 206a81c18401c0cde6e579164f752c4b147324ce
    
    lzo: properly check for overruns
    
    The lzo decompressor can, if given some really crazy data, possibly
    overrun some variable types.  Modify the checking logic to properly
    detect overruns before they happen.
    
    Reported-by: "Don A. Bailey" <donb@securitymouse.com>
    Tested-by: "Don A. Bailey" <donb@securitymouse.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/lzo/lzo1x_decompress.c |   62 +++++++++++++++++++++++++++++---------------
 1 files changed, 41 insertions(+), 21 deletions(-)

commit 00767c94053d15f23871ba7d6cbc35ee5da8fddb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 26 18:16:38 2014 -0400

    upstream commit 8b975bd3f9089f8ee5d7bbfd798537b992bbc7e7
    Author: Markus F.X.J. Oberhumer <markus@oberhumer.com>
    Date:   Mon Aug 13 17:25:44 2012 +0200
    
        lib/lzo: Update LZO compression to current upstream version
    
        This commit updates the kernel LZO code to the current upstream version
        which features a significant speed improvement - benchmarking the Calgary
        and Silesia test corpora typically shows a doubled performance in
        both compression and decompression on modern i386/x86_64/powerpc machines.
    
        Signed-off-by: Markus F.X.J. Oberhumer <markus@oberhumer.com>

 include/linux/lzo.h        |   15 +-
 lib/lzo/lzo1x_compress.c   |  335 ++++++++++++++++++++++++------------------
 lib/lzo/lzo1x_decompress.c |  350 +++++++++++++++++++++-----------------------
 lib/lzo/lzodefs.h          |   38 ++++--
 4 files changed, 395 insertions(+), 343 deletions(-)

commit 742ec59022c7a0b84482c868fd7334a2b7d8c7cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 23 21:07:10 2014 -0400

    change vunmap documentation back, it was changed when I was exploring
    a simpler approach to the KSTACKOVERFLOW problem

 mm/vmalloc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fbe6bbb49405c4f392ecaaeeb16940daf33be713
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 22 17:45:49 2014 -0400

    apply patch from http://marc.info/?l=linux-fsdevel&m=140128600801771&w=2
    to ensure "hidden" files can't be created due to get_next_ino returning an inode of 0

 fs/inode.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 801f7094c71d49b78d05f5055fd22b0b6b271f49
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 22 12:28:46 2014 -0400

    move grkernsec_setxid flag on mips into the LSW to match header documentation

 arch/mips/include/asm/thread_info.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a20924dd0fb5655c3bdbbb9ced629ceb0d50e6fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 22 00:47:05 2014 -0400

    fix !GRKERNSEC_KSTACKOVERFLOW compilation

 include/linux/vmalloc.h |    2 ++
 mm/vmalloc.c            |   10 ++++++++++
 2 files changed, 12 insertions(+), 0 deletions(-)

commit b4a3ab65850c171ca72716ad05a39d16158e45e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 21 23:17:23 2014 -0400

    Fix GRKERNSEC_KSTACKOVERFLOW incompatibility with virtio_net and other more
    rare drivers.  Unfortunately to resolve the problem we had to choose between
    invasive changes to dozens of call-sites and continued future maintenance work,
    or rearchitecting the feature to be able to handle the uses seamlessly.  With
    some tips from pipacs, I chose the latter.
    
    Various drivers including virtio_net use scatterlists derived from stack-based
    buffers (e.g. as an argument to sg_set_buf/sg_init_one).  The scatterlist API
    requires that these buffers be in the kernel image or in kmalloc'd buffers,
    which caused a problem when vmalloc'd stacks were used due to
    GRKERNSEC_KSTACKOVERFLOW.  What we do now is keep the original lowmem kstack
    allocation and then perform a THREAD_SIZE-aligned vmapped alias of the lowmem
    kstack's physical pages.  We also restore kernel stack accounting by using
    this method.  The downside is the existence of the lowmem kstack mapping, but
    the security guarantees of the feature are preserved.
    
    In sg_set_buf() (called by sg_init_one and directly) we now check to see if
    the buffer is on the current kernel stack.  If it is, then we redirect the API
    to the lowmem alias of the kernel stack, preserving its assumptions.
    
    Since the unmapping of the virtual alias can sleep, we need to schedule it
    when called in interrupt context similar to before with vfree.  Unlike before
    however, the contents of the alias depend on the lowmem physical pages, so
    we also need to defer the execution of free_thread_info().
    
    We also have added a temporary debugging measure for this feature by
    adding a BUG_ON() to virt_to_page() to ensure we're not using a vmapped kernel
    stack address for APIs needing lowmem buffers -- this way we can be notified
    of any other APIs that need similar redirection.
    
    Thanks to kocka for assisting with some initial qemu/kernel debugging.

 arch/x86/include/asm/page.h |   12 ++++++-
 include/linux/scatterlist.h |    7 ++++
 include/linux/sched.h       |    5 ++-
 include/linux/vmalloc.h     |    3 +-
 kernel/fork.c               |   53 +++++++++++++++++++++++--------
 mm/vmalloc.c                |   72 ++++++++++++++++++++++++++++++++++---------
 6 files changed, 120 insertions(+), 32 deletions(-)

commit 5fc86e48c1652e5cb320f0e45d03532403588cfb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 13:43:33 2014 -0400

        Add _TIF_SECCOMP flag to _TIF_WORK_SYSCALL_ENTRY to indicate
        that the system call needs to be checked against a seccomp filter.
    
        Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
        Reviewed-by: Paul Burton <paul.burton@imgtec.com>
        Reviewed-by: James Hogan <james.hogan@imgtec.com>
        Cc: linux-mips@linux-mips.org
        Patchwork: https://patchwork.linux-mips.org/patch/6405/
        Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
        Cc: Ben Hutchings <ben@decadent.org.uk>
        Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 arch/mips/include/asm/thread_info.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cb15c793e2be50234c292ef81bfb65b36c12d5b4
Merge: 9e9978f 9a2f790
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 12:20:34 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 9a2f7909dafce8ab50c0c78b11f2b12fd832ebc2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 12:19:44 2014 -0400

    Update to pax-linux-3.2.60-test153.patch:
    - fixed wrong asm constraint in __range_not_ok, reported by klimo (http://forums.grsecurity.net/viewtopic.php?f=3&t=3979)
    - added detection for more broken CC/HOSTCC combinations, reported by GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3973)

 arch/x86/include/asm/uaccess.h |    2 +-
 scripts/gcc-plugin.sh          |   35 +++++++++++++++++++++++++++++++----
 2 files changed, 32 insertions(+), 5 deletions(-)

commit 9e9978fb35dea4711690cb540ea250efe8adb923
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 11:57:30 2014 -0400

    fix infoleak in raid5 slab cache names reported by Philippe Ganon

 drivers/md/raid5.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 92c9055a72ac0a516df262888f0bd6ea9ce23f9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 11:16:51 2014 -0400

    Revert "as reported by Mathias Krause, perf needs to use copy_to/from_user in"
    
    We don't need this for 3.2, as the copy_from_user_nmi will never reach check_object_size
    
    This reverts commit 9509274ffaeabd8053b3aface3ea8c77d8c1b3a1.

 fs/exec.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9509274ffaeabd8053b3aface3ea8c77d8c1b3a1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 10:34:21 2014 -0400

    as reported by Mathias Krause, perf needs to use copy_to/from_user in
    NMI context, using the appropriate _nmi versions of the routines.  Only
    BUG() if we're not in NMI context

 fs/exec.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 0f248003a96710667425681f7e21f4d57c51da0a
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sun Jun 15 21:04:32 2014 -0400

    Upstream commit: e33ba5fa7afce1a9f159704121d4e4d110df8185
    
    (this should have already been fixed by previous commit in May:
    f9c6d4987b23e0a514464bae6771933a48e4cd01, and the size_overflow
    plugin should have caught the bad case)
    
    random: fix nasty entropy accounting bug
    
    Commit 0fb7a01af5b0 "random: simplify accounting code", introduced in
    v3.15, has a very nasty accounting problem when the entropy pool has
    fewer bytes of entropy than the number of requested reserved
    bytes.  In that case, "have_bytes - reserved" goes negative, and since
    size_t is unsigned, the expression:
    
           ibytes = min_t(size_t, ibytes, have_bytes - reserved);
    
    ... does not do the right thing.  This is rather bad, because it
    defeats the catastrophic reseeding feature in the
    xfer_secondary_pool() path.
    
    It also can cause the "BUG: spinlock trylock failure on UP" for some
    kernel configurations when prandom_reseed() calls get_random_bytes()
    in the early init, since when the entropy count gets corrupted,
    credit_entropy_bits() erroneously believes that the nonblocking pool
    has been fully initialized (when in fact it is not), and so it calls
    prandom_reseed(true) recursively leading to the spinlock BUG.
    
    The logic is *not* the same it was originally, but in the cases where
    it matters, the behavior is the same, and the resulting code is
    hopefully easier to read and understand.
    
    Fixes: 0fb7a01af5b0 "random: simplify accounting code"
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: Greg Price <price@mit.edu>
    Cc: stable@vger.kernel.org  #v3.15
    
    Conflicts:
    
    	drivers/char/random.c

 drivers/char/random.c |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)
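An added userspace illustration (not the kernel's code and not the upstream fix verbatim) of the accounting mistake the commit message above describes: when `have_bytes - reserved` is negative, `min_t(size_t, ...)` compares it as a wrapped, huge size_t and the caller's request is never clamped to zero. The names `account_buggy`, `account_fixed` and the `min_size` macro are assumptions standing in for the kernel's min_t().

```c
/*
 * Added example: reproduces in userspace the accounting mistake described
 * in the commit message above.  Function and macro names are illustrative
 * and are not the kernel's; min_size() mimics the kernel's min_t(size_t, ...).
 */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Like min_t(size_t, a, b): both operands are cast to size_t before comparing. */
#define min_size(a, b) (((size_t)(a) < (size_t)(b)) ? (size_t)(a) : (size_t)(b))

/*
 * Buggy accounting.  have_bytes and reserved are ints, so have_bytes - reserved
 * is a negative int when the pool holds less than the reserve.  Casting that
 * negative value to size_t wraps to a huge number, so the request is never
 * clamped down to zero.
 */
size_t account_buggy(size_t ibytes, int have_bytes, int reserved)
{
	return min_size(ibytes, have_bytes - reserved);
}

/*
 * Corrected accounting (illustrative, in the spirit of the fix): clamp the
 * signed difference at zero before it is ever compared as size_t.
 */
size_t account_fixed(size_t ibytes, int have_bytes, int reserved)
{
	int avail = have_bytes - reserved;

	if (avail < 0)
		avail = 0;
	return min_size(ibytes, (size_t)avail);
}

int main(void)
{
	/* Constructed scenario: a 32-byte request against a pool holding 16
	 * bytes of entropy while 64 bytes are reserved.  A caller that relies on
	 * getting 0 bytes back when the reserve cannot be honoured gets all 32. */
	size_t want = 32;
	int have = 16, reserved = 64;

	printf("buggy: %zu bytes granted (should be 0)\n",
	       account_buggy(want, have, reserved));
	printf("fixed: %zu bytes granted\n",
	       account_fixed(want, have, reserved));

	/* When the pool does cover the reserve, both versions agree. */
	assert(account_buggy(want, 80, 64) == 16);
	assert(account_fixed(want, 80, 64) == 16);
	return 0;
}
```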

commit 0e1bd8028f5abd9e28e28d322ab06ef7f1a83c0a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 10:01:17 2014 -0400

    add missing include

 fs/fhandle.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 6d168543c94235cb6669de01c1a6e686cd1b94ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 09:51:38 2014 -0400

    Disable access to file handles inside chroots as part of GRKERNSEC_CHROOT_FCHDIR, as
    stealth's attack on docker containers also works against grsec chroots with uid 0 and
    CAP_DAC_READ_SEARCH inside.  Contrary to the changelog in the test branch, the
    stable tree was affected as well.

 fs/fhandle.c               |    2 +-
 grsecurity/Kconfig         |    8 +++++---
 grsecurity/grsec_chroot.c  |   17 +++++++++++++++++
 include/linux/grmsg.h      |    1 +
 include/linux/grsecurity.h |    1 +
 5 files changed, 25 insertions(+), 4 deletions(-)

commit 96f72e4c712c55b8ea0011994c7139f5026c62f7
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed May 28 23:09:58 2014 -0400

    Upstream commit: a3c54931199565930d6d84f4c3456f6440aefd41
    
    auditsc: audit_krule mask accesses need bounds checking
    
    Fixes an easy DoS and possible information disclosure.
    
    This does nothing about the broken state of x32 auditing.
    
    eparis: If the admin has enabled auditd and has specifically loaded
    audit rules.  This bug has been around since before git.  Wow...
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	kernel/auditsc.c

 kernel/auditsc.c |   25 ++++++++++++++++++-------
 1 files changed, 18 insertions(+), 7 deletions(-)

commit d20f2736b8c185c0dccb03d2c600a51c7131ee8d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 10 12:25:17 2014 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 4b4e8eb16b000f63b26b530d442ca4566336d015
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 10 10:01:00 2014 -0400

    fix !x86 compilation, reported by Blake Self

 fs/exec.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit b17ed609e4b3ee5244faf36a2f5d4b802baf626d
Merge: bc7622c 3ceecde
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 10 09:43:02 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	net/core/filter.c
    	net/ipv4/ping.c
    	security/Kconfig

commit 3ceecde1a9ba0b5d3d250561445b279b11d87a5c
Merge: 9aa785b0 6b3965a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 10 09:33:31 2014 -0400

    Update to pax-linux-3.2.60-test152.patch:
    - backported 'x86_64: expand kernel stack to 16K', commit 6538b8ea886e472f4431db8ca1d60478f838d14b upstream
    - backported 'mm: rmap: fix use-after-free in __put_anon_vma', commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream
    - CPUs are switched to the percpu pgd earlier to support early vmalloc faults (needed for grsecurity's KSTACKOVERFLOW)
    - cleaned up some unnecessary hunks
    - folded RANDUSTACK into RANDMMAP as supporting them separately isn't worth it, reported by Roy Li <rongqing.li@windriver.com>
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	mm/memory-failure.c

commit bc7622c3ee8df64e72a925fcb1973701e14e3dc8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 5 21:57:02 2014 -0400

    Fix KSTACKOVERFLOW harder -- if we didn't get a cr3 reload event
    prior to the first vmalloc fault, PaX's per-cpu pgd sanity checking
    would BUG() on detecting cr3 being set to init_level4_pgt.
    
    Fix this by switching to the per-cpu pgds immediately after
    starting up secondary CPUs.
    
    Reported by the mempo team, fixed by pipacs

 arch/x86/kernel/smpboot.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit a3d64cfb85e859de3464c2dcf94f33a3a32dbfd5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 5 12:33:38 2014 -0400

    randomize layouts of two futex structs

 kernel/futex.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c806e64af3e3c62c371707ceaebe8dcd64a89501
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon May 12 20:45:35 2014 +0000

    Upstream commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a
    
    futex: Prevent attaching to kernel threads
    
    We happily allow userspace to declare a random kernel thread to be the
    owner of a user space PI futex.
    
    Found while analysing the fallout of Dave Jones syscall fuzzer.
    
    We also should validate the thread group for private futexes and find
    some fast way to validate whether the "alleged" owner has RW access on
    the file which backs the SHM, but that's a separate issue.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Dave Jones <davej@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Darren Hart <darren@dvhart.com>
    Cc: Davidlohr Bueso <davidlohr@hp.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Clark Williams <williams@redhat.com>
    Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
    Cc: Roland McGrath <roland@hack.frob.com>
    Cc: Carlos ODonell <carlos@redhat.com>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: Michael Kerrisk <mtk.manpages@gmail.com>
    Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org

 kernel/futex.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 0bb5fb443fb3ec3e5430cc63c42f835b7e8dbcaa
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:08 2014 +0000

    futex: Make lookup_pi_state more robust
    
    The current implementation of lookup_pi_state has ambiguous handling of
    the TID value 0 in the user space futex. We can get into the kernel
    even if the TID value is 0, because either there is a stale waiters
    bit or the owner died bit is set or we are called from the requeue_pi
    path or from user space just for fun.
    
    The current code avoids an explicit sanity check for pid = 0 in case
    that kernel internal state (waiters) are found for the user space
    address. This can lead to state leakage and worse under some
    circumstances.
    
    Handle the cases explicitly:
    
         Waiter | pi_state | pi->owner | uTID      | uODIED | ?
    
    [1]  NULL   | ---      | ---       | 0         | 0/1    | Valid
    [2]  NULL   | ---      | ---       | >0        | 0/1    | Valid
    
    [3]  Found  | NULL     | --        | Any       | 0/1    | Invalid
    
    [4]  Found  | Found    | NULL      | 0         | 1      | Valid
    [5]  Found  | Found    | NULL      | >0        | 1      | Invalid
    
    [6]  Found  | Found    | task      | 0         | 1      | Valid
    
    [7]  Found  | Found    | NULL      | Any       | 0      | Invalid
    
    [8]  Found  | Found    | task      | ==taskTID | 0/1    | Valid
    [9]  Found  | Found    | task      | 0         | 0      | Invalid
    [10] Found  | Found    | task      | !=taskTID | 0/1    | Invalid
    
    [1]  Indicates that the kernel can acquire the futex atomically. We
         came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
    
    [2]  Valid, if TID does not belong to a kernel thread. If no matching
         thread is found then it indicates that the owner TID has died.
    
    [3]  Invalid. The waiter is queued on a non PI futex
    
    [4]  Valid state after exit_robust_list(), which sets the user space
         value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
    
    [5]  The user space value got manipulated between exit_robust_list()
         and exit_pi_state_list()
    
    [6]  Valid state after exit_pi_state_list() which sets the new owner in
         the pi_state but cannot access the user space value.
    
    [7]  pi_state->owner can only be NULL when the OWNER_DIED bit is set.
    
    [8]  Owner and user space value match
    
    [9]  There is no transient state which sets the user space TID to 0
         except exit_robust_list(), but this is indicated by the
         FUTEX_OWNER_DIED bit. See [4]
    
    [10] There is no transient state which leaves owner and user space
         TID out of sync.
    
    Backport to 3.13
      conflicts: kernel/futex.c
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c |  123 ++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 106 insertions(+), 17 deletions(-)

commit 2df614887f85813e24ae89492efd29d66b959f57
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:07 2014 +0000

    futex: Always cleanup owner tid in unlock_pi
    
    If the owner died bit is set at futex_unlock_pi, we currently do not
    cleanup the user space futex. So the owner TID of the current owner
    (the unlocker) persists. That's observable inconsistent state,
    especially when the ownership of the pi state got transferred.
    
    Clean it up unconditionally.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c |   40 ++++++++++++++++++----------------------
 1 files changed, 18 insertions(+), 22 deletions(-)

commit 348e435c71215446448474427c173801cc509a63
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:06 2014 +0000

    futex: Validate atomic acquisition in futex_lock_pi_atomic()
    
    We need to protect the atomic acquisition in the kernel against rogue
    user space which sets the user space futex to 0, so the kernel side
    acquisition succeeds while there is existing state in the kernel
    associated to the real owner.
    
    Verify whether the futex has waiters associated with kernel state. If
    it has, return -EINVAL. The state is corrupted already, so no point in
    cleaning it up. Subsequent calls will fail as well. Not our problem.
    
    [ tglx: Use futex_top_waiter() and explain why we do not need to try
      	restoring the already corrupted user space state. ]
    
    Signed-off-by: Darren Hart <dvhart@linux.intel.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c |   14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

commit 8688b2037d58dc0d5b105abb9621e7194cf83815
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:06 2014 +0000

    futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
    
    If uaddr == uaddr2, then we have broken the rule of only requeueing
    from a non-pi futex to a pi futex with this call. If we attempt this,
    then dangling pointers may be left for rt_waiter resulting in an
    exploitable condition.
    
    This change brings futex_requeue() into line with
    futex_wait_requeue_pi() which performs the same check as per commit
    6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
    
    [ tglx: Compare the resulting keys as well, as uaddrs might be
      	different depending on the mapping ]
    
    Fixes CVE-2014-3153.
    
    Reported-by: Pinkie Pie
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c |   25 +++++++++++++++++++++++++
 1 files changed, 25 insertions(+), 0 deletions(-)

commit 8798a53cd1e84e1b2c0ecee1afed25a08648041d
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon Jul 8 16:00:08 2013 -0700

    vfree: don't schedule free_work() if llist_add() returns false
    
    vfree() only needs schedule_work(&p->wq) if p->list was empty, otherwise
    vfree_deferred->wq is already pending or it is running and didn't do
    llist_del_all() yet.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	mm/vmalloc.c

 mm/vmalloc.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 8a62a7ce273800b19fb3626a7c6b3005dd7b5577
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Mar 10 20:14:08 2013 -0400

    make vfree() safe to call from interrupt contexts
    
    A bunch of RCU callbacks want to be able to do vfree() and end up with
    rather kludgy schemes.  Just let vfree() do the right thing - put the
    victim on llist and schedule actual __vunmap() via schedule_work(), so
    that it runs from non-interrupt context.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 mm/vmalloc.c |   45 ++++++++++++++++++++++++++++++++++++++++-----
 1 files changed, 40 insertions(+), 5 deletions(-)

commit 966a25b66eefc148cb927aae1bb9551a576b82e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 3 09:49:01 2014 -0400

    fix compiler warning

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ba92b6c35509ac0b667d9ba1d425de47a65ee7a7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 3 07:23:49 2014 -0400

    Revert "mark KSTACKOVERFLOW as broken on 3.2 until it is fixed.  Wasn't caught by"
    
    This reverts commit 6bbd3978f194a25e2317f229cdf3985e9daee35c.

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6bbd3978f194a25e2317f229cdf3985e9daee35c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 3 07:13:32 2014 -0400

    mark KSTACKOVERFLOW as broken on 3.2 until it is fixed.  Wasn't caught by
    my automated testing due to a bug in my build scripts

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f0006cb4e64a5083cd3def0718c3cf9522a81102
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 3 06:29:37 2014 -0400

    add another populate_stack under switch_mm()

 mm/mmu_context.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e684d267aa65130a25bb0355bf08f15d748e8971
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 16:50:02 2014 -0400

    update hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit dec01c65a1c17bba1c39964df0b8acbf40ed5af5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 16:18:35 2014 -0400

    compile fix

 kernel/fork.c |   41 ++++++++++++++++++++++++++---------------
 mm/vmalloc.c  |    4 ++--
 2 files changed, 28 insertions(+), 17 deletions(-)

commit 409239ea3d7a8e95dccb66a1732bd995c48626e0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 15:36:59 2014 -0400

    compile fix

 mm/vmalloc.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit b9bdbdf615bc879205c4e8e9d8c6c3bc40a330d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 15:29:48 2014 -0400

    Add a new feature for 64-bit kernels to defend against stack overflows
    GRKERNSEC_KSTACKOVERFLOW
    
    Contrary to some naive suggestions on Twitter, it's not just a simple
    process of "adding guard pages" due to how kernel stacks are allocated
    on Linux and the fact that just adding guard pages to that existing
    allocation mechanism would require breaking up large pages, adding a
    large maintenance and performance cost.  Instead we allocate the kernel
    process stacks using vmalloc which provides us with the "guard pages"
    for free, though we only do this on 64-bit architectures (other than Itanium)
    due to the limited space for vmalloc allocations on 32-bit.
    
    We've been working on some other approaches for solving this problem,
    including one that required several advances in GCC plugin analysis, but
    this will exist for now as a stopgap until another approach replaces it.

 arch/x86/kernel/traps.c |    5 +++++
 fs/exec.c               |    1 +
 grsecurity/Kconfig      |   13 +++++++++++++
 include/linux/sched.h   |   19 +++++++++++++++++++
 include/linux/vmalloc.h |    1 +
 kernel/fork.c           |   15 +++++++++++++++
 kernel/sched.c          |    8 ++++++--
 mm/vmalloc.c            |    6 ++++++
 8 files changed, 66 insertions(+), 2 deletions(-)
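
A userspace analogue of the property the commit message relies on, added here as an example (it is not part of the grsecurity patch, which gets this behaviour for kernel thread stacks by allocating them with vmalloc): an mmap()ed region whose lowest page is made PROT_NONE behaves like a vmalloc allocation with its guard page, so a write that runs off the bottom of the usable area faults instead of silently corrupting whatever sits below. The page count, the SIGSEGV-to-return-value trick and the function names are this example's own.

```c
/*
 * Added example (not from the grsecurity patch): a guard page under a
 * downward-growing region, the way vmalloc() leaves an unmapped page between
 * allocations.  A SIGSEGV handler turns the fault into a return value so the
 * overflow can be observed rather than killing the process.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static sigjmp_buf guard_jmp;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(guard_jmp, 1);   /* unwind out of the faulting store */
}

/*
 * Map `pages` pages, turn the lowest one into a guard, then write to the
 * lowest usable byte (must succeed) and to the byte just below it (must
 * fault).  Returns 1 if the guard caught the out-of-bounds write, 0 if it
 * landed silently, -1 on setup failure.
 */
int probe_guard_page(size_t pages)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = pages * page;
    volatile unsigned char *stack;
    struct sigaction sa, old;
    int caught = 0;

    if (pages < 2)
        return -1;
    stack = mmap(NULL, len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (stack == MAP_FAILED)
        return -1;
    /* Lowest page becomes the guard: any access into it faults. */
    if (mprotect((void *)stack, page, PROT_NONE) != 0) {
        munmap((void *)stack, len);
        return -1;
    }

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) {
        munmap((void *)stack, len);
        return -1;
    }

    if (sigsetjmp(guard_jmp, 1) == 0) {
        stack[page] = 0xAA;        /* lowest usable byte: fine */
        stack[page - 1] = 0xAA;    /* one byte below: hits the guard page */
    } else {
        caught = 1;                /* SIGSEGV arrived for the second store */
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap((void *)stack, len);
    return caught;
}

int main(void)
{
    int r = probe_guard_page(4);
    printf("guard page %s the overflow\n", r == 1 ? "caught" : "did not catch");
    return r == 1 ? 0 : 1;
}
```

The kernel cannot recover the way this handler does; there the guard page turns a silent overwrite of the neighbouring stack (and of the thread_info that lives at its bottom) into a page fault the stack-overflow checks can report.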

commit 7f9eb5130b5ca75efc0cdbd5090d1bed9bbeeb16
Merge: 265e351 9aa785b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 15:11:37 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	Makefile
    	tools/gcc/Makefile

commit 9aa785b03e380493c4c8ca31af2c49b2e276fb40
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 15:06:29 2014 -0400

    Update to pax-linux-3.2.59-test151.patch:
    - Emese refactored the size overflow plugin and also fixed several integer constant related false positives
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3940
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3942
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3943
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3949
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3950
    - Emese fixed an assert in the size overflow plugin that could trigger while compiling on 32 bit archs, reported by spender
    - Emese fixed the handling of more intentional overflows in unsigned/signed casts, reported by minipli
    - updated the mrproper target for the new location of the overflow plugin headers, by minipli
    - fixed an off-by-one in the prefault code in access_ok on x86, reported by Roy Li <rongqing.li@windriver.com>
      it'd cause a prefault attempt on address 0 and other unmapped addresses and fail the current syscall
    - updated gcc-common.h

 Makefile                                           |    6 +-
 arch/x86/include/asm/uaccess.h                     |   34 +-
 tools/gcc/.gitignore                               |    1 -
 tools/gcc/Makefile                                 |   29 +-
 tools/gcc/gcc-common.h                             |   10 +-
 tools/gcc/generate_size_overflow_hash.sh           |   97 -
 tools/gcc/size_overflow_hash.data                  | 4429 --------------------
 tools/gcc/size_overflow_hash_aux.data              |   91 -
 tools/gcc/size_overflow_plugin.c                   | 4169 ------------------
 tools/gcc/size_overflow_plugin/.gitignore          |    1 +
 tools/gcc/size_overflow_plugin/Makefile            |   20 +
 .../generate_size_overflow_hash.sh                 |  102 +
 .../insert_size_overflow_asm.c                     |  790 ++++
 .../insert_size_overflow_check_core.c              |  902 ++++
 .../insert_size_overflow_check_ipa.c               | 1133 +++++
 .../size_overflow_plugin/intentional_overflow.c    |  733 ++++
 tools/gcc/size_overflow_plugin/misc.c              |  203 +
 .../size_overflow_plugin/remove_unnecessary_dup.c  |  138 +
 tools/gcc/size_overflow_plugin/size_overflow.h     |  127 +
 .../gcc/size_overflow_plugin/size_overflow_debug.c |  116 +
 .../size_overflow_plugin/size_overflow_hash.data   | 4429 ++++++++++++++++++++
 .../size_overflow_hash_aux.data                    |   91 +
 .../size_overflow_plugin/size_overflow_plugin.c    |  259 ++
 .../size_overflow_plugin_hash.c                    |  364 ++
 24 files changed, 9448 insertions(+), 8826 deletions(-)

commit 265e3519eb88d6eee96d14afe7bdb26691fd471b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 14:35:00 2014 -0400

    backport ntpd fix for GRKERNSEC_SETXID

 include/linux/cred.h |    1 +
 kernel/cred.c        |    8 +++++++-
 2 files changed, 8 insertions(+), 1 deletions(-)

commit f7a7ffb4dd3c028442edee5ad7405aa9fc3bb974
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 06:51:24 2014 -0400

    avoid include hell by moving the stack check to fs/exec.c and passing
    in an extra bool to the function specifying whether the length is const
    or not.  we'll also perform this check regardless of USERCOPY status
    
    Conflicts:
    
    	include/linux/thread_info.h

 fs/exec.c                   |   17 +++++++++++++++--
 include/linux/thread_info.h |   16 +++-------------
 2 files changed, 18 insertions(+), 15 deletions(-)

commit 58fe3a791c09108f829e729952aff4fcbaf4f3a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 1 12:43:42 2014 -0400

    We can use an even stricter check on the stack for copy*user as it should
    only ever be called in process context -- this allows us not only to check
    for potential future overflow but actual overflow
    
    Conflicts:
    
    	include/linux/thread_info.h

 include/linux/thread_info.h |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit d123ba06b839092349c0e774e857f1ab1e8fc6b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 1 11:14:01 2014 -0400

    remove my backport of the pty fix as it's now fixed upstream
    
    reported by rfree/mempo

 drivers/tty/n_tty.c |    9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 63466f8f452573994ad1373c54de36ff73b711f3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 30 21:38:31 2014 -0400

    fix DEBUG_STACKOVERFLOW properly, reported by jeff on IRC

 arch/x86/kernel/irq_64.c |   15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

commit 44f972e59e9d10b9a249977ae066949f2c2180ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 28 18:16:00 2014 -0400

    don't force on DEBUG_STACKOVERFLOW as we now have the better STACKLEAK
    improvements and KSTACKOVERFLOW

 security/Kconfig |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c66753f04e015df79161be0daab7b7a7cea145b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 28 17:04:39 2014 -0400

    fix bad WARN_ON and triggering of kernel bruteforce logic in the
    x64 DEBUG_STACKOVERFLOW case, reported by jeff on IRC

 arch/x86/kernel/irq_64.c |   13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)

commit 47be0d85ed13e8cfeec42f612c08319ca27c8e6d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 27 12:54:48 2014 -0400

    make pax_track_stack BUG() immediately if it notices the stack getting
    too deep -- this will happen separately to its later check that we're
    clearing too much stack on syscall exit

 fs/exec.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 61685e688b41d0d914736e99750ff034af9f8a60
Author: Anthony Iliopoulos <anthony.iliopoulos@huawei.com>
Date:   Wed May 14 11:29:48 2014 +0200

    Upstream commit: 9844f5462392b53824e8b86726e7c33b5ecbb676
    
    x86, mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow()
    
    The invalidation is required in order to maintain proper semantics
    under CoW conditions. In scenarios where a process clones several
    threads, a thread operating on a core whose DTLB entry for a
    particular hugepage has not been invalidated, will be reading from
    the hugepage that belongs to the forked child process, even after
    hugetlb_cow().
    
    The thread will not see the updated page as long as the stale DTLB
    entry remains cached, the thread attempts to write into the page,
    the child process exits, or the thread gets migrated to a different
    processor.
    
    Signed-off-by: Anthony Iliopoulos <anthony.iliopoulos@huawei.com>
    Link: http://lkml.kernel.org/r/20140514092948.GA17391@server-36.huawei.corp
    Suggested-by: Shay Goikhman <shay.goikhman@huawei.com>
    Acked-by: Dave Hansen <dave.hansen@intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: <stable@vger.kernel.org> # v2.6.16+ (!)

 arch/x86/include/asm/hugetlb.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9386cb913f41ad5fddc2782a3245a70c6cb74d50
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed May 14 16:33:54 2014 -0700

    Upstream commit: fa81511bb0bbb2b1aace3695ce869da9762624ff
    
    x86-64, modify_ldt: Make support for 16-bit segments a runtime option
    
    Checkin:
    
    b3b42ac2cbae x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
    
    disabled 16-bit segments on 64-bit kernels due to an information
    leak.  However, it does seem that people are genuinely using Wine to
    run old 16-bit Windows programs on Linux.
    
    A proper fix for this ("espfix64") is coming in the upcoming merge
    window, but as a temporary fix, create a sysctl to allow the
    administrator to re-enable support for 16-bit segments.
    
    It adds a "/proc/sys/abi/ldt16" sysctl that defaults to zero (off). If
    you hit this issue and care about your old Windows program more than
    you care about a kernel stack address information leak, you can do
    
       echo 1 > /proc/sys/abi/ldt16
    
    as root (add it to your startup scripts), and you should be ok.
    
    The sysctl table is only added if you have COMPAT support enabled on
    x86-64, but I assume anybody who runs old windows binaries very much
    does that ;)
    
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Link: http://lkml.kernel.org/r/CA%2B55aFw9BPoD10U1LfHbOMpHWZkvJTkMcfCs9s3urPr1YyWBxw@mail.gmail.com
    Cc: <stable@vger.kernel.org>

 arch/x86/kernel/ldt.c        |    4 +++-
 arch/x86/vdso/vdso32-setup.c |    8 ++++++++
 2 files changed, 11 insertions(+), 1 deletions(-)

commit 58edf59a3ee94bbbe27c3967db6a5d283f4e01fa
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Fri May 16 21:40:41 2014 -0400

    Upstream commit: f9c6d4987b23e0a514464bae6771933a48e4cd01
    
    random: fix BUG_ON caused by accounting simplification
    
    Commit ee1de406ba6eb1 ("random: simplify accounting logic") simplified
    things too much, in that it allows the following to trigger an
    overflow that results in a BUG_ON crash:
    
    dd if=/dev/urandom of=/dev/zero bs=67108707 count=1
    
    Thanks to Peter Zijlstra for discovering the crash, and Hannes
    Frederic for analyzing the root cause.
    
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Reported-by: Peter Zijlstra <peterz@infradead.org>
    Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Greg Price <price@mit.edu>

 drivers/char/random.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit bd1f060663648057d1a1662c7d788058b8ac417a
Merge: 5249b28 abe5854
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 11:56:37 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit abe585404d0fe8c70e29ad4296ea21b698a610ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 11:56:10 2014 -0400

    Update to pax-linux-3.2.59-test150.patch

 arch/x86/kernel/paravirt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c6e6e2ee5f4722da22512eac57077dafad9da608
Merge: 6fed70a 382ae9d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 11:45:58 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 5249b288c860d8ad83335db0bd44a0529782c3a8
Author: David S. Miller <davem@davemloft.net>
Date:   Mon Apr 28 23:50:08 2014 -0700

    Upstream commit: d037d16372bbe4d580342bebbb8826821ad9edf0
    
    sparc64: Handle 32-bit tasks properly in compute_effective_address().
    
    If we have a 32-bit task we must chop off the top 32-bits of the
    64-bit value just as the cpu would.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/unaligned_64.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 1bd029b6a18a5f97ee1284a61bef4cd3381e0d35
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 11 12:40:46 2014 -0400

    fix compilation, reported by mcp

 fs/proc/stat.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 578116be14bf158bc2e340952bd8a28afa5cc0f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 17:31:17 2014 -0400

    fix compilation

 include/linux/thread_info.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e62d30699e81b93e65213ee3275e7c8e855ad7ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 17:24:47 2014 -0400

    force DEBUG_STACKOVERFLOW on on grsec kernels and make it
    trigger the bruteforce logic
    
    Conflicts:
    
    	arch/powerpc/kernel/irq.c
    	arch/x86/kernel/irq_32.c
    	arch/x86/kernel/irq_64.c

 arch/mips/kernel/irq.c    |    4 ++++
 arch/powerpc/kernel/irq.c |    3 +++
 arch/x86/kernel/irq_32.c  |    4 ++++
 arch/x86/kernel/irq_64.c  |    3 +++
 security/Kconfig          |    1 +
 5 files changed, 15 insertions(+), 0 deletions(-)

commit 495a3bb3c5488519188cf3da926aff5ea0eac2eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 16:46:48 2014 -0400

    always perform the stack overflow check, not just for non-fixed size copies

 fs/exec.c                   |   16 +---------------
 include/linux/thread_info.h |    8 ++++++++
 2 files changed, 9 insertions(+), 15 deletions(-)

commit 434193e5563a158139ecdb479865728af57f048a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 16:26:25 2014 -0400

    compile fix

 fs/proc/stat.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit d44fc35cea3e921ce6c0e6de16b539dafbb1e99b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 15:52:44 2014 -0400

    improve PAX_USERCOPY on x86 to detect attempted copies when the current
    stack has overflowed

 arch/x86/kernel/dumpstack_32.c |    2 +-
 arch/x86/kernel/dumpstack_64.c |    2 +-
 fs/exec.c                      |   17 ++++++++++++++++-
 3 files changed, 18 insertions(+), 3 deletions(-)

commit 7997ac44201621628c670827226bb393ed4b0187
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 15:29:13 2014 -0400

    relax /proc/stat restrictions
    
    Conflicts:
    
    	fs/proc/stat.c

 fs/proc/stat.c |   49 +++++++++++++++++++++++++++----------------------
 1 files changed, 27 insertions(+), 22 deletions(-)

commit df5c216e9ab4541d08dd7a45ea5701d75b78df9b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat May 3 23:27:00 2014 +0300

    Upstream commit: 3cf0b0311e746a26dcc7c0b5ba0756f61d636a33
    
    agp: info leak in agpioc_info_wrap()
    
    On 64 bit systems the agp_info struct has a 4 byte hole between
    ->agp_mode and ->aper_base.  We need to clear it to avoid disclosing
    stack information to userspace.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

 drivers/char/agp/frontend.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 02a5d53352be8c02a37d4b533dc9b57a6434fa68
Author: Matthew Daley <mattd@bugfuzz.com>
Date:   Mon Apr 28 19:05:20 2014 +1200

    Upstream commit: ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
    
    floppy: ignore kernel-only members in FDRAWCMD ioctl input
    
    Always clear out these floppy_raw_cmd struct members after copying the
    entire structure from userspace so that the in-kernel version is always
    valid and never left in an indeterminate state.
    
    Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/block/floppy.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 0b505d92305c57ad572115a67665b530c449496b
Author: Matthew Daley <mattd@bugfuzz.com>
Date:   Mon Apr 28 19:05:21 2014 +1200

    Upstream commit: 2145e15e0557a01b9195d1c7199a1b92cb9be81f
    
    floppy: don't write kernel-only members to FDRAWCMD ioctl output
    
    Do not leak kernel-only floppy_raw_cmd structure members to userspace.
    This includes the linked-list pointer and the pointer to the allocated
    DMA space.
    
    Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/block/floppy.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
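
Both floppy commits and the agp commit above are instances of one rule for structs that cross the user/kernel boundary: on the way out, copy only what was deliberately initialized and is meant to be visible; on the way in, reset every member userspace must not control. The block below is an added example, not code from the kernel or the grsecurity tree. The struct layouts are constructed to mirror the shapes the commit messages describe (a 4-byte hole before an unsigned long on 64-bit, and a kernel-only pointer tail), and memcpy() stands in for copy_to_user()/copy_from_user().

```c
/*
 * Added example (not from the kernel or grsecurity): the two boundary
 * mistakes fixed above, in userspace.  The 0xCC fill simulates stale stack
 * contents; memcpy() models the user/kernel copy in both directions.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed: same member shape as agp_info (two u16, two u32, then a long).
 * On LP64 agp_mode ends at offset 12 but aper_base is 8-byte aligned, so the
 * compiler inserts 4 bytes of padding that no field assignment ever writes. */
struct info_wire {
    uint16_t ver_major;
    uint16_t ver_minor;
    uint32_t bridge_id;
    uint32_t agp_mode;
    unsigned long aper_base;
    size_t aper_size;
};

/* Constructed, in the style of floppy_raw_cmd: a user-visible head followed
 * by members that only the kernel may set or see. */
struct raw_cmd {
    uint32_t flags;
    uint32_t length;
    void *kernel_data;      /* kernel-only: buffer owned by the kernel */
    struct raw_cmd *next;   /* kernel-only: linked-list pointer */
};

/* Padding bytes hidden between agp_mode and aper_base: 4 on LP64, 0 on ILP32. */
size_t info_wire_hole(void)
{
    return offsetof(struct info_wire, aper_base)
         - (offsetof(struct info_wire, agp_mode) + sizeof(uint32_t));
}

/* Kernel side of an info ioctl.  Field-by-field assignment never touches the
 * padding, so whatever the stack held before ends up in the user's copy.
 * With zero_first set the struct is cleared first (the agp fix).  Returns how
 * many bytes of the simulated stale stack pattern reached the user buffer. */
size_t info_garbage_bytes(int zero_first)
{
    struct info_wire info;
    unsigned char user_buf[sizeof(struct info_wire)];
    size_t leaked = 0, i;

    memset(&info, 0xCC, sizeof(info));      /* simulate stale stack contents */
    if (zero_first)
        memset(&info, 0, sizeof(info));     /* the fix: clears the holes too */
    info.ver_major = 0;
    info.ver_minor = 103;
    info.bridge_id = 0x80868a20u;
    info.agp_mode  = 0x1f000201u;
    info.aper_base = 0xd0000000ul;
    info.aper_size = 64;

    memcpy(user_buf, &info, sizeof(info));  /* stands in for copy_to_user() */
    for (i = 0; i < sizeof(user_buf); i++)
        if (user_buf[i] == 0xCC)
            leaked++;
    return leaked;
}

/* Input direction (first floppy commit): copy the whole struct, then reset the
 * kernel-only members so a user-supplied pointer is never followed. */
void raw_cmd_from_user(struct raw_cmd *dst, const unsigned char *src)
{
    memcpy(dst, src, sizeof(*dst));         /* stands in for copy_from_user() */
    dst->kernel_data = NULL;
    dst->next = NULL;
}

/* Output direction (second floppy commit): copy back only the user-visible
 * prefix; the kernel pointers never leave the kernel.  Returns bytes copied. */
size_t raw_cmd_to_user(unsigned char *dst, const struct raw_cmd *src)
{
    size_t visible = offsetof(struct raw_cmd, kernel_data);
    memcpy(dst, src, visible);              /* stands in for copy_to_user() */
    return visible;
}

/* Exercises both directions on constructed input.  Returns 0 when no
 * user-planted pointer survived copy-in and no kernel pointer byte reached
 * the user buffer on copy-out; 1 or 2 names the direction that failed. */
int raw_cmd_boundary_clean(void)
{
    unsigned char user_buf[sizeof(struct raw_cmd)];
    struct raw_cmd cmd;
    size_t i, visible;

    memset(user_buf, 0xFF, sizeof(user_buf));   /* user plants all-ones pointers */
    raw_cmd_from_user(&cmd, user_buf);
    if (cmd.kernel_data != NULL || cmd.next != NULL || cmd.flags != 0xFFFFFFFFu)
        return 1;

    cmd.kernel_data = &cmd;                     /* kernel fills in real pointers */
    cmd.next = &cmd;
    memset(user_buf, 0, sizeof(user_buf));
    visible = raw_cmd_to_user(user_buf, &cmd);
    for (i = visible; i < sizeof(user_buf); i++)
        if (user_buf[i] != 0)
            return 2;                           /* a kernel pointer byte leaked */
    return 0;
}
```

info_garbage_bytes(0) returns exactly info_wire_hole() bytes of leaked pattern on a 64-bit build and 0 on a 32-bit one, which is why such leaks go unnoticed when the struct is only ever tested on the architecture where it happens to be hole-free.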

commit fba8cb418be22f02333b5fe4d7ddfdbba3f1f82a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 6 17:04:33 2014 -0400

    fix compilation with older gcc (redefinition of pid_alive)

 include/linux/sched.h |   26 ++++++++++++--------------
 1 files changed, 12 insertions(+), 14 deletions(-)

commit ee26ef6fe974459d501d2583a7d3d605f1073934
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 5 18:21:03 2014 -0400

    backport fix (there is no n_tty_data in 3.2)

 drivers/tty/n_tty.c |    9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

commit e74da1fee4e283ea2b847a5176bb97453e661e11
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 5 18:12:30 2014 -0400

    Backport fix for heap overflow in the tty layer, CVE-2014-0196
    http://bugzillafiles.novell.org/attachment.cgi?id=588355

 drivers/tty/n_tty.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit f06aa00fbffaf0d80f041e6b25fad80f6e6ac0ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 12:03:07 2014 -0400

    restrict rt_cache

 net/ipv4/route.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit bf1dd6158696947c5bc8d84df33574c4d21d44e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 11:41:02 2014 -0400

    use ERR_PTR

 fs/proc/generic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6e84b936802845f9e27020b45e5dfadd90cdb033
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:50:33 2014 -0400

    fix warnings

 net/core/dev.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 4d9e583020590b209f4aad6fa4c2cf4e2bcb3e0b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:47:36 2014 -0400

    reuse the format string to preserve padding

 net/core/dev.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 4be476f6b229508e218e4942c4ff16ba9dce933f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:41:45 2014 -0400

    compile fix

 fs/proc/generic.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit d46294dd750ab1ec8621c0f978315f6c42398059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:35:58 2014 -0400

    refactor the code for the previous commit and sanitize /proc/net/dev output

 fs/proc/generic.c          |   21 ++-------------------
 fs/proc/proc_net.c         |   21 +++------------------
 fs/seq_file.c              |   23 +++--------------------
 grsecurity/Makefile        |    2 +-
 grsecurity/grsec_proc.c    |   20 ++++++++++++++++++++
 include/linux/grsecurity.h |    2 ++
 net/core/dev.c             |    5 ++++-
 7 files changed, 35 insertions(+), 59 deletions(-)

commit 1e13912f8215757a9d42d6b9e915ceb3072968a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 10:00:07 2014 -0400

    Previously all of /proc/net was inaccessible under GRKERNSEC_PROC except
    for a special group (under GRKERNSEC_PROC_USERGROUP) but which also required
    that that process be able to see all other processes in /proc.  Several
    programs need to access /proc/net/dev and /proc/net/dev only.  Matlab for
    instance needs it and will crash if it can't open it.  The interface list in
    /proc/net/dev is not sensitive (we will zero out packet counts in the
    next commit) and the same information can be obtained via netlink.  So now we
    will allow /proc/net/dev to anyone and restrict access to all other entries in
    /proc/net.
    
    Requested by a commercial support customer.

 fs/proc/generic.c                  |   82 +++++++++++++++++++++++++++++++++++-
 fs/proc/internal.h                 |    2 +
 fs/proc/proc_net.c                 |   35 ++++++++++-----
 fs/seq_file.c                      |   39 +++++++++++++++++
 include/linux/proc_fs.h            |    2 +
 include/linux/seq_file.h           |    2 +
 net/appletalk/atalk_proc.c         |    2 +-
 net/can/bcm.c                      |    2 +-
 net/can/proc.c                     |    2 +-
 net/core/dev.c                     |    4 +-
 net/core/pktgen.c                  |    2 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c |    2 +-
 net/ipv6/proc.c                    |    2 +-
 net/ipx/ipx_proc.c                 |    2 +-
 net/irda/irproc.c                  |    2 +-
 net/llc/llc_proc.c                 |    2 +-
 net/netfilter/core.c               |    2 +-
 net/netfilter/xt_hashlimit.c       |    4 +-
 net/netfilter/xt_recent.c          |    2 +-
 net/sctp/protocol.c                |    2 +-
 net/sunrpc/cache.c                 |    2 +-
 net/sunrpc/stats.c                 |    2 +-
 net/wanrouter/wanproc.c            |    2 +-
 net/x25/x25_proc.c                 |    2 +-
 24 files changed, 169 insertions(+), 33 deletions(-)

commit 4a458454aa859a2715e11d0db51e5226c152d8e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 1 17:46:13 2014 -0400

    Fix CVE-2014-1739, upstream vuln in media_enum_entities()
    Author: Salva Peiró
    Date: April 2014 - Discovery of the vulnerability.
    Impact: The vulnerability discloses 200 bytes of kernel process stack.
    Affected Version: From linux-2.6.38 to linux-3.15-rc3
    Bug Timespan: 3 years: 2011-03-23 to 2014-04-29 commit 1651333b
    
    (Deleted) blog post at: http://speirofr.appspot.com/cve-2014-1739-kernel-infoleak-vulnerability-in-media_enum_entities.html

 drivers/media/media-device.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
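
The two floppy commits above and this media_enum_entities() fix are instances of one rule for ioctl structures: members the kernel owns must be overwritten after copy_from_user() and cleared (or the whole struct zeroed) before copy_to_user(). The userspace model below is an added example, not the drivers' code: the struct layouts are simplified stand-ins, memcpy() replaces the user-copy helpers, and the 0xAA fill, the constructed inputs and every function name are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for floppy_raw_cmd and media_entity_desc (illustrative field
 * lists, not the kernel's exact layouts). memcpy() replaces copy_from_user() and
 * copy_to_user() so the logic runs in userspace. */
struct raw_cmd {
    uint32_t flags;
    uint8_t  cmd[16];
    uint8_t  cmd_count;
    uint8_t  reply[16];
    /* kernel-only members: the driver's request list and its DMA bounce buffer */
    struct raw_cmd *next;
    void    *kernel_data;
    uint32_t buffer_length;
};

struct entity_desc {
    uint32_t id;
    char     name[32];
    uint32_t type, revision, flags, group_id;
    uint16_t pads, links;
    uint32_t reserved[4];
};

/* FDRAWCMD copy-in: the whole struct arrives from userspace, kernel-only members
 * included. The fix overwrites them after every copy, so the driver never follows
 * a user-supplied list pointer or DMA address. */
static struct raw_cmd raw_cmd_copyin(struct raw_cmd user, int fixed)
{
    struct raw_cmd k;
    memcpy(&k, &user, sizeof(k));                   /* copy_from_user() */
    if (fixed) {
        k.next = NULL;
        k.kernel_data = NULL;
        k.buffer_length = 0;
    }
    return k;
}

/* FDRAWCMD copy-out: copying the live kernel struct verbatim hands userspace the
 * kernel pointers. The fix copies to a scratch struct, clears them, then copies that. */
static struct raw_cmd raw_cmd_copyout(struct raw_cmd k, int fixed)
{
    struct raw_cmd tmp = k, user;
    if (fixed) {
        tmp.next = NULL;
        tmp.kernel_data = NULL;
    }
    memcpy(&user, &tmp, sizeof(user));              /* copy_to_user() */
    return user;
}

/* media_enum_entities() pattern: a descriptor is assembled on the kernel stack and
 * copied out, so every field the code never assigns keeps whatever the stack held
 * before. The fix zeroes the whole struct before filling it. */
static void fill_entity_desc(struct entity_desc *d, uint32_t id, const char *name, int fixed)
{
    if (fixed)
        memset(d, 0, sizeof(*d));
    d->id = id;
    snprintf(d->name, sizeof(d->name), "%s", name);
    d->type = 0x10001;
}

/* Constructed inputs: a user request carrying attacker-chosen kernel pointers, and
 * a live kernel request pointing at real (static) kernel objects. */
static struct raw_cmd list_head;                    /* stands in for the driver's list */
static uint8_t dma_area[64];                        /* stands in for the DMA buffer */

static struct raw_cmd hostile_user_cmd(void)
{
    struct raw_cmd u = { .flags = 1, .next = (struct raw_cmd *)(uintptr_t)0x41414141,
                         .kernel_data = (void *)(uintptr_t)0x42424242,
                         .buffer_length = 0xffffffff };
    return u;
}

static struct raw_cmd live_kernel_cmd(void)
{
    struct raw_cmd k = { .flags = 1, .next = &list_head, .kernel_data = dma_area,
                         .buffer_length = sizeof(dma_area) };
    return k;
}

/* Fill the descriptor over a 0xAA pattern standing in for stale stack contents and
 * count how many of those bytes would reach userspace. */
static size_t stale_bytes_in_entity_desc(int fixed)
{
    struct entity_desc d;
    const unsigned char *p = (const unsigned char *)&d;
    size_t i, n = 0;
    memset(&d, 0xAA, sizeof(d));
    fill_entity_desc(&d, 7, "sensor", fixed);
    for (i = 0; i < sizeof(d); i++)
        n += (p[i] == 0xAA);
    return n;
}
```

raw_cmd_copyout() mirrors the scratch-copy approach of the second floppy commit, which clears the named pointers but not struct padding; zeroing the scratch struct with memset() before assigning the fields it should carry closes that gap as well, and is what the media fix does. In the model, the unzeroed descriptor delivers 57 of its 72 bytes to userspace untouched; the zeroed one delivers none.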

commit 000428a7bbab546333e4c42222846c91e3be0a22
Merge: b8f4923 6fed70a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 30 19:00:04 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 6fed70ad4afb6a9b3f8b45b375da62c0ec554410
Merge: 76178e3 f453538
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 30 18:59:36 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kernel/ldt.c

commit b8f492389e6c99083e043ace700dfeed56879043
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 29 20:23:46 2014 -0400

    update gitignore

 tools/gcc/.gitignore |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 21f5c3f135f6387d594f583853919d32455b9f3c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 29 20:20:28 2014 -0400

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 16c404220e8f5c1970cdbb94a1ec8501bb837ce7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 29 18:55:26 2014 -0400

    Include backported virtio SCSI driver from Debian, thanks to Ben Hutchings

 drivers/scsi/Kconfig         |    8 +
 drivers/scsi/Makefile        |    1 +
 drivers/scsi/virtio_scsi.c   |  838 ++++++++++++++++++++++++++++++++++++++++++
 drivers/virtio/virtio.c      |    5 +-
 drivers/virtio/virtio_ring.c |   60 +++-
 include/linux/virtio.h       |    5 +
 include/linux/virtio_ids.h   |    1 +
 include/linux/virtio_scsi.h  |  125 +++++++
 8 files changed, 1035 insertions(+), 8 deletions(-)

commit 2be3acc4be4e2f1aa47d1d73104cc29668b022ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 24 00:02:59 2014 -0400

    Update size_overflow hash table

 tools/gcc/size_overflow_hash.data |  777 ++++++++++++++++++++++++++++++++++---
 1 files changed, 726 insertions(+), 51 deletions(-)

commit 0191ef479be656defb1a7c54e36dea0a7745edff
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Apr 22 13:49:40 2014 -0700

    Upstream commit: 1b17844b29ae042576bea588164f2f1e9590a8bc
    
    mm: make fixup_user_fault() check the vma access rights too
    
    fixup_user_fault() is used by the futex code when the direct user access
    fails, and the futex code wants it to either map in the page in a usable
    form or return an error.  It relied on handle_mm_fault() to map the
    page, and correctly checked the error return from that, but while that
    does map the page, it doesn't actually guarantee that the page will be
    mapped with sufficient permissions to be then accessed.
    
    So do the appropriate tests of the vma access rights by hand.
    
    [ Side note: arguably handle_mm_fault() could just do that itself, but
      we have traditionally done it in the caller, because some callers -
      notably get_user_pages() - have been able to access pages even when
      they are mapped with PROT_NONE.  Maybe we should re-visit that design
      decision, but in the meantime this is the minimal patch. ]
    
    Found by Dave Jones running his trinity tool.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memory.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit f2d509f7f0c1ef9b59e2ff990225a5afe58118cc
Merge: 2013ce2 76178e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 23 19:11:10 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	tools/gcc/size_overflow_hash.data

commit 76178e36bfd7964195812cc79c8f49bbacb248cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 23 19:09:00 2014 -0400

    Update to pax-linux-3.2.57-test150.patch:
    - changed the colorize plugin to be similar to -fdiagnostics-color in gcc 4.9
      - http://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Language-Independent-Options.html
      - by default colorization is off
      - if GCC_COLORS exists in the environment then stderr will be colored if it's a terminal
      - -fplugin-arg-colorize_plugin-color= takes the same arguments as -fdiagnostics-color=
        - e.g., the old behaviour is equivalent to EXTRA_CFLAGS=-fplugin-arg-colorize_plugin-color=always
      - the value of GCC_COLORS isn't parsed yet, the existing colors (red/yellow/blue) are used instead
    - fixed all warnings on the gcc plugins reported by clang
    - Emese regenerated the size overflow hash table from scratch

 Makefile                          |    2 +-
 arch/x86/kernel/traps.c           |    4 +-
 tools/gcc/colorize_plugin.c       |   77 +-
 tools/gcc/constify_plugin.c       |   13 +-
 tools/gcc/kallocstat_plugin.c     |    9 +-
 tools/gcc/kernexec_plugin.c       |   27 +-
 tools/gcc/latent_entropy_plugin.c |   13 +-
 tools/gcc/size_overflow_hash.data | 2347 ++++++-------------------------------
 tools/gcc/size_overflow_plugin.c  |   27 +-
 tools/gcc/stackleak_plugin.c      |   18 +-
 tools/gcc/structleak_plugin.c     |    9 +-
 11 files changed, 519 insertions(+), 2027 deletions(-)

commit 2013ce2b93ee8217b2e2133d1a5ef60034ebda47
Merge: e0ce59a 3187a79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 18 21:09:07 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3187a798b98447aba2a4b3eacbd8b459c05c4a54
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 18 21:08:32 2014 -0400

    Update to pax-linux-3.2.57-test149.patch:
    - temporarily reverted the previous fix of the overflow plugin as it triggers more problems than it solves

 tools/gcc/size_overflow_hash.data |    1 -
 tools/gcc/size_overflow_plugin.c  |    4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

commit e0ce59a56f1e59eaab4f2aec82461a442e1d740d
Merge: f669ea3 0980044
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 18:56:30 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 0980044f49cfc2eeb3cc4ef226ec228a4c0bf5e7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 18:56:10 2014 -0400

    fix compilation

 tools/gcc/size_overflow_hash_aux.data |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit f669ea3f27b8efa83d91315b79508f6b1c1151b4
Merge: b3ca5e6 4dc7a2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 17:57:25 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 4dc7a2cafe7bc6c0cc025c2bfa0990c051c345aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 17:56:59 2014 -0400

    Update to pax-linux-3.2.57-test148.patch:
    - Emese fixed a size overflow false positive due to intentional overflow, reported by 7LL (https://forums.grsecurity.net/viewtopic.php?f=3&t=3940)

 tools/gcc/size_overflow_hash_aux.data |    9 +++++
 tools/gcc/size_overflow_plugin.c      |   58 ++++++++++++++++++++++++++++++++-
 2 files changed, 66 insertions(+), 1 deletions(-)

commit b3ca5e6b6f1919adebd5f0f224973d00e207a8a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 17 17:12:50 2014 -0400

    fix an off-by-one triggerable on 32bit kernels with PAX_USERCOPY on
    specific shmemfs reads that end up copying from empty_zero_page,
    which on 32bit x86 has the same address as _etext.  Fix up some
    other harmless instances of this error as well
    
    Thanks to 'jy' from IRC for reporting this

 arch/x86/mm/init_32.c |    6 +++---
 fs/exec.c             |    4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 1c930d360ce624a56b857812faa6d577209fdc9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 13 12:47:57 2014 -0400

    From: Mathias Krause <minipli@googlemail.com>
    [PATCH net] filter: prevent nla extensions to peek beyond the end of the message
    
    The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
    for a minimal message length before testing the supplied offset to be
    within the bounds of the message. This allows the subtraction of the nla
    header to underflow and therefore -- as the data type is unsigned --
    allowing far too big offset and length values for the search of the
    netlink attribute.
    
    The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
    also wrong. It has the minuend and subtrahend mixed up, therefore
    calculates a huge length value, allowing to overrun the end of the
    message while looking for the netlink attribute.
    
    The following three BPF snippets will trigger the bugs when attached to
    a UNIX datagram socket and parsing a message with length 1, 2 or 3.
    
     ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
     | ld   #0x87654321
     | ldx  #42
     | ld   #nla
     | ret  a
     `---
    
     ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
     | ld   #0x87654321
     | ldx  #42
     | ld   #nlan
     | ret  a
     `---
    
     ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
     | ; (needs a fake netlink header at offset 0)
     | ld   #0
     | ldx  #42
     | ld   #nlan
     | ret  a
     `---
    
    Fix the first issue by ensuring the message length fulfills the minimal
    size constraints of a nla header. Fix the second bug by getting the math
    for the remainder calculation right.
    
    Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
    Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/core/filter.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)
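
The two arithmetic mistakes that message describes, modelled in userspace as an added illustration (this is not the kernel's filter code and not part of the grsecurity patch). The struct nlattr layout and the attribute walk follow include/linux/netlink.h and lib/nlattr.c; the function names, the constructed 12-byte message and the little-endian byte order are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model of the kernel's struct nlattr (include/linux/netlink.h). */
struct nlattr {
    uint16_t nla_len;    /* header + payload, before padding */
    uint16_t nla_type;
};
#define NLA_ALIGN(len) (((len) + 3u) & ~3u)
#define NLA_HDRLEN     ((int)NLA_ALIGN(sizeof(struct nlattr)))

/* nla_find(): walk the attributes in [head, head + len) and return the first of 'type'. */
static const struct nlattr *find_attr(const unsigned char *head, int len, uint16_t type)
{
    const struct nlattr *nla = (const struct nlattr *)head;
    int rem = len;

    while (rem >= NLA_HDRLEN && nla->nla_len >= NLA_HDRLEN && nla->nla_len <= rem) {
        if (nla->nla_type == type)
            return nla;
        int tot = (int)NLA_ALIGN(nla->nla_len);
        rem -= tot;
        nla = (const struct nlattr *)((const unsigned char *)nla + tot);
    }
    return NULL;
}

/* Pre-fix offset test. skb->len is unsigned, so for a message shorter than the
 * header the subtraction wraps to a huge value and every A passes, including
 * the PoC's 0x87654321. */
static int offset_ok_buggy(unsigned int len, uint32_t A)
{
    return A > len - sizeof(struct nlattr) ? 0 : 1;
}

/* Post-fix offset test: demand the minimal header size before subtracting. */
static int offset_ok_fixed(unsigned int len, uint32_t A)
{
    if (len < sizeof(struct nlattr))
        return 0;
    return A > len - sizeof(struct nlattr) ? 0 : 1;
}

/* Bytes left after offset A. The pre-fix NEST code had the operands swapped, which
 * yields a huge remainder for every A < len, so the length check never rejected. */
static unsigned int nest_remainder_buggy(unsigned int len, uint32_t A) { return A - len; }
static unsigned int nest_remainder_fixed(unsigned int len, uint32_t A) { return len - A; }

/* Fixed BPF_S_ANC_NLATTR handler: A = start offset, X = attribute type.
 * Returns the offset of the match, or 0 (as the kernel does) when nothing is found. */
static uint32_t anc_nlattr(const void *data, unsigned int len, uint32_t A, uint32_t X)
{
    const unsigned char *p = data;

    if (!offset_ok_fixed(len, A))
        return 0;
    const struct nlattr *nla = find_attr(p + A, (int)(len - A), (uint16_t)X);
    return nla ? (uint32_t)((const unsigned char *)nla - p) : 0;
}

/* Fixed BPF_S_ANC_NLATTR_NEST handler: the attribute at A must fit in the remainder
 * of the message; its payload is then searched for type X. */
static uint32_t anc_nlattr_nest(const void *data, unsigned int len, uint32_t A, uint32_t X)
{
    const unsigned char *p = data;

    if (!offset_ok_fixed(len, A))
        return 0;
    const struct nlattr *outer = (const struct nlattr *)(p + A);
    if (outer->nla_len > nest_remainder_fixed(len, A) || outer->nla_len < NLA_HDRLEN)
        return 0;
    const struct nlattr *nla = find_attr((const unsigned char *)outer + NLA_HDRLEN,
                                         outer->nla_len - NLA_HDRLEN, (uint16_t)X);
    return nla ? (uint32_t)((const unsigned char *)nla - p) : 0;
}

/* Constructed 12-byte message (little-endian byte order assumed): an outer
 * attribute of type 1 wrapping a nested attribute of type 42 with a 4-byte payload.
 * The union keeps the bytes 4-byte aligned for the struct casts above. */
union sample_msg { uint32_t align; unsigned char b[12]; };
static const union sample_msg sample = { .b = {
    12, 0,  1, 0,             /* outer: nla_len = 12, nla_type = 1  */
     8, 0, 42, 0,             /* inner: nla_len = 8,  nla_type = 42 */
    0xde, 0xad, 0xbe, 0xef    /* inner payload */
} };
```

The first PoC on a 1-byte message passes offset_ok_buggy() because 1 - sizeof(struct nlattr) wraps, and nest_remainder_buggy() returns roughly 4 billion for A = 0, so the nested header's length was effectively never checked. Both fixed handlers reject those inputs and return 0 rather than searching past the end of the message.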

commit 3970fc037238549eb27d4e9b85ce987c6980c54c
Author: Andrey Vagin <avagin@openvz.org>
Date:   Fri Mar 28 13:54:32 2014 +0400

    Upstream commit: 223b02d923ecd7c84cf9780bb3686f455d279279
    
    netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
    
    "len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
    case it can contain all extensions. Below you can find sizes for all
    types of extensions. Their sum is definitely bigger than 256.
    
    nf_ct_ext_types[0]->len = 24
    nf_ct_ext_types[1]->len = 32
    nf_ct_ext_types[2]->len = 24
    nf_ct_ext_types[3]->len = 32
    nf_ct_ext_types[4]->len = 152
    nf_ct_ext_types[5]->len = 2
    nf_ct_ext_types[6]->len = 16
    nf_ct_ext_types[7]->len = 8
    
    I have seen "len" up to 280 and my host has crashes w/o this patch.
    
    The right way to fix this problem is reducing the size of the ecache
    extension (4) and Florian is going to do this, but these changes will
    be quite large to be appropriate for a stable tree.
    
    Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Cc: "David S. Miller" <davem@davemloft.net>
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/net/netfilter/nf_conntrack_extend.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 90cdd94d118ebd1be0383b0e56cb7467f6dc99c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 11 17:19:35 2014 -0400

    Upstream commit: 7563487cbf865284dcd35e9ef5a95380da046737
    
    isdnloop: several buffer overflows
    There are three buffer overflows addressed in this patch.
    
    1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
    then copy it into a 60 character buffer.  I have made the destination
    buffer 64 characters and I changed the sprintf() to a snprintf().
    
    2) In isdnloop_parse_cmd(), p points 6 characters into a 60
    character buffer so we have 54 characters.  The ->eazlist[] is 11
    characters long.  I have modified the code to return if the source
    buffer is too long.
    
    3) In isdnloop_command() the cbuf[] array was 60 characters long but the
    max length of the string then can be up to 79 characters.  I made the
    cbuf array 80 characters long and changed the sprintf() to snprintf().
    I also removed the temporary "dial" buffer and changed it to use "p"
    directly.
    
    Unfortunately, we pass the "cbuf" string from isdnloop_command() to
    isdnloop_writecmd() which truncates anything over 60 characters to make
    it fit in card->omsg[].  (It can accept values up to 255 characters so
    long as there is a '\n' character every 60 characters).  For now I have
    just fixed the memory corruption bug and left the other problems in this
    driver alone.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)
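
The first two overflows in that message, reduced to their copy-and-check pattern as an added example (not the isdnloop driver's code). The buffer sizes and the 6-byte command prefix are taken from the commit text; the function names and the constructed worst-case message are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define OMSG_LEN 60     /* size of card->omsg in the driver */
#define EAZ_LEN  11     /* size of one eazlist[] entry */

/* Constructed worst case: an omsg that already fills its slot (59 chars + NUL). */
static const char *full_omsg(void)
{
    static char msg[OMSG_LEN];
    memset(msg, 'A', OMSG_LEN - 1);
    msg[OMSG_LEN - 1] = '\0';
    return msg;
}

/* isdnloop_fake_err() pattern. With a 60-byte destination the pre-fix sprintf()
 * writes 61 bytes ('E', 59 chars, NUL). snprintf() bounds the write but reports
 * truncation only through its return value, so that value is checked here.
 * Returns 1 if "E" + omsg fit with their NUL, 0 if the output was truncated. */
static int fake_err_fits(size_t dstlen, const char *omsg)
{
    char buf[64];                               /* the post-fix buffer size */
    int want;

    if (dstlen > sizeof(buf))
        dstlen = sizeof(buf);
    want = snprintf(buf, dstlen, "E%s", omsg);
    return want >= 0 && (size_t)want < dstlen;
}

/* isdnloop_parse_cmd() pattern: the text after the 6-byte command prefix goes into
 * an 11-byte eazlist slot. Pre-fix this was an unchecked strcpy() from up to 54
 * bytes; the fix refuses anything that does not fit. Returns the stored length,
 * or -1 when the source is rejected (the slot is then left untouched). */
static int set_eaz(char eaz[EAZ_LEN], const char *cmd)
{
    const char *p;

    if (strlen(cmd) < 6)
        return -1;
    p = cmd + 6;
    if (strlen(p) >= EAZ_LEN)
        return -1;
    strcpy(eaz, p);
    return (int)strlen(eaz);
}

/* Exercise set_eaz() on a fresh slot: the stored length on success, -1 if the
 * input was rejected and the slot kept its old contents, -2 if it was modified. */
static int set_eaz_check(const char *cmd)
{
    char slot[EAZ_LEN] = "old";
    int r = set_eaz(slot, cmd);
    if (r >= 0)
        return r;
    return strcmp(slot, "old") == 0 ? -1 : -2;
}
```

snprintf() prevents the write past the buffer but truncates silently, which in this driver still yields a malformed command; comparing the return value against the buffer size is what turns truncation into a detectable error. The eazlist check rejects over-long input outright instead of truncating it, which is the safer choice when the truncated value would be used as an identifier.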

commit acd45ebd8972ce66191c2005f59c25da91b439fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 11 16:57:17 2014 -0400

    Apply: https://lkml.org/lkml/2014/4/10/736
    
    PAX_REFCOUNT makes this unexploitable, turning it into a harmless memleak
    
    Conflicts:
    
    	net/ipv4/ping.c

 net/ipv4/ping.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 46314ee3485b6d11360e51b1a89fc8cdcc45da9c
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Sun Mar 16 15:31:54 2014 -0700

    Upstream commit: b3b42ac2cbae1f3cecbb6229964a4d48af31d382
    
    x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
    
    The IRET instruction, when returning to a 16-bit segment, only
    restores the bottom 16 bits of the user space stack pointer.  We have
    a software workaround for that ("espfix") for the 32-bit kernel, but
    it relies on a nonzero stack segment base which is not available in
    32-bit mode.
    
    Since 16-bit support is somewhat crippled anyway on a 64-bit kernel
    (no V86 mode), and most (if not quite all) 64-bit processors support
    virtualization for the users who really need it, simply reject
    attempts at creating a 16-bit segment when running on top of a 64-bit
    kernel.
    
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org
    Cc: <stable@vger.kernel.org>
    
    Conflicts:
    
    	arch/x86/kernel/ldt.c

 arch/x86/kernel/ldt.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit 96e52f165fa1db9241275603db6bfa12f1409caf
Merge: c325dfd 986375e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 9 17:16:27 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 986375eaf9ddfb549dee39703b5a7afd6f4fe733
Merge: d46def7 a2601fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 9 17:15:51 2014 -0400

    Update to pax-linux-3.2.57-test147.patch
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	scripts/package/builddeb

commit c325dfd10e11e8f3d12fa7ead45b5ffaa7fba4b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 7 18:41:45 2014 -0400

    Update GRKERNSEC_IO documentation

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 936f7cbd75a811dc46bee8b6edde793398c1a090
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 18:59:00 2014 -0400

    add compiler.h to path.h

 include/linux/path.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 01256430ba03319966146dcd8eea67521770ec5e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 18:38:42 2014 -0400

    fix tomoyo compilation

 security/tomoyo/tomoyo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4468372984e9faa4f3ccda3f6190a5b8341368ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:58:39 2014 -0400

    fix tomoyo compilation with RANDSTRUCT

 security/tomoyo/tomoyo.c |   22 +++++++++++-----------
 1 files changed, 11 insertions(+), 11 deletions(-)

commit 9380e23fd600b64d5d1fb6920b4cf29c197075c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:50:38 2014 -0400

    fix tomoyo compilation with RANDSTRUCT

 security/tomoyo/file.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit d711e2f0ef5392b6a555411d92fd662d0f0647d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:43:47 2014 -0400

    Fix tomoyo compilation with RANDSTRUCT

 security/tomoyo/file.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit d4886c92a23273e0362c0660a987745410460d55
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:23:09 2014 -0400

    fix apparmor compilation with RANDSTRUCT

 security/apparmor/file.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit dbfdaec0a04221391d22ad10651d2a31bfe38c0c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 17:11:40 2014 -0400

    fix apparmor compilation with RANDSTRUCT

 security/apparmor/lsm.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 3b6b32eafd2f773f971c777174328b98198d6ca2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 16:58:35 2014 -0400

    add __randomize_layout to more important structures

 include/linux/binfmts.h    |    4 ++--
 include/linux/filter.h     |    2 +-
 include/linux/path.h       |    2 +-
 include/linux/security.h   |    2 +-
 include/linux/tty_driver.h |    2 +-
 include/net/af_unix.h      |    2 +-
 include/net/sock.h         |    4 ++--
 7 files changed, 9 insertions(+), 9 deletions(-)

commit d563f80fb8783c3fb4d571dd9e72f35497ac3db1
Merge: 63680ac d46def7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 09:30:06 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/boot/compressed/misc.c
    	tools/gcc/Makefile

commit d46def7c02984f06b0a9479b186569763afd4613
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 09:26:52 2014 -0400

    Update to pax-linux-3.2.56-test147.patch:
    - actually applied the changes meant for test146 :P
    - updated the hash database for external modules, by Emese
    - fixed regression in gcc plugin compilation when compiling with ccache, reported by ncopa
    - proper fix for 309944be296efbb3ca4737d12ef49d2ba97cbecc upstream
    - fixed plugin compilation under gcc 4.5, reported by Emese Revfy
    - Emese added support for out-of-tree modules for the size overflow plugin, fixes https://bugs.gentoo.org/show_bug.cgi?id=505594

 arch/x86/boot/compressed/misc.c          |    7 ++-
 scripts/gcc-plugin.sh                    |    4 +-
 tools/gcc/Makefile                       |   12 +++-
 tools/gcc/gcc-common.h                   |    1 +
 tools/gcc/generate_size_overflow_hash.sh |    5 ++-
 tools/gcc/size_overflow_hash.data        |    1 +
 tools/gcc/size_overflow_hash_aux.data    |   83 ++++++++++++++++++++++++++++++
 tools/gcc/size_overflow_plugin.c         |   25 ++++++---
 8 files changed, 122 insertions(+), 16 deletions(-)

commit 63680ac0edd9a72295df07b792096d4f84570e78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 6 08:34:08 2014 -0400

    This reverts commit 31dee23268ac47eaaafacb186229bc14fb84fa9b.

 net/socket.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit d20a625ed406f6bb5c9be627993798b0e259284d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 16:42:54 2014 -0400

    change clearing char to 0xff

 arch/x86/boot/compressed/misc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9f64dbb310f8d4e1f893b0d85e3d50c077cfdb86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 16:33:52 2014 -0400

    Zero out the difference between file size and mapped size for kernel
    elf sections mapped by the loader -- proper fix by pipacs for:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=309944be296efbb3ca4737d12ef49d2ba97cbecc

 arch/x86/boot/compressed/misc.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 3f69f5d8d98b1641e897c09b88bd86f07843ba0d
Author: Pablo Neira <pablo@netfilter.org>
Date:   Tue Apr 1 19:38:44 2014 +0200

    Upstream commit: 8b7b932434f5eee495b91a2804f5b64ebb2bc835
    
    netlink: don't compare the nul-termination in nla_strcmp
    
    nla_strcmp compares the string length plus one, so it's implicitly
    including the nul-termination in the comparison.
    
     int nla_strcmp(const struct nlattr *nla, const char *str)
     {
            int len = strlen(str) + 1;
            ...
                    d = memcmp(nla_data(nla), str, len);
    
    However, if NLA_STRING is used, userspace can send us a string without
    the nul-termination. This is a problem since the string
    comparison will not match as the last byte may be not the
    nul-termination.
    
    Fix this by skipping the comparison of the nul-termination if the
    attribute data is nul-terminated. Suggested by Thomas Graf.
    
    Cc: Florian Westphal <fw@strlen.de>
    Cc: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/nlattr.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)
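
The pre-fix and post-fix nla_strcmp() side by side, as an added example rather than code lifted from lib/nlattr.c: the two comparison routines follow the commit's description, while the harness around them (build_string_attr, compare_attr, the 0xAA fill after the payload) is this example's own and not a kernel interface.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of struct nlattr and the two accessors the comparison uses. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN 4

static const char *nla_data(const struct nlattr *nla) { return (const char *)nla + NLA_HDRLEN; }
static int nla_len(const struct nlattr *nla) { return nla->nla_len - NLA_HDRLEN; }

/* Pre-fix nla_strcmp(): compares strlen(str) + 1 bytes, so an attribute whose
 * payload was sent without the terminating NUL can never match. */
static int nla_strcmp_buggy(const struct nlattr *nla, const char *str)
{
    int len = (int)strlen(str) + 1;
    int d = nla_len(nla) - len;

    if (d == 0)
        d = memcmp(nla_data(nla), str, (size_t)len);
    return d;
}

/* Post-fix nla_strcmp(): drop a trailing NUL from the attribute length if present,
 * then compare exactly strlen(str) bytes. Terminated and unterminated payloads
 * now compare the same way, and the comparison never reads past nla_len. */
static int nla_strcmp_fixed(const struct nlattr *nla, const char *str)
{
    int len = (int)strlen(str);
    const char *buf = nla_data(nla);
    int attrlen = nla_len(nla);
    int d;

    if (attrlen > 0 && buf[attrlen - 1] == '\0')
        attrlen--;
    d = attrlen - len;
    if (d == 0)
        d = memcmp(buf, str, (size_t)len);
    return d;
}

/* Constructed attribute: 'payload' with or without its NUL, in aligned storage whose
 * unused tail is filled with 0xAA to stand for whatever follows in a real message. */
union attr_buf { uint32_t align; unsigned char raw[64]; };

static const struct nlattr *build_string_attr(union attr_buf *buf, const char *payload, int with_nul)
{
    size_t n = strlen(payload) + (with_nul ? 1u : 0u);
    struct nlattr *nla = (struct nlattr *)buf->raw;

    if (NLA_HDRLEN + n > sizeof(buf->raw))
        return NULL;
    memset(buf->raw, 0xAA, sizeof(buf->raw));
    nla->nla_len = (uint16_t)(NLA_HDRLEN + n);
    nla->nla_type = 1;
    memcpy(buf->raw + NLA_HDRLEN, payload, n);
    return nla;
}

/* Run one comparison through the chosen implementation; INT_MIN if the payload
 * does not fit the scratch buffer. */
static int compare_attr(const char *payload, int with_nul, const char *str, int fixed)
{
    union attr_buf buf;
    const struct nlattr *nla = build_string_attr(&buf, payload, with_nul);

    if (!nla)
        return INT_MIN;
    return fixed ? nla_strcmp_fixed(nla, str) : nla_strcmp_buggy(nla, str);
}
```

An NLA_STRING payload is not guaranteed to carry its NUL and need not, so kernel code must never hand nla_data() to strcmp() or strlen(); nla_strcmp() and nla_strlcpy() bound themselves by nla_len(). After this fix a policy or name match no longer depends on whether the sender happened to include the terminator, which is the behaviour a filter writer expects.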

commit 06d25eda5d0c46184e9454900a2b6fd3fde8e5a3
Author: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Date:   Wed Apr 2 12:48:42 2014 +0900

    Upstream commit: 77bc6bed7121936bb2e019a8c336075f4c8eef62
    
    isdnloop: Validate NUL-terminated strings from user.
    
    Return -EINVAL unless all of user-given strings are correctly
    NUL-terminated.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 0857ee882e7f5b2218917237e8d05d9ea52232c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 11:34:13 2014 -0400

    revert last change
    
    Conflicts:
    
    	net/core/filter.c

 net/core/filter.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit b8c5f11b66edabec0d652bf0a8c79ed8fbee71e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 11:01:13 2014 -0400

    add additional checking, convert WARN to a BUG since we should be able to filter
    out any invalid ops at filter install time -- finding them during runtime is
    a sign of memory corruption

 net/core/filter.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit c57bdff374931d151bdc31758b21a7355d9889c9
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Dec 28 10:50:17 2012 +0000

    net: filter: return -EINVAL if BPF_S_ANC* operation is not supported
    
    Currently, we return -EINVAL for malformed or wrong BPF filters.
    However, this is not done for BPF_S_ANC* operations, which makes it
    more difficult to detect if it's actually supported or not by the
    BPF machine. Therefore, we should also return -EINVAL if K is within
    the SKF_AD_OFF universe and the ancillary operation did not match.
    
    Why exactly is it needed? If tools such as libpcap/tcpdump want to
    make use of new ancillary operations (like filtering VLAN in kernel
    space), there is currently no sane way to test if this feature /
    BPF_S_ANC* op is present or not, since no error is returned. This
    patch will make life easier for that and allow for a proper usage
    for user space applications.
    
    There was concern, if this patch will break userland. Short answer: Yes
    and no. Long answer: It will "break" only for code that calls ...
    
      { BPF_LD | BPF_(W|H|B) | BPF_ABS, 0, 0, <K> },
    
    ... where <K> is in [0xfffff000, 0xffffffff] _and_ <K> is *not* an
    ancillary. And here comes the BUT: assuming some *old* code will have
    such an instruction where <K> is between [0xfffff000, 0xffffffff] and
    it doesn't know ancillary operations, then this will give a
    non-expected / unwanted behavior as well (since we do not return the
    BPF machine with 0 after a failed load_pointer(), which was the case
    before introducing ancillary operations, but load sth. into the
    accumulator instead, and continue with the next instruction, for
    instance). Thus, user space code would already have been broken by
    introducing ancillary operations into the BPF machine per se. Code
    that does such a direct load, e.g. "load word at packet offset
    0xffffffff into accumulator" ("ld [0xffffffff]") is quite broken,
    isn't it? The whole assumption of ancillary operations is that no-one
    intentionally calls things like "ld [0xffffffff]" and expect this
    word to be loaded from such a packet offset. Hence, we can also safely
    make use of this feature testing patch and facilitate application
    development. Therefore, at least from this patch onwards, we have
    *for sure* a check whether current or in future implemented BPF_S_ANC*
    ops are supported in the kernel. Patch was tested on x86_64.
    
    (Thanks to Eric for the previous review.)
    
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Reported-by: Ani Sinha <ani@aristanetworks.com>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/filter.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 624e48d1690d1445df3e5d9f45fd65bd8db10d03
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 10:38:55 2014 -0400

    harden non-JIT socket filters against memory corruption occurring after
    check time

 net/core/filter.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit 00dd52f2bd219d4769ce3570b9ad7936a953e175
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 3 07:39:34 2014 -0400

    Update documentation on chroot to notify users that chrooting to
    a bind mount of the root filesystem provides no security benefits
    and will not trigger the chroot protections.

 grsecurity/Kconfig |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 07ed3feb4141ee0441d60b31d4771f6e7f651a55
Merge: 0630786 0f43a2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 1 21:16:34 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/btrfs/ioctl.c

commit 0f43a2cc05a01f468913b2927a46ae970b5decd9
Merge: fac950d e08e945
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 1 21:12:09 2014 -0400

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	include/linux/compiler-gcc4.h

commit 0630786e5f4978b96aa483dfd6b02d691b61efe7
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Fri Mar 28 17:38:42 2014 +0100

    Upstream commit: 05efa8c943b1d5d90fa8c8147571837573338bb6
    
    random32: avoid attempt to late reseed if in the middle of seeding
    
    Commit 4af712e8df ("random32: add prandom_reseed_late() and call when
    nonblocking pool becomes initialized") has added a late reseed stage
    that happens as soon as the nonblocking pool is marked as initialized.
    
    This fails in the case that the nonblocking pool gets initialized
    during __prandom_reseed()'s call to get_random_bytes(). In that case
    we'd double back into __prandom_reseed() in an attempt to do a late
    reseed - deadlocking on 'lock' early on in the boot process.
    
    Instead, just avoid even waiting to do a reseed if a reseed is already
    occurring.
    
    Fixes: 4af712e8df99 ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized")
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/random32.c |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

commit 132e47979cd891bea6e19e829dd32fbb2c2f17d5
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Thu Mar 27 12:00:26 2014 +0200

    Upstream commit: d8316f3991d207fe32881a9ac20241be8fa2bad0
    
    vhost: fix total length when packets are too short
    
    When mergeable buffers are disabled, and the
    incoming packet is too large for the rx buffer,
    get_rx_bufs returns success.
    
    This was intentional in order to make recvmsg
    truncate the packet and then handle_rx would
    detect err != sock_len and drop it.
    
    Unfortunately we pass the original sock_len to
    recvmsg - which means we use parts of iov not fully
    validated.
    
    Fix this up by detecting this overrun and doing packet drop
    immediately.
    
    CVE-2014-0077
    
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/net.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit bee2386b7a0e6c383f64a907e389afb818086a49
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 21:25:24 2014 -0400

    Backport upstream fix for 21f8aaee0c62708654988ce092838aa7df4d25d8

 drivers/net/wireless/ath/ath9k/xmit.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit dc28ecec3de1fa56f56c841339fc8bc3785d03bd
Merge: 7ea86bf fac950d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 13:24:00 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit fac950dfb075c6a5bfc8c62ba04ceff2f0a7cd4b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 13:22:54 2014 -0400

    Update to pax-linux-3.2.55-test145.patch:
    - fixed a regression in gcc-plugin.sh that could make cross-compilation fail, reported by Aniem
    - hardened the hyper-v hypercall page access rights (rwx -> r-x), reported and tested by Hunger
    - fixed a regression in the previous latent entropy plugin change, reported by spender

 drivers/hv/hv.c                   |    2 +-
 scripts/gcc-plugin.sh             |    4 ++--
 tools/gcc/latent_entropy_plugin.c |    6 +++++-
 3 files changed, 8 insertions(+), 4 deletions(-)

commit 7ea86bf9cb6158a59aa8996bd804a89051b4c840
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 08:43:49 2014 -0400

    This fix is inappropriate for 3.2 without additional backports,
    as register_filesystem performed a needed list initialization
    which was eliminated in 3.13 with some other fixups.  Without
    the initialization, the kernel will crash on mounting this filesystem
    in list_add(&s->s_instances, &type->fs_supers); in sget() from mount_pseudo().
    
    Thanks to forum user androsyn for the report!
    
    Revert "Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1"
    
    This reverts commit 07944030e3c21211bb0c663084340c7929d0a90c.

 fs/anon_inodes.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 3ab717680394fa4e16d1c97bec37c7c3b7ff8cb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 30 08:43:23 2014 -0400

    Revert "remove the unregister_filesystem as well"
    
    This reverts commit 5a4843494d3fc45c4c346c72fe96faf3c65f76b6.

 fs/anon_inodes.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 5a4843494d3fc45c4c346c72fe96faf3c65f76b6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 28 18:17:59 2014 -0400

    remove the unregister_filesystem as well

 fs/anon_inodes.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 4c4a12f4f8b9ca9a98ae07f6fef8a78e2b03d06c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 21:54:11 2014 -0400

    ignore noreturn functions for now in the latent_entropy plugin

 tools/gcc/latent_entropy_plugin.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 14247221534cfd15a959eb854a3b5c3fc3d7c084
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 21:27:56 2014 -0400

    update config help for GRKERNSEC_KMEM to reflect recent change to only deny writes to /dev/cpu/*/msr instead of denying access entirely, allows powertop etc to continue to work while denying/logging the malicious activity

 grsecurity/Kconfig |   12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

commit e6ed884cf964d4a49223ead5b574de68500e5ba0
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Mar 25 18:42:27 2014 -0700

    Upstream commit: de1443916791d75fdd26becb116898277bb0273f
    
    net: unix: non blocking recvmsg() should not return -EINTR
    
    Some applications didn't expect recvmsg() on a non blocking socket
    could return -EINTR. This possibility was added as a side effect
    of commit b3ca9b02b00704 ("net: fix multithreaded signal handling in
    unix recv routines").
    
    To hit this bug, you need to be a bit unlucky, as the u->readlock
    mutex is usually held for very small periods.
    
    Fixes: b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

commit 07944030e3c21211bb0c663084340c7929d0a90c
Author: Jan Kara <jack@suse.cz>
Date:   Tue Mar 25 21:37:09 2014 +0100

    Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1
    
    fs: Avoid userspace mounting anon_inodefs filesystem
    
    anon_inodefs filesystem is a kernel internal filesystem userspace
    shouldn't mess with. Remove registration of it so userspace cannot
    even try to mount it (which would fail anyway because the filesystem is
    MS_NOUSER).
    
    This fixes an oops triggered by trinity when it tried mounting
    anon_inodefs which overwrote anon_inode_inode pointer while other CPU
    has been in anon_inode_getfile() between ihold() and d_instantiate().
    Thus effectively creating dentry pointing to an inode without holding a
    reference to it.
    
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/anon_inodes.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 7e85ceede0437c0834dfff8393e8d528937462a1
Merge: f9f77b1 348f1cc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 20:11:47 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/hugetlbfs/inode.c

commit 348f1cc2d45d23d1a1e2fa7221f395b87caf3059
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 27 20:10:11 2014 -0400

    Update to pax-linux-3.2.55-test143.patch:
    - fixed the gcc plugin capability detector script for gcc 4.9
    - fixed the latent entropy plugin to use the intended successor blocks instead of what happens to be next in the block list
    - changed the initial task's and the idle tasks' starting stack address to be consistent with the other stacks (top 2 slots are unused)
    - removed the pointless retaddr instrumentation from the low level kernel relocator code
    (already included in grsec:)
    - compile fixes for various archs, by spender
    - backported 3fa10cc83fb92750af11fab81e11ad96dc75d656 that upstream 'forgot' about as usual,
      it's a user triggerable DoS (without a CVE) that got caught by Emese's new fuzzer as well

 Makefile                                   |    2 +-
 arch/arm/include/asm/uaccess.h             |    1 +
 arch/ia64/include/asm/uaccess.h            |    1 +
 arch/mips/cavium-octeon/dma-octeon.c       |    2 +-
 arch/mips/include/asm/local.h              |   14 ++++++++++++++
 arch/mips/include/asm/pgtable.h            |    3 +++
 arch/mips/include/asm/uaccess.h            |    1 +
 arch/powerpc/include/asm/local.h           |   15 +++++++++++++++
 arch/powerpc/include/asm/uaccess.h         |    1 +
 arch/powerpc/kvm/powerpc.c                 |    2 +-
 arch/powerpc/mm/numa.c                     |    2 +-
 arch/powerpc/platforms/pseries/eeh_event.c |    2 +-
 arch/s390/include/asm/uaccess.h            |    1 +
 arch/sparc/include/asm/pgtable.h           |    4 ++++
 arch/x86/include/asm/uaccess.h             |    2 +-
 arch/x86/include/asm/uaccess_64.h          |   12 ++++++------
 arch/x86/kernel/head_64.S                  |    2 +-
 arch/x86/kernel/relocate_kernel_64.S       |    2 --
 arch/x86/kernel/smpboot.c                  |    2 +-
 arch/x86/mm/gup.c                          |    4 ++--
 drivers/tty/n_tty.c                        |    9 +++++----
 fs/hugetlbfs/inode.c                       |    3 +--
 scripts/gcc-plugin.sh                      |   17 ++++++++---------
 tools/gcc/latent_entropy_plugin.c          |   10 ++++++----
 virt/kvm/kvm_main.c                        |    2 +-
 25 files changed, 78 insertions(+), 38 deletions(-)

commit f9f77b161478fa4ba8ce6f3d64eea4b0d333dad6
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Mar 19 21:02:21 2014 -0700

    Upstream commit: 632623153196bf183a69686ed9c07eee98ff1bf8
    
    tcp: syncookies: do not use getnstimeofday()
    
    While it is true that getnstimeofday() uses about 40 cycles if TSC
    is available, it can use 1600 cycles if hpet is the clocksource.
    
    Switch to get_jiffies_64(), as this is more than enough, and
    go back to 60 seconds periods.
    
    Fixes: 8c27bd75f04f ("tcp: syncookies: reduce cookie lifetime to 128 seconds")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Florian Westphal <fw@strlen.de>
    Acked-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/tcp.h |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 1eab38a527e74fcf503b534ad0680eb84f6172da
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Fri Mar 14 10:42:01 2014 -0500

    Upstream commit: 1535bd8adbdedd60a0ee62e28fd5225d66434371
    
    sparc64: don't treat 64-bit syscall return codes as 32-bit
    
    When checking a system call return code for an error,
    linux_sparc_syscall was sign-extending the lower 32-bit value and
    comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return
    codes whose lower 32-bits alone would indicate a failure (such as 4G-1).
    Use the whole 64-bit value to check for errors. Only the 32-bit path
    should sign extend the lower 32-bit value.
    
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Acked-by: Bob Picco <bob.picco@oracle.com>
    Acked-by: Allen Pais <allen.pais@oracle.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: sparclinux@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/syscalls.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
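The sparc64 check described above, modelled in C as an added illustration (this is not the kernel's assembly; the error range and the value of ERESTART_RESTARTBLOCK follow the description in the commit message, and the sample return values are constructed):

```c
/*
 * Added illustration (not kernel code): Linux syscalls report errors as
 * small negative values, so the return path treats any value in the
 * range [-ERESTART_RESTARTBLOCK, -1] as an error by comparing it, as an
 * unsigned quantity, against -ERESTART_RESTARTBLOCK. Sign-extending only
 * the low 32 bits first turns a legitimate 64-bit result such as
 * 0xffffffff (lseek to 4G-1) into -1, which then looks like an error.
 */
#include <stdint.h>
#include <stdio.h>

#define ERESTART_RESTARTBLOCK 516 /* highest errno value the check must catch */

/* Pre-fix behaviour: take the low 32 bits, sign-extend, then compare. */
int is_error_before_fix(uint64_t ret)
{
	int64_t ext = (int32_t)ret; /* low word, sign-extended to 64 bits */
	return (uint64_t)ext >= (uint64_t)-(int64_t)ERESTART_RESTARTBLOCK;
}

/* Fixed behaviour for 64-bit tasks: compare the whole 64-bit value. */
int is_error_after_fix(uint64_t ret)
{
	return ret >= (uint64_t)-(int64_t)ERESTART_RESTARTBLOCK;
}

int main(void)
{
	/* Constructed sample return values. */
	uint64_t samples[] = { 0, 0xffffffffULL, (uint64_t)-2, (uint64_t)-516 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("ret=0x%016llx before=%d after=%d\n",
		       (unsigned long long)samples[i],
		       is_error_before_fix(samples[i]),
		       is_error_after_fix(samples[i]));
	return 0;
}
```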

commit 2bb7f15b77583841e2474dcd2a5488624c63109e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 22:53:31 2014 -0400

    add local_unchecked_t accessors to fix ppc64 compilation

 arch/powerpc/include/asm/local.h |   15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

commit 3ac2b53a0ac70c9912c4ea451e8314c5e66fd8ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 22:34:36 2014 -0400

    Backport addition of access_ok_noprefault() to fix ppc64+kvm compilation

 arch/arm/include/asm/uaccess.h     |    1 +
 arch/ia64/include/asm/uaccess.h    |    1 +
 arch/mips/include/asm/uaccess.h    |    1 +
 arch/powerpc/include/asm/uaccess.h |    1 +
 arch/s390/include/asm/uaccess.h    |    1 +
 arch/x86/include/asm/uaccess.h     |    2 +-
 arch/x86/include/asm/uaccess_64.h  |   12 ++++++------
 arch/x86/mm/gup.c                  |    4 ++--
 virt/kvm/kvm_main.c                |    2 +-
 9 files changed, 15 insertions(+), 10 deletions(-)

commit c247bdf26ed9eaa4f15802d77501f7649ded746b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:53:32 2014 -0400

    correct function definition for kvm_arch_init() to fix compilation on ppc64
    
    Conflicts:
    
    	arch/powerpc/kvm/powerpc.c

 arch/powerpc/kvm/powerpc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9363de8ee4955fda333ae0c1fc44f8bc2dd15ee5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:47:35 2014 -0400

    fix ppc64 allyesconfig compilation with RANDSTRUCT

 arch/powerpc/platforms/cell/celleb_scc_pciex.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 85bd970b782af453919deddf34abbacdcf432677
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:36:39 2014 -0400

    use $(LATENT_ENTROPY_PLUGIN_CFLAGS)

 arch/powerpc/kernel/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7d2471aa1d26823a3c771e29a74b8cf7217072b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 21:24:01 2014 -0400

    move REMOVE_CFLAGS

 arch/powerpc/kernel/Makefile |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit feb2f7c4c43e22cae4bed82f1fa30a39890eaa4f
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Thu Apr 26 20:13:00 2012 +0200

    Upstream commit: 3fa10cc83fb92750af11fab81e11ad96dc75d656
    
    TTY: n_tty, do not dereference user buffer
    
    copy_from_read_buf currently copies data to a user buffer and then
    checks if the data is single EOF. But it checks it by accessing the
    user buffer. First, the buffer may be changed by other threads of the
    user program already. Second, it accesses the buffer without any
    checks. It might be write-only for example.
    
    Fix this by inspecting contents of the tty (kernel) buffer instead.
    Note that "n == 1" is necessary, but not sufficient. But we check
    later that there is nothing left by "!tty->read_cnt" condition.
    
    There is still an issue with the current code that EOF being wrapped
    to the start of the circular buffer will result in an inappropriate
    losing of the EOF character. But this is not intended to be fixed by
    this patch.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Reported-by: Emil Goode <emilgoode@gmail.com>
    Cc: Howard Chu <hyc@symas.com>
    Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/n_tty.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

commit ed00c53dd1d944beb8e4ddc16995b8aa347d1d49
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 20:45:17 2014 -0400

    use correct args to set_task_comm()

 arch/powerpc/platforms/pseries/eeh_event.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ecbb706d65834b62e31749432ab95863a0d62ed1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 20:41:08 2014 -0400

    another ppc64 fix for upstream compile failure

 arch/powerpc/mm/numa.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 948f3c653b20e1e955c648eb7ab0dbee2a98ec79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 20:37:24 2014 -0400

    eliminate use of daemonize in eeh_event.c:
    http://linuxppc.10917.n7.nabble.com/patch-1-2-powerpc-eeh-remove-eeh-event-handler-gt-daemonize-td9403.html
    Patch from Oleg Nesterov

 arch/powerpc/platforms/pseries/eeh_event.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a56c2c4a9b7884b2bfdc169081095d24850e7b6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 20:33:21 2014 -0400

    export LATENT_ENTROPY_PLUGIN_CFLAGS so we can remove it from prom_init.c on ppc64

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit def660628f288d9328a8b32893ad707c76c63e4a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 20 20:30:35 2014 -0400

    fix compilation by removing the latent entropy plugin from prom_init.c -- there's
    a script for ppc64 that checks the object file for a whitelisted set of
    exported symbols, code is very fragile

 arch/powerpc/kernel/Makefile |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit fcab911b30166093d24e64cad30b54adb871afeb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 21:53:12 2014 -0400

    add ktla_ktva/ktva_ktla to sparc to fix compilation

 arch/sparc/include/asm/pgtable.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit a4cc0b1f96cd70448c08c00398a470072dc22c24
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 21:01:40 2014 -0400

    add ktla_ktva/ktva_ktla macros to MIPS

 arch/mips/include/asm/pgtable.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 600c2114235c825e36e9b85714e8be3d8bd24539
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 20:42:35 2014 -0400

    include linux/prefetch.h to fix mips64 compilation

 grsecurity/gracl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit cd45e08e934be6363832ca553719a367b94f5736
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 19:48:31 2014 -0400

    convert back to check_heap_stack_gap in hugetlbfs code

 fs/hugetlbfs/inode.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 61875786196a3d6275e41b5d78ca7b1a6d09b62e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 19:42:20 2014 -0400

    fix more mips compilation failures/warnings

 arch/mips/cavium-octeon/dma-octeon.c |    2 +-
 fs/hugetlbfs/inode.c                 |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

commit 1218f040385d88ee78fe77471d1e579c32b2d3df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 19 19:29:56 2014 -0400

    fix mips64 octeon compilation due to missing local_*_unchecked() functions

 arch/mips/include/asm/local.h |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit c82fbb8b487f786afad13d1837affd4eeca855de
Merge: 4d7b6e5 5bdb728
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 19:55:41 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 5bdb728f63eb2e8308b0a77d235ddfd06e93456b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 19:55:02 2014 -0400

    Update to pax-linux-3.2.55-test141.patch:
    - fixed several compilation problems on arm all*configs, by spender
    - small update to gcc-common.h
    - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only)

 arch/arm/include/asm/page.h      |    1 +
 arch/arm/include/asm/pgtable.h   |    3 +
 tools/gcc/gcc-common.h           |   12 ++++
 tools/gcc/size_overflow_plugin.c |  116 +++++++++++++++++++++++++++-----------
 4 files changed, 99 insertions(+), 33 deletions(-)

commit 4d7b6e5e786b011718fbcf853378bd990a2e7935
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 19:12:04 2014 -0400

    move the location of the include to suit pipacs' OCD

 arch/arm/include/asm/page.h |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 9f9b68ce8dd5b1e8387a06067e032e893bbe162e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 18:00:13 2014 -0400

    fix ARM compilation with constify plugin

 arch/arm/include/asm/page.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 772976a300403f5ef01758469ee25ccfd9f1e382
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 17:14:12 2014 -0400

    Remove use of dma_cache_sync to fix ARM allyesconfig compilation:
    See: http://www.spinics.net/lists/linux-scsi/msg36488.html

 drivers/scsi/advansys.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit b6729a8eeab2eb47d212af946dbdd2f3089e15ef
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Fri Sep 28 22:36:00 2012 +0100

    Upstream commit: 65cb587d7058441c8c910e8766ee86538c7274d8
    
    staging/iio/lis3l02dq: fix building without irq_to_gpio
    
    The driver has not been building for some time after the
    irq_to_gpio function has been removed from the kernel.
    
    The only board in the upstream kernel that provides
    this device is the "Stargate 2", which is also maintained
    by Jonathan Cameron. Rather than working around the problem
    by adding new platform data for this driver, this patch
    uses the of_gpio framework to get to the gpio number.
    
    However, the stargate2 code does not (yet) use DT based
    probing, so it is still broken, but at least building
    allyesconfig works again.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Cc: Lars-Peter Clausen <lars@metafoo.de>
    Cc: Jonathan Cameron <jic23@kernel.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    
    Conflicts:
    
    	drivers/staging/iio/accel/lis3l02dq_core.c

 drivers/staging/iio/accel/lis3l02dq.h      |    1 +
 drivers/staging/iio/accel/lis3l02dq_core.c |    8 +++++---
 drivers/staging/iio/accel/lis3l02dq_ring.c |    2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

commit f6e6bd54b67bf0aa6c7bc2de942b4a4657072f15
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 17 15:05:15 2014 -0400

    add ktla_ktva/ktva_ktla macros to ARM

 arch/arm/include/asm/pgtable.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit d0056efec1a24df487171cb7c949ca0a84d499fb
Merge: 6e0e4a2 f369295
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 14 20:22:29 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/mips/mm/mmap.c

commit f36929517cb8dc68ac8ec01d4ded477be85d9413
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 14 20:19:29 2014 -0400

    Update to pax-linux-3.2.55-test140.patch:
    - fixed a few compilation errors on MIPS, by Hinnerk van Bruinehsen <h.v.bruinehsen@fu-berlin.de>

 arch/mips/cavium-octeon/dma-octeon.c |    2 +-
 arch/mips/include/asm/hw_irq.h       |    2 +-
 arch/mips/kernel/i8259.c             |    2 +-
 arch/mips/kernel/irq-gt641xx.c       |    2 +-
 arch/mips/kernel/reset.c             |    4 ++++
 arch/mips/mm/mmap.c                  |    8 ++++----
 arch/mips/pci/pci-octeon.c           |    4 ++--
 arch/mips/pci/pcie-octeon.c          |    8 ++++----
 arch/mips/sni/rm200.c                |    2 +-
 arch/mips/vr41xx/common/icu.c        |    2 +-
 arch/mips/vr41xx/common/irq.c        |    4 ++--
 drivers/staging/octeon/ethernet-rx.c |    2 +-
 12 files changed, 23 insertions(+), 19 deletions(-)

commit 6e0e4a26033721ed98dc5fa0f5ae1a1c93610080
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 14 20:12:02 2014 -0400

    add /usr/share/apport/apport to the allowed userland exec paths --
    because apparently some distros have no problem just throwing
    critical binaries around anywhere.

 kernel/kmod.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 0a6f9ab046be3c00d4ddbd0471432884e7f7327a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 12 22:54:32 2014 -0400

    add support for PAX_EMUTRAMP by default in the autoconfig

 security/Kconfig |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 467ec4a97de57f5c2f2112c19eba759f89ae5667
Author: Matthew Leach <matthew.leach@arm.com>
Date:   Tue Mar 11 11:58:27 2014 +0000

    Upstream commit: dbb490b96584d4e958533fb637f08b557f505657
    
    net: socket: error on a negative msg_namelen
    
    When copying in a struct msghdr from the user, if the user has set the
    msg_namelen parameter to a negative value it gets clamped to a valid
    size due to a comparison between signed and unsigned values.
    
    Ensure the syscall errors when the user passes in a negative value.
    
    Signed-off-by: Matthew Leach <matthew.leach@arm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/socket.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
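The signed/unsigned clamp described above, modelled in C as an added illustration (this is not the kernel's code; the 128-byte size stands in for sizeof(struct sockaddr_storage), and the sample lengths are constructed):

```c
/*
 * Added illustration (not kernel code): msg_namelen is a signed int while
 * sizeof() yields an unsigned size_t. In a comparison between the two the
 * int is converted to size_t, so a negative value such as -1 becomes the
 * largest size_t, compares as "too large", and is clamped as if it were
 * merely oversized instead of being rejected.
 */
#include <errno.h>
#include <stdio.h>

/* Stand-in for sizeof(struct sockaddr_storage) (128 bytes on Linux). */
#define SOCKADDR_STORAGE_SIZE ((size_t)128)

/* Model of the pre-fix clamp: the negative value is silently promoted
 * and clamped to the maximum length. Returns the resulting length. */
int namelen_before_fix(int msg_namelen)
{
	if (msg_namelen > SOCKADDR_STORAGE_SIZE) /* int promoted to size_t here */
		msg_namelen = SOCKADDR_STORAGE_SIZE;
	return msg_namelen;
}

/* Model of the fixed path: reject negative values with -EINVAL before the
 * unsigned comparison is ever reached; valid lengths are still clamped. */
int namelen_after_fix(int msg_namelen)
{
	if (msg_namelen < 0)
		return -EINVAL;
	if (msg_namelen > SOCKADDR_STORAGE_SIZE)
		msg_namelen = SOCKADDR_STORAGE_SIZE;
	return msg_namelen;
}

int main(void)
{
	/* Constructed sample lengths: valid, oversized, and negative. */
	int samples[] = { 16, 1000, -1 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("msg_namelen=%d before=%d after=%d\n", samples[i],
		       namelen_before_fix(samples[i]),
		       namelen_after_fix(samples[i]));
	return 0;
}
```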

commit 8f1e1f746120187e085ac3daa5dc6fda7ecf9d11
Author: Florian Westphal <fw@strlen.de>
Date:   Fri Sep 20 22:32:55 2013 +0200

    Upstream commit: 8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906
    
    tcp: syncookies: reduce cookie lifetime to 128 seconds
    
    We currently accept cookies that were created less than 4 minutes ago
    (ie, cookies with counter delta 0-3).  Combined with the 8 mss table
    values, this yields 32 possible values (out of 2**32) that will be valid.
    
    Reducing the lifetime to < 2 minutes halves the guessing chance while
    still providing a large enough period.
    
    While at it, get rid of jiffies value -- they overflow too quickly on
    32 bit platforms.
    
    getnstimeofday is used to create a counter that increments every 64s.
    perf shows getnstimeofday cost is negligible compared to sha_transform;
    normal tcp initial sequence number generation uses getnstimeofday, too.
    
    Reported-by: Jakob Lell <jakob@jakoblell.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	include/net/tcp.h

 include/net/tcp.h     |   18 ++++++++++++++++++
 net/ipv4/syncookies.c |   31 ++++++++++---------------------
 net/ipv6/syncookies.c |   24 +++++++-----------------
 3 files changed, 35 insertions(+), 38 deletions(-)

commit ddb0025bc2ebf8210d8bb7ddde2c0276e867706c
Author: Florian Westphal <fw@strlen.de>
Date:   Fri Sep 20 22:32:56 2013 +0200

    Upstream commit: 086293542b991fb88a2e41ae7b4f82ac65a20e1a
    
    tcp: syncookies: reduce mss table to four values
    
    Halve mss table size to make blind cookie guessing more difficult.
    This is sad since the tables were already small, but there
    is little alternative except perhaps adding more precise mss information
    in the tcp timestamp.  Timestamps are unfortunately not ubiquitous.
    
    Guessing all possible cookie values still has an 8-in-2**32 chance.
    
    Reported-by: Jakob Lell <jakob@jakoblell.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/syncookies.c |   22 +++++++++++-----------
 net/ipv6/syncookies.c |   15 +++++++++------
 2 files changed, 20 insertions(+), 17 deletions(-)

commit 3d3f10f578c0b06d1e5db054f77de4fa5e9bf6d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 12 19:21:43 2014 -0400

    Improve GRKERNSEC_JIT_HARDEN against a theoretical attack I dreamed up --
    if an attacker had an arbitrary read vuln and ability to redirect control flow,
    he could, in ~2,000,000,000 attempts have a 50% chance of pre-selecting a
    32bit random key which the attacker has XORed with his desired immediates to
    cause the constant blinding to produce a potentially useful instruction stream
    (which he could verify by abusing the infoleak).  Instead of using one key
    per instruction stream, generate a new key for each instruction using prandom_u32().
    
    The downside is some performance impact during JIT compilation, though this
    shouldn't be so common an event for anyone to notice.
    
    Conflicts:
    
    	arch/x86/net/bpf_jit_comp.c

 arch/x86/net/bpf_jit_comp.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit b5e68c162e96b387b1b55e7af4cf8081c758e9be
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Thu Mar 6 17:51:57 2014 +0100

    Upstream commit: c88507fbad8055297c1d1e21e599f46960cbee39
    
    ipv6: don't set DST_NOCOUNT for remotely added routes
    
    DST_NOCOUNT should only be used if an authorized user adds routes
    locally. In case of routes which are added on behalf of router
    advertisements this flag must not get used as it allows an unlimited
    number of routes getting added remotely.
    
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv6/route.c

 net/ipv6/route.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c06bf0f41727850ef4d9e28e382307d4c057115f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 4 18:26:06 2014 -0500

    sctp_sf_pdiscard() doesn't take a net namespace argument

 net/sctp/sm_statefuns.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c5e5c2b5abf12c5c787fa5307e7d58c5832fba8f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 4 18:22:12 2014 -0500

    backport sctp DoS fix to an older kernel without per-net namespace
    sctp sysctl entries

 net/sctp/sm_statefuns.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 59e0ec7d2c9f1fe1ad1c93ef98f7659f80f4eea2
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Mar 3 17:23:04 2014 +0100

    Upstream commit: ec0223ec48a90cb605244b45f7c62de856403729
    Remote DoS fix
    
    net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
    
    RFC4895 introduced AUTH chunks for SCTP; during the SCTP
    handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
    being optional though):
    
      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------
    
    A special case is when an endpoint requires COOKIE-ECHO
    chunks to be authenticated:
    
      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      ------------------ AUTH; COOKIE-ECHO ---------------->
      <-------------------- COOKIE-ACK ---------------------
    
    RFC4895, section 6.3. Receiving Authenticated Chunks says:
    
      The receiver MUST use the HMAC algorithm indicated in
      the HMAC Identifier field. If this algorithm was not
      specified by the receiver in the HMAC-ALGO parameter in
      the INIT or INIT-ACK chunk during association setup, the
      AUTH chunk and all the chunks after it MUST be discarded
      and an ERROR chunk SHOULD be sent with the error cause
      defined in Section 4.1. [...] If no endpoint pair shared
      key has been configured for that Shared Key Identifier,
      all authenticated chunks MUST be silently discarded. [...]
    
      When an endpoint requires COOKIE-ECHO chunks to be
      authenticated, some special procedures have to be followed
      because the reception of a COOKIE-ECHO chunk might result
      in the creation of an SCTP association. If a packet arrives
      containing an AUTH chunk as a first chunk, a COOKIE-ECHO
      chunk as the second chunk, and possibly more chunks after
      them, and the receiver does not have an STCB for that
      packet, then authentication is based on the contents of
      the COOKIE-ECHO chunk. In this situation, the receiver MUST
      authenticate the chunks in the packet by using the RANDOM
      parameters, CHUNKS parameters and HMAC_ALGO parameters
      obtained from the COOKIE-ECHO chunk, and possibly a local
      shared secret as inputs to the authentication procedure
      specified in Section 6.3. If authentication fails, then
      the packet is discarded. If the authentication is successful,
      the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
      MUST be processed. If the receiver has an STCB, it MUST
      process the AUTH chunk as described above using the STCB
      from the existing association to authenticate the
      COOKIE-ECHO chunk and all the chunks after it. [...]
    
    Commit bbd0d59809f9 introduced the reception and verification
    of AUTH chunks, including the edge case for
    authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
    the function sctp_sf_do_5_1D_ce() handles processing,
    unpacks and creates a new association if it passed sanity
    checks and also tests for authentication chunks being
    present. After a new association has been processed, it
    invokes sctp_process_init() on the new association and
    walks through the parameter list it received from the INIT
    chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
    and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
    meta data (peer_random, peer_hmacs, peer_chunks) in case
    sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
    SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
    peer_random != NULL and peer_hmacs != NULL the peer is to be
    assumed asoc->peer.auth_capable=1, in any other case
    asoc->peer.auth_capable=0.
    
    Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
    available, we set up a fake auth chunk and pass that on to
    sctp_sf_authenticate(), which at latest in
    sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
    at position 0..0008 when setting up the crypto key in
    crypto_hash_setkey() by using asoc->asoc_shared_key that is
    NULL as condition key_id == asoc->active_key_id is true if
    the AUTH chunk was injected correctly from remote. This
    happens no matter what net.sctp.auth_enable sysctl says.
    
    The fix is to check for net->sctp.auth_enable and for
    asoc->peer.auth_capable before doing any operations like
    sctp_sf_authenticate() as no key is activated in
    sctp_auth_asoc_init_active_key() for each case.
    
    Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
    passed from the INIT chunk was not used in the AUTH chunk, we
    SHOULD send an error; however in this case it would be better
    to just silently discard such a maliciously prepared handshake
    as we didn't even receive a parameter at all. Also, as our
    endpoint has no shared key configured, section 6.3 says that
    we MUST silently discard, which we are doing from now onwards.
    
    Before calling sctp_sf_pdiscard(), we need not only to free
    the association, but also the chunk->auth_chunk skb, as
    commit bbd0d59809f9 created a skb clone in that case.
    
    I have tested this locally by using netfilter's nfqueue and
    re-injecting packets into the local stack after maliciously
    modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
    and the SCTP packet containing the COOKIE_ECHO (injecting
    AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
    
    Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Vlad Yasevich <yasevich@gmail.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/sm_statefuns.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
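The check described in the commit message above, worked through as an added example; this is not the kernel's code nor part of the original log. It walks a constructed INIT parameter list (the TLV layout of RFC 4895/5061, with the real parameter and chunk type codes) to derive a hypothetical `auth_capable` flag the way the message describes, then applies the guard the fix adds in front of the HMAC path: an AUTH chunk ahead of COOKIE-ECHO is only authenticated when `net.sctp.auth_enable` is set and the peer actually negotiated RANDOM and HMAC-ALGO, and is silently discarded otherwise. The struct, function names and the sample byte strings are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parameter and chunk type codes from RFC 4895 and RFC 5061. */
#define SCTP_PARAM_RANDOM        0x8002
#define SCTP_PARAM_CHUNKS        0x8003
#define SCTP_PARAM_HMAC_ALGO     0x8004
#define SCTP_PARAM_SUPPORTED_EXT 0x8008
#define SCTP_CID_AUTH            0x0f

/* Hypothetical model of the peer state the commit message names
 * (peer_random, peer_hmacs, peer_chunks, auth_capable); not the kernel's struct. */
struct peer_auth_state {
    int has_random, has_hmacs, has_chunks;
    int ext_announces_auth;
    int auth_capable;
};

/* Walk an INIT parameter list: 16-bit type, 16-bit length (header included),
 * value padded to a 4-byte boundary, big-endian. Returns -1 if malformed. */
static int process_init_params(const uint8_t *buf, size_t len,
                               int auth_enable, struct peer_auth_state *p)
{
    size_t off = 0;

    memset(p, 0, sizeof(*p));
    while (off + 4 <= len) {
        uint16_t type = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        size_t i;

        if (plen < 4 || off + plen > len)
            return -1;                      /* truncated or bogus length */
        if (type == SCTP_PARAM_SUPPORTED_EXT) {
            for (i = off + 4; i < off + plen; i++)
                if (buf[i] == SCTP_CID_AUTH)
                    p->ext_announces_auth = 1;
        } else if (auth_enable) {
            /* These are only recorded when net.sctp.auth_enable=1. */
            if (type == SCTP_PARAM_RANDOM)    p->has_random = 1;
            if (type == SCTP_PARAM_HMAC_ALGO) p->has_hmacs = 1;
            if (type == SCTP_PARAM_CHUNKS)    p->has_chunks = 1;
        }
        off += (plen + 3u) & ~(size_t)3;    /* value plus padding */
    }
    /* Announcing AUTH is not enough: RANDOM and HMAC-ALGO must both be present. */
    p->auth_capable = p->ext_announces_auth && p->has_random && p->has_hmacs;
    return 0;
}

enum cookie_echo_verdict { VERDICT_PROCESS_PLAIN = 0, VERDICT_AUTHENTICATE = 1, VERDICT_DISCARD = 2 };

/* The guard the fix adds in front of sctp_sf_authenticate(): an AUTH chunk
 * preceding COOKIE-ECHO may only enter the HMAC path when AUTH is enabled and
 * the peer negotiated it; otherwise no key was ever activated and the packet
 * is silently discarded instead of dereferencing a NULL shared key. */
static enum cookie_echo_verdict cookie_echo_verdict(int auth_enable,
        const struct peer_auth_state *p, int packet_has_auth_chunk)
{
    if (!packet_has_auth_chunk)
        return VERDICT_PROCESS_PLAIN;
    if (!auth_enable || !p->auth_capable)
        return VERDICT_DISCARD;
    return VERDICT_AUTHENTICATE;
}

/* Constructed sample parameter lists, not captured traffic. */
static const uint8_t init_good[] = {
    0x80, 0x02, 0x00, 0x24,                 /* RANDOM, 32 bytes of sample data */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32,
    0x80, 0x04, 0x00, 0x06, 0x00, 0x01, 0x00, 0x00, /* HMAC-ALGO: SHA-1 (id 1), 2 pad */
    0x80, 0x08, 0x00, 0x05, 0x0f, 0x00, 0x00, 0x00, /* SUPPORTED-EXT: AUTH, 3 pad */
};
/* The same INIT with RANDOM and HMAC-ALGO stripped, as in the commit's test. */
static const uint8_t init_stripped[] = {
    0x80, 0x08, 0x00, 0x05, 0x0f, 0x00, 0x00, 0x00,
};

/* Verdict for a packet carrying AUTH followed by COOKIE-ECHO after this INIT. */
int verdict_after_init(const uint8_t *init, size_t len, int auth_enable)
{
    struct peer_auth_state p;

    if (process_init_params(init, len, auth_enable, &p) < 0)
        return VERDICT_DISCARD;
    return cookie_echo_verdict(auth_enable, &p, 1);
}

int main(void)
{
    printf("full INIT, auth_enable=1:     %d (1 = authenticate)\n",
           verdict_after_init(init_good, sizeof init_good, 1));
    printf("stripped INIT, auth_enable=1: %d (2 = discard)\n",
           verdict_after_init(init_stripped, sizeof init_stripped, 1));
    printf("full INIT, auth_enable=0:     %d (2 = discard)\n",
           verdict_after_init(init_good, sizeof init_good, 0));
    return 0;
}
```

The third case is the one the message stresses: with auth disabled the kernel never records RANDOM or HMAC-ALGO, so the peer is never `auth_capable`, and an injected AUTH chunk must be dropped rather than reach the keying code.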

commit ebb74b079b791bb0c34fc6866c18890247a96707
Author: Mike Pecovnik <mike.pecovnik@gmail.com>
Date:   Mon Feb 24 21:11:16 2014 +0100

    Upstream commit: 46833a86f7ab30101096d81117dd250bfae74c6f
    
    net: Fix permission check in netlink_connect()
    
    netlink_sendmsg() was changed to prevent non-root processes from sending
    messages with dst_pid != 0.
    netlink_connect() however still only checks if nladdr->nl_groups is set.
    This patch modifies netlink_connect() to check for the same condition.
    
    Signed-off-by: Mike Pecovnik <mike.pecovnik@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/netlink/af_netlink.c

 net/netlink/af_netlink.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a1743153058a5d94d3bd3531fdb0a6ed26601644
Author: Eric Paris <eparis@redhat.com>
Date:   Thu Feb 20 10:56:45 2014 -0500

    Upstream commit: 9085a6422900092886da8c404e1c5340c4ff1cbf
    
    SELinux: bigendian problems with filename trans rules
    
    When writing policy via /sys/fs/selinux/policy I wrote the type and class
    of filename trans rules in CPU endian instead of little endian.  On
    x86_64 this works just fine, but it means that on big endian arch's like
    ppc64 and s390 userspace reads the policy and converts it from
    le32_to_cpu.  So the values are all screwed up.  Write the values in le
    format like it should have been to start.
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/ss/policydb.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit e016024e4b1eaad7ec8c0bbde0fda59dfca3f5c7
Merge: 199dec0 e32eebb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 2 17:34:51 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e32eebb1908d8f0d9715cbb4cbcdff4ac1a4d69b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 2 17:34:16 2014 -0500

    Update to pax-linux-3.2.55-test139.patch:
    - the latent entropy plugin can now initialize structure variables as well

 lib/random32.c                    |    2 +-
 tools/gcc/latent_entropy_plugin.c |   68 +++++++++++++++++++++++++++++++-----
 2 files changed, 59 insertions(+), 11 deletions(-)

commit 199dec0e64f023d5e0a63dfa3591afe84319c5da
Author: Stanislav Kinsbursky <skinsbursky@parallels.com>
Date:   Thu Aug 9 02:50:40 2012 +0000

    Upstream commit: 66d1b9263a371abd15806c53f486f0645ef31a8f
    
    tun: don't zeroize sock->file on detach
    
    This is a fix for a bug introduced in the 3.4 kernel by commit
    1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d ("tun: don't hold network
    namespace by tun sockets"), which, among other things, replaced a simple
    sock_put() with sk_release_kernel(). Below is the sequence which leads to
    an oops for non-persistent devices:
    
    tun_chr_close()
    tun_detach()				<== tun->socket.file = NULL
    tun_free_netdev()
    sk_release_sock()
    sock_release(sock->file == NULL)
    iput(SOCK_INODE(sock))			<== dereference on NULL pointer
    
    This patch just removes zeroing of socket's file from __tun_detach().
    sock_release() will do this.
    
    Cc: stable@vger.kernel.org
    Reported-by: Ruan Zhijie <ruanzhijie@hotmail.com>
    Tested-by: Ruan Zhijie <ruanzhijie@hotmail.com>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 6c1789f469de5e8f2248dcd1b4bfe9168ccdd0af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 1 23:27:45 2014 -0500

    Apply role_umask RBAC restrictions to POSIX ACLs as well

 fs/posix_acl.c |    7 +++++--
 fs/xattr_acl.c |   12 +++++++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)

commit 2e99bfdd2df6bc2974a10e586f002c841c058366
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 24 21:57:37 2014 -0500

    mention in config help that gcc 4.6.4 or higher is needed for RANDSTRUCT

 grsecurity/Kconfig |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit a54c7d3b74b92cd53e50d65ccf1a3103279cecbc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 24 17:16:47 2014 -0500

    when IPC hardening is disabled via sysctl, we shouldn't be imposing
    any additional restrictions
    thanks to Mathias Krause (minipli) for the report

 grsecurity/grsec_ipc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 04e245bec848573e1c83eaa4f564f429e876e86d
Merge: adfe7d4 a26891a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 21:42:56 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	drivers/char/random.c

commit a26891a7915f8fa411d5c97b57def5d55b0cd1f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 21:41:22 2014 -0500

    Update to pax-linux-3.2.55-test138.patch:
    - fixed asm goto for all gcc versions, backport from upstream (https://git.kernel.org/linus/a9f180345f5378ac87)
    - fixed a size overflow false positive in the ELF loader (needs a non-0 based PIE to trigger), reported by spender
    - the latent entropy plugin will now insert some entropy at compile time into the random pools

 drivers/char/random.c             |    6 +-
 fs/binfmt_elf.c                   |    2 +-
 include/linux/compiler-gcc4.h     |    4 --
 tools/gcc/gcc-common.h            |   10 ++++-
 tools/gcc/latent_entropy_plugin.c |   84 +++++++++++++++++++++++++++++++++----
 tools/gcc/stackleak_plugin.c      |    5 +-
 6 files changed, 90 insertions(+), 21 deletions(-)

commit adfe7d47a64d54abe96f8de64c4222b6e6e4ef61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 18:42:11 2014 -0500

    work around pipacs' latent_entropy plugin

 tools/gcc/randomize_layout_plugin.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit f66c18371cdf6b5579848acee9768e413216aa9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 17:57:36 2014 -0500

    .data takes the address of the ints, not their values
    
    Conflicts:
    
    	net/core/neighbour.c

 net/core/neighbour.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 2804b884e0da1b9f9f901efe7dd9af66e3662616
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 20 16:59:26 2014 -0500

    Fix a 16+ year old hack in Linux that exposed itself when RANDSTRUCT was
    enabled, reported by jacekalex on the forums
    
    Conflicts:
    
    	net/core/neighbour.c

 include/net/neighbour.h |    1 -
 net/core/neighbour.c    |    9 +++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 6996b07c1b542eadf9a05bbe756b2a254cbff380
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sun Feb 16 19:29:32 2014 -0500

    Upstream commit: 19ea80603715d473600cd993b9987bc97d042e02
    
    ext4: don't leave i_crtime.tv_sec uninitialized
    
    If the i_crtime field is not present in the inode, don't leave the
    field uninitialized.
    
    Fixes: ef7f38359 ("ext4: Add nanosecond timestamps")
    Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
    Tested-by: Vegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org

 fs/ext4/ext4.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit cdfe5f0424a44c95fc48d8ecda35ee8a23ab2ea1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 19 20:39:37 2014 -0500

    While a Xen dom0 is technically a guest, it's perceived as a host by many
    and there's really no Linux "host" for Xen, so allow PARAVIRT to be
    enabled on "host" kernels only when Xen is selected
    
    Thanks to gaima on the forums for the report

 arch/x86/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 86d245898feca3788abd59400a6190e5d9e89439
Merge: 9550679 08d74bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 15 19:38:45 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/kernel/traps.c
    	mm/mmap.c
    	net/ipv4/inet_diag.c

commit 08d74bbf2389cb14cebeb54cf5a6f2c4413c06b6
Merge: 3c749fc 39716f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 15 19:35:37 2014 -0500

    Update to pax-linux-3.2.55-test137.patch
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	mm/memory-failure.c
    	mm/mmap.c

commit 9550679471718fb7082fc40068a81a580ac34eca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 15 14:43:58 2014 -0500

    add note on how to disable rate limiting on log messages

 grsecurity/Kconfig |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 3d39f46966283b73145304c1fa69b2ee12d39077
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 16:50:39 2014 -0500

    Force off all virtualization guest options if the autoconfig choice
    was not for the kernel to be used for vm guests
    likewise force off Xen if it wasn't mentioned in the autoconfig
    
    Conflicts:
    
    	arch/x86/Kconfig
    	arch/x86/xen/Kconfig

 arch/x86/Kconfig     |    1 +
 arch/x86/xen/Kconfig |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit e9c1e89ad6c783d5d9b1068bb0cf86c0eb185775
Merge: 3239e60 3c749fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 15:26:38 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 3c749fc72f906ba0db476db1ab0cad2edb2e698e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 15:25:58 2014 -0500

    Update to pax-linux-3.2.54-test137.patch:
    - fixed some gcc plugins to work in low-memory environments as well, reported by many, big thanks to niv <n@e-ix.net> for help

 tools/gcc/Makefile                |    2 +-
 tools/gcc/latent_entropy_plugin.c |   18 +++++++++--
 tools/gcc/size_overflow_plugin.c  |   19 +++++++++--
 tools/gcc/stackleak_plugin.c      |   58 ++++++++++++++++++++++++++++--------
 4 files changed, 76 insertions(+), 21 deletions(-)

commit 3239e609887cec3078527d1a8ed3feae24d017c9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 12:35:16 2014 -0500

    add missing header

 grsecurity/grsec_mem.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 9ddf6ee010dcd333077a1e6b2b9d3f2e4623608c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 12:04:44 2014 -0500

    export msr_write logging function and convert all exported symbols to EXPORT_SYMBOL_GPL

 grsecurity/gracl.c          |    8 ++++----
 grsecurity/grsec_chroot.c   |    2 +-
 grsecurity/grsec_disabled.c |    6 +++---
 grsecurity/grsec_exec.c     |    4 ++--
 grsecurity/grsec_init.c     |    2 +-
 grsecurity/grsec_mem.c      |    1 +
 grsecurity/grsec_sock.c     |   12 ++++++------
 grsecurity/grsec_time.c     |    2 +-
 8 files changed, 19 insertions(+), 18 deletions(-)

commit 73ce22c244ede935910517a418e1b3fa3a020407
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 11:28:26 2014 -0500

    add missing header

 arch/x86/kernel/msr.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 83fa54221c9ce274117fb8a828c60b8fae7ae6d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 11:12:36 2014 -0500

    fix typo

 arch/x86/kernel/msr.c      |    4 ++--
 include/linux/grsecurity.h |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit e6fdb064145e3cf3f077c453acfdcdd72f05749b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 10:57:06 2014 -0500

    PLUGIN_FINISH_DECL is an enum, so use explicit gcc version checking instead

 tools/gcc/randomize_layout_plugin.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 64c804f844b66c2e8cc651d4cdafd4367ee6284f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 09:23:29 2014 -0500

    Relax MSR restrictions under GRKERNSEC_KMEM, allow MSR reads but not writes.  Log all writing attempts.

 arch/x86/Kconfig           |    1 -
 arch/x86/kernel/msr.c      |    9 +++++++++
 grsecurity/grsec_mem.c     |    6 ++++++
 include/linux/grmsg.h      |    1 +
 include/linux/grsecurity.h |    1 +
 5 files changed, 17 insertions(+), 1 deletions(-)

commit 2a81ca372d0e3dc8d944782c6c653b78757abd96
Author: Richard Yao <ryao@gentoo.org>
Date:   Sat Feb 8 19:32:01 2014 -0500

    Upstream commit: b6f52ae2f0d32387bde2b89883e3b64d88b9bfe8
    
    9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers
    
    The 9p-virtio transport does zero copy on things larger than 1024 bytes
    in size. It accomplishes this by returning the physical addresses of
    pages to the virtio-pci device. At present, the translation is usually a
    bit shift.
    
    That approach produces an invalid page address when we read/write to
    vmalloc buffers, such as those used for Linux kernel modules. Any
    attempt to load a Linux kernel module from 9p-virtio produces the
    following stack.
    
    [<ffffffff814878ce>] p9_virtio_zc_request+0x45e/0x510
    [<ffffffff814814ed>] p9_client_zc_rpc.constprop.16+0xfd/0x4f0
    [<ffffffff814839dd>] p9_client_read+0x15d/0x240
    [<ffffffff811c8440>] v9fs_fid_readn+0x50/0xa0
    [<ffffffff811c84a0>] v9fs_file_readn+0x10/0x20
    [<ffffffff811c84e7>] v9fs_file_read+0x37/0x70
    [<ffffffff8114e3fb>] vfs_read+0x9b/0x160
    [<ffffffff81153571>] kernel_read+0x41/0x60
    [<ffffffff810c83ab>] copy_module_from_fd.isra.34+0xfb/0x180
    
    Subsequently, QEMU will die printing:
    
    qemu-system-x86_64: virtio: trying to map MMIO memory
    
    This patch enables 9p-virtio to correctly handle this case. This not
    only enables us to load Linux kernel modules off virtfs, but also
    enables ZFS file-based vdevs on virtfs to be used without killing QEMU.
    
    Special thanks to both Avi Kivity and Alexander Graf for their
    interpretation of QEMU backtraces. Without their guidance, tracking down
    this bug would have taken much longer. Also, special thanks to Linus
    Torvalds for his insightful explanation of why this should use
    is_vmalloc_addr() instead of is_vmalloc_or_module_addr():
    
    https://lkml.org/lkml/2014/2/8/272
    
    Signed-off-by: Richard Yao <ryao@gentoo.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/9p/trans_virtio.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit b2844ed398049b161754f5d4744b198b967be788
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 13 08:38:14 2014 -0500

    rename finish_decl function to fix compat with gcc 4.7.2 that exposed too much of its internals
    add a useful compile error if we try building with < gcc 4.6.4

 tools/gcc/randomize_layout_plugin.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 2f04aaaaed6bc1a63152202d4013d21653f01005
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 11 17:33:49 2014 -0500

    [PATCH] random: fix overflow for big nbits values in credit_entropy_bits()
    
    Commit 30e37ec516ae "random: account for entropy loss due to overwrites"
    introduced an overflow in the arithmetic of credit_entropy_bits() when
    CONFIG_GRKERNSEC_RANDNET is enabled as the latter quadruples the pool
    size and therefore invalidates the assumptions of the "nifty" formula.
    
    Fix the overflow by using 64-bit arithmetic.
    
    Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
    Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
    
    This bug is at worst a privileged DoS -- with RANDNET enabled, an admin
    with CAP_SYS_ADMIN feeding large amounts of entropy into the pool at once
    can cause less than expected entropy to be credited (but this doesn't
    affect how much is actually added).  For specific buffer sizes, this
    can result in 0 entropy being credited and end in a situation in which
    the kernel can't recover, causing future reads from /dev/random to stall.
    
    Many thanks to Torsten and Mathias for the report!

 drivers/char/random.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)
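The overflow described in the commit above, reproduced as an added example that is not taken from this log or from drivers/char/random.c. The credit formula is reconstructed from memory of upstream's credit_entropy_bits() after commit 30e37ec516ae (an assumption, as is deriving poolbitshift as log2 of the pool size); the pool sizes and credit amounts are constructed. It runs the same step once with the product wrapping at 32 bits and once with it widened to 64 bits, for the stock 4096-bit pool and for a pool four times that size.

```c
#include <stdint.h>
#include <stdio.h>

#define ENTROPY_SHIFT 3   /* entropy_count is kept in 1/8-bit units, as upstream */

/* log2 of a power-of-two pool size (upstream keeps this as poolbitshift). */
static int pool_bitshift(int pool_bits)
{
    int s = 0;

    while ((1 << s) < pool_bits)
        s++;
    return s;
}

/* Credit step modelled on credit_entropy_bits() after commit 30e37ec516ae
 * (reconstructed from memory of upstream, not taken from this page):
 *
 *     add = ((pool_size - entropy_count) * anfrac * 3) >> s
 *
 * where anfrac is capped at pool_size/2 per round and
 * s = poolbitshift + ENTROPY_SHIFT + 2.  Returns the new entropy_count in
 * fractional bits.  wide != 0 computes the product in 64 bits (the fix);
 * wide == 0 lets it wrap at 32 bits like the original int expression. */
int credit_entropy_fracbits(int pool_bits, int entropy_count, int nbits, int wide)
{
    const int pool_size = pool_bits << ENTROPY_SHIFT;
    const int s = pool_bitshift(pool_bits) + ENTROPY_SHIFT + 2;
    int pnfrac = nbits << ENTROPY_SHIFT;

    do {
        unsigned int anfrac = (unsigned int)(pnfrac < pool_size / 2 ? pnfrac : pool_size / 2);
        unsigned int add;

        if (wide)
            add = (unsigned int)(((uint64_t)(pool_size - entropy_count) * anfrac * 3) >> s);
        else
            add = (unsigned int)(((uint32_t)(pool_size - entropy_count) * anfrac * 3) >> s);
        entropy_count += (int)add;
        pnfrac -= (int)anfrac;
    } while (entropy_count < pool_size - 2 && pnfrac);

    if (entropy_count > pool_size)          /* upstream clamps to the pool size */
        entropy_count = pool_size;
    return entropy_count;
}

int main(void)
{
    /* Constructed scenarios: the stock 4096-bit input pool and a pool four
     * times that size, each credited with half its size in one call. */
    printf("4096-bit pool,  32-bit math: %d bits\n",
           credit_entropy_fracbits(4096, 0, 2048, 0) >> ENTROPY_SHIFT);
    printf("4096-bit pool,  64-bit math: %d bits\n",
           credit_entropy_fracbits(4096, 0, 2048, 1) >> ENTROPY_SHIFT);
    printf("16384-bit pool, 32-bit math: %d bits\n",
           credit_entropy_fracbits(16384, 0, 8192, 0) >> ENTROPY_SHIFT);
    printf("16384-bit pool, 64-bit math: %d bits\n",
           credit_entropy_fracbits(16384, 0, 8192, 1) >> ENTROPY_SHIFT);
    return 0;
}
```

With the stock pool the 32-bit product stays below 2^32 and both variants credit the same amount; with the quadrupled pool the product (pool_size * pool_size/2 * 3) is a multiple of 2^32, so the 32-bit version credits exactly zero, which is the stall scenario the message describes, while the 64-bit version credits 6144 bits.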

commit 464ca7e89e3a1e5833a6877ead67662caf3ecf6a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 9 11:30:53 2014 -0500

    just ignore the seed file, the hash is in a different dir

 tools/gcc/.gitignore |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit e6c2635a2bc4e5d9b60559ffb58d8939d399f80c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 9 11:27:22 2014 -0500

    Don't pass the hashed seed via build commandline, generate a header to include in vermagic.h instead
    
    Conflicts:
    
    	Makefile

 Documentation/dontdiff       |    2 +-
 Makefile                     |    4 +---
 include/linux/vermagic.h     |    1 +
 tools/gcc/.gitignore         |    4 ++--
 tools/gcc/Makefile           |    9 ++++-----
 tools/gcc/gen-random-seed.sh |    3 ++-
 6 files changed, 11 insertions(+), 12 deletions(-)

commit f7928dccf4c16676ff44d067e7d6eb64d1b2a37c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 31 18:11:51 2014 -0500

    force on modversion support if RANDSTRUCT is enabled so that we're sure
    no modules can be loaded that were built with a different seed

 grsecurity/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 74bc16d2da44b78a8f08cceafb7f4c6e1e2581a0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 23:37:13 2014 -0500

    compile fix for RANDSTRUCT

 drivers/staging/media/solo6x10/g723.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 55487724150cf128355dc5a2dd14bbab9e066c1b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 23:20:07 2014 -0500

    fix initializers for use with RANDSTRUCT

 drivers/gpu/drm/nouveau/nouveau_mem.c |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

commit d12a71b090b59adf1e97e22731d6116fddcbb295
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 23:10:16 2014 -0500

    compile fix for ipc hardening

 grsecurity/grsec_ipc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b4fc8d77c9a707b6759f775d0b901de5c70a2061
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 23:01:58 2014 -0500

    backport IPC hardening for 3.2 which has no proper user namespaces

 grsecurity/grsec_ipc.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 1f49c8104f89773d4e34c89e884cf9677101d8e3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 30 11:13:49 2013 -0500

    Update to phase two of the IPC hardening.  I've heard no complaints about
    the patch I released, but including it here will generate better information.

 grsecurity/Kconfig     |   16 ++++++++++------
 grsecurity/grsec_ipc.c |   32 +++++++++++++++++++++++++++++---
 include/linux/grmsg.h  |    2 +-
 ipc/util.c             |    3 ++-
 4 files changed, 42 insertions(+), 11 deletions(-)

commit 31da7adbf5c68ddb3cf5ff8deb9e9d71074fd8da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:15:51 2013 -0500

    GRKERNSEC_HARDEN_IPC should depend on SYSVIPC
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 grsecurity/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit bc7dcd78312d954f28bd7ed3bb305aaf3fb6b0d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 19:01:59 2013 -0500

    Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
    
    No reported problems while this has been present in -test
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>
    
    Conflicts:
    
    	ipc/util.c

 grsecurity/Kconfig         |   17 +++++++++++++++++
 grsecurity/Makefile        |    2 +-
 grsecurity/grsec_init.c    |    4 ++++
 grsecurity/grsec_ipc.c     |   22 ++++++++++++++++++++++
 grsecurity/grsec_sysctl.c  |    9 +++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grmsg.h      |    1 +
 ipc/util.c                 |    5 +++++
 8 files changed, 60 insertions(+), 1 deletions(-)

commit 421cc90d6b0897702b319dcfb91120d8c9cf64d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 22:50:50 2014 -0500

    GRKERNSEC_JIT_HARDEN exists only for x86/x64, restrict Kconfig appropriately

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 50aff165b5427d039fb24f8f654cedde1c1417de
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 3 19:39:04 2013 -0500

    Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO,
    see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879
    The previous info was many years outdated.
    
    Disable KEXEC when GRKERNSEC_KMEM is enabled:
    http://mjg59.dreamwidth.org/28746.html
    
    Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning
    -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present
    
    Conflicts:
    
    	arch/arm/Kconfig
    	arch/ia64/Kconfig
    	arch/mips/Kconfig
    	arch/powerpc/Kconfig

 arch/arm/Kconfig         |    1 +
 arch/ia64/Kconfig        |    1 +
 arch/mips/Kconfig        |    1 +
 arch/powerpc/Kconfig     |    1 +
 arch/tile/Kconfig        |    1 +
 arch/x86/Kconfig         |    1 +
 arch/x86/kernel/ioport.c |   12 ++++++------
 grsecurity/Kconfig       |   27 +++++++++++----------------
 8 files changed, 23 insertions(+), 22 deletions(-)

commit f287dcd432b99d6365e7609472b77fa867559b4f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 11:26:44 2014 -0500

    Force HIDESYM on if RANDSTRUCT is used, just in case there is a user
    who already isn't enabling it (to prevent the seed from potentially being
    visible to other users if compiled on the same machine).
    Suggested by minipli

 grsecurity/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 51675df74ad0bac7abdeafaaa4d3ec5792983324
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:54:11 2014 -0500

    Fix another compiler error caught by RANDSTRUCT
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 sound/isa/sb/emu8000_synth.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 96d1e15dead6eb84b4ffd6c513b01dab5b90cb86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:34:12 2014 -0500

    Fix another compiler error caught by RANDSTRUCT
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 drivers/net/wan/z85230.c |   24 ++++++++++++------------
 1 files changed, 12 insertions(+), 12 deletions(-)

commit 052f770e6d9118a4f097d1d4fde81763a086881a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:30:46 2014 -0500

    fix compilation with RANDSTRUCT plugin
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 sound/drivers/opl4/opl4_seq.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit e8b62b046ded4a3322b55b4eae617d0d4285a139
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 5 23:43:27 2014 -0500

    avoid printing gibberish in some instances with RANDSTRUCT and modules
    built with other seeds, as the kernel's module loader trusts the
    module layout
    
    Conflicts:
    
    	kernel/module.c

 kernel/module.c |   31 +++++++++++++++++++++++++++----
 1 files changed, 27 insertions(+), 4 deletions(-)

commit d195dd1b7432aab2602aa5f68a382f5e0175f4aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 22:32:57 2014 -0500

    compile fix

 include/linux/moduleparam.h |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit a4840142ad7a2f0aa0ea23fcf74a8b2604ce0814
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 22:25:21 2014 -0500

    fix some 3.2-specific initializers for RANDSTRUCT

 arch/x86/kernel/setup.c     |   12 ++++++++++--
 include/linux/moduleparam.h |    2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)

commit e008742fbfcfdf661c9f82e15a56f7ee279399f8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 21:57:10 2014 -0500

    update RANDSTRUCT .gitignore

 tools/gcc/.gitignore |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit fc39b489d6b44c9189601d0873d8bcbd3bd7d6ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 21:26:51 2014 -0500

    gcc 4.9 update for RANDSTRUCT plugin part 1

 tools/gcc/randomize_layout_plugin.c |    7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 9bf4a234f85ecd0ab80c5640c35f0d1e1505b83f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 20:16:57 2014 -0500

    don't pass the seed via build commandline, store it in a header file instead
    and build it into the RANDSTRUCT plugin.
    set up proper dependencies for the generated files used by the RANDSTRUCT plugin,
    fixing some race conditions in the build process
    support O= argument to make and place generated files in the target directory tree
    update RANDSTRUCT documentation
    
    Conflicts:
    
    	Makefile

 Makefile                            |    8 +++-----
 grsecurity/Kconfig                  |    2 +-
 scripts/gen-random-seed.sh          |    8 --------
 tools/gcc/Makefile                  |   10 +++++++++-
 tools/gcc/gen-random-seed.sh        |    7 +++++++
 tools/gcc/randomize_layout_plugin.c |   23 ++++++++---------------
 6 files changed, 28 insertions(+), 30 deletions(-)

commit a1c274bf9f3c731b545e1d4d2390b6e96612aad0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 5 23:32:26 2014 -0500

    Introduce the non-performance mode -- the performance mode had previously been
    inadvertently forced on regardless of config setting
    
    Resolve an issue with gcc completing declarations for recently finished
    types *before* the plugin's finish_type being called to randomize that structure.
    This resulted in too small a structure size being emitted for this_module
    and generally crashes whenever modules were loaded.
    
    Conflicts:
    
    	Makefile

 Makefile                            |    4 ++--
 tools/gcc/randomize_layout_plugin.c |   23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

commit a7db043cf43a7882ce1edf31d3340fe748d689bc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 19:53:04 2014 -0500

    update RANDSTRUCT plugin to eliminate false positives on struct type mismatches
    resulting from an IS_ERR() sequence
    add checks for bad casts in local and global variable initializers
    use the main variant when comparing types

 tools/gcc/randomize_layout_plugin.c |  150 +++++++++++++++++++++++++++++++++--
 1 files changed, 144 insertions(+), 6 deletions(-)

commit 9e5a1a80d623574b24c55f57e40b5b7707999cca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 15:13:06 2014 -0500

    remove unnecessary TODO_* flags for our passive bad cast gimple pass

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9ba79cc1a206b24d68e0818776044338f510b060
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 10:55:36 2014 -0500

    fix RANDSTRUCT plugin compatibility with gcc 4.9

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1b7af865815f4a208f7ac681d2c18f96bd88cfe1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 31 21:52:14 2014 -0500

    sanity check to make sure we never randomize a struct in include/uapi/*

 scripts/gen-random-seed.sh          |    2 +-
 tools/gcc/randomize_layout_plugin.c |    7 +++++++
 2 files changed, 8 insertions(+), 1 deletions(-)

commit 3b37eecf6f83d264aaab51c12e98bbbd27dcb1a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 12:44:21 2014 -0500

    add a sha256-hashed version of the seed to modversion to ensure no
    modules compiled with another seed can be loaded
    
    Conflicts:
    
    	Documentation/dontdiff
    	Makefile

 Makefile                   |    4 +++-
 include/linux/vermagic.h   |    8 +++++++-
 scripts/gen-random-seed.sh |    2 +-
 tools/gcc/.gitignore       |    1 +
 4 files changed, 12 insertions(+), 3 deletions(-)

commit f1d2e403be5bf1842428a9161e17f274c431bf71
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 20:33:30 2014 -0500

    Relicense RANDSTRUCT plugin as GPLv2, removing the GPLv3 option

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b2c3736f6f9a648e6c7a66c6833370debdc2cb3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 18:24:44 2014 -0500

    fix typo

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8f2d87da2eda2d510e543080d42accc9cb4b4c63
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 26 18:22:33 2014 -0500

    Update RANDSTRUCT plugin for gcc 4.9 and gcc-common.h

 tools/gcc/randomize_layout_plugin.c |   77 +++++++++++++++++++----------------
 1 files changed, 42 insertions(+), 35 deletions(-)

commit e66f5494154f0b1708c3f8a374fce9ea7bb50846
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 14:16:18 2014 -0500

    avoid problems by just building our fake field decl node from scratch
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 1d8ebfacb2d536ed3019a4214c1539fa72b5f362
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 13:45:18 2014 -0500

    while in non-debug mode, don't emit notes for non-randomized struct types
    
    clear all signs from our fake field decl of being a bitfield
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit e98e8b1fa16cbf5c0d85790b18ea813d52c208ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:56:05 2014 -0500

    revert change to read-only marking of fake struct field
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ce8b04272f6016c11d2d03a06f11784fe213f231
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:42:48 2014 -0500

    Update RANDSTRUCT plugin help
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 tools/gcc/randomize_layout_plugin.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit db7d20642a7ad48f3db9426e665a672a2ceadf56
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 25 12:25:43 2014 -0500

    Initial backport of RANDSTRUCT to 3.2
    
    Introduce GRKERNSEC_RANDSTRUCT: automatic structure layout randomization of pure ops structs and randomization of marked sensitive kernel structures
    
    automatically enabled by GRKERNSEC_CONFIG_AUTO
    performance mode is activated if the config priority is set to performance
    
    Signed-off-by: Brad Spengler <spender@grsecurity.net>
    
    Conflicts:
    
    	Documentation/dontdiff
    	Makefile
    	arch/x86/include/asm/paravirt_types.h
    	drivers/acpi/acpica/hwxfsleep.c
    	drivers/block/drbd/drbd_interval.c
    	drivers/gpu/drm/nouveau/nouveau_ttm.c
    	drivers/scsi/bfa/bfa_fcs_lport.c
    	drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
    	drivers/staging/lustre/lustre/libcfs/module.c
    	drivers/staging/media/solo6x10/solo6x10-g723.c
    	fs/mount.h
    	fs/proc/internal.h
    	include/linux/cred.h
    	include/linux/dcache.h
    	include/linux/fs.h
    	include/linux/ipc_namespace.h
    	include/linux/module.h
    	include/linux/mount.h
    	include/linux/pid_namespace.h
    	include/linux/proc_ns.h
    	include/linux/rbtree_augmented.h
    	include/linux/sched.h
    	include/linux/user_namespace.h
    	include/linux/utsname.h
    	include/net/net_namespace.h
    	lib/rbtree.c
    	net/vmw_vsock/vmci_transport_notify.c
    	net/vmw_vsock/vmci_transport_notify_qstate.c

 Documentation/dontdiff                        |    2 +
 Makefile                                      |   10 +
 arch/x86/include/asm/floppy.h                 |   20 +-
 arch/x86/include/asm/paravirt_types.h         |   23 +-
 arch/x86/include/asm/processor.h              |    2 +-
 drivers/block/cciss.h                         |   30 +-
 drivers/block/smart1,2.h                      |   40 +-
 drivers/gpu/drm/ttm/ttm_bo_manager.c          |   10 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c |   10 +-
 drivers/infiniband/hw/ipath/ipath_dma.c       |   26 +-
 drivers/infiniband/hw/nes/nes_cm.c            |   22 +-
 drivers/isdn/gigaset/bas-gigaset.c            |   32 +-
 drivers/isdn/gigaset/ser-gigaset.c            |   32 +-
 drivers/isdn/gigaset/usb-gigaset.c            |   32 +-
 drivers/isdn/i4l/isdn_concap.c                |    6 +-
 drivers/isdn/i4l/isdn_x25iface.c              |   16 +-
 drivers/misc/sgi-xp/xp_main.c                 |   12 +-
 drivers/net/ethernet/brocade/bna/bna_enet.c   |    8 +-
 drivers/net/wan/lmc/lmc_media.c               |   97 ++--
 drivers/scsi/bfa/bfa_fcs.c                    |   19 +-
 drivers/scsi/bfa/bfa_fcs_lport.c              |   22 +-
 drivers/scsi/bfa/bfa_modules.h                |   12 +-
 drivers/scsi/hpsa.h                           |   20 +-
 drivers/video/matrox/matroxfb_DAC1064.c       |   10 +-
 drivers/video/matrox/matroxfb_Ti3026.c        |    5 +-
 fs/reiserfs/item_ops.c                        |   24 +-
 grsecurity/Kconfig                            |   31 +-
 include/linux/compiler-gcc4.h                 |    5 +
 include/linux/compiler.h                      |    8 +
 include/linux/cred.h                          |    4 +-
 include/linux/dcache.h                        |    2 +-
 include/linux/fs.h                            |   14 +-
 include/linux/fs_struct.h                     |    2 +-
 include/linux/ipc_namespace.h                 |    2 +-
 include/linux/kobject.h                       |    2 +-
 include/linux/mm_types.h                      |    4 +-
 include/linux/module.h                        |    4 +-
 include/linux/mount.h                         |    2 +-
 include/linux/pid_namespace.h                 |    2 +-
 include/linux/proc_fs.h                       |    4 +-
 include/linux/sched.h                         |    6 +-
 include/linux/sysctl.h                        |    2 +-
 include/linux/tty.h                           |    2 +-
 include/linux/tty_driver.h                    |    2 +-
 include/linux/user_namespace.h                |    2 +-
 include/linux/utsname.h                       |    2 +-
 include/net/neighbour.h                       |    2 +-
 include/net/net_namespace.h                   |    2 +-
 net/atm/lec.c                                 |    6 +-
 net/atm/mpoa_caches.c                         |   42 +-
 net/decnet/dn_dev.c                           |    2 +-
 net/x25/sysctl_net_x25.c                      |    2 +-
 scripts/Makefile                              |    2 +
 scripts/gen-random-seed.sh                    |    8 +
 sound/core/seq/oss/seq_oss.c                  |    4 +-
 sound/core/seq/seq_midi.c                     |    4 +-
 sound/drivers/opl3/opl3_seq.c                 |    4 +-
 sound/pci/emu10k1/emu10k1_synth.c             |    4 +-
 sound/synth/emux/emux_seq.c                   |   14 +-
 tools/gcc/.gitignore                          |    1 +
 tools/gcc/Makefile                            |    2 +
 tools/gcc/randomize_layout_plugin.c           |  726 +++++++++++++++++++++++++
 62 files changed, 1147 insertions(+), 322 deletions(-)

commit 6c1dfb8e0c4342aafaf3da38143aff565f74e357
Merge: c0c1e89 f6b9aab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 21:25:13 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit f6b9aab54f0b4b4b99dbe494cb56ed6fcab3c7fe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 21:24:26 2014 -0500

    Update to pax-linux-3.2.54-test136.patch:
    - fixed the PLUGIN_START_UNIT callback names in the latent entropy and size overflow plugins, reported by spender
    - added a new header to gcc-common.h, reported by spender
    - some useful backports from upstream 3.14:
      - debug info for .S: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7db436325db821b400328563ed693b09f8c4c46c
      - make v4 -s handling: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e36aaea28972c57a32a3ba5365e61633739719b9

 Makefile                          |    8 +++++++-
 tools/gcc/gcc-common.h            |    1 +
 tools/gcc/latent_entropy_plugin.c |    2 +-
 tools/gcc/size_overflow_plugin.c  |    2 +-
 4 files changed, 10 insertions(+), 3 deletions(-)

commit c0c1e8928b192455d42a54f54198ad5ffcafef6d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 20:30:40 2014 -0500

    on 3.2 the proper routine is task_times()

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5d09902d41934e044fcf68dd00b5f4ad77148ca3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 8 20:02:12 2014 -0500

    don't divide cputime by HZ as some architectures can't handle this
    use proper task_cputime and cputime_to_secs wrappers
    Thanks to Michael Tremer for the report

 grsecurity/gracl.c |   23 ++++++++++++-----------
 1 files changed, 12 insertions(+), 11 deletions(-)

commit 799f4942cecf292385820730dd7d253cc27df988
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 18:15:24 2014 -0500

    make GRKERNSEC_HIDESYM also protect the target directory specified with the O= arg to 'make'

 grsecurity/Makefile |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 23a8287c65bb4933e3e6c28242b0dad3be1bc8bd
Author: David Sterba <dsterba@suse.cz>
Date:   Wed Jan 15 18:15:52 2014 +0100

    Upstream commit: b572f9aaacdcb9b22ee6483fecaaa7a38c757896
    
    btrfs: restrict snapshotting to own subvolumes
    
    commit d024206133ce21936b3d5780359afc00247655b7 upstream.
    
    Currently, any user can snapshot any subvolume if the path is accessible and
    thus indirectly create and keep files he does not own under his directories.
    This is not possible with traditional directories.
    
    In security context, a user can snapshot root filesystem and pin any
    potentially buggy binaries, even if the updates are applied.
    
    All the snapshots are visible to the administrator, so it's possible to
    verify if there are suspicious snapshots.
    
    Another more practical problem is that any user can pin the space used
    by eg. root and cause ENOSPC.
    
    Original report:
    https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/484786
    
    Signed-off-by: David Sterba <dsterba@suse.cz>
    Signed-off-by: Josef Bacik <jbacik@fb.com>
    Signed-off-by: Chris Mason <clm@fb.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    Conflicts:
    
    	fs/btrfs/ioctl.c

 fs/btrfs/ioctl.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit bf11284994657b38a9066c95146b5f2d726b1c27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 6 20:20:41 2014 -0500

    Backport SELinux DoS fix from http://marc.info/?l=selinux&m=139110025203759&w=2

 security/selinux/ss/services.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 026e375ba60b6866de10b3238e083ef9d35846dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 3 17:28:44 2014 -0500

    select DEBUG_KERNEL in addition to DEBUG_LIST

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4f18c21f3dbcc85b0d65746ac1ef57fe820af6ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 2 21:23:30 2014 -0500

    update copyright date

 grsecurity/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8386e86f2202ea78b3f552c2446946d44799a46f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 2 21:23:08 2014 -0500

    update copyright message

 grsecurity/Makefile |   22 ++++++++++++++++------
 1 files changed, 16 insertions(+), 6 deletions(-)

commit 6ad9fb0b598b5e77be4578116cde54a39aada70a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 1 09:46:46 2014 -0500

    disable verbose random debugging messages at boot

 drivers/char/random.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 9a257eeac61664e3a7b17f6e89e10bd8e3dc8285
Author: Weston Andros Adamson <dros@netapp.com>
Date:   Tue Dec 17 12:16:11 2013 -0500

    Upstream commit: 6ff33b7dd0228b7d7ed44791bbbc98b03fd15d9d
    
    sunrpc: Fix infinite loop in RPC state machine
    
    When a task enters call_refreshresult with status 0 from call_refresh and
    !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting
    or max number of retries.
    
    Instead of trying forever, make use of the retry path that other errors use.
    
    This only seems to be possible when the crrefresh callback is gss_refresh_null,
    which only happens when destroying the context.
    
    To reproduce:
    
    1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific
       operations).
    
    2) reboot - the client will be stuck and will need to be hard rebooted
    
    BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46]
    Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy
    irq event stamp: 195724
    hardirqs last  enabled at (195723): [<ffffffff814a925c>] restore_args+0x0/0x30
    hardirqs last disabled at (195724): [<ffffffff814b0a6a>] apic_timer_interrupt+0x6a/0x80
    softirqs last  enabled at (195722): [<ffffffff8103f583>] __do_softirq+0x1df/0x276
    softirqs last disabled at (195717): [<ffffffff8103f852>] irq_exit+0x53/0x9a
    CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4
    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
    Workqueue: rpciod rpc_async_schedule [sunrpc]
    task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000
    RIP: 0010:[<ffffffffa0064fd4>]  [<ffffffffa0064fd4>] __rpc_execute+0x8a/0x362 [sunrpc]
    RSP: 0018:ffff880079003d18  EFLAGS: 00000246
    RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007
    RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900
    RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7
    R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e
    R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900
    FS:  0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0
    Stack:
     ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830
     ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260
     ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000
    Call Trace:
     [<ffffffff81073f47>] ? trace_hardirqs_on_caller+0x145/0x1a1
     [<ffffffffa00652d3>] rpc_async_schedule+0x27/0x32 [sunrpc]
     [<ffffffff81052974>] process_one_work+0x211/0x3a5
     [<ffffffff810528d5>] ? process_one_work+0x172/0x3a5
     [<ffffffff81052eeb>] worker_thread+0x134/0x202
     [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
     [<ffffffff81052db7>] ? rescuer_thread+0x280/0x280
     [<ffffffff810584a0>] kthread+0xc9/0xd1
     [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
     [<ffffffff814afd6c>] ret_from_fork+0x7c/0xb0
     [<ffffffff810583d7>] ? __kthread_parkme+0x61/0x61
    Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00
    
    And the output of "rpcdebug -m rpc -s all":
    
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refresh (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refresh (status 0)
    RPC:    61 call_refreshresult (status 0)
    RPC:    61 refreshing RPCSEC_GSS cred ffff88007a413cf0
    
    Signed-off-by: Weston Andros Adamson <dros@netapp.com>
    Cc: stable@vger.kernel.org # 2.6.37+
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

 net/sunrpc/clnt.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit fd1beb50c5eaa0858d30d8f9699857daea7c98db
Merge: aaf7afa 49b27c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 28 18:26:23 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 49b27c8baad9a11219a62bffe9fd9c26a395e8bc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 28 18:25:38 2014 -0500

    Update to pax-linux-3.2.54-test135.patch:
    - fixed a constify plugin regression for real, reported by spender
    - fixed the TRACE_IRQFLAGS/KERNEXEC problem for real, 3rd time's a charm, by minipli
    - fixed a size overflow false positive in skb_network_offset due to an intentional overflow, by Emese Revfy, reported by Nikita Matovs

 arch/x86/kernel/entry_64.S |   22 ++++++++++++----------
 include/linux/skbuff.h     |    2 +-
 2 files changed, 13 insertions(+), 11 deletions(-)

commit aaf7afa0bc1a4d10383c863dbbeab107168c8228
Merge: df449a2 944ffc0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 23:30:39 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 944ffc0c46fb368461f52f3520f7876b8db6e175
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 23:30:12 2014 -0500

    backport gcc assert fix from 3.13 constify plugin

 tools/gcc/constify_plugin.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit df449a264e347238c119b0fdcdb3e5d83c08d61e
Merge: 1b28d35 99f43f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 23:16:35 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 99f43f743906732e811f76041355a4e460571223
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 23:15:52 2014 -0500

    Update to pax-linux-3.2.54-test134.patch:
    - gcc plugin updates
      - ported them to gcc trunk (future 4.9)
      - introduced gcc-common.h to simplify gcc version dependencies
      - updated size overflow hash table from spender
      - fixed kallocstat to detect constant size arguments early
      - fixed constify to preserve type qualifiers on pointer-to-self fields
    - added a few sparse/checker annotations and changes to satisfy gcc's address space logic
    - fixed the TRACE_IRQFLAGS problem reported by minipli again
    - fixed a constify plugin regression, reported by spender
    - updated gcc-common.h
    - fixed the size overflow plugin for gcc 4.9, by Emese Revfy

 arch/x86/ia32/ia32_signal.c               |    6 +-
 arch/x86/kernel/entry_64.S                |   86 ++-----
 arch/x86/kernel/tboot.c                   |    2 +-
 block/compat_ioctl.c                      |    2 +-
 drivers/gpu/drm/drm_crtc.c                |    2 +-
 drivers/media/video/v4l2-compat-ioctl32.c |   10 +-
 drivers/media/video/v4l2-ctrls.c          |    4 +-
 drivers/media/video/v4l2-ioctl.c          |    2 +-
 drivers/mmc/card/block.c                  |    2 +-
 drivers/net/macvtap.c                     |    2 +-
 drivers/video/fbmem.c                     |    2 +-
 fs/compat_ioctl.c                         |    2 +-
 fs/exec.c                                 |    2 +-
 include/linux/videodev2.h                 |    2 +-
 net/9p/client.c                           |    6 +-
 net/socket.c                              |    6 +-
 tools/gcc/Makefile                        |    2 +-
 tools/gcc/checker_plugin.c                |   30 +--
 tools/gcc/colorize_plugin.c               |   62 +++--
 tools/gcc/constify_plugin.c               |  105 ++++----
 tools/gcc/gcc-common.h                    |  267 +++++++++++++++++++
 tools/gcc/kallocstat_plugin.c             |  164 +++++++------
 tools/gcc/kernexec_plugin.c               |  333 ++++++++++++++-----------
 tools/gcc/latent_entropy_plugin.c         |  146 +++++------
 tools/gcc/size_overflow_plugin.c          |  400 +++++++++++++----------------
 tools/gcc/stackleak_plugin.c              |  236 +++++++++--------
 tools/gcc/structleak_plugin.c             |   90 +++----
 27 files changed, 1108 insertions(+), 865 deletions(-)

commit 1b28d3560eaa3295b735bcc4c6d61b320a1cba9a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 27 20:30:10 2014 -0500

    Make all grsecurity code GPLv2 only for future releases.  Not really
    important as grsecurity is a derivative work of the Linux kernel and
    thus forced to be GPLv2, the "or higher" was superfluous.

 grsecurity/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c904fd3f64736a669cc112e7c1efe8f2e544cc0c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 19 08:42:54 2014 -0500

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 9ad0ac28c8d7407657f7685eaa00a6f18f9039ee
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Tue Dec 17 21:16:39 2013 -0500

    Upstream commit: a9f069e38cc36d6c4ab3c831bc4bef2ae1a16e96
    
    random: use the architectural HWRNG for the SHA's IV in extract_buf()
    
    To help assuage the fears of those who think the NSA can introduce a
    massive hack into the instruction decode and out of order execution
    engine in the CPU without hundreds of Intel engineers knowing about
    it (only one of which would need to have the conscience and courage of
    Edward Snowden to spill the beans to the public), use the HWRNG to
    initialize the SHA starting value, instead of xor'ing it in
    afterwards.
    
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

 drivers/char/random.c |   16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

commit bc3de2373709b9c953076c1496be6e871c777036
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 20:43:43 2014 -0500

    Since the reworking of recvmsg handlers by Hannes Frederic Sowa,
    it should be safe to revert our workaround for large number of
    infoleaks the previous interface made possible, restoring some
    performance to these syscalls

 net/socket.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f0d137f2b202f4b2c7cb4bdbf89888e5c3f2751d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 20:09:43 2014 -0500

    sync with PaX code from 3.12

 arch/x86/kernel/traps.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7978ab13fe239d3dd6d27d868c9fd4c67f9f77cf
Merge: 34e52ab 0623c43
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 17:26:44 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 34e52ab70ab870616b6c3714f5ed7d39f66c48ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 17:26:32 2014 -0500

    Revert "Revert recent PaX marking change that broke a significant number"
    
    This reverts commit 40065cc405e7c8bf859610ce7b10e94b7292564b.

 fs/binfmt_elf.c |   53 ++++++++++++++++++++++++++++++-----------------------
 1 files changed, 30 insertions(+), 23 deletions(-)

commit 0623c43f4c0a9a0817d514139bf9a054bbfb8f99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 17:25:12 2014 -0500

    Update to pax-linux-3.2.54-test133.patch:
    - new size overflow plugin and hash table from Emese
    - reworked the interaction between the various PaX control flag mechanisms for better consistency
    - fixed type attribute handling in the constify plugin, reported by spender

 fs/binfmt_elf.c                  |  144 +++++++++++++++++++++-----------------
 include/linux/sched.h            |    1 +
 include/linux/sysctl.h           |    6 --
 tools/gcc/constify_plugin.c      |   20 +++---
 tools/gcc/size_overflow_plugin.c |   64 +++++++++++------
 5 files changed, 132 insertions(+), 103 deletions(-)

commit 78348f5b6093f576ea68aa18c23f15750c08c0e3
Author: Steven Rostedt <rostedt@goodmis.org>
Date:   Thu Jan 9 21:46:34 2014 -0500

    Upstream commit: 3dc91d4338d698ce77832985f9cb183d8eeaf6be
    
    SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()
    
    While running stress tests on adding and deleting ftrace instances I hit
    this bug:
    
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      IP: selinux_inode_permission+0x85/0x160
      PGD 63681067 PUD 7ddbe067 PMD 0
      Oops: 0000 [#1] PREEMPT
      CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20
      Hardware name:                  /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006
      task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000
      RIP: 0010:[<ffffffff812d8bc5>]  [<ffffffff812d8bc5>] selinux_inode_permission+0x85/0x160
      RSP: 0018:ffff88007ddb1c48  EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840
      RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000
      RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54
      R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000
      R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000
      FS:  00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0
      Call Trace:
        security_inode_permission+0x1c/0x30
        __inode_permission+0x41/0xa0
        inode_permission+0x18/0x50
        link_path_walk+0x66/0x920
        path_openat+0xa6/0x6c0
        do_filp_open+0x43/0xa0
        do_sys_open+0x146/0x240
        SyS_open+0x1e/0x20
        system_call_fastpath+0x16/0x1b
      Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff
      RIP  selinux_inode_permission+0x85/0x160
      CR2: 0000000000000020
    
    Investigating, I found that the inode->i_security was NULL, and the
    dereference of it caused the oops.
    
    in selinux_inode_permission():
    
    	isec = inode->i_security;
    
    	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
    
    Note, the crash came from stressing the deletion and reading of debugfs
    files.  I was not able to recreate this via normal files.  But I'm not
    sure they are safe.  It may just be that the race window is much harder
    to hit.
    
    What seems to have happened (and what I have traced), is the file is
    being opened at the same time the file or directory is being deleted.
    As the dentry and inode locks are not held during the path walk, nor is
    the inodes ref counts being incremented, there is nothing saving these
    structures from being discarded except for an rcu_read_lock().
    
    The rcu_read_lock() protects against freeing of the inode, but it does
    not protect freeing of the inode_security_struct.  Now if the freeing of
    the i_security happens with a call_rcu(), and the i_security field of
    the inode is not changed (it gets freed as the inode gets freed) then
    there will be no issue here.  (Linus Torvalds suggested not setting the
    field to NULL such that we do not need to check if it is NULL in the
    permission check).
    
    Note, this is a hack, but it fixes the problem at hand.  A real fix is
    to restructure the destroy_inode() to call all the destructor handlers
    from the RCU callback.  But that is a major job to do, and requires a
    lot of work.  For now, we just band-aid this bug with this fix (it
    works), and work on a more maintainable solution in the future.
    
    Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home
    Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 security/selinux/hooks.c          |   20 ++++++++++++++++++--
 security/selinux/include/objsec.h |    5 ++++-
 2 files changed, 22 insertions(+), 3 deletions(-)

commit e23872879b4d23dc790ccad86aaf9ec2e9ae8e6f
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Jan 13 02:45:22 2014 +0100

    Upstream commit: 95f4a45de1a0f172b35451fc52283290adb21f6e
    
    net: avoid reference counter overflows on fib_rules in multicast forwarding
    
    Bob Falken reported that after 4G packets, multicast forwarding stopped
    working. This was because of a rule reference counter overflow which
    freed the rule as soon as the overflow happened.
    
    This patch solves this by adding the FIB_LOOKUP_NOREF flag to
    fib_rules_lookup calls. This is safe even from non-rcu locked sections
    as in this case the flag only implies not taking a reference to the rule,
    which we don't need at all.
    
    Rules only hold references to the namespace, which are guaranteed to be
    available during the call of the non-rcu protected function reg_vif_xmit
    because of the interface reference which itself holds a reference to
    the net namespace.
    
    Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables")
    Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables")
    Reported-by: Bob Falken <NetFestivalHaveFun@gmx.com>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Thomas Graf <tgraf@suug.ch>
    Cc: Julian Anastasov <ja@ssi.bg>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ipmr.c  |    7 +++++--
 net/ipv6/ip6mr.c |    7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

commit 78d6bf0dd1b3d5512b8a5f8ef0655f1e15bfcd7d
Author: NeilBrown <neilb@suse.de>
Date:   Mon Jan 6 10:35:34 2014 +1100

    Upstream commit: e8b849158508565e0cd6bc80061124afc5879160
    
    md/raid10: fix bug when raid10 recovery fails to recover a block.
    
    commit e875ecea266a543e643b19e44cf472f1412708f9
        md/raid10 record bad blocks as needed during recovery.
    
    added code to the "cannot recover this block" path to record a bad
    block rather than fail the whole recovery.
    Unfortunately this new case was placed *after* r10bio was freed rather
    than *before*, yet it still uses r10bio.
    This will crash with a null dereference.
    
    So move the freeing of r10bio down where it is safe.
    
    Cc: stable@vger.kernel.org (v3.1+)
    Fixes: e875ecea266a543e643b19e44cf472f1412708f9
    Reported-by: Damian Nowak <spam@nowaker.net>
    URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
    Signed-off-by: NeilBrown <neilb@suse.de>

 drivers/md/raid10.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 19ce1cd7bf18f03cf143d7cc12ae3f52e6ba3dd9
Author: NeilBrown <neilb@suse.de>
Date:   Tue Jan 14 10:38:09 2014 +1100

    Upstream commit: b50c259e25d9260b9108dc0c2964c26e5ecbe1c1
    
    md/raid10: fix two bugs in handling of known-bad-blocks.
    
    If we discover a bad block when reading we split the request and
    potentially read some of it from a different device.
    
    The code path of this has two bugs in RAID10.
    1/ we get a spin_lock with _irq, but unlock without _irq!!
    2/ The calculation of 'sectors_handled' is wrong, as can be clearly
       seen by comparison with raid1.c
    
    This leads to at least 2 warnings and a probable crash if a RAID10
    ever had known bad blocks.
    
    Cc: stable@vger.kernel.org (v3.1+)
    Fixes: 856e08e23762dfb92ffc68fd0a8d228f9e152160
    Reported-by: Damian Nowak <spam@nowaker.net>
    URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181
    Signed-off-by: NeilBrown <neilb@suse.de>

 drivers/md/raid10.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 84b9921ab57d01dc6ef681fbc7aed654431af347
Author: Andreas Rohner <andreas.rohner@gmx.net>
Date:   Tue Jan 14 17:56:36 2014 -0800

    Upstream commit: 70f2fe3a26248724d8a5019681a869abdaf3e89a
    
    nilfs2: fix segctor bug that causes file system corruption
    
    There is a bug in the function nilfs_segctor_collect, which results in
    active data being written to a segment, that is marked as clean.  It is
    possible, that this segment is selected for a later segment
    construction, whereby the old data is overwritten.
    
    The problem shows itself with the following kernel log message:
    
      nilfs_sufile_do_cancel_free: segment 6533 must be clean
    
    Usually a few hours later the file system gets corrupted:
    
      NILFS: bad btree node (blocknr=8748107): level = 0, flags = 0x0, nchildren = 0
      NILFS error (device sdc1): nilfs_bmap_last_key: broken bmap (inode number=114660)
    
    The issue can be reproduced with a file system that is nearly full and
    with the cleaner running, while some IO-intensive task is running,
    although it is quite hard to reproduce.
    
    This is what happens:
    
     1. The cleaner starts the segment construction
     2. nilfs_segctor_collect is called
     3. sc_stage is on NILFS_ST_SUFILE and segments are freed
     4. sc_stage is on NILFS_ST_DAT current segment is full
     5. nilfs_segctor_extend_segments is called, which
        allocates a new segment
     6. The new segment is one of the segments freed in step 3
     7. nilfs_sufile_cancel_freev is called and produces an error message
     8. Loop around and the collection starts again
     9. sc_stage is on NILFS_ST_SUFILE and segments are freed
        including the newly allocated segment, which will contain active
        data and can be allocated at a later time
    10. A few hours later another segment construction allocates the
        segment and causes file system corruption
    
    This can be prevented by simply reordering the statements.  If
    nilfs_sufile_cancel_freev is called before nilfs_segctor_extend_segments
    the freed segments are marked as dirty and cannot be allocated any more.
    
    Signed-off-by: Andreas Rohner <andreas.rohner@gmx.net>
    Reviewed-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Tested-by: Andreas Rohner <andreas.rohner@gmx.net>
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/nilfs2/segment.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit b5081910f95ef6c358d157e59a8dda19fcf9c64a
Author: Salva Peiró <speiro@ai2.upv.es>
Date:   Tue Dec 17 10:06:30 2013 +0100

    Upstream commit: 8e3fbf870481eb53b2d3a322d1fc395ad8b367ed
    
    hamradio/yam: fix info leak in ioctl
    
    The yam_ioctl() code fails to initialise the cmd field
    of the struct yamdrv_ioctl_cfg. Add an explicit memset(0)
    before filling the structure to avoid the 4-byte info leak.
    
    Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/hamradio/yam.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit f36c812008cc490985bd62198500e2555edf7cce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 18 16:31:17 2014 -0500

    Upstream commit: 807a0c12941850ddaff2ed62ba26a748e542c599
    
    x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround
    commit 26bef1318adc1b3a530ecc807ef99346db2aa8b0 upstream.
    
    Before we do an EMMS in the AMD FXSAVE information leak workaround we
    need to clear any pending exceptions, otherwise we trap with a
    floating-point exception inside this code.
    
    Reported-by: halfdog <me@halfdog.net>
    Tested-by: Borislav Petkov <bp@suse.de>
    Link: http://lkml.kernel.org/r/CA%2B55aFxQnY_PCG_n4=0w-VG=YLXL-yr7oMxyy0WU2gCBAf3ydg@mail.gmail.com
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 arch/x86/kernel/traps.c |   13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

commit 40065cc405e7c8bf859610ce7b10e94b7292564b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 19:23:25 2013 -0500

    Revert recent PaX marking change that broke a significant number
    of existing systems.  The marking system will be revamped in a later
    patch to fix softmode support while making XT markings more usable.

 fs/binfmt_elf.c |   53 +++++++++++++++++++++++------------------------------
 1 files changed, 23 insertions(+), 30 deletions(-)

commit 7e6ea015eb7f3d172b7cd9a458fff143c35e794b
Merge: 841a673 bec704a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 16 07:03:53 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit bec704a790bd9b7e3b3906849cc164c4c67eef67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 16 07:02:25 2014 -0500

    Update to pax-linux-3.2.54-test132.patch:
    - fixed an inconsistency in handling softmode and user.pax.flags, reported by jacekalex (http://forums.grsecurity.net/viewtopic.php?f=3&t=3877)
    - fixed silly code in kvm_clear_guest_page detected by USERCOPY, reported by remnix (http://forums.grsecurity.net/viewtopic.php?f=3&t=3899)
    - Emese worked around a few intentional overflows that triggered the size overflow plugin
      - in cpuset_common_file_read, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=496490) and boris64 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3907)
    - fixed powerpc compilation, by Purushothama Siddaiah <psiddaiah@mvista.com>
    - fixed incorrect module parameter type in vivi, caught by the size overflow plugin
    - use plugins while building more kernel targets (asm-offsets.c, etc)
    - small cleanup in no_const attribute handling, reported by spender

 Makefile                               |    2 +
 arch/powerpc/kernel/module_32.c        |    2 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c |    2 +-
 drivers/media/video/vivi.c             |    4 +-
 drivers/usb/core/devio.c               |    2 +-
 fs/binfmt_elf.c                        |   53 ++++++----
 include/linux/devfreq.h                |    2 +-
 include/linux/netfilter/ipset/ip_set.h |    2 +-
 security/Kconfig                       |    1 -
 tools/gcc/constify_plugin.c            |   47 ++++-----
 tools/gcc/size_overflow_hash.data      |   71 +++++++------
 tools/gcc/size_overflow_plugin.c       |  173 +++++++++++++++++++++++++++-----
 virt/kvm/kvm_main.c                    |   13 ++-
 13 files changed, 258 insertions(+), 116 deletions(-)

commit 841a673ac30f4c753efec687702296ccbdd04f90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 8 17:46:46 2014 -0500

    back out recently-added capability checks to various pci write methods
    as they break Xorg radeon drivers

 drivers/pci/pci-sysfs.c |    9 ---------
 drivers/pci/proc.c      |    3 ---
 2 files changed, 0 insertions(+), 12 deletions(-)

commit eb25c5db7c0818cefe240318557152a2300100e0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 2 17:02:24 2014 -0500

    Back off recent PCI BAR restrictions as they break various existing
    necessary functionality (Xorg with VMware video driver, etc)
    
    Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0
    checks currently

 drivers/pci/pci-sysfs.c |   17 +++++++----------
 drivers/pci/proc.c      |   13 ++-----------
 drivers/pci/syscall.c   |    4 ----
 3 files changed, 9 insertions(+), 25 deletions(-)

commit 21e33201b298da74f9b923d174d02a072cc71d96
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 5 16:29:52 2014 -0500

    Update size_overflow hash table

 tools/gcc/size_overflow_hash.data |   71 +++++++++++++++++++-----------------
 1 files changed, 37 insertions(+), 34 deletions(-)

commit 0871ae45aefdad82a1dbd4ff5229938f9fa907ec
Merge: caf7b9f 633e6b5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 5 12:43:58 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/arm/lib/getuser.S
    	arch/arm/lib/putuser.S
    	arch/ia64/include/asm/processor.h
    	arch/x86/kvm/lapic.c
    	drivers/isdn/isdnloop/isdnloop.c
    	include/linux/random.h
    	include/linux/sched.h
    	kernel/ptrace.c
    	lib/random32.c

commit 633e6b5550a806435021b29919c341e940a7a035
Merge: cc54d65 260716c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 5 12:29:48 2014 -0500

    Update to pax-linux-3.2.4-test131.patch
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/boot/Makefile
    	kernel/trace/ftrace.c
    	net/compat.c
    	net/socket.c

commit caf7b9fdeebd673bbabff35ad80cd224e1a69f8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 19:20:26 2013 -0500

    add missing #include

 grsecurity/grsec_mount.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit be0a834a86d6537c9765f02d439d06b54b89b7ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 15:51:51 2013 -0500

    Update config help to reflect requirements for proper security, similar
    to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM

 grsecurity/Kconfig |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit d2f83733f77ca492032bde4546d37227fad5b14b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 26 15:35:31 2013 -0500

    Whenever we perform checks against block devices we should also test for
    raw character devices provided by CONFIG_RAW_DRIVER.  Unlike other OSes,
    Linux's raw device support was obsoleted many years ago and is unlikely
    to be present in a given kernel config (modulo an allyesconfig).

 grsecurity/gracl.c       |    2 +-
 grsecurity/grsec_mount.c |    4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

commit 8b2adc3db34a65c9d08847d8eeefec806d43f97d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 25 16:37:02 2013 -0500

    Add some of the more obscure, config-dependent kernel modification
    defenses to GRKERNSEC_KMEM, to be split out into a separate option
    if this causes any compatibility problems.  From Matthew Garrett:
    https://lkml.org/lkml/2013/9/9/532
    
    Also make hibernation depend on !PAX_MEMORY_SANITIZE and not
    the other way around (to produce more secure settings when distro
    configs are used as a base)

 drivers/acpi/custom_method.c    |    4 ++++
 drivers/pci/pci-sysfs.c         |   12 ++++++++++++
 drivers/pci/proc.c              |   12 ++++++++++++
 drivers/pci/syscall.c           |    4 ++++
 drivers/platform/x86/asus-wmi.c |   12 ++++++++++++
 kernel/power/Kconfig            |    2 ++
 security/Kconfig                |    1 -
 7 files changed, 46 insertions(+), 1 deletions(-)

commit 4a06a3f6f69a4cc4b3de858c26024c16f4ad9c23
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon Dec 23 17:45:01 2013 -0500

    Upstream commit: c0c1439541f5305b57a83d599af32b74182933fe
    
    selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()
    
    selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
    but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
    this looks confusing and triggers the "suspicious RCU usage"
    warning because ptrace_parent() does rcu_dereference_check().
    
    And in theory this is wrong: spin_lock()->preempt_disable()
    doesn't necessarily imply the rcu_read_lock() we need to access
    ->parent.
    
    Reported-by: Evan McNabb <emcnabb@redhat.com>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/hooks.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 37b546741a7d559c8e27814b6254dd4748a6824f
Author: Chad Hanson <chanson@trustedcs.com>
Date:   Mon Dec 23 17:45:01 2013 -0500

    Upstream commit: 46d01d63221c3508421dd72ff9c879f61053cffc
    
    selinux: fix broken peer recv check
    
    Fix a broken networking check. Return an error if peer recv fails.  If
    secmark is active and the packet recv succeeds the peer recv error is
    ignored.
    
    Signed-off-by: Chad Hanson <chanson@trustedcs.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/hooks.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit a5e2af896b4a8817e37cb71c83c1652e7650b4a9
Author: Jianguo Wu <wujianguo@huawei.com>
Date:   Wed Dec 18 17:08:59 2013 -0800

    Upstream commit: 98398c32f6687ee1e1f3ae084effb4b75adb0747
    
    mm/hugetlb: check for pte NULL pointer in __page_check_address()
    
    In __page_check_address(), if address's pud is not present,
    huge_pte_offset() will return NULL, we should check the return value.
    
    Signed-off-by: Jianguo Wu <wujianguo@huawei.com>
    Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: Mel Gorman <mgorman@suse.de>
    Cc: qiuxishi <qiuxishi@huawei.com>
    Cc: Hanjun Guo <guohanjun@huawei.com>
    Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	mm/rmap.c

 mm/rmap.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 8b11198e4d492f6a0b8da7e4352391ddfa9216d7
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Dec 17 00:38:39 2013 +0100

    Upstream commit: b1aac815c0891fe4a55a6b0b715910142227700f
    
    net: inet_diag: zero out uninitialized idiag_{src,dst} fields
    
    Jakub reported while working with nlmon netlink sniffer that parts of
    the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6.
    That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3].
    
    In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab]
    memory through this. At least, in udp_dump_one(), we allocate a skb in ...
    
      rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL);
    
    ... and then pass that to inet_sk_diag_fill() that puts the whole struct
    inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0],
    r->id.idiag_dst[0] and leave the rest untouched:
    
      r->id.idiag_src[0] = inet->inet_rcv_saddr;
      r->id.idiag_dst[0] = inet->inet_daddr;
    
    struct inet_diag_msg embeds struct inet_diag_sockid that is correctly /
    fully filled out in IPv6 case, but for IPv4 not.
    
    So just zero them out by using plain memset (for this little amount of
    bytes it's probably not worth the extra check for idiag_family == AF_INET).
    
    Similarly, fix also other places where we fill that out.
    
    Reported-by: Jakub Zawadzki <darkjames-ws@darkjames.pl>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/inet_diag.c
    

 net/ipv4/inet_diag.c |   15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

commit 366e01844ca2caf68345eaaf5f70ba5a8621928a
Author: Wenliang Fan <fanwlexca@gmail.com>
Date:   Tue Dec 17 11:25:28 2013 +0800

    Upstream commit: e9db5c21d3646a6454fcd04938dd215ac3ab620a
    
    drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
    
    The local variable 'bi' comes from userspace. If userspace passed a
    large number to 'bi.data.calibrate', there would be an integer overflow
    in the following line:
    	s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
    
    Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/hamradio/hdlcdrv.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
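The overflow in that line, shown as an added example rather than the driver's own code: the user-supplied calibrate value is bounded before the multiplication so the product cannot exceed INT_MAX. The function name, the hypothetical state struct and the sample bitrate are constructed for this illustration; the page does not show the exact check the fix adds.

```c
/* Added example, not drivers/net/hamradio/hdlcdrv.c itself.  The line
 *   s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
 * multiplies a user-controlled int before dividing, so a large
 * 'calibrate' overflows int (undefined behaviour in C).  The helper
 * below rejects any input for which the product would not fit.
 * Names and sample values are constructed for this illustration. */
#include <limits.h>
#include <stdio.h>

/* Returns the value that would be stored in s->hdlctx.calibrate, or -1
 * (standing in for -EINVAL) when the request must be rejected.
 * Negative calibrate values and non-positive bitrates are rejected
 * too: 'calibrate' comes straight from userspace and a bitrate <= 0
 * would make the bound below meaningless. */
int hdlc_calibrate_checked(int user_calibrate, int bitrate)
{
    if (bitrate <= 0 || user_calibrate < 0)
        return -1;
    /* Portable overflow test: holds exactly when
     * user_calibrate * bitrate <= INT_MAX. */
    if (user_calibrate > INT_MAX / bitrate)
        return -1;
    return user_calibrate * bitrate / 16;
}

int main(void)
{
    const int bitrate = 9600;   /* constructed s->par.bitrate */

    /* Ordinary request: 10 * 9600 / 16 = 6000 */
    printf("calibrate=10      -> %d\n", hdlc_calibrate_checked(10, bitrate));

    /* Largest value that still fits: INT_MAX / 9600 */
    printf("calibrate=%d  -> %d\n", INT_MAX / bitrate,
           hdlc_calibrate_checked(INT_MAX / bitrate, bitrate));

    /* Constructed hostile request: INT_MAX * 9600 does not fit in an int */
    printf("calibrate=INT_MAX -> %d (rejected)\n",
           hdlc_calibrate_checked(INT_MAX, bitrate));
    return 0;
}
```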

commit 873c7a6b4bb04970de0b4eabcae099d2809eb4d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 25 15:03:13 2013 -0500

    Add RBAC mediation of *removexattr(), as this has security implications
    in the case of PaX with softmode enabled or the rare case of RBAC+SELinux
    use.
    
    Conflicts:
    
    	fs/xattr.c

 fs/xattr.c                  |   19 +++++++++++--------
 grsecurity/gracl_fs.c       |    6 ++++++
 grsecurity/grsec_disabled.c |    6 ++++++
 include/linux/grmsg.h       |    3 ++-
 include/linux/grsecurity.h  |    2 ++
 5 files changed, 27 insertions(+), 9 deletions(-)

commit 88fe8224029ead97ec2a16caaa5ee5b89130cfa9
Merge: cd84f8c cc54d65
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 19 17:19:13 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit cc54d65662807e8a22b45724e337e93169649ef6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 19 17:18:26 2013 -0500

    Update to pax-linux-3.2.53-test131.patch:
    - fixed some more size overflow reports
      - gratuitous int/uint conversion in expand_files and expand_fdtable, reported by wizeman (http://forums.grsecurity.net/viewtopic.php?f=3&t=3898)
      - better fix for the gcc induced intentional overflow in usbdev_read
      - updated hash table from spender

 arch/x86/include/asm/atomic.h      |    4 ++--
 arch/x86/include/asm/atomic64_32.h |    2 +-
 arch/x86/include/asm/atomic64_64.h |    2 +-
 drivers/usb/core/devio.c           |    2 +-
 fs/file.c                          |    4 ++--
 include/asm-generic/atomic-long.h  |    2 +-
 include/linux/fdtable.h            |    2 +-
 tools/gcc/size_overflow_hash.data  |   16 ++++++++++++++--
 8 files changed, 23 insertions(+), 11 deletions(-)

commit cd84f8c580fc31535dcabea0ba8b562697a43d6e
Merge: 33d1bff 9c07653
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 15 11:58:18 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 9c07653f39572a5fc12e025a8ae170a9d0fe3b18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 15 11:58:01 2013 -0500

    compile fix

 arch/x86/kernel/entry_64.S |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 33d1bff83bef36441aac0cfd8a6b409d71f0d876
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 15 10:54:40 2013 -0500

    Backport upstream commit:
    http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/04774.html
    
    This overflow is harmless except to think about, but it's best
    to fix it. If userspace does a giant read from /dev/urandom,
    bigger than INT_MAX, then that size gets passed straight
    through extract_entropy_user and xfer_secondary_pool to
    _xfer_secondary_pool as nbytes, and we would store it into
    bytes, which is an int. The result could be negative.
    
    The consequence is pretty small -- we would pull only the minimum
    amount of entropy, rather than as much as we could up to the size
    of the output pool, and this is urandom so that's fine. But the
    code is a little easier to read if we make it clear that overflow
    isn't an issue. Also we might be less likely to make mistakes like
    the one fixed in the previous commit.
    
    As a bonus, give a name to the minimum number of bytes to pull,
    which we use twice.
    
    Signed-off-by: Greg Price <price@xxxxxxx>

 drivers/char/random.c |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

commit 092cfa5d608aff41b9db65f39404a21bb864f86e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 15 10:49:31 2013 -0500

    Backport of commit:
    http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/04773.html
    Negative numbers and size_t don't mix. When the total entropy
    available was less than 'reserved', we would fail to enforce any limit
    at all. Fix that. We never care how negative have_bytes - reserved
    is, so just flatten it to zero if negative.
    
    This behavior entered in 987cd8c30 "random: simplify accounting code"
    a few commits ago. Before that, for a long time we would compare
    have_bytes - reserved (or equivalent) to ibytes or store it into ibytes,
    but only inside a condition that guaranteed it wasn't negative.
    
    Signed-off-by: Greg Price <price@xxxxxxx>
    ---
    drivers/char/random.c | 3 ++-
    1 file changed, 2 insertions(+), 1 deletion(-)

 drivers/char/random.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
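Why "negative numbers and size_t don't mix" here, as an added example that is not the kernel's random.c: the buggy form casts a negative int difference to size_t for the min(), which wraps to a huge value and so never limits the request; the fixed form flattens the difference to zero first, as the commit message proposes. The function names and the entropy figures are constructed for this illustration.

```c
/* Added example, not drivers/char/random.c itself.  'have_bytes' and
 * 'reserved' are ints; when have_bytes < reserved the difference is
 * negative, and converting it to size_t for a min() turns it into a
 * value near SIZE_MAX, so the caller's request passes unlimited.
 * Values and function names are constructed for this illustration. */
#include <stddef.h>
#include <stdio.h>

static size_t min_size(size_t a, size_t b)
{
    return a < b ? a : b;
}

/* Before: the negative difference wraps around once cast to size_t,
 * so min() picks nbytes unchanged and no limit is enforced. */
size_t account_buggy(size_t nbytes, int have_bytes, int reserved)
{
    return min_size(nbytes, (size_t)(have_bytes - reserved));
}

/* After: flatten the difference to zero when negative, then compare.
 * We never care how negative it is, only that nothing is available. */
size_t account_fixed(size_t nbytes, int have_bytes, int reserved)
{
    int avail = have_bytes - reserved;
    if (avail < 0)
        avail = 0;
    return min_size(nbytes, (size_t)avail);
}

int main(void)
{
    /* Constructed state: 10 bytes of entropy in the pool, 16 reserved,
     * and a caller asking for 32. */
    printf("buggy: %zu bytes granted\n", account_buggy(32, 10, 16)); /* 32 */
    printf("fixed: %zu bytes granted\n", account_fixed(32, 10, 16)); /*  0 */

    /* With enough entropy both agree: 40 - 16 = 24 available. */
    printf("buggy: %zu bytes granted\n", account_buggy(32, 40, 16)); /* 24 */
    printf("fixed: %zu bytes granted\n", account_fixed(32, 40, 16)); /* 24 */
    return 0;
}
```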

commit b75e5e057346017f9a71f63fcc4d8f7bda13567b
Merge: f3e7ef6 33db4e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 15 10:46:17 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	include/linux/random.h

commit 33db4e57263f16ed44ff12c370b1a1a0c97cfd6e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 15 10:44:24 2013 -0500

    Update to pax-linux-3.2.53-test130.patch:
    - Emese fixed a bug in the size overflow plugin resulting in false positives on downcasts from 64 bit variables on i386, reported by Huub Reuver
    - added a bit more amd64 kernel page table hardening
    - fixed bad interactions between the KERNEXEC plugin and some gcc features, reported by Amadeusz Sławiński (https://bugs.gentoo.org/show_bug.cgi?id=487938)
      - the mask register has been changed from r10 (used by DRAP) to r12
      - all kernel entry points now allocate a full pt_regs area (it required some non-trivial surgery, some fallout is possible)
    - fixed 32 bit apps executing certain 64 bit ones, reported by Ronny Meeus
    - updated size overflow plugin from Emese, fixes some false positives reported by Tim Harman and Huub Reuver

 arch/x86/crypto/aes-x86_64-asm_64.S          |    2 +-
 arch/x86/crypto/aesni-intel_asm.S            |  124 +++++++-------
 arch/x86/crypto/blowfish-x86_64-asm_64.S     |   12 +-
 arch/x86/crypto/salsa20-x86_64-asm_64.S      |    2 +-
 arch/x86/crypto/sha1_ssse3_asm.S             |   10 +-
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S |    6 +-
 arch/x86/crypto/twofish-x86_64-asm_64.S      |    4 +-
 arch/x86/ia32/ia32entry.S                    |   16 +-
 arch/x86/include/asm/alternative-asm.h       |    6 +-
 arch/x86/include/asm/atomic64_32.h           |    2 +-
 arch/x86/include/asm/atomic64_64.h           |    2 +-
 arch/x86/include/asm/bitops.h                |    4 +-
 arch/x86/include/asm/calling.h               |  118 +++++++------
 arch/x86/include/asm/ptrace-abi.h            |    1 -
 arch/x86/kernel/entry_64.S                   |   71 ++++----
 arch/x86/kernel/head_64.S                    |   18 ++-
 arch/x86/lib/copy_page_64.S                  |   20 +-
 arch/x86/lib/copy_user_64.S                  |    8 +-
 arch/x86/lib/copy_user_nocache_64.S          |    8 +-
 arch/x86/lib/csum-copy_64.S                  |   18 +-
 arch/x86/lib/memcpy_64.S                     |   12 +-
 arch/x86/lib/memmove_64.S                    |   32 ++--
 arch/x86/lib/memset_64.S                     |    4 +-
 arch/x86/lib/msr-reg.S                       |   16 +-
 arch/x86/lib/thunk_64.S                      |   10 +-
 arch/x86/mm/gup.c                            |    4 +
 drivers/usb/core/devio.c                     |    6 +-
 fs/binfmt_elf.c                              |   17 +-
 fs/cifs/file.c                               |   10 +-
 include/asm-generic/bitops/__fls.h           |    2 +-
 include/asm-generic/bitops/fls.h             |    2 +-
 include/asm-generic/bitops/fls64.h           |    4 +-
 include/linux/bitops.h                       |    2 +-
 include/linux/random.h                       |    6 +-
 include/linux/vmstat.h                       |    4 +-
 tools/gcc/kernexec_plugin.c                  |   29 ++--
 tools/gcc/size_overflow_hash.data            |    7 -
 tools/gcc/size_overflow_plugin.c             |  239 ++++++++++++++++++--------
 38 files changed, 484 insertions(+), 374 deletions(-)

commit f3e7ef6cc6db1ee01870db9006caa48d8989fd26
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 13 21:41:46 2013 -0500

    fix typo in backport

 arch/x86/kvm/lapic.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit ff05ea76cb5dac2a76cc53a6be2e438f293d183d
Author: Andy Honig <ahonig@google.com>
Date:   Tue Nov 19 14:12:18 2013 -0800

    Upstream commit: b963a22e6d1a266a67e9eecc88134713fd54775c
    
    KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
    
    Under guest controllable circumstances apic_get_tmcct will execute a
    divide by zero and cause a crash.  If the guest cpuid supports
    tsc deadline timers and performs the following sequence of requests
    the host will crash.
    - Set the mode to periodic
    - Set the TMICT to 0
    - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
    - Set the TMICT to non-zero.
    Then the lapic_timer.period will be 0, but the TMICT will not be.  If the
    guest then reads from the TMCCT then the host will perform a divide by 0.
    
    This patch ensures that if the lapic_timer.period is 0, then the division
    does not occur.
    
    Reported-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    
    Conflicts:
    
    	arch/x86/kvm/lapic.c

 arch/x86/kvm/lapic.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit c762a14fdf5622d16bf1c63d4f4fc69f64761daa
Author: Andy Honig <ahonig@google.com>
Date:   Mon Nov 18 16:09:22 2013 -0800

    Upstream commit: 338c7dbadd2671189cec7faf64c84d01071b3f96
    
    KVM: Improve create VCPU parameter (CVE-2013-4587)
    
    In multiple functions the vcpu_id is used as an offset into a bitfield.  A
    malicious user could specify a vcpu_id greater than 255 in order to set or
    clear bits in kernel memory.  This could be used to elevate privileges in the
    kernel.  This patch verifies that the vcpu_id provided is less than 255.
    The api documentation already specifies that the vcpu_id must be less than
    max_vcpus, but this is currently not checked.
    
    Reported-by: Andrew Honig <ahonig@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 virt/kvm/kvm_main.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 1e61a4a03c7b68ca586c8df560c5d17c0683d549
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Dec 12 09:38:42 2013 -0800

    Upstream commit: f12d5bfceb7e1f9051563381ec047f7f13956c3c
    
    futex: fix handling of read-only-mapped hugepages
    
    The hugepage code had the exact same bug that regular pages had in
    commit 7485d0d3758e ("futexes: Remove rw parameter from
    get_futex_key()").
    
    The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix
    regression with read only mappings"), but the transparent hugepage case
    (added in a5b338f2b0b1: "thp: update futex compound knowledge") case
    remained broken.
    
    Found by Dave Jones and his trinity tool.
    
    Reported-and-tested-by: Dave Jones <davej@fedoraproject.org>
    Cc: stable@kernel.org # v2.6.38+
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Mel Gorman <mgorman@suse.de>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/futex.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8076aceaa44345fb14ba048e4c51a4dd976ed92a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 13 19:39:54 2013 -0500

    Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent
    atomic reload improvement.  These two objects are used only for "files" private
    to the kernel which don't exist on any mounted filesystem and have no visible
    path.  Only the mode field of these objects is ever used, and we would never
    attempt to free these objects a second time (due to their being allocated
    into the memory manager associated with the initial policy)
    
    In practice this causes bogus auditing messages for / and could potentially
    cause a subject without executable shared memory support to permit executable
    shared memory (if PaX is disabled on the binary).
    
    Instead just allocate these two special objects with kzalloc at enable time
    and free them at disable time.
    
    Thanks to nyt@countercultured.net for the report

 grsecurity/gracl_policy.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit dacca7ad7b3303ae2ec9c85c60d10c9a8e4bdc0a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 13 20:34:22 2013 -0500

    Convert wholesale to the random driver from 3.13.  As
    GRKERNSEC_RANDNET uses one of the commented polynomials
    from the random TGFSR code, it likely needs to be fixed
    to use a primitive and irreducible polynomial as the uncommented
    polynomials were (see: http://eprint.iacr.org/2012/251.pdf).  Though
    this results in a smaller maximal period for the input entropy pool,
    this period is still much larger than the default kernel's period.
    It's thus not security-relevant, but will be fixed in a later update.

 drivers/char/random.c         |  805 ++++++++++++++++++++++++-----------------
 include/linux/random.h        |   19 +-
 include/trace/events/random.h |  315 ++++++++++++++++
 lib/random32.c                |  313 ++++++++++++++--
 4 files changed, 1087 insertions(+), 365 deletions(-)

commit 27afcd4f45384f64e4ac27acd6756cc2633f88fd
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Jul 14 20:27:52 2012 -0400

    Upstream commit: c5857ccf293968348e5eb4ebedc68074de3dcda6
    
    random: remove rand_initialize_irq()
    
    With the new interrupt sampling system, we are no longer using the
    timer_rand_state structure in the irq descriptor, so we can stop
    initializing it now.
    
    [ Merged in fixes from Sedat to find some last missing references to
      rand_initialize_irq() ]
    
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Sedat Dilek <sedat.dilek@gmail.com>

 arch/ia64/kernel/irq_ia64.c |    1 -
 drivers/char/random.c       |   55 -------------------------------------------
 drivers/mfd/ab3100-core.c   |    3 --
 include/linux/irqdesc.h     |    1 -
 include/linux/random.h      |    2 -
 kernel/irq/manage.c         |   17 -------------
 6 files changed, 0 insertions(+), 79 deletions(-)

commit 3d9774a245d90548a252969abcf77d662ca2b494
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Nov 11 12:20:32 2013 +0100

    Upstream commit: d8b3693c2e8727131f4bc0c2b6000e7f563064fb
    
    random32: fix off-by-one in seeding requirement
    
    [ Upstream commit 51c37a70aaa3f95773af560e6db3073520513912 ]
    
    For properly initialising the Tausworthe generator [1], we have
    a strict seeding requirement, that is, s1 > 1, s2 > 7, s3 > 15.
    
    Commit 697f8d0348 ("random32: seeding improvement") introduced
    a __seed() function that imposes boundary checks proposed by the
    errata paper [2] to properly ensure above conditions.
    
    However, we're off by one, as the function is implemented as:
    "return (x < m) ? x + m : x;", and called with __seed(X, 1),
    __seed(X, 7), __seed(X, 15). Thus, an unwanted seed of 1, 7, 15
    would be possible, whereas the lower boundary should actually
    be of at least 2, 8, 16, just as GSL does. Fix this, as otherwise
    an initialization with an unwanted seed could have the effect
    that Tausworthe's PRNG properties cannot be ensured.
    
    Note that this PRNG is *not* used for cryptography in the kernel.
    
     [1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps
     [2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps
    
    Joint work with Hannes Frederic Sowa.
    
    Fixes: 697f8d0348a6 ("random32: seeding improvement")
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Florian Weimer <fweimer@redhat.com>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 include/linux/random.h |    6 +++---
 lib/random32.c         |   14 +++++++-------
 2 files changed, 10 insertions(+), 10 deletions(-)
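As an added illustration of the boundary check this commit describes (constructed example code, not taken from the page or from the kernel tree): it reproduces the taus88 step of lib/random32.c in user space, seeds it both the off-by-one way and the fixed way, and shows why the bound matters, since a component seeded with 1, 7 or 15 has nothing set but the bits the component mask discards and so collapses to zero. The example seeds the three components directly from a 32-bit value i; the kernel first derives i from a 64-bit seed, which is left out here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Three-component Tausworthe state, laid out as in lib/random32.c. */
struct rnd_state {
	uint32_t s1, s2, s3;
};

/* The boundary helper quoted in the commit message: values below m are
 * pushed up by m, values at or above m pass through unchanged. */
static uint32_t __seed(uint32_t x, uint32_t m)
{
	return (x < m) ? x + m : x;
}

/* Seeding before the fix, with m = 1, 7, 15.  Off by one: i == 1 gives
 * s1 == 1, i == 7 gives s2 == 7, i == 15 gives s3 == 15, all of which
 * violate the requirement s1 > 1, s2 > 7, s3 > 15. */
static void seed_state_old(struct rnd_state *st, uint32_t i)
{
	st->s1 = __seed(i, 1);
	st->s2 = __seed(i, 7);
	st->s3 = __seed(i, 15);
}

/* Seeding after the fix, with m = 2, 8, 16: the requirement now holds for
 * every i, as the commit message says GSL does it. */
static void seed_state_fixed(struct rnd_state *st, uint32_t i)
{
	st->s1 = __seed(i, 2);
	st->s2 = __seed(i, 8);
	st->s3 = __seed(i, 16);
}

/* The strict seeding requirement from L'Ecuyer's paper. */
static bool seeds_valid(const struct rnd_state *st)
{
	return st->s1 > 1 && st->s2 > 7 && st->s3 > 15;
}

/* One taus88 step per component.  The mask c discards the low bits that
 * are not part of a component's state (1, 3 and 4 bits respectively); a
 * seed of 1, 7 or 15 has nothing but those bits set, so the component
 * becomes zero on the first step and never recovers. */
#define TAUSWORTHE(s, a, b, c, d) \
	((((s) & (c)) << (d)) ^ ((((s) << (a)) ^ (s)) >> (b)))

static uint32_t prandom_u32_state(struct rnd_state *st)
{
	st->s1 = TAUSWORTHE(st->s1, 13, 19, 4294967294U, 12);
	st->s2 = TAUSWORTHE(st->s2, 2, 25, 4294967288U, 4);
	st->s3 = TAUSWORTHE(st->s3, 3, 11, 4294967280U, 17);
	return st->s1 ^ st->s2 ^ st->s3;
}

/* Helpers used for the checks below. */
static bool old_seed_valid(uint32_t i)
{
	struct rnd_state st;
	seed_state_old(&st, i);
	return seeds_valid(&st);
}

static bool fixed_seed_valid(uint32_t i)
{
	struct rnd_state st;
	seed_state_fixed(&st, i);
	return seeds_valid(&st);
}

/* Value of the s1 component after 'steps' outputs, old vs. fixed seeding. */
static uint32_t s1_after_steps(bool fixed, uint32_t i, int steps)
{
	struct rnd_state st;
	if (fixed)
		seed_state_fixed(&st, i);
	else
		seed_state_old(&st, i);
	while (steps-- > 0)
		prandom_u32_state(&st);
	return st.s1;
}

int main(void)
{
	for (uint32_t i = 1; i <= 16; i++)
		printf("i=%2u  old seeding: %s  fixed seeding: %s\n", (unsigned)i,
		       old_seed_valid(i) ? "ok " : "BAD",
		       fixed_seed_valid(i) ? "ok" : "BAD");
	printf("old seeding, i=1: s1 after 10 steps = %u (dead component)\n",
	       (unsigned)s1_after_steps(false, 1, 10));
	printf("fixed seeding, i=1: s1 after 10 steps = %u\n",
	       (unsigned)s1_after_steps(true, 1, 10));
	return 0;
}
```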

commit 7717d878dd8db4b2a7217c1f5c1c990159bf4b00
Author: Akinobu Mita <akinobu.mita@gmail.com>
Date:   Mon Dec 17 16:04:25 2012 -0800

    Upstream commit: 6582c665d6b882dad8329e05749fbcf119f1ab88
    
    prandom: introduce prandom_bytes() and prandom_bytes_state()
    
    Add functions to get the requested number of pseudo-random bytes.
    
    The difference from get_random_bytes() is that it generates pseudo-random
    numbers by prandom_u32().  It doesn't consume the entropy pool, and the
    sequence is reproducible if the same rnd_state is used.  So it is suitable
    for generating random bytes for testing.
    
    Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: Artem Bityutskiy <dedekind1@gmail.com>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: David Woodhouse <dwmw2@infradead.org>
    Cc: Eilon Greenstein <eilong@broadcom.com>
    Cc: David Laight <david.laight@aculab.com>
    Cc: Michel Lespinasse <walken@google.com>
    Cc: Robert Love <robert.w.love@intel.com>
    Cc: Valdis Kletnieks <valdis.kletnieks@vt.edu>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/random.h |    2 +
 lib/random32.c         |   49 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 0 deletions(-)

commit d431aa89213f6e692a1cf39b5d288115775c84ed
Author: Akinobu Mita <akinobu.mita@gmail.com>
Date:   Mon Dec 17 16:04:23 2012 -0800

    Upstream commit: 496f2f93b1cc286f5a4f4f9acdc1e5314978683f
    
    random32: rename random32 to prandom
    
    This renames all random32 functions to have 'prandom_' prefix as follows:
    
      void prandom_seed(u32 seed);	/* rename from srandom32() */
      u32 prandom_u32(void);		/* rename from random32() */
      void prandom_seed_state(struct rnd_state *state, u64 seed);
      				/* rename from prandom32_seed() */
      u32 prandom_u32_state(struct rnd_state *state);
      				/* rename from prandom32() */
    
    The purpose of this renaming is to prevent some kernel developers from
    assuming that prandom32() and random32() might imply that only
    prandom32() was the one using a pseudo-random number generator by
    prandom32's "p", and the result may be a very embarrassing security
    exposure.  This concern was expressed by Theodore Ts'o.
    
    And furthermore, I'm going to introduce new functions for getting the
    requested number of pseudo-random bytes.  If I continue to use both
    prandom32 and random32 prefixes for these functions, the confusion
    is getting worse.
    
    As a result of this renaming, "prandom_" is the common prefix for
    the pseudo-random number library.
    
    Currently, srandom32() and random32() are preserved because it is
    difficult to rename too many users at once.
    
    Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: Robert Love <robert.w.love@intel.com>
    Cc: Michel Lespinasse <walken@google.com>
    Cc: Valdis Kletnieks <valdis.kletnieks@vt.edu>
    Cc: David Laight <david.laight@aculab.com>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Artem Bityutskiy <dedekind1@gmail.com>
    Cc: David Woodhouse <dwmw2@infradead.org>
    Cc: Eilon Greenstein <eilong@broadcom.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	lib/interval_tree_test_main.c
    	lib/rbtree_test.c

 drivers/scsi/fcoe/fcoe_ctlr.c     |    4 +-
 include/linux/random.h            |   17 +++++++++----
 lib/random32.c                    |   48 ++++++++++++++++++------------------
 tools/gcc/size_overflow_hash.data |    1 -
 4 files changed, 38 insertions(+), 32 deletions(-)

commit a892fe4f0743f54cf9358b1933119d54c0cb2411
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Nov 27 15:40:21 2013 +0300

    net: clamp ->msg_namelen instead of returning an error
    
    [ Upstream commit db31c55a6fb245fdbb752a2ca4aefec89afabb06 ]
    
    If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the
    original code that would lead to memory corruption in the kernel if you
    had audit configured.  If you didn't have audit configured it was
    harmless.
    
    There are some programs such as beta versions of Ruby which use too
    large of a buffer and returning an error code breaks them.  We should
    clamp the ->msg_namelen value instead.
    
    Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
    Reported-by: Eric Wong <normalperson@yhbt.net>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Tested-by: Eric Wong <normalperson@yhbt.net>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    Conflicts:
    
    	net/compat.c

 net/compat.c |    2 +-
 net/socket.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 80dedee580d6c2d163fc9f746f367009dcb2c863
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 8 16:12:01 2013 -0500

    Backport of:
    
    If we allocate less than sizeof(struct attrlist) then we end up
    corrupting memory or doing a ZERO_PTR_SIZE dereference.
    
    This can only be triggered with CAP_SYS_ADMIN.
    
    Reported-by: Nico Golde <nico@xxxxxxxxx>
    Reported-by: Fabian Yamaguchi <fabs@xxxxxxxxx>
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

 fs/xfs/xfs_ioctl.c   |    3 ++-
 fs/xfs/xfs_ioctl32.c |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

commit e4e1c22256b81ead2e3c4a43c2c9910ab21e9895
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Oct 30 20:12:51 2013 +0300

    Upstream commit: a497e47d4aec37aaf8f13509f3ef3d1f6a717d88
    
    libertas: potential oops in debugfs
    
    If we do a zero size allocation then it will oops.  Also we can't be
    sure the user passes us a NUL terminated string so I've added a
    terminator.
    
    This code can only be triggered by root.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Dan Williams <dcbw@redhat.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/libertas/debugfs.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 90d2846d83850ce24d151b58fb82216e8809e2e3
Author: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
Date:   Thu Oct 31 14:01:02 2013 +0530

    Upstream commit: b4789b8e6be3151a955ade74872822f30e8cd914
    
    aacraid: prevent invalid pointer dereference
    
    It appears that the driver runs into a problem here if fibsize is too small
    because we allocate user_srbcmd with fibsize size only but later we
    access it until user_srbcmd->sg.count to copy it over to srbcmd.
    
    It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
    structure already includes one sg element and this is not needed for
    commands without data.  So, we would recommend to add the following
    (instead of test for fibsize == 0).
    
    Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/scsi/aacraid/commctrl.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8716499e83d7633f218949eb4cf902f0bcfded0a
Author: Ursula Braun <ursula.braun@de.ibm.com>
Date:   Wed Nov 6 09:04:52 2013 +0100

    Upstream commit: 6fb392b1a63ae36c31f62bc3fc8630b49d602b62
    
    qeth: avoid buffer overflow in snmp ioctl
    
    Check user-defined length in snmp ioctl request and allow request
    only if it fits into a qeth command buffer.
    
    Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
    Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
    Reviewed-by: Heiko Carstens <heicars2@linux.vnet.ibm.com>
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/s390/net/qeth_core_main.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 37d835c576744e5e4e27a1f13e7f7f1853e65758
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon Dec 2 11:50:37 2013 -0800

    Upstream commit: b65502879556d041b45104c6a35abbbba28c8f2d
    
    uio: we cannot mmap unaligned page contents
    
    In commit 7314e613d5ff ("Fix a few incorrectly checked
    [io_]remap_pfn_range() calls") the uio driver started more properly
    checking the passed-in user mapping arguments against the size of the
    actual uio driver data.
    
    That in turn exposed that some driver authors apparently didn't realize
    that mmap can only work on a page granularity, and had tried to use it
    with smaller mappings, with the new size check catching that out.
    
    So since it's not just the user mmap() arguments that can be confused,
    make the uio mmap code also verify that the uio driver has the memory
    allocated at page boundaries in order for mmap to work.  If the device
    memory isn't properly aligned, we return
    
      [ENODEV]
        The fildes argument refers to a file whose type is not supported by mmap().
    
    as per the open group documentation on mmap.
    
    Reported-by: Holger Brunck <holger.brunck@keymile.com>
    Acked-by: Greg KH <gregkh@linuxfoundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/uio/uio.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e623ce4afbdb00565321a7f2f8603e79f4fcc9f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 4 17:51:53 2013 -0500

    Backport upstream commit d049f74f2dbe71354d43d393ac3a188947811348
    We were using SUID_DUMPABLE_*, so remove the one occurrence of
    SUID_DUMP_USER and replace it with the appropriate enum

 arch/ia64/include/asm/processor.h |    2 +-
 fs/exec.c                         |    2 +-
 grsecurity/grsec_sig.c            |    5 +++--
 include/linux/binfmts.h           |    3 ---
 kernel/ptrace.c                   |    2 +-
 5 files changed, 6 insertions(+), 8 deletions(-)

commit 520565f1644600041be905dacbf1188bd3875a6b
Merge: fb614dc 3e2e783
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 2 17:26:15 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 3e2e78377a049faeac2dab06f889c8024fc5e08e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 2 17:22:13 2013 -0500

    Update to pax-linux-3.2.53-test128.patch:
    - worked around a false positive int truncation in xlog_grant_push_ail, reported by jorgus (http://forums.grsecurity.net/viewtopic.php?f=3&t=3885)
    
    This caused filesystem corruption in the reported XFS case, problem
    introduced with Nov 24th patch (IPA-based size overflow plugin)

 arch/x86/include/asm/atomic64_32.h |    2 +-
 arch/x86/include/asm/atomic64_64.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fb614dcdf2655b2a2b286a4744a9959bfa342833
Merge: 59d80a9 6b0b183
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 30 10:54:27 2013 -0500

    Should have been many more security backports in 3.2.53, but that's
    the expected results of upstream's silent fix policy and why I do
    my own independent backports
    
    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	drivers/connector/cn_proc.c
            ^ whitespace
    	drivers/staging/wlags49_h2/wl_priv.c
            ^ Ben's version is whitespace-broken from copy+paste
    	fs/ecryptfs/keystore.c
            ^ no need to check for non-null before a kfree, kept my version

commit 6b0b1836bfbfce7fb3c4c381aa68923a47920725
Merge: 501523e 66c8d27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 30 10:49:59 2013 -0500

    Update to pax-linux-3.2.53-test127.patch:
    - forward port to 3.2.53
    - added some missing entries to the size overflow hash table
    - fixed a false positive intentional overflow in count_history_pages, reported by Olivier Mauras
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	net/compat.c

commit 59d80a9950846c7b3f67a5deb98d2eb1d063f3e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 26 15:16:48 2013 -0500

    Fix null deref on application of the shutdown role, reported by zakalwe
    
    Conflicts:
    
    	grsecurity/gracl_policy.c

 grsecurity/gracl.c        |   58 ++++++++++++++++++++++++++++++++++++++++++++-
 grsecurity/gracl_policy.c |   58 ++++-----------------------------------------
 2 files changed, 62 insertions(+), 54 deletions(-)

commit aca6ec1a3fa4e812a225e08748ee408cd6a5476e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 26 13:04:07 2013 -0500

    Add system library paths to allowed areas for usermode helper calls,
    later we will also add checks to ensure the file is owned by root

 kernel/kmod.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit bf8a8329b446e9d1541b3d19e5e3cd0e04a3846f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 26 12:59:00 2013 -0500

    Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer
    causing a NULL deref on RBAC reload, reported by zakalwe

 grsecurity/gracl_policy.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 31d3745f06548847d88e8a87bb63fbb00a950a3d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 25 12:01:21 2013 -0500

    Conventions exist for a reason -- systemd knows better though
    and decides to put security-sensitive system administration utilities
    into /usr/lib/systemd in contrast to *every* other user of usermode
    helpers.  Work around this stupidity

 kernel/kmod.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c908d26d687adb2c69c594ed7f3545a310610668
Merge: 4f48151 501523e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 19:59:24 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 501523e239e8fb85aa9fcb3e69205c3436c6f72b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 19:58:28 2013 -0500

    Update to pax-linux-3.2.52-test126.patch:
    - new rewritten size overflow plugin from Emese Revfy
      - internally reorganized based on interprocedural analysis
      - bugfixes resulting in better coverage (expect more false positives initially)
    - fixed some calloc calls with swapped arguments
    - fixed a KERNEXEC open/close nesting problem in ftrace
    - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878)

 arch/x86/Makefile                             |    3 +-
 arch/x86/include/asm/bitops.h                 |    4 +-
 arch/x86/include/asm/processor.h              |    4 +-
 arch/x86/include/asm/uaccess_32.h             |   10 +-
 arch/x86/include/asm/uaccess_64.h             |    8 +-
 arch/x86/include/asm/xen/page.h               |    2 +-
 arch/x86/kernel/ftrace.c                      |    2 -
 arch/x86/kernel/kdebugfs.c                    |    2 +-
 arch/x86/kernel/module.c                      |    1 -
 arch/x86/lib/usercopy_32.c                    |    6 +-
 arch/x86/xen/mmu.c                            |    2 +-
 block/scsi_ioctl.c                            |    2 +-
 drivers/i2c/busses/i2c-diolan-u2c.c           |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c       |    6 +-
 drivers/infiniband/hw/mthca/mthca_main.c      |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c        |    4 +-
 drivers/infiniband/hw/mthca/mthca_provider.c  |    2 +-
 drivers/isdn/mISDN/dsp_cmx.c                  |    2 +-
 drivers/media/video/saa7164/saa7164-encoder.c |    2 -
 drivers/media/video/saa7164/saa7164-vbi.c     |    2 -
 drivers/usb/core/message.c                    |    4 +-
 fs/ext2/xattr.c                               |    5 +-
 fs/ext3/xattr.c                               |    5 +-
 fs/ext4/xattr.c                               |    5 +-
 fs/seq_file.c                                 |    2 +-
 fs/ufs/swab.h                                 |    2 +-
 include/linux/bitops.h                        |    4 +-
 include/linux/completion.h                    |    4 +-
 include/linux/jiffies.h                       |    6 +-
 include/linux/math64.h                        |    4 +-
 include/linux/mm.h                            |    2 +-
 include/linux/semaphore.h                     |    2 +-
 include/linux/slab.h                          |    4 +-
 include/linux/slab_def.h                      |    4 +-
 include/linux/slob_def.h                      |    4 +-
 include/linux/slub_def.h                      |    7 +-
 include/linux/uaccess.h                       |    2 +-
 include/linux/vmalloc.h                       |    4 +-
 kernel/auditsc.c                              |    2 +-
 kernel/time.c                                 |    2 +-
 mm/vmalloc.c                                  |    2 +-
 net/ipv4/tcp_output.c                         |    2 +-
 net/rxrpc/ar-key.c                            |    4 +-
 net/sunrpc/svcauth_unix.c                     |    2 +-
 tools/gcc/size_overflow_hash.data             | 3125 +++++++++++++++++--------
 tools/gcc/size_overflow_plugin.c              | 2983 +++++++++++++++++++-----
 46 files changed, 4594 insertions(+), 1666 deletions(-)

commit 4f48151d49f2697c3e2e108a50513a8d61fb150d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 24 17:47:14 2013 -0500

    Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous
    features have been added since then)
    
    Introduce new atomic RBAC reload method, developed as part of sponsorship
    by EIG
    
    This is accompanied by an updated 3.0 gradm which will use the new reload
    method when -R is passed to gradm.  The old method will still be available
    via gradm -r (which is what a 2.9.1 gradm will continue to use).
    
    The new RBAC reload method is atomic in the sense that at no point in the
    reload process will the system not be covered by a coherent full policy.
    In contrast to previous reload behavior, it also preserves inherited subjects
    and special roles.
    
    The old RBAC reload method has also been made atomic.  Both methods have
    been updated to perform role_allowed_ip checks only against the IP tagged
    to the task at the time its role was first applied or changed.  This resolves
    long-standing usability problems with the use of role_allowed_ip and matches
    the policies created by learning.

 grsecurity/Makefile         |    2 +-
 grsecurity/gracl.c          | 3792 +++++++++++++------------------------------
 grsecurity/gracl_alloc.c    |   42 +-
 grsecurity/gracl_compat.c   |    3 +-
 grsecurity/gracl_policy.c   | 1824 +++++++++++++++++++++
 grsecurity/gracl_segv.c     |   12 +-
 grsecurity/grsec_disabled.c |    7 -
 grsecurity/grsec_init.c     |   15 -
 include/linux/gracl.h       |   43 +-
 include/linux/grinternal.h  |    1 -
 include/linux/grsecurity.h  |    1 -
 include/linux/sched.h       |    3 +-
 kernel/exit.c               |   53 -
 13 files changed, 3011 insertions(+), 2787 deletions(-)

commit 589fe82539886fa6f2502595ba494be7a66548bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 18:27:37 2013 -0500

    Make the recent usermode_helper protection race-free as far as userland
    is concerned by creating a copy of the path to be executed, then check against
    that copied path instead of the still-mutable original path

 include/linux/kmod.h |    3 +++
 kernel/kmod.c        |   13 +++++++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)

commit 28fe486725b8fb447d81045930fa9ab8f183ac23
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:56:46 2013 -0500

    Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option.
    Also make sure we mark init as run if no initrd was used. Though this
    should already be enforced in grsec_chroot.c, this should future-proof
    the feature a bit in case userland somehow changes drastically.

 grsecurity/Kconfig        |    2 +-
 grsecurity/grsec_chroot.c |    2 +-
 init/main.c               |    9 +++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

commit e2821245fc6b55b9dcfaf59432695c3ed0324ca4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:33:20 2013 -0500

    limit all usermode helper binaries to /sbin; all other attempts will be logged and rejected

 kernel/kmod.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 9545d5e41f06442704a6624f36cfcf50eb241891
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 23 16:02:01 2013 -0500

    perform USERCOPY kernel text checks against the linear mapping on amd64 as well
    
    Conflicts:
    
    	fs/exec.c

 fs/exec.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 12ec6d9bab66c3b097214351b3af03db0cde4c80
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 20:34:40 2013 -0500

    Revert "Backport the not-marked-for-stable: bceaa90240b6019ed73b49965eac7d167610be69"
    
    This reverts commit 2283514a75d7881b0e3617c126edb2717105f7fa.

 net/ipv4/ping.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit af830a028cf17bb1b884774436b756544950f0f3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 22 20:34:06 2013 -0500

    Revert "Additional backports of: bceaa90240b6019ed73b49965eac7d167610be69"
    
    This reverts commit 794e1b8f4fc2d5bf67dc5c677730b9e8d6d17603.

 net/ipv4/raw.c        |    4 +++-
 net/ipv4/udp.c        |    7 ++++++-
 net/ipv6/raw.c        |    4 +++-
 net/ipv6/udp.c        |    5 ++++-
 net/l2tp/l2tp_ip.c    |    4 +++-
 net/phonet/datagram.c |    9 +++++----
 6 files changed, 24 insertions(+), 9 deletions(-)

commit 3f4ccdc2c657e0c7fd09999c8f282519a549bff5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:45:12 2013 -0500

    Revert "Upstream commit: b291f1b1c86aa0c7bc3df2994e6a1a4e53f1fde0"
    
    This reverts commit 149ffec96673ad2a4d69959ccd675b8ff32bbfb4.

 fs/nfs/nfs4proc.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit e8bba4f8ad2391ff3446fff477c361cb5c4fc274
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:44:53 2013 -0500

    Revert "Upstream commit: 4517d526c8aa31b5c14165ef180cc19518ff0a35"
    
    This reverts commit a3b3e44eb097d1c12826c21d8867779d035da600.

 include/linux/sunrpc/xdr.h |    1 -
 net/sunrpc/xdr.c           |   10 ----------
 2 files changed, 0 insertions(+), 11 deletions(-)

commit d64ad90da6413a4793f37d4b1014e5692c3b8f62
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:44:40 2013 -0500

    Revert "Upstream commit: 5a00689930ab975fdd1b37b034475017e460cf2a"
    
    This reverts commit 114bf830ab3dd9591edd67e99f6743d1c45e9016.

 fs/nfs/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 21538eafee0399b190d46ab15231b20893710d02
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:44:29 2013 -0500

    Revert "NFSv4: Simplify the GETATTR attribute length calculation"
    
    This reverts commit e9931dac69669549b1b7ec7dbdaf80173636b14f.

 fs/nfs/nfs4xdr.c |   24 +++++++++++-------------
 1 files changed, 11 insertions(+), 13 deletions(-)

commit 71873621f4553b3abca77db9d891b420599f21df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:44:17 2013 -0500

    Revert "Avoid beyond bounds copy while caching ACL"
    
    This reverts commit 79f9773e406c46d4c2673a2ebc70a82d05849777.

 fs/nfs/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b7fc2b5eef17e9cbf9ade546d5c45e4f8cc394c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:44:03 2013 -0500

    Revert "Upstream commit: 519d3959e30a98f8e135e7a16647c10af5ad63d5"
    
    This reverts commit 5a5974678e1def63cbd534b70f37bf419f594f93.

 fs/nfs/nfs4proc.c |    2 +-
 fs/nfs/nfs4xdr.c  |   22 +++++++++++++++-------
 2 files changed, 16 insertions(+), 8 deletions(-)

commit 8e60ef3740f22ef2dd81b87c52d8141c8d2493b5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:43:52 2013 -0500

    Revert "Upstream commit: cff298c721099c9ac4cea7196a37097ba2847946"
    
    This reverts commit ee6b64d2aa63433f8aaf72471c9ac4ac9005248b.

 fs/nfs/nfs4xdr.c |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

commit aea93502024ada3682a91b924ff23c96f8e20bee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:43:42 2013 -0500

    Revert "Upstream commit: 21f498c2f73bd6150d82931f09965826dca0b5f2"
    
    This reverts commit 74cf9ab003176366d07b38cb43dcce6d91328cca.

 fs/nfs/nfs4proc.c |   20 +++++++++-----------
 1 files changed, 9 insertions(+), 11 deletions(-)

commit 7897110ca371a6775bfa6e65099d5b86ffe58eb5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:43:25 2013 -0500

    Revert "Upstream commit: 1f1ea6c2d9d8c0be9ec56454b05315273b5de8ce"
    
    This reverts commit 092fb39f0bf49bc33b866a3fbea6fe76b20f8697.

 fs/nfs/nfs4proc.c       |   31 +++++++++++++++++++------------
 fs/nfs/nfs4xdr.c        |   14 +++++++++-----
 include/linux/nfs_xdr.h |    2 +-
 3 files changed, 29 insertions(+), 18 deletions(-)

commit 54f8f36fb33ef37eee66fd18a7da7fbd124cf97a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 22:43:07 2013 -0500

    Revert "Upstream commit: 7d3e91a89b7adbc2831334def9e494dd9892f9af"
    
    This reverts commit 716314beb98602bd771199bf3b814f7be16a0e8f.

 fs/nfs/nfs4proc.c |    7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 794e1b8f4fc2d5bf67dc5c677730b9e8d6d17603
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 18 04:20:45 2013 +0100

    Additional backports of: bceaa90240b6019ed73b49965eac7d167610be69
    
    inet: prevent leakage of uninitialized memory to user in recv syscalls
    
    Only update *addr_len when we actually fill in sockaddr, otherwise we
    can return uninitialized memory from the stack to the caller in the
    recvfrom, recvmmsg and recvmsg syscalls. Drop the (addr_len == NULL)
    checks because we only get called with a valid addr_len pointer either
    from sock_common_recvmsg or inet_recvmsg.
    
    If a blocking read waits on a socket which is concurrently shut down we
    now return zero and set msg_msgnamelen to 0.
    
    Reported-by: mpb <mpb.mail@gmail.com>
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ieee802154/dgram.c
    	net/ipv4/ping.c
    	net/ipv6/raw.c
    	net/ipv6/udp.c

 net/ipv4/raw.c        |    4 +---
 net/ipv4/udp.c        |    7 +------
 net/ipv6/raw.c        |    4 +---
 net/ipv6/udp.c        |    5 +----
 net/l2tp/l2tp_ip.c    |    4 +---
 net/phonet/datagram.c |    9 ++++-----
 6 files changed, 9 insertions(+), 24 deletions(-)
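The pattern this commit fixes, as an added, simplified user-space model (constructed example, not the kernel's code): a recv-style helper that updates *addr_len before the address has been filled in, next to one that updates it only on the path that fills the address, with the syscall's copy back to the user buffer simulated so the stale bytes can be counted. The struct and function names are placeholders chosen for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the struct sockaddr_storage the recv path keeps on the
 * kernel stack (placeholder type for this illustration). */
struct sockaddr_stub {
	uint16_t family;
	uint8_t data[14];
};

/* A received datagram.  has_source is false when there is no address to
 * report, e.g. the socket was shut down while a blocking read waited. */
struct datagram {
	bool has_source;
	uint16_t family;
	uint8_t src[14];
};

/* Shape of the code before the fix: *addr_len is updated up front, so on
 * the early-return path it describes a buffer nobody wrote to. */
static int recv_addr_buggy(const struct datagram *dg,
			   struct sockaddr_stub *addr, int *addr_len)
{
	*addr_len = sizeof(*addr);
	if (!dg->has_source)
		return 0;	/* addr untouched, yet *addr_len says 16 bytes */
	addr->family = dg->family;
	memcpy(addr->data, dg->src, sizeof(addr->data));
	return 1;
}

/* Shape after the fix: *addr_len is updated only once addr is filled in,
 * so the early-return path leaves it at the caller's 0. */
static int recv_addr_fixed(const struct datagram *dg,
			   struct sockaddr_stub *addr, int *addr_len)
{
	if (!dg->has_source)
		return 0;
	addr->family = dg->family;
	memcpy(addr->data, dg->src, sizeof(addr->data));
	*addr_len = sizeof(*addr);
	return 1;
}

#define STALE 0xA5	/* marker standing in for leftover kernel-stack bytes */

/* Simulates the syscall path: a stack sockaddr pre-filled with STALE so
 * leftover data is visible, the recv helper, then the copy of *addr_len
 * bytes to the user buffer.  Reports the length through *out_len and
 * returns the number of STALE bytes that reached the user buffer. */
static int run_recv(bool use_fixed, bool has_source, int *out_len)
{
	struct datagram dg = { .has_source = has_source, .family = 2 };
	struct sockaddr_stub addr;
	uint8_t user_buf[sizeof(addr)];
	int addr_len = 0, stale = 0;

	memset(dg.src, 0x11, sizeof(dg.src));
	memset(&addr, STALE, sizeof(addr));
	memset(user_buf, 0, sizeof(user_buf));

	if (use_fixed)
		recv_addr_fixed(&dg, &addr, &addr_len);
	else
		recv_addr_buggy(&dg, &addr, &addr_len);

	memcpy(user_buf, &addr, (size_t)addr_len);
	for (int i = 0; i < addr_len; i++)
		if (user_buf[i] == STALE)
			stale++;
	*out_len = addr_len;
	return stale;
}

/* Number of never-written bytes a caller would receive. */
static int stale_bytes_copied(bool use_fixed, bool has_source)
{
	int len;
	return run_recv(use_fixed, has_source, &len);
}

/* Address length reported back to the caller (what msg_namelen becomes). */
static int reported_addr_len(bool use_fixed, bool has_source)
{
	int len;
	run_recv(use_fixed, has_source, &len);
	return len;
}
```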

commit 2283514a75d7881b0e3617c126edb2717105f7fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 21:34:32 2013 -0500

    Backport the not-marked-for-stable: bceaa90240b6019ed73b49965eac7d167610be69

 net/ipv4/ping.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 716314beb98602bd771199bf3b814f7be16a0e8f
Author: Sven Wegener <sven.wegener@stealer.net>
Date:   Sat Dec 8 15:30:18 2012 +0100

    Upstream commit: 7d3e91a89b7adbc2831334def9e494dd9892f9af
    
    NFSv4: Check for buffer length in __nfs4_get_acl_uncached
    
    Commit 1f1ea6c "NFSv4: Fix buffer overflow checking in
    __nfs4_get_acl_uncached" accidentally dropped the checking for too small
    result buffer length.
    
    If someone uses getxattr on "system.nfs4_acl" on an NFSv4 mount
    supporting ACLs, the ACL has not been cached and the buffer supplied is
    too short, we still copy the complete ACL, resulting in kernel and user
    space memory corruption.
    
    Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
    Cc: stable@kernel.org
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/nfs4proc.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 092fb39f0bf49bc33b866a3fbea6fe76b20f8697
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Sun Aug 26 11:44:43 2012 -0700

    Upstream commit: 1f1ea6c2d9d8c0be9ec56454b05315273b5de8ce
    
    NFSv4: Fix buffer overflow checking in __nfs4_get_acl_uncached
    
    Pass the checks made by decode_getacl back to __nfs4_get_acl_uncached
    so that it knows if the acl has been truncated.
    
    The current overflow checking is broken, resulting in Oopses on
    user-triggered nfs4_getfacl calls, and is opaque to the point
    where several attempts at fixing it have failed.
    This patch tries to clean up the code in addition to fixing the
    Oopses by ensuring that the overflow checks are performed in
    a single place (decode_getacl). If the overflow check failed,
    we will still be able to report the acl length, but at least
    we will no longer attempt to cache the acl or copy the
    truncated contents to user space.
    
    Reported-by: Sachin Prabhu <sprabhu@redhat.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Tested-by: Sachin Prabhu <sprabhu@redhat.com>

 fs/nfs/nfs4proc.c       |   31 ++++++++++++-------------------
 fs/nfs/nfs4xdr.c        |   14 +++++---------
 include/linux/nfs_xdr.h |    2 +-
 3 files changed, 18 insertions(+), 29 deletions(-)

commit 74cf9ab003176366d07b38cb43dcce6d91328cca
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Aug 24 10:59:25 2012 -0400

    Upstream commit: 21f498c2f73bd6150d82931f09965826dca0b5f2
    
    NFSv4: Fix range checking in __nfs4_get_acl_uncached and __nfs4_proc_set_acl
    
    Ensure that the user supplied buffer size doesn't cause us to overflow
    the 'pages' array.
    
    Also fix up some confusion between the use of PAGE_SIZE and
    PAGE_CACHE_SIZE when calculating buffer sizes. We're not using
    the page cache for anything here.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/nfs4proc.c |   20 +++++++++++---------
 1 files changed, 11 insertions(+), 9 deletions(-)

commit ee6b64d2aa63433f8aaf72471c9ac4ac9005248b
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Aug 14 17:14:17 2012 -0400

    Upstream commit: cff298c721099c9ac4cea7196a37097ba2847946
    
    NFSv4: Don't use private xdr_stream fields in decode_getacl
    
    Instead of using the private field xdr->p from struct xdr_stream,
    use the public xdr_stream_pos().
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/nfs4xdr.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

commit 5a5974678e1def63cbd534b70f37bf419f594f93
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Aug 14 17:30:10 2012 -0400

    Upstream commit: 519d3959e30a98f8e135e7a16647c10af5ad63d5
    
    NFSv4: Fix pointer arithmetic in decode_getacl
    
    Resetting the cursor xdr->p to a previous value is not a safe
    practice: if the xdr_stream has crossed out of the initial iovec,
    then a bunch of other fields would need to be reset too.
    
    Fix this issue by using xdr_enter_page() so that the buffer gets
    page aligned at the bitmap _before_ we decode it.
    
    Also fix the confusion of the ACL length with the page buffer length
    by not adding the base offset to the ACL length...
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org
    
    Conflicts:
    
    	fs/nfs/nfs4xdr.c

 fs/nfs/nfs4proc.c |    2 +-
 fs/nfs/nfs4xdr.c  |   22 +++++++---------------
 2 files changed, 8 insertions(+), 16 deletions(-)

commit 79f9773e406c46d4c2673a2ebc70a82d05849777
Author: Sachin Prabhu <sprabhu@redhat.com>
Date:   Tue Apr 17 14:36:40 2012 +0100

    Avoid beyond bounds copy while caching ACL
    
    When attempting to cache ACLs returned from the server, if the bitmap
    size + the ACL size is greater than a PAGE_SIZE but the ACL size itself
    is smaller than a PAGE_SIZE, we can read past the buffer page boundary.
    
    Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
    Reported-by: Jian Li <jiali@redhat.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    
    Conflicts:
    
    	fs/nfs/nfs4proc.c

 fs/nfs/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e9931dac69669549b1b7ec7dbdaf80173636b14f
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Thu Jun 21 11:18:13 2012 -0400

    NFSv4: Simplify the GETATTR attribute length calculation
    
    Use the xdr_stream position counter as the basis for the calculation
    instead of assuming that we can calculate an offset to the start
    of the iovec.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    
    Conflicts:
    
    	fs/nfs/nfs4xdr.c

 fs/nfs/nfs4xdr.c |   24 +++++++++++++-----------
 1 files changed, 13 insertions(+), 11 deletions(-)

commit 114bf830ab3dd9591edd67e99f6743d1c45e9016
Author: Sachin Prabhu <sprabhu@redhat.com>
Date:   Tue Apr 17 14:35:39 2012 +0100

    Upstream commit: 5a00689930ab975fdd1b37b034475017e460cf2a
    
    Avoid reading past buffer when calling GETACL
    
    Bug noticed in commit
    bf118a342f10dafe44b14451a1392c3254629a1f
    
    When calling GETACL, if the size of the bitmap array, the length
    attribute and the acl returned by the server is greater than the
    allocated buffer(args.acl_len), we can Oops with a General Protection
    fault at _copy_from_pages() when we attempt to read past the pages
    allocated.
    
    This patch allocates an extra PAGE for the bitmap and checks to see that
    the bitmap + attribute_length + ACLs don't exceed the buffer space
    allocated to it.
    
    Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
    Reported-by: Jian Li <jiali@redhat.com>
    [Trond: Fixed a size_t vs unsigned int printk() warning]
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    
    Conflicts:
    
    	fs/nfs/nfs4xdr.c

 fs/nfs/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a3b3e44eb097d1c12826c21d8867779d035da600
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Thu Jun 21 17:14:46 2012 -0400

    Upstream commit: 4517d526c8aa31b5c14165ef180cc19518ff0a35
    
    SUNRPC: Add the helper xdr_stream_pos
    
    Add a helper to report the current offset from the start of the
    xdr_stream.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 include/linux/sunrpc/xdr.h |    1 +
 net/sunrpc/xdr.c           |   10 ++++++++++
 2 files changed, 11 insertions(+), 0 deletions(-)

commit 2b808a58b9c7fe7652de10de611cc68d43805d11
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Mon Dec 10 10:32:57 2012 -0700

    Upstream commit: e40f193f5bb022e927a57a4f5d5194e4f12ddb74
    
    KVM: Fix iommu map/unmap to handle memory slot moves
    
    The iommu integration into memory slots expects memory slots to be
    added or removed and doesn't handle the move case.  We can unmap
    slots from the iommu after we mark them invalid and map them before
    installing the final memslot array.  Also re-order the kmemdup vs
    map so we don't leave iommu mappings if we get ENOMEM.
    
    Reviewed-by: Gleb Natapov <gleb@redhat.com>
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 virt/kvm/kvm_main.c |   19 +++++++++++--------
 1 files changed, 11 insertions(+), 8 deletions(-)

commit 15a897ba31a1df69d33b4087dd50ccea95eec124
Author: Marcelo Tosatti <mtosatti@redhat.com>
Date:   Fri Aug 24 15:54:58 2012 -0300

    Upstream commit: 12d6e7538e2d418c08f082b1b44ffa5fb7270ed8
    
    KVM: perform an invalid memslot step for gpa base change
    
    PPC must flush all translations before the new memory slot
    is visible.
    
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    
    Conflicts:
    
    	virt/kvm/kvm_main.c

 virt/kvm/kvm_main.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 149ffec96673ad2a4d69959ccd675b8ff32bbfb4
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Tue Aug 14 18:30:41 2012 -0400

    Upstream commit: b291f1b1c86aa0c7bc3df2994e6a1a4e53f1fde0
    
    NFSv4: Fix the acl cache size calculation
    
    Currently, we do not take into account the size of the 16 byte
    struct nfs4_cached_acl header, when deciding whether or not we should
    cache the acl data.  Consequently, we will end up allocating an
    8k buffer in order to fit a maximum size 4k acl.
    
    This patch adjusts the calculation so that we limit the cache size
    to 4k for the acl header+data.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/nfs4proc.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit dcb899d00e1ba139f0d5441df4e17b43f7d92a3b
Author: Steve French <smfrench@gmail.com>
Date:   Fri Nov 15 20:41:32 2013 -0600

    Upstream commit: b1d93356427be6f050dc55c86eb019d173700af6
    
    setfacl removes part of ACL when setting POSIX ACLs to Samba
    
    setfacl over cifs mounts can remove the default ACL when setting the
    (non-default part of) the ACL and vice versa (we were leaving at 0
    rather than setting to -1 the count field for the unaffected
    half of the ACL).  For example notice the setfacl removed
    the default ACL in this sequence:
    
    steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir ; setfacl
    -m default:user:test:rwx,user:test:rwx /mnt/test-dir
    getfacl: Removing leading '/' from absolute path names
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:user:test:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x
    
    steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir
    getfacl: Removing leading '/' from absolute path names
    user::rwx
    user:test:rwx
    group::r-x
    mask::rwx
    other::r-x
    
    CC: Stable <stable@kernel.org>
    Signed-off-by: Steve French <smfrench@gmail.com>
    Acked-by: Jeremy Allison <jra@samba.org>
    
    Conflicts:
    
    	fs/cifs/cifssmb.c

 fs/cifs/cifssmb.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 4ec2d737b61615dcc547663e085d0eed15dd458c
Merge: c3e2399 8780214
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 19:10:16 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 8780214daf625764b7fd7019aafacc4b22c2d496
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 18 19:09:26 2013 -0500

    Backport latent entropy plugin fix from 3.11.8 for an ICE in gcc 4.6

 mm/page_alloc.c                   |    2 +-
 tools/gcc/latent_entropy_plugin.c |   34 ++++++++++++++++++++++++----------
 2 files changed, 25 insertions(+), 11 deletions(-)

commit c3e23994b4b167256ded79a3dfd5caf3d27289cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:51:54 2013 -0500

    Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796
    
    isdnloop: use strlcpy() instead of strcpy()
    
    These strings come from a copy_from_user() and there is no way to be
    sure they are NUL terminated.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/isdnloop/isdnloop.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 680af9c1f6fd6853904405ddff00b6804e18f8d9
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Nov 14 13:37:54 2013 -0800

    Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf
    
    ipv4: fix possible seqlock deadlock
    
    ip4_datagram_connect() being called from process context,
    it should use IP_INC_STATS() instead of IP_INC_STATS_BH()
    otherwise we can deadlock on 32bit arches, or get corruptions of
    SNMP counters.
    
    Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/datagram.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a28a6771f9e3a8e0df73aef0a2fd9934e1e7159b
Merge: f6dd5fe 5a1d5ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:32:41 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 5a1d5ae1c42f6e82657dc92a0704d88afac5d5e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 14 20:31:31 2013 -0500

    Update to pax-linux-3.2.52-test124.patch:
    - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy

 drivers/bluetooth/btwilink.c         |    2 +-
 drivers/md/dm-table.c                |    2 +-
 drivers/message/i2o/i2o_proc.c       |   16 ++++++++--------
 drivers/mfd/max8925-i2c.c            |    2 +-
 drivers/mtd/chips/cfi_cmdset_0020.c  |    2 +-
 drivers/net/wireless/airo.c          |    2 +-
 drivers/net/wireless/b43/phy_lp.c    |    2 +-
 drivers/nfc/nfcwilink.c              |    2 +-
 drivers/platform/x86/msi-wmi.c       |    2 +-
 drivers/scsi/aic7xxx/aic79xx_pci.c   |   18 +++++-------------
 drivers/scsi/mpt2sas/mpt2sas_scsih.c |    8 ++++----
 drivers/usb/serial/console.c         |    2 +-
 kernel/audit.c                       |    2 +-
 mm/mremap.c                          |    1 -
 14 files changed, 27 insertions(+), 36 deletions(-)

commit f6dd5fe403291ded95feb18167228de9b091c78a
Author: Russell King <rmk+kernel@arm.linux.org.uk>
Date:   Fri Sep 7 18:22:28 2012 +0100

    Upstream commit: 8404663f
    (though anyone using ARM should have been using the test patch with KERNEXEC/UDEREF
    which was unaffected by this)
    
    ARM: 7527/1: uaccess: explicitly check __user pointer when !CPU_USE_DOMAINS
    
    The {get,put}_user macros don't perform range checking on the provided
    __user address when !CPU_HAS_DOMAINS.
    
    This patch reworks the out-of-line assembly accessors to check the user
    address against a specified limit, returning -EFAULT if it is out of
    range.
    
    [will: changed get_user register allocation to match put_user]
    [rmk: fixed building on older ARM architectures]
    
    Reported-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/assembler.h |    8 +++++++
 arch/arm/include/asm/uaccess.h   |   40 +++++++++++++++++++++++++------------
 arch/arm/lib/getuser.S           |   23 ++++++++++++++-------
 arch/arm/lib/putuser.S           |    6 +++++
 4 files changed, 56 insertions(+), 21 deletions(-)

commit 1200113a5c6fd6a83101cf8b6732dcda33928f83
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Wed Jan 25 11:38:13 2012 +0100

    Upstream commit: 4e7682d0
    
    ARM: 7301/1: Rename the T() macro to TUSER() to avoid namespace conflicts
    
    This macro is used to generate unprivileged accesses (LDRT/STRT) to user
    space.
    
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Acked-by: Nicolas Pitre <nico@linaro.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/include/asm/assembler.h |    4 +-
 arch/arm/include/asm/domain.h    |    8 ++--
 arch/arm/include/asm/futex.h     |    8 ++--
 arch/arm/include/asm/uaccess.h   |   16 ++++----
 arch/arm/lib/getuser.S           |   12 +++---
 arch/arm/lib/putuser.S           |   28 ++++++------
 arch/arm/lib/uaccess.S           |   82 +++++++++++++++++++-------------------
 7 files changed, 79 insertions(+), 79 deletions(-)

commit bee81e6898799c5002cd31cdd41cadcf38fd70a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Nov 11 10:48:10 2013 -0500

    Fix the overflowable range check just to be correct.
    Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt
    but I believe this to be unexploitable due to bounds checks on 'count'
    from rw_verify_area() in fs/read_write.c

 drivers/video/arcfb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d2c1f624b3ce5796b5ea047f2580c13f6ef1e526
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 22:01:33 2013 -0500

    Add missing include
    
    Conflicts:
    
    	fs/proc/proc_sysctl.c

 fs/proc/proc_sysctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit f37b50415b86363a3e732de2c430917eeec001fd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 15:19:27 2013 -0500

    On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr
    was disabled in config.  This caused non-root execs to fail in some cases (via SIGKILL during ELF
    loading).  Fix this by setting a proper default on these architectures like set on the LSM-based
    mmap_min_addr.
    
    Thanks to acez from IRC for debugging.

 mm/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit de322e5dc505ccfc15428aebd72dfad5d84b9a02
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 10 13:54:25 2013 -0500

    Compatibility fix for LXC:
    Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values,
    use a CAP_NET_ADMIN check within the user namespace of the process performing the modification
    CAP_SYS_ADMIN is still required for any other sysctl modification, including modification
    of sysctls of a net namespace other than our own
    
    This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's
    networking
    
    Thanks to ncopa from IRC for testing
    
    Conflicts:
    
    	fs/proc/proc_sysctl.c

 fs/proc/proc_sysctl.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit be3f3539e5745da7f0a4322e0cef77d763a91793
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:23:36 2013 -0500

    Force on DEBUG_LIST so all users can benefit from safe linking/unlinking

 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1457cd7c50771a37f297e5d5963a003f08134793
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 6 16:19:21 2013 -0500

    change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel
    bruteforce deterrence
    
    Conflicts:
    
    	lib/list_debug.c

 lib/list_debug.c |   65 ++++++++++++++++++++++++++++++++++-------------------
 1 files changed, 42 insertions(+), 23 deletions(-)
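What the two DEBUG_LIST commits above buy is easiest to see from userspace. The following is an added illustration, not kernel code and not part of this changelog: a model of the neighbour-consistency tests that lib/list_debug.c applies to __list_add()/__list_del_entry(), run against a list whose prev pointer has been overwritten the way an unlink-style heap attack would overwrite it. The names dl_node, list_add_checked, list_del_checked and the scenario are this example's own; where the code returns false, the kernel (after the commit above) BUG()s instead.

```c
/* Added illustration (not kernel code): a userspace model of the sanity tests
 * lib/list_debug.c applies under CONFIG_DEBUG_LIST. dl_node, list_add_checked,
 * list_del_checked and the attack scenario are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct dl_node {
    struct dl_node *next, *prev;
};

/* Kernel-style circular list: an empty list's head points at itself. */
static void dl_init(struct dl_node *head)
{
    head->next = head;
    head->prev = head;
}

/* Mirrors __list_add(): before linking `entry` between prev and next, check that
 * the two neighbours still agree with each other. A corrupted pair fails here,
 * so the stores below never turn the corruption into a controlled write. The
 * kernel BUG()s at this point (after the commit above); we return false. */
static bool list_add_checked(struct dl_node *entry, struct dl_node *prev,
                             struct dl_node *next)
{
    if (next->prev != prev || prev->next != next) {
        fprintf(stderr, "list_add corruption: next->prev=%p (want %p) prev->next=%p (want %p)\n",
                (void *)next->prev, (void *)prev, (void *)prev->next, (void *)next);
        return false;
    }
    if (entry == prev || entry == next) {
        fprintf(stderr, "list_add double add: %p\n", (void *)entry);
        return false;
    }
    next->prev = entry;
    entry->next = next;
    entry->prev = prev;
    prev->next = entry;
    return true;
}

/* Mirrors __list_del_entry(): refuse to unlink unless both neighbours point back
 * at the entry. Without this, overwriting entry->prev turns `prev->next = next`
 * into a pointer-sized write to an address of the attacker's choice. */
static bool list_del_checked(struct dl_node *entry)
{
    struct dl_node *prev = entry->prev, *next = entry->next;
    if (prev->next != entry || next->prev != entry) {
        fprintf(stderr, "list_del corruption: entry=%p prev->next=%p next->prev=%p\n",
                (void *)entry, (void *)prev->next, (void *)next->prev);
        return false;
    }
    next->prev = prev;
    prev->next = next;
    entry->next = entry->prev = NULL;   /* the kernel writes LIST_POISON1/2 here */
    return true;
}

/* Scenario: a heap bug overwrote victim.prev with an attacker-chosen address.
 * An unchecked list_del(&victim) would execute `target.next = &head`, an
 * arbitrary store into `target`. Returns true when the checked unlink refuses
 * and `target` is left untouched. */
static bool demo_blocked_unlink_write(void)
{
    struct dl_node head, a, victim, target;
    dl_init(&head);
    if (!list_add_checked(&a, &head, head.next))    /* head <-> a */
        return false;
    if (!list_add_checked(&victim, &a, a.next))     /* head <-> a <-> victim */
        return false;

    target.next = (struct dl_node *)0x1;   /* sentinel standing in for a function pointer */
    target.prev = (struct dl_node *)0x2;
    victim.prev = &target;                 /* the corruption */

    bool blocked = !list_del_checked(&victim);
    return blocked && target.next == (struct dl_node *)0x1;
}

/* Intact list: three LIFO inserts at the head, one delete, two entries remain. */
static int demo_intact_list_len(void)
{
    struct dl_node head, n1, n2, n3;
    int len = 0;
    dl_init(&head);
    list_add_checked(&n1, &head, head.next);
    list_add_checked(&n2, &head, head.next);
    list_add_checked(&n3, &head, head.next);
    list_del_checked(&n2);
    for (struct dl_node *p = head.next; p != &head; p = p->next)
        len++;
    return len;
}

int main(void)
{
    printf("intact list length: %d\n", demo_intact_list_len());
    printf("corrupted unlink blocked: %s\n", demo_blocked_unlink_write() ? "yes" : "no");
    return 0;
}
```

The check is cheap (two loads and two compares per link/unlink) and it is exactly what makes the grsecurity choice of BUG() over WARN() meaningful: a WARN() lets the corrupted store proceed and only logs it, while a BUG() ends the attempt and feeds the bruteforce deterrence.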

commit 3b039667e9f82697a42754d5e78a3772757097d5
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:06:04 2013 +0300

    Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b
    
    uml: check length in exitcode_proc_write()
    
    We don't cap the size of buffer from the user so we could write past the
    end of the array here.  Only root can write to this file.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/um/kernel/exitcode.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 3806af3fc3da19e1fafd934d2bb0344cae8fbac5
Author: Ming Lei <ming.lei@canonical.com>
Date:   Thu Oct 31 16:34:17 2013 -0700

    Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75
    
    lib/scatterlist.c: don't flush_kernel_dcache_page on slab page
    
    Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
    functions") introduces two sg buffer copy helpers, and calls
    flush_kernel_dcache_page() on pages in SG list after these pages are
    written to.
    
    Unfortunately, the commit may introduce a potential bug:
    
     - Before sending some SCSI commands, kmalloc() buffer may be passed to
       block layer, so flush_kernel_dcache_page() can see a slab page
       finally
    
     - According to cachetlb.txt, flush_kernel_dcache_page() is only called
       on "a user page", which surely can't be a slab page.
    
     - ARCH's implementation of flush_kernel_dcache_page() may use page
       mapping information to do optimization so page_mapping() will see the
       slab page, then VM_BUG_ON() is triggered.
    
    Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
    and this patch fixes the bug by adding test of '!PageSlab(miter->page)'
    before calling flush_kernel_dcache_page().
    
    Signed-off-by: Ming Lei <ming.lei@canonical.com>
    Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
    Tested-by: Simon Baatz <gmbnomis@gmail.com>
    Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org>	[3.2+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/scatterlist.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8c68b396467a3235a2396a69cdb3238a6f5fdb14
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:01:11 2013 +0300

    Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba
    
    Staging: bcm: info leak in ioctl
    
    The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
    information to user space.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/staging/bcm/Bcmchar.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a705b2ffd5021ce3aeede89b61acca32531e7b93
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 22:11:06 2013 +0300

    Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5
    
    aacraid: missing capable() check in compat ioctl
    
    In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
    added a check on CAP_SYS_RAWIO to the ioctl.  The compat ioctls need the
    check as well.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/scsi/aacraid/linit.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 7575100bfd44edff669603c0f5384f6c5588c7ee
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Oct 29 23:00:15 2013 +0300

    Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054
    
    staging: wlags49_h2: buffer overflow setting station name
    
    We need to check the length parameter before doing the memcpy().  I've
    actually changed it to strlcpy() as well so that it's NUL terminated.
    
    You need CAP_NET_ADMIN to trigger these so it's not the end of the
    world.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Reported-by: Fabian Yamaguchi <fabs@goesec.de>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	drivers/staging/wlags49_h2/wl_priv.c

 drivers/staging/wlags49_h2/wl_priv.c |   21 ++++++++++++---------
 1 files changed, 12 insertions(+), 9 deletions(-)

commit 9fec71b334742781b1fa12c096ab79ae7e8627bd
Author: Luis Henriques <luis.henriques@canonical.com>
Date:   Tue Dec 4 14:33:20 2012 +0000

    UBUNTU: SAUCE: SECCOMP: audit: fix build on archs without CONFIG_AUDITSYSCALL
    
    BugLink: http://bugs.launchpad.net/bugs/1079469
    
    Build is broken for armel or armhf because they don't define
    __audit_seccomp(), required by:
    
    3479c36 seccomp: forcing auditing of kill condition
    
    This fixes the builds defining an empty macro for this function.
    
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    Cc: Kees Cook <kees@ubuntu.com>
    Acked-by: Colin King <colin.king@canonical.com>
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

 include/linux/audit.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 29eac4dc6013fb3f3434fecfdb5b63d28b90dd7e
Author: Kees Cook <kees@ubuntu.com>
Date:   Thu Nov 15 16:33:59 2012 -0800

    seccomp: forcing auditing of kill condition
    
    BugLink: http://bugs.launchpad.net/bugs/1079469
    
    Instead of auditing all seccomp actions, only force the reporting of
    those that kill a process. All others should be checked for an existing
    audit context on the process. (This improves the adjustment that
    commit 426ae7eee59e3de2a4c14ccfc30df0a7d64709fe was attempting.)
    
    Signed-off-by: Kees Cook <kees@ubuntu.com>
    Acked-by: Herton Krzesinski <herton.krzesinski@canonical.com>
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

 kernel/seccomp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eedb353cf9693ff4940c4646cb25d650696f546c
Author: Kees Cook <kees@ubuntu.com>
Date:   Fri Mar 30 13:20:07 2012 -0700

    UBUNTU: SAUCE: SECCOMP: adjust prctl constant
    
    3.4-rc1 contains new prctl values that conflict with the ones chosen for
    nnp, so push them forward with the hopes that we will align with the future.
    
    Signed-off-by: Kees Cook <kees@ubuntu.com>
    Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>

 include/linux/prctl.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f9890fabed98fb2841b3d578187df7a2503e9f43
Author: Will Drewry <wad@chromium.org>
Date:   Thu Feb 9 11:28:23 2012 -0600

    UBUNTU: SAUCE: SECCOMP: x86: Enable HAVE_ARCH_SECCOMP_FILTER
    
    Enable support for seccomp filter on x86:
    - asm/tracehook.h exists
    - syscall_get_arguments() works
    - syscall_rollback() works
    - ptrace_report_syscall() works
    - secure_computing() return value is honored (see below)
    
    This also adds support for honoring the return
    value from secure_computing().
    
    SECCOMP_RET_TRACE and SECCOMP_RET_TRAP may result in seccomp needing to
    skip a system call without killing the process.  This is done by
    returning a non-zero (-1) value from secure_computing.  This change
    makes x86 respect that return value.
    
    To ensure that minimal kernel code is exposed, a non-zero return value
    results in an immediate return to user space (with an invalid syscall
    number).
    
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/x86/Kconfig         |    1 +
 arch/x86/kernel/ptrace.c |    7 ++++++-
 2 files changed, 7 insertions(+), 1 deletions(-)

commit 5aaf8c4b0bfa4035e02e53458d44895e50755cb7
Author: Will Drewry <wad@chromium.org>
Date:   Thu Feb 9 12:08:39 2012 -0600

    UBUNTU: SAUCE: SECCOMP: ptrace,seccomp: Add PTRACE_SECCOMP support
    
    This change adds support for a new ptrace option, PTRACE_O_TRACESECCOMP,
    and a new return value for seccomp BPF programs, SECCOMP_RET_TRACE.
    
    When a tracer specifies the PTRACE_O_TRACESECCOMP ptrace option, the
    tracer will be notified, via PTRACE_EVENT_SECCOMP, for any syscall that
    results in a BPF program returning SECCOMP_RET_TRACE.  The 16-bit
    SECCOMP_RET_DATA mask of the BPF program return value will be passed as
    the ptrace_message and may be retrieved using PTRACE_GETEVENTMSG.
    
    If the subordinate process is not using seccomp filter, then no
    system call notifications will occur even if the option is specified.
    
    If there is no tracer with PTRACE_O_TRACESECCOMP when SECCOMP_RET_TRACE
    is returned, the system call will not be executed and an -ENOSYS errno
    will be returned to userspace.
    
    This change adds a dependency on the system call slow path.  Any future
    efforts to use the system call fast path for seccomp filter will need to
    address this restriction.
    
    v16: - update PT_TRACE_MASK to 0xbf4 so that STOP isn't clear on SETOPTIONS call (indan@nul.nu)
           [note PT_TRACE_MASK disappears in linux-next]
    v15: - add audit support for non-zero return codes
         - clean up style (indan@nul.nu)
    v14: - rebase/nochanges
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
           (Brings back a change to ptrace.c and the masks.)
    v12: - rebase to linux-next
         - use ptrace_event and update arch/Kconfig to mention slow-path dependency
         - drop all tracehook changes and inclusion (oleg@redhat.com)
    v11: - invert the logic to just make it a PTRACE_SYSCALL accelerator
           (indan@nul.nu)
    v10: - moved to PTRACE_O_SECCOMP / PT_TRACE_SECCOMP
    v9:  - n/a
    v8:  - guarded PTRACE_SECCOMP use with an ifdef
    v7:  - introduced
    
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/Kconfig            |   11 ++++++-----
 include/linux/ptrace.h  |    7 +++++--
 include/linux/seccomp.h |    1 +
 kernel/ptrace.c         |    3 +++
 kernel/seccomp.c        |   13 +++++++++++--
 5 files changed, 26 insertions(+), 9 deletions(-)

commit 825511ce9b132c1bbd8b6c73a91272ad2521efbc
Author: Will Drewry <wad@chromium.org>
Date:   Thu Feb 9 12:01:37 2012 -0600

    UBUNTU: SAUCE: SECCOMP: seccomp: Add SECCOMP_RET_TRAP
    
    Adds a new return value to seccomp filters that triggers a SIGSYS to be
    delivered with the new SYS_SECCOMP si_code.
    
    This allows in-process system call emulation, including just specifying
    an errno or cleanly dumping core, rather than just dying.
    
    v15: - use audit_seccomp/skip
         - pad out error spacing; clean up switch (indan@nul.nu)
    v14: - n/a
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - rebase on to linux-next
    v11: - clarify the comment (indan@nul.nu)
         - s/sigtrap/sigsys
    v10: - use SIGSYS, syscall_get_arch, updates arch/Kconfig
           note suggested-by (though original suggestion had other behaviors)
    v9:  - changes to SIGILL
    v8:  - clean up based on changes to dependent patches
    v7:  - introduction
    
    Suggested-by: Markus Gutschke <markus@chromium.org>
    Suggested-by: Julien Tinnes <jln@chromium.org>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/Kconfig                  |   14 +++++++++-----
 include/asm-generic/siginfo.h |    2 +-
 include/linux/seccomp.h       |    1 +
 kernel/seccomp.c              |   26 ++++++++++++++++++++++++++
 4 files changed, 37 insertions(+), 6 deletions(-)

commit 62445946c127cfd0de0e3b93dcbfcf6c87d191dc
Author: Will Drewry <wad@chromium.org>
Date:   Fri Feb 17 11:50:27 2012 -0600

    UBUNTU: SAUCE: SECCOMP: signal, x86: add SIGSYS info and make it synchronous.
    
    This change enables SIGSYS, defines _sigfields._sigsys, and adds
    x86 (compat) arch support.  _sigsys defines fields which allow
    a signal handler to receive the triggering system call number,
    the relevant AUDIT_ARCH_* value for that number, and the address
    of the callsite.
    
    SIGSYS is added to the SYNCHRONOUS_MASK because it is desirable for it
    to have setup_frame() called for it. The goal is to ensure that
    ucontext_t reflects the machine state from the time-of-syscall and not
    from another signal handler.
    
    The first consumer of SIGSYS would be seccomp filter.  In particular,
    a filter program could specify a new return value, SECCOMP_RET_TRAP,
    which would result in the system call being denied and the calling
    thread signaled.  This also means that implementing arch-specific
    support can be dependent upon HAVE_ARCH_SECCOMP_FILTER.
    
    v14: - rebase/nochanges
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - reworded changelog (oleg@redhat.com)
    v11: - fix dropped words in the change description
         - added fallback copy_siginfo support.
         - added __ARCH_SIGSYS define to allow stepped arch support.
    v10: - first version based on suggestion
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Suggested-by: H. Peter Anvin <hpa@zytor.com>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/x86/ia32/ia32_signal.c   |    4 ++++
 arch/x86/include/asm/ia32.h   |    6 ++++++
 include/asm-generic/siginfo.h |   22 ++++++++++++++++++++++
 kernel/signal.c               |    9 ++++++++-
 4 files changed, 40 insertions(+), 1 deletions(-)

commit 5f14190caf5f9fc29e1cdc5a245258f0e07bbba5
Author: Will Drewry <wad@chromium.org>
Date:   Wed Feb 15 20:45:54 2012 -0600

    UBUNTU: SAUCE: SECCOMP: seccomp: add SECCOMP_RET_ERRNO
    
    This change adds the SECCOMP_RET_ERRNO as a valid return value from a
    seccomp filter.  Additionally, it makes the first use of the lower
    16-bits for storing a filter-supplied errno.  16-bits is more than
    enough for the errno-base.h calls.
    
    Returning errors instead of immediately terminating processes that
    violate seccomp policy allows for broader use of this functionality
    for kernel attack surface reduction.  For example, a linux container
    could maintain a whitelist of pre-existing system calls but drop
    all new ones with errnos.  This would keep a logically static attack
    surface while providing errnos that may allow for graceful failure
    without the downside of do_exit() on a bad call.
    
    v15: - use audit_seccomp and add a skip label. (eparis@redhat.com)
         - clean up and pad out return codes (indan@nul.nu)
    v14: - no change/rebase
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - move to WARN_ON if filter is NULL
           (oleg@redhat.com, luto@mit.edu, keescook@chromium.org)
         - return immediately for filter==NULL (keescook@chromium.org)
         - change evaluation to only compare the ACTION so that layered
           errnos don't result in the lowest one being returned.
           (keeschook@chromium.org)
    v11: - check for NULL filter (keescook@chromium.org)
    v10: - change loaders to fn
     v9: - n/a
     v8: - update Kconfig to note new need for syscall_set_return_value.
         - reordered such that TRAP behavior follows on later.
         - made the for loop a little less indent-y
     v7: - introduced
    
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/Kconfig            |    6 ++++--
 include/linux/seccomp.h |   15 +++++++++++----
 kernel/seccomp.c        |   47 ++++++++++++++++++++++++++++++++++++++---------
 3 files changed, 53 insertions(+), 15 deletions(-)

commit e83d1482e89d9725831fdee2984efab3734d3c45
Author: Kees Cook <keescook@chromium.org>
Date:   Sun Feb 26 11:56:12 2012 -0800

    UBUNTU: SAUCE: SECCOMP: seccomp: remove duplicated failure logging
    
    This consolidates the seccomp filter error logging path and adds more
    details to the audit log.
    
    v15: added a return code to the audit_seccomp path by wad@chromium.org
         (suggested by eparis@redhat.com)
    v*: original by keescook@chromium.org
    
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 include/linux/audit.h |    8 ++++----
 kernel/auditsc.c      |   10 ++++++++--
 kernel/seccomp.c      |   15 +--------------
 3 files changed, 13 insertions(+), 20 deletions(-)

commit 19a18a4844a7d16174a8ef4d2780e45ae6c812c8
Author: Will Drewry <wad@chromium.org>
Date:   Thu Feb 9 11:50:58 2012 -0600

    UBUNTU: SAUCE: SECCOMP: seccomp: add system call filtering using BPF
    
    [This patch depends on luto@mit.edu's no_new_privs patch:
       https://lkml.org/lkml/2012/1/30/264
     The whole series including Andrew's patches can be found here:
       https://github.com/redpig/linux/tree/seccomp
     Complete diff here:
       https://github.com/redpig/linux/compare/1dc65fed...seccomp
     A GPG signed tag 'seccomp/v14/posted' will be pushed shortly.
    ]
    
    This patch adds support for seccomp mode 2.  Mode 2 introduces the
    ability for unprivileged processes to install system call filtering
    policy expressed in terms of a Berkeley Packet Filter (BPF) program.
    This program will be evaluated in the kernel for each system call
    the task makes and computes a result based on data in the format
    of struct seccomp_data.
    
    A filter program may be installed by calling:
      struct sock_fprog fprog = { ... };
      ...
      prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
    
    The return value of the filter program determines if the system call is
    allowed to proceed or denied.  If the first filter program installed
    allows prctl(2) calls, then the above call may be made repeatedly
    by a task to further reduce its access to the kernel.  All attached
    programs must be evaluated before a system call will be allowed to
    proceed.
    
    Filter programs will be inherited across fork/clone and execve.
    However, if the task attaching the filter is unprivileged
    (!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task.  This
    ensures that unprivileged tasks cannot attach filters that affect
    privileged tasks (e.g., setuid binary).
    
    There are a number of benefits to this approach. A few of which are
    as follows:
    - BPF has been exposed to userland for a long time
    - BPF optimization (and JIT'ing) are well understood
    - Userland already knows its ABI: system call numbers and desired
      arguments
    - No time-of-check-time-of-use vulnerable data accesses are possible.
    - system call arguments are loaded on access only to minimize copying
      required for system call policy decisions.
    
    Mode 2 support is restricted to architectures that enable
    HAVE_ARCH_SECCOMP_FILTER.  In this patch, the primary dependency is on
    syscall_get_arguments().  The full desired scope of this feature will
    add a few minor additional requirements expressed later in this series.
    Based on discussion, SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE seem to be
    the desired additional functionality.
    
    No architectures are enabled in this patch.
    
    v15: - add a 4 instr penalty when counting a path to account for seccomp_filter
           size (indan@nul.nu)
         - drop the max insns to 256KB (indan@nul.nu)
         - return ENOMEM if the max insns limit has been hit (indan@nul.nu)
         - move IP checks after args (indan@nul.nu)
         - drop !user_filter check (indan@nul.nu)
         - only allow explicit bpf codes (indan@nul.nu)
         - exit_code -> exit_sig
    v14: - put/get_seccomp_filter takes struct task_struct
           (indan@nul.nu,keescook@chromium.org)
         - adds seccomp_chk_filter and drops general bpf_run/chk_filter user
         - add seccomp_bpf_load for use by net/core/filter.c
         - lower max per-process/per-hierarchy: 1MB
         - moved nnp/capability check prior to allocation
           (all of the above: indan@nul.nu)
    v13: - rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: - added a maximum instruction count per path (indan@nul.nu,oleg@redhat.com)
         - removed copy_seccomp (keescook@chromium.org,indan@nul.nu)
         - reworded the prctl_set_seccomp comment (indan@nul.nu)
    v11: - reorder struct seccomp_data to allow future args expansion (hpa@zytor.com)
         - style clean up, @compat dropped, compat_sock_fprog32 (indan@nul.nu)
         - do_exit(SIGSYS) (keescook@chromium.org, luto@mit.edu)
         - pare down Kconfig doc reference.
         - extra comment clean up
    v10: - seccomp_data has changed again to be more aesthetically pleasing
           (hpa@zytor.com)
         - calling convention is noted in a new u32 field using syscall_get_arch.
           This allows for cross-calling convention tasks to use seccomp filters.
           (hpa@zytor.com)
         - lots of clean up (thanks, Indan!)
     v9: - n/a
     v8: - use bpf_chk_filter, bpf_run_filter. update load_fns
         - Lots of fixes courtesy of indan@nul.nu:
         -- fix up load behavior, compat fixups, and merge alloc code,
         -- renamed pc and dropped __packed, use bool compat.
         -- Added a hidden CONFIG_SECCOMP_FILTER to synthesize non-arch
            dependencies
     v7:  (massive overhaul thanks to Indan, others)
         - added CONFIG_HAVE_ARCH_SECCOMP_FILTER
         - merged into seccomp.c
         - minimal seccomp_filter.h
         - no config option (part of seccomp)
         - no new prctl
         - doesn't break seccomp on systems without asm/syscall.h
           (works but arg access always fails)
         - dropped seccomp_init_task, extra free functions, ...
         - dropped the no-asm/syscall.h code paths
         - merges with network sk_run_filter and sk_chk_filter
     v6: - fix memory leak on attach compat check failure
         - require no_new_privs || CAP_SYS_ADMIN prior to filter
           installation. (luto@mit.edu)
         - s/seccomp_struct_/seccomp_/ for macros/functions (amwang@redhat.com)
         - cleaned up Kconfig (amwang@redhat.com)
         - on block, note if the call was compat (so the # means something)
     v5: - uses syscall_get_arguments
           (indan@nul.nu,oleg@redhat.com, mcgrathr@chromium.org)
          - uses union-based arg storage with hi/lo struct to
            handle endianness.  Compromises between the two alternate
            proposals to minimize extra arg shuffling and account for
            endianness assuming userspace uses offsetof().
            (mcgrathr@chromium.org, indan@nul.nu)
          - update Kconfig description
          - add include/seccomp_filter.h and add its installation
          - (naive) on-demand syscall argument loading
          - drop seccomp_t (eparis@redhat.com)
     v4:  - adjusted prctl to make room for PR_[SG]ET_NO_NEW_PRIVS
          - now uses current->no_new_privs
            (luto@mit.edu,torvalds@linux-foundation.com)
          - assign names to seccomp modes (rdunlap@xenotime.net)
          - fix style issues (rdunlap@xenotime.net)
          - reworded Kconfig entry (rdunlap@xenotime.net)
     v3:  - macros to inline (oleg@redhat.com)
          - init_task behavior fixed (oleg@redhat.com)
          - drop creator entry and extra NULL check (oleg@redhat.com)
          - alloc returns -EINVAL on bad sizing (serge.hallyn@canonical.com)
          - adds tentative use of "always_unprivileged" as per
            torvalds@linux-foundation.org and luto@mit.edu
     v2:  - (patch 2 only)
    
    Reviewed-by: Indan Zupancic <indan@nul.nu>
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/Kconfig            |   17 ++
 include/linux/Kbuild    |    1 +
 include/linux/seccomp.h |   76 +++++++++-
 kernel/fork.c           |    3 +
 kernel/seccomp.c        |  393 ++++++++++++++++++++++++++++++++++++++++++++--
 kernel/sys.c            |    2 +-
 6 files changed, 469 insertions(+), 23 deletions(-)
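
The filter installation and evaluation described in this commit message, and the SECCOMP_RET_ERRNO encoding and action-only comparison from the SECCOMP_RET_ERRNO commit above, as an added user-space model written for this page (not code from the log or from the kernel series): it runs a classic BPF program over struct seccomp_data and combines layered filters the way the message describes. Assumptions: the SECCOMP_RET_* and AUDIT_ARCH_X86_64 values are copied from the Linux uapi headers, DENIED_NR is a constructed placeholder syscall number, and nothing is installed with prctl().

```c
/* Added example (not the kernel's code): a user-space model of how a seccomp
 * mode 2 filter is evaluated over struct seccomp_data and how layered filters
 * combine. Constants mirror the Linux uapi values; DENIED_NR is a constructed
 * placeholder. Nothing here installs a filter with prctl(). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct sock_fprog { unsigned short len; struct sock_filter *filter; };

/* Per-syscall data the filter reads (v11 field order: nr, arch, ip, args). */
struct seccomp_data {
    int nr;
    uint32_t arch;
    uint64_t instruction_pointer;
    uint64_t args[6];
};

/* Return values: action in the upper bits, filter-supplied data such as an
 * errno in the low 16 bits. A numerically lower action is more severe. */
#define SECCOMP_RET_KILL   0x00000000U
#define SECCOMP_RET_ERRNO  0x00050000U
#define SECCOMP_RET_ALLOW  0x7fff0000U
#define SECCOMP_RET_ACTION 0x7fff0000U
#define SECCOMP_RET_DATA   0x0000ffffU
#define OP_LD_W_ABS 0x20 /* BPF_LD  | BPF_W   | BPF_ABS */
#define OP_JEQ_K    0x15 /* BPF_JMP | BPF_JEQ | BPF_K   */
#define OP_RET_K    0x06 /* BPF_RET | BPF_K */
#define AUDIT_ARCH_X86_64 0xc000003eU
#define DENIED_NR 999 /* constructed placeholder syscall number */

uint32_t seccomp_action(uint32_t ret) { return ret & SECCOMP_RET_ACTION; }
int seccomp_errno(uint32_t ret) { return (int)(ret & SECCOMP_RET_DATA); }

/* Run one program over sd. Only explicit opcodes are accepted and loads must
 * stay inside seccomp_data; anything else yields SECCOMP_RET_KILL. */
uint32_t run_seccomp_filter(const struct sock_fprog *prog,
                            const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (unsigned int pc = 0; pc < prog->len; pc++) {
        const struct sock_filter *in = &prog->filter[pc];
        switch (in->code) {
        case OP_LD_W_ABS:
            if (in->k % 4 != 0 || (size_t)in->k + 4 > sizeof(*sd))
                return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)sd + in->k, sizeof(acc));
            break;
        case OP_JEQ_K: /* target is pc + 1 + jt/jf; the loop adds the 1 */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case OP_RET_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end without a return */
}

/* Combine every attached program, most recently attached first (the order the
 * kernel walks them). Only the ACTION bits are compared, so when two programs
 * both return ERRNO the first evaluated wins, not the smaller errno value. */
uint32_t run_seccomp_filters(const struct sock_fprog *progs, size_t n,
                             const struct seccomp_data *sd)
{
    uint32_t ret = SECCOMP_RET_ALLOW;
    for (size_t i = 0; i < n; i++) {
        uint32_t cur = run_seccomp_filter(&progs[i], sd);
        if (seccomp_action(cur) < seccomp_action(ret))
            ret = cur;
    }
    return ret;
}

/* Policy 1: kill on a foreign calling convention, fail DENIED_NR with EPERM. */
static struct sock_filter deny_one_insns[] = {
    { OP_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, arch) },
    { OP_JEQ_K,    1, 0, AUDIT_ARCH_X86_64 },
    { OP_RET_K,    0, 0, SECCOMP_RET_KILL },
    { OP_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, nr) },
    { OP_JEQ_K,    0, 1, DENIED_NR },
    { OP_RET_K,    0, 0, SECCOMP_RET_ERRNO | EPERM },
    { OP_RET_K,    0, 0, SECCOMP_RET_ALLOW },
};
struct sock_fprog deny_one = { 7, deny_one_insns };

/* Policy 2, attached later by the same task: DENIED_NR fails with ENOSYS. */
static struct sock_filter enosys_insns[] = {
    { OP_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, nr) },
    { OP_JEQ_K,    0, 1, DENIED_NR },
    { OP_RET_K,    0, 0, SECCOMP_RET_ERRNO | ENOSYS },
    { OP_RET_K,    0, 0, SECCOMP_RET_ALLOW },
};
struct sock_fprog enosys_filter = { 4, enosys_insns };
```

Walking the stack with enosys_filter first and deny_one second returns ERRNO with ENOSYS for DENIED_NR, while a mismatched arch makes deny_one's KILL outrank both ERRNO results.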

commit d5d317ef3be9869343903ee59e485eaf939865cf
Author: Eric Paris <eparis@redhat.com>
Date:   Tue Jan 3 14:23:05 2012 -0500

    seccomp: audit abnormal end to a process due to seccomp
    
    The audit system likes to collect information about processes that end
    abnormally (SIGSEGV) as this may be useful intrusion detection information.
    This patch adds audit support to collect information when seccomp forces a
    task to exit because of misbehavior in a similar way.
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    (cherry picked from commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31)
    
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 include/linux/audit.h |    8 +++++++
 kernel/auditsc.c      |   52 ++++++++++++++++++++++++++++--------------------
 kernel/seccomp.c      |    2 +
 3 files changed, 40 insertions(+), 22 deletions(-)

commit c9614d621d49f2c8e1d4832758579da457136418
Author: Will Drewry <wad@chromium.org>
Date:   Fri Feb 17 15:03:37 2012 -0600

    UBUNTU: SAUCE: SECCOMP: asm/syscall.h: add syscall_get_arch
    
    Adds a stub for a function that will return the AUDIT_ARCH_*
    value appropriate to the supplied task based on the system
    call convention.
    
    For audit's use, the value can generally be hard-coded at the
    audit-site.  However, for other functionality not inlined into
    syscall entry/exit, this makes that information available.
    seccomp_filter is the first planned consumer and, as such,
    the comment indicates a tie to HAVE_ARCH_SECCOMP_FILTER.  That
    is probably an unneeded detail.
    
    v14: rebase/nochanges
    v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: rebase on to linux-next
    v11: fixed improper return type
    v10: introduced
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Suggested-by: Roland McGrath <mcgrathr@chromium.org>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 include/asm-generic/syscall.h |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 65acde58c865720cf4cab6890efe8f31d5bec60f
Author: Will Drewry <wad@chromium.org>
Date:   Wed Jan 18 15:00:56 2012 -0600

    UBUNTU: SAUCE: SECCOMP: arch/x86: add syscall_get_arch to syscall.h
    
    Add syscall_get_arch() to export the current AUDIT_ARCH_* based on system call
    entry path.
    
    v14: rebase/nochanges
    v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 arch/x86/include/asm/syscall.h |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

commit 5b564226379332f09c4f3765394eca26c1e8d1e1
Author: Will Drewry <wad@chromium.org>
Date:   Fri Jan 13 14:40:01 2012 -0600

    UBUNTU: SAUCE: SECCOMP: seccomp: kill the seccomp_t typedef
    
    Replaces the seccomp_t typedef with struct seccomp to match modern
    kernel style.
    
    v14: rebase/nochanges
    v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: rebase on to linux-next
    v8-v11: no changes
    v7: struct seccomp_struct -> struct seccomp
    v6: original inclusion in this series.
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Reviewed-by: James Morris <jmorris@namei.org>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 include/linux/sched.h   |    2 +-
 include/linux/seccomp.h |   10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

commit 8f10416cbf0a71df0d851fdba18ea9b3187f616c
Author: Will Drewry <wad@chromium.org>
Date:   Wed Feb 22 10:59:31 2012 -0600

    UBUNTU: SAUCE: SECCOMP: net/compat.c,linux/filter.h: share compat_sock_fprog
    
    Any other users of bpf_*_filter that take a struct sock_fprog from
    userspace will need to be able to also accept a compat_sock_fprog
    if the arch supports compat calls.  This change lets the existing
    compat_sock_fprog be shared.
    
    v14: rebase/nochanges
    v13: rebase on to 88ebdda6159ffc15699f204c33feb3e431bf9bdc
    v12: rebase on to linux-next
    v11: introduction
    
    Signed-off-by: Will Drewry <wad@chromium.org>
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 include/linux/filter.h |   11 +++++++++++
 net/compat.c           |    8 --------
 2 files changed, 11 insertions(+), 8 deletions(-)

commit 508e69eac8c0f6089ae2f317122f2509ce2c922d
Author: Will Drewry <wad@chromium.org>
Date:   Fri Mar 9 10:43:50 2012 -0600

    UBUNTU: SAUCE: SECCOMP: sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W
    
    Introduces a new BPF ancillary instruction that all LD calls will be
    mapped through when skb_run_filter() is being used for seccomp BPF.  The
    rewriting will be done using a secondary chk_filter function that is run
    after skb_chk_filter.
    
    The code change is guarded by CONFIG_SECCOMP_FILTER which is added,
    along with the seccomp_bpf_load() function later in this series.
    
    This is based on http://lkml.org/lkml/2012/3/2/141
    
    v15: include seccomp.h explicitly for when seccomp_bpf_load exists.
    v14: First cut using a single additional instruction
    ... v13: made bpf functions generic.
    
    Suggested-by: Indan Zupancic <indan@nul.nu>
    Signed-off-by: Will Drewry <wad@chromium.org>
    Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 include/linux/filter.h |    1 +
 net/core/filter.c      |    6 ++++++
 2 files changed, 7 insertions(+), 0 deletions(-)

commit 29fb0afcb3dbc9563ebc3f2ab26acaa52e5c209f
Author: John Johansen <john.johansen@canonical.com>
Date:   Mon Jan 30 08:17:27 2012 -0800

    UBUNTU: SAUCE: SECCOMP: Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS
    
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Kees Cook <kees@ubuntu.com>

 security/apparmor/domain.c |   39 +++++++++++++++++++++++++++++++++++----
 1 files changed, 35 insertions(+), 4 deletions(-)

commit 2ccd05f2a7d8c59be2381399da61865deb7aa540
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Mon Jan 30 08:17:26 2012 -0800

    UBUNTU: SAUCE: SECCOMP: Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
    
    With this set, a lot of dangerous operations (chroot, unshare, etc)
    become a lot less dangerous because there is no possibility of
    subverting privileged binaries.
    
    This patch completely breaks apparmor.  Someone who understands (and
    uses) apparmor should fix it or at least give me a hint.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Kees Cook <kees@ubuntu.com>
    
    Conflicts:
    
    	include/linux/prctl.h

 fs/exec.c                  |   10 +++++++++-
 include/linux/prctl.h      |   15 +++++++++++++++
 include/linux/sched.h      |    2 ++
 include/linux/security.h   |    1 +
 kernel/sys.c               |   10 ++++++++++
 security/apparmor/domain.c |    4 ++++
 security/commoncap.c       |    7 +++++--
 security/selinux/hooks.c   |   10 +++++++++-
 8 files changed, 55 insertions(+), 4 deletions(-)

commit 5041458714dba17a379e8f68ccc7a620878933b5
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Oct 29 10:21:34 2013 -0700

    Fixed a little differently than Linus...
    
    Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1
    
    Fix a few incorrectly checked [io_]remap_pfn_range() calls
    
    Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
    really should use the vm_iomap_memory() helper.  This trivially converts
    two of them to the helper, and comments about why the third one really
    needs to continue to use remap_pfn_range(), and adds the missing size
    check.
    
    Reported-by: Nico Golde <nico@ngolde.de>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	drivers/uio/uio.c
    
    Conflicts:
    
    	drivers/video/au1100fb.c
    	drivers/video/au1200fb.c

 drivers/uio/uio.c        |   19 +++++++++++++++++--
 drivers/video/au1100fb.c |   28 +---------------------------
 drivers/video/au1200fb.c |   27 +--------------------------
 3 files changed, 19 insertions(+), 55 deletions(-)

commit 03676684cf5899178a256001a98845d6c95c0b62
Merge: 8c82885 8e0d793
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 15:15:03 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 8e0d7934f8f3995920b52aebbfaa35d8d9710aa4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 15:14:41 2013 -0400

    Update to pax-linux-3.2.52-test123.patch

 mm/mremap.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 8c82885408023041feb6020fd0aa1c12fe02c3b9
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Oct 1 21:04:11 2013 -0700

    Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693
    
    net: do not call sock_put() on TIMEWAIT sockets
    
    commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
    hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
    
    We should instead use inet_twsk_put()
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/inet_hashtables.c
    	net/ipv6/inet6_hashtables.c

 net/ipv4/inet_hashtables.c  |    2 +-
 net/ipv6/inet6_hashtables.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit fddae6370b7e281ef7d80522d7ffcd89a34de74b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Oct 3 00:27:20 2013 +0300

    Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8
    
    net: heap overflow in __audit_sockaddr()
    
    We need to cap ->msg_namelen or it leads to a buffer overflow when we
    do the memcpy() in __audit_sockaddr().  It requires CAP_AUDIT_CONTROL to
    exploit this bug.
    
    The call tree is:
    ___sys_recvmsg()
      move_addr_to_user()
        audit_sockaddr()
          __audit_sockaddr()
    
    Reported-by: Jüri Aedla <juri.aedla@gmail.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/compat.c

 net/compat.c |    2 ++
 net/socket.c |   24 ++++++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

commit d77bb8ded8c2498b6def94c132aecdcb8fea6997
Author: Salva Peiró <speiro@ai2.upv.es>
Date:   Wed Oct 16 12:46:50 2013 +0200

    Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1
    
    wanxl: fix info leak in ioctl
    
    The wanxl_ioctl() code fails to initialize the two padding bytes of
    struct sync_serial_settings after the ->loopback member. Add an explicit
    memset(0) before filling the structure to avoid the info leak.
    
    Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/wanxl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ee64f2b6a4fc12e106140a04a86a04fee5b5d268
Author: Geyslan G. Bem <geyslan@gmail.com>
Date:   Fri Oct 11 16:49:16 2013 -0300

    Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4
    
    ecryptfs: Fix memory leakage in keystore.c
    
    In 'decrypt_pki_encrypted_session_key' function:
    
    Initializes 'payload' pointer and releases it on exit.
    
    Signed-off-by: Geyslan G. Bem <geyslan@gmail.com>
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Cc: stable@vger.kernel.org # v2.6.28+
    
    Conflicts:
    
    	fs/ecryptfs/keystore.c

 fs/ecryptfs/keystore.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 69d8bba850fbf1acbd367763caf969d52c13e9c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 13:29:49 2013 -0400

    This is a replacement patch only for stable which does fix the problems
    handled by the following two commits in -net:
    
    "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
    "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
    
    Three frames are written on a corked udp socket for which the output
    netdevice has UFO enabled.  If the first and third frame are smaller than
    the mtu and the second one is bigger, we enqueue the second frame with
    skb_append_datato_frags without initializing the gso fields. This leads
    to the third frame appended regularly and thus constructing an invalid skb.
    
    This fixes the problem by always using skb_append_datato_frags as soon
    as the first frag got enqueued to the skb without marking the packet
    as SKB_GSO_UDP.
    
    The problem with only two frames for ipv6 was fixed by "ipv6: udp
    packets following an UFO enqueued packet need also be handled by UFO"
    (2811ebac2521ceac84f2bdae402455baa6a7fb47).
    
    Cc: Jiri Pirko <jiri@resnulli.us>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: David Miller <davem@davemloft.net>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

 include/linux/skbuff.h |    5 +++++
 net/ipv4/ip_output.c   |    2 +-
 net/ipv6/ip6_output.c  |    2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

commit a6106104c857d0c99cc68db7299cf6d78164c64d
Merge: f489195e 036f7dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 12:59:48 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	drivers/hid/hid-core.c
    	drivers/hid/hid-lg2ff.c
    	drivers/hid/hid-lg3ff.c
    	drivers/hid/hid-lg4ff.c
    	drivers/hid/hid-lgff.c
    	drivers/hid/hid-zpff.c
    	include/linux/hid.h
    	net/sctp/ipv6.c

commit 036f7dd38cc46327a6e79debc5268514c479b99f
Merge: dd49aee 8b5ed99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 27 12:56:31 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit f489195e6de890ee1b1d2276da13fdfcdba4ff4c
Merge: f049ec9 dd49aee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 26 08:46:57 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	security/Kconfig

commit dd49aee1dfcb51b636f5eb8bb0c523d1d563997e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Oct 26 08:44:55 2013 -0400

    - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs <timo.teras@iki.f> and Natanael Copa <ncopa@alpinelinux.org> (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e)
    - updated config help for latent entropy to reflect recent changes

 arch/x86/include/asm/uaccess_64.h |    2 +-
 security/Kconfig                  |    6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

commit f049ec9ba734ee867a06d55df02c569e2d76e6df
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Oct 14 15:28:38 2013 +0300

    Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5
    
    yam: integer underflow in yam_ioctl()
    
    We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be
    negative.  I don't know the impact of using a negative bitrate but let's
    prevent it.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/yam.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 34c978ee09e1c278e003c3de72904c509dffe516
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 18 19:37:48 2013 -0400

    fix up len for tty_set case, from minipli

 kernel/audit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1e34acd4e5bc1fb0b6f9c290211917dff44b9678
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:43:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: netfilter-devel@vger.kernel.org
    Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
            <kadlec@blackhole.kfki.hu>
    Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks
    
    The ulog messages leak heap bytes by the means of padding bytes and
    incompletely filled string arrays. Fix those by memset(0)'ing the
    whole struct before filling it.
    
    Cc: Pablo Neira Ayuso <pablo@netfilter.org>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/ipv4/netfilter/ipt_ULOG.c |    7 +------
 1 files changed, 1 insertions(+), 6 deletions(-)

commit 7d16536e5aec23a39995a0eac31e28c15f8450ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:41:01 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: netfilter-devel@vger.kernel.org
    Cc: Mathias Krause <minipli@googlemail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, Jozsef Kadlecsik
            <kadlec@blackhole.kfki.hu>, Bart De Schuymer <bart.de.schuymer@pandora.be>
    Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
    
    The ulog messages leak heap bytes by the means of padding bytes and
    incompletely filled string arrays. Fix those by memset(0)'ing the
    whole struct before filling it.
    
    Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 net/bridge/netfilter/ebt_ulog.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)

commit 2314e3da07152cfabd1b64ec24e7f4a68328568f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:37:59 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: linux-audit@redhat.com
    Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
    Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
    
    Using the nlmsg_len member of the netlink header to test if the message
    is valid is wrong as it includes the size of the netlink header itself.
    This allows sending short netlink messages that pass those checks.
    
    Use nlmsg_len() instead to test for the right message length. The result
    of nlmsg_len() is guaranteed to be non-negative as the netlink message
    already passed the checks of nlmsg_ok().
    
    Also switch to min_t() to please checkpatch.pl.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org  # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd

 kernel/audit.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit df8f0cdfc0f9c62bab6e4ea113b5c64449e6006e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:36:25 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: linux-audit@redhat.com
    Cc: Mathias Krause <minipli@googlemail.com>, Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>
    Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests
    
    We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
    we fail to initialize the mask member of status_set. Fix that.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Eric Paris <eparis@redhat.com>
    Cc: stable@vger.kernel.org  # v2.6.6+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 kernel/audit.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 612bf8e03d3abc3dad934275e917910cd11af911
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 16 18:35:00 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org
    Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length
    
    The current code tests the length of the whole netlink message to be
    at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
    the length of the netlink message header. Use nlmsg_len() instead to
    fix this "off-by-NLMSG_HDRLEN" size check.
    
    Cc: stable@vger.kernel.org  # v2.6.14+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 drivers/connector/connector.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 27b743c54cd24429ea4240f658d5619adb95e748
Author: Mathias Krause <minipli@googlemail.com>
Date:   Mon Sep 30 22:03:06 2013 +0200

    Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682
    
    proc connector: fix info leaks
    
    Initialize event_data for all possible message types to prevent leaking
    kernel stack contents to userland (up to 20 bytes). Also set the flags
    member of the connector message to 0 to prevent leaking two more stack
    bytes this way.
    
    Cc: stable@vger.kernel.org  # v2.6.15+
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	drivers/connector/cn_proc.c

 drivers/connector/cn_proc.c |   36 ++++++++++++++++++++++++++----------
 1 files changed, 26 insertions(+), 10 deletions(-)

commit c9d7d5d95e0415f61bbf33e11b8beb6c4af0aa74
Author: Dave Jones <davej@redhat.com>
Date:   Thu Oct 10 20:05:35 2013 -0400

    Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc
    
    ext4: fix memory leak in xattr
    
    If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
    potentially return from the function without having freed these
    allocations.  If we don't do the return, we overwrite the previous
    allocation pointers, so we leak either way.
    
    Spotted with Coverity.
    
    [ Fixed by tytso to set is and bs to NULL after freeing these
      pointers, in case in the retry loop we later end up triggering an
      error causing a jump to cleanup, at which point we could have a double
      free bug. -- Ted ]
    
    Signed-off-by: Dave Jones <davej@fedoraproject.org>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Reviewed-by: Eric Sandeen <sandeen@redhat.com>
    Cc: stable@vger.kernel.org

 fs/ext4/xattr.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 15f94d4047a32fb443c1ba1f6b0437e4c886ee1a
Author: Salva Peiró <speiro@ai2.upv.es>
Date:   Fri Oct 11 12:50:03 2013 +0300

    Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194
    
    farsync: fix info leak in ioctl
    
    The fst_get_iface() code fails to initialize the two padding bytes of
    struct sync_serial_settings after the ->loopback member. Add an explicit
    memset(0) before filling the structure to avoid the info leak.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/farsync.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
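Added example, not kernel code, covering the three info-leak commits above (audit status, proc connector, farsync ioctl): why copying a partially initialised struct to userland hands out stale stack bytes, and why an explicit memset(0) fixes it. The two structs are constructed stand-ins: one with a member the handler never writes (like the audit 'mask'), one whose members are all written but which carries ABI padding after the last member (like sync_serial_settings after 'loopback'); the STALE marker is a constructed stand-in for whatever an earlier call left on the stack.

```c
/* Added example, not kernel code. Demonstrates the two ways a struct copied
 * to userland leaks stack contents: an unwritten member, and padding bytes. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STALE 0xAA   /* constructed marker standing in for old stack contents */

/* Constructed stand-in for the audit status reply: the handler fills
 * enabled and failure but forgets mask. */
struct status_like {
    unsigned int mask;
    unsigned int enabled;
    unsigned int failure;
};

/* Constructed stand-in for sync_serial_settings: 10 bytes of members, and
 * on common ABIs 2 bytes of tail padding so the struct is 4-byte aligned. */
struct settings_like {
    unsigned int clock_rate;
    unsigned int clock_type;
    unsigned short loopback;
};

/* Unions let the same storage be written as a struct and read as bytes. */
union status_storage   { struct status_like   s; unsigned char raw[sizeof(struct status_like)];   };
union settings_storage { struct settings_like s; unsigned char raw[sizeof(struct settings_like)]; };

/* Count bytes the handler never wrote; these are exactly the bytes that a
 * copy_to_user() of the whole object would hand to userland. */
static size_t stale_bytes(const unsigned char *raw, size_t len)
{
    size_t n = 0, i;
    for (i = 0; i < len; i++)
        if (raw[i] == STALE)
            n++;
    return n;
}

/* Audit-style reply: every member except mask is set. Returns the number
 * of stale bytes that would be copied out (4 unfixed, 0 fixed). */
size_t audit_reply_leak(int fixed)
{
    union status_storage u;
    memset(u.raw, STALE, sizeof u.raw);   /* stale stack from an earlier call */
    if (fixed)
        memset(u.raw, 0, sizeof u.raw);   /* the fix: clear everything first */
    u.s.enabled = 1;
    u.s.failure = 1;
    return stale_bytes(u.raw, sizeof u.raw);
}

/* ioctl-style reply: every member is set, but padding is never written.
 * Returns sizeof(struct settings_like) - 10 unfixed (2 on common ABIs), 0 fixed. */
size_t ioctl_reply_leak(int fixed)
{
    union settings_storage u;
    memset(u.raw, STALE, sizeof u.raw);
    if (fixed)
        memset(u.raw, 0, sizeof u.raw);   /* the memset(0) the farsync fix adds */
    u.s.clock_rate = 64000;
    u.s.clock_type = 0;
    u.s.loopback = 0;
    return stale_bytes(u.raw, sizeof u.raw);
}

int main(void)
{
    printf("audit reply: %zu stale bytes, %zu after fix\n",
           audit_reply_leak(0), audit_reply_leak(1));
    printf("ioctl reply: %zu stale bytes, %zu after fix\n",
           ioctl_reply_leak(0), ioctl_reply_leak(1));
    return 0;
}
```

Note that the second case is the one that survives code review most easily: every member is assigned, yet the bytes between them still come from whatever the stack held before.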

commit 5712ae2e739b97d3b7319769efd56a6f28d11d27
Author: Fan Du <fan.du@windriver.com>
Date:   Tue Sep 17 15:14:13 2013 +0800

    Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda
    
    xfrm: Guard IPsec anti replay window against replay bitmap
    
    For legacy IPsec anti replay mechanism:
    
    bitmap in struct xfrm_replay_state could only provide a 32 bits
    window size limit in current design, thus user level parameter
    sadb_sa_replay should honor this limit, otherwise misleading
    outputs("replay=244") by setkey -D will be:
    
    192.168.25.2 192.168.22.2
    	esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
    	E: aes-cbc  9a8d7468 7655cf0b 719d27be b0ddaac2
    	A: hmac-sha1  2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
    	seq=0x00000000 replay=244 flags=0x00000000 state=mature
    	created: Sep 17 14:00:00 2013	current: Sep 17 14:00:22 2013
    	diff: 22(s)	hard: 30(s)	soft: 26(s)
    	last: Sep 17 14:00:00 2013	hard: 0(s)	soft: 0(s)
    	current: 1408(bytes)	hard: 0(bytes)	soft: 0(bytes)
    	allocated: 22	hard: 0	soft: 0
    	sadb_seq=1 pid=4854 refcnt=0
    192.168.22.2 192.168.25.2
    	esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
    	E: aes-cbc  6485d990 f61a6bd5 e5660252 608ad282
    	A: hmac-sha1  0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
    	seq=0x00000000 replay=244 flags=0x00000000 state=mature
    	created: Sep 17 14:00:00 2013	current: Sep 17 14:00:22 2013
    	diff: 22(s)	hard: 30(s)	soft: 26(s)
    	last: Sep 17 14:00:00 2013	hard: 0(s)	soft: 0(s)
    	current: 1408(bytes)	hard: 0(bytes)	soft: 0(bytes)
    	allocated: 22	hard: 0	soft: 0
    	sadb_seq=0 pid=4854 refcnt=0
    
    And also, optimizing xfrm_replay_check window checking by setting the
    desirable x->props.replay_window with only doing the comparison once
    for all when xfrm_state is first born.
    
    Signed-off-by: Fan Du <fan.du@windriver.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/key/af_key.c       |    3 ++-
 net/xfrm/xfrm_replay.c |    3 +--
 net/xfrm/xfrm_user.c   |    3 ++-
 3 files changed, 5 insertions(+), 4 deletions(-)

commit d1a548f9ae91ab63b92668b0bab71841802fc1c0
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Oct 4 10:31:41 2013 -0700

    Upstream commit: 5e8a402f831dbe7ee831340a91439e46f0d38acd
    
    tcp: do not forget FIN in tcp_shifted_skb()
    
    Yuchung found the following problem:
    
     There are bugs in the SACK processing code, merging part in
     tcp_shift_skb_data(), that incorrectly reset or ignore the sacked
     skbs' FIN flag. When a receiver first SACKs the FIN sequence and later
     throws away the ofo queue (e.g., sack-reneging), the sender will stop
     retransmitting the FIN flag and hang forever.
    
    The following packetdrill test can be used to reproduce the bug.
    
    $ cat sack-merge-bug.pkt
    `sysctl -q net.ipv4.tcp_fack=0`
    
    // Establish a connection and send 10 MSS.
    0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
    +.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
    +.000 bind(3, ..., ...) = 0
    +.000 listen(3, 1) = 0
    
    +.050 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
    +.000 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 6>
    +.001 < . 1:1(0) ack 1 win 1024
    +.000 accept(3, ..., ...) = 4
    
    +.100 write(4, ..., 12000) = 12000
    +.000 shutdown(4, SHUT_WR) = 0
    +.000 > . 1:10001(10000) ack 1
    +.050 < . 1:1(0) ack 2001 win 257
    +.000 > FP. 10001:12001(2000) ack 1
    +.050 < . 1:1(0) ack 2001 win 257 <sack 10001:11001,nop,nop>
    +.050 < . 1:1(0) ack 2001 win 257 <sack 10001:12002,nop,nop>
    // SACK reneg
    +.050 < . 1:1(0) ack 12001 win 257
    +0 %{ print "unacked: ",tcpi_unacked }%
    +5 %{ print "" }%
    
    First, a typo inverted the left/right of one OR operation, then the
    code forgot to advance end_seq if the merged skb carried FIN.
    
    Bug was added in 2.6.29 by commit 832d11c5cd076ab
    ("tcp: Try to restore large SKBs while SACK processing")
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Acked-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_input.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit dfe73820c672cf0ee9b39969359023e4921618d1
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Sep 24 15:27:45 2013 -0700

    Just a whitespace fix to sync with upstream as we already applied this fix
    via Vasiliy Kulikov in 2010.  It fell through the cracks upstream.
    
    cciss: fix info leak in cciss_ioctl32_passthru()
    
    The arg64 struct has a hole after ->buf_size which isn't cleared.  Or if
    any of the calls to copy_from_user() fail then that would cause an
    information leak as well.
    
    This was assigned CVE-2013-2147.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Mike Miller <mike.miller@hp.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	drivers/block/cciss.c

 drivers/block/cciss.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 8a0a3f1c6c95ebc20c8b992388c114376faa8dcd
Author: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Date:   Tue Sep 24 18:29:11 2013 -0700

    Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b
    
    mm: Place preemption point in do_mlockall() loop
    
    There is a loop in do_mlockall() that lacks a preemption point, which
    means that the following can happen on non-preemptible builds of the
    kernel. Dave Jones reports:
    
     "My fuzz tester keeps hitting this.  Every instance shows the non-irq
      stack came in from mlockall.  I'm only seeing this on one box, but
      that has more ram (8gb) than my other machines, which might explain
      it.
    
        INFO: rcu_preempt self-detected stall on CPU { 3}  (t=6500 jiffies g=470344 c=470343 q=0)
        sending NMI to all CPUs:
        NMI backtrace for cpu 3
        CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32
        Call Trace:
          lru_add_drain_all+0x15/0x20
          SyS_mlockall+0xa5/0x1a0
          tracesys+0xdd/0xe2"
    
    This commit addresses this problem by inserting the required preemption
    point.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
    Cc: Michel Lespinasse <walken@google.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mlock.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 76f841370db07c0bccd906a4749eca8c6bd51da2
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Sat Sep 21 06:27:00 2013 +0200

    Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47
    
    ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
    
    In the following scenario the socket is corked:
    If the first UDP packet is larger than the mtu we try to append it to the
    write queue via ip6_ufo_append_data. A following packet, which is smaller
    than the mtu would be appended to the already queued up gso-skb via
    plain ip6_append_data. This causes random memory corruptions.
    
    In ip6_ufo_append_data we also have to be careful to not queue up the
    same skb multiple times. So setup the gso frame only when no first skb
    is available.
    
    This also fixes a shortcoming where we add the current packet's length to
    cork->length but return early because of a packet > mtu with dontfrag set
    (instead of subtracting it again).
    
    Found with trinity.
    
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |   53 ++++++++++++++++++++----------------------------
 1 files changed, 22 insertions(+), 31 deletions(-)

commit b1d8b0c3e1570d868dfe92adb7ee9129da6287bd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 21:06:17 2013 -0400

    Don't log attempts to create a socket with a family that the kernel doesn't
    support.
    Further, if the kernel doesn't support the socket family, instead of returning
    -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6
    sockets in RBAC policy despite a kernel that doesn't support ipv6
    observed during a Debian userland update necessitating a policy change

 grsecurity/gracl_ip.c |    7 +++----
 net/socket.c          |   26 +++++++++++++++-----------
 2 files changed, 18 insertions(+), 15 deletions(-)

commit e3cebf5c349362b3049691d7dcd90b91362105d4
Merge: 132b250 db0cbbc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 20:41:08 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit db0cbbc8fa03a6a74130892082c8e60d6f67d091
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 27 20:40:06 2013 -0400

    Update to pax-linux-3.2.51-test122.patch:
    - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released)
    - beefed up latent entropy extraction
      - latent_entropy itself will be initialized to a compile-time random value (instead of 0)
      - entropy will be collected from various irq and softirq handlers

 block/blk-iopoll.c                |    2 +-
 block/blk-softirq.c               |    2 +-
 fs/binfmt_elf.c                   |   12 +++++++-----
 include/linux/genhd.h             |    2 +-
 include/linux/random.h            |    4 ++--
 kernel/hrtimer.c                  |    2 +-
 kernel/rcutiny.c                  |    2 +-
 kernel/rcutree.c                  |    2 +-
 kernel/sched_fair.c               |    2 +-
 kernel/softirq.c                  |    4 ++--
 kernel/timer.c                    |    2 +-
 net/core/dev.c                    |    4 ++--
 tools/gcc/latent_entropy_plugin.c |    2 +-
 13 files changed, 22 insertions(+), 20 deletions(-)

commit 132b250814211848e5e9f898dab35d17ce16723c
Merge: f257bde 5339a03
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 18 19:05:52 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 5339a032c210e775ccd1664e4492dd620b77499c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 18 19:05:10 2013 -0400

    Update to pax-linux-3.2.51-test121.patch:
    - better implementation of __read_only for modules

 arch/x86/include/asm/cache.h             |    4 ----
 drivers/net/ethernet/chelsio/cxgb3/sge.c |    6 +++---
 include/linux/cache.h                    |    4 ++++
 scripts/module-common.lds                |    4 ++++
 4 files changed, 11 insertions(+), 7 deletions(-)

commit f257bde95a137146c035b37610149f130bef245c
Merge: f817668 9117d25
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 20:41:20 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	security/security.c

commit 9117d25f8898cdb5c462372820eebfb74471fcc7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 20:40:00 2013 -0400

    Update to pax-linux-3.2.51-test120.patch:
    - added some latent entropy extraction to fork
    - got rid of reset_security_ops
    - added compile time checking for unavailable KERNEXEC accessors
    - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd)
    - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin
    - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743)
    - latent entropy will now be gathered from module init code as well (i.e., at module load/init time)
    - __read_only will now be enforced in modules as well
    - removed unnecessary __read_only from ntfs

 arch/x86/include/asm/cache.h  |    4 ++++
 fs/namespace.c                |    2 +-
 fs/ntfs/file.c                |    4 ++--
 include/asm-generic/pgtable.h |    8 ++++++++
 include/linux/fdtable.h       |    2 +-
 include/linux/init.h          |    7 -------
 include/linux/random.h        |   10 ++++++++++
 include/linux/security.h      |    2 --
 include/net/xfrm.h            |    6 +++++-
 init/main.c                   |   17 +++--------------
 kernel/fork.c                 |    5 +++--
 mm/mremap.c                   |    5 ++++-
 mm/page_alloc.c               |    1 +
 net/ipv4/xfrm4_policy.c       |    4 ++--
 net/ipv6/xfrm6_policy.c       |    4 ++--
 net/xfrm/xfrm_policy.c        |   11 ++---------
 security/security.c           |   13 ++-----------
 security/selinux/hooks.c      |    9 ++++++---
 tools/gcc/kernexec_plugin.c   |    4 ++--
 19 files changed, 58 insertions(+), 60 deletions(-)

commit f8176689855dc2f85ee4fc35d5078e5aeb6e5f02
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 14:20:46 2013 -0400

    compile fix for sctp/ipv6 backport

 net/sctp/ipv6.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b17a4d698ffa497a8aa2c241a2f9ded6b1e7b713
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 16 12:53:22 2013 -0400

    Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce
    
    author	Steffen Klassert <steffen.klassert@secunet.com>	2013-09-09 07:39:01 (GMT)
    committer	 Steffen Klassert <steffen.klassert@secunet.com>	2013-09-16 07:39:37 (GMT)
    
    xfrm: Fix replay size checking on async events
    We pass the wrong netlink attribute to xfrm_replay_verify_len().
    It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
    we are currently doing. This causes memory corruptions if the
    replay esn attribute has incorrect length. Fix this by passing
    the right attribute to xfrm_replay_verify_len().
    
    Reported-by: Michael Rossberg <michael.rossberg@tu-ilmenau.de>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/xfrm/xfrm_user.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f34821983f5328309b3eddc734df6c43cc455b72
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed Sep 11 16:58:36 2013 +0200

    Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7
    
    net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit
    
    Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not
    being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport
    does not seem to have the desired effect:
    
    SCTP + IPv4:
    
      22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116)
        192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72
      22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340)
        192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1):
    
    SCTP + IPv6:
    
      22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364)
        fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp
        1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10]
    
    Moreover, Alan says:
    
      This problem was seen with both Racoon and Racoon2. Other people have seen
      this with OpenSwan. When IPsec is configured to encrypt all upper layer
      protocols the SCTP connection does not initialize. After using Wireshark to
      follow packets, this is because the SCTP packet leaves Box A unencrypted and
      Box B believes all upper layer protocols are to be encrypted so it drops
      this packet, causing the SCTP connection to fail to initialize. When IPsec
      is configured to encrypt just SCTP, the SCTP packets are observed unencrypted.
    
    In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext"
    string on the other end, results in cleartext on the wire where SCTP eventually
    does not report any errors, thus in the latter case that Alan reports, the
    non-paranoid user might think he's communicating over an encrypted transport on
    SCTP although he's not (tcpdump ... -X):
    
      ...
      0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000  ]p.......}.l....
      0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000  ....plaintext...
    
    Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the
    receiver side. Initial follow-up analysis from Alan's bug report was done by
    Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this.
    
    SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit().
    This has the implication that it probably never really got updated along with
    changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers.
    
    SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since
    a call to inet6_csk_xmit() would solve this problem, but result in unnecessary
    route lookups, let us just use the cached flowi6 instead that we got through
    sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(),
    we do the route lookup / flow caching in sctp_transport_route(), hold it in
    tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in
    sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect
    of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst()
    instead to get the correct source routed dst entry, which we assign to the skb.
    
    Also source address routing example from 625034113 ("sctp: fix sctp to work with
    ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095
    it is actually 'recommended' to not use that anyway due to traffic amplification [1].
    So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if
    we overwrite the flow destination here, the lower IPv6 layer will be unable to
    put the correct destination address into IP header, as routing header is added in
    ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside,
    result of this patch is that we do not have any XfrmInTmplMismatch increase plus on
    the wire with this patch it now looks like:
    
    SCTP + IPv6:
    
      08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba:
        AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72
      08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a:
        AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296
    
    This fixes Kernel Bugzilla 24412. This security issue seems to be present since
    2.6.18 kernels. Let's just hope some big passive adversary in the wild didn't have
    its fun with that. lksctp-tools IPv6 regression test suite passes as well with
    this patch.
    
     [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
    
    Reported-by: Alan Chester <alan.chester@tekelec.com>
    Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/sctp/ipv6.c

 net/sctp/ipv6.c |   45 ++++++++++++++-------------------------------
 1 files changed, 14 insertions(+), 31 deletions(-)

commit 7afcbda7be5e7ccf2e341659213a1f389c7e7aa4
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Sun Sep 8 14:33:50 2013 +1000

    Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
    
    crypto: api - Fix race condition in larval lookup
    
    crypto_larval_lookup should only return a larval if it created one.
    Any larval created by another entity must be processed through
    crypto_larval_wait before being returned.
    
    Otherwise this will lead to a larval being killed twice, which
    will most likely lead to a crash.
    
    Cc: stable@vger.kernel.org
    Reported-by: Kees Cook <keescook@chromium.org>
    Tested-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    
    Conflicts:
    
    	crypto/api.c

 crypto/api.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit e8bcf1cecc667aaedb3b804adc3cdfab81609bff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Sep 14 16:36:24 2013 -0400

    Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 3d59df50f23eab65c537bc4937a78b08fa0095da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Sep 10 18:33:38 2013 -0400

    as mentioned in previous revert, undo the change to kmalloc_array
    that causes build errors on older GCC versions

 include/linux/slab.h |   10 ----------
 1 files changed, 0 insertions(+), 10 deletions(-)

commit 34a2ff67396d9588db478e26e9a4ca87443a0faf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Sep 10 18:30:42 2013 -0400

    Revert "reverse ordering of kcalloc call with two constant expression args that"
    
    This reverts commit 39c4503ed6669ac69268bede8a6ee4b90c2de60c.
    
    As already done with the 3.10 patch, undo this change and instead
    use a follow-up patch to undo the entire change to kmalloc_array
    as it causes build errors with older GCC versions

 drivers/net/ethernet/intel/e1000e/netdev.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 39c4503ed6669ac69268bede8a6ee4b90c2de60c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Sep 10 18:19:50 2013 -0400

    reverse ordering of kcalloc call with two constant expression args that
    exposes a GCC bug for all but the latest version

 drivers/net/ethernet/intel/e1000e/netdev.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 3fb04bec531de5182fa823ec1bbd25645715af49
Merge: c9bdd44 fa5e8ff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Sep 10 17:15:39 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/bio.c
    	include/linux/slab.h

commit fa5e8ff550a8ba177aceb989316b2a4c69baeeff
Merge: a8bb97c c3f403c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Sep 10 17:10:33 2013 -0400

    Update to pax-linux-3.2.51-test119.patch
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kernel/sys_x86_64.c
    	arch/x86/mm/mmap.c
    	include/linux/slab.h

commit c9bdd441c8d58e463af7cb1350a95b4f072d233a
Merge: 0d37569 a8bb97c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:50:56 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit a8bb97c7b26562d5be23bdbd37982950861325fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 8 19:50:26 2013 -0400

    - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger
    - fixed an uninitialized read in splice, reported by hunger

 fs/splice.c              |    1 +
 include/linux/syscalls.h |   20 ++++++++++++++------
 2 files changed, 15 insertions(+), 6 deletions(-)

commit 0d375691d6accab268a660e738cd6d7e3d16a9a8
Author: Jakob Bornecrantz <jakob@vmware.com>
Date:   Thu Aug 29 02:32:53 2013 +0200

    Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f
    
    drm/vmwgfx: Split GMR2_REMAP commands if they are too large
    
    This fixes the piglit test texturing/max-texture-size
    causing the VM to die due to a too large SVGA command.
    
    Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
    Reviewed-by: Biran Paul <brianp@vmware.com>
    Reviewed-by: Zack Rusin <zackr@vmware.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@gmail.com>

 drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c |   58 +++++++++++++++++++++++-----------
 1 files changed, 39 insertions(+), 19 deletions(-)

commit a4e9394a69199853445956ef2cb94030f6bf5abe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:36:23 2013 -0400

    fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB

 grsecurity/Kconfig |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 15e432fd1c539aa78522636e5359099ef66f8e9b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 19:17:02 2013 -0400

    Allow the deny_new_usb sysctl to be toggled off by a user with
    CAP_SYS_ADMIN.  This allows for more inventive uses of the feature
    that would be impossible otherwise (like toggling it while the screen is
    locked, etc)

 grsecurity/grsec_sysctl.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit d4f5c9517a4c6fb244992dd5bec318c48914f5c3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 5 18:41:49 2013 -0400

    Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what
    GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for
    users who know they want the functionality but don't want to bother
    with modifying init scripts
    
    Also eliminate reset_security_ops() as a ROP target when
    SECURITY_SELINUX_DISABLE is disabled as it's the only user

 grsecurity/Kconfig        |   17 ++++++++++++++++-
 grsecurity/grsec_init.c   |    3 +++
 grsecurity/grsec_sysctl.c |    2 +-
 security/security.c       |    4 ++++
 4 files changed, 24 insertions(+), 2 deletions(-)

commit a4a416ebee17db0240a8ed8ca64b204b613205ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 30 17:11:11 2013 -0400

    fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast

 grsecurity/grsec_sysctl.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 9e6662d6335ffbe8ab2c33f0f98bd40b4465d39b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 20:42:39 2013 -0400

    add export of gr_handle_new_usb()

 grsecurity/grsec_usb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 90280ce227d81e81004d3871a930fe5207c6604b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 19:24:47 2013 -0400

    Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit.
    Kees' recent findings are motivation enough to publish it
    
    Conflicts:
    
    	drivers/usb/core/hub.c

 drivers/usb/core/hub.c     |    4 ++++
 grsecurity/Kconfig         |   20 ++++++++++++++++++++
 grsecurity/Makefile        |    3 ++-
 grsecurity/grsec_init.c    |    1 +
 grsecurity/grsec_sysctl.c  |   11 +++++++++++
 grsecurity/grsec_usb.c     |   13 +++++++++++++
 include/linux/grinternal.h |    1 +
 include/linux/grsecurity.h |    2 ++
 8 files changed, 54 insertions(+), 1 deletions(-)

commit 2247ff86d4ee11fb96e70bea4b2c60a52e03974f
Merge: 6414043 0c7e99e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 15:15:57 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 0c7e99e26011b88ded65c1c1ebeb715193620827
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 1 15:15:13 2013 -0400

    Update to pax-linux-3.2.50-test118.patch:
    - fixed a REFCOUNT false positive, by Mathias Krause <minipli@googlemail.com>
    - fixed a bunch more after a quick audit of atomic_inc_return users
    - fixed a few more REFCOUNT false positives, by Mathias Krause <minipli@googlemail.com>
    - got inet_getid and ipv6_select_ident rid of the cmpxchg loop

 drivers/crypto/hifn_795x.c             |    4 ++--
 drivers/edac/edac_device.c             |    4 ++--
 drivers/edac/edac_pci.c                |    4 ++--
 drivers/firewire/core-card.c           |    4 ++--
 drivers/input/serio/serio_raw.c        |    4 ++--
 drivers/media/rc/rc-main.c             |    4 ++--
 drivers/media/video/ivtv/ivtv-driver.c |    2 +-
 drivers/media/video/v4l2-device.c      |    4 ++--
 drivers/net/usb/sierra_net.c           |    4 ++--
 drivers/regulator/core.c               |    4 ++--
 drivers/tty/hvc/hvsi.c                 |   14 +++++++-------
 drivers/tty/hvc/hvsi_lib.c             |    6 +++---
 drivers/tty/serial/ioc4_serial.c       |    6 +++---
 drivers/tty/serial/msm_serial.c        |    4 ++--
 drivers/usb/misc/appledisplay.c        |    4 ++--
 fs/afs/inode.c                         |    4 ++--
 fs/fscache/cookie.c                    |    4 ++--
 include/media/v4l2-device.h            |    2 +-
 include/net/inetpeer.h                 |   13 +++++--------
 kernel/trace/trace_clock.c             |    4 ++--
 net/ipv6/ip6_output.c                  |   15 ++++++---------
 net/xfrm/xfrm_state.c                  |    4 ++--
 security/selinux/avc.c                 |    6 +++---
 23 files changed, 59 insertions(+), 65 deletions(-)

commit 6414043ca36390f651f66a33eb5e1c7a553efa0b
Merge: ef56283 70a6353
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:05:24 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 70a6353af67a7a54baf9c659bb4486b3fd1b1143
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 31 21:04:42 2013 -0400

    Update to pax-linux-3.2.50-test117.patch:
    - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy
    - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do
    - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9)
      Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout
      (come to the 10th H2HC if you want to learn about the magic behind this and other plugins):
      - icmpv6_filter: no memory corruption, probably just some logical error in the caller
      - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable)
      - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come)
      - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now
      - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network
    - fixed a few more format strings
    - audited and fixed arm and sparc for proper atomic_unchecked_t usage

 arch/sparc/kernel/smp_64.c                 |   12 ++++++------
 arch/sparc/kernel/traps_64.c               |   14 +++++++-------
 arch/sparc/mm/init_64.c                    |   10 +++++-----
 arch/x86/include/asm/uaccess_64.h          |    2 +-
 drivers/isdn/gigaset/usb-gigaset.c         |    2 +-
 drivers/isdn/i4l/isdn_common.c             |    2 ++
 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 drivers/platform/x86/wmi.c                 |    2 +-
 drivers/scsi/sd.c                          |    2 +-
 fs/ntfs/file.c                             |    2 +-
 fs/ntfs/super.c                            |    6 +++---
 kernel/events/internal.h                   |    2 +-
 kernel/futex.c                             |    2 +-
 mm/filemap.c                               |    8 ++++----
 net/ieee802154/6lowpan.c                   |    2 +-
 net/ipv6/raw.c                             |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c    |    6 +++---
 sound/pci/hda/hda_codec.c                  |    8 ++------
 tools/gcc/kernexec_plugin.c                |   18 ++++++++++++------
 tools/gcc/latent_entropy_plugin.c          |   26 ++++++++++----------------
 tools/gcc/size_overflow_plugin.c           |    3 +--
 21 files changed, 66 insertions(+), 69 deletions(-)

commit ef5628372d9892795dd0a8696ddc8fab4a74ff3d
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 08:09:54 2013 -0700

    HID: check for NULL field when setting values
    
    Defensively check that the field to be worked on is not NULL.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-core.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit c8d4736c691ad51231517cc4b10b88d504b10bae
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:11:32 2013 -0700

    HID: multitouch: validate feature report details
    
    When working on report indexes, always validate that they are in bounds.
    Without this, a HID device could report a malicious feature report that
    could trick the driver into a heap overflow:
    
    [  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
    ...
    [  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2897
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    
    Conflicts:
    
    	drivers/hid/hid-multitouch.c

 drivers/hid/hid-multitouch.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 04c18a2f5869c41af7c7ca6bcdd362f26c427f88
Author: Kees Cook <keescook@chromium.org>
Date:   Fri Aug 16 00:18:15 2013 -0700

    HID: ntrig: validate feature report details
    
    A HID device could send a malicious feature report that would cause the
    ntrig HID driver to trigger a NULL dereference during initialization:
    
    [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
    ...
    [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
    [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
    
    CVE-2013-2896
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-ntrig.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 803ebf6239ea33a14617b9254883a1e5f3d6107b
Author: Kees Cook <keescook@chromium.org>
Date:   Tue Aug 13 16:49:01 2013 -0700

    HID: LG: validate HID output report details
    
    A HID device could send a malicious output report that would cause the
    lg, lg3, and lg4 HID drivers to write beyond the output report allocation
    during an event, causing a heap overflow:
    
    [  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
    ...
    [  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
    
    Additionally, while lg2 did correctly validate the report details, it was
    cleaned up and shortened.
    
    CVE-2013-2893
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-lg2ff.c |   19 +++----------------
 drivers/hid/hid-lg3ff.c |   29 ++++++-----------------------
 drivers/hid/hid-lg4ff.c |   20 +-------------------
 drivers/hid/hid-lgff.c  |   17 ++---------------
 4 files changed, 12 insertions(+), 73 deletions(-)

commit 72799ee97b29034f3f22825044dac1f5da6c8b1a
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 08:49:21 2013 -0700

    HID: pantherlord: validate output report details
    
    A HID device could send a malicious output report that would cause the
    pantherlord HID driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
    ...
    [  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2892
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-pl.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit cd970c289f9917510cf33ab0625b8f0d92aeb12b
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 09:35:07 2013 -0700

    HID: zeroplus: validate output report details
    
    The zeroplus HID driver was not checking the size of allocated values
    in fields it used. A HID device could send a malicious output report
    that would cause the driver to write beyond the output report allocation
    during initialization, causing a heap overflow:
    
    [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
    ...
    [ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
    
    CVE-2013-2889
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org

 drivers/hid/hid-zpff.c |   14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)

commit 18895733eb62abaad36afe16b7cfdea8bfd9fce0
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Aug 14 14:36:15 2013 -0700

    HID: provide a helper for validating hid reports
    
    Many drivers need to validate the characteristics of their HID report
    during initialization to avoid misusing the reports. This adds a common
    helper to perform validation of the report, its field count, and the
    value count within the fields.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    
    Conflicts:
    
    	drivers/hid/hid-core.c
    	include/linux/hid.h

 drivers/hid/hid-core.c |   50 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/hid.h    |    4 +++
 2 files changed, 54 insertions(+), 0 deletions(-)

commit 7830d35b25b97bc978d7e1cd7d9e34d8776dc591
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 18:07:26 2013 -0400

    http://marc.info/?l=linux-input&m=137772180514608&q=raw
    
    From: Kees Cook <keescook@chromium.org>
    
    The "Report ID" field of a HID report is used to build indexes of
    reports. The kernel's index of these is limited to 256 entries, so any
    malicious device that sets a Report ID greater than 255 will trigger
    memory corruption on the host:
    
    [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
    [ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
    
    CVE-2013-2888
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@kernel.org
    ---
     drivers/hid/hid-core.c |   10 +++++++---
     include/linux/hid.h    |    4 +++-
     2 files changed, 10 insertions(+), 4 deletions(-)

 drivers/hid/hid-core.c |   10 +++++++---
 include/linux/hid.h    |    4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)
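
The two HID commits above come down to one rule: a device-supplied index, whether a Report ID, a field number or a value count, is untrusted input and has to be bounds-checked before it selects anything. The C below is an example added for this edit, not code from the kernel or from Kees Cook's patches. It models a cut-down report table (the 256-entry limit is the one the commit message gives; the struct layout and the model_* names are assumptions) with the registration check that CVE-2013-2888 lacked, plus a validate-before-use helper in the spirit of the common helper the earlier commit adds. The scenarios use constructed reports.

```c
#include <stdlib.h>
#include <string.h>

/* Cut-down model of the HID report tree (an assumption for this example,
 * not the kernel's real structures): a device has up to 256 reports indexed
 * by the 8-bit Report ID, each report has fields, each field holds
 * report_count values. */
#define HID_MAX_IDS    256
#define HID_MAX_FIELDS 8

struct hid_field  { unsigned report_count; int *value; };
struct hid_report { unsigned id, maxfield; struct hid_field *field[HID_MAX_FIELDS]; };
struct hid_device { struct hid_report *report_id_hash[HID_MAX_IDS]; };

/* Register or look up the report with Report ID `id`. Without the
 * id >= HID_MAX_IDS check, a device-chosen id of 256 or more indexes past
 * report_id_hash[], the bug class behind CVE-2013-2888. */
static struct hid_report *model_register_report(struct hid_device *dev, unsigned id)
{
    struct hid_report *r;

    if (id >= HID_MAX_IDS)
        return NULL;
    if (dev->report_id_hash[id])
        return dev->report_id_hash[id];
    r = calloc(1, sizeof(*r));
    if (!r)
        return NULL;
    r->id = id;
    dev->report_id_hash[id] = r;
    return r;
}

/* What a driver must establish before it touches report values: the report
 * exists, field_index is below its field count, and that field holds at
 * least report_counts values. Returns the report, or NULL to refuse it. */
static struct hid_report *model_validate_values(struct hid_device *dev, unsigned id,
                                                unsigned field_index, unsigned report_counts)
{
    struct hid_report *r;

    if (id >= HID_MAX_IDS || !(r = dev->report_id_hash[id]))
        return NULL;
    if (field_index >= r->maxfield)
        return NULL;
    if (r->field[field_index]->report_count < report_counts)
        return NULL;
    return r;
}

/* Add one field of `count` values to report `id` (descriptor data that the
 * device, not the driver, controls). */
static struct hid_report *model_add_report(struct hid_device *dev, unsigned id, unsigned count)
{
    struct hid_report *r = model_register_report(dev, id);
    struct hid_field *f;

    if (!r || r->maxfield >= HID_MAX_FIELDS)
        return NULL;
    f = calloc(1, sizeof(*f));
    if (!f)
        return NULL;
    f->report_count = count;
    f->value = calloc(count ? count : 1, sizeof(int));
    r->field[r->maxfield++] = f;
    return r;
}

/* Scenario: fresh device, one report `id` whose single field advertises
 * `count` values, then a driver that wants to set value[0..2].
 * Returns 0 if the write was allowed, -1 if the report was refused. */
static int model_scenario(unsigned id, unsigned count)
{
    struct hid_device dev;
    struct hid_report *r;
    int rc = -1;

    memset(&dev, 0, sizeof(dev));
    r = model_add_report(&dev, id, count);
    if (!r)
        return -1;
    if (model_validate_values(&dev, id, 0, 3)) {   /* validate, then write */
        r->field[0]->value[0] = 1;
        r->field[0]->value[1] = 2;
        r->field[0]->value[2] = 3;
        rc = 0;
    }
    free(r->field[0]->value);
    free(r->field[0]);
    free(r);
    return rc;
}
```

Returning the report from the validator gives drivers one place to refuse a malformed descriptor instead of each open-coding the three checks, which is the shape that lets per-driver code get shorter rather than longer when it is hardened.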

commit 1a60670ca0d3e2175e708b8d7c9739d96113ae3c
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Aug 9 12:52:31 2013 +0300

    Upstream commit: 909bd5926d474e275599094acad986af79671ac9
    
    Hostap: copying wrong data prism2_ioctl_giwaplist()
    
    We want the data stored in "addr" and "qual", but the extra ampersands
    mean we are copying stack data instead.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/hostap/hostap_ioctl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f6f0309783be6c4bb46dff80398eb4a944a26f03
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 28 17:00:03 2013 -0400

    fix typo in ipv6 backport

 net/ipv6/addrconf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 800d64cf6f4a9dd14722be1a247dcb490db7e920
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 21:25:10 2013 -0400

    second compile fix for backported fix

 fs/bio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dcb28104a359cbabfb6750f0fc00e7a6d2096e5a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 19:35:11 2013 -0400

    compile fix for backported fix

 fs/bio.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c0f11a5a77a475a5f64774a3f2fa65ddc484dfb7
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Aug 16 13:02:27 2013 +0200

    Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52
    
    ipv6: remove max_addresses check from ipv6_create_tempaddr
    
    Because of the max_addresses check attackers were able to disable privacy
    extensions on an interface by creating enough autoconfigured addresses:
    
    <http://seclists.org/oss-sec/2012/q4/292>
    
    But the check is not actually needed: max_addresses protects the
    kernel from installing too many ipv6 addresses on an interface and
    keeps addrconf_prefix_rcv from installing further addresses as soon as
    this limit is reached. We only generate temporary addresses in direct
    response to a new address showing up. As soon as we have filled up the
    maximum number of addresses of an interface, we stop installing more
    addresses and thus also stop generating more temp addresses.
    
    Even if the attacker tries to generate a lot of temporary addresses
    by announcing a prefix and removing it again (lifetime == 0) we won't
    install more temp addresses, because the temporary addresses do count
    to the maximum number of addresses, thus we would stop installing new
    autoconfigured addresses when the limit is reached.
    
    This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
    possible).
    
    Thanks to Ding Tianhong to bring this topic up again.
    
    Cc: Ding Tianhong <dingtianhong@huawei.com>
    Cc: George Kargiotakis <kargig@void.gr>
    Cc: P J P <ppandit@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv6/addrconf.c
    
    Conflicts:
    
    	net/ipv6/addrconf.c

 net/ipv6/addrconf.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit de53c8d09bfe74bdcf3d649191882a6e0b816e83
Author: Roland Dreier <roland@purestorage.com>
Date:   Mon Aug 5 17:55:01 2013 -0700

    Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091
    
    [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
    
    There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
    leads to one process writing data into the address space of some other
    random unrelated process if the ioctl is interrupted by a signal.
    What happens is the following:
    
     - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
       underlying SCSI command will transfer data from the SCSI device to
       the buffer provided in the ioctl)
    
     - Before the command finishes, a signal is sent to the process waiting
       in the ioctl.  This will end up waking up the sg_ioctl() code:
    
    		result = wait_event_interruptible(sfp->read_wait,
    			(srp_done(sfp, srp) || sdp->detached));
    
       but neither srp_done() nor sdp->detached is true, so we end up just
       setting srp->orphan and returning to userspace:
    
    		srp->orphan = 1;
    		write_unlock_irq(&sfp->rq_list_lock);
    		return result;	/* -ERESTARTSYS because signal hit process */
    
       At this point the original process is done with the ioctl and
       blithely goes ahead handling the signal, reissuing the ioctl, etc.
    
     - Eventually, the SCSI command issued by the first ioctl finishes and
       ends up in sg_rq_end_io().  At the end of that function, we run through:
    
    	write_lock_irqsave(&sfp->rq_list_lock, iflags);
    	if (unlikely(srp->orphan)) {
    		if (sfp->keep_orphan)
    			srp->sg_io_owned = 0;
    		else
    			done = 0;
    	}
    	srp->done = done;
    	write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
    
    	if (likely(done)) {
    		/* Now wake up any sg_read() that is waiting for this
    		 * packet.
    		 */
    		wake_up_interruptible(&sfp->read_wait);
    		kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
    		kref_put(&sfp->f_ref, sg_remove_sfp);
    	} else {
    		INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
    		schedule_work(&srp->ew.work);
    	}
    
       Since srp->orphan *is* set, we set done to 0 (assuming the
       userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
       ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
       to run in a workqueue.
    
     - In workqueue context we go through sg_rq_end_io_usercontext() ->
       sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
       bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
    
       The key point here is that we are doing copy_to_user() on a
       workqueue -- that is, we're on a kernel thread with current->mm
       equal to whatever random previous user process was scheduled before
       this kernel thread.  So we end up copying whatever data the SCSI
       command returned to the virtual address of the buffer passed into
       the original ioctl, but it's quite likely we do this copying into a
       different address space!
    
    As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
    add a check for current->mm (which is NULL if we're on a kernel thread
    without a real userspace address space) in bio_uncopy_user(), and skip
    the copy if we're on a kernel thread.
    
    There's no reason that I can think of for any caller of bio_uncopy_user()
    to want to do copying on a kernel thread with a random active userspace
    address space.
    
    Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
    original pointer to this bug in the sg code.
    
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Tested-by: David Milburn <dmilburn@redhat.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>

 fs/bio.c |   20 +++++++++++++++-----
 1 files changed, 15 insertions(+), 5 deletions(-)

commit bdf13155a365a0c7a3d53bbd43188fd7f9b61996
Merge: 5c8a915 ada87c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:18:08 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit ada87c4bd0c29b60728b3bc2e9d99d8b82adbdf7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 27 18:17:28 2013 -0400

    Update to pax-linux-3.2.50-test116.patch:
    - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214)
    - fixed some new REFCOUNT false positives, caught by inspection

 fs/ceph/super.c       |    4 ++--
 kernel/posix-timers.c |    2 +-
 mm/backing-dev.c      |    4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

commit 5c8a915cc3dff9738d0a40a3b099fa8f17277ae3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 20 20:17:14 2013 -0400

    Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db"
    
    This reverts commit e2ea872bcfef59633a5600c1da2c4ea08bb70b57.

 net/netlink/genetlink.c |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit 2a9496a83ed15db6423d2d347bbccdeae50f4cf3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jun 12 10:37:08 2012 +0300

    Upstream commit: 0439f31c35d1da0b28988b308ea455e38e6a350d
    
    NFSv4.1: integer overflow in decode_cb_sequence_args()
    
    This seems like it could overflow on 32 bits.  Use kmalloc_array() which
    has overflow protection built in.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 fs/nfs/callback_xdr.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 87e36df7119c5c2c6f1931d8ecd4f3e44f052147
Author: Xi Wang <xi.wang@gmail.com>
Date:   Mon Mar 5 15:14:41 2012 -0800

    Upstream commit: a8203725dfded5c1f79dca3368a4a273e24b59bb
    
    slab: introduce kmalloc_array()
    
    Introduce a kmalloc_array() wrapper that performs integer overflow
    checking without zeroing the memory.
    
    Suggested-by: Andrew Morton <akpm@linux-foundation.org>
    Suggested-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Pekka Enberg <penberg@kernel.org>

 include/linux/slab.h |   17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

commit 463c66be36e70bbaeeff2d474595f20c40fc05db
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Jun 26 10:52:20 2013 +0300

    Upstream commit: bd5fe738e388ceaa32e5171481e0d3ec59f0ccfe
    
    ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info()
    
    "idx" is controlled by the user and can be a negative offset into the
    input_names[] array.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

 sound/i2c/other/ak4xxx-adda.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a1170de58f01454514217ac0afe5c1f2d31f8921
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Sep 27 22:21:19 2012 +0000

    Upstream commit: f674e72ff1aad23a99c7c205473cf02c85c2ac33
    
    net/key/af_key.c: add range checks on ->sadb_x_policy_len
    
    Because sizeof() is size_t, if "len" is negative it counts as a
    large positive value.
    
    The call tree looks like:
    pfkey_sendmsg()
    -> pfkey_process()
       -> pfkey_spdadd()
          -> parse_ipsecrequests()
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/key/af_key.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 857e093b0c208917ab38c9251b71c8ea3f712ef0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 12:00:20 2013 -0400

    make kallsyms_lookup_size_offset available to approved source files

 include/linux/kallsyms.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit f07d461b42dc443d9d909148f69a4e62ab261e1b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 11:18:09 2013 -0400

    allow use of kallsyms_lookup_name to approved source files

 include/linux/kallsyms.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit a8274f87643dfb5dbc08c30d7a1b7947d2419463
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 10:52:15 2013 -0400

    Backported version of:
    
        Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e
    
        tun: signedness bug in tun_get_user()
    
        The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
        not totally correct.  Because "len" and "sizeof()" are size_t type, that
        means they are never less than zero.
    
        Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
        Acked-by: Michael S. Tsirkin <mst@redhat.com>
        Acked-by: Neil Horman <nhorman@tuxdriver.com>
        Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/tun.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
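
The af_key and tun fixes above are two faces of one C pitfall: in a comparison between a signed length and sizeof() (a size_t) the signed operand is converted to unsigned, so a negative length looks enormous, and a `< 0` test on a size_t can never be true. The following example was added for this edit and is not taken from either patch. It uses a constructed PF_KEY-style message layout (lengths in 8-byte units including the header, with made-up struct and function names, all assumptions) and shows the broken parser beside the hardened one; the ERR_OOB instrumentation exists only so the broken version stays memory-safe here, the real code had no such guard. The tun-style helper at the end shows the size_t variant on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed PF_KEY-style layout, an assumption for this example rather than
 * the real sadb structures: the policy extension states its total length in
 * 8-byte units, each ipsecrequest record states its own length in bytes. */
struct policy_hdr   { uint16_t len; uint16_t exttype; uint8_t pad[4]; };
struct ipsecrequest { uint16_t len; uint16_t proto;   uint8_t pad[4]; };

#define ERR_INVAL (-1)   /* rejected by an explicit check */
#define ERR_OOB   (-2)   /* instrumentation only: parser stepped past the buffer */

/* The pattern the af_key fix describes: `len` is int but is compared with
 * sizeof() (size_t), so a header that declares less than its own size makes
 * len negative, which converts to a huge unsigned value and enters the loop.
 * The bufsize guard exists only to keep this example memory-safe. */
static int count_requests_broken(const unsigned char *buf, size_t bufsize)
{
    const struct policy_hdr *pol = (const struct policy_hdr *)buf;
    int len = pol->len * 8 - sizeof(*pol);         /* -8 when pol->len == 0 */
    size_t off = sizeof(*pol);
    int n = 0;

    while (len >= sizeof(struct ipsecrequest)) {   /* int vs size_t: -8 passes */
        const struct ipsecrequest *rq;
        if (off + sizeof(*rq) > bufsize)
            return ERR_OOB;
        rq = (const struct ipsecrequest *)(buf + off);
        if (rq->len < sizeof(*rq))
            return ERR_INVAL;
        n++;
        len -= rq->len;
        off += rq->len;
    }
    return n;
}

/* Hardened version: range-check the declared length against the header size
 * and the bytes actually received before doing arithmetic on it, and keep
 * every length unsigned so no comparison silently changes sign. */
static int count_requests_fixed(const unsigned char *buf, size_t bufsize)
{
    const struct policy_hdr *pol = (const struct policy_hdr *)buf;
    size_t total, len, off = sizeof(*pol);
    int n = 0;

    if (bufsize < sizeof(*pol))
        return ERR_INVAL;
    total = (size_t)pol->len * 8;
    if (total < sizeof(*pol) || total > bufsize)
        return ERR_INVAL;
    for (len = total - sizeof(*pol); len >= sizeof(struct ipsecrequest); ) {
        const struct ipsecrequest *rq = (const struct ipsecrequest *)(buf + off);
        if (rq->len < sizeof(*rq) || rq->len > len)
            return ERR_INVAL;
        n++;
        len -= rq->len;
        off += rq->len;
    }
    return n;
}

/* The tun variant of the same mistake: after subtracting a header from a
 * size_t, testing `< 0` is never true, so a too-short packet wraps towards
 * SIZE_MAX instead of being rejected. */
struct pkt_info { uint16_t flags, proto; };        /* assumed 4-byte header */

static size_t payload_len_broken(size_t len)
{
    if ((len -= sizeof(struct pkt_info)) < 0)        /* always false */
        return 0;
    return len;                                      /* 2 - 4 == SIZE_MAX - 1 */
}

static long payload_len_fixed(size_t len)
{
    if (len < sizeof(struct pkt_info))               /* compare before subtracting */
        return -1;
    return (long)(len - sizeof(struct pkt_info));
}

/* Build a message whose policy header declares `units` 8-byte units, append
 * `nreq` well-formed records (constructed sample data), then parse it. */
static int run_case(uint16_t units, int nreq, int use_broken)
{
    uint64_t raw[8];                                 /* 64 aligned bytes */
    unsigned char *buf = (unsigned char *)raw;
    struct policy_hdr pol = { units, 0x12, { 0 } };
    struct ipsecrequest rq = { sizeof(struct ipsecrequest), 50, { 0 } };
    size_t size = sizeof(pol) + (size_t)nreq * sizeof(rq);
    int i;

    if (nreq < 0 || size > sizeof(raw))
        return ERR_INVAL;
    memset(raw, 0, sizeof(raw));
    memcpy(buf, &pol, sizeof(pol));
    for (i = 0; i < nreq; i++)
        memcpy(buf + sizeof(pol) + i * sizeof(rq), &rq, sizeof(rq));
    return use_broken ? count_requests_broken(buf, size)
                      : count_requests_fixed(buf, size);
}
```

With a declared policy length of zero the broken parser walks off the end of the message and only the instrumentation stops it; the hardened one rejects the header before reading a single record. Compiling with -Wextra flags both the int/size_t comparison and the always-false `< 0` test, which is the cheapest way to find this class in a tree.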

commit 82b9361dfb58aae965d82e52310acb5a4451b541
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Aug 5 12:49:35 2013 +0200

    Upstream commit: 7921895a5e852fc99de347bc0600659997de9298
    
    net: esp{4,6}: fix potential MTU calculation overflows
    
    Commit 91657eafb ("xfrm: take net hdr len into account for esp payload
    size calculation") introduced a possible integer overflow in
    esp{4,6}_get_mtu() handlers in case of x->props.mode equals
    XFRM_MODE_TUNNEL. Thus, the following expression will overflow
    
      unsigned int net_adj;
      ...
      <case ipv{4,6} XFRM_MODE_TUNNEL>
             net_adj = 0;
      ...
      return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) -
               net_adj) & ~(align - 1)) + (net_adj - 2);
    
    where (net_adj - 2) would be evaluated as <foo> + (0 - 2) in an unsigned
    context. Fix it by simply removing brackets as those operations here
    do not need to have special precedence.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Benjamin Poirier <bpoirier@suse.de>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Benjamin Poirier <bpoirier@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    2 +-
 net/ipv6/esp6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 37dcd45822cb5be56c9deeea40e5a81910b5965a
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Aug 5 11:18:49 2013 -0700

    Upstream commit: aab515d7c32a34300312416c50314e755ea6f765
    
    fib_trie: remove potential out of bound access
    
    AddressSanitizer [1] dynamic checker pointed out a potential
    out-of-bounds access in leaf_walk_rcu()
    
    We could allocate one more slot in tnode_new() to leave the prefetch()
    in-place but it looks not worth the pain.
    
    Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")
    
    [1] :
    https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
    
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/fib_trie.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit 99d235022ef6b4a40301bb285dbf6561e25dd8a0
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 25 10:37:49 2013 +0200

    Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd
    
    netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
    
    Make sure the packet has enough room for the TCP header and
    that it is not malformed.
    
    While at it, store tcph->doff*4 in a variable, as it is used
    several times.
    
    This patch also fixes a possible off by one in case of malformed
    TCP options.
    
    Reported-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/xt_TCPMSS.c |   28 ++++++++++++++++------------
 1 files changed, 16 insertions(+), 12 deletions(-)
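
The xt_TCPMSS fix above reduces to a checklist for anyone walking TCP options: verify the segment holds a full fixed header, derive the header length from doff once, check it against the bytes actually present, and then require every option to fit inside that header with a length of at least 2. The following C is an example added for this edit rather than the netfilter code; it implements that walk over raw bytes with a minimal fixed-header layout (data offset in the upper nibble of byte 12) and constructed sample segments, so the short-packet and over-long-option cases can be exercised.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_MSS     2
#define TCPOLEN_MSS    4
#define TCP_MIN_HDRLEN 20

#define MSS_NONE      (-1)   /* well-formed header, no MSS option present */
#define MSS_MALFORMED (-2)   /* header or option list does not fit together */

/* Return the MSS from a TCP segment, or a negative status. `pkt` points at
 * the TCP header and `len` is the number of bytes available from there.
 * Every bound is derived from tcp_hdrlen, computed once from the data
 * offset field and checked against `len` before any option is touched. */
static int tcp_find_mss(const uint8_t *pkt, size_t len)
{
    size_t tcp_hdrlen, i;

    if (len < TCP_MIN_HDRLEN)
        return MSS_MALFORMED;
    tcp_hdrlen = (size_t)(pkt[12] >> 4) * 4;      /* data offset in 32-bit words */
    if (tcp_hdrlen < TCP_MIN_HDRLEN || tcp_hdrlen > len)
        return MSS_MALFORMED;                     /* doff lies about the header */

    for (i = TCP_MIN_HDRLEN; i < tcp_hdrlen; ) {
        uint8_t kind = pkt[i], optlen;

        if (kind == TCPOPT_EOL)
            return MSS_NONE;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= tcp_hdrlen)                  /* kind byte with no length byte */
            return MSS_MALFORMED;
        optlen = pkt[i + 1];
        /* An option must lie entirely inside the header: i + optlen may equal
         * tcp_hdrlen but never exceed it (the boundary where off-by-ones of
         * the kind the fix mentions live); optlen < 2 would never advance. */
        if (optlen < 2 || i + optlen > tcp_hdrlen)
            return MSS_MALFORMED;
        if (kind == TCPOPT_MSS) {
            if (optlen != TCPOLEN_MSS)
                return MSS_MALFORMED;
            return (pkt[i + 2] << 8) | pkt[i + 3];  /* network byte order */
        }
        i += optlen;
    }
    return MSS_NONE;
}

/* Constructed sample segments (only byte 12 and the option area matter here;
 * ports, sequence numbers and checksum are left zero). */
static int sample_mss(int which)
{
    uint8_t pkt[40] = { 0 };
    size_t len;

    switch (which) {
    case 0: /* doff=6 (24-byte header), MSS option = 1460 */
        pkt[12] = 6 << 4; pkt[20] = 2; pkt[21] = 4; pkt[22] = 0x05; pkt[23] = 0xb4;
        len = 24; break;
    case 1: /* doff=6 but only 22 bytes were received: header does not fit */
        pkt[12] = 6 << 4; pkt[20] = 2; pkt[21] = 4; len = 22; break;
    case 2: /* NOP NOP then an MSS option that would run 2 bytes past doff */
        pkt[12] = 6 << 4; pkt[20] = 1; pkt[21] = 1; pkt[22] = 2; pkt[23] = 4;
        len = 24; break;
    case 3: /* option length 0: would loop forever without the optlen check */
        pkt[12] = 6 << 4; pkt[20] = 3; pkt[21] = 0; len = 24; break;
    case 4: /* doff=5: no options at all */
        pkt[12] = 5 << 4; len = 20; break;
    case 5: /* doff=4: shorter than the fixed header */
        pkt[12] = 4 << 4; len = 24; break;
    default:
        return MSS_MALFORMED;
    }
    return tcp_find_mss(pkt, len);
}

int main(void)
{
    int i;

    for (i = 0; i < 6; i++)
        printf("segment %d: %d\n", i, sample_mss(i));
    return 0;
}
```

Storing tcp_hdrlen once and using it for every bound is what the commit message recommends, and it is also what makes the walk auditable: there is exactly one place where a device- or network-supplied length is turned into an index.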

commit 417e051f405ad586533ac9a0856c428f052373ff
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 1 12:36:57 2013 +0300

    Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981
    
    netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
    
    These structs have a "_pad" member.  Also the "phw" structs have an 8
    byte "hw_addr[]" array but sometimes only the first 6 bytes are
    initialized.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    
    Conflicts:
    
    	net/netfilter/nfnetlink_queue_core.c

 net/netfilter/nfnetlink_log.c   |    6 +++++-
 net/netfilter/nfnetlink_queue.c |    5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

commit e55c78bca09694350aed5690876dd018916a6e15
Author: Yuchung Cheng <ycheng@google.com>
Date:   Fri Aug 9 17:21:27 2013 -0700

    Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296
    
    netfilter: nf_conntrack: fix tcp_in_window for Fast Open
    
    Currently the conntrack checks if the ending sequence of a packet
    falls within the observed receive window. However it does so even
    if it has not observed any packet from the remote yet and uses an
    uninitialized receive window (td_maxwin).
    
    If a connection uses Fast Open to send a SYN-data packet which is
    dropped afterward in the network, the subsequent SYN retransmits
    will all fail this check and be discarded, leading to a connection
    timeout. This is because the SYN retransmit does not contain data
    payload so
    
    end == initial sequence number (isn) + 1
    sender->td_end == isn + syn_data_len
    receiver->td_maxwin == 0
    
    The fix is to only apply this check after td_maxwin is initialized.
    
    Reported-by: Michael Chan <mcfchan@stanford.edu>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_conntrack_proto_tcp.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit e2ea872bcfef59633a5600c1da2c4ea08bb70b57
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Aug 13 09:04:05 2013 +0200

    Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db
    
    genetlink: fix family dump race
    
    When dumping generic netlink families, only the first dump call
    is locked with genl_lock(), which protects the list of families,
    and thus subsequent calls can access the data without locking,
    racing against family addition/removal. This can cause a crash.
    Fix it - the locking needs to be conditional because the first
    time around it's already locked.
    
    A similar bug was reported to me on an old kernel (3.4.47) but
    the exact scenario that happened there is no longer possible,
    on those kernels the first round wasn't locked either. Looking
    at the current code I found the race described above, which had
    also existed on the old kernel.
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/netlink/genetlink.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 820289eae39d1945d5fb84913c3dfc4e8c0e33d8
Author: Stephen Boyd <sboyd@codeaurora.org>
Date:   Wed Aug 7 16:18:08 2013 -0700

    Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb
    
    perf/arm: Fix armpmu_map_hw_event()
    
    Fix constraint check in armpmu_map_hw_event().
    
    Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/arm/kernel/perf_event.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 4ab64e69bc1dc398e4f511e06a29dd2647f1f3ec
Merge: 9e87b47 7653058
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:17:40 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/exec.c
    	security/Kconfig

commit 765305847a7259e4ca5d577e8c9a778c9f454aec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 09:15:16 2013 -0400

    Update to pax-linux-3.2.50-test115.patch:
    - added a few more missing format strings
    - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable
    - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time
    - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692)
    - disabled preemption when calling show_regs, reported by Corey Minyard

 arch/x86/include/asm/processor.h           |    3 +-
 arch/x86/kernel/dumpstack.c                |    2 +-
 arch/x86/kernel/reboot_fixups_32.c         |    2 +-
 drivers/net/wireless/iwlwifi/iwl-debugfs.c |    8 ++--
 drivers/video/backlight/backlight.c        |    2 +-
 drivers/video/backlight/lcd.c              |    2 +-
 fs/binfmt_elf.c                            |   51 ++++++++++++++++++++++++---
 fs/exec.c                                  |   52 ++++++++++++++--------------
 include/linux/math64.h                     |    2 +-
 include/linux/sched.h                      |    2 +
 security/Kconfig                           |    2 -
 11 files changed, 85 insertions(+), 43 deletions(-)

commit 9e87b47004741f7a5b4a9e3f4508ff1b0a4587df
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 17 08:58:34 2013 -0400

    Fix two harmless compiler warnings
    
    Conflicts:
    
    	arch/arm/kernel/process.c
    	fs/exec.c

 arch/arm/kernel/process.c |    4 ++--
 fs/exec.c                 |    3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

commit 804a8eb5f0c84b00927bee2644d976c349ba9159
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 16 22:46:01 2013 -0400

    Fix HIDESYM compatibility with kprobes, as reported by feandil at:
    http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376

 include/linux/kallsyms.h |    2 +-
 kernel/kprobes.c         |    3 +++
 2 files changed, 4 insertions(+), 1 deletions(-)

commit 20fd4b46f7b4f0c43f6e5c58738c75c9c7693fbd
Author: yonghua zheng <younghua.zheng@gmail.com>
Date:   Tue Aug 13 16:01:03 2013 -0700

    fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
    
    Recently we met quite a lot of random kernel panic issues after enabling
    CONFIG_PROC_PAGE_MONITOR.  After debugging we found this has something
    to do with following bug in pagemap:
    
    In struct pagemapread:
    
      struct pagemapread {
          int pos, len;
          pagemap_entry_t *buffer;
          bool v2;
      };
    
    pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
    buffer, it is a mistake to compare pos and len in add_page_map() for
    checking buffer is full or not, and this can lead to buffer overflow and
    random kernel panic issue.
    
    Correct len to be total number of PM_ENTRY_BYTES in buffer.
    
    [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
    Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	fs/proc/task_mmu.c
    
    Conflicts:
    
    	fs/proc/task_mmu.c

 fs/proc/task_mmu.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
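
The unit mismatch described in this commit message, as an added C example that is not the kernel's fs/proc/task_mmu.c code: a simplified add_page_map() keeps the same `pos >= len` check and is run once with len in bytes (the bug) and once with len in entries (the fix). The struct layout and PM_ENTRY_BYTES follow the commit message; the oversized backing allocation is an assumption made for the demo so the buggy variant's out-of-range entries stay inside allocated memory while they are counted.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Same shape as the kernel's pagemap_entry_t: one 64-bit word per entry. */
typedef struct { uint64_t pme; } pagemap_entry_t;
#define PM_ENTRY_BYTES sizeof(pagemap_entry_t)

struct pagemapread {
    int pos, len;            /* pos: entries written; len: see init below */
    pagemap_entry_t *buffer;
};

/* The check the commit message describes. It is only correct when pos and
 * len are expressed in the same unit (entries). 0 on success, -1 when full. */
static int add_page_map(struct pagemapread *pm, uint64_t pme)
{
    if (pm->pos >= pm->len)
        return -1;
    pm->buffer[pm->pos++].pme = pme;
    return 0;
}

/* Set up a pagemapread for a user buffer of nbytes. Before the fix, len was
 * the byte size of the buffer; after the fix it is the number of
 * PM_ENTRY_BYTES-sized entries that fit in it. */
static void pagemapread_init(struct pagemapread *pm, size_t nbytes, int fixed)
{
    pm->pos = 0;
    pm->len = fixed ? (int)(nbytes / PM_ENTRY_BYTES) : (int)nbytes;
    /* Constructed for the demo: allocate nbytes *entries*, far more than the
     * nbytes the caller asked for, so the buggy variant cannot corrupt
     * memory while we count how many entries it would accept. */
    pm->buffer = calloc(nbytes, sizeof(pagemap_entry_t));
}

/* Count how many entries add_page_map() accepts before reporting "full". */
static int entries_accepted(size_t nbytes, int fixed)
{
    struct pagemapread pm;
    int n = 0;

    pagemapread_init(&pm, nbytes, fixed);
    if (!pm.buffer)
        return -1;
    while (add_page_map(&pm, 0x8000000000000001ULL) == 0)
        n++;
    free(pm.buffer);
    return n;
}

/* 1 if the accepted entries would overrun a real nbytes-sized buffer. */
static int overruns_buffer(size_t nbytes, int fixed)
{
    int n = entries_accepted(nbytes, fixed);
    return n > 0 && (size_t)n * PM_ENTRY_BYTES > nbytes;
}

int main(void)
{
    /* A 4096-byte buffer holds 512 entries; the buggy check accepts 4096. */
    return (overruns_buffer(4096, 0) && !overruns_buffer(4096, 1)) ? 0 : 1;
}
```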

commit a07c5eedb6844c751a6148014846beaf83d1be7c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 10 09:45:03 2013 -0400

    Fix compilation of sparc64 hugetlbpage support as reported by @tweetkiba
    Also pass through the same offset from the main function instead of
    recomputing it for bottomup/topdown

 arch/sparc/mm/hugetlbpage.c |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

commit 6dcdcd3d6777018c50df4fbd17c279ccf4a27d24
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:54:51 2013 -0400

    add include

 grsecurity/grsec_log.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e615489ea0edd10937af2f818db3262e4c7c7bf6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 23:49:13 2013 -0400

    fix compilation

 include/linux/grinternal.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit bdd549716c40da0eb8962c9c81f42c0a828b68ed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 19:00:24 2013 -0400

    Improve PaX reporting (tells when anon mapping is stack or heap)
    Remove textrel logging option, combine into rwx logging option
    Enhance RWX logging option to display when PT_GNU_STACK-enabled library
    is loaded under an MPROTECTed binary
    Enhance RWX mprotect logging to display stack/heap instead of just
    anon mapping

 fs/binfmt_elf.c            |   37 +++++++++++++++++++++++++++++++++++++
 fs/exec.c                  |    6 +++++-
 grsecurity/Kconfig         |   21 +++++----------------
 grsecurity/grsec_init.c    |    4 ----
 grsecurity/grsec_log.c     |   14 ++++++++++++++
 grsecurity/grsec_pax.c     |   19 ++++++++++++++-----
 grsecurity/grsec_sysctl.c  |    9 ---------
 include/linux/binfmts.h    |    1 +
 include/linux/grinternal.h |    2 +-
 include/linux/grmsg.h      |    3 ++-
 include/linux/grsecurity.h |    3 ++-
 mm/mmap.c                  |    7 +++++++
 mm/mprotect.c              |    2 +-
 13 files changed, 89 insertions(+), 39 deletions(-)

commit 0062d20760262f571ea73d7552f3b988b1462d02
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 17:58:42 2013 -0400

    Disable RANDKSTACK for a VirtualBox host as mentioned on the
    gentoo-hardened bugzilla:
    https://bugs.gentoo.org/show_bug.cgi?id=382793

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 251569e894236166173f1428d0d1832fe796030b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jul 30 13:23:39 2013 +0300

    Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20
    
    net_sched: info leak in atm_tc_dump_class()
    
    The "pvc" struct has a hole after pvc.sap_family which is not cleared.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/sch_atm.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 94ae607f84326bd66b84e3e5b1609ba167886885
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 5 16:05:41 2013 -0400

    silence a warning on older gcc

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f45d2cfb34e95d5b5c656df2b26613cb9d3d97ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 21:42:55 2013 -0400

    Backport compat policy loading code

 grsecurity/Makefile          |    4 +
 grsecurity/gracl.c           |  409 ++++++++++++++++++++++++++----------------
 grsecurity/gracl_compat.c    |  269 +++++++++++++++++++++++++++
 include/linux/gracl_compat.h |  156 ++++++++++++++++
 4 files changed, 686 insertions(+), 152 deletions(-)

commit 9c7605f64b02c6b94db832f4a57290c38f72e54d
Merge: 6fadc6a 1df70ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 21:31:12 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1df70eaa47fb609dbdec1960452b9482d59d54e0
Merge: 5bb2b04 401390f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 2 21:31:02 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 6fadc6ac32eec19ee132b4edec3ed7f5243e7028
Merge: 68e0df3 5bb2b04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:14:30 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/ubifs/dir.c

commit 5bb2b04b9c745a794f2ed2d3e5b2130e302067c6
Merge: f76df1c 66421b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 28 10:13:28 2013 -0400

    Update to pax-linux-3.2.49-test113.patch
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	crypto/algapi.c
    	drivers/block/nbd.c

commit 68e0df31eefcf4b051a84f8d3e6b52da64f7afdf
Merge: a0dc481 f76df1c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 26 13:05:11 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit f76df1c7c91cdd37d8d7b71b6b4e276ca1bc306c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 26 13:04:44 2013 -0400

    Update to pax-linux-3.2.47-test113.patch:
    - introduced per-slab object sanitization, contributed by Mathias Krause and secunet.
      this is finer grained sanitization than the existing per-page based approach (which
      is still done) at a somewhat higher performance cost. the pax_sanitize_slab command
      line option can be used to enable/disable it on boot (it's enabled by default when
      CONFIG_PAX_MEMORY_SANITIZE is enabled).

 Documentation/kernel-parameters.txt |    4 +++
 fs/buffer.c                         |    2 +-
 fs/dcache.c                         |    3 +-
 include/linux/slab.h                |   16 +++++++++++++++
 include/linux/slab_def.h            |    4 +++
 kernel/fork.c                       |    2 +-
 mm/mm_init.c                        |   11 ++++++++++
 mm/rmap.c                           |    6 +++-
 mm/slab.c                           |   36 ++++++++++++++++++++++++++++++++--
 mm/slob.c                           |    5 ++++
 mm/slub.c                           |    8 +++++++
 net/core/skbuff.c                   |    6 +++-
 security/Kconfig                    |   23 ++++++++++++++++-----
 13 files changed, 110 insertions(+), 16 deletions(-)

commit a0dc48125e39f7b495a1df2335207447fea46cc2
Merge: 9c4c539 189cbbf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:58:08 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 189cbbf2e2a4b7688a23770c9dd9528599848333
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 25 19:57:01 2013 -0400

    Update to pax-linux-3.2.47-test112.patch:
    - fixed an i386 regression with the lower address space gap on i386, reported by cnu

 arch/sparc/kernel/sys_sparc_64.c |    6 +++---
 fs/exec.c                        |    2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 9c4c5396a7d5d1fc90820fe2ed85c31e51051532
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Jul 20 03:13:55 2013 +0400

    Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2
    
    livelock avoidance in sget()
    
    Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
    to fail.  The superblock is on ->fs_supers, ->s_umount is held exclusive,
    ->s_active is 1.  Along come two more processes, trying to mount the same
    thing; sget() in each is picking that superblock, bumping ->s_count and
    trying to grab ->s_umount.  ->s_active is 3 now.  Original mount(2)
    finally gets to deactivate_locked_super() on failure; ->s_active is 2,
    superblock is still ->fs_supers because shutdown will *not* happen until
    ->s_active hits 0.  ->s_umount is dropped and now we have two processes
    chasing each other:
    s_active = 2, A acquired ->s_umount, B blocked
    A sees that the damn thing is stillborn, does deactivate_locked_super()
    s_active = 1, A drops ->s_umount, B gets it
    A restarts the search and finds the same superblock.  And bumps its ->s_active.
    s_active = 2, B holds ->s_umount, A blocked on trying to get it
    ... and we are in the earlier situation with A and B switched places.
    
    The root cause, of course, is that ->s_active should not grow until we'd
    got MS_BORN.  Then failing ->mount() will have deactivate_locked_super()
    shut the damn thing down.  Fortunately, it's easy to do - the key point
    is that grab_super() is called only for superblocks currently on ->fs_supers,
    so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
    bump ->s_active; we must never increment ->s_count for superblocks past
    ->kill_sb(), but grab_super() is never called for those.
    
    The bug is pretty old; we would've caught it by now, if not for accidental
    exclusion between sget() for block filesystems; the things like cgroup or
    e.g. mtd-based filesystems don't have anything of that sort, so they get
    bitten.  The right way to deal with that is obviously to fix sget()...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/super.c |   25 ++++++++++---------------
 1 files changed, 10 insertions(+), 15 deletions(-)

commit 65937dd498b405c91885085f7de8af39282f1de1
Author: Xi Wang <xi.wang@gmail.com>
Date:   Thu May 31 16:26:04 2012 -0700

    introduce SIZE_MAX
    
    ULONG_MAX is often used to check for integer overflow when calculating
    allocation size.  While ULONG_MAX happens to work on most systems, there
    is no guarantee that `size_t' must be the same size as `long'.
    
    This patch introduces SIZE_MAX, the maximum value of `size_t', to improve
    portability and readability for allocation size validation.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Acked-by: Alex Elder <elder@dreamhost.com>
    Cc: David Airlie <airlied@linux.ie>
    Cc: Pekka Enberg <penberg@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	fs/ceph/snap.c
    	include/linux/slab.h

 include/drm/drm_mem_util.h |    4 ++--
 include/linux/kernel.h     |    1 +
 include/linux/slab.h       |    3 +--
 3 files changed, 4 insertions(+), 4 deletions(-)

commit 671c16c479adef3ba3f041e7a684896eafa030f4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jul 12 09:39:03 2013 +0300

    Upstream commit: b2781e1021525649c0b33fffd005ef219da33926
    
    svcrdma: underflow issue in decode_write_list()
    
    My static checker marks everything from ntohl() as untrusted and it
    complains we could have an underflow problem doing:
    
    	return (u32 *)&ary->wc_array[nchunks];
    
    Also on 32 bit systems the upper bound check could overflow.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 net/sunrpc/xprtrdma/svc_rdma_marshal.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

commit 03f98d656f32436ab6fdac890dfb7772db30245c
Author: Tom Tucker <tom@ogc.us>
Date:   Wed Feb 15 11:30:00 2012 -0600

    Upstream commit: cec56c8ff5e28f58ff13041dca7853738ae577a1
    
    svcrdma: Cleanup sparse warnings in the svcrdma module
    
    The svcrdma transport was un-marshalling requests in-place. This resulted
    in sparse warnings due to __beXX data containing both NBO and HBO data.
    
    The code has been restructured to do byte-swapping as the header is
    parsed instead of when the header is validated immediately after receipt.
    
    Also moved extern declarations for the workqueue and memory pools to the
    private header file.
    
    Signed-off-by: Tom Tucker <tom@ogc.us>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 include/linux/sunrpc/svc_rdma.h          |    2 +-
 net/sunrpc/xprtrdma/svc_rdma.c           |    1 +
 net/sunrpc/xprtrdma/svc_rdma_marshal.c   |   66 +++++++----------------------
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c  |   20 +++++----
 net/sunrpc/xprtrdma/svc_rdma_sendto.c    |   26 ++++++-----
 net/sunrpc/xprtrdma/svc_rdma_transport.c |   10 +----
 net/sunrpc/xprtrdma/xprt_rdma.h          |    7 +++
 7 files changed, 51 insertions(+), 81 deletions(-)

commit 868ce42c85265f226d92eb8a4f7de2323cf909e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 16 20:40:24 2013 -0400

    allow viewing of ecryptfs version under SYSFS_RESTRICT

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1260485ad5ba01ffbe8061990b016bbe4f5341a1
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Mon Jul 1 17:23:30 2013 +0200

    ethtool: make .get_dump_data() harder to misuse by drivers
    
    As the patch "bnx2x: remove zeroing of dump data buffer" showed,
    it is too easy to implement .get_dump_data incorrectly in a driver.
    
    Let's make sure drivers cannot get confused by userspace requesting
    a too big dump.
    
    Also WARN if the driver sets dump->len to something weird and make
    sure the length reported to userspace is the actual length of data
    copied to userspace.
    
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/ethtool.c |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

commit a4f05ca2e193b208add48dd0bf2102d5c9389ca2
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Jul 2 09:02:07 2013 +0800

    l2tp: add missing .owner to struct pppox_proto
    
    Add missing .owner of struct pppox_proto. This prevents the
    module from being removed from underneath its users.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 1bc0c45722231b226f08ed71ad8a5366fe57743f
Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Date:   Sun Jun 30 14:37:11 2013 +1000

    cxgb3: Missing rtnl lock in error recovery
    
    When exercising error injection on IBM pseries machine, I hit the
    following warning:
    
    [  251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2
    [  253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142)
    [  253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100
    [  254.895437] RTNL: assertion failed at net/core/dev.c (2031)
    [  254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G        W    3.10.0-rc7-00157-gea461ab #19
    [  254.895474] Call Trace:
    [  254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable)
    [  254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c
    [  254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230
    [  254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3]
    [  254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3]
    [  254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0
    [  254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190
    [  254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330
    [  254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0
    [  254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0
    [  254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80
    
    It appears that t3_resume_ports() is called with the rtnl_lock held from
    the fatal error task but not from the PCI error callbacks. This fixes it.
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit fee9f261fe65cb61c0469180ccb82a9348b03812
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Jul 1 20:21:30 2013 +0200

    ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
    
    We accidentally call down to ip6_push_pending_frames when uncorking
    pending AF_INET data on a ipv6 socket. This results in the following
    splat (from Dave Jones):
    
    skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
    ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:126!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
    +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
    CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
    task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
    RIP: 0010:[<ffffffff816e759c>]  [<ffffffff816e759c>] skb_panic+0x63/0x65
    RSP: 0018:ffff8801e6431de8  EFLAGS: 00010282
    RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
    RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
    RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
    R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
    FS:  00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
    Stack:
     ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
     ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
     ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
    Call Trace:
     [<ffffffff8159a9aa>] skb_push+0x3a/0x40
     [<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
     [<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
     [<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
     [<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
     [<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
     [<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
     [<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
     [<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
     [<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
     [<ffffffff816f5d54>] tracesys+0xdd/0xe2
    Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
    RIP  [<ffffffff816e759c>] skb_panic+0x63/0x65
     RSP <ffff8801e6431de8>
    
    This patch adds a check if the pending data is of address family AF_INET
    and directly calls udp_push_pending_frames from udp_v6_push_pending_frames
    if that is the case.
    
    This bug was found by Dave Jones with trinity.
    
    (Also move the initialization of fl6 below the AF_INET check, even if
    not strictly necessary.)
    
    Cc: Dave Jones <davej@redhat.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/udp.h |    1 +
 net/ipv4/udp.c    |    3 ++-
 net/ipv6/udp.c    |    7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

commit 4c257cabf004ccfb84605d8fab7bba27aa4673b7
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Tue Jul 2 08:04:05 2013 +0200

    ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
    
    If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
    of this when appending the second frame on a corked socket. This results
    in the following splat:
    
    [37598.993962] ------------[ cut here ]------------
    [37598.994008] kernel BUG at net/core/skbuff.c:2064!
    [37598.994008] invalid opcode: 0000 [#1] SMP
    [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
    +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
    +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
    [37598.994008]  snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
    +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
    [37598.994008] CPU 0
    [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
    [37598.994008] RIP: 0010:[<ffffffff815443a5>]  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008] RSP: 0018:ffff88003670da18  EFLAGS: 00010202
    [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
    [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
    [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
    [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
    [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
    [37598.994008] FS:  00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
    [37598.994008] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
    [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
    [37598.994008] Stack:
    [37598.994008]  ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
    [37598.994008]  ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
    [37598.994008]  0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
    [37598.994008] Call Trace:
    [37598.994008]  [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
    [37598.994008]  [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
    [37598.994008]  [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
    [37598.994008]  [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
    [37598.994008]  [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
    [37598.994008]  [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
    [37598.994008]  [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
    [37598.994008]  [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
    [37598.994008]  [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
    [37598.994008]  [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
    [37598.994008]  [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
    [37598.994008]  [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
    [37598.994008]  [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
    [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
    [37598.994008] RIP  [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
    [37598.994008]  RSP <ffff88003670da18>
    [37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
    
    While there, also check if path mtu discovery is activated for this
    socket. The logic was adapted from ip6_append_data when first writing
    on the corked socket.
    
    This bug was introduced with commit
    0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
    fragment").
    
    v2:
    a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
    b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
       feng, thanks!).
    c) Change mtu to unsigned int, else we get a warning about
       non-matching types because of the min()-macro type-check.
    
    Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
    Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |   16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

commit 51eda273360f39fb15e6b1ec548379d88046a780
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Thu Jun 20 13:13:59 2013 -0700

    libceph: Fix NULL pointer dereference in auth client code
    
    A malicious monitor can craft an auth reply message that could cause a
    NULL function pointer dereference in the client's kernel.
    
    To prevent this, the auth_none protocol handler needs an empty
    ceph_auth_client_ops->build_request() function.
    
    CVE-2013-1059
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reported-by: Chanam Park <chanam.park@hkpco.kr>
    Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
    Reviewed-by: Sage Weil <sage@inktank.com>
    Cc: stable@vger.kernel.org

 net/ceph/auth_none.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 27d9c8c8bc887a5a9eae1e420cb68bd226a305e1
Author: Eric Paris <eparis@redhat.com>
Date:   Wed Jul 3 15:08:29 2013 -0700

    fork: reorder permissions when violating number of processes limits
    
    When a task is attempting to violate the RLIMIT_NPROC limit we have a
    check to see if the task is sufficiently privileged.  The check first
    looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0.
    
    A result is that tasks which are allowed by the uid=0 check are first
    checked against the security subsystem.  This results in the security
    subsystem auditing a denial for sys_admin and sys_resource and then the
    task passing the uid=0 check.
    
    This patch rearranges the code to first check uid=0, since if we pass that
    we shouldn't hit the security system at all.  We then check sys_resource,
    since it is the smallest capability which will solve the problem.  Lastly
    we check the fallback everything cap_sysadmin.  We don't want to give this
    capability many places since it is so powerful.
    
    This will eliminate many of the false positive/needless denial messages we
    get when a root task tries to violate the nproc limit.  (note that
    kthreads count against root, so on a sufficiently large machine we can
    actually get past the default limits before any userspace tasks are
    launched.)
    
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/fork.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
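
The check ordering this commit message argues for, as an added C example that is not the kernel's fork.c code: a stand-in for the security subsystem's capability check records an audit denial every time it is consulted and refused, and the two orders are run for a root task whose capability checks the security subsystem denies. The task model, the DEMO_CAP_* bits and the audit counter are constructed for the demo.

```c
#include <stdbool.h>

/* Constructed task model: a uid plus a bitmask of the capabilities the
 * security subsystem will grant. The DEMO_CAP_* values are demo constants,
 * not the kernel's capability numbers. */
enum { DEMO_CAP_SYS_ADMIN = 1u << 0, DEMO_CAP_SYS_RESOURCE = 1u << 1 };

struct demo_task {
    unsigned int uid;
    unsigned int caps;
};

/* Counts denials "audited" by the stand-in security subsystem. */
static int audit_denials;

/* Stand-in for capable(): every refused consultation is audited, which is
 * the noise the commit message wants to avoid for root tasks. */
static bool demo_capable(const struct demo_task *t, unsigned int cap)
{
    if (t->caps & cap)
        return true;
    audit_denials++;   /* the security subsystem logs a denial here */
    return false;
}

/* Order before the patch: capabilities first, uid == 0 last. */
static bool nproc_override_old(const struct demo_task *t)
{
    return demo_capable(t, DEMO_CAP_SYS_ADMIN) ||
           demo_capable(t, DEMO_CAP_SYS_RESOURCE) ||
           t->uid == 0;
}

/* Order after the patch: uid == 0 first (no security hook involved), then
 * the smallest capability that suffices, CAP_SYS_ADMIN only as fallback. */
static bool nproc_override_new(const struct demo_task *t)
{
    return t->uid == 0 ||
           demo_capable(t, DEMO_CAP_SYS_RESOURCE) ||
           demo_capable(t, DEMO_CAP_SYS_ADMIN);
}

/* Run one check order for a task; returns the number of audited denials and
 * stores whether the task was allowed past the RLIMIT_NPROC limit. */
static int denials_for(bool (*check)(const struct demo_task *),
                       const struct demo_task *t, bool *allowed)
{
    audit_denials = 0;
    *allowed = check(t);
    return audit_denials;
}

int main(void)
{
    /* A root task whose capability checks the security subsystem denies:
     * the old order audits two denials before passing, the new order none. */
    struct demo_task root = { 0, 0 };
    bool ok;
    int old_noise = denials_for(nproc_override_old, &root, &ok);
    int new_noise = denials_for(nproc_override_new, &root, &ok);
    return (old_noise == 2 && new_noise == 0 && ok) ? 0 : 1;
}
```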

commit 49aae3c3a876328afdd7a94cda92b7bb906ce109
Author: Chen Gang <gang.chen@asianux.com>
Date:   Sat Jun 22 13:26:09 2013 +0800

    arch: sparc: kernel: check the memory length before use strcpy().
    
    For the related next strcpy(), the destination length is less than 512,
    but the source's maximum length may be 'OPROMMAXPARAM' (4096) which is
    more than 512.
    
    One work flow may:
      openprom_sunos_ioctl() ->  if (cmd == OPROMSETOPT)
        getstrings() ->  will alloc buffer with size 'OPROMMAXPARAM'.
        opromsetopt() ->  divide the buffer into 'var' and 'value'
          of_set_property() -> pass
            prom_setprop() -> pass
              ldom_set_var()
    
    And do not mind the additional 4 alignment buffer increasing, since
    'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/ds.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 7b838c7bb44f6ab7c39040d8421af2c40c466499
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 9 21:00:14 2013 -0400

    increase requested size for module arguments, previous size was off-by-one
    but not an issue due to it being a fixed size in a larger fixed-size slab cache

 kernel/kmod.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dca099b162dadc36cc39e44fd607ea06b5530cc9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 5 00:02:38 2013 -0400

    remove extra case we don't need to handle with RAND_THREADSTACK as we
    only act on ASLR-enabled binaries

 mm/mmap.c |   10 +++-------
 1 files changed, 3 insertions(+), 7 deletions(-)

commit 65505689cfb68197e5bb1ab9fe70149146eabac6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 23:05:14 2013 -0400

    always enforce a non-zero gap for RAND_THREADSTACK

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 231d8e775ff3ba8d5364641f726f112428af6912
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 22:49:10 2013 -0400

    move location of RAND_THREADSTACK handling in relation to the
    heap/stack gap code

 mm/mmap.c |   20 +++++++++++---------
 1 files changed, 11 insertions(+), 9 deletions(-)

commit 64f38101ea14d7e72ef6004dbd409f21de9871fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 22:28:08 2013 -0400

    compile fix

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 172164199f87ba97b6a84b082373dcf650388c11
Merge: bc5dba0 eac2752
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 22:23:28 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit bc5dba0401cc28f8fa9d6acedbc84a091b5b713e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 22:01:44 2013 -0400

    Modify the probe addr in the new heap/stack gap code

 mm/mmap.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 40a20777f12984e72a98a28bc577e9503c5e59e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 21:44:54 2013 -0400

    Update GRKERNSEC_RAND_THREADSTACK for the new heap-stack gap code

 arch/alpha/kernel/osf_sys.c      |    2 +-
 arch/arm/mm/mmap.c               |    4 ++--
 arch/frv/mm/elf-fdpic.c          |    6 +++---
 arch/ia64/kernel/sys_ia64.c      |    2 +-
 arch/ia64/mm/hugetlbpage.c       |    2 +-
 arch/mips/mm/mmap.c              |   13 +++++++------
 arch/parisc/kernel/sys_parisc.c  |    4 ++--
 arch/powerpc/mm/slice.c          |    6 +++---
 arch/sh/mm/mmap.c                |   15 ++++++++-------
 arch/sparc/kernel/sys_sparc_32.c |    2 +-
 arch/sparc/kernel/sys_sparc_64.c |   15 ++++++++-------
 arch/sparc/mm/hugetlbpage.c      |   13 +++++++------
 arch/x86/kernel/head_64.S        |    1 -
 arch/x86/kernel/sys_i386_32.c    |   15 ++++++++-------
 arch/x86/kernel/sys_x86_64.c     |   10 +++++-----
 arch/x86/mm/hugetlbpage.c        |    6 +++---
 arch/x86/mm/init.c               |    7 +++++++
 arch/x86/mm/init_32.c            |    6 ------
 arch/x86/mm/init_64.c            |    6 ------
 arch/x86/platform/efi/efi_32.c   |    5 +++++
 arch/x86/platform/efi/efi_64.c   |   10 ++++++++++
 fs/hugetlbfs/inode.c             |    2 +-
 include/linux/sched.h            |    2 +-
 mm/mmap.c                        |   36 ++++++++++++++++++++++--------------
 24 files changed, 106 insertions(+), 84 deletions(-)

commit eac2752de8a4e15d65bb08f9186e5171bc46c466
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 20:58:16 2013 -0400

    Update to pax-linux-3.2.47-test110.patch:
    - fixed the heap-stack gap enforcement logic under STACK_GROWSUP, reported by spender
    - backported the EFI boot fix (https://bugs.gentoo.org/show_bug.cgi?id=471626)

 arch/alpha/kernel/osf_sys.c      |    2 +-
 arch/arm/mm/mmap.c               |    4 ++--
 arch/frv/mm/elf-fdpic.c          |    6 +++---
 arch/ia64/kernel/sys_ia64.c      |    2 +-
 arch/ia64/mm/hugetlbpage.c       |    2 +-
 arch/mips/mm/mmap.c              |   13 +++++++------
 arch/parisc/kernel/sys_parisc.c  |    4 ++--
 arch/powerpc/mm/slice.c          |    6 +++---
 arch/sh/mm/mmap.c                |   15 ++++++++-------
 arch/sparc/kernel/sys_sparc_32.c |    2 +-
 arch/sparc/kernel/sys_sparc_64.c |   15 ++++++++-------
 arch/sparc/mm/hugetlbpage.c      |   13 +++++++------
 arch/x86/kernel/head_64.S        |    1 -
 arch/x86/kernel/sys_i386_32.c    |   15 ++++++++-------
 arch/x86/kernel/sys_x86_64.c     |   10 +++++-----
 arch/x86/mm/hugetlbpage.c        |    6 +++---
 arch/x86/mm/init.c               |    7 +++++++
 arch/x86/mm/init_32.c            |    6 ------
 arch/x86/mm/init_64.c            |    6 ------
 arch/x86/platform/efi/efi_32.c   |    5 +++++
 arch/x86/platform/efi/efi_64.c   |   10 ++++++++++
 fs/hugetlbfs/inode.c             |    2 +-
 include/linux/sched.h            |    2 +-
 mm/mmap.c                        |   36 ++++++++++++++++++++++--------------
 24 files changed, 106 insertions(+), 84 deletions(-)

commit 5116eda98f4fc1c2f8f05158950fcfccaade35d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 16:09:28 2013 -0400

    fix up file comparisons
    
    Conflicts:
    
    	grsecurity/grsec_sig.c
    	include/linux/grinternal.h

 grsecurity/gracl_segv.c    |    2 +-
 grsecurity/grsec_sig.c     |    4 ++--
 include/linux/grinternal.h |   12 ++++++++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

commit e1706f8c3936210478a8d6aa4fd2f4ecbb81f421
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 15:33:18 2013 -0400

    fix suid binary matching
    
    Conflicts:
    
    	grsecurity/grsec_sig.c

 grsecurity/grsec_sig.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f07120add1c9c50b6d2d2d754573386a4d69e3dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:46:02 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 935d800c28279a4d17015038957584d6716ebe59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:31:24 2013 -0400

    update log arguments

 grsecurity/grsec_sig.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f2adf4ab53097ebb464339c8537f514a9dfb9b0d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 13:20:23 2013 -0400

    Update logging of suid exec ban

 grsecurity/grsec_sig.c |    2 +-
 include/linux/grmsg.h  |    1 +
 2 files changed, 2 insertions(+), 1 deletions(-)

commit d4d5bb0d8b7008c0bf328e6bd8ffab2887681204
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 4 12:58:33 2013 -0400

    Additional improvements to the user banning code:
    
    Separate the kernel-bruteforcing case from the suid bruteforcing case
    In the suid bruteforcing case, only kill existing copies of the bruteforced
    binary.  Instead of preventing all future execs by this user, prevent them
    from executing any suid/sgid binaries for the next 15 minutes.
    
    Kernel case is mostly unchanged from before, except the task trying to change
    real uid to the banned user will be terminated instead of failing the setuid
    call.
    
    Configuration help has been updated to reflect the new changes.
    
    Conflicts:
    
    	fs/exec.c
    	grsecurity/grsec_sig.c

 fs/exec.c                  |   13 +++++---
 grsecurity/Kconfig         |    5 ++-
 grsecurity/gracl.c         |    6 ++--
 grsecurity/grsec_sig.c     |   76 ++++++++++++++++++++++++++------------------
 include/linux/grsecurity.h |    1 -
 include/linux/sched.h      |    9 +++--
 6 files changed, 65 insertions(+), 45 deletions(-)

commit b2b8faa9d72b5ec7c1c03df07e03432dde4f1328
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 3 15:53:12 2013 -0400

    Revise the user ban code to kill the process issuing a banned
    set*id instead of returning an error.  For the sake of keeping
    unified user banning between the suid and kernel bruteforce case,
    we will apply this killing to the suid bruteforce case, despite
    a check just at exec time (that already existed) being sufficient.
    
    Returning an error could enable exploitation of the "failure to check
    setuid return value" case which was recently effectively closed
    upstream, albeit in a rare situation with a suitable binary and
    two colluding users.
    
    Many thanks to stealth for reviewing the user ban code.

 grsecurity/gracl.c     |    4 ++--
 grsecurity/grsec_sig.c |   16 +++++++++++++---
 2 files changed, 15 insertions(+), 5 deletions(-)

commit bfe2238de5574cb5de1ce785ccfc50af30f2d92f
Author: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Date:   Fri Jun 28 14:15:15 2013 +0300

    Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d
    
    UBIFS: fix a horrid bug
    
    Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
    mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
    in the middle of 'ubifs_readdir()'.
    
    This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
    it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
    but this may corrupt memory and lead to all kinds of problems like crashes and
    security holes.
    
    This patch fixes the problem by using the 'file->f_version' field, which
    '->llseek()' always unconditionally sets to zero. We set it to 1 in
    'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
    seek and it is time to clear the state saved in 'file->private_data'.
    
    I tested this patch by writing a user-space program which runs readdir and
    seek in parallel. I could easily crash the kernel without these patches, but
    could not crash it with these patches.
    
    Cc: stable@vger.kernel.org
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
    	fs/ubifs/dir.c

 fs/ubifs/dir.c |   34 +++++++++++++++++++++++++++++-----
 1 files changed, 29 insertions(+), 5 deletions(-)

commit f79f5b6bfa34cd409c1981be16afcf3732904ea1
Author: Stephane Eranian <eranian@google.com>
Date:   Thu Jun 20 11:36:28 2013 +0200

    Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89
    
    perf: Disable monitoring on setuid processes for regular users
    
    There was a bug in setup_new_exec(), whereby
    the test to disable perf monitoring was not
    correct because the new credentials for the
    process were not yet committed and therefore
    the get_dumpable() test was never firing.
    
    The patch fixes the problem by moving the
    perf_event test until after the credentials
    are committed.
    
    Signed-off-by: Stephane Eranian <eranian@google.com>
    Tested-by: Jiri Olsa <jolsa@redhat.com>
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 fs/exec.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

commit cf2a89740a86b7c8ac8729f418481075b4395ee0
Merge: 9ffe336 e1d9efc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 29 14:13:56 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit e1d9efc71e735c8b9c1295d3f1f6753a465bcbff
Merge: 895dd8e c93f6a9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 29 14:13:45 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 9ffe336a36a734e1981ec11511f2a54c8988a398
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:31:58 2013 +0800

    Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a
    
    dlci: validate the net device in dlci_del()
    
    We triggered an oops while running trinity with 3.4 kernel:
    
    BUG: unable to handle kernel paging request at 0000000100000d07
    IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    PGD 640c0d067 PUD 0
    Oops: 0000 [#1] PREEMPT SMP
    CPU 3
    ...
    Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA
    RIP: 0010:[<ffffffffa0109738>]  [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
    ...
    Call Trace:
      [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
      [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
      [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
      [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
      [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
    ...
    
    It's because the net device is not a dlci device.
    
    Reported-by: Li Jinyue <lijinyue@huawei.com>
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit e2b9a5997ae75b9b21de26a2a1c89759752c57d8
Author: Zefan Li <lizefan@huawei.com>
Date:   Wed Jun 26 15:29:54 2013 +0800

    Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5
    
    dlci: acquire rtnl_lock before calling __dev_get_by_name()
    
    Otherwise the net device returned can be freed at anytime.
    
    Signed-off-by: Li Zefan <lizefan@huawei.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/dlci.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

commit 605dbdeebdde60826f427405fb83aa11dd5ed417
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jun 26 04:15:07 2013 -0700

    Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3
    
    ipv6: ip6_sk_dst_check() must not assume ipv6 dst
    
    It's possible to use AF_INET6 sockets and to connect to an IPv4
    destination. After this, socket dst cache is a pointer to a rtable,
    not rt6_info.
    
    ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
    various corruptions/crashes can happen.
    
    Dave Jones can reproduce immediate crash with
    trinity -q -l off -n -c sendmsg -c connect
    
    With help from Hannes Frederic Sowa
    
    Reported-by: Dave Jones <davej@redhat.com>
    Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_output.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 0964a26ec130f2b3fbea72a82861e8831f993c4b
Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
Date:   Sun Jun 2 16:30:40 2013 -0400

    Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d
    
    Bluetooth: Fix crash in l2cap_build_cmd() with small MTU
    
    If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus
    controller, memory corruption happens due to a memcpy() call with
    negative length.
    
    Fix this crash on either incoming or outgoing connections with an MTU
    smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE:
    
    [   46.885433] BUG: unable to handle kernel paging request at f56ad000
    [   46.888037] IP: [<c03d94cd>] memcpy+0x1d/0x40
    [   46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060
    [   46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
    [   46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common
    [   46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12
    [   46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [   46.888037] Workqueue: hci0 hci_rx_work [bluetooth]
    [   46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000
    [   46.888037] EIP: 0060:[<c03d94cd>] EFLAGS: 00010212 CPU: 0
    [   46.888037] EIP is at memcpy+0x1d/0x40
    [   46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2
    [   46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c
    [   46.888037]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    [   46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0
    [   46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    [   46.888037] DR6: ffff0ff0 DR7: 00000400
    [   46.888037] Call Trace:
    [   46.888037]  [<f8c6a54c>] l2cap_send_cmd+0x1cc/0x230 [bluetooth]
    [   46.888037]  [<f8c69eb2>] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth]
    [   46.888037]  [<f8c6f4c7>] l2cap_connect+0x3f7/0x540 [bluetooth]
    [   46.888037]  [<c019b37b>] ? trace_hardirqs_off+0xb/0x10
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064ad20>] ? mutex_lock_nested+0x280/0x360
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<c064ad08>] ? mutex_lock_nested+0x268/0x360
    [   46.888037]  [<c01a125b>] ? trace_hardirqs_on+0xb/0x10
    [   46.888037]  [<f8c72f8d>] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth]
    [   46.888037]  [<c01a0ff8>] ? mark_held_locks+0x68/0x110
    [   46.888037]  [<c064b9d9>] ? __mutex_unlock_slowpath+0xa9/0x150
    [   46.888037]  [<c01a118c>] ? trace_hardirqs_on_caller+0xec/0x1b0
    [   46.888037]  [<f8c754f1>] l2cap_recv_acldata+0x2a1/0x320 [bluetooth]
    [   46.888037]  [<f8c491d8>] hci_rx_work+0x518/0x810 [bluetooth]
    [   46.888037]  [<f8c48df2>] ? hci_rx_work+0x132/0x810 [bluetooth]
    [   46.888037]  [<c0158979>] process_one_work+0x1a9/0x600
    [   46.888037]  [<c01588fb>] ? process_one_work+0x12b/0x600
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c015922e>] ? worker_thread+0x19e/0x320
    [   46.888037]  [<c0159187>] worker_thread+0xf7/0x320
    [   46.888037]  [<c0159090>] ? rescuer_thread+0x290/0x290
    [   46.888037]  [<c01602f8>] kthread+0xa8/0xb0
    [   46.888037]  [<c0656777>] ret_from_kernel_thread+0x1b/0x28
    [   46.888037]  [<c0160250>] ? flush_kthread_worker+0x120/0x120
    [   46.888037] EIP: [<c03d94cd>] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c
    [   46.888037] CR2: 00000000f56ad000
    [   46.888037] ---[ end trace 0217c1f4d78714a9 ]---
    
    Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 net/bluetooth/l2cap_core.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
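
Added example (not the kernel's code or the commit's diff): a model of the length arithmetic behind the crash above, with the header sizes taken as L2CAP_HDR_SIZE = 4 and L2CAP_CMD_HDR_SIZE = 4 and the function names, the simplified header layout and the sample data all constructed here. It shows the frame size capped at the MTU going negative once the headers are subtracted, and the MTU check that keeps that value away from memcpy().

```c
/* Added example, not kernel code: models the command-frame length arithmetic
 * from the l2cap_build_cmd() commit and the MTU check that prevents it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define L2CAP_HDR_SIZE     4   /* basic L2CAP header: length + CID (assumed) */
#define L2CAP_CMD_HDR_SIZE 4   /* command header: code, ident, length (assumed) */
#define HDRS (L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)

static unsigned int min_u(unsigned int a, unsigned int b) { return a < b ? a : b; }

/* Unchecked form: the payload count is "frame size minus headers", where the
 * frame size was already capped at the MTU.  With mtu < HDRS the result is
 * negative, and as soon as it reaches memcpy()'s size_t parameter it becomes
 * an enormous positive length. */
size_t payload_len_unchecked(unsigned int mtu, unsigned int dlen)
{
    unsigned int count = min_u(mtu, HDRS + dlen);
    int payload = (int)count - HDRS;   /* may be negative */
    return (size_t)payload;            /* wraps towards SIZE_MAX when negative */
}

/* Checked form: a link whose MTU cannot carry even the two headers gets no
 * frame at all; returns false in that case, the usable payload length otherwise. */
bool payload_len_checked(unsigned int mtu, unsigned int dlen, size_t *out)
{
    if (mtu < HDRS)
        return false;
    *out = min_u(mtu, HDRS + dlen) - HDRS;
    return true;
}

/* Build one (simplified) command frame into buf.  Returns the bytes written,
 * or 0 when the MTU is unusable or buf is too small; only the checked length
 * ever reaches memcpy(). */
size_t build_cmd(uint8_t *buf, size_t bufsz, unsigned int mtu, uint16_t cid,
                 uint8_t code, uint8_t ident, const uint8_t *data, unsigned int dlen)
{
    size_t payload;
    if (!payload_len_checked(mtu, dlen, &payload))
        return 0;
    if (HDRS + payload > bufsz)
        return 0;

    uint16_t l2len = (uint16_t)(L2CAP_CMD_HDR_SIZE + payload);
    buf[0] = (uint8_t)(l2len & 0xff);          /* basic header: length (LE) */
    buf[1] = (uint8_t)(l2len >> 8);
    buf[2] = (uint8_t)(cid & 0xff);            /* basic header: channel id */
    buf[3] = (uint8_t)(cid >> 8);
    buf[4] = code;                             /* command header */
    buf[5] = ident;
    buf[6] = (uint8_t)(payload & 0xff);
    buf[7] = (uint8_t)((payload >> 8) & 0xff);
    memcpy(buf + HDRS, data, payload);
    return HDRS + payload;
}
```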

commit bb971f8f82da9ff1de8f4eb5fd678d2e168f46c4
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Sun Jun 23 17:26:58 2013 +0300

    Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2
    
    macvtap: fix recovery from gup errors
    
    get user pages might fail partially in macvtap zero copy
    mode. To recover we need to put all pages that we got,
    but code used a wrong index resulting in double-free
    errors.
    
    Reported-by: Brad Hubbard <bhubbard@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit f970b222b0c93836dc7f808c9002b47db2356ea7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:39:08 2013 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: Steffen Klassert <steffen.klassert@secunet.com>,
            "David S. Miller" <davem@davemloft.net>
    Cc: Mathias Krause <minipli@googlemail.com>, netdev@vger.kernel.org,
            Herbert Xu <herbert@gondor.apana.org.au>
    Subject: [PATCH] af_key: fix info leaks in notify messages
    
    key_notify_sa_flush() and key_notify_policy_flush() fail to initialize
    the sadb_msg_reserved member of the broadcasted message and thereby
    leak 2 bytes of heap memory to listeners. Fix that.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>

 net/key/af_key.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit a769864b55228b10420922319b039383eb978825
Merge: e0272f0 895dd8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:36:21 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 895dd8ef5f161df49c4c9bb7f4a217a2bfe5de6a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 26 18:35:49 2013 -0400

    Update to pax-linux-3.2.47-test109.patch:
    - fixed a regression on PARAVIRT/amd64 kernels

 arch/x86/kernel/entry_64.S |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit e0272f02cfe4cc20756485ce82f99ba8fae18dd5
Merge: ea55c83 7a64c90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:03:39 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 7a64c90976856ef4d967c12257a74aa405b7217c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 25 19:02:48 2013 -0400

    Updated to pax-linux-3.2.47-test108.patch:
    - fixed an ftrace regression on KERNEXEC/i386
    - reverted the nmi changes, 3.2 doesn't need them
    - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111)
    - empty_zero_page can be read-only on amd64 as well

 arch/x86/kernel/entry_64.S |   61 ++++++++++++++++++++-----------------------
 arch/x86/kernel/ftrace.c   |    4 +-
 arch/x86/kernel/head_64.S  |    1 -
 drivers/lguest/core.c      |    2 +-
 include/linux/vmalloc.h    |    2 +-
 5 files changed, 32 insertions(+), 38 deletions(-)

commit ea55c8335283c3f20b5cc6a5373382ae98cd8c3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 23 14:37:14 2013 -0400

    second compile fix, reported by forsaken on forums

 include/linux/vmalloc.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 257868861c1bd28e5162eacdcd1a836db01dde7d
Merge: 4413dcd bd61657
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 17:00:02 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	security/Kconfig

commit bd6165733a5124425d675a6bb9f81026d14e73a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 21 16:57:05 2013 -0400

    Update to pax-linux-3.2.47-test107.patch:
    - fixed some fallout detected by the checker plugin
    - removed a user-triggerable BUG_ON reported by spender, fixing it properly wasn't worth the effort
    - fixed a few format string problems uncovered by -Wformat-nonliteral
    - another attempt at fixing the nested nmi/cr0.wp problem
    - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866)
    - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274)
    - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/)

 Documentation/dontdiff                    |    1 +
 arch/x86/kernel/cpu/mcheck/mce.c          |    2 +-
 arch/x86/kernel/crash_dump_64.c           |    2 +-
 arch/x86/kernel/e820.c                    |    4 +-
 arch/x86/kernel/entry_64.S                |   81 ++++++++++++++++-------------
 arch/x86/kernel/vmlinux.lds.S             |    2 +-
 block/genhd.c                             |   11 +++--
 crypto/algapi.c                           |    2 +-
 crypto/pcrypt.c                           |    2 +-
 drivers/base/attribute_container.c        |    2 +-
 drivers/base/devtmpfs.c                   |    6 +-
 drivers/base/power/sysfs.c                |    2 +-
 drivers/block/nbd.c                       |    2 +-
 drivers/cdrom/cdrom.c                     |    2 +-
 drivers/char/agp/compat_ioctl.c           |    2 +-
 drivers/char/agp/frontend.c               |    2 +-
 drivers/char/hw_random/intel-rng.c        |    2 +-
 drivers/char/mem.c                        |    4 +-
 drivers/devfreq/devfreq.c                 |    2 +-
 drivers/gpu/drm/drm_encoder_slave.c       |    6 +--
 drivers/gpu/drm/drm_sysfs.c               |    2 +-
 drivers/gpu/drm/ttm/ttm_memory.c          |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c     |    4 +-
 drivers/i2c/i2c-dev.c                     |    2 +-
 drivers/media/video/v4l2-compat-ioctl32.c |    4 +-
 drivers/media/video/v4l2-ioctl.c          |    6 +-
 drivers/video/output.c                    |    2 +-
 fs/9p/vfs_addr.c                          |    2 +-
 fs/binfmt_elf.c                           |    2 +-
 fs/compat_ioctl.c                         |    4 +-
 fs/exec.c                                 |    2 +-
 fs/ext4/mmp.c                             |    2 +-
 fs/ext4/super.c                           |    2 +-
 fs/lockd/svc.c                            |    2 +-
 fs/namespace.c                            |    8 ++--
 fs/nfs/callback.c                         |    4 +-
 fs/nfsd/nfscache.c                        |    3 +-
 fs/proc/vmcore.c                          |   12 +++--
 include/linux/syscalls.h                  |    8 ++--
 init/initramfs.c                          |    2 +-
 lib/kobject.c                             |    2 +-
 mm/backing-dev.c                          |    4 +-
 mm/mlock.c                                |    1 -
 mm/slub.c                                 |    2 +-
 mm/vmalloc.c                              |   15 ++---
 net/netfilter/nf_conntrack_proto_dccp.c   |    4 +-
 net/sunrpc/svc.c                          |    2 +-
 security/Kconfig                          |   15 +++---
 sound/core/sound.c                        |    2 +-
 sound/sound_core.c                        |    2 +-
 tools/gcc/checker_plugin.c                |    1 +
 51 files changed, 137 insertions(+), 129 deletions(-)

commit 4413dcd8180864f36e0036c1c7edf3f06b727404
Merge: 4945f4f 30d75a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 19 17:45:40 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 30d75a248c66a76546683054768ddc6b1a1cfafa
Merge: 7a96ff7 398cabc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 19 17:45:34 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2

commit 4945f4fbcb3bccf03be6cc7cc1e7450263fcb576
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 18 16:45:39 2013 -0400

    fix compile error in apparmor compat patch

 security/apparmor/apparmorfs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 460085b551067106461d75913d655b393827588f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 17 18:48:31 2013 -0400

    Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db"
    
    This reverts commit 81d3b89d5990029633d5bdc5439feebffcb4ff36.

 kernel/sys.c |   29 +++--------------------------
 1 files changed, 3 insertions(+), 26 deletions(-)

commit 696689eb6fd63c678783a1281e879c90ddca41b4
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Sun Jun 16 18:06:06 2013 +0100

    Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5
    
    lseek(fd, n, SEEK_END) does *not* go to eof - n
    
    When you copy some code, you are supposed to read it.  If nothing else,
    there's a chance to spot and fix an obvious bug instead of sharing it...
    
    X-Song: "I Got It From Agnes", by Tom Lehrer
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    [ Tom Lehrer? You're dating yourself, Al ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	drivers/net/ethernet/brocade/bna/bnad_debugfs.c
    	drivers/scsi/fnic/fnic_debugfs.c

 drivers/scsi/bfa/bfad_debugfs.c  |    2 +-
 drivers/scsi/lpfc/lpfc_debugfs.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 5b28db552055eee1aa180a48cd58cc3a0c2ae978
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Wed Jun 12 14:26:44 2013 -0400

    Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69
    
    sctp: fully initialize sctp_outq in sctp_outq_init
    
    In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86
    (refactor sctp_outq_teardown to insure proper re-initalization)
    we modified sctp_outq_teardown to use sctp_outq_init to fully re-initialize the
    outq structure.  Steve West recently asked me why I removed the q->error = 0
    initialization from sctp_outq_teardown.  I did so because I was operating under
    the impression that sctp_outq_init would properly initialize that value for us,
    but it doesn't.  sctp_outq_init operates under the assumption that the outq
    struct is all 0's (as it is when called from sctp_association_init), but using
    it in __sctp_outq_teardown violates that assumption. We should do a memset in
    sctp_outq_init to ensure that the entire structure is in a known state there
    instead.
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    Reported-by: "West, Steve (NSN - US/Fort Worth)" <steve.west@nsn.com>
    CC: Vlad Yasevich <vyasevich@gmail.com>
    CC: netdev@vger.kernel.org
    CC: davem@davemloft.net
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/sctp/outqueue.c

 net/sctp/outqueue.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit 41aa7d04ce71af7eb74fa71e09561db267a3ea1e
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:36 2013 +0200

    Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984
    
    l2tp: Fix sendmsg() return value
    
    PPPoL2TP sockets should comply with the standard send*() return values
    (i.e. return number of bytes sent instead of 0 upon success).
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 319647551ef498b5b840bb977db749b502de72c8
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Jun 12 16:07:23 2013 +0200

    Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64
    
    l2tp: Fix PPP header erasure and memory leak
    
    Copy user data after PPP framing header. This prevents erasure of the
    added PPP header and avoids leaking two bytes of uninitialised memory
    at the end of skb's data buffer.
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 18497f14a6f69a4c29fbb87c89c71e418d34384f
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed Jun 12 16:02:27 2013 +0200

    Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe
    
    packet: packet_getname_spkt: make sure string is always 0-terminated
    
    uaddr->sa_data is exactly of size 14, which is hard-coded here and
    passed as a size argument to strncpy(). A device name can be of size
    IFNAMSIZ (== 16), meaning we might leave the destination string
    unterminated. Thus, use strlcpy() and also sizeof() while we're
    at it. We need to memset the data area beforehand, since strlcpy
    does not pad the remaining buffer with zeroes for user space, so
    that we do not possibly leak anything.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)
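
Added example (not the kernel's code or the commit's diff): a userspace model of the sa_data copy described above, with the struct, the function names and the bounded-copy helper constructed here (the kernel uses strlcpy; the helper below only stands in for it). It shows the unterminated field a 15-character name leaves behind with strncpy(14), why a bounded copy alone still exposes stale bytes after the terminator, and how the memset closes that.

```c
/* Added example, not kernel code: models the packet_getname_spkt() fix. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define IFNAMSIZ    16   /* size of a kernel interface-name buffer */
#define SA_DATA_LEN 14   /* sizeof(struct sockaddr.sa_data) */

/* Stand-in for the userspace-visible sockaddr being filled in. */
struct spkt_addr {
    unsigned short family;
    char data[SA_DATA_LEN];
};

/* Buggy form: strncpy with a hard-coded 14.  A 14- to 15-character name
 * fills every byte of the field and no terminator is written. */
void fill_addr_strncpy(struct spkt_addr *a, const char *ifname)
{
    strncpy(a->data, ifname, 14);
}

/* Local stand-in for strlcpy: copies at most size-1 bytes and always writes
 * a terminator, but does not touch the bytes after it. */
static size_t copy_bounded(char *dst, const char *src, size_t size)
{
    size_t n = strlen(src);
    if (size) {
        size_t c = n >= size ? size - 1 : n;
        memcpy(dst, src, c);
        dst[c] = '\0';
    }
    return n;
}

/* Bounded copy without the memset: terminated, but whatever was in the
 * buffer past the terminator is still handed to user space. */
void fill_addr_bounded_no_memset(struct spkt_addr *a, const char *ifname)
{
    copy_bounded(a->data, ifname, sizeof(a->data));
}

/* Fixed form, modelled on the upstream change: zero the whole field first,
 * then copy with a bound derived from sizeof() that always terminates. */
void fill_addr_fixed(struct spkt_addr *a, const char *ifname)
{
    memset(a->data, 0, sizeof(a->data));
    copy_bounded(a->data, ifname, sizeof(a->data));
}

/* Does the field contain a NUL within its bounds? */
bool data_is_terminated(const struct spkt_addr *a)
{
    return memchr(a->data, '\0', sizeof(a->data)) != NULL;
}

/* Number of non-zero bytes after the terminator (stale data that would leak). */
size_t stale_bytes_after_nul(const struct spkt_addr *a)
{
    const char *nul = memchr(a->data, '\0', sizeof(a->data));
    size_t stale = 0;
    if (!nul)
        return 0;
    for (const char *p = nul + 1; p < a->data + sizeof(a->data); p++)
        if (*p)
            stale++;
    return stale;
}
```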

commit 7bacaeb02c37d814d5fbfe1298bad3b5c36f47df
Author: Kees Cook <keescook@chromium.org>
Date:   Fri May 10 14:48:21 2013 -0700

    Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c
    
    b43: stop format string leaking into error msgs
    
    The module parameter "fwpostfix" is userspace controllable, unfiltered,
    and is used to define the firmware filename. b43_do_request_fw() populates
    ctx->errors[] on error, containing the firmware filename. b43err()
    parses its arguments as a format string. For systems with b43 hardware,
    this could lead to a uid-0 to ring-0 escalation.
    
    CVE-2013-2852
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/b43/main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9a59fa112e3421c7a80c21671745273aafa4ea64
Author: Mark A. Greer <mgreer@animalcreek.com>
Date:   Wed May 29 12:25:34 2013 -0700

    Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5
    
    mwifiex: debugfs: Fix out of bounds array access
    
    When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
    the following panic occurs:
    
    $ cat /sys/kernel/debug/mwifiex/p2p0/info
    Unable to handle kernel paging request at virtual address 74706164
    pgd = de530000
    [74706164] *pgd=00000000
    Internal error: Oops: 5 [#1] SMP ARM
    Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
    CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
    task: de16b6c0 ti: de048000 task.ti: de048000
    PC is at strnlen+0xc/0x4c
    LR is at string+0x3c/0xf8
    pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
    sp : de049e10  ip : c06efba0  fp : de6d2092
    r10: bf01a260  r9 : ffffffff  r8 : 74706164
    r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
    r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 9e530019  DAC: 00000015
    Process cat (pid: 1635, stack limit = 0xde048240)
    Stack: (0xde049e10 to 0xde04a000)
    9e00:                                     de6d2092 00000002 bf01a25e de6d209c
    9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
    9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
    9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
    9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
    9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
    9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
    9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
    9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
    9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
    9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
    9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
    9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
    9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
    [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
    [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
    [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
    [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
    [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
    [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
    [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
    Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
    ---[ end trace ca98273dc605a04f ]---
    
    The panic is caused by the mwifiex_info_read() routine assuming that
    there can only be four modes (0-3) which is an invalid assumption.
    For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
    code accesses data beyond the bounds of the bss_modes[] array which
    causes the panic.  Fix this by updating bss_modes[] to support the
    current list of modes and adding a check to prevent the out-of-bounds
    access from occurring in the future when more modes are added.
    
    Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
    Acked-by: Bing Zhao <bzhao@marvell.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

 drivers/net/wireless/mwifiex/debugfs.c |   22 +++++++++++++++++-----
 1 files changed, 17 insertions(+), 5 deletions(-)
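The mwifiex panic above comes from indexing a four-entry name table with a mode value of 8. As an added example (not the driver's code), the lookup below does what the commit message describes: a table covering the current mode list plus a bounds check that returns a fixed string instead of reading past the array. The table is constructed for the example and follows the enum nl80211_iftype ordering (P2P_CLIENT is 8); the index is taken as unsigned so a negative value arriving as an int also fails the check rather than indexing before the array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed mode-name table in nl80211_iftype order. The pre-fix driver
 * table stopped after "AP" (index 3). */
static const char * const bss_modes[] = {
    "UNSPECIFIED", "ADHOC", "STATION", "AP", "AP_VLAN",
    "WDS", "MONITOR", "MESH_POINT", "P2P_CLIENT", "P2P_GO",
};

/* 1 if mode is a valid index into a table of table_len entries.
 * Taking mode as unsigned turns a negative int into a huge value, which
 * fails the same comparison. */
int mode_in_bounds(unsigned int mode, size_t table_len)
{
    return mode < table_len;
}

/* Bounds-checked lookup: never reads outside bss_modes[], so a mode added
 * to the enum later prints as UNKNOWN instead of faulting. */
const char *bss_mode_name(unsigned int mode)
{
    if (!mode_in_bounds(mode, ARRAY_SIZE(bss_modes)))
        return "UNKNOWN";
    return bss_modes[mode];
}

/* Formats the "mode" line the way a debugfs read routine would, into a
 * caller-supplied buffer; returns the number of characters written. */
int format_mode_line(char *out, size_t outsz, unsigned int mode)
{
    return snprintf(out, outsz, "bss_mode=\"%s\"\n", bss_mode_name(mode));
}

/* Convenience check for the example: 1 if the formatted line for mode
 * contains the expected name. */
int mode_line_has_name(unsigned int mode, const char *expected)
{
    char buf[64];

    if (format_mode_line(buf, sizeof buf, mode) < 0)
        return 0;
    return strstr(buf, expected) != NULL;
}
```

The check is cheap and, as the commit notes, protects against the table and the enum drifting apart again later.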

commit fb7250a986652ac8f0ef176e24003bc31707bfe0
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jun 3 12:00:49 2013 +0300

    Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1
    
    ipvs: info leak in __ip_vs_get_dest_entries()
    
    The entry struct has a 2 byte hole after ->port and another 4 byte
    hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
    namespace to hit this information leak.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/ipvs/ip_vs_ctl.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 81d3b89d5990029633d5bdc5439feebffcb4ff36
Author: Robin Holt <holt@sgi.com>
Date:   Wed Jun 12 14:04:37 2013 -0700

    Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db
    
    reboot: migrate shutdown/reboot to boot cpu
    
    We recently noticed that reboot of a 1024 cpu machine takes approx 16
    minutes of just stopping the cpus.  The slowdown was tracked to commit
    f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in
    kernel_restart()").
    
    The current implementation does all the work of hot removing the cpus
    before halting the system.  We are switching to just migrating to the
    boot cpu and then continuing with shutdown/reboot.
    
    This also has the effect of not breaking x86's command line parameter
    for specifying the reboot cpu.  Note, this code was shamelessly copied
    from arch/x86/kernel/reboot.c with bits removed pertaining to the
    reboot_cpu command line parameter.
    
    Signed-off-by: Robin Holt <holt@sgi.com>
    Tested-by: Shawn Guo <shawn.guo@linaro.org>
    Cc: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@elte.hu>
    Cc: Russ Anderson <rja@sgi.com>
    Cc: Robin Holt <holt@sgi.com>
    Cc: Russell King <linux@arm.linux.org.uk>
    Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sys.c |   29 ++++++++++++++++++++++++++---
 1 files changed, 26 insertions(+), 3 deletions(-)

commit 5c9ad383676e3caf69be4bb7ca2868fc8600ecb2
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jun 6 15:53:47 2013 +0200

    Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c
    
    net: sctp: fix NULL pointer dereference in socket destruction
    
    While stress testing sctp sockets, I hit the following panic:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
    IP: [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    PGD 7cead067 PUD 7ce76067 PMD 0
    Oops: 0000 [#1] SMP
    Modules linked in: sctp(F) libcrc32c(F) [...]
    CPU: 7 PID: 2950 Comm: acc Tainted: GF            3.10.0-rc2+ #1
    Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011
    task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000
    RIP: 0010:[<ffffffffa0490c4e>]  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
    RSP: 0018:ffff88007b569e08  EFLAGS: 00010292
    RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200
    RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000
    RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00
    FS:  00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Stack:
     ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded
     ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e
     0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e
    Call Trace:
     [<ffffffffa049fded>] sctp_destroy_sock+0x3d/0x80 [sctp]
     [<ffffffff8145b60e>] sk_common_release+0x1e/0xf0
     [<ffffffff814df36e>] inet_create+0x2ae/0x350
     [<ffffffff81455a6f>] __sock_create+0x11f/0x240
     [<ffffffff81455bf0>] sock_create+0x30/0x40
     [<ffffffff8145696c>] SyS_socket+0x4c/0xc0
     [<ffffffff815403be>] ? do_page_fault+0xe/0x10
     [<ffffffff8153cb32>] ? page_fault+0x22/0x30
     [<ffffffff81544e02>] system_call_fastpath+0x16/0x1b
    Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f
          1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48>
          8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48
    RIP  [<ffffffffa0490c4e>] sctp_endpoint_free+0xe/0x40 [sctp]
     RSP <ffff88007b569e08>
    CR2: 0000000000000020
    ---[ end trace e0d71ec1108c1dd9 ]---
    
    I did not hit this with the lksctp-tools functional tests, but with a
    small, multi-threaded test program, that heavily allocates, binds,
    listens and waits in accept on sctp sockets, and then randomly kills
    some of them (no need for an actual client in this case to hit this).
    Then, again, allocating, binding, etc, and then killing child processes.
    
    This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable''
    is set. The cause for that is actually very simple: in sctp_endpoint_init()
    we enter the path of sctp_auth_init_hmacs(). There, we try to allocate
    our crypto transforms through crypto_alloc_hash(). In our scenario,
    it then can happen that crypto_alloc_hash() fails with -EINTR from
    crypto_larval_wait(), thus we bail out and release the socket via
    sk_common_release(), sctp_destroy_sock() and hit the NULL pointer
    dereference as soon as we try to access members in the endpoint during
    sctp_endpoint_free(), since endpoint at that time is still NULL. Now,
    if we have that case, we do not need to do any cleanup work and just
    leave the destruction handler.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit acb80176534ccb057aa7e51d288f14876c35d162
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 13 07:21:08 2013 -0400

    Include apparmor compatibility patches

 include/linux/lsm_audit.h              |    4 +
 security/apparmor/Kconfig              |    9 +
 security/apparmor/Makefile             |   20 ++-
 security/apparmor/apparmorfs-24.c      |  287 ++++++++++++++++++++++++++++++++
 security/apparmor/apparmorfs.c         |   18 ++-
 security/apparmor/include/apparmorfs.h |    6 +
 security/apparmor/include/net.h        |   40 +++++
 security/apparmor/include/policy.h     |    3 +
 security/apparmor/lsm.c                |  112 +++++++++++++
 security/apparmor/match.c              |   17 ++
 security/apparmor/net.c                |  170 +++++++++++++++++++
 security/apparmor/policy.c             |    1 +
 security/apparmor/policy_unpack.c      |   48 +++++-
 13 files changed, 730 insertions(+), 5 deletions(-)

commit e5d063dcb67baeeb5a653263e492cf00ed0146f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 12 20:42:08 2013 -0400

    compile fix

 drivers/rapidio/devices/tsi721.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7a6ba65dab9a09622cc9d42140ae84beada7e1b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 11 22:18:07 2013 -0400

    fix elif / elif defined() typo in recent change

 kernel/events/core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f48fb8ff57789c37136a324529e0802e441bc530
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:21:44 2013 -0400

    Fix fanotify infoleak reported by Dan Carpenter at:
    https://lkml.org/lkml/2013/6/3/128
    
    Requires CAP_SYS_ADMIN, so this is about as low priority as it gets

 fs/notify/fanotify/fanotify_user.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 18f8fde4c604473d31b7f99ba0a23c6587242aad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 21:04:17 2013 -0400

    Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2

 drivers/cdrom/cdrom.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 5122ae69a3f6dc576c34fa790639036aa6a0453d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 18:34:32 2013 -0400

    change const to __read_only

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit 8de405dd1acb9edb19462af23e0d92a2c919dd7b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:37:13 2013 -0400

    Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a

 drivers/char/mwave/tp3780i.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit cf9a55518e3ec8c15ae14b1c973ae2be1e018304
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 10 17:34:13 2013 -0400

    compile fix, make const values const

 kernel/sysctl.c |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

commit aaabbf8ef0eefecac0802518a318faa5daab0cf3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 9 19:50:35 2013 -0400

    allow -1 perf_event_paranoid

 kernel/sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b98c7753401000d29c9e6e78dcfd0398581fb5d2
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun May 19 08:36:36 2013 +0000

    Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5
    
    isdn/kcapi: fix a small underflow
    
    In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes
    from skb->data.  The current code can underflow to one space before the
    start of the array.
    
    The sanity check isn't needed in __get_capi_appl_by_nr() but I changed
    it to match the others.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/capi/kcapi.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b72f43b99b44835e3f92d34ef96ecfb72de62bc0
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 16 23:13:04 2013 +0000

    Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211
    
    net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue.
    
    'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the
    strncpy() will always leave the last byte of 'discovery->data.info'
    uninitialized.
    
    When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if the last
    byte of 'discovery->data.info' is still left uninitialized, the next
    strlen() will cause an issue.
    
    Also 'discovery->data' is 'struct irda_device_info', which is defined in
    "include/uapi/...", and it may be copied to user mode, so it needs to be
    wholly initialized.
    
    Altogether, we need to use kzalloc() instead of kmalloc() to initialize
    all members first.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/irlap_frame.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
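The irda commit above hinges on strncpy() writing at most NICKNAME_MAX_LEN (21) bytes into a 22-byte field, so the final byte is whatever the allocator left there. The following added example (not the irda code) reproduces that with a stand-in struct: the same copy is performed into a buffer first filled with a stale pattern (standing in for kmalloc) and into a zeroed one (standing in for kzalloc), and each variant reports whether a NUL terminator exists inside the field. The struct, the pattern byte and the nickname strings are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

#define NICKNAME_MAX_LEN 21
#define INFO_LEN 22   /* size of the 'info' field named in the commit */

/* Constructed stand-in for the 'info' member of struct irda_device_info. */
struct dev_info {
    char info[INFO_LEN];
};

/* The copy as the driver performs it: strncpy pads with NULs only when the
 * source is shorter than 21 bytes and never writes info[21]. */
static void copy_nickname(struct dev_info *d, const char *text)
{
    strncpy(d->info, text, NICKNAME_MAX_LEN);
}

/* 1 if the field holds a NUL somewhere within its 22 bytes, i.e. a later
 * strlen()/copy to userspace stays inside the field. */
static int info_terminated(const struct dev_info *d)
{
    return memchr(d->info, '\0', INFO_LEN) != NULL;
}

/* kmalloc-like allocation: the memory is filled with a non-zero pattern to
 * stand in for stale heap contents before the copy. Returns 1 if the field
 * ended up terminated, 0 if not, -1 on allocation failure. */
int nickname_terminated_uninit(const char *text)
{
    struct dev_info *d = malloc(sizeof *d);
    int ok;

    if (!d)
        return -1;
    memset(d, 0xAA, sizeof *d);   /* simulate uninitialized memory */
    copy_nickname(d, text);
    ok = info_terminated(d);
    free(d);
    return ok;
}

/* kzalloc-like allocation: calloc zeroes the struct first, so info[21] is
 * 0 regardless of the nickname length, and any padding that is later
 * copied to userspace carries no stale bytes either. */
int nickname_terminated_zeroed(const char *text)
{
    struct dev_info *d = calloc(1, sizeof *d);
    int ok;

    if (!d)
        return -1;
    copy_nickname(d, text);
    ok = info_terminated(d);
    free(d);
    return ok;
}
```

With a short nickname both paths are fine, because strncpy pads the remainder with NULs; with a nickname of 21 bytes or more only the zeroed allocation leaves a terminator, which is exactly the case the commit describes.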

commit 2e75234abba290b9e1271ad9de34789fe6294474
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 17 04:53:13 2013 +0000

    Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a
    
    ipv6: fix possible crashes in ip6_cork_release()
    
    commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data")
    added some code duplication and bad error recovery, leading to potential
    crash in ip6_cork_release() as kfree() could be called with garbage.
    
    Use kzalloc() to make sure this won't happen.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
    Cc: Neal Cardwell <ncardwell@google.com>

 net/ipv6/ip6_output.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b2f5d74b7b418d9bbdfb201cc7b84f83272f7910
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon May 13 21:25:52 2013 +0000

    Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e
    
    tcp: fix tcp_md5_hash_skb_data()
    
    TCP md5 communications fail [1] for some devices, because sg/crypto code
    assume page offsets are below PAGE_SIZE.
    
    This was discovered using mlx4 driver [2], but I suspect loopback
    might trigger the same bug now we use order-3 pages in tcp_sendmsg()
    
    [1] Failure is giving following messages.
    
    huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100,
    exited with 00000101?
    
    [2] mlx4 driver uses order-2 pages to allocate RX frags
    
    Reported-by: Matt Schnall <mischnal@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Bernhard Beck <bbeck@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit bdefc94992170319c687d21004953f47068bda0f
Author: Jeff Mahoney <jeffm@jeffreymahoney.com>
Date:   Fri May 31 15:07:52 2013 -0400

    Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab
    
    reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
    
    After sleeping for filldir(), we check to see if the file system has
    changed and research. The next_pos pointer is updated but its value
    isn't pushed into the key used for the search itself. As a result,
    the search returns the same item that the last cycle of the loop did
    and filldir() is called multiple times with the same data.
    
    The end result is that the buffer can contain the same name multiple
    times. This can be returned to userspace or used internally in the
    xattr code where it can manifest with the following warning:
    
    jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
    
    reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
    the xattr names and ends up trying to unlink the same name twice. The
    second attempt fails with -ENOENT and the error is returned. At some
    point I'll need to add support into reiserfsck to remove the orphaned
    directories left behind when this occurs.
    
    The fix is to push the value into the key before researching.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/dir.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 569c1db757aaac584f4df9e0b206ecd553a7cf55
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:51:17 2013 -0400

    Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc
    
    reiserfs: fix deadlock with nfs racing on create/lookup
    
    Reiserfs is currently able to be deadlocked by having two NFS clients
    where one has removed and recreated a file and another is accessing the
    file with an open file handle.
    
    If one client deletes and recreates a file with timing such that the
    recreated file obtains the same [dirid, objectid] pair as the original
    file while another client accesses the file via file handle, the create
    and lookup can race and deadlock if the lookup manages to create the
    in-memory inode first.
    
    The create thread, in insert_inode_locked4, will hold the write lock
    while waiting on the other inode to be unlocked. The lookup thread,
    anywhere in the iget path, will release and reacquire the write lock while
    it schedules. If it needs to reacquire the lock while the create thread
    has it, it will never be able to make forward progress because it needs
    to reacquire the lock before ultimately unlocking the inode.
    
    This patch drops the write lock across the insert_inode_locked4 call so
    that the ordering of inode_wait -> write lock is retained. Since this
    would have been the case before the BKL push-down, this is safe.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/inode.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit cf9cf7713ce43c0f6e8656c1fae9dc06898c1cd9
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri May 31 15:54:17 2013 -0400

    Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b
    
    reiserfs: fix problems with chowning setuid file w/ xattrs
    
    reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
    and uses it to iterate over all the attrs associated with a file to change
    ownership of xattrs (and transfer quota associated with the xattr files).
    
    When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
    are passed to all the xattrs as well. This means that the xattr directory
    will have S_IFREG added to its mode bits.
    
    This has been prevented in practice by a missing IS_PRIVATE check
    in reiserfs_acl_chmod, which caused a double-lock to occur while holding
    the write lock. Since the file system was completely locked up, the
    writeout of the corrupted mode never happened.
    
    This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
    calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
    
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c     |   14 +++++++++++++-
 fs/reiserfs/xattr_acl.c |    3 +++
 2 files changed, 16 insertions(+), 1 deletions(-)

commit d7bdf58f3629468378d20ccc78370e1a690dbe24
Author: Dave Chinner <dchinner@redhat.com>
Date:   Mon May 27 16:38:25 2013 +1000

    Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b
    
    xfs: kill suid/sgid through the truncate path.
    
    XFS has failed to kill suid/sgid bits correctly when truncating
    files of non-zero size since commit c4ed4243 ("xfs: split
    xfs_setattr") introduced in the 3.1 kernel. Fix it.
    
    Fix it.
    
    cc: stable kernel <stable@vger.kernel.org>
    Signed-off-by: Dave Chinner <dchinner@redhat.com>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Signed-off-by: Ben Myers <bpm@sgi.com>
    
    (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6)

 fs/xfs/xfs_iops.c |   47 ++++++++++++++++++++++++++++++++---------------
 1 files changed, 32 insertions(+), 15 deletions(-)

commit aad838f744fe6dd7d33b3250bf89df4cb6adfd1b
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Wed May 29 15:36:40 2013 -0400

    Upstream commit: f448badd34700ae728a32ba024249626d49c10e1
    
    NFSv4: Fix a thinko in nfs4_try_open_cached
    
    We need to pass the full open mode flags to nfs_may_open() when doing
    a delegated open.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Cc: stable@vger.kernel.org
    
    Conflicts:
    
    	fs/nfs/nfs4proc.c

 fs/nfs/nfs4proc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit be831ad596a7582eb067bec6ee448cf2c6944e11
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 30 01:18:43 2013 +0000

    Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8
    
    parisc: kernel: using strlcpy() instead of strcpy()
    
    'boot_args' is an input arg, and 'boot_command_line' has a fixed length.
    So use strlcpy() instead of strcpy() to avoid memory overflow.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Acked-by: Kyle McMartin <kyle@mcmartin.ca>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/setup.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 0cb3d9db210606a12b30754f290472d17471ba3c
Author: Chen Gang <gang.chen@asianux.com>
Date:   Mon May 27 04:57:09 2013 +0000

    Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95
    
    parisc: memory overflow, 'name' length is too short for using
    
    'path.bc[i]' can be assigned by PCI_SLOT() which can be '> 10', so sizeof(6
    * "%u:" + "%u" + '\0') may be 21.
    
    Since 'name' length is 20, it may be memory overflow.
    
    And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the
    max length of 'name' must be less than 28.
    
    So to simplify thinking, we can use 28 instead of 20 directly, and do not
    need to think about whether 'path.bc[i]' can be '> 100'.
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/kernel/drivers.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2de5e49b6e0f7beca6e0727907a3451f22c0c2fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:52:23 2013 -0400

    add PERF_HARDEN recommendation

 grsecurity/Kconfig |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 91c8a2424087b7911379f269df64b596e6c1ad45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 4 17:22:44 2013 -0400

    Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN

 grsecurity/Kconfig         |   19 +++++++++++++++++++
 include/linux/perf_event.h |    5 +++++
 kernel/events/core.c       |   10 +++++++++-
 kernel/sysctl.c            |    9 ++++++++-
 4 files changed, 41 insertions(+), 2 deletions(-)

commit b020761abd650320700a7253bfda3830557101f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 14:23:31 2013 -0400

    remove user-triggerable BUG_ON in do_munlockall()
    
    Conflicts:
    
    	mm/mlock.c

 mm/mlock.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit b755f62d899d6cfeebccb7b8f5f98565c36d8dc9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 13:44:05 2013 -0400

    Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456
    
    From: Kees Cook <keescook@chromium.org>
    Date: Thu, 23 May 2013 17:32:17 +0000
    Subject: iscsi-target: fix heap buffer overflow on error
    
    If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
    error response packet, generated by iscsi_add_notunderstood_response(),
    would still attempt to copy the entire key into the packet, overflowing
    the structure on the heap.
    
    Remote preauthentication kernel memory corruption was possible if a
    target was configured and listening on the network.
    
    CVE-2013-2850
    
    Embargo-screwup-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

 drivers/target/iscsi/iscsi_target_parameters.c |    8 +++-----
 drivers/target/iscsi/iscsi_target_parameters.h |    4 +++-
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 2453666d1b0a5fed341ea80957105ffa4a8c3994
Merge: af153f5 7a96ff7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 11:29:13 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	drivers/char/random.c

commit 7a96ff72e1697e1765ee31fdd212c2929446bb67
Merge: ee5b3c4 a2d09e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 1 11:27:03 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kernel/irq.c

commit af153f5604a3c61e5fee6618c63d5dd66735e96b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 30 17:44:15 2013 -0400

    Apply compatibility fix to previous RLIMIT_NPROC change
    don't enforce the rlimit check at exec time if the user is root
    Prevents problems with sudo if root is listed as part of a group
    in limits.conf with process limits enforced

 kernel/sys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8bd4639abbd4d694d8d643555070ae7a35e98f80
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 20:43:47 2013 -0400

    backport BUILD_BUG_ON() fix

 include/linux/kernel.h |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 202eb229439fb2f78da738f13d6a55a344d388b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 20:25:12 2013 -0400

    backport some BUILD_BUG_ON() changes

 include/linux/compiler.h |    4 ++++
 include/linux/kernel.h   |   31 +++++++++++++++++++------------
 2 files changed, 23 insertions(+), 12 deletions(-)

commit 9eef4295cf417370627622016dd3b8ea3d05bc45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 20:10:58 2013 -0400

    eliminate unused case

 arch/x86/net/bpf_jit_comp.c |   11 +++--------
 1 files changed, 3 insertions(+), 8 deletions(-)

commit 763c4bb3f5033b4477be897d0e97ab0fa7315cf0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:54:55 2013 -0400

    BUILD_BUG() does not exist in 3.2, use BUILD_BUG_ON(1) instead

 arch/x86/net/bpf_jit_comp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 93f93cdc0fca0b6dfa02da00a1c13619fcb36d42
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 19:43:45 2013 -0400

    fix typo

 arch/x86/net/bpf_jit_comp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7d6b07f5714338fa82e69eae4e3b46618dc7f34e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:22:40 2013 -0400

    move _etext to only cover kernel code, not read-only data, as reported by Gu1
    
    Conflicts:
    
    	arch/arm/kernel/vmlinux.lds.S

 arch/arm/kernel/vmlinux.lds.S |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 29ad510ef848c5afab671f4b86f84b0f90411057
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 11 12:12:00 2013 -0400

    allow copies just up to the start of kernel code

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cbc64d2ef1ecb4b80c71ae77cd028d193afbc441
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:53:07 2013 -0400

    MODULES_EXEC_VADDR is a virtual address

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c26bdbabafdc77f63793f490146f071da059ba8b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 10 16:51:03 2013 -0400

    exempt module rx areas from usercopy protection under i386 kernexec
    their .rodata will be placed between stext/etext causing copies of
    constant strings to trigger usercopy reports/terminations

 fs/exec.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c82b29f9dc7639d480113ed3573ac5cbf6378cb6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 18 19:17:24 2013 -0400

    add asm/sections.h for USERCOPY change

 fs/exec.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5b7c5de5df05a7aef18f1996a453869a047193e9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:17:00 2013 -0400

    Improve PAX_USERCOPY to reject direct copies to/from main kernel text
    
    Conflicts:
    
    	fs/exec.c

 fs/exec.c |   33 +++++++++++++++++++++++++++++----
 1 files changed, 29 insertions(+), 4 deletions(-)

commit be6910ed9a42be5f57ff23ba0b8ba0a9c951c6f5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 29 18:33:33 2013 -0400

    defensively guard against BPF JIT additions by adding BUILD_BUG() to unhandled cases

 arch/x86/net/bpf_jit_comp.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit c2dfcdab89f09767b8839d5f77943895d6d48013
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 28 23:52:08 2013 -0400

    remove tracepoint

 drivers/char/random.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit a65835c4273b02a8bf4b8b7ec8e76e54dc87d27e
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date:   Fri May 24 15:55:21 2013 -0700

    Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18
    
    mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
    
    We should not use set_pmd_at to update pmd_t with pgtable_t pointer.
    set_pmd_at is used to set pmd with huge pte entries and architectures
    like ppc64, clear few flags from the pte when saving a new entry.
    Without this change we observe bad pte errors like below on ppc64 with
    THP enabled.
    
      BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/huge_memory.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

commit 0c0e0761dd558af8d47d30e667b13892e84eb4f1
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Fri May 24 15:55:08 2013 -0700

    Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995
    
    fat: fix possible overflow for fat_clusters
    
    Intermediate value of fat_clusters can be overflowed on 32bits arch.
    
    Reported-by: Krzysztof Strasburger <strasbur@chkw386.ch.pwr.wroc.pl>
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/fat/inode.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 55cc5b0ea757afe52543135b2d658797fba02540
Author: Jarod Wilson <jarod@redhat.com>
Date:   Fri May 24 15:55:31 2013 -0700

    Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53
    
    drivers/char/random.c: fix priming of last_data
    
    Commit ec8f02da9ea5 ("random: prime last_data value per fips
    requirements") added priming of last_data per fips requirements.
    
    Unfortunately, it did so in a way that can lead to multiple threads all
    incrementing nbytes, but only one actually doing anything with the extra
    data, which leads to some fun random corruption and panics.
    
    The fix is to simply do everything needed to prime last_data in a single
    shot, so there's no window for multiple cpus to increment nbytes -- in
    fact, we won't even increment or decrement nbytes anymore, we'll just
    extract the needed EXTRACT_SIZE one time per pool and then carry on with
    the normal routine.
    
    All these changes have been tested across multiple hosts and
    architectures where panics were previously encountered.  The code changes
    are strictly limited to areas only touched when booted in fips
    mode.
    
    This change should also go into 3.8-stable, to make the myriads of fips
    users on 3.8.x happy.
    
    Signed-off-by: Jarod Wilson <jarod@redhat.com>
    Tested-by: Jan Stancek <jstancek@redhat.com>
    Tested-by: Jan Stodola <jstodola@redhat.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Matt Mackall <mpm@selenic.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   30 +++++++++++++++---------------
 1 files changed, 15 insertions(+), 15 deletions(-)

commit 6b6f31f49fafd14a54175a1aa17bedd2d8521def
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Fri May 24 15:55:33 2013 -0700

    Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68
    
    random: fix accounting race condition with lockless irq entropy_count update
    
    Commit 902c098a3663 ("random: use lockless techniques in the interrupt
    path") turned IRQ path from being spinlock protected into lockless
    cmpxchg-retry update.
    
    That commit removed r->lock serialization between crediting entropy bits
    from IRQ context and accounting when extracting entropy on userspace
    read path, but didn't turn the r->entropy_count reads/updates in
    account() to use cmpxchg as well.
    
    It has been observed, that under certain circumstances this leads to
    read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets
    corrupted and becomes negative, which in turn results in propagating 0
    all the way from account() to the actual read() call.
    
    Convert the accounting code to be the proper lockless counterpart of
    what has been partially done by 902c098a3663.
    
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Greg KH <greg@kroah.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/random.c |   26 +++++++++++++++++---------
 1 files changed, 17 insertions(+), 9 deletions(-)

commit 96ff338de32b01effbac6c36c634afe44c528e68
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Mon Mar 4 11:59:12 2013 -0500

    Upstream commit: b980955236922ae6106774511c5c05003d3ad225
    
    random: fix locking dependency with the tasklist_lock
    
    Commit 6133705494bb introduced a circular lock dependency because
    posix_cpu_timers_exit() is called by release_task(), which is holding
    a writer lock on tasklist_lock, and this can cause a deadlock since
    kill_fasync() gets called with nonblocking_pool.lock taken.
    
    There's no reason why kill_fasync() needs to be taken while the random
    pool is locked, so move it out to fix this locking dependency.
    
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Reported-by: Russ Dill <Russ.Dill@gmail.com>
    Cc: stable@kernel.org

 drivers/char/random.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

commit 466d8b9a7aa0e929c30095557a98b14e058b09db
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:41:33 2013 -0400

    use existing local variable

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5c28916388cc04e38e16536a4b24dbe7c2466cf1
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Thu May 16 17:43:55 2013 +0200

    Upstream commit: 264b83c07a84223f0efd0d1db9ccc66d6f88288f
    
    usermodehelper: check subprocess_info->path != NULL
    
    argv_split(empty_or_all_spaces) happily succeeds, it simply returns
    argc == 0 and argv[0] == NULL. Change call_usermodehelper_exec() to
    check sub_info->path != NULL to avoid the crash.
    
    This is the minimal fix, todo:
    
     - perhaps we should change argv_split() to return NULL or change the
       callers.
    
     - kill or justify ->path[0] check
    
     - narrow the scope of helper_lock()
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Acked-By: Lucas De Marchi <lucas.demarchi@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/kmod.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit f9172f77b731f27cbafed27dee134b9f04eb13eb
Author: Chen Gang <gang.chen@asianux.com>
Date:   Thu May 16 14:04:25 2013 -0500

    Upstream commit: a5f2b3d6a738e7d4180012fe7b541172f8c8dcea
    
    drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow
    
    When calling memcpy, read_data and write_data need additional 2 bytes.
    
      write_data:
        for checking:  "if (size > IPMI_MAX_MSG_LENGTH)"
        for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)"
    
      read_data:
        for checking:  "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)"
        for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)"
    
    Signed-off-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Corey Minyard <cminyard@mvista.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/char/ipmi/ipmi_bt_sm.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ae433caec330f8527c9609bf3f9120e3582afb86
Merge: f1fb081 ee5b3c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:18:32 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit ee5b3c47d06095052597ab0b52e80b8ef6dc3ede
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 23 18:17:54 2013 -0400

    Update to pax-linux-3.2.45-test106.patch:
    - fixed a gcc assert in the structleak plugin, reported by Emese Revfy
    - fixed pfn extraction from pud/pgd entries, reported by ousado
    - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html

 arch/x86/include/asm/pgtable.h |    9 +++++-
 fs/jfs/super.c                 |    4 +-
 sound/soc/fsl/fsl_ssi.c        |    2 +-
 tools/gcc/constify_plugin.c    |   48 +++++++++++++++++++++++++++++++++++++--
 tools/gcc/structleak_plugin.c  |    3 +-
 5 files changed, 57 insertions(+), 9 deletions(-)

commit f1fb0815610c45f938f19c3868341d09ae657f9d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 16 20:30:37 2013 -0400

    Fix usercopy false positive under gcc 4.1

 arch/x86/kernel/signal.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

commit 9e7f7ca888e699d9081791fb60927042f0202e39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 16:52:35 2013 -0400

    disable unprivileged kernel profiling under HIDESYM, rename
    the variable to something more appropriate

 include/linux/perf_event.h |    8 ++++----
 kernel/events/core.c       |    6 +++++-
 kernel/sysctl.c            |    4 ++--
 3 files changed, 11 insertions(+), 7 deletions(-)

commit 92c947dcfe310d0c4bcfb68f6f06ca43fcfdca19
Merge: 1979685 e16fea9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 17:05:08 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	drivers/tty/tty_io.c
    	net/ipv4/tcp_input.c

commit e16fea9e43ae863fabe00f770e329a87575e98d0
Merge: 1ef16b8 88fd5f3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 14 17:01:35 2013 -0400

    Update to pax-linux-3.2.45-test105.patch
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/mm/init.c
    	kernel/trace/trace_stack.c

commit 197968500d67cfd144658613250837810b109025
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 20:10:59 2013 -0400

    compile fix for PaX

 arch/x86/lib/usercopy_64.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a63fa11bbcb3f49cedd1057f9f7c7693f755a91a
Merge: 63253e2 1ef16b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 11:03:12 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1ef16b89f336b44710a321b7afc7172873efaa82
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 13 11:01:58 2013 -0400

    Update to pax-linux-3.2.44-test105.patch:
    - another fix for kprobes under KERNEXEC
    - enabled user.pax.flags access for non-readable executables, fixes https://bugs.gentoo.org/show_bug.cgi?id=463170#c21
    - fixed some size overflow false positives, including the one in nfsd_cache_update
    - fixed sparc/constification compile error, reported by blake
    - UDEREF/amd64 should be a bit more efficient when disabled at boot time
    - fixed some unnecessary integer truncations that could trip up the size overflow plugin

 arch/sparc/kernel/us3_cpufreq.c     |    4 ++--
 arch/x86/ia32/ia32entry.S           |    4 ++--
 arch/x86/include/asm/pgtable.h      |    6 ++++--
 arch/x86/include/asm/uaccess.h      |    6 +++---
 arch/x86/kernel/kprobes.c           |    4 ++++
 arch/x86/lib/copy_user_nocache_64.S |    2 +-
 arch/x86/lib/getuser.S              |    8 ++++----
 arch/x86/lib/putuser.S              |    8 ++++----
 arch/x86/mm/fault.c                 |    6 +++---
 drivers/net/slip/slhc.c             |    2 +-
 drivers/staging/iio/ring_sw.c       |    2 +-
 fs/binfmt_elf.c                     |    6 +++---
 fs/nfsd/nfscache.c                  |    2 +-
 fs/xattr.c                          |   21 +++++++++++++++++++++
 include/linux/syscalls.h            |    2 +-
 include/linux/xattr.h               |    3 +++
 init/main.c                         |    3 +++
 kernel/futex_compat.c               |    2 +-
 net/socket.c                        |    2 +-
 19 files changed, 63 insertions(+), 30 deletions(-)

commit 63253e283e46877c692d2f78c82b3b48f55226cd
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 09:31:17 2013 +0000

    Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa
    
    tipc: potential divide by zero in tipc_link_recv_fragment()
    
    The worry here is that fragm_sz could be zero since it comes from
    skb->data.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/tipc/link.c

 net/tipc/link.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 51b67cb3637685f46c75a6e94b7780ec65ae9818
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon May 6 08:28:41 2013 +0000

    Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc
    
    tipc: add a bounds check in link_recv_changeover_msg()
    
    The bearer_id here comes from skb->data and it can be a number from 0 to
    7.  The problem is that the ->links[] array has only 2 elements so I
    have added a range check.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/link.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 3034fc8b9176afee27071b95c97544dbf5c50ef5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 20:22:50 2013 -0400

    compile fix

 grsecurity/gracl.c      |    1 +
 grsecurity/gracl_segv.c |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

commit 6b33a780cf58cdfc61c36be566d8136a92d7f94c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:25:26 2013 -0400

    fix btrfs support here as well

 grsecurity/gracl_segv.c |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit 2a986549f6e0db61321d565ca5c9b88a6fc5b354
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 12 18:12:57 2013 -0400

    Fix RBAC compatibility with btrfs compiled as a module, as
    reported on the forums by YuHg at:
    http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952
    
    Conflicts:
    
    	grsecurity/gracl.c

 fs/btrfs/inode.c            |   11 +----------
 grsecurity/gracl.c          |   19 ++++++++++---------
 grsecurity/gracl_segv.c     |    2 +-
 grsecurity/grsec_disabled.c |    2 +-
 4 files changed, 13 insertions(+), 21 deletions(-)

commit 68e0711ebaecaed5071acc4798c22154722be985
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 8 20:25:52 2013 -0400

    User jorgus on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3446
    discovered that the upstreamed version of enforcing RLIMIT_NPROC
    at setuid/exec time missed an important corner case:
    If RLIMIT_NPROC is set after a setuid occurs and the user's process
    limit is reached elsewhere, no enforcement of RLIMIT_NPROC will
    happen at exec time for the task with a modified RLIMIT_NPROC.
    
    This patch fixes that.

 kernel/sys.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 908bad69fe301caf37ef42d268b0db7d861e991e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 7 21:02:39 2013 -0400

    add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity
    useful for Fedora/RHEL users
    
    Conflicts:
    
    	grsecurity/grsec_chroot.c

 grsecurity/Kconfig        |   10 ++++++++++
 grsecurity/grsec_chroot.c |   17 +++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

commit 706f9f987e260e56ff3e7850616967a12b99e367
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Apr 29 05:58:52 2013 +0000

    Upstream commit: aebda156a570782a86fc4426842152237a19427d
    
    net: defer net_secret[] initialization
    
    Instead of feeding net_secret[] at boot time, defer the init
    at the point first socket is created.
    
    This permits some platforms to use better entropy sources than
    the ones available at boot time.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/secure_seq.h |    1 +
 net/core/secure_seq.c    |    4 +---
 net/ipv4/af_inet.c       |    5 ++++-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit 0dfbb30c4754e3c1e51dc1f207b764050941081d
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Wed May 1 02:59:23 2013 +0000

    Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48
    
    net: sctp: attribute printl with __printf for gcc fmt checks
    
    Let GCC check for format string errors in sctp's probe printl
    function. This patch fixes the warning when compiled with W=1:
    
    net/sctp/probe.c:73:2: warning: function might be possible candidate
    for 'gnu_printf' format attribute [-Wmissing-format-attribute]
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/probe.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a6fd34e3030e4e1521255bf6563795ff310f54dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:58:54 2013 -0400

    remove no-longer-needed vmware 8 compat fix

 mm/page_alloc.c |    6 ------
 1 files changed, 0 insertions(+), 6 deletions(-)

commit 162b6fbcca854849113574740e89d0df86d9002f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 2 19:55:23 2013 -0400

    remove unnecessary < 0 check

 net/phonet/af_phonet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3fbdd6071dbb0cee76b29eb12b7b79606a248a94
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:44:23 2013 -0400

    add module.h to silence compiler warning, thanks to
    Sergei Trofimovich

 fs/btrfs/inode.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e0966e03b7fd8f9b47b039e2576fc159259738d2
Merge: 1ecc5df fe7a9b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:54:49 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit fe7a9b2587887771bd585d060916d19ff7f8a2da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 29 18:54:02 2013 -0400

    Update to pax-linux-3.2.44-test104.patch:
    - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
    - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
    - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)
    - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412
    - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438
      note that the false positive is not fixed yet
    - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin
    - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444)

 arch/x86/kernel/entry_64.S       |   11 ++++++++++-
 arch/x86/kernel/i8259.c          |    2 +-
 arch/x86/kernel/pci-calgary_64.c |    2 +-
 arch/x86/kvm/vmx.c               |    4 ++--
 drivers/block/pktcdvd.c          |    2 +-
 fs/btrfs/extent-tree.c           |    2 +-
 fs/nfsd/nfscache.c               |    6 ++++--
 kernel/trace/trace.c             |    2 +-
 kernel/trace/trace.h             |    2 +-
 tools/gcc/structleak_plugin.c    |    4 ++++
 10 files changed, 26 insertions(+), 11 deletions(-)

commit 1ecc5dfab4c47eea0e0357243576023a6e41e53f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 27 19:15:22 2013 -0400

    Revert "Upstream commit: 9c603e53d380459fb62fec7cd085acb0b74ac18f"
    
    This reverts commit 28e7b00ea53db22a3b92d719c1e021ed852ec714.
    
    Conflicts:
    
    	drivers/mtd/mtdchar.c

 drivers/mtd/mtdchar.c |   41 ++---------------------------------------
 1 files changed, 2 insertions(+), 39 deletions(-)

commit 530893e5207bae101e817ba6ab2ef48d14ec8c3c
Merge: 42c9be5 5de7ed2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 22:12:15 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/kvm/x86.c
    	drivers/mtd/mtdchar.c

commit 5de7ed2fff9bb3b17552237250cdcfd1c206a5cf
Merge: 5707e86 7771ca8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 22:11:11 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kernel/paravirt.c

commit 42c9be5fdf608055a57f2a92a6bbbc12b690cc9c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 26 20:53:06 2013 -0400

    don't use file_inode()

 drivers/tty/tty_io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e8fee09093c382486ee1c3278c97efe8f32c456a
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Apr 26 13:48:53 2013 +0200

    TTY: fix atime/mtime regression
    
    In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
    we removed timestamps from tty inodes to fix a security issue and waited
    if something breaks.  Well, 'w', the utility to find out logged users
    and their inactivity time broke.  It shows that users are inactive since
    the time they logged in.
    
    To revert to the old behaviour while still preventing attackers to
    guess the password length, we update the timestamps in one-minute
    intervals by this patch.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	drivers/tty/tty_io.c

 drivers/tty/tty_io.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

commit 9d29ed3eecbc0a798ca8c520937fefb6799516c9
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 15 15:25:05 2013 +0100

    Upstream commit: b0de59b5733d
    
    TTY: do not update atime/mtime on read/write
    
    On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
    out length of a password using timestamps of /dev/ptmx. It is
    documented in "Timing Analysis of Keystrokes and Timing Attacks on
    SSH". To avoid that problem, do not update time when reading
    from/writing to a TTY.
    
    I am afraid of regressions as this is a behavior we have since 0.97
    and apps may expect the time to be current, e.g. for monitoring
    whether there was a change on the TTY. Now, there is no change. So
    this would better have a lot of testing before it goes upstream.
    
    References: CVE-2013-0160
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: stable <stable@vger.kernel.org> # after 3.9 is out
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c |    8 ++------
 1 files changed, 2 insertions(+), 6 deletions(-)

commit e9eb3139908b27837f7b0500b856fd23943e9667
Author: John David Anglin <dave.anglin@bell.net>
Date:   Tue Apr 23 22:42:07 2013 +0200

    Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78
    
    parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates
    
    User applications running on SMP kernels have long suffered from instability
    and random segmentation faults.  This patch improves the situation although
    there is more work to be done.
    
    One of the problems is the various routines in pgtable.h that update page table
    entries use different locking mechanisms, or no lock at all (set_pte_at).  This
    change modifies the routines to all use the same lock pa_dbit_lock.  This lock
    is used for dirty bit updates in the interruption code. The patch also purges
    the TLB entries associated with the PTE to ensure that inconsistent values are
    not used after the page table entry is updated.  The UP and SMP code are now
    identical.
    
    The change also includes a minor update to the purge_tlb_entries function in
    cache.c to improve its efficiency.
    
    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Cc: Helge Deller <deller@gmx.de>
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/include/asm/pgtable.h |   47 +++++++++++++++++++-----------------
 arch/parisc/kernel/cache.c        |    5 +---
 2 files changed, 26 insertions(+), 26 deletions(-)

commit 82d0eec7c3686baedab4883c8bdc52cc0d1aae83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 22 17:43:40 2013 -0400

    Fix typo in KVM fix

 arch/x86/kvm/x86.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d23f8b0f7e082db3a761f053605069e7cd833a75
Author: David Woodhouse <David.Woodhouse@intel.com>
Date:   Tue Oct 9 15:08:10 2012 +0100

    Upstream commit: f5cf8f07423b2677cebebcebc863af77223a4972
    
    mtd: Disable mtdchar mmap on MMU systems
    
    This code was broken because it assumed that all MTD devices were map-based.
    Disable it for now, until it can be fixed properly for the next merge window.
    
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

 drivers/mtd/mtdchar.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 9a687b8f40800c7dcc014c1682658f594a560bef
Author: Dmitry Popov <dp@highloadlab.com>
Date:   Thu Apr 11 08:55:07 2013 +0000

    Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6
    
    tcp: incoming connections might use wrong route under synflood
    
    There is a bug in cookie_v4_check (net/ipv4/syncookies.c):
    	flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
    			   RT_SCOPE_UNIVERSE, IPPROTO_TCP,
    			   inet_sk_flowi_flags(sk),
    			   (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
    			   ireq->loc_addr, th->source, th->dest);
    
    Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be
    taken. This dst_entry is used by new socket (get_cookie_sock ->
    tcp_v4_syn_recv_sock), so its packets may take the wrong path.
    
    Signed-off-by: Dmitry Popov <dp@highloadlab.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/syncookies.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1810425af631fcf556767742f0267d8b5c8a6247
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Sat Apr 13 15:49:03 2013 +0000

    Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93
    
    esp4: fix error return code in esp_output()
    
    Fix to return a negative error code from the error handling
    case instead of 0, as returned elsewhere in this function.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/esp4.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 6196ec48aa33bb128829ff029f201dd7670cc0af
Author: Vyacheslav Dubeyko <slava@dubeyko.com>
Date:   Wed Apr 17 15:58:33 2013 -0700

    Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4
    
    hfsplus: fix potential overflow in hfsplus_file_truncate()
    
    Change a u32 to loff_t hfsplus_file_truncate().
    
    Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/hfsplus/extents.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3634aee165fd35c7180e7fe4b0d9b4fb17ea3efe
Author: Emese Revfy <re.emese@gmail.com>
Date:   Wed Apr 17 15:58:36 2013 -0700

    Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f
    
    kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
    
    This fixes a kernel memory contents leak via the tkill and tgkill syscalls
    for compat processes.
    
    This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
    when handling signals delivered from tkill.
    
    The place of the infoleak:
    
    int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
    {
            ...
            put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
            ...
    }
    
    Signed-off-by: Emese Revfy <re.emese@gmail.com>
    Reviewed-by: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/signal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit cb7e3814af19241d361b4e01c1f3038506336f63
Merge: 3a0b578 5707e86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:13:23 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	security/Kconfig

commit 5707e86ddf7438639dd210a7bb6d144847e52b58
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 20:10:00 2013 -0400

      - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414
      - CONSTIFY depends on KERNEXEC (for the kernel open/close feature)
      - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364)

 arch/powerpc/include/asm/smp.h |    2 +-
 arch/x86/Kconfig               |    4 ++--
 security/Kconfig               |    2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

commit 4b49d904b0132e7af83f9799c7814e37f881cbee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 17 19:54:09 2013 -0400

    add intentional_overflow marking for resource_size() as reasoned by:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3412

 include/linux/ioport.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3a0b578ba3c9bbc3f4d6c4f688961277a26847b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 15 19:01:09 2013 -0400

    Check that address+len does not cross a page boundary instead
    of enforcing 32-byte alignment for compatibility with RHEL5
    
    As suggested by Andrew Honig via email

 arch/x86/kvm/x86.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit e373e5698bf9f7fefc61f3afbe016dba92bce72e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 15 18:54:44 2013 -0400

    From: Andy Honig <ahonig@google.com>
    Date: Wed, 20 Feb 2013 14:48:10 -0800
    Subject: KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache
     functions (CVE-2013-1797)
    
    commit 0b79459b482e85cb7426aa7da683a9f2c97aeae1 upstream.
    
    There is a potential use after free issue with the handling of
    MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
    memory such as frame buffers then KVM might continue to write to that
    address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
    the page in memory so it's unlikely to cause an issue, but if the user
    space component re-purposes the memory previously used for the guest, then
    the guest will be able to corrupt that memory.
    
    Tested: Tested against kvmclock unit test
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    [bwh: Backported to 3.2:
     - Adjust context
     - We do not implement the PVCLOCK_GUEST_STOPPED flag]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

 arch/x86/include/asm/kvm_host.h |    4 ++--
 arch/x86/kvm/x86.c              |   39 ++++++++++++++-------------------------
 2 files changed, 16 insertions(+), 27 deletions(-)

commit 33eaaf68c9ba22cbb2e1a363cb6d05204b3e6964
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 21:43:23 2013 -0400

    move location of RBAC user check on setfsuid until after capability checks for consistency with other checks

 kernel/sys.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 6bb27b76b385e8f0efb17836b5ee3a8085da2bc8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 13:36:33 2013 -0400

    include linux/atomic.h instead

 include/linux/kref.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 25b19e54f94e5aa8fdbe60a6810f5a8fa0535f99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 14 13:18:13 2013 -0400

    include asm/atomic.h

 include/linux/kref.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit aaded14f791e07bfc297101e10c85c9cae320640
Author: Thomas Hellstrom <thellstrom@vmware.com>
Date:   Tue Nov 6 11:31:49 2012 +0000

    Upstream commit: 4b20db3d
    
    kref: Implement kref_get_unless_zero v3
    
    This function is intended to simplify locking around refcounting for
    objects that can be looked up from a lookup structure, and which are
    removed from that lookup structure in the object destructor.
    Operations on such objects require at least a read lock around
    lookup + kref_get, and a write lock around kref_put + remove from lookup
    structure. Furthermore, RCU implementations become extremely tricky.
    With a lookup followed by a kref_get_unless_zero *with return value check*
    locking in the kref_put path can be deferred to the actual removal from
    the lookup structure and RCU lookups become trivial.
    
    v2: Formatting fixes.
    v3: Invert the return value.
    
    Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
    	include/linux/kref.h

 include/linux/kref.h |   20 ++++++++++++++++++++
 1 files changed, 20 insertions(+), 0 deletions(-)

commit f03c3e83de84db3f6c4c3737a11a6ee50beb7825
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Apr 13 15:15:30 2013 -0700

    kobject: fix kset_find_obj() race with concurrent last kobject_put()
    
    Anatol Pomozov identified a race condition that hits module unloading
    and re-loading.  To quote Anatol:
    
     "This is a race condition that exists between kset_find_obj() and
      kobject_put().  kset_find_obj() might return a kobject that has refcount
      equal to 0 if this kobject is being freed by kobject_put() in another
      thread.
    
      Here is the timeline for the crash in case kset_find_obj() searches for
      an object that nobody holds and another thread is doing kobject_put() on
      the same kobject:
    
        THREAD A (calls kset_find_obj())     THREAD B (calls kobject_put())
        spin_lock()
                                             atomic_dec_return(kobj->kref), counter gets zero here
                                             ... starts kobject cleanup ....
                                             spin_lock() // WAIT thread A in kobj_kset_leave()
        iterate over kset->list
        atomic_inc(kobj->kref) (counter becomes 1)
        spin_unlock()
                                             spin_lock() // taken
                                             // it does not know that thread A increased counter so it
                                             removes obj from list
                                             spin_unlock()
                                             vfree(module) // frees module object with containing kobj
    
        // kobj points to freed memory area!!
        kobject_put(kobj) // OOPS!!!!
    
      The race above happens because module.c tries to use kset_find_obj()
      when somebody unloads module.  The module.c code was introduced in
      commit 6494a93d55fa"
    
    Anatol supplied a patch specific for module.c that worked around the
    problem by simply not using kset_find_obj() at all, but rather than make
    a local band-aid, this just fixes kset_find_obj() to be thread-safe
    using the proper model of refusing to get a new reference if the
    refcount has already dropped to zero.
    
    See examples of this proper refcount handling not only in the kref
    documentation, but in various other equivalent uses of this pattern by
    grepping for atomic_inc_not_zero().
    
    [ Side note: the module race does indicate that module loading and
      unloading is not properly serialized wrt sysfs information using the
      module mutex.  That may require further thought, but this is the
      correct fix at the kobject layer regardless. ]
    
    Reported-analyzed-and-tested-by: Anatol Pomozov <anatol.pomozov@gmail.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/kobject.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)
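Added example, not kernel code and not from either commit: a userland model of the rule both the kref_get_unless_zero commit and the kset_find_obj fix above rely on, "never take a reference on an object whose count has already reached zero". The struct, the two-entry lookup table and the function names are this example's own; the refcount is a C11 atomic standing in for struct kref.

```c
/* Added example (not kernel code, not from the commits above): a userland model
 * of the kref_get_unless_zero() rule "never take a reference on an object whose
 * count has already reached zero". The lookup table, struct obj and function
 * names are this example's own; the refcount is a C11 atomic. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct obj {
    atomic_int refcount;   /* 0 means "last put happened, destruction in progress" */
    int id;
};

/* The unconditional get that kset_find_obj() used to perform: a 0 becomes 1
 * and the caller gets a pointer to an object whose destructor is running. */
static bool get_unconditional(struct obj *o)
{
    atomic_fetch_add(&o->refcount, 1);
    return true;
}

/* kref_get_unless_zero() / atomic_inc_not_zero() equivalent: a CAS loop that
 * only increments a non-zero count. Returns false if the object is dying. */
static bool get_unless_zero(struct obj *o)
{
    int old = atomic_load(&o->refcount);
    while (old != 0) {
        /* on failure the CAS reloads 'old' and we retry with the new value */
        if (atomic_compare_exchange_weak(&o->refcount, &old, old + 1))
            return true;
    }
    return false;
}

/* kset_find_obj()-style lookup: scan the table (lock omitted), take a
 * reference on the match with the supplied getter, return it or NULL. */
static struct obj *lookup(struct obj **table, size_t n, int id,
                          bool (*get)(struct obj *))
{
    for (size_t i = 0; i < n; i++)
        if (table[i]->id == id)
            return get(table[i]) ? table[i] : NULL;
    return NULL;
}

/* The interleaving from the kobject commit: thread B has dropped the last
 * reference (count 0) but has not yet taken the lock to unlink the object,
 * so thread A still finds it in the table. Returns 1 if the lookup handed
 * out a reference to the dying object, 0 if it refused. */
static int lookup_finds_dying_object(bool (*get)(struct obj *))
{
    struct obj dying = { .refcount = 0, .id = 7 };   /* last put already done */
    struct obj live  = { .refcount = 1, .id = 8 };
    struct obj *table[] = { &dying, &live };

    return lookup(table, 2, 7, get) != NULL;
}

/* Control: a live object must still be found, and its count bumped to 2. */
static int refcount_after_live_lookup(bool (*get)(struct obj *))
{
    struct obj live = { .refcount = 1, .id = 8 };
    struct obj *table[] = { &live };

    if (lookup(table, 1, 8, get) != &live)
        return -1;
    return atomic_load(&live.refcount);
}

int main(void)
{
    printf("unconditional get returns dying object: %d\n",
           lookup_finds_dying_object(get_unconditional));   /* 1: use-after-free */
    printf("get_unless_zero returns dying object:   %d\n",
           lookup_finds_dying_object(get_unless_zero));     /* 0: lookup fails safely */
    printf("live object refcount after lookup:      %d\n",
           refcount_after_live_lookup(get_unless_zero));    /* 2 */
    return 0;
}
```

The point of the CAS loop is that the decision "is the count still non-zero?" and the increment happen as one atomic step; a separate load followed by an increment would leave the same window the kobject commit describes.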

commit b6491bfc44289a525a87f1ec7523f618f40a9e76
Author: Suleiman Souhlal <suleiman@google.com>
Date:   Sat Apr 13 16:03:06 2013 -0700

    Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1
    
    vfs: Revert spurious fix to spinning prevention in prune_icache_sb
    
    Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb").
    
    This commit doesn't look right: since we are looking at the tail of the
    list (sb->s_inode_lru.prev) if we want to skip an inode, we should put
    it back at the head of the list instead of the tail, otherwise we will
    keep spinning on it.
    
    Discovered when investigating why prune_icache_sb came top in perf
    reports of a swapping load.
    
    Signed-off-by: Suleiman Souhlal <suleiman@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org # v3.2+
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 92c34d083eb1173fccf1fdbabbfe124e1ee16708
Merge: 2c7f5fd 1b30816
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:21:50 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1b3081653b80d0562ac563f890064fa6d60dbd8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Apr 12 19:20:33 2013 -0400

    Update to pax-linux-3.2.43-test103.patch:
    - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld
    - fixed the structleak plugin to compile for gcc 4.5-4.6 as well

 arch/x86/xen/enlighten.c      |    6 +++---
 tools/gcc/structleak_plugin.c |    5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

commit 2c7f5fdcbd2788b193bf780f2cb4d12bc75a3534
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Tue Mar 12 18:27:41 2013 -0700

    Upstream commit: fa7614dd
    
    fs: Readd the fs module aliases.
    
    I had assumed that the only use of module aliases for filesystems
    prior to "fs: Limit sys_mount to only request filesystem modules."
    was in request_module.  It turns out I was wrong.  At least mkinitcpio
    in Arch linux uses these aliases.
    
    So readd the pre-existing aliases, to keep from breaking userspace.
    
    Userspace eventually will have to follow and use the same aliases the
    kernel does.  So at some point we may be delete these aliases without
    problems.  However that day is not today.
    
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    
    Conflicts:
    
    	fs/nfs/super.c

 fs/ext4/super.c          |    2 ++
 fs/freevxfs/vxfs_super.c |    1 +
 fs/isofs/inode.c         |    1 +
 fs/nfs/super.c           |    1 +
 fs/sysv/super.c          |    1 +
 net/sunrpc/rpc_pipe.c    |    1 +
 6 files changed, 7 insertions(+), 0 deletions(-)

commit e1ec1a6caeaffa29b412703642757ba3d6224bb5
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Mon Mar 11 07:05:42 2013 -0700

    Upstream commit: 3e64fe5
    
    fs: Limit sys_mount to only request filesystem modules. (Part 3)
    
    Somehow I failed to add the MODULE_ALIAS_FS for cifs, hostfs, hpfs,
    squashfs, and udf despite what I thought were my careful checks :(
    
    Add them now.
    
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 fs/cifs/cifsfs.c        |    1 +
 fs/hostfs/hostfs_kern.c |    1 +
 fs/hpfs/super.c         |    1 +
 fs/squashfs/super.c     |    1 +
 fs/udf/super.c          |    1 +
 5 files changed, 5 insertions(+), 0 deletions(-)

commit de01bedefe0f655a15289b9e2b6c19b9b81286b1
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Mar 7 01:08:55 2013 -0800

    Upstream commit: 9141770
    
    fs: Limit sys_mount to only request filesystem modules (Part 2).
    
    Add missing MODULE_ALIAS_FS("ocfs2") how did I miss that?
    Remove unnecessary MODULE_ALIAS_FS("devpts") devpts can not be modular.
    
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 fs/devpts/inode.c |    1 -
 fs/ocfs2/super.c  |    1 +
 2 files changed, 1 insertions(+), 1 deletions(-)

commit c1a56ee0c7821a507acb263b8fc52b75b8784abd
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Sat Mar 2 19:39:14 2013 -0800

    Upstream commit: 7f78e03
    (Not needed due to MODHARDEN, but doesn't hurt the !MODHARDEN case)
    
    fs: Limit sys_mount to only request filesystem modules.
    
    Modify the request_module to prefix the file system type with "fs-"
    and add aliases to all of the filesystems that can be built as modules
    to match.
    
    A common practice is to build all of the kernel code and leave code
    that is not commonly needed as modules, with the result that many
    users are exposed to any bug anywhere in the kernel.
    
    Looking for filesystems with a fs- prefix limits the pool of possible
    modules that can be loaded by mount to just filesystems trivially
    making things safer with no real cost.
    
    Using aliases means user space can control the policy of which
    filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
    with blacklist and alias directives.  Allowing simple, safe,
    well understood work-arounds to known problematic software.
    
    This also addresses a rare but unfortunate problem where the filesystem
    name is not the same as its module name and module auto-loading
    would not work.  While writing this patch I saw a handful of such
    cases.  The most significant being autofs that lives in the module
    autofs4.
    
    This is relevant to user namespaces because we can reach the request
    module in get_fs_type() without having any special permissions, and
    people get uncomfortable when a user specified string (in this case
    the filesystem type) goes all of the way to request_module.
    
    After having looked at this issue I don't think there is any
    particular reason to perform any filtering or permission checks beyond
    making it clear in the module request that we want a filesystem
    module.  The common pattern in the kernel is to call request_module()
    without regards to the users permissions.  In general all a filesystem
    module does once loaded is call register_filesystem() and go to sleep.
    Which means there is not much attack surface exposed by loading a
    filesystem module unless the filesystem is mounted.  In a user
    namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
    which most filesystems do not set today.
    
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Reported-by: Kees Cook <keescook@google.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    
    Conflicts:
    
    	drivers/firmware/efivars.c
    	drivers/staging/ccg/f_fs.c
    	fs/f2fs/super.c
    	fs/filesystems.c
    	fs/gfs2/ops_fstype.c
    	fs/nfs/super.c
    	fs/qnx6/inode.c

 arch/ia64/kernel/perfmon.c                |    1 +
 arch/powerpc/platforms/cell/spufs/inode.c |    1 +
 arch/s390/hypfs/inode.c                   |    1 +
 drivers/infiniband/hw/ipath/ipath_fs.c    |    1 +
 drivers/infiniband/hw/qib/qib_fs.c        |    1 +
 drivers/misc/ibmasm/ibmasmfs.c            |    1 +
 drivers/mtd/mtdchar.c                     |    1 +
 drivers/oprofile/oprofilefs.c             |    1 +
 drivers/usb/gadget/f_fs.c                 |    1 +
 drivers/usb/gadget/inode.c                |    1 +
 drivers/xen/xenfs/super.c                 |    1 +
 fs/9p/vfs_super.c                         |    1 +
 fs/adfs/super.c                           |    1 +
 fs/affs/super.c                           |    1 +
 fs/afs/super.c                            |    1 +
 fs/autofs4/init.c                         |    1 +
 fs/befs/linuxvfs.c                        |    1 +
 fs/bfs/inode.c                            |    1 +
 fs/binfmt_misc.c                          |    1 +
 fs/btrfs/super.c                          |    1 +
 fs/ceph/super.c                           |    1 +
 fs/coda/inode.c                           |    1 +
 fs/configfs/mount.c                       |    1 +
 fs/cramfs/inode.c                         |    1 +
 fs/debugfs/inode.c                        |    1 +
 fs/devpts/inode.c                         |    1 +
 fs/ecryptfs/main.c                        |    1 +
 fs/efs/super.c                            |    1 +
 fs/exofs/super.c                          |    1 +
 fs/ext2/super.c                           |    1 +
 fs/ext3/super.c                           |    1 +
 fs/ext4/super.c                           |    5 +++--
 fs/fat/namei_msdos.c                      |    1 +
 fs/fat/namei_vfat.c                       |    1 +
 fs/filesystems.c                          |    4 ++--
 fs/freevxfs/vxfs_super.c                  |    2 +-
 fs/fuse/control.c                         |    1 +
 fs/fuse/inode.c                           |    2 ++
 fs/gfs2/ops_fstype.c                      |    4 +++-
 fs/hfs/super.c                            |    1 +
 fs/hfsplus/super.c                        |    1 +
 fs/hppfs/hppfs.c                          |    1 +
 fs/hugetlbfs/inode.c                      |    1 +
 fs/isofs/inode.c                          |    3 +--
 fs/jffs2/super.c                          |    1 +
 fs/jfs/super.c                            |    1 +
 fs/logfs/super.c                          |    1 +
 fs/minix/inode.c                          |    1 +
 fs/ncpfs/inode.c                          |    1 +
 fs/nfs/super.c                            |    4 ++--
 fs/nfsd/nfsctl.c                          |    1 +
 fs/nilfs2/super.c                         |    1 +
 fs/ntfs/super.c                           |    1 +
 fs/ocfs2/dlmfs/dlmfs.c                    |    1 +
 fs/omfs/inode.c                           |    1 +
 fs/openpromfs/inode.c                     |    1 +
 fs/qnx4/inode.c                           |    1 +
 fs/reiserfs/super.c                       |    1 +
 fs/romfs/super.c                          |    1 +
 fs/sysv/super.c                           |    3 ++-
 fs/ubifs/super.c                          |    1 +
 fs/ufs/super.c                            |    1 +
 fs/xfs/xfs_super.c                        |    1 +
 include/linux/fs.h                        |    2 ++
 net/sunrpc/rpc_pipe.c                     |    4 +---
 65 files changed, 74 insertions(+), 14 deletions(-)
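Added example, not code from the commit above and not the kernel's own: a userland model of what the "fs-" prefix does to a mount(2) type string on its way to request_module(). The module table is constructed for the example, resolve() stands in for modprobe matching a request against module names and their internal aliases, and the truncation at the first '.' reproduces the subtype handling in get_fs_type() (which predates the commit). All names are this example's own.

```c
/* Added example, not code from the commit above: a userland model of what the
 * "fs-" prefix does to a mount(2) type string on its way to request_module().
 * The module table is constructed for the example; resolve() stands in for
 * modprobe matching a request against module names and their internal aliases. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

struct module {
    const char *name;      /* what modprobe loads */
    const char *fs_alias;  /* its MODULE_ALIAS_FS() string after the change, or NULL */
};

static const struct module modules[] = {
    { "ext4",    "fs-ext4"   },
    { "autofs4", "fs-autofs" },   /* the autofs/autofs4 mismatch the commit mentions */
    { "fuse",    "fs-fuse"   },
    { "snd-pcm", NULL        },   /* not a filesystem; should never load via mount */
};

/* modprobe stand-in: a request matches a module by name or by alias. A bare
 * type string never equals an "fs-" alias, so the same table serves both the
 * before and after cases. */
static const char *resolve(const char *request)
{
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++) {
        if (strcmp(request, modules[i].name) == 0)
            return modules[i].name;
        if (modules[i].fs_alias && strcmp(request, modules[i].fs_alias) == 0)
            return modules[i].name;
    }
    return NULL;
}

/* get_fs_type() only uses the part of the type before the first '.', so a
 * subtype such as "fuse.sshfs" requests the "fuse" module. */
static size_t fstype_len(const char *fstype)
{
    const char *dot = strchr(fstype, '.');
    return dot ? (size_t)(dot - fstype) : strlen(fstype);
}

/* Before the change: request_module("%.*s", len, name), so any module name a
 * user can spell is a candidate for loading. */
static const char *request_before(const char *fstype)
{
    char req[64];
    size_t len = fstype_len(fstype);
    if (len >= sizeof req)
        return NULL;
    snprintf(req, sizeof req, "%.*s", (int)len, fstype);
    return resolve(req);
}

/* After the change: request_module("fs-%.*s", len, name); only modules that
 * declared a filesystem alias can match. */
static const char *request_after(const char *fstype)
{
    char req[64];
    size_t len = fstype_len(fstype);
    if (len + 3 >= sizeof req)
        return NULL;
    snprintf(req, sizeof req, "fs-%.*s", (int)len, fstype);
    return resolve(req);
}

int main(void)
{
    const char *types[] = { "ext4", "fuse.sshfs", "autofs", "snd-pcm" };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        const char *b = request_before(types[i]), *a = request_after(types[i]);
        printf("mount -t %-10s before: %-8s after: %s\n", types[i],
               b ? b : "(none)", a ? a : "(none)");
    }
    return 0;
}
```

Two rows carry the commit's argument: "snd-pcm" loads before the change and nothing loads after it, and "autofs" loads nothing before the change but resolves to autofs4 through its new alias afterwards.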

commit 8e627953f34cc19d7256ecb0374db2eede4d1322
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 11 20:46:20 2013 -0400

    Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot"
    Will be fixed with the next PaX patch
    
    This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7.

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 91962806fe3f514525e4e202efb80405d2b9d37a
Author: Namhyung Kim <namhyung.kim@lge.com>
Date:   Mon Apr 1 21:46:23 2013 +0900

    Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1
    
    tracing: Fix double free when function profile init failed
    
    On the failure path, stat->start and stat->pages will refer to the same page.
    So it'll attempt to free the same page again and get kernel panic.
    
    Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org
    
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Namhyung Kim <namhyung.kim@lge.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Namhyung Kim <namhyung@kernel.org>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ftrace.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit c236ac47c432fad0db9ecb6ecafd04b08c06251e
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Tue Apr 9 14:16:04 2013 +0800

    Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc
    
    can: gw: use kmem_cache_free() instead of kfree()
    
    Memory allocated by kmem_cache_alloc() should be freed using
    kmem_cache_free(), not kfree().
    
    Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

 net/can/gw.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 6fdd44d115f9c6888d0dd467c534c200c143e3eb
Merge: 382ecea 599997c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 20:29:34 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	drivers/net/ethernet/broadcom/tg3.c

commit 599997cbbf8ec576f1ad62b2778827d55ddbc20b
Merge: 5dab237 93dfb87
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 20:28:44 2013 -0400

    Update to pax-linux-3.2.43-test102.patch:
    - forward port to 3.2.43
    - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411)
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	security/keys/keyctl.c

commit 382ecea042ea79fd3fa332bd0779db629eb0efab
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date:   Fri Apr 5 14:13:21 2013 -0400

    Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7
    
    SUNRPC: Fix a potential memory leak in rpc_new_client
    
    If the call to rpciod_up() fails, we currently leak a reference to the
    struct rpc_xprt.
    As part of the fix, we also remove the redundant check for xprt!=NULL.
    This is already taken care of by the callers.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

 net/sunrpc/clnt.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit d0d863b56668a493ac19a760310a2d4deb61365d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:16:05 2013 -0400

    From https://lkml.org/lkml/2013/4/8/469:
    [PATCH] rtnetlink: call nlmsg_parse() with correct header length

 net/core/rtnetlink.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ef198eb8dac9f1d95677fc4f010a3c8abdc12738
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 19:03:45 2013 -0400

    Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1

 arch/ia64/kernel/palinfo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6a986136288577b9e3902d8cc639692e3386edbf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 10 18:48:45 2013 -0400

    Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7eed843ed74774c28c16a0bc2fdb22eba6d7656a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:30:45 2013 -0400

    some undefined behavior fixups

 grsecurity/gracl.c      |    4 ++--
 grsecurity/gracl_ip.c   |   10 +++++-----
 grsecurity/gracl_segv.c |    4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

commit 8c27a1f4bb64d955244986e67a638174aff04f5b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:28:54 2013 -0400

    don't whine about denied ipv6 when it's not enabled

 grsecurity/gracl_ip.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 1d07aafca54b96e1b2ae95d4c3d3e4b45717a3c6
Merge: 37fca32 5dab237
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:20:20 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 5dab2378fd342ff8660aa55ed9a833b0ea98bff9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 9 17:19:35 2013 -0400

    Update to pax-linux-3.2.42-test102.patch:
    - new size overflow plugin from Emese to work around a gcc optimization
      resulting in an intentional overflow, reported by Carlos Carvalho
      (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409)

 tools/gcc/size_overflow_plugin.c |   68 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 66 insertions(+), 2 deletions(-)

commit 37fca32e3fda5f755fa583d2c6e60856fa0f88e8
Merge: 8d5c7f0 356f77d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:31:20 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/sparc/kernel/us3_cpufreq.c
    	fs/proc/base.c

commit 356f77d7ff0e77de3427b9c2d937f5aaa83b7337
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 8 21:20:54 2013 -0400

    Update to pax-linux-3.2.42-test101.patch:
    - fixed some attribute leakage into userland headers, patch by Mathias Krause
    - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger
    - fixed ia64/ppc/sparc compilation by spender
    - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for bugreport)

 arch/ia64/include/asm/uaccess.h          |    2 -
 arch/powerpc/include/asm/uaccess.h       |    2 -
 arch/powerpc/platforms/cell/spufs/file.c |    4 +-
 arch/sparc/include/asm/uaccess.h         |    7 ---
 arch/sparc/kernel/prom_common.c          |    2 +-
 arch/sparc/kernel/us3_cpufreq.c          |   69 ++++++++---------------------
 fs/proc/base.c                           |    4 +-
 fs/sysfs/bin.c                           |    6 +-
 include/linux/mm.h                       |   16 +++---
 mm/memory.c                              |   24 +++++-----
 mm/nommu.c                               |   10 ++--
 scripts/headers_install.pl               |    1 +
 tools/gcc/structleak_plugin.c            |   15 +++---
 13 files changed, 61 insertions(+), 101 deletions(-)

commit 8d5c7f020311362114d3277387ce048b70f9375a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 7 12:00:50 2013 -0400

    fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7546fbf0ac395d1887cef119f9e7e62075bda9d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:22:24 2013 -0400

    fix typo

 arch/sparc/kernel/us3_cpufreq.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

commit f202ef5319d8fa6378f8c4a88d3b8c44bfdba1f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 13:16:13 2013 -0400

    properly fix cpufreq_driver for ultrasparc III with constification

 arch/sparc/kernel/us3_cpufreq.c |   35 +++++++++++++++++------------------
 1 files changed, 17 insertions(+), 18 deletions(-)

commit aa996193316fb0982ddaeee6a1075ed0ea9aec6f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:58:48 2013 -0400

    mark prom_sparc_ops __initconst

 arch/sparc/kernel/prom_common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 65426c8d526fc5defac58420208cc1e5971cd173
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 6 12:53:16 2013 -0400

    fix ia64/powerpc/sparc compilation

 arch/ia64/include/asm/uaccess.h    |    2 --
 arch/powerpc/include/asm/uaccess.h |    2 --
 arch/sparc/include/asm/uaccess.h   |    7 -------
 3 files changed, 0 insertions(+), 11 deletions(-)

commit 3d91c631538e8555f4a0635ce700f97948502c3e
Author: Gao feng <gaofeng@cn.fujitsu.com>
Date:   Thu Mar 21 19:48:41 2013 +0000

    Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe
    
    netfilter: reset nf_trace in nf_reset
    
    We forgot to clear the nf_trace of sk_buff in nf_reset,
    When we use veth device, this nf_trace information will
    be leaked from one net namespace to another net namespace.
    
    Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/linux/skbuff.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit fa6be64c855d765934f77fb718ca53ad48f85763
Author: Veaceslav Falico <vfalico@redhat.com>
Date:   Wed Apr 3 05:46:33 2013 +0000

    Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d
    
    bonding: remove sysfs before removing devices
    
    We have a race condition if we try to rmmod bonding and simultaneously add
    a bond master through sysfs. In bonding_exit() we first remove the devices
    (through rtnl_link_unregister() ) and only after that we remove the sysfs.
    If we manage to add a device through sysfs after the devices were
    removed - we'll end up with that device/sysfs structure and with the module
    unloaded.
    
    Fix this by first removing the sysfs and only after that calling
    rtnl_link_unregister().
    
    Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/bonding/bond_main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fc39b6e20764dadc51e037953604c55e4e79221c
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:13:35 2013 +0000

    Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1
    
    Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL"
    
    This reverts commit 14134f6584212d585b310ce95428014b653dfaf6.
    
    The problem that the above patch was meant to address is that af_unix
    messages are not being coalesced because we are sending unnecessary
    credentials.  Not sending credentials in maybe_add_creds totally
    breaks unconnected unix domain sockets that wish to send credentials
    to other sockets.
    
    In practice this breaks some versions of udev because they receive a
    message and the sending uid is bogus so they drop the message.
    
    Reported-by: Sven Joachim <svenjoac@gmx.de>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 7a5df42472eb5c890fdedec7e908d900056f5e07
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 3 16:14:47 2013 +0000

    Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2
    
    af_unix: If we don't care about credentials coalesce all messages
    
    It was reported that the following LSB test case failed
    https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we
    were not coalescing unix stream messages when the application was
    expecting us to.
    
    The problem was that the first send was before the socket was accepted
    and thus sock->sk_socket was NULL in maybe_add_creds, and the second
    send after the socket was accepted had a non-NULL value for sk->socket
    and thus we could tell the credentials were not needed so we did not
    bother.
    
    The unnecessary credentials on the first message cause
    unix_stream_recvmsg to start verifying that all messages had the same
    credentials before coalescing and then the coalescing failed because
    the second message had no credentials.
    
    Ignoring credentials when we don't care in unix_stream_recvmsg fixes a
    long standing pessimization which would fail to coalesce messages when
    reading from a unix stream socket if the senders were different even if
    we did not care about their credentials.
    
    I have tested this and verified that in the LSB test case mentioned
    above the messages do coalesce now, while they were failing to
    coalesce without this change.
    
    Reported-by: Karel Srot <ksrot@redhat.com>
    Reported-by: Ding Tianhong <dingtianhong@huawei.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6b3784b0882efc88d2c1288172b0f7026520a207
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Mar 20 21:31:42 2013 +0000

    Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e
    
    lantiq_etop: use free_netdev(netdev) instead of kfree()
    
    Freeing netdev without free_netdev() leads to net, tx leaks.
    And it may lead to dereferencing a freed pointer.
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/lantiq_etop.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit da949a89aafce8033dfaf7426d3bf8c7086d82e9
Author: Paul Moore <pmoore@redhat.com>
Date:   Mon Mar 25 03:18:33 2013 +0000

    Upstream commit: ded34e0fe8fe8c2d595bfa30626654e4b87621e0
    
    unix: fix a race condition in unix_release()
    
    As reported by Jan, and others over the past few years, there is a
    race condition caused by unix_release setting the sock->sk pointer
    to NULL before properly marking the socket as dead/orphaned.  This
    can cause a problem with the LSM hook security_unix_may_send() if
    there is another socket attempting to write to this partially
    released socket in between when sock->sk is set to NULL and it is
    marked as dead/orphaned.  This patch fixes this by only setting
    sock->sk to NULL after the socket has been marked as dead; I also
    take the opportunity to make unix_release_sock() a void function
    as it only ever returned 0/success.
    
    Dave, I think this one should go on the -stable pile.
    
    Special thanks to Jan for coming up with a reproducer for this
    problem.
    
    Reported-by: Jan Stancek <jan.stancek@gmail.com>
    Signed-off-by: Paul Moore <pmoore@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

commit 93cd5f6a0d0b0804b743ca39b1a2bc467c6dbec5
Author: dingtianhong <dingtianhong@huawei.com>
Date:   Mon Mar 25 17:02:04 2013 +0000

    Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6
    
    af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
    
    SCM_CREDENTIALS should apply to write() syscalls only if either the source or destination
    socket asserted SOCK_PASSCRED. The original implementation in maybe_add_creds is wrong,
    and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).
    
    Originally-authored-by: Karel Srot <ksrot@redhat.com>
    Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/unix/af_unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ae76e7e59f8e4fbb589a56922d3e253dde5d92e8
Author: Josef Bacik <jbacik@fusionio.com>
Date:   Fri Mar 29 08:09:34 2013 -0600

    Upstream commit: d8fe29e9dea8d7d61fd140d8779326856478fc62
    
    Btrfs: don't drop path when printing out tree errors in scrub
    
    A user reported a panic where we were panicking somewhere in
    tree_backref_for_extent from scrub_print_warning.  He only captured the trace
    but looking at scrub_print_warning we drop the path right before we mess with
    the extent buffer to print out a bunch of stuff, which isn't right.  So fix this
    by dropping the path after we use the eb if we need to.  Thanks,
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Josef Bacik <jbacik@fusionio.com>
    Signed-off-by: Chris Mason <chris.mason@fusionio.com>

 fs/btrfs/scrub.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 286d305aa7cedb85d0f203fbed2239453c1d0b8a
Author: Jan Kara <jack@suse.cz>
Date:   Fri Mar 29 15:39:16 2013 +0100

    Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6
    
    reiserfs: Fix warning and inode leak when deleting inode with xattrs
    
    After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
    started failing to delete xattrs from inode. This was due to a buggy
    test for '.' and '..' in fill_with_dentries() which resulted in passing
    '.' and '..' entries to lookup_one_len() in some cases. That returned
    error and so we failed to iterate over all xattrs of an inode.
    
    Fix the test in fill_with_dentries() along the lines of the one in
    lookup_one_len().
    
    Reported-by: Pawel Zawora <pzawora@gmail.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/reiserfs/xattr.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 0b8487a7c1cbf9dcdab5e4d5e2817226bd28f5f2
Author: Jan Stancek <jstancek@redhat.com>
Date:   Thu Apr 4 11:35:10 2013 -0700

    Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c
    
    mm: prevent mmap_cache race in find_vma()
    
    find_vma() can be called by multiple threads with read lock
    held on mm->mmap_sem and any of them can update mm->mmap_cache.
    Prevent compiler from re-fetching mm->mmap_cache, because other
    readers could update it in the meantime:
    
                   thread 1                             thread 2
                                            |
      find_vma()                            |  find_vma()
        struct vm_area_struct *vma = NULL;  |
        vma = mm->mmap_cache;               |
        if (!(vma && vma->vm_end > addr     |
            && vma->vm_start <= addr)) {    |
                                            |    mm->mmap_cache = vma;
        return vma;                         |
         ^^ compiler may optimize this      |
            local variable out and re-read  |
            mm->mmap_cache                  |
    
    This issue can be reproduced with gcc-4.8.0-1 on s390x by running
    mallocstress testcase from LTP, which triggers:
    
      kernel BUG at mm/rmap.c:1088!
        Call Trace:
         ([<000003d100c57000>] 0x3d100c57000)
          [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
          [<000000000023baae>] handle_pte_fault+0x41a/0xac8
          [<000000000023d832>] handle_mm_fault+0x17a/0x268
          [<000000000060507a>] do_protection_exception+0x1e2/0x394
          [<0000000000603a04>] pgm_check_handler+0x138/0x13c
          [<000003fffcf1f07a>] 0x3fffcf1f07a
        Last Breaking-Event-Address:
          [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168
    
    Thanks to Jakub Jelinek for his insight on gcc and helping to
    track this down.
    
    Signed-off-by: Jan Stancek <jstancek@redhat.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	mm/mmap.c

 mm/mmap.c  |    2 +-
 mm/nommu.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
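
Added example, not kernel code: a userspace model of the find_vma() mmap_cache hazard the commit above fixes. The only part taken from the fix is the ACCESS_ONCE() on the single load of mm->mmap_cache; the linear list (the kernel walks an rb-tree), the sample mappings and the helper names are invented for illustration. The race itself cannot be reproduced deterministically from userspace; what the block shows is the single-load discipline and the find_vma() return contract the cache check relies on.

```c
/* Added example, not kernel code: a userspace model of the find_vma()
 * mmap_cache hazard fixed by the commit above. The fix is the ACCESS_ONCE()
 * on the one load of mm->mmap_cache; everything else here (a linear list
 * instead of the kernel's rb-tree, the sample mappings) is invented. */
#include <stddef.h>

/* Same shape as the 3.2 kernel's <linux/compiler.h> macro: the volatile
 * access forces exactly one load, so the compiler cannot drop the local
 * and re-read mm->mmap_cache after the validity test has already passed. */
#define ACCESS_ONCE(x) (*(volatile __typeof__(x) *)&(x))

struct vm_area_struct {
	unsigned long vm_start;
	unsigned long vm_end;            /* exclusive */
	struct vm_area_struct *vm_next;  /* list sorted by vm_start */
};

struct mm_struct {
	struct vm_area_struct *mmap;        /* first mapping */
	struct vm_area_struct *mmap_cache;  /* last hit; updated by any reader */
};

/* Fixed find_vma(): load mmap_cache once, then validate and return only
 * that local copy. With a plain `vma = mm->mmap_cache;` the compiler may
 * reload the field for the return value and hand back a vma another reader
 * stored in the meantime, one that was never checked against addr.
 * Like the kernel's, this returns the first vma with vm_end > addr, which
 * may lie entirely above addr, or NULL when there is none. */
struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
{
	struct vm_area_struct *vma;

	vma = ACCESS_ONCE(mm->mmap_cache);
	if (!(vma && vma->vm_end > addr && vma->vm_start <= addr)) {
		for (vma = mm->mmap; vma; vma = vma->vm_next)
			if (vma->vm_end > addr)
				break;
		if (vma)
			mm->mmap_cache = vma;
	}
	return vma;
}

/* Constructed sample address space: three mappings with gaps between them. */
static struct vm_area_struct vmas[3] = {
	{ 0x1000, 0x2000, &vmas[1] },
	{ 0x3000, 0x4000, &vmas[2] },
	{ 0x5000, 0x6000, NULL },
};
static struct mm_struct example_mm = { &vmas[0], NULL };

/* vm_start of the vma find_vma() selects for addr, or 0 when there is none. */
unsigned long example_lookup(unsigned long addr)
{
	struct vm_area_struct *vma = find_vma(&example_mm, addr);

	return vma ? vma->vm_start : 0;
}

/* 1 if mmap_cache now points at the mapping that contains addr, else 0. */
int example_cache_covers(unsigned long addr)
{
	struct vm_area_struct *c = example_mm.mmap_cache;

	return c && c->vm_start <= addr && addr < c->vm_end;
}
```

A lookup into a gap (for instance 0x2500) returns the next mapping above it and caches that mapping, which is why the cache test in find_vma() has to check both ends of the range before trusting it; a lookup above the last mapping returns NULL and leaves the cache alone.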

commit c5bc94bf305480ce97b24a43526e0557995902b9
Merge: 1394e00 0901c74
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:08:05 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 0901c7450d23a25abc48fb228d6dfbbb2f62dbab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 3 22:07:33 2013 -0400

    Update to pax-linux-3.2.42-test100.patch:
    - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391)
    - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394)
    - fixed arm compilation (http://forums.grsecurity.net/viewtopic.php?f=3&t=3395)

 arch/arm/mm/fault.c                   |   27 +++++++++++++++++++++++++++
 drivers/media/video/cx88/cx88-video.c |    6 +++---
 include/net/net_namespace.h           |    4 ++++
 3 files changed, 34 insertions(+), 3 deletions(-)

commit 1394e00fc64734987bbc62960b4f7823cffa13af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 19:50:32 2013 -0400

    fix compilation as reported on forums for gcc versions lacking plugin
    support

 include/net/net_namespace.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 4af9aacb49432a1a7451c9907ccfb21d6c56fe07
Merge: a92e4b1 aa5bf79
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:44:58 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit aa5bf792226a1c147b2a2a29d793cea72bc5a48d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:44:24 2013 -0400

    Update to pax-linux-3.2.42-test99.patch:
    - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table

 arch/x86/include/asm/uaccess_64.h |    6 +-
 include/linux/crash_dump.h        |    2 +-
 include/linux/kvm_host.h          |   14 +++---
 include/linux/moduleloader.h      |    4 +-
 include/linux/oprofile.h          |    2 +-
 include/linux/slab.h              |    4 +-
 include/linux/slab_def.h          |    1 -
 include/linux/slub_def.h          |    1 -
 include/linux/vmalloc.h           |   18 ++++----
 tools/gcc/size_overflow_hash.data |   78 ++++++++++++++++++++++---------------
 10 files changed, 71 insertions(+), 59 deletions(-)

commit a92e4b1ba8153d62b09df899b395ac96f5165537
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 2 17:35:06 2013 -0400

    remove duplicate compiler.h

 include/linux/sysrq.h |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 06aa205d77be1ba3218b623089a67092c7c3bf2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 19:53:50 2013 -0400

    fix intentional_overflow marking on sys_sendto

 include/linux/syscalls.h |    2 +-
 net/socket.c             |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 864a4bf49ef8af21d9646eb46fa259b0ea8edd2a
Merge: ffb25c6 fa39c2b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 18:53:18 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	net/ipv4/route.c

commit fa39c2bb733c65011a252e6343994005258f5264
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 18:52:37 2013 -0400

    Update to pax-linux-3.2.42-test98.patch:
    - fixed __net_initdata and CONSTIFY problems reported by spender

 drivers/net/loopback.c     |    2 +-
 fs/proc/proc_net.c         |    2 +-
 include/linux/netdevice.h  |    2 +-
 net/core/dev.c             |    6 +++---
 net/core/dev_addr_lists.c  |    2 +-
 net/core/sock.c            |    2 +-
 net/ipv4/af_inet.c         |    2 +-
 net/ipv4/devinet.c         |    2 +-
 net/ipv4/icmp.c            |    2 +-
 net/ipv4/proc.c            |    2 +-
 net/ipv4/raw.c             |    2 +-
 net/ipv4/route.c           |    6 +++---
 net/ipv4/sysctl_net_ipv4.c |    2 +-
 net/ipv4/tcp_ipv4.c        |    2 +-
 net/netlink/af_netlink.c   |    2 +-
 net/xfrm/xfrm_policy.c     |    2 +-
 16 files changed, 20 insertions(+), 20 deletions(-)

commit ffb25c6cd202919ea46af10acb85b069a5f1dd6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 18:46:16 2013 -0400

    fix size_overflow false positive

 kernel/futex_compat.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b9ccef107c6da2de4e75044984c57de041a91471
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 29 17:05:39 2013 -0400

    Another infoleak, up to 128 bytes on the stack in __sys_recvmsg: it
    takes a user-provided length, copies up to that amount into a sockaddr_storage
    struct on the stack, then takes an upper-bounded-only user-provided length
    and copies the sockaddr_storage struct back out to userland, complete with
    uninitialized data

 net/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ae3c6b6fbcebf9d29694580cd95bd9a9a710dad4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 23:15:12 2013 -0400

    fix pernet_operations markings

 net/ipv4/route.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f3639a30adc8548d8e8352c8ef9980f2eedace9e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 23:07:37 2013 -0400

    return a proper error, otherwise we could be accessing uninitialized data
    (previous define was a positive value)

 drivers/usb/storage/realtek_cr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ada97e7d2617a175f83edc12764cffbd2b45746b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:53:22 2013 -0400

    Enable structleak by default for the security auto-config

 security/Kconfig |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 884998737aec3b865a0fe79a98780bf0bf50a1cf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:36:07 2013 -0400

    make ip_rt_proc_ops initconst

 net/ipv4/route.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 70f5444e47818a5d702daca9afa2989b108fe1cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:23:03 2013 -0400

    Add constify config option

 Makefile           |    4 +---
 security/Kconfig   |   20 +++++++++++++++++++-
 tools/gcc/Makefile |    2 +-
 3 files changed, 21 insertions(+), 5 deletions(-)

commit ea74e8e15ed91aff8b005a5cc28611d38c6edeaa
Merge: f590e76 75e5da5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:15:16 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	drivers/gpu/drm/i915/i915_gem_execbuffer.c
    	fs/binfmt_elf.c
    	fs/proc/base.c
    	include/linux/mm.h
    	kernel/fork.c
    	mm/mmap.c
    	mm/page_alloc.c

commit 75e5da5d09ca25aec80454c33297b110e6dc53dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:08:32 2013 -0400

    Update to pax-linux-3.2.42-test97.patch:
    - fixed kprobes problem under KERNEXEC/i386, reported by Emese Revfy
    - fixed arm compilation problems reported by Michael Tremer
    - the constify plugin got smarter that enabled, with some additional patching,
      the elimination of about half the static function pointers on amd64/allmod
      (up from about 18%), depending on the kernel config it can be even more (70%)
    - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339)
    - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot
    - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268)
    - changed debian packager rules to include the compiler plugins, from Tyler Coumbes <coumbes@gmail.com>
    - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956)
    - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values
      and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913.
    - added a small sanity check to kfree (spender's idea)
    - fixed a size overflow false positive (well, not really, it's bad zlib code) reported by slashbeast on irc
    - fixed ptrace compat bug found by the size overflow plugin
    - fixed perf compilation reported by Michael Tremer
    - fixed USERCOPY reports triggered by SCTP, reported by Marc Schiffbauer (https://bugzilla.redhat.com/show_bug.cgi?id=919315#c11)
    - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722)
    - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland

 Documentation/dontdiff                     |    2 +
 Documentation/kernel-parameters.txt        |    5 +
 Makefile                                   |    5 +-
 arch/arm/include/asm/cache.h               |    2 +
 arch/arm/include/asm/pgalloc.h             |    1 +
 arch/ia64/kernel/perfmon.c                 |    1 -
 arch/x86/include/asm/compat.h              |    2 +-
 arch/x86/include/asm/desc.h                |    2 +-
 arch/x86/include/asm/div64.h               |    2 +-
 arch/x86/include/asm/i8259.h               |    2 +-
 arch/x86/include/asm/io.h                  |    8 +-
 arch/x86/include/asm/paravirt.h            |    2 +-
 arch/x86/include/asm/x86_init.h            |    2 +-
 arch/x86/kernel/acpi/boot.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c           |    2 +-
 arch/x86/kernel/apic/es7000_32.c           |    2 +-
 arch/x86/kernel/apic/io_apic.c             |   11 +-
 arch/x86/kernel/cpu/mcheck/mce.c           |    2 +-
 arch/x86/kernel/i8259.c                    |    6 +-
 arch/x86/kernel/io_delay.c                 |    2 +-
 arch/x86/kernel/kprobes.c                  |    4 +-
 arch/x86/kernel/nmi.c                      |    6 +-
 arch/x86/kernel/setup_percpu.c             |    2 +-
 arch/x86/kernel/sys_i386_32.c              |    5 +-
 arch/x86/mm/fault.c                        |    9 +-
 arch/x86/mm/ioremap.c                      |    3 +
 arch/x86/mm/numa.c                         |    2 +-
 arch/x86/mm/physaddr.c                     |    4 +-
 arch/x86/oprofile/nmi_int.c                |    8 +-
 arch/x86/oprofile/op_model_amd.c           |    8 +-
 arch/x86/oprofile/op_model_ppro.c          |    7 +-
 arch/x86/oprofile/op_x86_model.h           |    2 +-
 arch/x86/pci/irq.c                         |    8 +-
 drivers/acpi/apei/apei-internal.h          |    2 +-
 drivers/acpi/blacklist.c                   |    4 +-
 drivers/acpi/processor_idle.c              |    2 +-
 drivers/acpi/sysfs.c                       |    4 +-
 drivers/ata/libahci.c                      |    2 +-
 drivers/base/node.c                        |    2 +-
 drivers/base/syscore.c                     |    4 +-
 drivers/block/drbd/drbd_receiver.c         |    4 +-
 drivers/char/random.c                      |    2 +-
 drivers/cpufreq/acpi-cpufreq.c             |   18 +-
 drivers/cpufreq/cpufreq.c                  |    7 +-
 drivers/cpufreq/p4-clockmod.c              |   12 +-
 drivers/cpufreq/powernow-k8.c              |    7 +-
 drivers/cpufreq/speedstep-centrino.c       |    7 +-
 drivers/cpuidle/cpuidle.c                  |    2 +-
 drivers/cpuidle/governor.c                 |    4 +-
 drivers/cpuidle/sysfs.c                    |    2 +-
 drivers/edac/edac_pci_sysfs.c              |    2 +-
 drivers/firewire/core-device.c             |    2 +-
 drivers/firmware/dmi-id.c                  |    2 +-
 drivers/firmware/efivars.c                 |    4 +-
 drivers/firmware/google/memconsole.c       |    4 +-
 drivers/gpu/drm/drm_drv.c                  |    2 +-
 drivers/gpu/drm/drm_ioc32.c                |    9 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c |    2 +-
 drivers/gpu/drm/i915/i915_ioc32.c          |   11 +-
 drivers/gpu/drm/i915/intel_display.c       |    2 +-
 drivers/gpu/drm/mga/mga_ioc32.c            |   11 +-
 drivers/gpu/drm/nouveau/nouveau_drv.h      |    2 +-
 drivers/gpu/drm/nouveau/nouveau_ioc32.c    |    2 +-
 drivers/gpu/drm/r128/r128_ioc32.c          |   11 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c      |   11 +-
 drivers/gpu/drm/radeon/radeon_ring.c       |   14 +-
 drivers/gpu/drm/radeon/radeon_ttm.c        |   23 +-
 drivers/hwmon/acpi_power_meter.c           |    6 +-
 drivers/hwmon/applesmc.c                   |    2 +-
 drivers/hwmon/asus_atk0110.c               |   10 +-
 drivers/hwmon/ibmaem.c                     |    2 +-
 drivers/hwmon/pmbus/pmbus_core.c           |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c    |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c     |    2 +-
 drivers/input/mouse/psmouse.h              |    2 +-
 drivers/leds/leds-clevo-mail.c             |    2 +-
 drivers/leds/leds-ss4200.c                 |    2 +-
 drivers/lguest/page_tables.c               |    2 +-
 drivers/mfd/twl4030-irq.c                  |    9 +-
 drivers/mfd/twl6030-irq.c                  |   10 +-
 drivers/misc/c2port/core.c                 |    4 +-
 drivers/mtd/sm_ftl.c                       |    2 +-
 drivers/net/bonding/bond_main.c            |    2 +-
 drivers/net/macvlan.c                      |   16 +-
 drivers/net/wireless/at76c50x-usb.c        |    2 +-
 drivers/oprofile/oprofile_files.c          |    2 +-
 drivers/pci/hotplug/acpiphp_ibm.c          |    4 +-
 drivers/pci/hotplug/pci_hotplug_core.c     |    6 +-
 drivers/pci/hotplug/pciehp_core.c          |    2 +-
 drivers/pci/pci-sysfs.c                    |    6 +-
 drivers/pci/pci.h                          |    2 +-
 drivers/platform/x86/msi-laptop.c          |   14 +-
 drivers/power/power_supply.h               |    4 +-
 drivers/power/power_supply_core.c          |    7 +-
 drivers/power/power_supply_sysfs.c         |    6 +-
 drivers/rtc/rtc-cmos.c                     |    4 +-
 drivers/rtc/rtc-m48t59.c                   |    4 +-
 drivers/scsi/bfa/bfa.h                     |    2 +-
 drivers/staging/iio/industrialio-core.c    |    2 +-
 drivers/usb/core/message.c                 |    2 +-
 drivers/usb/gadget/file_storage.c          |   14 +-
 drivers/usb/storage/usb.h                  |    2 +-
 drivers/video/aty/atyfb_base.c             |    8 +-
 drivers/video/aty/mach64_cursor.c          |    5 +-
 drivers/video/backlight/kb3886_bl.c        |    2 +-
 drivers/video/fb_defio.c                   |    6 +-
 drivers/video/mb862xx/mb862xxfb_accel.c    |   16 +-
 drivers/video/nvidia/nvidia.c              |   27 +-
 drivers/video/s1d13xxxfb.c                 |    6 +-
 drivers/video/smscufx.c                    |    4 +-
 drivers/video/udlfb.c                      |    4 +-
 drivers/video/uvesafb.c                    |   14 +-
 drivers/video/vesafb.c                     |    7 +-
 fs/befs/endian.h                           |    4 +-
 fs/binfmt_elf.c                            |   17 +-
 fs/exec.c                                  |   10 +-
 fs/ext4/super.c                            |    2 +-
 fs/jfs/super.c                             |    4 +-
 fs/nfs/callback_xdr.c                      |    2 +-
 fs/nfsd/nfs4proc.c                         |    2 +-
 fs/nfsd/nfs4xdr.c                          |    6 +-
 fs/nls/nls_base.c                          |   18 +-
 fs/nls/nls_euc-jp.c                        |    6 +-
 fs/nls/nls_koi8-ru.c                       |    6 +-
 fs/proc/base.c                             |    2 +-
 fs/sysv/sysv.h                             |    2 +-
 fs/ubifs/io.c                              |    2 +-
 fs/ufs/swab.h                              |    4 +-
 include/drm/drmP.h                         |   12 +-
 include/linux/atmdev.h                     |    2 +-
 include/linux/binfmts.h                    |    2 +-
 include/linux/byteorder/little_endian.h    |    4 +-
 include/linux/compat.h                     |    4 +-
 include/linux/compiler.h                   |   41 +-
 include/linux/completion.h                 |    6 +-
 include/linux/configfs.h                   |    2 +-
 include/linux/cpufreq.h                    |    3 +-
 include/linux/cpuidle.h                    |    5 +-
 include/linux/cpumask.h                    |   12 +-
 include/linux/ctype.h                      |    2 +-
 include/linux/devfreq.h                    |    2 +-
 include/linux/device.h                     |    3 +-
 include/linux/err.h                        |    4 +-
 include/linux/fb.h                         |    2 +-
 include/linux/fscache.h                    |    2 +-
 include/linux/hwmon-sysfs.h                |    5 +-
 include/linux/irq.h                        |    2 +-
 include/linux/key-type.h                   |    2 +-
 include/linux/kobject.h                    |    1 +
 include/linux/kobject_ns.h                 |    2 +-
 include/linux/list.h                       |   14 +-
 include/linux/math64.h                     |    6 +-
 include/linux/mm.h                         |    6 +
 include/linux/mm_types.h                   |    2 +-
 include/linux/mod_devicetable.h            |    2 +-
 include/linux/module.h                     |    5 +-
 include/linux/net.h                        |    2 +-
 include/linux/netfilter.h                  |    2 +-
 include/linux/nls.h                        |    2 +-
 include/linux/pci_hotplug.h                |    3 +-
 include/linux/pnp.h                        |    2 +-
 include/linux/ppp-comp.h                   |    2 +-
 include/linux/proc_fs.h                    |    2 +-
 include/linux/rculist.h                    |   16 +
 include/linux/sched.h                      |    4 +-
 include/linux/sunrpc/clnt.h                |    2 +-
 include/linux/sunrpc/svc.h                 |    2 +-
 include/linux/sunrpc/svcauth.h             |    2 +-
 include/linux/swab.h                       |    6 +-
 include/linux/syscore_ops.h                |    2 +-
 include/linux/sysctl.h                     |    6 +-
 include/linux/sysdev.h                     |    2 +-
 include/linux/sysfs.h                      |   10 +-
 include/linux/sysrq.h                      |    1 +
 include/linux/unaligned/access_ok.h        |   12 +-
 include/linux/usb.h                        |    2 +-
 include/linux/xattr.h                      |    2 +-
 include/linux/zlib.h                       |    3 +-
 include/net/9p/transport.h                 |    2 +-
 include/net/bluetooth/l2cap.h              |    2 +-
 include/net/genetlink.h                    |    2 +-
 include/net/ip.h                           |    2 +-
 include/net/ip_vs.h                        |    4 +-
 include/net/llc_c_ac.h                     |    2 +-
 include/net/llc_c_ev.h                     |    4 +-
 include/net/llc_c_st.h                     |    2 +-
 include/net/llc_s_ac.h                     |    2 +-
 include/net/llc_s_st.h                     |    2 +-
 include/net/mac80211.h                     |    2 +-
 include/net/net_namespace.h                |    4 +-
 include/net/rtnetlink.h                    |    2 +-
 include/net/sctp/sm.h                      |    4 +-
 include/net/sctp/structs.h                 |    2 +-
 include/net/xfrm.h                         |    4 +-
 init/main.c                                |   12 +-
 ipc/ipc_sysctl.c                           |   10 +-
 ipc/mq_sysctl.c                            |    4 +-
 kernel/fork.c                              |    4 +-
 kernel/kmod.c                              |    2 +-
 kernel/ksysfs.c                            |    2 +-
 kernel/module.c                            |    4 +-
 kernel/ptrace.c                            |    2 +-
 kernel/sched.c                             |   49 +-
 kernel/sysctl.c                            |   11 +-
 kernel/time.c                              |    2 +-
 kernel/timer.c                             |    2 +-
 kernel/utsname_sysctl.c                    |    2 +-
 lib/Kconfig.debug                          |    6 +-
 lib/div64.c                                |    4 +-
 lib/kobject.c                              |    4 +-
 lib/list_debug.c                           |   53 +-
 mm/hugetlb.c                               |   16 +-
 mm/memory-failure.c                        |    2 +-
 mm/mmap.c                                  |   20 +-
 mm/mremap.c                                |    2 -
 mm/page-writeback.c                        |    2 +-
 mm/page_alloc.c                            |   27 +
 mm/slab.c                                  |    1 +
 mm/slob.c                                  |    1 +
 mm/slub.c                                  |    3 +-
 net/9p/mod.c                               |    4 +-
 net/ax25/sysctl_net_ax25.c                 |    4 +-
 net/core/net-sysfs.c                       |    2 +-
 net/core/net_namespace.c                   |    8 +-
 net/core/rtnetlink.c                       |   11 +-
 net/core/sock.c                            |    4 +-
 net/core/sysctl_net_core.c                 |   18 +-
 net/decnet/af_decnet.c                     |    1 +
 net/ipv4/af_inet.c                         |    8 +-
 net/ipv4/devinet.c                         |   14 +-
 net/ipv4/inet_connection_sock.c            |    2 +-
 net/ipv4/ip_fragment.c                     |   13 +-
 net/ipv4/ip_gre.c                          |    6 +-
 net/ipv4/route.c                           |   19 +-
 net/ipv4/sysctl_net_ipv4.c                 |   36 +-
 net/ipv6/icmp.c                            |    2 +-
 net/ipv6/reassembly.c                      |   13 +-
 net/ipv6/route.c                           |    2 +-
 net/ipv6/sysctl_net_ipv6.c                 |    2 +-
 net/netfilter/ipset/ip_set_core.c          |    2 +-
 net/netfilter/ipvs/ip_vs_ctl.c             |    4 +-
 net/netfilter/ipvs/ip_vs_lblc.c            |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c           |    2 +-
 net/netfilter/nf_conntrack_acct.c          |    2 +-
 net/netfilter/nf_conntrack_ecache.c        |    2 +-
 net/netfilter/nf_conntrack_proto_dccp.c    |    2 +-
 net/netfilter/nf_conntrack_standalone.c    |    2 +-
 net/netfilter/nf_conntrack_timestamp.c     |    2 +-
 net/netfilter/nf_log.c                     |   10 +-
 net/netfilter/nf_sockopt.c                 |    4 +-
 net/netlink/genetlink.c                    |   16 +-
 net/phonet/sysctl.c                        |    2 +-
 net/rds/rds.h                              |    2 +-
 net/sctp/ipv6.c                            |    6 +-
 net/sctp/protocol.c                        |   10 +-
 net/sctp/sm_sideeffect.c                   |    2 +-
 net/sctp/socket.c                          |   19 +-
 net/socket.c                               |    2 +
 net/sunrpc/clnt.c                          |    4 +-
 net/sunrpc/svc.c                           |    4 +-
 net/unix/sysctl_net_unix.c                 |    2 +-
 net/xfrm/xfrm_policy.c                     |   11 +-
 net/xfrm/xfrm_state.c                      |   29 +-
 net/xfrm/xfrm_sysctl.c                     |    2 +-
 scripts/package/builddeb                   |    1 +
 security/Kconfig                           |   21 +
 security/apparmor/lsm.c                    |    2 +-
 security/keys/key.c                        |   10 +-
 tools/gcc/Makefile                         |    6 +-
 tools/gcc/constify_plugin.c                |  305 +-
 tools/gcc/latent_entropy_plugin.c          |   14 +-
 tools/gcc/size_overflow_hash.data          | 7594 ++++++++++++++++------------
 tools/gcc/size_overflow_plugin.c           | 1077 +++--
 tools/gcc/structleak_plugin.c              |  270 +
 tools/perf/util/include/linux/compiler.h   |    8 +
 275 files changed, 6519 insertions(+), 4314 deletions(-)

commit 16dde5ac06cdc2f92734f3a8d321084c8c2dbb7e
Merge: 79ba6d7 d27ba55
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 22:05:44 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	drivers/firmware/efivars.c
    	drivers/gpu/drm/i915/i915_gem_execbuffer.c

commit f590e7677834e93dd899daf30b8e6dc9380b5d75
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 28 20:02:40 2013 -0400

    Fix 8-byte stack infoleak in ia32_rt_sigpending
    User controls length, kernel only performs check on the upper bound, will
    fill in any amount less than sizeof(sigset_t) via a copy_to_user under
    KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t
    regardless of whether the sigset_t content copied into it has been initialized
    or not

 arch/x86/ia32/sys_ia32.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
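
Added example, not kernel code: a userspace model of the infoleak shape shared by the __sys_recvmsg commit above and this ia32_rt_sigpending one. A stack object is only partly written, to a user-chosen length, and is then copied back to userland by a length that is checked against the object's size alone, so the unwritten tail, whatever the previous syscall left on the stack, goes out with it. The poison byte stands in for that stale stack data, the source bytes are constructed, and the hardened variant is this example's own choice of mitigations, not the exact one-line kernel fixes.

```c
/* Added example, not kernel code: the "partially written stack object
 * copied out in full" leak behind the __sys_recvmsg and ia32_rt_sigpending
 * fixes. POISON models stale kernel stack contents. */
#include <stddef.h>
#include <string.h>

#define POISON 0xAA  /* stands in for stale data left on the kernel stack */

/* Vulnerable shape. obj is the stack object (obj_size bytes), src/src_len
 * the data actually produced for it, user/user_len the copy-out request.
 * Returns bytes copied to userland, 0 if the source length was rejected. */
size_t copy_out_vuln(unsigned char *obj, size_t obj_size,
		     const unsigned char *src, size_t src_len,
		     unsigned char *user, size_t user_len)
{
	if (src_len > obj_size)
		return 0;			/* the only check the bug had */
	memcpy(obj, src, src_len);		/* obj[src_len..obj_size) untouched */
	if (user_len > obj_size)
		user_len = obj_size;		/* upper bound only */
	memcpy(user, obj, user_len);		/* leaks obj[src_len..user_len) */
	return user_len;
}

/* Hardened shape (this example's choice): clear the object before use so
 * no stale bytes can survive, and never copy out more than was written.
 * Either half alone closes the leak; the clearing is the kind of fix the
 * stack-leak gcc plugin from the PaX changelog above applies automatically. */
size_t copy_out_fixed(unsigned char *obj, size_t obj_size,
		      const unsigned char *src, size_t src_len,
		      unsigned char *user, size_t user_len)
{
	if (src_len > obj_size)
		return 0;
	memset(obj, 0, obj_size);
	memcpy(obj, src, src_len);
	if (user_len > src_len)
		user_len = src_len;		/* bound by what was written */
	memcpy(user, obj, user_len);
	return user_len;
}

/* Runs one scenario and returns how many POISON bytes reached "userland".
 * The source bytes are constructed as 1, 2, 3, ... and never equal POISON,
 * so every POISON byte found in user[] came from the uninitialized part of
 * obj. Returns (size_t)-1 if a length exceeds the fixed scratch buffers. */
size_t demo_leak(int hardened, size_t obj_size, size_t src_len, size_t user_len)
{
	unsigned char obj[128], src[128], user[128];
	size_t n, i, leaked = 0;

	if (obj_size > sizeof obj || src_len > sizeof src || user_len > sizeof user)
		return (size_t)-1;
	memset(obj, POISON, sizeof obj);	/* what the stack held before */
	memset(user, 0, sizeof user);
	for (i = 0; i < src_len; i++)
		src[i] = (unsigned char)(i + 1);

	n = hardened ? copy_out_fixed(obj, obj_size, src, src_len, user, user_len)
		     : copy_out_vuln(obj, obj_size, src, src_len, user, user_len);
	for (i = 0; i < n; i++)
		if (user[i] == POISON)
			leaked++;
	return leaked;
}
```

demo_leak(0, 128, 16, 128) models the recvmsg case: a 16-byte IPv4 address copied into a 128-byte sockaddr_storage and all 128 bytes copied out, leaking 112 bytes of stack. demo_leak(0, 8, 4, 8) models rt_sigpending: 4 of the 8 sigset_t bytes filled in and the full 8-byte compat_sigset_t copied out, leaking 4. The hardened variant returns 0 leaked bytes for both.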

commit 9ac8b20f9a8f5065a0c6e2285a1c5c5b541b8dad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 26 21:11:47 2013 -0400

    From: Tomas Hozza <thozza@redhat.com>
    
    commit 95a69adab9acfc3981c504737a2b6578e4d846ef upstream.
    
    The source code without this patch caused hypervkvpd to exit when it processed
    a spoofed Netlink packet which has been sent from an untrusted local user.
    Now Netlink messages with a non-zero nl_pid source address are ignored
    and a warning is printed into the syslog.
    
    Signed-off-by: Tomas Hozza <thozza@redhat.com>
    Acked-by:  K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

 tools/hv/hv_kvp_daemon.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 18d804b7b4b6f2cf9c2654339ee99f45b2a77125
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 26 21:05:05 2013 -0400

    commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576
    Author: J. Bruce Fields <bfields@redhat.com>
    Date:   Tue Mar 26 14:11:13 2013 -0400
    
        nfsd4: reject "negative" acl lengths
    
        Since we only enforce an upper bound, not a lower bound, a "negative"
        length can get through here.
    
        The symptom seen was a warning when we attempt to a kmalloc with an
        excessive size.
    
        Reported-by: Toralf Förster <toralf.foerster@gmx.de>
        Signed-off-by: J. Bruce Fields <bfields@redhat.com>

 fs/nfsd/nfs4xdr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
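
Added example, not nfsd code: the signed-length bound check the nfsd4 commit above describes, modelled on a 4-byte XDR count. ACL_MAX and ACE_SIZE are hypothetical stand-ins for the decoder's real limit and entry size, the encoder exists only to build test input, and the fixed variant (an unsigned count) is this example's choice rather than necessarily the upstream one-liner.

```c
/* Added example, not nfsd code: a signed count read from the wire passes an
 * upper-bound-only test when it is "negative", then becomes an enormous
 * size_t at the allocation. ACL_MAX and ACE_SIZE are hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define ACL_MAX  1024	/* hypothetical upper bound on the ACE count */
#define ACE_SIZE 16	/* hypothetical bytes per decoded ACE */

/* XDR integers are 32-bit big-endian. */
static uint32_t xdr_u32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed encoder, used only to build input for the decoders below. */
void xdr_put_u32(uint32_t v, unsigned char out[4])
{
	out[0] = (unsigned char)(v >> 24);
	out[1] = (unsigned char)(v >> 16);
	out[2] = (unsigned char)(v >> 8);
	out[3] = (unsigned char)v;
}

/* Buggy decoder: the count lands in a signed int and only the upper bound
 * is tested, so 0xffffffff reads as -1, passes "> ACL_MAX", and turns into
 * SIZE_MAX at the conversion before the multiply. Returns the byte count
 * that would be handed to the allocator, or 0 when the length is rejected. */
size_t acl_alloc_size_buggy(const unsigned char *wire)
{
	int nace = (int)xdr_u32(wire);

	if (nace > ACL_MAX)
		return 0;
	return (size_t)nace * ACE_SIZE;	/* -1 becomes SIZE_MAX here */
}

/* Fixed decoder: keep the count unsigned so the same single comparison
 * rejects every value above ACL_MAX, "negative" ones included. Testing
 * `nace < 0 || nace > ACL_MAX` on the signed int would close it as well. */
size_t acl_alloc_size_fixed(const unsigned char *wire)
{
	uint32_t nace = xdr_u32(wire);

	if (nace > ACL_MAX)
		return 0;
	return (size_t)nace * ACE_SIZE;
}

/* Encodes count as XDR and runs it through either decoder. */
size_t acl_demo(int buggy, uint32_t count)
{
	unsigned char wire[4];

	xdr_put_u32(count, wire);
	return buggy ? acl_alloc_size_buggy(wire) : acl_alloc_size_fixed(wire);
}
```

acl_demo(1, 0xffffffffu) returns a size far above ACL_MAX * ACE_SIZE, which is the "kmalloc with an excessive size" warning the commit mentions; acl_demo(0, 0xffffffffu) returns 0. Ordinary counts decode identically in both variants.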

commit 956c74cf59df8cf405fff11eb71c7e0f015d78fd
Author: Jeff Layton <jlayton@redhat.com>
Date:   Mon Mar 11 09:52:19 2013 -0400

    Upstream commit: f853c616883a8de966873a1dab283f1369e275a1
    
    cifs: ignore everything in SPNEGO blob after mechTypes
    
    We've had several reports of people attempting to mount Windows 8 shares
    and getting failures with a return code of -EINVAL. The default sec=
    mode changed recently to sec=ntlmssp. With that, we expect and parse a
    SPNEGO blob from the server in the NEGOTIATE reply.
    
    The current decode_negTokenInit function first parses all of the
    mechTypes and then tries to parse the rest of the negTokenInit reply.
    The parser however currently expects a mechListMIC or nothing to follow the
    mechTypes, but Windows 8 puts a mechToken field there instead to carry
    some info for the new NegoEx stuff.
    
    In practice, we don't do anything with the fields after the mechTypes
    anyway so I don't see any real benefit in continuing to parse them.
    This patch just has the kernel ignore the fields after the mechTypes.
    We'll probably need to reinstate some of this if we ever want to support
    NegoEx.
    
    Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
    Reported-by: Yan Li <elliot.li.tech@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Steve French <sfrench@us.ibm.com>

 fs/cifs/asn1.c |   53 +++++------------------------------------------------
 1 files changed, 5 insertions(+), 48 deletions(-)

commit 543c7402503dffa283406e2cbf2ea716cbb07253
Merge: b95a056 79ba6d7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:12:56 2013 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	crypto/crypto_user.c
    	crypto/pcompress.c
    	drivers/connector/cn_proc.c
    	security/keys/compat.c

commit 79ba6d79761c610e4b0cb5fdb2de8a5161be554c
Merge: bbe3291 1c08ea4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 18:11:26 2013 -0400

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	drivers/gpu/drm/i915/intel_display.c
    	security/keys/compat.c

commit b95a0563ea160cdd78bbc53af33dc4ccf80beeef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 25 16:48:34 2013 -0400

    From: Al Viro <viro@ZenIV.linux.org.uk>
    To: Brad Spengler <spender@grsecurity.net>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    
    Umm...  I see what you are describing, and AFAICS you are correct; let me
    see if I am misreading your analysis:
            * vfsmount_lock may act fair; A holding it shared, with B spinning
    on attempt to take it exclusive may lead to C spinning on attempt to take
    it shared.
            * path_is_under() tries get rename_lock while holding vfsmount_lock
    shared.
            * d_path() et.al. try to take vfsmount_lock shared, while holding
    rename_lock.
    
    All true and yes, it's a bug (I'd probably classify it as a livelock, but
    that doesn't make any real difference).  There are three possible solutions,
    AFAICS:
            1) two-liner in path_is_under() replacing the use of vfsmount_lock
    with that of namespace_sem; trivial, but results in function unexpectedly
    blocking.  The current callers are fine with that, but it's a trouble
    waiting to happen.
            2) replace write_seqlock() in prepend_path() callers with
    read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike
    is_subdir() we need more than just ->d_parent not pointing to something
    freed - we also care about ->d_name.len being in sync with ->d_name.name.
    It probably can be worked around, but...
    
            3) declare that rename_lock nests inside vfsmount_lock and let
    the callers of prepend_path() take vfsmount_lock().  I'd probably prefer
    that one...
    
    Nest rename_lock inside vfsmount_lock
    
    ... lest we get livelocks between path_is_under() and d_path() and friends.
    
    [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing
      the issue ]
    
    Spotted-by: Brad Spengler <spender@grsecurity.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
    	fs/dcache.c
    	grsecurity/gracl.c

 fs/dcache.c        |   16 +++++++++++-----
 grsecurity/gracl.c |   20 ++++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

commit 479616d267a2af603d698c8704b191a663cff0f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:15:50 2013 -0400

    oded 0day #1
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 18

 drivers/net/wireless/zd1211rw/zd_usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0b770a3bb12adcff9a330daa019a2dacb26aab30
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 23 12:50:13 2013 -0400

    oded 0day #2
    http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
    slide 20

 drivers/net/ethernet/broadcom/tg3.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 9e358e315cb3b4280389e3d045b2e97dbd9f21d0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:53:09 2013 -0400

    fix recent RLIMIT_AS changes (due to vm_flags typo)

 fs/binfmt_elf.c    |    2 +-
 include/linux/mm.h |    1 -
 mm/mmap.c          |    2 +-
 3 files changed, 2 insertions(+), 3 deletions(-)

commit 3b058d90a277f551c08ce6352e65b1b32104cafe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 22 17:10:38 2013 -0400

    complete_walk drops rcu-walk mode, no need for our own dropping method
    outside of generic_permission

 fs/namei.c |   30 ------------------------------
 1 files changed, 0 insertions(+), 30 deletions(-)

commit dd1a624c086ad516b39b84821df41e42821476c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 22:44:55 2013 -0400

    remove VM_ACCOUNT from backport

 mm/mmap.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit e3bf3f15b4c2ce6eccfdc3f84ea8254194a48497
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 23:01:57 2013 -0400

    backport VM_NONE, use VM_RESERVED and don't account it

 fs/binfmt_elf.c    |    2 +-
 include/linux/mm.h |    1 +
 mm/mmap.c          |    3 +++
 3 files changed, 5 insertions(+), 1 deletions(-)

commit 5594ae92569b13b99b20d8fe4ea7f10d6172cc76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 21 22:32:39 2013 -0400

    backport aslr_gap changes from 3.8

 fs/binfmt_elf.c          |   17 ++++++++---------
 fs/exec.c                |    7 ++-----
 include/linux/compat.h   |    2 +-
 include/linux/mm.h       |    4 ++++
 include/linux/mm_types.h |    2 +-
 kernel/ptrace.c          |    2 +-
 mm/mmap.c                |   15 ++++++++++-----
 7 files changed, 27 insertions(+), 22 deletions(-)

commit 9df2d0dad98873d1ee2831b42924d7e2390b0c39
Author: Huang Shijie <shijie8@gmail.com>
Date:   Tue Jul 31 16:41:49 2012 -0700

    mm: account the total_vm in the vm_stat_account()
    
    vm_stat_account() accounts the shared_vm, stack_vm and reserved_vm now.
    But we can also account for total_vm in the vm_stat_account() which makes
    the code tidy.
    
    Even for mprotect_fixup(), we can get the right result in the end.
    
    Signed-off-by: Huang Shijie <shijie8@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	mm/mmap.c

 arch/ia64/kernel/perfmon.c |    1 -
 include/linux/mm.h         |    1 +
 kernel/fork.c              |    4 +---
 mm/mmap.c                  |    7 ++++---
 mm/mremap.c                |    2 --
 5 files changed, 6 insertions(+), 9 deletions(-)

commit 685d5e7a9759b6a3718a9ea545295325fe609802
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 23:32:25 2013 -0400

    From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001
    From: Kees Cook <keescook@chromium.org>
    Date: Sun, 10 Mar 2013 20:09:31 +0000
    Subject: drm/i915: bounds check execbuffer relocation count
    
    It is possible to wrap the counter used to allocate the buffer for
    relocation copies. This could lead to heap writing overflows.
    
    CVE-2013-0913
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reported-by: Pinkie Pie
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

commit 4579d7a6f6f261d21954d59b3655a7c44ccb6cd8
Author: Andy Honig <ahonig@google.com>
Date:   Mon Mar 11 09:34:52 2013 -0700

    Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9
    
    KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
    
    If the guest sets the GPA of the time_page so that the request to update the
    time straddles a page then KVM will write onto an incorrect page.  The
    write is done by using kmap atomic to get a pointer to the page for the time
    structure and then performing a memcpy to that page starting at an offset
    that the guest controls.  Well behaved guests always provide a 32-byte aligned
    address, however a malicious guest could use this to corrupt host kernel
    memory.
    
    Tested: Tested against kvmclock unit test.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/kvm/x86.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 14dc5fc373b2ed0506cd973c6bcea8515a01081b
Author: Andy Honig <ahonig@google.com>
Date:   Wed Feb 20 14:49:16 2013 -0800

    Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55
    
    KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)
    
    If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows
    that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
    that request.  ioapic_read_indirect contains an
    ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
    non-debug builds.  In recent kernels this allows a guest to cause a kernel
    oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
    guest to read from large ranges of host memory.
    
    Tested: tested against apic unit tests.
    
    Signed-off-by: Andrew Honig <ahonig@google.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

 virt/kvm/ioapic.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 90174443d8c5f2ef16b5eb87d1dadae7996878f3
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat Mar 16 12:48:11 2013 +0300

    Upstream commit: 4502403dcf8f5c76abd4dbab8726c8e4ecb5cd34
    
    selinux: use GFP_ATOMIC under spin_lock
    
    The call tree here is:
    
    sk_clone_lock()              <- takes bh_lock_sock(newsk);
    xfrm_sk_clone_policy()
    __xfrm_sk_clone_policy()
    clone_policy()               <- uses GFP_ATOMIC for allocations
    security_xfrm_policy_clone()
    security_ops->xfrm_policy_clone_security()
    selinux_xfrm_policy_clone()
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: James Morris <james.l.morris@oracle.com>

 security/selinux/xfrm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 58a0d4c45563fa427de311a8305207463df4b250
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Sat Mar 9 15:28:44 2013 +0100

    Upstream commit: 8d0c2d10dd72c5292eda7a06231056a4c972e4cc
    
    ext3: Fix format string issues
    
    ext3_msg() takes the printk prefix as the second parameter and the
    format string as the third parameter. Two callers of ext3_msg omit the
    prefix and pass the format string as the second parameter and the first
    parameter to the format string as the third parameter. In both cases
    this string comes from an arbitrary source, which means the string may
    contain format string characters, which will lead to undefined and
    potentially harmful behavior.
    
    The issue was introduced in commit 4cf46b67eb ("ext3: Unify log messages
    in ext3") and is fixed by this patch.
    
    CC: stable@vger.kernel.org
    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/ext3/super.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit c09d37b10288cbd2c582f6884f0247c739de7a52
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 20 17:37:59 2013 -0400

    fix compilation

 fs/binfmt_elf.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 3009ccfbdc747eaab8a6185f49fa2d7ab4dcd345
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:42:20 2013 -0400

    fix missing sock_release()

 net/irda/af_irda.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 924f932884bf5a1a0dd1ede919659d762b58dbe5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 18:36:17 2013 -0400

    fix mpt fusion infoleak

 drivers/message/fusion/mptbase.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit a808b42ef7cf425e62c61787b88c6f3eba0033a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:34:36 2013 -0400

    update documentation on consequences of building without gcc plugin support

 Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c92f78b25d5466bfa7335517441714e1a2f003b3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:51:24 2013 -0400

    Replace brk_gap with aslr_gap, fix aslr_gap accounting as reported on the forums
    (Backported from latest PaX for 3.8)

 fs/binfmt_elf.c          |    5 +++--
 fs/exec.c                |    3 +++
 include/linux/mm_types.h |    2 +-
 mm/mmap.c                |    2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)

commit 13e30907b2d2743bcf0610f1196bda39028247ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 17:18:13 2013 -0400

    fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums

 init/main.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 9163504c3caea4c4fcd795a01673f0dfd707a761
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 19 00:38:51 2013 -0400

    compilation fix

 mm/page_alloc.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit becdf4a98cda62de95c81cc21f841db961d02ea5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 23:40:50 2013 -0400

    update latent entropy plugin

 init/main.c                       |    4 ++--
 mm/page_alloc.c                   |    4 ++--
 tools/gcc/latent_entropy_plugin.c |   11 +++++++----
 3 files changed, 11 insertions(+), 8 deletions(-)

commit 9e416cc77fbed4be231306c44e0a56114c8ef243
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 18 23:38:18 2013 -0400

    update entropy plugin

 Documentation/kernel-parameters.txt |    5 +++++
 init/main.c                         |    4 ----
 mm/page_alloc.c                     |   27 +++++++++++++++++++++++++++
 security/Kconfig                    |    5 +++++
 tools/gcc/latent_entropy_plugin.c   |    7 +++++--
 5 files changed, 42 insertions(+), 6 deletions(-)

commit a6e63be203ab75615bf98de4e86d8fcec6895380
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:51:50 2013 -0400

    fix typo

 grsecurity/gracl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 00159647fe5be91a9b824e2b7b856a479e338bda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 17 20:03:33 2013 -0400

    Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task
    with a subject applied to it with RES_CPU.  Otherwise, the limit will only
    begin to be applied at fork time.
    
    Thanks to Bjornar Ness for the report.

 grsecurity/gracl.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 3c02d1bd65fb2eee551f04668f527306b8122079
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:07:43 2013 -0400

    Move inode auditing prior to our refcnt dropping

 fs/namei.c |    9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

commit 717e5cb4db079b6bc77e1d5ac8480ba6646b442a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 22:00:30 2013 -0400

    Drop reference on completed path walked in RCU mode or when violating
    the chroot fchdir check inside a chroot -- possible culprit for a reported
    vfsmount_lock hang during unmount

 fs/namei.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 09249c10d8901eefc65e36baec5cc574609403d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 16:58:11 2013 -0400

    make compat ptr const

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f18de77ec8ca9ee52de599f1c88302769a5dfe4a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 16 11:22:36 2013 -0400

    Don't globally include compat.h -- with the new X32 support it
    changes some definitions involving ELF binaries resulting in invalid
    coredumps, as reported by KDE on the forums:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3310
    Thanks to the PaX Team for debugging

 fs/exec.c                  |   15 +++++++++++++++
 grsecurity/grsec_exec.c    |   13 +++++++++++++
 include/linux/grsecurity.h |   15 ---------------
 3 files changed, 28 insertions(+), 15 deletions(-)

commit b62dfd7dcca71eb6aa4098b9b3c9525d6612b8ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 14 20:59:26 2013 -0400

    Add peer information to /proc/net/unix from Kenan Kalajdzic:
    http://marc.info/?l=linux-netdev&m=126745636809191&w=2
    
    We use a "P" prefix to the inode number instead of "peer=".  This
    additional information can be used, for instance, to find what processes
    are connected to MySQL's unix domain socket.

 net/unix/af_unix.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 24f726f1a688f93819ad2d5ed68e5a34f87d0b0f
Author: Oliver Neukum <oneukum@suse.de>
Date:   Tue Mar 12 14:52:42 2013 +0100

    USB: cdc-wdm: fix buffer overflow
    
    The buffer for responses must not overflow.
    If this would happen, set a flag, drop the data and return
    an error after user space has read all remaining data.
    
    Signed-off-by: Oliver Neukum <oliver@neukum.org>
    CC: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    Conflicts:
    
    	drivers/usb/class/cdc-wdm.c

 drivers/usb/class/cdc-wdm.c |   23 ++++++++++++++++++++---
 1 files changed, 20 insertions(+), 3 deletions(-)

commit 6562baf632007d1e422363349e81f8684f0d607f
Author: Rusty Russell <rusty@rustcorp.com.au>
Date:   Tue Mar 5 10:07:08 2013 +1030

    Upstream commit: f7f154f1246ccc5a0a7e9ce50932627d60a0c878
    
    hw_random: make buffer usable in scatterlist.
    
    virtio_rng feeds the randomness buffer handed by the core directly
    into the scatterlist, since commit bb347d98079a547e80bd4722dee1de61e4dca0e8.
    
    However, if CONFIG_HW_RANDOM=m, the static buffer isn't a linear address
    (at least on most archs).  We could fix this in virtio_rng, but it's actually
    far easier to just do it in the core as virtio_rng would have to allocate
    a buffer every time (it doesn't know how much the core will want to read).
    
    Reported-by: Aurelien Jarno <aurelien@aurel32.net>
    Tested-by: Aurelien Jarno <aurelien@aurel32.net>
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Cc: stable@kernel.org

 drivers/char/hw_random/core.c |   19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

commit 533cbb1392d6e3d1a28b28512f954f052f63c043
Author: Jeff Layton <jlayton@redhat.com>
Date:   Fri Feb 1 15:11:01 2013 -0500

    Upstream commit: ce2ac52105aa663056dfc17966ebed1bf93e6e64
    
    cifs: ensure that cifs_get_root() only traverses directories
    
    Kjell Braden reported this oops:
    
    [  833.211970] BUG: unable to handle kernel NULL pointer dereference at           (null)
    [  833.212816] IP: [<          (null)>]           (null)
    [  833.213280] PGD 1b9b2067 PUD e9f7067 PMD 0
    [  833.213874] Oops: 0010 [#1] SMP
    [  833.214344] CPU 0
    [  833.214458] Modules linked in: des_generic md4 nls_utf8 cifs vboxvideo drm snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq bnep rfcomm snd_timer bluetooth snd_seq_device ppdev snd vboxguest parport_pc joydev mac_hid soundcore snd_page_alloc psmouse i2c_piix4 serio_raw lp parport usbhid hid e1000
    [  833.215629]
    [  833.215629] Pid: 1752, comm: mount.cifs Not tainted 3.0.0-rc7-bisectcifs-fec11dd9a0+ #18 innotek GmbH VirtualBox/VirtualBox
    [  833.215629] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
    [  833.215629] RSP: 0018:ffff8800119c9c50  EFLAGS: 00010282
    [  833.215629] RAX: ffffffffa02186c0 RBX: ffff88000c427780 RCX: 0000000000000000
    [  833.215629] RDX: 0000000000000000 RSI: ffff88000c427780 RDI: ffff88000c4362e8
    [  833.215629] RBP: ffff8800119c9c88 R08: ffff88001fc15e30 R09: 00000000d69515c7
    [  833.215629] R10: ffffffffa0201972 R11: ffff88000e8f6a28 R12: ffff88000c4362e8
    [  833.215629] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88001181aaa6
    [  833.215629] FS:  00007f2986171700(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
    [  833.215629] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [  833.215629] CR2: 0000000000000000 CR3: 000000001b982000 CR4: 00000000000006f0
    [  833.215629] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [  833.215629] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [  833.215629] Process mount.cifs (pid: 1752, threadinfo ffff8800119c8000, task ffff88001c1c16f0)
    [  833.215629] Stack:
    [  833.215629]  ffffffff8116a9b5 ffff8800119c9c88 ffffffff81178075 0000000000000286
    [  833.215629]  0000000000000000 ffff88000c4276c0 ffff8800119c9ce8 ffff8800119c9cc8
    [  833.215629]  ffffffff8116b06e ffff88001bc6fc00 ffff88000c4276c0 ffff88000c4276c0
    [  833.215629] Call Trace:
    [  833.215629]  [<ffffffff8116a9b5>] ? d_alloc_and_lookup+0x45/0x90
    [  833.215629]  [<ffffffff81178075>] ? d_lookup+0x35/0x60
    [  833.215629]  [<ffffffff8116b06e>] __lookup_hash.part.14+0x9e/0xc0
    [  833.215629]  [<ffffffff8116b1d6>] lookup_one_len+0x146/0x1e0
    [  833.215629]  [<ffffffff815e4f7e>] ? _raw_spin_lock+0xe/0x20
    [  833.215629]  [<ffffffffa01eef0d>] cifs_do_mount+0x26d/0x500 [cifs]
    [  833.215629]  [<ffffffff81163bd3>] mount_fs+0x43/0x1b0
    [  833.215629]  [<ffffffff8117d41a>] vfs_kern_mount+0x6a/0xd0
    [  833.215629]  [<ffffffff8117e584>] do_kern_mount+0x54/0x110
    [  833.215629]  [<ffffffff8117fdc2>] do_mount+0x262/0x840
    [  833.215629]  [<ffffffff81108a0e>] ? __get_free_pages+0xe/0x50
    [  833.215629]  [<ffffffff8117f9ca>] ? copy_mount_options+0x3a/0x180
    [  833.215629]  [<ffffffff8118075d>] sys_mount+0x8d/0xe0
    [  833.215629]  [<ffffffff815ece82>] system_call_fastpath+0x16/0x1b
    [  833.215629] Code:  Bad RIP value.
    [  833.215629] RIP  [<          (null)>]           (null)
    [  833.215629]  RSP <ffff8800119c9c50>
    [  833.215629] CR2: 0000000000000000
    [  833.238525] ---[ end trace ec00758b8d44f529 ]---
    
    When walking down the path on the server, it's possible to hit a
    symlink. The path walking code assumes that the caller will handle that
    situation properly, but cifs_get_root() isn't set up for it. This patch
    prevents the oops by simply returning an error.
    
    A better solution would be to try and chase the symlinks here, but that's
    fairly complicated to handle.
    
    Fixes:
    
        https://bugzilla.kernel.org/show_bug.cgi?id=53221
    
    Reported-and-tested-by: Kjell Braden <afflux@pentabarf.de>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Steve French <sfrench@us.ibm.com>

 fs/cifs/cifsfs.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 38d0728e4aee9a0b44f892ed01a55201f163638c
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Feb 11 22:03:18 2013 +0300

    Upstream commit: 208afec4f3be8c51ad6eebe6611dd6d2ad2fa298
    
    [SCSI] dc395x: uninitialized variable in device_alloc()
    
    This bug was introduced back in bitkeeper days in 2003.  We use
    "dcb->dev_mode" before it has been initialized.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Oliver Neukum <oliver@neukum.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>

 drivers/scsi/dc395x.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9547aa21a6c0fc7c4fcd48f5fca4dd0e77002fba
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Mon Feb 25 10:20:36 2013 -0500

    Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49
    
    Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
    
    Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
    compat_process_vm_rw() shows that the compatibility code requires an
    explicit "access_ok()" check before calling
    compat_rw_copy_check_uvector(). The same difference seems to appear when
    we compare fs/read_write.c:do_readv_writev() to
    fs/compat.c:compat_do_readv_writev().
    
    This subtle difference between the compat and non-compat requirements
    should probably be debated, as it seems to be error-prone. In fact,
    there are two other sites that use this function in the Linux kernel,
    and they both seem to get it wrong:
    
    Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
    also ends up calling compat_rw_copy_check_uvector() through
    aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
    be missing. Same situation for
    security/keys/compat.c:compat_keyctl_instantiate_key_iov().
    
    I propose that we add the access_ok() check directly into
    compat_rw_copy_check_uvector(), so callers don't have to worry about it,
    and it therefore makes the compat call code similar to its non-compat
    counterpart. Place the access_ok() check in the same location where
    copy_from_user() can trigger a -EFAULT error in the non-compat code, so
    the ABI behaviors are alike on both compat and non-compat.
    
    While we are here, fix compat_do_readv_writev() so it checks for
    compat_rw_copy_check_uvector() negative return values.
    
    And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
    handling.
    
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	security/keys/compat.c
    
    Conflicts:
    
    	fs/compat.c

 fs/compat.c            |   15 +++++++--------
 mm/process_vm_access.c |    8 --------
 security/keys/compat.c |    3 ++-
 3 files changed, 9 insertions(+), 17 deletions(-)

commit 40ee20019f37a4501efc4af876fc53bf800e2142
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Tue Mar 12 02:59:49 2013 +0000

    Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512
    
    vfs: fix pipe counter breakage
    
    If you open a pipe for neither read nor write, the pipe code will not
    add any usage counters to the pipe, causing the 'struct pipe_inode_info"
    to be potentially released early.
    
    That doesn't normally matter, since you cannot actually use the pipe,
    but the pipe release code - particularly fasync handling - still expects
    the actual pipe infrastructure to all be there.  And rather than adding
    NULL pointer checks, let's just disallow this case, the same way we
    already do for the named pipe ("fifo") case.
    
    This is ancient going back to pre-2.4 days, and until trinity, nobody
    never noticed.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/pipe.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit dfa0882777e2638ddeeb67eae24e3578b38012ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 11 18:38:38 2013 -0400

    Fix leak of signal handler addresses across execve, found by Emese Revfy

 kernel/signal.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 666be15906ab103bf34d136093e1989fad20ac67
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Mar 10 12:04:39 2013 -0400

    backport fixed i386 mmap check (to allow non-fixed mmap requests to choose
    a bad range and let the allocator find the proper space)

 arch/x86/kernel/sys_i386_32.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 9433f474e3b7c9136f6df50d1d1431ed74e1bbde
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 15:54:24 2013 -0500

    fix compilation error reported by djcool on IRC

 fs/proc/task_mmu.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 75fb8bb5b399ab3d1e38b692e878baf66f902c97
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 9 11:19:06 2013 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
            Stephen Hemminger <stephen@networkplumber.org>
    Subject: [PATCH 1/3] bridge: fix mdb info leaks
    Date: Sat,  9 Mar 2013 16:52:19 +0100
    
    The bridging code discloses heap and stack bytes via the RTM_GETMDB
    netlink interface and via the notify messages sent to group RTNLGRP_MDB
    after a successful add/del.
    
    Fix both cases by initializing all unset members/padding bytes with
    memset(0).
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices
    Date: Sat,  9 Mar 2013 16:52:20 +0100
    
    Initialize the mac address buffer with 0 as the driver specific function
    will probably not fill the whole buffer. In fact, all in-kernel drivers
    fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
    bytes. Therefore we currently leak 26 bytes of stack memory to userland
    via the netlink interface.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
    Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks
    Date: Sat,  9 Mar 2013 16:52:21 +0100
    
    The dcb netlink interface leaks stack memory in various places:
    * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
      copied completely,
    * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
      so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
      for ieee_pfc structs, etc.,
    * the same is true for CEE -- no in-kernel driver fills the whole
      struct,
    
    Prevent all of the above stack info leaks by properly initializing the
    buffers/structures involved.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    Conflicts:
    
    	net/bridge/br_mdb.c
    	net/dcb/dcbnl.c

 net/core/rtnetlink.c |    1 +
 net/dcb/dcbnl.c      |    7 +++++++
 2 files changed, 8 insertions(+), 0 deletions(-)

commit 1b361b20cac7c1f94d4da20a08861ca61f73d745
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 8 18:47:43 2013 -0500

    Allow copies to user from DECnet's NSP slab cache

 net/decnet/af_decnet.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 65b208809043a835524a2a6e64bfd8dbe07ca76a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 22:00:21 2013 -0500

    fix ARM compilation reported on IRC

 arch/arm/include/asm/pgalloc.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4e3bdb314d3e4677edc35af62b551984a55d377b
Author: Kees Cook <keescook@chromium.org>
Date:   Mon Feb 25 21:32:25 2013 +0000

    Upstream commit: e70ab977991964a5a7ad1182799451d067e62669
    
    proc connector: reject unprivileged listener bumps
    
    While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
    for an unprivileged user to turn off notifications for all listeners by
    sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
    required for a multicast bind.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: Evgeniy Polyakov <zbr@ioremap.net>
    Cc: Matt Helsley <matthltc@us.ibm.com>
    Cc: stable@vger.kernel.org
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Acked-by: Matt Helsley <matthltc@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	drivers/connector/cn_proc.c

 drivers/connector/cn_proc.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit 1d10a77bb5eecdc14415d5443dbd11641b03ed26
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Feb 26 19:15:02 2013 +0000

    Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a
    
    irda: small read beyond end of array in debug code
    
    charset comes from skb->data.  It's a number in the 0-255 range.
    If we have debugging turned on then this could cause a read beyond
    the end of the array.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/irda/iriap.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 562feb38bda7bf16725723bb2f98150d16caea34
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Fri Mar 1 05:02:02 2013 +0000

    Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a
    
    l2tp: Restore socket refcount when sendmsg succeeds
    
    The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket
    reference counter after successful transmissions. Any successful
    sendmsg() call from userspace will then increase the reference counter
    forever, thus preventing the kernel's session and tunnel data from
    being freed later on.
    
    The problem only happens when writing directly on L2TP sockets.
    PPP sockets attached to L2TP are unaffected as the PPP subsystem
    uses pppol2tp_xmit() which symmetrically increases/decreases reference
    counters.
    
    This patch adds the missing call to sock_put() before returning from
    pppol2tp_sendmsg().
    
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/l2tp/l2tp_ppp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e696b07a8a40c2a80c62585e2038be7c356f0fbd
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:18:11 2013 +0000

    Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0
    
    rds: limit the size allocated by rds_message_alloc()
    
    Dave Jones reported the following bug:
    
    "When fed mangled socket data, rds will trust what userspace gives it,
    and tries to allocate enormous amounts of memory larger than what
    kmalloc can satisfy."
    
    WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
    Hardware name: GA-MA78GM-S2H
    Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
    Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
    Call Trace:
     [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
     [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
     [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
     [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
     [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
     [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
     [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
     [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
     [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
     [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
     [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
     [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
     [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
     [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
     [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
     [<ffffffff81567f30>] sys_sendto+0x130/0x180
     [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
     [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
     [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
     [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
     [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
     [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
    ---[ end trace eed6ae990d018c8b ]---
    
    Reported-by: Dave Jones <davej@redhat.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/message.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6c6c2318ae34d1b2846b05a889a1bb98463269db
Author: Cong Wang <amwang@redhat.com>
Date:   Sun Mar 3 16:28:27 2013 +0000

    Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e
    
    sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE
    
    Don't define its own MAX_KMALLOC_SIZE, use the one
    defined in mm.
    
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Cc: Sridhar Samudrala <sri@us.ibm.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Cong Wang <amwang@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/ssnmap.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit 62019622ddb34af1a7491b8910a1f13f1519ba08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:57:49 2013 -0500

    Upstream commit: https://lkml.org/lkml/2013/3/6/535

 security/keys/process_keys.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ae14eb6c28a45c21e055b9720afb3c9d7ee85bc7
Merge: c5d126f bbe3291
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:45:11 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/mm/fault.c
    	kernel/kmod.c

commit bbe329188b69a8a42d0d422664ca52fa1c686713
Merge: ef7d861 733c794
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 7 17:31:20 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/mm/fault.c

commit c5d126fcabd2d29bd3049c230185affe3d0ff7f1
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Feb 27 08:36:04 2013 -0800

    Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0
    
    mm: do not grow the stack vma just because of an overrun on preceding vma
    
    The stack vma is designed to grow automatically (marked with VM_GROWSUP
    or VM_GROWSDOWN depending on architecture) when an access is made beyond
    the existing boundary.  However, particularly if you have not limited
    your stack at all ("ulimit -s unlimited"), this can cause the stack to
    grow even if the access was really just one past *another* segment.
    
    And that's wrong, especially since we first grow the segment, but then
    immediately later enforce the stack guard page on the last page of the
    segment.  So _despite_ first growing the stack segment as a result of
    the access, the kernel will then make the access cause a SIGSEGV anyway!
    
    So do the same logic as the guard page check does, and consider an
    access to within one page of the next segment to be a bad access, rather
    than growing the stack to abut the next segment.
    
    Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c |   27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)

commit c5fec05036e409c7331f15be8332dde8f3ecdf98
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Wed Feb 27 12:46:40 2013 -0800

    Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c
    
    x86: Make sure we can boot in the case the BDA contains pure garbage
    
    On non-BIOS platforms it is possible that the BIOS data area contains
    garbage instead of being zeroed or something equivalent (firmware
    people: we are talking of 1.5K here, so please do the sane thing.)
    
    We need on the order of 20-30K of low memory in order to boot, which
    may grow up to < 64K in the future.  We probably want to avoid the
    lowest of the low memory.  At the same time, it seems extremely
    unlikely that a legitimate EBDA would ever reach down to the 128K
    (which would require it to be over half a megabyte in size.)  Thus,
    pick 128K as the cutoff for "this is insane, ignore."  We may still
    end up reserving a bunch of extra memory on the low megabyte, but that
    is not really a major issue these days.  In the worst case we lose
    512K of RAM.
    
    This code really should be merged with trim_bios_range() in
    arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
    window.
    
    Reported-by: Darren Hart <dvhart@linux.intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: Matt Fleming <matt.fleming@intel.com>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org

 arch/x86/kernel/head.c |   53 ++++++++++++++++++++++++++++++-----------------
 1 files changed, 34 insertions(+), 19 deletions(-)

commit 959e94223933bd41b03d15d37dd90ba6da2d0a2f
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Wed Feb 27 17:05:46 2013 -0800

    Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469
    
    memstick: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to find this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Maxim Levitsky <maximlevitsky@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/memstick/host/r592.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a11e3c3f7c35c7b8131537c3364c659cefe591e9
Author: Xi Wang <xi.wang@gmail.com>
Date:   Wed Feb 27 17:05:21 2013 -0800

    Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560
    
    sysctl: fix null checking in bin_dn_node_address()
    
    The null check of `strchr() + 1' is broken, which is always non-null,
    leading to OOB read.  Instead, check the result of strchr().
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sysctl_binary.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 8b5d5fabb5a5aa862bd76a8454489483649605e8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 1 20:31:42 2013 -0500

    Fix dentry use-after-free after failed complete_walk() with RBAC enabled
    Many thanks to zakalwe from #grsecurity for the report and debugging help

 fs/namei.c |    8 +++-----
 1 files changed, 3 insertions(+), 5 deletions(-)

commit ac8de3b2811460dbe4ce7fe1d873f98f4e76e7d2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 22:20:22 2013 -0500

    add compiler.h to sysrq.h to fix compilation problem reported by micu on forums

 include/linux/sysrq.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 53b50ef22e0493baea9a04f9106d4dbe3f7ab770
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 27 18:14:21 2013 -0500

    check for CAP_SYSLOG on /dev/kmsg write

 drivers/char/mem.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 695b80c298392e89d34a6bc9f2be1b5a12707d22
Author: Anderson Lizardo <anderson.lizardo@openbossa.org>
Date:   Sun Jan 6 18:28:53 2013 -0400

    Upstream commit: 0a9ab9bdb3e891762553f667066190c1d22ad62b
    (fix two additional copy lengths as well -spender)
    
    Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()
    
    The length parameter should be sizeof(req->name) - 1 because there is no
    guarantee that string provided by userspace will contain the trailing
    '\0'.
    
    Can be easily reproduced by manually setting req->name to 128 non-zero
    bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on
    input subsystem:
    
    $ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name
    AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af
    
    ("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys"
    field in struct hid_device due to overflow.)
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
    Acked-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
    
    Conflicts:
    
    	net/bluetooth/hidp/core.c

 net/bluetooth/hidp/core.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
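
Added example (not the kernel's code and not part of the commit above): a userspace model of the copy the commit corrects. The struct layouts, NAME_LEN and the adjacent phys field are constructed to mirror the report, where the unterminated name ran on into the "f0:af:..." address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_LEN 128  /* assumption: matches the 128-byte name in the report */

/* Constructed stand-in for the userspace request passed to the ioctl. */
struct fake_req {
	char name[NAME_LEN];
};

/* Constructed stand-in for the kernel device object: name is followed
 * directly by phys, which is where the "f0:af:..." suffix in the
 * report came from once name lost its terminator. */
struct fake_hid {
	char name[NAME_LEN];
	char phys[64];
};

/* True if buf contains a NUL within its first n bytes. */
bool nul_terminated(const char *buf, size_t n)
{
	return memchr(buf, '\0', n) != NULL;
}

/* Before the fix: copies sizeof(req->name) bytes. strncpy() only
 * terminates the destination when the source is shorter than that, so
 * 128 non-NUL bytes from userspace leave name without a NUL and every
 * later string read runs on into phys. */
void copy_name_unsafe(struct fake_hid *hid, const struct fake_req *req)
{
	strncpy(hid->name, req->name, sizeof(req->name));
}

/* After the fix: copy at most sizeof(req->name) - 1 bytes. The object
 * arrives zeroed (kzalloc in the kernel, memset below), so the final
 * byte of name stays NUL whatever userspace supplied. */
void copy_name_safe(struct fake_hid *hid, const struct fake_req *req)
{
	strncpy(hid->name, req->name, sizeof(req->name) - 1);
}

/* The reproducer from the commit message: 128 non-zero bytes, no NUL. */
void fill_hostile_req(struct fake_req *req)
{
	memset(req->name, 'A', sizeof(req->name));
}

/* Run one copy routine on the hostile request and report whether the
 * destination name is NUL-terminated afterwards. */
bool name_terminated_after(void (*copy)(struct fake_hid *, const struct fake_req *))
{
	struct fake_req req;
	struct fake_hid hid;

	memset(&hid, 0, sizeof(hid));
	strcpy(hid.phys, "f0:af:f0:af:f0:af");  /* constructed adjacent field */
	fill_hostile_req(&req);
	copy(&hid, &req);
	return nul_terminated(hid.name, sizeof(hid.name));
}

int main(void)
{
	/* exit status 0 when the unsafe copy loses the NUL and the safe one keeps it */
	return name_terminated_after(copy_name_unsafe) ||
	       !name_terminated_after(copy_name_safe);
}
```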

commit 31123145b542970da371c0af442300421fb61027
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date:   Thu Feb 21 16:42:43 2013 -0800

    Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a
    
    configfs: move the dereference below the NULL test
    
    The dereference should be moved below the NULL test.
    
    spatch with a semantic match is used to find this.
    (http://coccinelle.lip6.fr/)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/configfs/dir.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 1ebb7feb18aaca110dea90adf3c641cd9f3e5d98
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Thu Nov 17 16:42:19 2011 -0500

    Upstream commit: 0720a06a7518c9d0c0125bd5d1f3b6264c55c3dd
    
    NLS: improve UTF8 -> UTF16 string conversion routine
    
    The utf8s_to_utf16s conversion routine needs to be improved.  Unlike
    its utf16s_to_utf8s sibling, it doesn't accept arguments specifying
    the maximum length of the output buffer or the endianness of its
    16-bit output.
    
    This patch (as1501) adds the two missing arguments, and adjusts the
    only two places in the kernel where the function is called.  A
    follow-on patch will add a third caller that does utilize the new
    capabilities.
    
    The two conversion routines are still annoyingly inconsistent in the
    way they handle invalid byte combinations.  But that's a subject for a
    different patch.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    CC: Clemens Ladisch <clemens@ladisch.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 drivers/hv/hv_kvp.c |   10 ++++++----
 fs/fat/namei_vfat.c |    3 ++-
 fs/nls/nls_base.c   |   43 +++++++++++++++++++++++++++++++++----------
 include/linux/nls.h |    5 +++--
 4 files changed, 44 insertions(+), 17 deletions(-)

commit ca0366a73b4228ca47f24712112bd5d005371f92
Author: Greg Thelen <gthelen@google.com>
Date:   Fri Feb 22 16:36:01 2013 -0800

    Upstream commit: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987
    
    tmpfs: fix use-after-free of mempolicy object
    
    The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
    option is not specified in the remount request.  A new policy can be
    specified if mpol=M is given.
    
    Before this patch remounting an mpol bound tmpfs without specifying
    mpol= mount option in the remount request would set the filesystem's
    mempolicy object to a freed mempolicy object.
    
    To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
        # mkdir /tmp/x
    
        # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
    
        # mount -o remount,size=200M nodev /tmp/x
    
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
            # note ? garbage in mpol=... output above
    
        # dd if=/dev/zero of=/tmp/x/f count=1
            # panic here
    
    Panic:
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<          (null)>]           (null)
        [...]
        Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
        Call Trace:
          mpol_shared_policy_init+0xa5/0x160
          shmem_get_inode+0x209/0x270
          shmem_mknod+0x3e/0xf0
          shmem_create+0x18/0x20
          vfs_create+0xb5/0x130
          do_last+0x9a1/0xea0
          path_openat+0xb3/0x4d0
          do_filp_open+0x42/0xa0
          do_sys_open+0xfe/0x1e0
          compat_sys_open+0x1b/0x20
          cstar_dispatch+0x7/0x1f
    
    Non-debug kernels will not crash immediately because referencing the
    dangling mpol will not cause a fault.  Instead the filesystem will
    reference a freed mempolicy object, which will cause unpredictable
    behavior.
    
    The problem boils down to a dropped mpol reference below if
    shmem_parse_options() does not allocate a new mpol:
    
        config = *sbinfo
        shmem_parse_options(data, &config, true)
        mpol_put(sbinfo->mpol)
        sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */
    
    This patch avoids the crash by not releasing the mempolicy if
    shmem_parse_options() doesn't create a new mpol.
    
    How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
    not look back further.
    
    Signed-off-by: Greg Thelen <gthelen@google.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/shmem.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)
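
Added example (not mm/shmem.c and not part of the commit above): a refcount model of the dropped reference the commit message sketches, with the corrected ordering alongside it. The policy type, the parse and remount helpers and the "freed" flag are constructed for illustration; the fixed variant is modelled on the upstream change rather than copied from it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for a refcounted mempolicy. A real free() would
 * make the dangling use undefined, so the last put only sets "freed". */
struct policy {
	int refcnt;
	bool freed;
};

struct sb_info   { struct policy *mpol; };   /* the mounted filesystem */
struct sb_config { struct policy *mpol; };   /* scratch copy used by remount */

static struct policy *policy_new(void)
{
	struct policy *p = calloc(1, sizeof(*p));

	if (p)
		p->refcnt = 1;
	return p;
}

/* mpol_put() stand-in: drop one reference. */
static void policy_put(struct policy *p)
{
	if (p && --p->refcnt == 0)
		p->freed = true;
}

/* shmem_parse_options() stand-in: only an explicit mpol= option yields
 * a new policy; otherwise the config is left untouched. */
static void parse_options(bool has_mpol_option, struct sb_config *cfg)
{
	if (has_mpol_option)
		cfg->mpol = policy_new();
}

/* Before the fix, as the commit message lays it out: config starts as a
 * copy of sbinfo, so without mpol= config.mpol still names the old
 * policy; the put then drops its last reference and the assignment
 * installs the freed object. */
void remount_buggy(struct sb_info *sb, bool has_mpol_option)
{
	struct sb_config cfg = { .mpol = sb->mpol };

	parse_options(has_mpol_option, &cfg);
	policy_put(sb->mpol);
	sb->mpol = cfg.mpol;   /* BUG: saves unreferenced mpol */
}

/* After the fix (modelled on the upstream change): the config starts
 * without a policy, and the old one is released only when the parser
 * produced a replacement. */
void remount_fixed(struct sb_info *sb, bool has_mpol_option)
{
	struct sb_config cfg = { .mpol = NULL };

	parse_options(has_mpol_option, &cfg);
	if (cfg.mpol) {
		policy_put(sb->mpol);
		sb->mpol = cfg.mpol;
	}
}

/* Mount with a policy, remount with or without mpol=, and report whether
 * the filesystem is left pointing at a policy whose refcount hit zero. */
bool dangling_after(void (*remount)(struct sb_info *, bool), bool has_mpol_option)
{
	struct policy *orig = policy_new();
	struct sb_info sb = { .mpol = orig };
	bool dangling;

	remount(&sb, has_mpol_option);
	dangling = sb.mpol == NULL || sb.mpol->freed;

	if (sb.mpol && sb.mpol != orig)
		free(sb.mpol);
	free(orig);
	return dangling;
}
```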

commit ecfc3ccfab1b520c294a676cbe5db18f383b5ad2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 21 22:53:40 2013 -0500

    remove kcalloc_error, only a minor performance improvement
    we've fixed all upstream callers by now, though some out-of-tree
    callers with swapped args may still exist
    no point in failing such builds simply for this

 include/linux/slab.h |    9 ---------
 1 files changed, 0 insertions(+), 9 deletions(-)

commit 78ae2e2503c12f6772494e26c41e2dc731a9075f
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jan 10 16:18:47 2013 +0000

    tcp: accept RST without ACK flag
    
    commit c3ae62af8e755 (tcp: should drop incoming frames without ACK flag
    set) added a regression on the handling of RST messages.
    
    RST should be allowed to come even without ACK bit set. We validate
    the RST by checking the exact sequence, as requested by RFC 793 and
    5961 3.2, in tcp_validate_incoming()
    
    Reported-by: Eric Wong <normalperson@yhbt.net>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Tested-by: Eric Wong <normalperson@yhbt.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/tcp_input.c

 net/ipv4/tcp_input.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
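
Added example (not net/ipv4/tcp_input.c and not part of the commit above): a model of the segment checks this commit adjusts, showing the regression and the corrected order side by side. The seg and conn structs are constructed; PAWS, SYN handling and the duplicate-ACK path of the real code are left out.

```c
#include <stdbool.h>
#include <stdint.h>

enum verdict { DROP, CHALLENGE_ACK, RESET, ACCEPT };

/* Constructed: just the header fields the checks below look at. */
struct seg {
	uint32_t seq, end_seq;
	bool ack, rst;
};

/* Constructed receiver state: next expected sequence number and window. */
struct conn {
	uint32_t rcv_nxt, rcv_wnd;
};

/* Modular comparisons, since TCP sequence numbers wrap. */
static bool before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static bool after(uint32_t a, uint32_t b)  { return before(b, a); }

/* Acceptable if the segment overlaps [rcv_nxt, rcv_nxt + rcv_wnd]. */
static bool in_window(const struct conn *c, const struct seg *s)
{
	return !before(s->end_seq, c->rcv_nxt) &&
	       !after(s->seq, c->rcv_nxt + c->rcv_wnd);
}

/* RST handling per RFC 5961 3.2: an exact sequence match resets the
 * connection; any other in-window RST only draws a challenge ACK. */
static enum verdict handle_rst(const struct conn *c, const struct seg *s)
{
	return s->seq == c->rcv_nxt ? RESET : CHALLENGE_ACK;
}

/* With the c3ae62af8e755 regression: any segment without ACK is discarded
 * before the RST check runs, so a peer's bare RST never tears the
 * connection down. */
enum verdict validate_before_fix(const struct conn *c, const struct seg *s)
{
	if (!s->ack)
		return DROP;
	if (!in_window(c, s))
		return DROP;
	if (s->rst)
		return handle_rst(c, s);
	return ACCEPT;
}

/* With this commit: RST is exempt from the ACK requirement and is
 * validated by sequence number instead. */
enum verdict validate_after_fix(const struct conn *c, const struct seg *s)
{
	if (!s->ack && !s->rst)
		return DROP;
	if (!in_window(c, s))
		return DROP;
	if (s->rst)
		return handle_rst(c, s);
	return ACCEPT;
}
```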

commit 40daaf07ee2aa6efeb9a7c55dfaebd8305e399c8
Merge: 583fdbb ef7d861
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 19:10:38 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	Makefile

commit ef7d861a59549935594f086ac5cd7b33403f127c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 19:09:41 2013 -0500

    Update to pax-linux-3.2.39-test96.patch:
    - some more struct notifier_block constification

 Makefile                                 |    4 ++++
 arch/arm/kernel/hw_breakpoint.c          |    2 +-
 arch/ia64/kernel/err_inject.c            |    2 +-
 arch/ia64/kernel/mca.c                   |    2 +-
 arch/ia64/kernel/palinfo.c               |    2 +-
 arch/ia64/kernel/salinfo.c               |    2 +-
 arch/ia64/kernel/topology.c              |    2 +-
 arch/powerpc/kernel/sysfs.c              |    2 +-
 arch/powerpc/mm/mmu_context_nohash.c     |    2 +-
 arch/powerpc/mm/numa.c                   |    2 +-
 arch/powerpc/platforms/powermac/smp.c    |    2 +-
 arch/s390/appldata/appldata_base.c       |    2 +-
 arch/s390/kernel/smp.c                   |    2 +-
 arch/sh/kernel/cpu/sh4a/smp-shx3.c       |    2 +-
 arch/sparc/kernel/sysfs.c                |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c    |    2 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c    |    2 +-
 arch/x86/kernel/cpu/mcheck/mce.c         |    2 +-
 arch/x86/kernel/cpu/mcheck/therm_throt.c |    2 +-
 arch/x86/kernel/cpuid.c                  |    2 +-
 arch/x86/kernel/kvm.c                    |    2 +-
 arch/x86/kernel/microcode_core.c         |    2 +-
 arch/x86/kernel/msr.c                    |    2 +-
 arch/x86/kernel/tboot.c                  |    2 +-
 arch/x86/pci/amd_bus.c                   |    2 +-
 arch/x86/xen/enlighten.c                 |    2 +-
 block/blk-iopoll.c                       |    2 +-
 block/blk-softirq.c                      |    2 +-
 drivers/cpufreq/cpufreq.c                |    2 +-
 drivers/cpufreq/cpufreq_stats.c          |    2 +-
 drivers/dma/shdma.c                      |    2 +-
 drivers/gpu/drm/radeon/radeon_ttm.c      |    2 ++
 drivers/hwmon/coretemp.c                 |    2 +-
 drivers/hwmon/via-cputemp.c              |    2 +-
 drivers/infiniband/hw/ehca/ehca_irq.c    |    2 +-
 drivers/net/ethernet/ibm/emac/core.c     |    2 +-
 drivers/net/macvlan.c                    |    2 +-
 drivers/oprofile/timer_int.c             |    2 +-
 include/linux/cpu.h                      |    2 +-
 include/linux/perf_event.h               |    2 +-
 kernel/hrtimer.c                         |    2 +-
 kernel/sched.c                           |    2 +-
 kernel/smp.c                             |    2 +-
 kernel/softirq.c                         |    4 ++--
 kernel/stop_machine.c                    |    2 +-
 kernel/timer.c                           |    2 +-
 kernel/watchdog.c                        |    2 +-
 mm/page-writeback.c                      |    2 +-
 mm/slab.c                                |    2 +-
 mm/slub.c                                |    2 +-
 mm/vmstat.c                              |    2 +-
 net/iucv/iucv.c                          |    2 +-
 scripts/gcc-plugin.sh                    |    2 +-
 53 files changed, 58 insertions(+), 52 deletions(-)

commit 583fdbb82026b27d4c81a4d968a07d464ee08b11
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon Feb 18 09:58:02 2013 -0800

    Upstream commit: 7c45512df987c5619db041b5c9b80d281e26d3db
    
    mm: fix pageblock bitmap allocation
    
    Commit c060f943d092 ("mm: use aligned zone start for pfn_to_bitidx
    calculation") fixed our calculation of the index into the pageblock
    bitmap when a !SPARSEMEM zone was not aligned to pageblock_nr_pages.
    
    However, the _allocation_ of that bitmap had never taken this alignment
    requirement into account, so depending on the exact size and alignment of
    the zone, the use of that index could then access past the allocation,
    resulting in some very subtle memory corruption.
    
    This was reported (and bisected) by Ingo Molnar: one of his random
    config builds would hang with certain very specific kernel command line
    options.
    
    In the meantime, commit c060f943d092 has been marked for stable, so this
    fix needs to be back-ported to the stable kernels that backported the
    commit to use the right alignment.
    
    Bisected-and-tested-by: Ingo Molnar <mingo@kernel.org>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/page_alloc.c |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)
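
Added example (not mm/page_alloc.c and not part of the commit above): a simplified model of the mismatch the commit describes, with the bitmap index computed from the pageblock-aligned zone start while the allocation is sized from the zone length alone. The constants, helper names and NR_PAGEBLOCK_BITS value are stand-ins, not the kernel's definitions.

```c
#include <stdbool.h>
#include <stddef.h>

#define PAGEBLOCK_ORDER     9
#define PAGEBLOCK_NR_PAGES  (1UL << PAGEBLOCK_ORDER)
#define NR_PAGEBLOCK_BITS   4UL   /* assumption: bits kept per pageblock */
#define BITS_PER_LONG       (8 * sizeof(unsigned long))

static unsigned long roundup_ul(unsigned long x, unsigned long m)
{
	return ((x + m - 1) / m) * m;
}

static unsigned long round_down_ul(unsigned long x, unsigned long m)
{
	return x - (x % m);
}

/* Index into the bitmap, measured from the pageblock-aligned zone start
 * (the behaviour commit c060f943d092 introduced). */
unsigned long pfn_to_bitidx(unsigned long zone_start_pfn, unsigned long pfn)
{
	pfn -= round_down_ul(zone_start_pfn, PAGEBLOCK_NR_PAGES);
	return (pfn >> PAGEBLOCK_ORDER) * NR_PAGEBLOCK_BITS;
}

/* Bitmap size in bits before the fix: derived from zonesize only, so an
 * unaligned start is never accounted for. */
unsigned long usemap_bits_old(unsigned long zone_start_pfn, unsigned long zonesize)
{
	unsigned long bits;

	(void)zone_start_pfn;
	bits = (roundup_ul(zonesize, PAGEBLOCK_NR_PAGES) >> PAGEBLOCK_ORDER) *
	       NR_PAGEBLOCK_BITS;
	return roundup_ul(bits, BITS_PER_LONG);
}

/* After the fix: add the pages between the aligned start and the real
 * start before rounding, so the index of the last pfn always fits. */
unsigned long usemap_bits_new(unsigned long zone_start_pfn, unsigned long zonesize)
{
	unsigned long bits;

	zonesize += zone_start_pfn & (PAGEBLOCK_NR_PAGES - 1);
	bits = (roundup_ul(zonesize, PAGEBLOCK_NR_PAGES) >> PAGEBLOCK_ORDER) *
	       NR_PAGEBLOCK_BITS;
	return roundup_ul(bits, BITS_PER_LONG);
}

/* True if the bits for the zone's last pfn lie inside the allocation. */
bool bitmap_covers_zone(unsigned long (*size)(unsigned long, unsigned long),
			unsigned long zone_start_pfn, unsigned long zonesize)
{
	unsigned long bits = size(zone_start_pfn, zonesize);
	unsigned long last = zone_start_pfn + zonesize - 1;

	return pfn_to_bitidx(zone_start_pfn, last) + NR_PAGEBLOCK_BITS <= bits;
}
```

A zone of exactly 16 pageblocks starting one page past a pageblock boundary is the case that overruns: the old size is 64 bits, but the last pfn indexes bit 64.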

commit 12201122b593e48e7fa148ff26171bb2da248f41
Merge: c114821 d89f727
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 17:32:05 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit d89f7279207eb9571207cfa05f5634915d0f3dfe
Merge: 964588c cd1b44e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 20 17:31:53 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/xen/xen-asm_32.S

commit c114821371117bc7a0c4fdbfc6b998cac7955da7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 19 18:31:42 2013 -0500

    Apply patch:
    "arp: fix possible crash in arp_rcv()" from Eric Dumazet

 net/ipv4/arp.c |   21 +++++++++++----------
 1 files changed, 11 insertions(+), 10 deletions(-)

commit b1bacd472771b30d50603a76f718f55c8e34747e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 17:36:28 2013 -0500

    Fix radeon driver crash reported on forums

 drivers/gpu/drm/radeon/radeon_ttm.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit f2913da4a4fc467a41bfe5a62ced209b962a22b0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 17:00:52 2013 -0500

    From b834b19a076b1d1448d903cf4e7e69a4bd83d8d9 Mon Sep 17 00:00:00 2001
    From: Mathias Krause <minipli@googlemail.com>
    Date: Tue, 5 Feb 2013 17:56:37 +0100
    Subject: [PATCH 3/3] crypto: user - ensure user supplied strings are
     nul-terminated
    
    To avoid misuse, ensure cru_name and cru_driver_name are always
    nul-terminated strings.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>

 crypto/crypto_user.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 198571fd4e8955b9851e3e59c198e7d65fe3fbfe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 16:58:52 2013 -0500

    From 7061588328f144624e58857ab07de8c589d6924a Mon Sep 17 00:00:00 2001
    From: Mathias Krause <minipli@googlemail.com>
    Date: Sat, 2 Feb 2013 16:42:34 +0100
    Subject: [PATCHv2 2/3] crypto: user - fix empty string test in report API
    
    The current test for empty strings fails because it is testing the
    address of a field, not a pointer. So the test will always be true.
    Test the first character in the string to not be null instead.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    ---
    v2: - switched to simple character test, as suggested by Herbert Xu

 crypto/crypto_user.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 413e1cc8257ebc81725bc53c24ef1989b7998774
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 16:57:47 2013 -0500

    From f70baf464631ee8d6d67d13a9982d61b3c8e12c5 Mon Sep 17 00:00:00 2001
    From: Mathias Krause <minipli@googlemail.com>
    Date: Wed, 30 Jan 2013 12:14:18 +0100
    Subject: [PATCHv2 1/3] crypto: user - fix info leaks in report API
    
    Three errors resulting in kernel memory disclosure:
    
    1/ The structures used for the netlink based crypto algorithm report API
    are located on the stack. As snprintf() does not fill the remainder of
    the buffer with null bytes, those stack bytes will be disclosed to users
    of the API. Switch to strncpy() to fix this.
    
    2/ crypto_report_one() does not initialize all fields of struct
    crypto_user_alg. Fix this to fix the heap info leak.
    
    3/ For the module name we should copy only as many bytes as
    module_name() returns -- not as much as the destination buffer could
    hold. But the current code does not and therefore copies random data
    from behind the end of the module name, as the module name is always
    shorter than CRYPTO_MAX_ALG_NAME.
    
    Also switch to use strncpy() to copy the algorithm's name and
    driver_name. They are strings, after all.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>

 crypto/ablkcipher.c  |   12 ++++++------
 crypto/aead.c        |    9 ++++-----
 crypto/ahash.c       |    2 +-
 crypto/blkcipher.c   |    6 +++---
 crypto/crypto_user.c |   20 +++++++++++---------
 crypto/pcompress.c   |    2 +-
 crypto/rng.c         |    2 +-
 crypto/shash.c       |    3 ++-
 8 files changed, 29 insertions(+), 27 deletions(-)
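
Added example (not the crypto subsystem's code and not part of the commit above): a userspace model of points 1/ and 2/, showing how snprintf() into a dirty stack buffer leaves bytes that travel to userspace with the struct, and how the NUL padding of strncpy() or a memset() of the whole struct removes them. The report struct, ALG_NAME_MAX and the 0xAA fill are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ALG_NAME_MAX 64  /* assumption: stand-in for CRYPTO_MAX_ALG_NAME */

/* Constructed report structure: in the kernel such a struct lives on
 * the stack and is copied out whole to the netlink user. */
struct fake_report {
	char type[ALG_NAME_MAX];
};

/* Count non-zero bytes after the string's terminator: each one is a byte
 * of stale stack that would reach userspace with the rest of the struct. */
size_t stale_bytes(const char *buf, size_t n)
{
	const char *nul = memchr(buf, '\0', n);
	size_t i = nul ? (size_t)(nul - buf) + 1 : n;
	size_t stale = 0;

	for (; i < n; i++)
		if (buf[i] != '\0')
			stale++;
	return stale;
}

/* Stand-in for a stack frame that still holds an earlier call's data. */
static void dirty_frame(struct fake_report *r)
{
	memset(r, 0xAA, sizeof(*r));
}

/* Before the fix: snprintf() writes the string and one NUL; the rest of
 * the buffer keeps whatever the stack held. */
size_t report_with_snprintf(void)
{
	struct fake_report r;

	dirty_frame(&r);
	snprintf(r.type, sizeof(r.type), "%s", "cipher");
	return stale_bytes(r.type, sizeof(r.type));
}

/* After the fix: strncpy() pads the remainder of the buffer with NULs,
 * so nothing beyond the string is disclosed. It also stops at the
 * source's NUL, which is what point 3/ needs for the module name. */
size_t report_with_strncpy(void)
{
	struct fake_report r;

	dirty_frame(&r);
	strncpy(r.type, "cipher", sizeof(r.type));
	return stale_bytes(r.type, sizeof(r.type));
}

/* The general remedy for point 2/: zero the whole struct before filling
 * any field, so fields the code forgets to set carry nothing either. */
size_t report_with_memset(void)
{
	struct fake_report r;

	dirty_frame(&r);
	memset(&r, 0, sizeof(r));
	snprintf(r.type, sizeof(r.type), "%s", "cipher");
	return stale_bytes(r.type, sizeof(r.type));
}
```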

commit b1cf339860eabcbe6393b89ec034e38b12fdd0df
Author: Jan Beulich <JBeulich@suse.com>
Date:   Thu Jan 24 13:11:10 2013 +0000

    Upstream commit: afb7b3a2bd406586ed4aebc1e159352e588b991e
    
    x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.
    
    commit 13d2b4d11d69a92574a55bfd985cfb0ca77aebdc upstream.
    
    This fixes CVE-2013-0228 / XSA-42
    
    Drew Jones while working on CVE-2013-0190 found that an unprivileged guest user
    in a 32bit PV guest can crash the guest with a panic like this:
    
    -------------
    general protection fault: 0000 [#1] SMP
    last sysfs file: /sys/devices/vbd-51712/block/xvda/dev
    Modules linked in: sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4
    iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6
    xt_state nf_conntrack ip6table_filter ip6_tables ipv6 xen_netfront ext4
    mbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last
    unloaded: scsi_wait_scan]
    
    Pid: 1250, comm: r Not tainted 2.6.32-356.el6.i686 #1
    EIP: 0061:[<c0407462>] EFLAGS: 00010086 CPU: 0
    EIP is at xen_iret+0x12/0x2b
    EAX: eb8d0000 EBX: 00000001 ECX: 08049860 EDX: 00000010
    ESI: 00000000 EDI: 003d0f00 EBP: b77f8388 ESP: eb8d1fe0
     DS: 0000 ES: 007b FS: 0000 GS: 00e0 SS: 0069
    Process r (pid: 1250, ti=eb8d0000 task=c2953550 task.ti=eb8d0000)
    Stack:
     00000000 0027f416 00000073 00000206 b77f8364 0000007b 00000000 00000000
    Call Trace:
    Code: c3 8b 44 24 18 81 4c 24 38 00 02 00 00 8d 64 24 30 e9 03 00 00 00
    8d 76 00 f7 44 24 08 00 00 02 80 75 33 50 b8 00 e0 ff ff 21 e0 <8b> 40
    10 8b 04 85 a0 f6 ab c0 8b 80 0c b0 b3 c0 f6 44 24 0d 02
    EIP: [<c0407462>] xen_iret+0x12/0x2b SS:ESP 0069:eb8d1fe0
    general protection fault: 0000 [#2]
    ---[ end trace ab0d29a492dcd330 ]---
    Kernel panic - not syncing: Fatal exception
    Pid: 1250, comm: r Tainted: G      D    ---------------
    2.6.32-356.el6.i686 #1
    Call Trace:
     [<c08476df>] ? panic+0x6e/0x122
     [<c084b63c>] ? oops_end+0xbc/0xd0
     [<c084b260>] ? do_general_protection+0x0/0x210
     [<c084a9b7>] ? error_code+0x73/
    -------------
    
    Petr says: "
     I've analysed the bug and I think that xen_iret() cannot cope with
     mangled DS, in this case zeroed out (null selector/descriptor) by either
     xen_failsafe_callback() or RESTORE_REGS because the corresponding LDT
     entry was invalidated by the reproducer. "
    
    Jan took a look at the preliminary patch and came up with a fix that solves
    this problem:
    
    "This code gets called after all registers other than those handled by
    IRET got already restored, hence a null selector in %ds or a non-null
    one that got loaded from a code or read-only data descriptor would
    cause a kernel mode fault (with the potential of crashing the kernel
    as a whole, if panic_on_oops is set)."
    
    The way to fix this is to realize that we can only rely on the
    registers that IRET restores. The two that are guaranteed are the
    %cs and %ss as they are always fixed GDT selectors. Also they are
    inaccessible from user mode - so they cannot be altered. This is
    the approach taken in this patch.
    
    Another alternative option suggested by Jan would be to rely on
    the subtle realization that using the %ebp or %esp relative references uses
    the %ss segment.  In which case we could switch from using %eax to %ebp and
    would not need the %ss over-rides. That would also require one extra
    instruction to compensate for the one place where the register is used
    as scaled index. However Andrew pointed out that is too subtle and if
    further work was to be done in this code-path it could escape folks' attention
    and lead to accidents.
    
    Reviewed-by: Petr Matousek <pmatouse@redhat.com>
    Reported-by: Petr Matousek <pmatouse@redhat.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    Conflicts:
    
    	arch/x86/xen/xen-asm_32.S

 arch/x86/xen/xen-asm_32.S |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit c8159ee5edb29750e7f41bf41e44fb87e7156dff
Merge: 4e76bfd 964588c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 16:33:11 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	drivers/net/ethernet/mellanox/mlx4/eq.c

commit 964588cb0830ac56f245b09f5a926cc63c1bdacf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 16:29:19 2013 -0500

    Update to pax-linux-3.2.38-test94.patch:
    - reverted/rewrote some of the recent constification changes as gcc proved to be
      a bit too smart in optimizing constified function pointer dereferences that in
      turn broke special cases where such pointers did have to be modified, reported
      by gaima (http://forums.grsecurity.net/viewtopic.php?f=3&t=3276)

 arch/x86/include/asm/kvm_host.h         |    2 +-
 arch/x86/include/asm/paravirt_types.h   |   10 ++--
 arch/x86/include/asm/reboot.h           |    2 +-
 arch/x86/include/asm/smp.h              |    2 +-
 arch/x86/include/asm/x86_init.h         |   10 ++--
 arch/x86/kernel/acpi/boot.c             |    2 +-
 arch/x86/kernel/amd_gart_64.c           |    2 +-
 arch/x86/kernel/aperture_64.c           |    2 +-
 arch/x86/kernel/apic/apic_flat_64.c     |    4 +-
 arch/x86/kernel/apic/bigsmp_32.c        |    2 +-
 arch/x86/kernel/apic/es7000_32.c        |    5 +-
 arch/x86/kernel/apic/numaq_32.c         |   19 ++++-----
 arch/x86/kernel/apic/probe_32.c         |    2 +-
 arch/x86/kernel/apic/summit_32.c        |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c   |    2 +-
 arch/x86/kernel/apic/x2apic_phys.c      |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c      |    6 +-
 arch/x86/kernel/cpu/vmware.c            |    2 +-
 arch/x86/kernel/head32.c                |    4 +-
 arch/x86/kernel/kvm.c                   |    8 ++--
 arch/x86/kernel/kvmclock.c              |   14 +++---
 arch/x86/kernel/paravirt.c              |    8 ++--
 arch/x86/kernel/pci-calgary_64.c        |    2 +-
 arch/x86/kernel/ptrace.c                |    8 ++--
 arch/x86/kernel/reboot.c                |    2 +-
 arch/x86/kernel/smp.c                   |    2 +-
 arch/x86/kernel/vsmp_64.c               |    2 +-
 arch/x86/kernel/x86_init.c              |    6 +-
 arch/x86/lguest/boot.c                  |   64 +++++++++++++++---------------
 arch/x86/pci/acpi.c                     |    2 +-
 arch/x86/pci/xen.c                      |   14 +++---
 arch/x86/platform/efi/efi.c             |    4 +-
 arch/x86/platform/mrst/mrst.c           |   40 ++++++++++----------
 arch/x86/platform/mrst/vrtc.c           |    4 +-
 arch/x86/xen/enlighten.c                |   46 +++++++++++-----------
 arch/x86/xen/irq.c                      |    2 +-
 arch/x86/xen/mmu.c                      |    6 +-
 arch/x86/xen/smp.c                      |   12 +++---
 arch/x86/xen/spinlock.c                 |   12 +++---
 arch/x86/xen/time.c                     |   26 ++++++------
 drivers/firmware/efivars.c              |    8 ++--
 drivers/gpu/drm/radeon/radeon_ttm.c     |    8 +--
 drivers/iommu/amd_iommu_init.c          |    4 +-
 drivers/iommu/dmar.c                    |    2 +-
 drivers/net/ethernet/mellanox/mlx4/eq.c |    4 +-
 include/linux/efi.h                     |    1 +
 include/linux/interrupt.h               |    2 +-
 include/linux/mm.h                      |    1 +
 include/linux/regset.h                  |    1 +
 kernel/softirq.c                        |    8 +--
 kernel/trace/trace_events.c             |    8 ++--
 net/core/rtnetlink.c                    |   16 +++-----
 virt/kvm/kvm_main.c                     |   12 +++---
 53 files changed, 217 insertions(+), 224 deletions(-)

commit 4e76bfd90156e59670b812d2b90a2be3537b9b82
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 17 13:28:08 2013 -0500

    add security_capable_noaudit for CONFIG_SECURITY

 security/security.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 12b830c785b1d32521538addec8a5d827a8482ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 16 13:54:20 2013 -0500

    add security_capable_noaudit

 include/linux/security.h |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit bfca3ea61b28f8b94b663ccdce4895cfc23d549f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 16 13:32:42 2013 -0500

    Make capable_nolog call security_capable_noaudit so that SELinux doesn't
    complain about capabilities that aren't necessarily used.
    Patch from Luis Ressel
    
    Conflicts:
    
    	kernel/capability.c

 kernel/capability.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 2634834999db26c366dde3408b7520d18892f016
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon Jan 21 20:47:41 2013 +0100

    Upstream commit: 910ffdb18a6408e14febbb6e4b6840fd2c928c82
    
    ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()
    
    Cleanup and preparation for the next change.
    
    signal_wake_up(resume => true) is overused. None of ptrace/jctl callers
    actually want to wakeup a TASK_WAKEKILL task, but they can't specify the
    necessary mask.
    
    Turn signal_wake_up() into signal_wake_up_state(state), reintroduce
    signal_wake_up() as a trivial helper, and add ptrace_signal_wake_up()
    which adds __TASK_TRACED.
    
    This way ptrace_signal_wake_up() can work "inside" ptrace_request()
    even if the tracee doesn't have the TASK_WAKEKILL bit set.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/sched.h |   11 ++++++++++-
 kernel/ptrace.c       |    8 ++++----
 kernel/signal.c       |   14 ++++----------
 3 files changed, 18 insertions(+), 15 deletions(-)

commit 67e0216cdffd10fa6677ae497c55abb37584fa91
Author: Mel Gorman <mgorman@suse.de>
Date:   Mon Feb 11 14:52:36 2013 +0000

    Upstream commit: 0ee364eb316348ddf3e0dfcd986f5f13f528f821
    
    x86/mm: Check if PUD is large when validating a kernel address
    
    A user reported the following oops when a backup process reads
    /proc/kcore:
    
     BUG: unable to handle kernel paging request at ffffbb00ff33b000
     IP: [<ffffffff8103157e>] kern_addr_valid+0xbe/0x110
     [...]
    
     Call Trace:
      [<ffffffff811b8aaa>] read_kcore+0x17a/0x370
      [<ffffffff811ad847>] proc_reg_read+0x77/0xc0
      [<ffffffff81151687>] vfs_read+0xc7/0x130
      [<ffffffff811517f3>] sys_read+0x53/0xa0
      [<ffffffff81449692>] system_call_fastpath+0x16/0x1b
    
    Investigation determined that the bug triggered when reading
    system RAM at the 4G mark. On this system, that was the first
    address using 1G pages for the virt->phys direct mapping so the
    PUD is pointing to a physical address, not a PMD page.
    
    The problem is that the page table walker in kern_addr_valid() is
    not checking pud_large() and treats the physical address as if
    it was a PMD.  If it happens to look like pmd_none then it'll
    silently fail, probably returning zeros instead of real data. If
    the data happens to look like a present PMD though, it will be
    walked resulting in the oops above.
    
    This patch adds the necessary pud_large() check.
    
    Unfortunately the problem was not readily reproducible and now
    they are running the backup program without accessing
    /proc/kcore so the patch has not been validated but I think it
    makes sense.
    
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Reviewed-by: Rik van Riel <riel@redhat.coM>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: stable@vger.kernel.org
    Cc: linux-mm@kvack.org
    Link: http://lkml.kernel.org/r/20130211145236.GX21389@suse.de
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/include/asm/pgtable.h |    5 +++++
 arch/x86/mm/init_64.c          |    3 +++
 2 files changed, 8 insertions(+), 0 deletions(-)
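The walker defect described in the commit above, as an added C simulation that is not kernel code and not part of this commit: a three-level walk (PUD, PMD, PTE) over a small simulated physical memory, run once without and once with the pud_large() check. The table layout, the PTE_LARGE bit value and the four virtual addresses are constructed for the example; the 4 GiB physical base mirrors the address in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified x86-64 style entry bits. */
#define PTE_PRESENT 0x001ULL
#define PTE_LARGE   0x080ULL   /* PSE: entry maps a huge page, not a table */
#define PTE_ADDR    (~0xfffULL)

/* Simulated physical memory: 8 pages of 4 KiB. Reads outside it model the
 * kernel's "unable to handle kernel paging request". */
#define SIM_PHYS_SIZE (8 * 4096)
static uint8_t sim_phys[SIM_PHYS_SIZE];

#define PUD_TABLE 0x0000ULL   /* constructed physical offsets of the tables */
#define PMD_TABLE 0x1000ULL
#define PTE_TABLE 0x2000ULL

enum walk_result { WALK_FAULT = -1, WALK_INVALID = 0, WALK_VALID = 1 };

/* Read entry idx of the table at physical offset table. Sets *fault when the
 * read would touch memory the simulation does not back. */
static uint64_t read_entry(uint64_t table, unsigned idx, bool *fault)
{
    uint64_t off = table + (uint64_t)idx * 8;
    if (table >= SIM_PHYS_SIZE || off + 8 > SIM_PHYS_SIZE) {
        *fault = true;
        return 0;
    }
    uint64_t e;
    memcpy(&e, &sim_phys[off], sizeof e);
    return e;
}

static void write_entry(uint64_t table, unsigned idx, uint64_t e)
{
    memcpy(&sim_phys[table + (uint64_t)idx * 8], &e, sizeof e);
}

/* Walk PUD -> PMD -> PTE for vaddr. With check_pud_large == false this
 * reproduces the defect: a 1 GiB PUD entry's physical address is
 * dereferenced as if it pointed at a PMD table. */
enum walk_result kern_addr_valid_sim(uint64_t vaddr, bool check_pud_large)
{
    bool fault = false;
    unsigned pud_idx = (vaddr >> 30) & 511;
    unsigned pmd_idx = (vaddr >> 21) & 511;
    unsigned pte_idx = (vaddr >> 12) & 511;

    uint64_t pud = read_entry(PUD_TABLE, pud_idx, &fault);
    if (fault) return WALK_FAULT;
    if (!(pud & PTE_PRESENT)) return WALK_INVALID;
    if (check_pud_large && (pud & PTE_LARGE))
        return WALK_VALID;              /* the fix: 1 GiB page, no PMD below */

    uint64_t pmd = read_entry(pud & PTE_ADDR, pmd_idx, &fault);
    if (fault) return WALK_FAULT;       /* the oops in the report */
    if (!(pmd & PTE_PRESENT)) return WALK_INVALID;   /* silent failure */
    if (pmd & PTE_LARGE) return WALK_VALID;          /* 2 MiB page */

    uint64_t pte = read_entry(pmd & PTE_ADDR, pte_idx, &fault);
    if (fault) return WALK_FAULT;
    return (pte & PTE_PRESENT) ? WALK_VALID : WALK_INVALID;
}

/* Constructed layout for the example (not taken from the report). */
void setup_tables(void)
{
    memset(sim_phys, 0, sizeof sim_phys);
    /* vaddr 0: ordinary 4 KiB mapping through PMD and PTE tables */
    write_entry(PUD_TABLE, 0, PTE_PRESENT | PMD_TABLE);
    write_entry(PMD_TABLE, 0, PTE_PRESENT | PTE_TABLE);
    write_entry(PTE_TABLE, 0, PTE_PRESENT | 0x3000ULL);
    /* vaddr 1 GiB: 1 GiB page at physical 4 GiB, far outside simulated RAM */
    write_entry(PUD_TABLE, 1, PTE_PRESENT | PTE_LARGE | 0x100000000ULL);
    /* vaddr 2 GiB: 1 GiB page whose physical base holds zeros (looks pmd_none) */
    write_entry(PUD_TABLE, 2, PTE_PRESENT | PTE_LARGE | 0x4000ULL);
    /* vaddr 3 GiB: 1 GiB page whose physical base happens to look like a
     * present PMD pointing at unbacked memory, so the buggy walk continues */
    write_entry(PUD_TABLE, 3, PTE_PRESENT | PTE_LARGE | 0x5000ULL);
    write_entry(0x5000ULL, 0, PTE_PRESENT | 0xdead0000ULL);
}

int main(void)
{
    static const char *names[] = { "fault", "invalid", "valid" };
    setup_tables();
    for (uint64_t v = 0; v < 4; v++) {
        uint64_t vaddr = v << 30;
        printf("vaddr 0x%llx: without pud_large=%s, with pud_large=%s\n",
               (unsigned long long)vaddr,
               names[kern_addr_valid_sim(vaddr, false) + 1],
               names[kern_addr_valid_sim(vaddr, true) + 1]);
    }
    return 0;
}
```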

commit d24d1ceeb5503748089ee29c4700a60c3fee8f05
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 11 23:12:57 2013 -0500

    fix kcalloc order

 drivers/net/ethernet/mellanox/mlx4/eq.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit d0ff201ea8f7fb8b3abf46f726d0fb2db1094089
Merge: 27dd4e1 290edfa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 11 23:06:28 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 290edfa0f945c0f1ed924e76cbb3e712adf038e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 11 22:18:23 2013 -0500

    Update to pax-linux-3.2.38-test93.patch:
    - gcc plugins should now work with gcc 4.8 as well

 tools/gcc/colorize_plugin.c       |    7 ++++-
 tools/gcc/constify_plugin.c       |   24 ++++++++++++++------
 tools/gcc/kallocstat_plugin.c     |    7 ++++-
 tools/gcc/kernexec_plugin.c       |   43 ++++++++++++++++++++++++++++++++----
 tools/gcc/latent_entropy_plugin.c |   30 ++++++++++++++++++++++++-
 tools/gcc/size_overflow_plugin.c  |   15 +++++++++++-
 tools/gcc/stackleak_plugin.c      |   28 ++++++++++++++++++------
 7 files changed, 127 insertions(+), 27 deletions(-)

commit 27dd4e1b110f498e70a6bcc86fdc334c6bffef2c
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Feb 7 00:55:37 2013 +0000

    Upstream commit: 586c31f3bf04c290dc0a0de7fc91d20aa9a5ee53
    
    net: sctp: sctp_auth_key_put: use kzfree instead of kfree
    
    For sensitive data like keying material, it is common practice to zero
    out keys before returning the memory back to the allocator. Thus, use
    kzfree instead of kfree.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/auth.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7ca8f40141488f934670b8dedc6f989f17db4420
Author: Phil Sutter <phil.sutter@viprinet.com>
Date:   Fri Feb 1 07:21:41 2013 +0000

    Upstream commit: 9665d5d62487e8e7b1f546c00e11107155384b9a
    
    packet: fix leakage of tx_ring memory
    
    When releasing a packet socket, the routine packet_set_ring() is reused
    to free rings instead of allocating them. But when calling it for the
    first time, it fills req->tp_block_nr with the value of rb->pg_vec_len
    which in the second invocation makes it bail out since req->tp_block_nr
    is greater than zero but req->tp_block_size is zero.
    
    This patch solves the problem by passing a zeroed auto-variable to
    packet_set_ring() upon each invocation from packet_release().
    
    As far as I can tell, this issue exists ever since 69e3c75 (net: TX_RING
    and packet mmap), i.e. the original inclusion of TX ring support into
    af_packet, but applies only to sockets with both RX and TX ring
    allocated, which is probably why this was unnoticed all the time.
    
    Signed-off-by: Phil Sutter <phil.sutter@viprinet.com>
    Cc: Johann Baudy <johann.baudy@gnu-log.net>
    Cc: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 436d8e15705c772daab7eaeeeacc66e57dcba52f
Author: Bjørn Mork <bjorn@mork.no>
Date:   Mon Jan 28 23:51:28 2013 +0000

    Upstream commit: 70c37bf97f2a91accba76080db69144f3b69f736
    
    net: usbnet: prevent buggy devices from killing us
    
    A device sending 0 length frames as fast as it can has been
    observed killing the host system due to the resulting memory
    pressure.
    
    Temporarily disable RX skb allocation and URB submission when
    the current error ratio is high, preventing us from trying to
    allocate an infinite number of skbs.  Reenable as soon as we
    are finished processing the done queue, allowing the device
    to continue working after short error bursts.
    
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Acked-by: Oliver Neukum <oneukum@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	include/linux/usb/usbnet.h
    
    Conflicts:
    
    	drivers/net/usb/usbnet.c
    	include/linux/usb/usbnet.h

 drivers/net/usb/usbnet.c   |   25 +++++++++++++++++++++++++
 include/linux/usb/usbnet.h |    3 +++
 2 files changed, 28 insertions(+), 0 deletions(-)

commit 2c233aa4f38da2c2a8b7b04266656113a76eb43e
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Feb 8 03:04:35 2013 +0000

    Upstream commit: b5c37fe6e24eec194bb29d22fdd55d73bcc709bf
    
    net: sctp: sctp_endpoint_free: zero out secret key data
    
    On sctp_endpoint_destroy, previously used sensitive keying material
    should be zeroed out before the memory is returned, as we already do
    with e.g. auth keys when released.
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevic@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/endpointola.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 6bb72fb746f2d67a729cb8e7af7984ea3b329926
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Fri Feb 8 03:04:34 2013 +0000

    Upstream commit: 6ba542a291a5e558603ac51cda9bded347ce7627
    
    net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree
    
    In sctp_setsockopt_auth_key, we create a temporary copy of the user
    passed shared auth key for the endpoint or association and after
    internal setup, we free it right away. Since it's sensitive data, we
    should zero out the key before returning the memory back to the
    allocator. Thus, use kzfree instead of kfree, just as we do in
    sctp_auth_key_put().
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 70d5ff46e17b3ccef091db3ad370ad89b370fba5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 9 20:36:25 2013 -0500

    fix kcalloc arg order

 net/rxrpc/ar-key.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 99ce66f80f778a54352e9edda73d33be83a12544
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 9 20:01:09 2013 -0500

    Add missing offsets to calls to check_heap_stack_gap
    
    Conflicts:
    
    	fs/hugetlbfs/inode.c
    	mm/mmap.c

 fs/hugetlbfs/inode.c |    8 +++++---
 mm/mmap.c            |   14 ++++++++------
 2 files changed, 13 insertions(+), 9 deletions(-)

commit e10dca0b57eeaea0b47bc9e4ef6789a630af2e0a
Merge: 7513c23 eaa0192
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 9 20:09:33 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/Kconfig
    	arch/x86/mm/fault.c
    	security/Kconfig

commit eaa0192c2e5a4a821b8b2463209ad38f62082383
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Feb 9 20:04:04 2013 -0500

    Update to pax-linux-3.2.38-test92.patch:
    - added compile time detection for non-optimal use of kmalloc_array/kcalloc
    - reworked the USERCOPY interface a bit to make checking for constant copy sizes easier
    - various ASLR cleanups
      - enabled it for hugetlb (x86 and generic)
      - made arm/mips/powerpc/sparc ignore PF_RANDOMIZE as x86 does
    - added a fix for http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/

 arch/arm/include/asm/uaccess.h    |    8 ++------
 arch/arm/kernel/module.c          |    2 ++
 arch/arm/mm/mmap.c                |    5 +++++
 arch/mips/mm/mmap.c               |   16 ++++++++++++++++
 arch/powerpc/mm/mmap_64.c         |    4 ++++
 arch/sparc/kernel/sys_sparc_64.c  |    4 ++++
 arch/x86/Kconfig                  |    1 +
 arch/x86/include/asm/pgtable.h    |    4 ++--
 arch/x86/include/asm/uaccess.h    |    2 --
 arch/x86/include/asm/uaccess_32.h |   15 +++++++--------
 arch/x86/include/asm/uaccess_64.h |   19 +++++++++----------
 arch/x86/kernel/module.c          |    2 +-
 arch/x86/kernel/setup.c           |    1 +
 arch/x86/kernel/traps.c           |    4 ++--
 arch/x86/mm/fault.c               |    6 ++++--
 arch/x86/mm/hugetlbpage.c         |    4 ++++
 drivers/acpi/proc.c               |    7 +++++--
 drivers/mfd/mfd-core.c            |    2 +-
 drivers/staging/iio/dac/ad5360.c  |    4 ++--
 fs/exec.c                         |    4 ++--
 fs/hugetlbfs/inode.c              |   12 ++++++++----
 include/linux/sched.h             |    1 -
 include/linux/slab.h              |   10 ++++++++++
 include/linux/thread_info.h       |    7 +++++++
 include/video/omapdss.h           |    2 +-
 kernel/module.c                   |    4 ++--
 security/Kconfig                  |    8 ++++----
 27 files changed, 106 insertions(+), 52 deletions(-)

commit 7513c2357e5c96dc16cb3846561847c6b0e72328
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 7 17:47:47 2013 -0500

    It was "suggested by" Kees Cook to rewrite my previous patch
    in exactly and only the ways in which I pasted code for.  Include these
    changes!

 arch/x86/mm/fault.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8979ec479f18d6ba1f06c66c73ece44e91efc892
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 7 17:39:27 2013 -0500

    Allow printing of symbols in kernel backtraces

 arch/arm/kernel/process.c |    4 ++--
 arch/arm/kernel/traps.c   |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

commit ecbe93d5b63d35ee7607ec51659ef52df4c33d99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 6 18:14:13 2013 -0500

    Kill yet another useless technique from Dan Rosenberg
    (already unaffected due to GRKERNSEC_DMESG)

 arch/x86/mm/fault.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 3773f1ade09ecb5820615790f2cad67d61669232
Merge: e735315 b04b168
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 6 17:49:30 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit b04b168209b65d80382c26476c5c34e409b1172c
Merge: 50a402d 8eedd520
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 6 17:49:19 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kernel/setup.c
    	arch/x86/kernel/traps.c

commit e73531596fb9c17bac850d66f4aabe476d87de04
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 4 20:38:36 2013 -0500

    remove unused gr_handle_chroot_rawio(), its functionality is in
    gr_handle_rawio()

 grsecurity/grsec_chroot.c |   11 -----------
 security/Kconfig          |    6 ++++++
 2 files changed, 6 insertions(+), 11 deletions(-)

commit aa037a363fafd32161a74f3ba401eecc2ff12ceb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 31 18:06:01 2013 -0500

    when GRKERNSEC_KMEM is enabled, X86_MSR should be disabled

 arch/x86/Kconfig   |    1 +
 grsecurity/Kconfig |   10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

commit 6c7cdce33427d7c2b119a87000d0831bd13617f7
Author: Alan Cox <alan@linux.intel.com>
Date:   Thu Nov 15 13:06:22 2012 +0000

    Upstream commit: c903f0456bc69176912dee6dd25c6a66ee1aed00
    
    x86/msr: Add capabilities check
    
    At the moment the MSR driver only relies upon file system
    checks. This means that anything as root with any capability set
    can write to MSRs. Historically that wasn't very interesting but
    on modern processors the MSRs are such that writing to them
    provides several ways to execute arbitrary code in kernel space.
    Sample code and documentation on doing this is circulating and
    MSR attacks are used on Windows 64bit rootkits already.
    
    In the Linux case you still need to be able to open the device
    file so the impact is fairly limited and reduces the security of
    some capability and security model based systems down towards
    that of a generic "root owns the box" setup.
    
    Therefore they should require CAP_SYS_RAWIO to prevent an
    elevation of capabilities. The impact of this is fairly minimal
    on most setups because they don't have heavy use of
    capabilities. Those using SELinux, SMACK or AppArmor rules might
    want to consider if their rulesets on the MSR driver could be
    tighter.
    
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Horses <stable@kernel.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/msr.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 9c90088b1efd8fb46d568fb5111fd4e3584cabef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 29 18:29:41 2013 -0500

    Update config help based on report from tgs3 on #grsecurity
    GRKERNSEC_AUDIT_GROUP never applied to mount/unmount logging, which
    were always logged unconditionally

 grsecurity/Kconfig |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 8e13f300300bb4fd2e1bd100606a8bd6cb4e5244
Author: Steven Rostedt <srostedt@redhat.com>
Date:   Fri Dec 14 09:48:15 2012 -0500

    Upstream commit: c1bf08ac26e92122faab9f6c32ea8aba94612dae
    
    ftrace: Be first to run code modification on modules
    
    If some other kernel subsystem has a module notifier, and adds a kprobe
    to a ftrace mcount point (now that kprobes work on ftrace points),
    when the ftrace notifier runs it will fail and disable ftrace, as well
    as kprobes that are attached to ftrace points.
    
    Here's the error:
    
     WARNING: at kernel/trace/ftrace.c:1618 ftrace_bug+0x239/0x280()
     Hardware name: Bochs
     Modules linked in: fat(+) stap_56d28a51b3fe546293ca0700b10bcb29__8059(F) nfsv4 auth_rpcgss nfs dns_resolver fscache xt_nat iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack lockd sunrpc ppdev parport_pc parport microcode virtio_net i2c_piix4 drm_kms_helper ttm drm i2c_core [last unloaded: bid_shared]
     Pid: 8068, comm: modprobe Tainted: GF            3.7.0-0.rc8.git0.1.fc19.x86_64 #1
     Call Trace:
      [<ffffffff8105e70f>] warn_slowpath_common+0x7f/0xc0
      [<ffffffff81134106>] ? __probe_kernel_read+0x46/0x70
      [<ffffffffa0180000>] ? 0xffffffffa017ffff
      [<ffffffffa0180000>] ? 0xffffffffa017ffff
      [<ffffffff8105e76a>] warn_slowpath_null+0x1a/0x20
      [<ffffffff810fd189>] ftrace_bug+0x239/0x280
      [<ffffffff810fd626>] ftrace_process_locs+0x376/0x520
      [<ffffffff810fefb7>] ftrace_module_notify+0x47/0x50
      [<ffffffff8163912d>] notifier_call_chain+0x4d/0x70
      [<ffffffff810882f8>] __blocking_notifier_call_chain+0x58/0x80
      [<ffffffff81088336>] blocking_notifier_call_chain+0x16/0x20
      [<ffffffff810c2a23>] sys_init_module+0x73/0x220
      [<ffffffff8163d719>] system_call_fastpath+0x16/0x1b
     ---[ end trace 9ef46351e53bbf80 ]---
     ftrace failed to modify [<ffffffffa0180000>] init_once+0x0/0x20 [fat]
      actual: cc:bb:d2:4b:e1
    
    A kprobe was added to the init_once() function in the fat module on load.
    But this happened before ftrace could have touched the code. As ftrace
    didn't run yet, the kprobe system had no idea it was a ftrace point and
    simply added a breakpoint to the code (0xcc in the cc:bb:d2:4b:e1).
    
    Then when ftrace went to modify the location from a call to mcount/fentry
    into a nop, it didn't see a call op, but instead it saw the breakpoint op
    and not knowing what to do with it, ftrace shut itself down.
    
    The solution is to simply give the ftrace module notifier the max priority.
    This should have been done regardless, as the core code ftrace modification
    also happens very early on in boot up. This makes the module modification
    closer to core modification.
    
    Link: http://lkml.kernel.org/r/20130107140333.593683061@goodmis.org
    
    Cc: stable@vger.kernel.org
    Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
    Reported-by: Frank Ch. Eigler <fche@redhat.com>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ftrace.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1a370c37a0312e30906c3d060fcefec4d601624e
Author: Oleg Nesterov <oleg@redhat.com>
Date:   Mon Jan 21 20:48:00 2013 +0100

    Upstream commit: 9899d11f654474d2d54ea52ceaa2a1f4db3abd68
    
    ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL
    
    putreg() assumes that the tracee is not running and pt_regs_access() can
    safely play with its stack.  However a killed tracee can return from
    ptrace_stop() to the low-level asm code and do RESTORE_REST, this means
    that debugger can actually read/modify the kernel stack until the tracee
    does SAVE_REST again.
    
    set_task_blockstep() can race with SIGKILL too and in some sense this
    race is even worse, the very fact the tracee can be woken up breaks the
    logic.
    
    As Linus suggested we can clear TASK_WAKEKILL around the arch_ptrace()
    call, this ensures that nobody can ever wakeup the tracee while the
    debugger looks at it.  Not only this fixes the mentioned problems, we
    can do some cleanups/simplifications in arch_ptrace() paths.
    
    Probably ptrace_unfreeze_traced() needs more callers, for example it
    makes sense to make the tracee killable for oom-killer before
    access_process_vm().
    
    While at it, add the comment into may_ptrace_stop() to explain why
    ptrace_stop() still can't rely on SIGKILL and signal_pending_state().
    
    Reported-by: Salman Qazi <sqazi@google.com>
    Reported-by: Suleiman Souhlal <suleiman@google.com>
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	arch/x86/kernel/step.c

 kernel/ptrace.c |   64 ++++++++++++++++++++++++++++++++++++++++++++++--------
 kernel/signal.c |    5 ++++
 2 files changed, 59 insertions(+), 10 deletions(-)

commit 78c89832a236be4851a161755fb2b59e45b5424d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 18:52:04 2013 -0500

    Upstream commit: 9067ac85d533651b98c2ff903182a20cbb361fcb
    
    wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task
    author	Oleg Nesterov <oleg@redhat.com>
    Mon, 21 Jan 2013 19:48:17 +0000 (20:48 +0100)
    committer	Linus Torvalds <torvalds@linux-foundation.org>
    Tue, 22 Jan 2013 18:08:17 +0000 (10:08 -0800)
    wake_up_process() should never wakeup a TASK_STOPPED/TRACED task.
    Change it to use TASK_NORMAL and add the WARN_ON().
    
    TASK_ALL has no other users, probably can be killed.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/sched.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 052ce0ce9105b35513efbacc2bfea32ce57a414c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 18:45:07 2013 -0500

    compile fix on mips

 arch/mips/mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 02bbcab824f5420d29d34d4c9f0d90a63b002885
Merge: 9be01de 50a402d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 18:40:00 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 50a402dd59b2423422249f5a27d1915fd2013e4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 18:38:54 2013 -0500

    Update to pax-linux-3.2.37-test91.patch:
    
    - mips got more heap-stack gap enforcement
    - added countermeasure against attacks that reduce ASLR by exhausting the address space on 32 bit userland
      see kingcope's post for the windows version
      http://kingcope.wordpress.com/2013/01/24/attacking-the-windows-78-address-space-randomization/

 arch/mips/mm/mmap.c            |   10 ++++------
 arch/x86/kernel/ptrace.c       |    2 +-
 drivers/misc/sgi-xp/xpc_main.c |    2 +-
 fs/binfmt_elf.c                |    2 +-
 fs/exec.c                      |   22 ++++++++++++++++++++++
 5 files changed, 29 insertions(+), 9 deletions(-)

commit 9be01dec0fdb1551a4d8e79bf7e077d5cf092621
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 06:08:12 2013 -0500

    make kmemleak user-readonly

 mm/kmemleak.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0f253825359cb8eb5b90b802f891fee64289a8cb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 28 06:06:43 2013 -0500

    allow kmemleak, it's a debugfs-only file marked user-readonly

 mm/kmemleak.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 71ec63a2a964b1f34e2b45a1086cd9521d076a9f
Merge: 51b2579 9044324
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 22 22:08:19 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 9044324b82b19ffcec59c3a169018bf9f7851ba3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 22 22:07:43 2013 -0500

    Update to pax-linux-3.2.37-test90.patch:
    - fixed some more constification fallout (e.g., https://bugs.gentoo.org/show_bug.cgi?id=453216)
    - fixed a pointless alloca in Xen that interfered with STACKLEAK

 arch/arm/include/asm/ptrace.h |    2 +-
 arch/x86/xen/enlighten.c      |    6 ++----
 kernel/trace/trace_output.c   |    2 ++
 3 files changed, 5 insertions(+), 5 deletions(-)

commit 51b257955f24402f2d1e16a2b01453ec037438f9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 19 17:37:10 2013 -0500

    fix typo

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 995b535aa3a096dfebc405b21f524c0b19ccf62f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 19 10:56:50 2013 -0500

    fix typo in documentation

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6ccce0d9b59cf6dc90e6e221147d9c12ae38eee6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 19 02:31:15 2013 -0500

    Choose "between" wording to cover both topdown and bottom-up allocators

 grsecurity/Kconfig |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 61a4b6d1ddc303a84fb3a6cac780685ddfc85a69
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 19:47:09 2013 -0500

    compile fix

 mm/mmap.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0d9f22f2bf0884e07d9eb77da19d1d153bce6d8b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 19:31:24 2013 -0500

    compile fixes

 arch/x86/kernel/sys_x86_64.c |    2 +-
 fs/stat.c                    |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 50c552046f0e5574cf7c96d2d11a7ba45115e79a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 19:22:11 2013 -0500

    depend on PAX_RANDMMAP instead and make disabled version inline

 grsecurity/Kconfig    |    2 +-
 include/linux/sched.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 565f6738248381b5737b9d3dc5d2697d36d18875
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 19:09:04 2013 -0500

    add CONFIG_GRKERNSEC_RAND_THREADSTACK
    
    Conflicts:
    
    	arch/arm/mm/mmap.c
    	arch/x86/kernel/sys_x86_64.c
    	arch/x86/mm/hugetlbpage.c

 arch/alpha/kernel/osf_sys.c      |   14 +++++++-------
 arch/arm/mm/mmap.c               |    6 +++---
 arch/frv/mm/elf-fdpic.c          |    7 ++++---
 arch/ia64/kernel/sys_ia64.c      |    3 ++-
 arch/ia64/mm/hugetlbpage.c       |    3 ++-
 arch/mips/mm/mmap.c              |    9 +++++----
 arch/parisc/kernel/sys_parisc.c  |   19 +++++++++++--------
 arch/powerpc/mm/slice.c          |    8 ++++----
 arch/sh/mm/mmap.c                |   14 ++++++++------
 arch/sparc/kernel/sys_sparc_32.c |    3 ++-
 arch/sparc/kernel/sys_sparc_64.c |   14 ++++++++------
 arch/sparc/mm/hugetlbpage.c      |   13 ++++++++-----
 arch/x86/kernel/sys_i386_32.c    |   14 ++++++++------
 arch/x86/kernel/sys_x86_64.c     |   12 +++++++-----
 arch/x86/mm/hugetlbpage.c        |   11 +++++++----
 grsecurity/Kconfig               |   20 ++++++++++++++++++++
 include/linux/sched.h            |   14 ++++++++++++--
 mm/mmap.c                        |   26 ++++++++++++++++++++++----
 18 files changed, 140 insertions(+), 70 deletions(-)

commit fc7fad5e0682f797b9aeb41e0db931650be6654a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 16 11:14:17 2012 -0500

    Fix compilation error reported on forums

 grsecurity/gracl.c    |   32 ++++++++++++++++----------------
 include/linux/gracl.h |    8 ++++----
 2 files changed, 20 insertions(+), 20 deletions(-)

commit b0d2b598920692738fabe56e2861a7849a4780a5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 18 16:24:58 2013 -0500

    Add GRKERNSEC_DEVICE_SIDECHANNEL
    
    Conflicts:
    
    	include/linux/fs.h

 fs/stat.c                |   19 +++++++++++++++----
 grsecurity/Kconfig       |   13 +++++++++++++
 include/linux/fs.h       |   10 ++++++++++
 include/linux/fsnotify.h |    6 ++++++
 4 files changed, 44 insertions(+), 4 deletions(-)

commit 4d258955a8d8c2a024515674b713a551d284109e
Merge: e5b00e5 1996678
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 17 21:13:26 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	security/Kconfig

commit 199667850497bb7e96cad5fb6331124de5758d99
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 17 21:12:26 2013 -0500

    remove ARM_LPAE, doesn't exist here

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e5b00e5010cae356eb8e8e52551364df823bb4bb
Merge: 54107cf b09d192
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 17 20:55:03 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit b09d19282bd5bb8bd718de07dfe64b7ee994f2a0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 17 20:54:04 2013 -0500

    revert set_pgd_batched() change

 arch/x86/include/asm/pgtable_64.h |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 54107cf38a3c4a6ff218849f6469573c66304ff4
Merge: bb16456 cf3a81f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 16 19:20:57 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	security/Kconfig

commit cf3a81f6c589a92b12babf1712e5d7656c149201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 16 19:18:10 2013 -0500

    Update to pax-linux-3.2.37-test88.patch:
    - more constification based on stats supplied by Larry H of Subreption
    - ported USERCOPY to ia64 based on the discussion with Dennis Schridde at https://bugs.gentoo.org/show_bug.cgi?id=432100
    - simplified the latent entropy code a bit
    - added some list handling wrappers for KERNEXEC/LIST_DEBUG to minimize the exposure of an open kernel
    - some constification work
      - smarter plugin allowed the removal of many no_const attrs
      - function pointer array fields are recognized as well
    - KERNEXEC compatibility fix for native_set_pgd_batched
    - new size overflow plugin from Emese to fix some false positives (http://forums.grsecurity.net/viewtopic.php?f=3&t=3208)

 arch/arm/include/asm/pgalloc.h                     |    1 -
 arch/arm/kernel/head.S                             |    4 +-
 arch/arm/kernel/setup.c                            |    6 +-
 arch/arm/mach-omap2/smartreflex.h                  |    2 +-
 arch/arm/mm/fault.c                                |   34 --------
 arch/ia64/include/asm/uaccess.h                    |   28 ++++++-
 arch/x86/include/asm/io.h                          |    2 +-
 arch/x86/include/asm/paravirt_types.h              |   12 ++--
 arch/x86/include/asm/pgtable_64.h                  |    2 +
 arch/x86/include/asm/reboot.h                      |    2 +-
 arch/x86/include/asm/smp.h                         |    2 +-
 arch/x86/include/asm/x86_init.h                    |   26 +++---
 arch/x86/kernel/acpi/boot.c                        |    2 +-
 arch/x86/kernel/amd_gart_64.c                      |    2 +-
 arch/x86/kernel/aperture_64.c                      |    2 +-
 arch/x86/kernel/apic/numaq_32.c                    |   16 ++--
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    4 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   48 ++++++++----
 arch/x86/kernel/cpu/mcheck/mce.c                   |    2 +-
 arch/x86/kernel/cpu/vmware.c                       |    2 +-
 arch/x86/kernel/head32.c                           |    4 +-
 arch/x86/kernel/kvm.c                              |    8 +-
 arch/x86/kernel/kvmclock.c                         |   14 ++--
 arch/x86/kernel/paravirt.c                         |    8 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/ptrace.c                           |   10 +-
 arch/x86/kernel/vsmp_64.c                          |    2 +-
 arch/x86/lguest/boot.c                             |   52 ++++++------
 arch/x86/mm/ioremap.c                              |    2 +-
 arch/x86/mm/mmio-mod.c                             |    4 +-
 arch/x86/pci/acpi.c                                |    2 +-
 arch/x86/pci/xen.c                                 |   14 ++--
 arch/x86/platform/efi/efi.c                        |    4 +-
 arch/x86/platform/mrst/mrst.c                      |   40 +++++-----
 arch/x86/platform/mrst/vrtc.c                      |    4 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/xen/enlighten.c                           |   30 ++++----
 arch/x86/xen/irq.c                                 |    2 +-
 arch/x86/xen/mmu.c                                 |    6 +-
 arch/x86/xen/smp.c                                 |   14 ++--
 arch/x86/xen/spinlock.c                            |   12 ++--
 arch/x86/xen/time.c                                |   26 +++---
 drivers/cdrom/cdrom.c                              |    9 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/random.c                              |   11 ---
 drivers/firmware/efivars.c                         |    6 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    2 +-
 drivers/gpu/drm/i915/intel_display.c               |   12 ++-
 drivers/gpu/drm/radeon/evergreen.c                 |    4 +-
 drivers/gpu/drm/radeon/ni.c                        |    4 +-
 drivers/gpu/drm/radeon/r100.c                      |    6 +-
 drivers/gpu/drm/radeon/r300.c                      |    6 +-
 drivers/gpu/drm/radeon/r600.c                      |    4 +-
 drivers/gpu/drm/radeon/radeon.h                    |    4 +-
 drivers/gpu/drm/radeon/radeon_asic.c               |   28 ++++---
 drivers/gpu/drm/radeon/rv770.c                     |    4 +-
 drivers/i2c/i2c-mux.c                              |    2 +-
 drivers/iommu/amd_iommu_init.c                     |    4 +-
 drivers/iommu/dmar.c                               |    2 +-
 drivers/isdn/hardware/eicon/divasync.h             |    2 +-
 drivers/isdn/hardware/eicon/xdi_adapter.h          |    2 +-
 drivers/md/persistent-data/dm-space-map-disk.c     |    2 +-
 drivers/md/persistent-data/dm-space-map-metadata.c |    2 +-
 drivers/media/dvb/dvb-core/dvb_demux.h             |    2 +-
 drivers/media/video/au0828/au0828.h                |    2 +-
 drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h |    2 +-
 drivers/media/video/timblogiw.c                    |    4 +-
 drivers/mfd/abx500-core.c                          |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +--
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    5 +-
 drivers/net/ethernet/intel/e1000e/80003es2lan.c    |   13 ++--
 drivers/net/ethernet/intel/e1000e/82571.c          |   39 +++++-----
 drivers/net/ethernet/intel/e1000e/hw.h             |    9 +--
 drivers/net/ethernet/intel/igb/e1000_hw.h          |   12 +--
 drivers/net/ethernet/intel/igbvf/vf.h              |    6 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_type.h      |   12 +--
 drivers/net/ethernet/intel/ixgbevf/vf.h            |    6 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.h   |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-traffic.h  |    2 +-
 drivers/net/macvtap.c                              |    2 +-
 drivers/net/wireless/ath/ath.h                     |    1 -
 drivers/net/wireless/ath/ath9k/hw.h                |    2 +-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.h  |    4 +-
 .../net/wireless/brcm80211/brcmsmac/phy/phy_int.h  |    2 +-
 drivers/net/wireless/mwifiex/main.h                |    2 +-
 drivers/net/wireless/wl1251/sdio.c                 |   12 ++-
 drivers/net/wireless/wl1251/wl1251.h               |    2 +-
 drivers/pci/hotplug/cpci_hotplug.h                 |    2 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 ++-
 drivers/power/bq27x00_battery.c                    |    2 +-
 drivers/scsi/aacraid/aacraid.h                     |    2 +-
 drivers/scsi/bfa/bfa_fcpim.c                       |    4 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    5 +-
 drivers/scsi/ips.h                                 |    2 +-
 drivers/scsi/qla2xxx/qla_def.h                     |    2 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/staging/usbip/usbip_common.h               |    2 +-
 drivers/staging/wlan-ng/hfa384x_usb.c              |    2 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/xen/xen-pciback/conf_space.h               |    6 +-
 fs/exec.c                                          |    2 +-
 fs/nfs/blocklayout/blocklayout.c                   |    2 +-
 fs/seq_file.c                                      |    2 +-
 include/acpi/acpi_bus.h                            |    2 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/linux/cdrom.h                              |    1 -
 include/linux/efi.h                                |    2 +-
 include/linux/firewire.h                           |    2 +-
 include/linux/fsnotify_backend.h                   |    1 -
 include/linux/ftrace_event.h                       |    2 +-
 include/linux/hid.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/intel-iommu.h                        |    2 +-
 include/linux/kobject.h                            |    2 +-
 include/linux/list.h                               |    3 +
 include/linux/memory.h                             |    2 +-
 include/linux/mfd/abx500.h                         |    1 -
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/module.h                             |    1 +
 include/linux/netfilter/ipset/ip_set.h             |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/of_pdt.h                             |    2 +-
 include/linux/preempt.h                            |    2 +-
 include/linux/proc_fs.h                            |    2 +-
 include/linux/random.h                             |    4 -
 include/linux/regset.h                             |    2 +-
 include/linux/rfkill.h                             |    1 -
 include/linux/slab.h                               |    2 +-
 include/linux/sunrpc/sched.h                       |    1 -
 include/linux/sysrq.h                              |    2 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/media/saa7146_vv.h                         |    2 +-
 include/media/v4l2-dev.h                           |    1 -
 include/media/v4l2-ioctl.h                         |    1 -
 include/net/caif/caif_hsi.h                        |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/irda/ircomm_core.h                     |    2 +-
 include/net/netfilter/nf_queue.h                   |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/sctp/structs.h                         |    4 +-
 include/net/tcp.h                                  |    2 +-
 include/net/udp.h                                  |    2 +-
 include/net/xfrm.h                                 |    2 +-
 include/sound/ak4xxx-adda.h                        |    2 +-
 include/sound/hwdep.h                              |    2 +-
 include/sound/info.h                               |    2 +-
 include/sound/pcm.h                                |    1 -
 include/sound/sb16_csp.h                           |    2 +-
 include/sound/soc.h                                |    2 +-
 include/target/target_core_base.h                  |    2 +-
 include/video/omapdss.h                            |    2 +-
 init/main.c                                        |    8 ++-
 kernel/notifier.c                                  |   17 +++-
 kernel/timer.c                                     |    2 +-
 kernel/trace/ftrace.c                              |    7 +-
 kernel/trace/trace_output.c                        |    8 +-
 lib/Makefile                                       |    2 +-
 lib/cpu-notifier-error-inject.c                    |    4 +-
 lib/dma-debug.c                                    |    2 +-
 lib/list_debug.c                                   |   65 ++++++++++++++-
 mm/slab.c                                          |    2 +-
 mm/slob.c                                          |    2 +-
 mm/slub.c                                          |    2 +-
 net/8021q/vlan.c                                   |    2 +-
 net/atm/mpc.h                                      |    2 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    8 +-
 net/core/rtnetlink.c                               |   16 +++--
 net/sctp/ipv6.c                                    |    2 +-
 net/sctp/protocol.c                                |    8 +-
 net/tipc/eth_media.c                               |    8 +-
 net/wireless/core.h                                |    2 +-
 net/xfrm/xfrm_state.c                              |    4 +-
 security/Kconfig                                   |    4 +-
 sound/isa/cmi8330.c                                |    2 +-
 sound/pci/hda/hda_codec.h                          |    7 +-
 sound/pci/ice1712/ice1712.h                        |    4 +-
 sound/soc/soc-pcm.c                                |   18 +++--
 tools/gcc/constify_plugin.c                        |   82 ++++++++++++--------
 tools/gcc/size_overflow_plugin.c                   |   82 +++++++++++--------
 virt/kvm/kvm_main.c                                |   10 ++-
 188 files changed, 713 insertions(+), 591 deletions(-)

commit bb16456b78d9bda4d8cfdbf6a69de9d28d0c9e60
Merge: 6c6b091 b2a1b39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 16 16:33:08 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	net/ipv4/tcp_input.c

commit b2a1b3930f77f97a3d3be05ca5ff3a69e8416fdd
Merge: 4137111 2d18772
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 16 16:31:07 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2

commit 6c6b091e94649c02a478d6ea0f6e12a36d9e722f
Author: Xi Wang <xi.wang@gmail.com>
Date:   Fri Jan 11 14:31:48 2013 -0800

    Upstream commit: 6d92d4f6a74766cc885b18218268e0c47fbca399
    
    fs/exec.c: work around icc miscompilation
    
    The tricky problem is this check:
    
    	if (i++ >= max)
    
    icc (mis)optimizes this check as:
    
    	if (++i > max)
    
    The check now becomes a no-op since max is MAX_ARG_STRINGS (0x7FFFFFFF).
    
    This is "allowed" by the C standard, assuming i++ never overflows,
    because signed integer overflow is undefined behavior.  This
    optimization effectively reverts the previous commit 362e6663ef23
    ("exec.c, compat.c: fix count(), compat_count() bounds checking") that
    tries to fix the check.
    
    This patch simply moves ++ after the check.
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Jason Baron <jbaron@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/exec.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
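
The bounds check that the commit above reorders, as an added example (not the kernel's fs/exec.c and not part of the log): a user-space `count_strings()` that counts a NULL-terminated string array up to `max` and increments only after the comparison has been made. `MAX_ARG_STRINGS`, `sample_argv` and `demo_count()` are constructed here for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>

/* Upper bound on argv/envp entries; same value the commit message quotes. */
#define MAX_ARG_STRINGS 0x7FFFFFFF

/*
 * Count the strings in a NULL-terminated array, refusing more than `max`.
 *
 * Original form:      if (i++ >= max) return -E2BIG;
 * icc's rewrite:      if (++i > max)  return -E2BIG;
 *
 * The rewrite is legal only if i++ can never overflow (signed overflow is
 * undefined), and with max == INT_MAX it turns the check into a no-op.
 * Doing the increment after the comparison leaves nothing to rewrite.
 */
int count_strings(char *const *strs, int max)
{
    int i = 0;

    if (strs) {
        for (;;) {
            char *const p = *strs++;   /* the kernel fetches this with get_user() */

            if (!p)
                break;
            if (i >= max)              /* compare first ... */
                return -E2BIG;
            ++i;                       /* ... then increment */
        }
    }
    return i;
}

/* Constructed three-entry argv for demonstration. */
static char *const sample_argv[] = { "a", "b", "c", NULL };

/* Count sample_argv against a given limit: 3 when max >= 3, -E2BIG otherwise. */
int demo_count(int max)
{
    return count_strings(sample_argv, max);
}
```

The limit is enforced on the count already seen, so a limit of `max` admits exactly `max` strings and rejects the (max+1)-th, which is the behaviour the earlier commit 362e6663ef23 set out to guarantee.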

commit acaa2f68ead06598824abcffdeabceac6c260bf5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 14 23:13:34 2013 -0500

    Fix dup_mm() OOPS caused by exec_file refcnt imbalance, as reported at:
    http://forums.grsecurity.net/viewtopic.php?f=3&t=3230

 fs/fs_struct.c        |    4 ----
 grsecurity/gracl_fs.c |   10 ++--------
 kernel/exit.c         |    1 +
 kernel/fork.c         |    8 +++++---
 4 files changed, 8 insertions(+), 15 deletions(-)

commit a1a1d9f316d1917b59e3c520fca822d634cc5b95
Author: Xi Wang <xi.wang@gmail.com>
Date:   Sat Jan 5 11:19:24 2013 +0000

    Upstream commit: c7e2e1d72ed7707239d20525e0ebcad7e3303659
    
    ipv4: fix NULL checking in devinet_ioctl()
    
    The NULL pointer check `!ifa' should come before its first use.
    
    [ Bug origin : commit fd23c3b31107e2fc483301ee923d8a1db14e53f4
      (ipv4: Add hash table of interface addresses) in linux-2.6.39 ]
    
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/devinet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 71d39f6f80de0b939713f632ea0a1eb46fcec714
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 5 13:47:47 2013 -0500

    Add a feature from Willy Tarreau to disable TCP Simultaneous Connect.
    I've eliminated the sysctl and enabled the feature by default
    in all automatic configurations.
    
    Willy's original commit message is below:
    
    From 61abc5ef6c3bc210c63036b5f36cc96a7802b605 Mon Sep 17 00:00:00 2001
    From: Willy Tarreau <w@1wt.eu>
    Date: Wed, 8 Oct 2008 10:00:42 +0200
    Subject: [PATCH] TCP: add a sysctl to disable simultaneous connection opening.
    
    Strict implementation of RFC793 (TCP) requires support for a feature
    called "simultaneous connect", which allows two clients to connect to
    each other without anyone entering a listening state.  While almost
    never used, and supported by few OSes, Linux supports this feature.
    
    However, it introduces a weakness in the protocol which makes it very
    easy for an attacker to prevent a client from connecting to a known
    server. The attacker only has to guess the source port to shut down
    the client connection during its establishment. The impact is limited,
    but it may be used to prevent an antivirus or IPS from fetching updates
    and not detecting an attack, or to prevent an SSL gateway from fetching
    a CRL for example.
    
    This patch provides a new sysctl "tcp_simult_connect" to enable or disable
    support for this useless feature. It comes disabled by default.
    
    Hundreds of systems running with that feature disabled for more than 4 years
    have never encountered an application which requires it. It is almost never
    supported by firewalls BTW.
    
    Signed-off-by: Willy Tarreau <w@1wt.eu>

 grsecurity/Kconfig   |   18 ++++++++++++++++++
 net/ipv4/tcp_input.c |    2 ++
 2 files changed, 20 insertions(+), 0 deletions(-)

commit b622422c80ce58f64db0b2199a4bd2da35489ff9
Author: Hugh Dickins <hughd@google.com>
Date:   Wed Jan 2 02:01:33 2013 -0800

    Upstream commit: f2a07f40dbc603c15f8b06e6ec7f768af67b424f
    
    tmpfs mempolicy: fix /proc/mounts corrupting memory
    
    Recently I suggested using "mount -o remount,mpol=local /tmp" in NUMA
    mempolicy testing.  Very nasty.  Reading /proc/mounts, /proc/pid/mounts
    or /proc/pid/mountinfo may then corrupt one bit of kernel memory, often
    in a page table (causing "Bad swap" or "Bad page map" warning or "Bad
    pagetable" oops), sometimes in a vm_area_struct or rbnode or somewhere
    worse.  "mpol=prefer" and "mpol=prefer:Node" are equally toxic.
    
    Recent NUMA enhancements are not to blame: this dates back to 2.6.35,
    when commit e17f74af351c "mempolicy: don't call mpol_set_nodemask() when
    no_context" skipped mpol_parse_str()'s call to mpol_set_nodemask(),
    which used to initialize v.preferred_node, or set MPOL_F_LOCAL in flags.
    With slab poisoning, you can then rely on mpol_to_str() to set the bit
    for node 0x6b6b, probably in the next page above the caller's stack.
    
    mpol_parse_str() is only called from shmem_parse_options(): no_context
    is always true, so call it unused for now, and remove !no_context code.
    Set v.nodes or v.preferred_node or MPOL_F_LOCAL as mpol_to_str() might
    expect.  Then mpol_to_str() can ignore its no_context argument also,
    the mpol being appropriately initialized whether contextualized or not.
    Rename its no_context unused too, and let subsequent patch remove them
    (that's not needed for stable backporting, which would involve rejects).
    
    I don't understand why MPOL_LOCAL is described as a pseudo-policy:
    it's a reasonable policy which suffers from a confusing implementation
    in terms of MPOL_PREFERRED with MPOL_F_LOCAL.  I believe this would be
    much more robust if MPOL_LOCAL were recognized in switch statements
    throughout, MPOL_F_LOCAL deleted, and MPOL_PREFERRED use the (possibly
    empty) nodes mask like everyone else, instead of its preferred_node
    variant (I presume an optimization from the days before MPOL_LOCAL).
    But that would take me too long to get right and fully tested.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mempolicy.c |   64 ++++++++++++++++++++++---------------------------------
 1 files changed, 26 insertions(+), 38 deletions(-)

commit d13f2bb8896829482d284efb34de811c10e5a77d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 3 18:30:42 2013 -0500

    GR_NESTED is an outdated flag -- nested subjects don't exist in hash tables
    these days and are directly attached to objects.  Remove it.

 grsecurity/gracl.c     |   17 -----------------
 include/linux/grdefs.h |    2 +-
 2 files changed, 1 insertions(+), 18 deletions(-)

commit 9944161825aca755a9dd8020229c2d12e9818309
Merge: cb91e70 4137111
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 3 17:13:01 2013 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 4137111085e54b6088adc9d90ec9c7b8cbeee4f7
Merge: a52d4ca 37701d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jan 3 17:12:45 2013 -0500

    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	mm/memory.c

commit cb91e70c91d91215769cfdc8972da7a9c0a99f14
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 1 14:05:19 2013 -0500

    Fix warning (from HIDESYM) on reading /proc/vmallocinfo
    Thanks to Allan Wegan for the report

 mm/vmalloc.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 55d7ef1bdb3c968e87cd70c08856e47f57f1f446
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 31 20:15:51 2012 -0500

    Fix compiler warning

 lib/vsprintf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2ca98a512ccf373ff2aeb53f0a89bcd375b7b0c3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 27 19:02:18 2012 -0500

    Resolve compiler warning

 fs/autofs4/waitq.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0110a5c2f8e9c71f7c0ac0de60538f8c61691dfa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 27 18:53:28 2012 -0500

    compile fix

 net/ipv4/tcp_input.c |   17 -----------------
 1 files changed, 0 insertions(+), 17 deletions(-)

commit f3ef92528e8b1303fef7edc081fd90a1a102b4c9
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jul 17 01:41:30 2012 +0000

    Upstream commit: 0c24604b
    
    tcp: implement RFC 5961 4.2
    
    Implement the RFC 5691 mitigation against Blind
    Reset attack using SYN bit.
    
    Section 4.2 of RFC 5961 advises to send a Challenge ACK and drop
    incoming packet, instead of resetting the session.
    
    Add a new SNMP counter to count number of challenge acks sent
    in response to SYN packets.
    (netstat -s | grep TCPSYNChallenge)
    
    Remove obsolete TCPAbortOnSyn, since we no longer abort a TCP session
    because of a SYN flag.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Kiran Kumar Kella <kkiran@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/tcp_input.c

 include/linux/snmp.h |    2 +-
 net/ipv4/proc.c      |    2 +-
 net/ipv4/tcp_input.c |   32 +++++++++++++++-----------------
 3 files changed, 17 insertions(+), 19 deletions(-)

commit 409c8c24917728cc628480988a69e2b08275e4af
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jul 17 10:13:05 2012 +0200

    Upstream commit: 282f23c6ee343126156dd41218b22ece96d747e3
    
    tcp: implement RFC 5961 3.2
    
    Implement the RFC 5691 mitigation against Blind
    Reset attack using RST bit.
    
    Idea is to validate incoming RST sequence,
    to match RCV.NXT value, instead of previously accepted
    window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)
    
    If sequence is in window but not an exact match, send
    a "challenge ACK", so that the other part can resend an
    RST with the appropriate sequence.
    
    Add a new sysctl, tcp_challenge_ack_limit, to limit
    number of challenge ACK sent per second.
    
    Add a new SNMP counter to count number of challenge acks sent.
    (netstat -s | grep TCPChallengeACK)
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Kiran Kumar Kella <kkiran@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	Documentation/networking/ip-sysctl.txt
    	include/linux/snmp.h
    	include/net/tcp.h
    	net/ipv4/proc.c
    	net/ipv4/sysctl_net_ipv4.c
    
    Conflicts:
    
    	Documentation/networking/ip-sysctl.txt
    	include/linux/snmp.h
    	include/net/tcp.h
    	net/ipv4/proc.c

 Documentation/networking/ip-sysctl.txt |    5 +++++
 include/linux/snmp.h                   |    1 +
 include/net/tcp.h                      |    1 +
 net/ipv4/proc.c                        |    1 +
 net/ipv4/sysctl_net_ipv4.c             |    7 +++++++
 net/ipv4/tcp_input.c                   |   31 ++++++++++++++++++++++++++++++-
 6 files changed, 45 insertions(+), 1 deletions(-)

commit 2a1606ece92fd78dfdd0735532a9e38b6261c275
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 27 18:20:59 2012 -0500

    Clarify documentation for GRKERNSEC_DMESG based on Twitter discussion

 grsecurity/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b53211d24c27efb270c97e1141f8d5d1e342a1a6
Author: Jarod Wilson <jarod@redhat.com>
Date:   Tue Nov 6 10:42:42 2012 -0500

    Upstream commit: ec8f02da9ea500474417d1d31fa3d46a562ab366
    
    random: prime last_data value per fips requirements
    
    The value stored in last_data must be primed for FIPS 140-2 purposes. Upon
    first use, either on system startup or after an RNDCLEARPOOL ioctl, we
    need to take an initial random sample, store it internally in last_data,
    then pass along the value after that to the requester, so that consistency
    checks aren't being run against stale and possibly known data.
    
    CC: Herbert Xu <herbert@gondor.apana.org.au>
    CC: "David S. Miller" <davem@davemloft.net>
    CC: Matt Mackall <mpm@selenic.com>
    CC: linux-crypto@vger.kernel.org
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: Jarod Wilson <jarod@redhat.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    
    Conflicts:
    
    	drivers/char/random.c

 drivers/char/random.c |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)
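
The priming behaviour the commit above describes, as an added example (constructed for this log, not the code in drivers/char/random.c): a FIPS 140-2 style continuous test in which the first block drawn after a reset is stored in `last_data` and consumed, so the first block actually handed to a requester is compared against a genuine earlier sample rather than against zeroed or otherwise known memory. `struct fips_ct`, `fips_extract()` and the two stand-in generators are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define EXTRACT_SIZE 10   /* bytes per extraction, matching the kernel's constant */

struct fips_ct {
    uint8_t last_data[EXTRACT_SIZE];
    bool primed;          /* false after boot or an RNDCLEARPOOL-style reset */
};

enum fips_result { FIPS_OK = 0, FIPS_PRIMED = 1, FIPS_REPEAT = -1 };

/* Reset: the next block drawn must be used for priming, not released. */
void fips_ct_reset(struct fips_ct *ct)
{
    memset(ct, 0, sizeof *ct);
}

/*
 * Continuous test on one freshly extracted block.
 * First block after reset: stored, reported as consumed for priming.
 * Later blocks: rejected if identical to the previous one, else stored and released.
 */
enum fips_result fips_ct_check(struct fips_ct *ct, const uint8_t block[EXTRACT_SIZE])
{
    if (!ct->primed) {
        memcpy(ct->last_data, block, EXTRACT_SIZE);
        ct->primed = true;
        return FIPS_PRIMED;
    }
    if (memcmp(ct->last_data, block, EXTRACT_SIZE) == 0)
        return FIPS_REPEAT;
    memcpy(ct->last_data, block, EXTRACT_SIZE);
    return FIPS_OK;
}

typedef void (*extract_fn)(void *ctx, uint8_t out[EXTRACT_SIZE]);

/* Draw one releasable block: 0 on success, -1 if the continuous test fails. */
int fips_extract(struct fips_ct *ct, extract_fn fn, void *ctx, uint8_t out[EXTRACT_SIZE])
{
    for (;;) {
        fn(ctx, out);
        switch (fips_ct_check(ct, out)) {
        case FIPS_OK:
            return 0;
        case FIPS_PRIMED:
            continue;             /* sample was consumed for priming; draw again */
        case FIPS_REPEAT:
        default:
            memset(out, 0, EXTRACT_SIZE);
            return -1;
        }
    }
}

/* Constructed stand-in generators (not entropy sources): a counter and a stuck source. */
struct counter_src { uint32_t n; };

static void counter_extract(void *ctx, uint8_t out[EXTRACT_SIZE])
{
    struct counter_src *s = ctx;
    uint32_t v = s->n++;

    memset(out, 0, EXTRACT_SIZE);
    out[0] = (uint8_t)v;
    out[1] = (uint8_t)(v >> 8);
}

static void stuck_extract(void *ctx, uint8_t out[EXTRACT_SIZE])
{
    (void)ctx;
    memset(out, 0xAA, EXTRACT_SIZE);
}

/* With priming, the first block released is the second one drawn, i.e. counter value 1. */
int demo_primed_first_block(void)
{
    struct fips_ct ct;
    struct counter_src src = { 0 };
    uint8_t out[EXTRACT_SIZE];

    fips_ct_reset(&ct);
    if (fips_extract(&ct, counter_extract, &src, out) != 0)
        return -1;
    return out[0];
}

/* A source that repeats its output is caught on the first block after priming. */
int demo_stuck_source_rejected(void)
{
    struct fips_ct ct;
    uint8_t out[EXTRACT_SIZE];

    fips_ct_reset(&ct);
    return fips_extract(&ct, stuck_extract, NULL, out);
}
```

Without the priming step, `last_data` after a reset would hold whatever the structure was initialised with, and the first comparison would be against that known value rather than against output of the generator, which is the gap the commit closes.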

commit 7987ebd47faefdbbcb062d6e48319128c416279d
Author: Nick Kossifidis <mickflemm@gmail.com>
Date:   Sun Dec 16 22:18:11 2012 -0500

    Upstream commit: 6133705494bb02953e1e2cc3018a4373981b3c97
    
    random: Mix cputime from each thread that exits to the pool
    
    When a thread exits mix its cputime (userspace + kernelspace) to the entropy pool.
    
    We don't know how "random" this is, so we use add_device_randomness that doesn't mess
    with entropy count.
    
    Signed-off-by: Nick Kossifidis <mickflemm@gmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>

 kernel/posix-cpu-timers.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit d90be10e65fba2d0520ab4b1261207a023724253
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 27 18:06:58 2012 -0500

    Backport upstream commit: a68c2f12b4b28994aaf622bbe5724b7258cc2fcf
    
    sendfile: allows bypassing of notifier events
    Author: Scott Wolchok <swolchok@umich.edu>
    do_sendfile() in fs/read_write.c does not call the fsnotify functions,
    unlike its neighbors.  This manifests as a lack of inotify ACCESS events
    when a file is sent using sendfile(2).
    
    Addresses
      https://bugzilla.kernel.org/show_bug.cgi?id=12812

 fs/read_write.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit c85cb9a260726afb138cd5360c2127b101d5cfbc
Author: Vahram Martirosyan <vmartirosyan@gmail.com>
Date:   Wed Nov 28 12:44:16 2012 -0500

    Upstream commit: 766f44d46a726cb59f52a75c5c87425a10c4bade
    
    ext4: fixed potential NULL dereference in ext4_calculate_overhead()
    
    The memset operation before check can cause a BUG if the memory
    allocation failed.  Since we are using get_zeroed_page, there is no
    need to use memset anyway.
    
    Found by the Spruce system in cooperation with the KEDR Framework.
    
    Signed-off-by: Vahram Martirosyan <vmartirosyan@linuxtesting.org>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>

 fs/ext4/super.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit a20d4dc627e376988da7d0f8b8af7130cbe28a8e
Author: Eric Sandeen <sandeen@redhat.com>
Date:   Wed Nov 14 22:22:05 2012 -0500

    Upstream commit: 66bea92c69477a75a5d37b9bfed5773c92a3c4b4
    
    ext4: init pagevec in ext4_da_block_invalidatepages
    
    ext4_da_block_invalidatepages is missing a pagevec_init(),
    which means that pvec->cold contains random garbage.
    
    This affects whether the page goes to the front or
    back of the LRU when ->cold makes it to
    free_hot_cold_page()
    
    Reviewed-by: Lukas Czerner <lczerner@redhat.com>
    Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org
    
    Conflicts:
    
    	fs/ext4/inode.c

 fs/ext4/inode.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 32382ab46b8f20ede9deabb0480d4c20ff5aee12
Author: Christoffer Dall <cdall@cs.columbia.edu>
Date:   Fri Dec 21 13:03:50 2012 -0500

    Upstream commit: ad4b3fb7ff9940bcdb1e4cd62bd189d10fa636ba
    
    mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED
    
    Unfortunately with !CONFIG_PAGEFLAGS_EXTENDED, (!PageHead) is false, and
    (PageHead) is true, for tail pages.  If this is indeed the intended
    behavior, which I doubt because it breaks cache cleaning on some ARM
    systems, then the nomenclature is highly problematic.
    
    This patch makes sure PageHead is only true for head pages and PageTail
    is only true for tail pages, and neither is true for non-compound pages.
    
    [ This buglet seems ancient - seems to have been introduced back in Apr
      2008 in commit 6a1e7f777f61: "pageflags: convert to the use of new
      macros".  And the reason nobody noticed is because the PageHead()
      tests are almost all about just sanity-checking, and only used on
      pages that are actual page heads.  The fact that the old code returned
      true for tail pages too was thus not really noticeable.   - Linus ]
    
    Signed-off-by: Christoffer Dall <cdall@cs.columbia.edu>
    Acked-by:  Andrea Arcangeli <aarcange@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Will Deacon <Will.Deacon@arm.com>
    Cc: Steve Capper <Steve.Capper@arm.com>
    Cc: Christoph Lameter <cl@linux.com>
    Cc: stable@kernel.org  # 2.6.26+
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/page-flags.h |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 85a9264c0384512097f1899cfa7f06779d57d41d
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Dec 26 12:44:34 2012 +0000

    Upstream commit: c3ae62af8e755ea68380fb5ce682e60079a4c388
    
    tcp: should drop incoming frames without ACK flag set
    
    In commit 96e0bf4b5193d (tcp: Discard segments that ack data not yet
    sent) John Dykstra enforced a check against ack sequences.
    
    In commit 354e4aa391ed5 (tcp: RFC 5961 5.2 Blind Data Injection Attack
    Mitigation) I added more safety tests.
    
    But we missed the fact that these tests are not performed if the ACK bit
    is not set.
    
    RFC 793 3.9 mandates TCP should drop a frame without ACK flag set.
    
    " fifth check the ACK field,
          if the ACK bit is off drop the segment and return"
    
    Not doing so permits an attacker to only guess an acceptable sequence
    number, evading stronger checks.
    
    Many thanks to Zhiyun Qian for bringing this issue to our attention.
    
    See :
    http://web.eecs.umich.edu/~zhiyunq/pub/ccs12_TCP_sequence_number_inference.pdf
    
    Reported-by: Zhiyun Qian <zhiyunq@umich.edu>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Nandita Dukkipati <nanditad@google.com>
    Cc: Neal Cardwell <ncardwell@google.com>
    Cc: John Dykstra <john.dykstra1@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/tcp_input.c

 net/ipv4/tcp_input.c |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

commit 086efa46d6d699664e68fef9a1a3335b91af0b6d
Author: Eric Dumazet <edumazet@google.com>
Date:   Sun Oct 21 19:57:11 2012 +0000

    Upstream commit: 354e4aa391ed50a4d827ff6fc11e0667d0859b25
    
    tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation
    
    RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation]
    
      All TCP stacks MAY implement the following mitigation.  TCP stacks
      that implement this mitigation MUST add an additional input check to
      any incoming segment.  The ACK value is considered acceptable only if
      it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
      SND.NXT).  All incoming segments whose ACK value doesn't satisfy the
      above condition MUST be discarded and an ACK sent back.
    
    Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward
    declaration.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Neal Cardwell <ncardwell@google.com>
    Cc: Yuchung Cheng <ycheng@google.com>
    Cc: Jerry Chu <hkchu@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_input.c |   26 +++++++++++++++++++++++++-
 1 files changed, 25 insertions(+), 1 deletions(-)
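
The two input checks described in this commit and in the "should drop incoming frames without ACK flag set" commit above, as one added stand-alone C example (not kernel code): the RFC 793 drop of segments without the ACK bit, followed by the RFC 5961 5.2 window test. The `conn_state` struct, `tcp_before()`/`tcp_after()` helpers and the constructed connection values in `check_example()` are this example's own; the comparisons use the same signed-difference trick the kernel uses so the lower bound stays correct across 32-bit sequence wraparound.

```c
/* Added example (not kernel code): RFC 793 ACK-bit drop + RFC 5961 5.2 ACK window. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define TCP_FLAG_ACK 0x10

/* Sequence-space comparisons that stay correct across 32-bit wraparound. */
static inline bool tcp_before(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) < 0;
}

static inline bool tcp_after(uint32_t a, uint32_t b)
{
	return tcp_before(b, a);
}

enum ack_verdict {
	ACK_DROP,       /* RFC 793 3.9: ACK bit off, drop the segment silently   */
	ACK_CHALLENGE,  /* RFC 5961 5.2: ACK out of window, discard, send an ACK */
	ACK_ACCEPT,     /* ACK value acceptable, continue normal processing      */
};

/* Minimal per-connection state needed for the check (constructed, not struct tcp_sock). */
struct conn_state {
	uint32_t snd_una;      /* SND.UNA: oldest unacknowledged sequence number     */
	uint32_t snd_nxt;      /* SND.NXT: next sequence number to be sent           */
	uint32_t max_snd_wnd;  /* MAX.SND.WND: largest window the peer ever offered  */
};

enum ack_verdict tcp_check_incoming_ack(const struct conn_state *st,
					uint8_t tcp_flags, uint32_t seg_ack)
{
	/* RFC 793: without the ACK bit no ACK test runs at all; the segment is dropped.
	 * Skipping this step is what let a guessed sequence number bypass the checks. */
	if (!(tcp_flags & TCP_FLAG_ACK))
		return ACK_DROP;

	/* RFC 5961 5.2: acceptable only if (SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT.
	 * The lower bound is computed in modular arithmetic, so it may wrap below zero. */
	if (tcp_before(seg_ack, st->snd_una - st->max_snd_wnd))
		return ACK_CHALLENGE;
	if (tcp_after(seg_ack, st->snd_nxt))
		return ACK_CHALLENGE;

	return ACK_ACCEPT;
}

/* Constructed connection state for the stand-alone demo: the lower bound
 * 100 - 200 wraps to 0xFFFFFF9C, which exercises the wraparound path. */
enum ack_verdict check_example(uint8_t tcp_flags, uint32_t seg_ack)
{
	const struct conn_state st = {
		.snd_una = 100,
		.snd_nxt = 1100,
		.max_snd_wnd = 200,
	};
	return tcp_check_incoming_ack(&st, tcp_flags, seg_ack);
}

int main(void)
{
	printf("no ACK flag, ack=500        -> %d (0 = drop)\n", check_example(0, 500));
	printf("ACK, ack=500 (in window)    -> %d (2 = accept)\n", check_example(TCP_FLAG_ACK, 500));
	printf("ACK, ack=0xFFFFFFF0 (wrap)  -> %d (2 = accept)\n", check_example(TCP_FLAG_ACK, 0xFFFFFFF0u));
	printf("ACK, ack=0xFFFFFF00 (below) -> %d (1 = challenge)\n", check_example(TCP_FLAG_ACK, 0xFFFFFF00u));
	printf("ACK, ack=1101 (above NXT)   -> %d (1 = challenge)\n", check_example(TCP_FLAG_ACK, 1101));
	return 0;
}
```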

commit 8ded7a2148a5f68d514f1fba0e35a01334bb077e
Merge: c5916b2 a52d4ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 15 13:12:17 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	security/Kconfig

commit a52d4ca1dd5e965610ec305fc3972b8d94c7e368
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 15 13:11:19 2012 -0500

    Update to pax-linux-3.2.35-test87.patch:
    - size overflow plugin update from Emese (new hashtable format, small fixes)
    - introduced local_unchecked_t and related wrappers to handle exceptional cases of non-refcounting local_t variables
    - fixed ftrace/kgdb/kprobes for i386/KERNEXEC

 arch/x86/include/asm/local.h             |   66 +
 arch/x86/kernel/ftrace.c                 |    6 +-
 arch/x86/kernel/kgdb.c                   |   15 +-
 arch/x86/kernel/kprobes.c                |   18 +-
 arch/x86/mm/pageattr.c                   |    2 +-
 drivers/misc/kgdbts.c                    |    4 +-
 include/asm-generic/atomic-long.h        |   21 +
 include/asm-generic/local.h              |   12 +
 kernel/trace/ring_buffer.c               |   74 +-
 security/Kconfig                         |    2 +-
 tools/gcc/generate_size_overflow_hash.sh |   12 +-
 tools/gcc/size_overflow_hash.data        | 6768 +++++++++++++++---------------
 tools/gcc/size_overflow_plugin.c         |  107 +-
 13 files changed, 3633 insertions(+), 3474 deletions(-)

commit c5916b296e273fce1caeeb45d4e4d3867deec87e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 7 15:40:59 2012 -0500

    compile fix

 grsecurity/grsec_sig.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit ee1c61148459011ca589a4e4c0713ac0b901f60a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Dec 7 15:16:19 2012 -0500

    Improve usability of GRKERNSEC_BRUTE, sponsorship work for Exonet:
    Log when activating bruteforce protection against a network daemon
    Expire the bruteforce protection in 30 minutes if no new crashes occur
    Check sysctl option at time of stalling forks so that flagged processes
    don't still delay when the feature is disabled and require a service restart
    
    Conflicts:
    
    	grsecurity/grsec_sig.c
    	include/linux/sched.h

 fs/exec.c                  |    2 +-
 grsecurity/grsec_sig.c     |   19 ++++++++++++++++---
 include/linux/grmsg.h      |    1 +
 include/linux/grsecurity.h |    2 +-
 include/linux/sched.h      |    1 +
 5 files changed, 20 insertions(+), 5 deletions(-)

commit abd28eb0c0348df8d14a951adc5b9dc367e00549
Author: Mel Gorman <mgorman@suse.de>
Date:   Wed Dec 5 14:01:41 2012 -0800

    Upstream commit: 18a2f371f5edf41810f6469cb9be39931ef9deb9
    
    tmpfs: fix shared mempolicy leak
    
    This fixes a regression in 3.7-rc, which has since gone into stable.
    
    Commit 00442ad04a5e ("mempolicy: fix a memory corruption by refcount
    imbalance in alloc_pages_vma()") changed get_vma_policy() to raise the
    refcount on a shmem shared mempolicy; whereas shmem_alloc_page() went
    on expecting alloc_page_vma() to drop the refcount it had acquired.
    This deserves a rework: but for now fix the leak in shmem_alloc_page().
    
    Hugh: shmem_swapin() did not need a fix, but surely it's clearer to use
    the same refcounting there as in shmem_alloc_page(), delete its onstack
    mempolicy, and the strange mpol_cond_copy() and __mpol_cond_copy() -
    those were invented to let swapin_readahead() make an unknown number of
    calls to alloc_pages_vma() with one mempolicy; but since 00442ad04a5e,
    alloc_pages_vma() has kept refcount in balance, so now no problem.
    
    Reported-and-tested-by: Tommi Rantala <tt.rantala@gmail.com>
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/mempolicy.h |   16 ----------------
 mm/mempolicy.c            |   22 ----------------------
 mm/shmem.c                |   26 ++++++++++++++++----------
 3 files changed, 16 insertions(+), 48 deletions(-)

commit 86f90506694f57b63088c0d2830a4a832cc1b02f
Merge: 34d98a8 19185bb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 6 18:07:29 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 19185bba4d966a0558f7ac906387f32ccc5591ce
Merge: e621524 20c7bbd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 6 18:07:11 2012 -0500

    Update to pax-linux-3.2.35-test86.patch
    
    Merge branch 'linux-3.2.y' into pax-stable2
    
    Conflicts:
    	arch/x86/mm/init.c

commit 34d98a8122b0074dce27c120c0c3edc21436c9e1
Merge: 58f5c17 e621524
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 4 19:02:00 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e621524e2124443b09c8dae6a0b8f983b737bbff
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 4 19:01:02 2012 -0500

    Update to pax-linux-3.2.34-test86.patch:
    - removed old cruft
    - fixed i386/fpu regression introduced by a previous backport, thanks to Kevin Chadwick for reporting it

 arch/x86/include/asm/i387.h |    9 ++++++++-
 arch/x86/kernel/traps.c     |    2 +-
 arch/x86/power/cpu.c        |    4 ----
 3 files changed, 9 insertions(+), 6 deletions(-)

commit 58f5c17182d8bf32d3036187ae4af2cadef612ee
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Nov 29 22:17:21 2012 -0500

    Upstream commit: 21d8a15ac333b05f1fecdf9fdc30996be2e11d60
    
    lookup_one_len: don't accept . and ..
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
    	fs/namei.c

 fs/namei.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 5da6dd34fda33e4ec8fd8205ab20d925a3c5682b
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Nov 29 22:11:06 2012 -0500

    Upstream commit: 0903a0c8491c1e987dfc6eb294199a36760398bc
    
    cifs: get rid of blind d_drop() in readdir
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/cifs/readdir.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit ab72d7098e8f37f2d2da74a25155bab9ab09c299
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Nov 29 22:04:36 2012 -0500

    Upstream commit: c44600c9d1de64314c2bd58103f15acb53e10073
    
    nfs_lookup_revalidate(): fix a leak
    
    We are leaking fattr and fhandle if we decide that dentry is not to
    be invalidated, after all (e.g. happens to be a mountpoint).  Just
    free both before that...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/nfs/dir.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 29cef27ba3d92da2c1f4bab82d69e49a2e5dba1b
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Nov 29 22:00:51 2012 -0500

    Upstream commit: 696199f8ccf7fc6d17ef89c296ad3b6c78c52d9c
    
    don't do blind d_drop() in nfs_prime_dcache()
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/nfs/dir.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 970c1ac809323ee3b8313250adbbe758a81f48d2
Author: H. Peter Anvin <hpa@linux.intel.com>
Date:   Wed Nov 21 14:41:21 2012 -0800

    Upstream commit: cb7cb2864e758a1b040040bc55e404c677c911cb
    
    x86, kvm: Remove incorrect redundant assembly constraint
    
    In __emulate_1op_rax_rdx, we use "+a" and "+d" which are input/output
    constraints, and *then* use "a" and "d" as input constraints.  This is
    incorrect, but happens to work on some versions of gcc.
    
    However, it breaks gcc with -O0 and icc, and may break on future
    versions of gcc.
    
    Reported-and-tested-by: Melanie Blower <melanie.blower@intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Link: http://lkml.kernel.org/r/B3584E72CFEBED439A3ECA9BCE67A4EF1B17AF90@FMSMSX107.amr.corp.intel.com
    Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
    Acked-by: Marcelo Tosatti <mtosatti@redhat.com>

 arch/x86/kvm/emulate.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit b1c117eadf2b219c51680c3a844e94ee97b3f719
Author: Mike Galbraith <mgalbraith@suse.de>
Date:   Wed Nov 28 07:17:18 2012 +0100

    Upstream commit: 412d32e6c98527078779e5b515823b2810e40324
    
    workqueue: exit rescuer_thread() as TASK_RUNNING
    
    A rescue thread exiting TASK_INTERRUPTIBLE can lead to a task scheduling
    off, never to be seen again.  In the case where this occurred, an exiting
    thread hit reiserfs homebrew conditional resched while holding a mutex,
    bringing the box to its knees.
    
    PID: 18105  TASK: ffff8807fd412180  CPU: 5   COMMAND: "kdmflush"
     #0 [ffff8808157e7670] schedule at ffffffff8143f489
     #1 [ffff8808157e77b8] reiserfs_get_block at ffffffffa038ab2d [reiserfs]
     #2 [ffff8808157e79a8] __block_write_begin at ffffffff8117fb14
     #3 [ffff8808157e7a98] reiserfs_write_begin at ffffffffa0388695 [reiserfs]
     #4 [ffff8808157e7ad8] generic_perform_write at ffffffff810ee9e2
     #5 [ffff8808157e7b58] generic_file_buffered_write at ffffffff810eeb41
     #6 [ffff8808157e7ba8] __generic_file_aio_write at ffffffff810f1a3a
     #7 [ffff8808157e7c58] generic_file_aio_write at ffffffff810f1c88
     #8 [ffff8808157e7cc8] do_sync_write at ffffffff8114f850
     #9 [ffff8808157e7dd8] do_acct_process at ffffffff810a268f
        [exception RIP: kernel_thread_helper]
        RIP: ffffffff8144a5c0  RSP: ffff8808157e7f58  RFLAGS: 00000202
        RAX: 0000000000000000  RBX: 0000000000000000  RCX: 0000000000000000
        RDX: 0000000000000000  RSI: ffffffff8107af60  RDI: ffff8803ee491d18
        RBP: 0000000000000000   R8: 0000000000000000   R9: 0000000000000000
        R10: 0000000000000000  R11: 0000000000000000  R12: 0000000000000000
        R13: 0000000000000000  R14: 0000000000000000  R15: 0000000000000000
        ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
    
    Signed-off-by: Mike Galbraith <mgalbraith@suse.de>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: stable@vger.kernel.org

 kernel/workqueue.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 5ac46de6182d0b680d2874fb5cc20fd2246f9a4f
Author: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Date:   Thu Nov 29 13:54:34 2012 -0800

    Upstream commit: 783657a7dc20e5c0efbc9a09a9dd38e238a723da
    
    mm: soft offline: split thp at the beginning of soft_offline_page()
    
    When we try to soft-offline a thp tail page, put_page() is called on the
    tail page unthinkingly and VM_BUG_ON is triggered in put_compound_page().
    
    This patch splits thp before going into the main body of soft-offlining.
    
    Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: Andi Kleen <andi@firstfloor.org>
    Cc: Tony Luck <tony.luck@intel.com>
    Cc: Andi Kleen <andi.kleen@intel.com>
    Cc: Wu Fengguang <fengguang.wu@intel.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memory-failure.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 3c50c636930bae6199f27596f7db63f98a0d1542
Author: Jianguo Wu <wujianguo@huawei.com>
Date:   Thu Nov 29 13:54:21 2012 -0800

    Upstream commit: ae64ffcac35de0db628ba9631edf8ff34c5cd7ac
    
    mm/vmemmap: fix wrong use of virt_to_page
    
    I enabled CONFIG_DEBUG_VIRTUAL and CONFIG_SPARSEMEM_VMEMMAP; when doing
    memory hotremove, there is a kernel BUG at arch/x86/mm/physaddr.c:20.
    
    It is caused by free_section_usemap()->virt_to_page(): virt_to_page() is
    only used for kernel direct mapping addresses, but sparse-vmemmap uses
    vmemmap addresses, so it goes wrong here.
    
      ------------[ cut here ]------------
      kernel BUG at arch/x86/mm/physaddr.c:20!
      invalid opcode: 0000 [#1] SMP
      Modules linked in: acpihp_drv acpihp_slot edd cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq mperf fuse vfat fat loop dm_mod coretemp kvm crc32c_intel ipv6 ixgbe igb iTCO_wdt i7core_edac edac_core pcspkr iTCO_vendor_support ioatdma microcode joydev sr_mod i2c_i801 dca lpc_ich mfd_core mdio tpm_tis i2c_core hid_generic tpm cdrom sg tpm_bios rtc_cmos button ext3 jbd mbcache usbhid hid uhci_hcd ehci_hcd usbcore usb_common sd_mod crc_t10dif processor thermal_sys hwmon scsi_dh_alua scsi_dh_hp_sw scsi_dh_rdac scsi_dh_emc scsi_dh ata_generic ata_piix libata megaraid_sas scsi_mod
      CPU 39
      Pid: 6454, comm: sh Not tainted 3.7.0-rc1-acpihp-final+ #45 QCI QSSC-S4R/QSSC-S4R
      RIP: 0010:[<ffffffff8103c908>]  [<ffffffff8103c908>] __phys_addr+0x88/0x90
      RSP: 0018:ffff8804440d7c08  EFLAGS: 00010006
      RAX: 0000000000000006 RBX: ffffea0012000000 RCX: 000000000000002c
      ...
    
    Signed-off-by: Jianguo Wu <wujianguo@huawei.com>
    Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
    Reviewed-by: Wen Congyang <wency@cn.fujitsu.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/sparse.c |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

commit 053df3aac0287316519822981cfd5f1ef4a91d0e
Merge: 4b3f03c b01ae0b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 3 17:25:01 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit b01ae0beceb65c6adcbeab3bd664ae62d38235b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Dec 3 17:24:38 2012 -0500

    Update to pax-linux-3.2.34-test85.patch:
    - fixed a refcount false positive in the USB stack, thanks to Christian Perle for reporting it

 drivers/usb/core/hcd.c   |    4 ++--
 drivers/usb/core/sysfs.c |    2 +-
 drivers/usb/core/usb.c   |    2 +-
 include/linux/usb.h      |    2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

commit 4b3f03c2e7867a82605463dc55f19b2f522e14ac
Author: Oliver Hartkopp <socketcan@hartkopp.net>
Date:   Mon Nov 26 22:24:23 2012 +0100

    Upstream commit: 81b401100c01d2357031e874689f89bd788d13cd
    
    can: bcm: initialize ifindex for timeouts without previous frame reception
    
    Set the rx_ifindex to pass the correct interface index in the case of a
    message timeout detection. Usually the rx_ifindex value is set at receive
    time. But when no CAN frame has been received the RX_TIMEOUT notification
    did not contain a valid value.
    
    Cc: linux-stable <stable@vger.kernel.org>
    Reported-by: Andre Naujoks <nautsch2@googlemail.com>
    Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

 net/can/bcm.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 557bb5a74e935f43720867efc2a67eae80dc78c5
Author: Eric Dumazet <edumazet@google.com>
Date:   Sun Nov 25 09:44:29 2012 +0000

    Upstream commit: b49d3c1e1c948d76d64790abe9acffa9fa747d19
    
    net: ipmr: limit MRT_TABLE identifiers
    
    Names of pimreg devices are built from the following format:
    
    char name[IFNAMSIZ]; // IFNAMSIZ == 16
    
    sprintf(name, "pimreg%u", mrt->id);
    
    We must therefore limit mrt->id to 9 decimal digits
    or risk a buffer overflow and a crash.
    
    Restrict table identifiers to the [0 ... 999999999] interval.
    
    Reported-by: Chen Gang <gang.chen@asianux.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ipmr.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
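
The arithmetic behind the limit above, as an added C example (not the ipmr code): "pimreg" is 6 bytes, a NUL is 1, so only 9 decimal digits fit in a char[IFNAMSIZ] of 16, while a 32-bit id can need 10. `pimreg_name_size()`, `mrt_table_id_valid()` and `build_pimreg_name()` are this example's own names; the formatter also checks snprintf's reported length so a name that would not fit is never produced.

```c
/* Added example (not kernel code): bounding a u32 table id before formatting "pimreg%u". */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define IFNAMSIZ 16
#define MRT_TABLE_MAX_ID 999999999u   /* 9 digits: 6 ("pimreg") + 9 + 1 (NUL) == IFNAMSIZ */

/* Bytes needed to hold "pimreg<id>" including the terminating NUL. */
size_t pimreg_name_size(uint32_t id)
{
	return (size_t)snprintf(NULL, 0, "pimreg%u", id) + 1;
}

/* The check the fix adds, as a predicate: ids longer than 9 digits are rejected up front. */
bool mrt_table_id_valid(uint32_t id)
{
	return id <= MRT_TABLE_MAX_ID;
}

/* Bounded formatter: 0 on success, -1 (and an empty name) if the id is out of range
 * or the formatted name would be truncated. A plain sprintf() here, as in the
 * pre-fix code, would write past the 16-byte buffer for ids >= 1000000000. */
int build_pimreg_name(char name[IFNAMSIZ], uint32_t id)
{
	int n;

	name[0] = '\0';
	if (!mrt_table_id_valid(id))
		return -1;

	n = snprintf(name, IFNAMSIZ, "pimreg%u", id);
	/* snprintf returns the untruncated length, so n >= IFNAMSIZ means truncation. */
	if (n < 0 || n >= IFNAMSIZ) {
		name[0] = '\0';
		return -1;
	}
	return 0;
}

int main(void)
{
	char name[IFNAMSIZ];
	uint32_t ids[] = { 0, MRT_TABLE_MAX_ID, MRT_TABLE_MAX_ID + 1, UINT32_MAX };

	for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
		int rc = build_pimreg_name(name, ids[i]);
		printf("id=%u needs %zu bytes -> %s\n", ids[i], pimreg_name_size(ids[i]),
		       rc == 0 ? name : "rejected");
	}
	return 0;
}
```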

commit 0c9309648d93c5fd45e46205866a0656885fbb7f
Author: Schoch Christian <e0326715@student.tuwien.ac.at>
Date:   Wed Nov 28 05:18:29 2012 +0000

    Upstream commit: 92d64c261e77cb2a6117887617e2a629fea6b67c
    
    sctp: Error in calculation of RTTvar
    
    The calculation of RTTVAR involves the subtraction of two unsigned
    numbers, which may cause rollover and result in very high values of
    RTTVAR when RTT > SRTT.
    With this patch it is possible to set RTOmin = 1 to get the minimum of RTO at
    4 times the clock granularity.
    
    Change Notes:
    
    v2)
            *Replaced abs() by abs64() and long by __s64, changed patch
    description.
    
    Signed-off-by: Christian Schoch <e0326715@student.tuwien.ac.at>
    CC: Vlad Yasevich <vyasevich@gmail.com>
    CC: Sridhar Samudrala <sri@us.ibm.com>
    CC: Neil Horman <nhorman@tuxdriver.com>
    CC: linux-sctp@vger.kernel.org
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/sctp/transport.c

 net/sctp/transport.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
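
The rollover described above, as an added C example (not the SCTP transport code): the RFC 4960 5.3.1 RTTVAR update written in shift form (alpha = 1/8, beta = 1/4), once with the unsigned subtraction that wraps when RTT > SRTT and once with the signed 64-bit widening the fix introduces. The `rtt_state` struct, the function names and the sample values (SRTT 100, RTTVAR 20, RTT 140) are constructed for this example.

```c
/* Added example (not kernel code): unsigned subtraction before abs() vs. widening to signed. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define RTO_ALPHA 3   /* alpha = 1/8, applied as a right shift */
#define RTO_BETA  2   /* beta  = 1/4, applied as a right shift */

struct rtt_state {
	uint32_t srtt;    /* smoothed RTT   */
	uint32_t rttvar;  /* RTT variation  */
};

/* Buggy form: srtt - rtt is evaluated in unsigned arithmetic, so when rtt > srtt
 * it wraps to a value near 2^32; abs() of an unsigned operand changes nothing. */
uint32_t rttvar_next_unsigned(uint32_t srtt, uint32_t rttvar, uint32_t rtt)
{
	uint32_t diff = srtt - rtt;                       /* wraps when rtt > srtt */
	return rttvar - (rttvar >> RTO_BETA) + (diff >> RTO_BETA);
}

/* Fixed form: widen both operands to a signed 64-bit type, subtract, then take
 * the absolute value (the fix uses abs64() on an __s64 for the same purpose). */
uint32_t rttvar_next_fixed(uint32_t srtt, uint32_t rttvar, uint32_t rtt)
{
	int64_t diff = (int64_t)srtt - (int64_t)rtt;
	uint64_t adiff = (uint64_t)llabs(diff);
	return rttvar - (rttvar >> RTO_BETA) + (uint32_t)(adiff >> RTO_BETA);
}

/* Full update with the fixed RTTVAR: returns RTO = SRTT + 4 * RTTVAR (RFC 4960 5.3.1),
 * with the RTTVAR update done before SRTT as the RFC specifies. Clamping to RTO.Min/Max is omitted. */
uint32_t rto_after_sample_fixed(struct rtt_state *s, uint32_t rtt)
{
	s->rttvar = rttvar_next_fixed(s->srtt, s->rttvar, rtt);
	s->srtt = s->srtt - (s->srtt >> RTO_ALPHA) + (rtt >> RTO_ALPHA);
	return s->srtt + (s->rttvar << 2);
}

int main(void)
{
	struct rtt_state s = { .srtt = 100, .rttvar = 20 };
	uint32_t rtt = 140;   /* a sample larger than SRTT triggers the rollover */

	printf("unsigned RTTVAR: %u\n", rttvar_next_unsigned(s.srtt, s.rttvar, rtt));
	printf("fixed    RTTVAR: %u\n", rttvar_next_fixed(s.srtt, s.rttvar, rtt));
	printf("RTO after sample: %u\n", rto_after_sample_fixed(&s, rtt));
	return 0;
}
```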

commit 0b5be1ad7d4041f743d726dcf26bb3c1558afc1a
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Mon Nov 26 05:57:27 2012 +0000

    Upstream commit: bd97120fc3d1a11f3124c7c9ba1d91f51829eb85
    
    vhost: fix length for cross region descriptor
    
    If a single descriptor crosses a region, the
    second chunk length should be decremented
    by the size translated so far; instead it includes
    the full descriptor length.
    
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/vhost.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0de4c83b06af082237ce8f17d15acbd92d5b9511
Author: Florian Westphal <fw@strlen.de>
Date:   Thu Nov 22 01:32:45 2012 +0000

    Upstream commit: 4a6dd664eba59488c9e56b51a594396d7706eb08
    
    netfilter: ipset: fix netiface set name overflow
    
    The attribute is copied to an IFNAMSIZ-sized stack variable,
    but IFNAMSIZ is smaller than IPSET_MAXNAMELEN.
    
    Fortunately nfnetlink needs CAP_NET_ADMIN.
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/ipset/ip_set_hash_netiface.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5e6be5b576c6d2c54bb5a238ab598d7cc6e0f078
Author: Tommi Rantala <tt.rantala@gmail.com>
Date:   Mon Nov 26 04:16:44 2012 +0000

    Upstream commit: c3b2c2581988d304127c2aa218430b5fca88ce56
    
    irda: irttp: fix memory leak in irttp_open_tsap() error path
    
    Clean up the memory we allocated earlier in irttp_open_tsap() when we hit
    this error path. The leak goes back to at least 1da177e4
    ("Linux-2.6.12-rc2").
    
    Discovered with Trinity (the syscall fuzzer).
    
    Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/irda/irttp.c

 net/irda/irttp.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 133b51eac82695af4acf8df4cabcd01968b1897f
Author: Tommi Rantala <tt.rantala@gmail.com>
Date:   Tue Nov 27 04:01:46 2012 +0000

    Upstream commit: be364c8c0f17a3dd42707b5a090b318028538eb9
    
    sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
    
    Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
    reproducible e.g. with the sendto() syscall by passing invalid
    user space pointer in the second argument:
    
     #include <string.h>
     #include <arpa/inet.h>
     #include <sys/socket.h>
    
     int main(void)
     {
             int fd;
             struct sockaddr_in sa;
    
             fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
             if (fd < 0)
                     return 1;
    
             memset(&sa, 0, sizeof(sa));
             sa.sin_family = AF_INET;
             sa.sin_addr.s_addr = inet_addr("127.0.0.1");
             sa.sin_port = htons(11111);
    
             sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
    
             return 0;
     }
    
    As far as I can tell, the leak has been around since ~2003.
    
    Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/chunk.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit b869ac767054bf5bc1517b909be22245baefd3b0
Merge: 31fd091 d82afa7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 1 11:11:12 2012 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit d82afa74be4ef92c3ba77374156b8e6bde1e47dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 1 11:10:28 2012 -0500

    Updated to pax-linux-3.2.34-test84.patch:
    - simplified/synchronized some UDEREF/amd64 logic based on the 3.7 forward port

 arch/x86/include/asm/futex.h      |    2 +-
 arch/x86/include/asm/i387.h       |   18 +++------
 arch/x86/include/asm/uaccess_64.h |   79 +++++-------------------------------
 arch/x86/include/asm/xsave.h      |   20 ++++------
 arch/x86/kernel/dumpstack_32.c    |    2 +-
 arch/x86/kernel/dumpstack_64.c    |    2 +-
 arch/x86/kernel/entry_64.S        |    2 +-
 arch/x86/kernel/process_32.c      |    2 +-
 arch/x86/kernel/xsave.c           |    5 +-
 arch/x86/lib/csum-wrappers_64.c   |   16 +-------
 arch/x86/lib/usercopy_64.c        |   21 +--------
 11 files changed, 37 insertions(+), 132 deletions(-)

commit 31fd091aba4bf457f22a4deb9cd82bf9acff3db0
Author: Darren Hart <dvhart@linux.intel.com>
Date:   Mon Nov 26 16:29:56 2012 -0800

    Upstream commit: aa10990e028cac3d5e255711fb9fb47e00700e35
    
    futex: avoid wake_futex() for a PI futex_q
    
    Dave Jones reported a bug with futex_lock_pi() that his trinity test
    exposed.  Sometime between queue_me()