commit 286d05850e53e0022480d4c35714f5b5ef5c1aef
Merge: 89dfe39 8ed4197
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 18 18:22:54 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 8ed4197990352a357168cbdfc9c0d67179312aa8
Merge: 3697d2c 318ff69
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 18 18:22:46 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	fs/dcache.c

commit 89dfe393106f1200a036b51790de967da1ed1d23
Author: Manfred Spraul <manfred@colorfullife.com>
Date:   Fri Aug 14 15:35:10 2015 -0700

    ipc/sem.c: update/correct memory barriers
    
    sem_lock() did not properly pair memory barriers:
    
    !spin_is_locked() and spin_unlock_wait() are both only control barriers.
    The code needs an acquire barrier, otherwise the cpu might perform read
    operations before the lock test.
    
    As no primitive exists inside <include/spinlock.h> and since it seems
    no one wants another primitive, the code creates a local primitive within
    ipc/sem.c.
    
    With regards to -stable:
    
    The change of sem_wait_array() is a bugfix, the change to sem_lock() is a
    nop (just a preprocessor redefinition to improve the readability).  The
    bugfix is necessary for all kernels that use sem_wait_array() (i.e.:
    starting from 3.10).
    
    Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
    Reported-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
    Cc: Kirill Tkhai <ktkhai@parallels.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Cc: <stable@vger.kernel.org>	[3.10+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	ipc/sem.c

 ipc/sem.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

commit ed0fd6c10c3d2393f4197516073bc0e1c9d4be72
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 20:36:14 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit b8e50c55dc3137209cd4a4bbd6af8289cd7a4b20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 20:08:48 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

commit 0e1816101e3a44ef185e3ad1f8b10c09a5d595cf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Tue Aug 4 23:23:50 2015 -0400

    may_follow_link() should use nd->inode
    
    Now that we can get there in RCU mode, we shouldn't play with
    nd->path.dentry->d_inode - it's not guaranteed to be stable.
    Use nd->inode instead.
    
    Reported-by: Hugh Dickins <hughd@google.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namei.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d11b6255c4b22a9d9d4b799f4974c65caade2a1b
Author: David S. Miller <davem@davemloft.net>
Date:   Thu Aug 6 19:13:25 2015 -0700

    sparc64: Fix userspace FPU register corruptions.
    
    If we have a series of events from userspace, with %fprs=FPRS_FEF,
    like follows:
    
    ETRAP
    	ETRAP
    		VIS_ENTRY(fprs=0x4)
    		VIS_EXIT
    		RTRAP (kernel FPU restore with fpu_saved=0x4)
    	RTRAP
    
    We will not restore the user registers that were clobbered by the FPU
    using kernel code in the inner-most trap.
    
    Traps allocate FPU save slots in the thread struct, and FPU using
    sequences save the "dirty" FPU registers only.
    
    This works at the initial trap level because all of the registers
    get recorded into the top-level FPU save area, and we'll return
    to userspace with the FPU disabled so that any FPU use by the user
    will take an FPU disabled trap wherein we'll load the registers
    back up properly.
    
    But this is not how trap returns from kernel to kernel operate.
    
    The simplest fix for this bug is to always save all FPU register state
    for anything other than the top-most FPU save area.
    
    Getting rid of the optimized inner-slot FPU saving code ends up
    making VISEntryHalf degenerate into plain VISEntry.
    
    Longer term we need to do something smarter to reinstate the partial
    save optimizations.  Perhaps the fundamental error is having trap entry
    and exit allocate FPU save slots and restore register state.  Instead,
    the VISEntry et al. calls should be doing that work.
    
    This bug is about two decades old.
    
    Reported-by: James Y Knight <jyknight@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/include/asm/visasm.h |   16 +++------
 arch/sparc/lib/NG4memcpy.S      |    5 ++-
 arch/sparc/lib/VISsave.S        |   67 +-------------------------------------
 arch/sparc/lib/ksyms.c          |    4 --
 4 files changed, 11 insertions(+), 81 deletions(-)

commit 2a1611d1553a342bf1662bd7aa919f1c18c70c5f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat Aug 1 15:33:26 2015 +0300

    rds: fix an integer overflow test in rds_info_getsockopt()
    
    "len" is a signed integer.  We check that len is not negative, so it
    goes from zero to INT_MAX.  PAGE_SIZE is unsigned long so the comparison
    is type promoted to unsigned long.  ULONG_MAX - 4095 is higher than
    INT_MAX so the condition can never be true.
    
    I don't know if this is harmful but it seems safe to limit "len" to
    INT_MAX - 4095.
    
    Fixes: a8c879a7ee98 ('RDS: Info and stats')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/info.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
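
The promotion problem this commit describes, as an added userland example (constructed for this changelog; not the code of net/rds/info.c): a signed `len` compared against a bound derived from ULONG_MAX is promoted to unsigned long, so the bound is unreachable and the clause is dead; rebasing the bound on INT_MAX makes it effective again. PAGE_SIZE is assumed to be 4096 as an unsigned long, and `max_accepted()` is a hypothetical probe that binary-searches for the largest length each variant lets through.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the kernel's PAGE_SIZE: an unsigned long, as on x86-64. */
#define PAGE_SIZE 4096UL

/*
 * Shape of the check the commit describes as broken (constructed here).
 * "len" is a signed int and the bound is ULONG_MAX - 4095.  Under the
 * usual arithmetic conversions len is promoted to unsigned long, and no
 * int can exceed that bound, so the second clause can never be true:
 * only negative lengths are ever rejected.  Returns true on rejection.
 */
static bool rejects_len_broken(int len)
{
	return len < 0 || len > ULONG_MAX - PAGE_SIZE + 1;
}

/*
 * Same check with the bound the commit settles on, INT_MAX - 4095.  That
 * value is below INT_MAX, so a promoted int can actually exceed it.
 */
static bool rejects_len_fixed(int len)
{
	return len < 0 || len > INT_MAX - PAGE_SIZE + 1;
}

/*
 * Hypothetical probe: largest non-negative len a check accepts.  The
 * accepted set is a prefix [0, max] for both variants (the predicate is
 * monotone), so a binary search over [0, INT_MAX] finds the edge.
 */
static int max_accepted(bool (*rejects)(int))
{
	int lo = 0, hi = INT_MAX;          /* invariant: lo is accepted */

	while (lo < hi) {
		int mid = lo + (hi - lo) / 2 + 1;   /* lo < mid <= hi, no overflow */
		if (rejects(mid))
			hi = mid - 1;
		else
			lo = mid;
	}
	return lo;
}

int main(void)
{
	printf("broken check accepts up to %d (INT_MAX is %d)\n",
	       max_accepted(rejects_len_broken), INT_MAX);
	printf("fixed check accepts up to  %d (INT_MAX - 4095 is %d)\n",
	       max_accepted(rejects_len_fixed), INT_MAX - 4095);
	return 0;
}
```

Compiling with -Wextra usually surfaces this class of bug as a sign-compare or "comparison is always false" warning, which is the cheap check to run over similar bounds before relying on them.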

commit 6f370910c0f4b9ba1499bf03917d1a3e5a4f951d
Merge: c0c3caf 3697d2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 19:35:08 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit 3697d2c56f650d2cf5033fec248b7fc8e0424334
Merge: f458751 9b8b905
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 19:30:05 2015 -0400

    Update to pax-linux-3.14.50-test55.patch:
    - Emese updated the size overflow hash table, reported by Kotcauer Péter <int21h@pirosfeketefa.hu>
    - updated .gitignore for the size overflow plugin, by spender
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	mm/memory.c

commit c0c3cafb37f6a8a09ef1667cf1462c1b0be976a7
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Tue Aug 4 15:42:47 2015 +0800

    net: Fix skb_set_peeked use-after-free bug
    
    The commit 738ac1ebb96d02e0d23bc320302a6ea94c612dec ("net: Clone
    skb before setting peeked flag") introduced a use-after-free bug
    in skb_recv_datagram.  This is because skb_set_peeked may create
    a new skb and free the existing one.  As it stands the caller will
    continue to use the old freed skb.
    
    This patch fixes it by making skb_set_peeked return the new skb
    (or the old one if unchanged).
    
    Fixes: 738ac1ebb96d ("net: Clone skb before setting peeked flag")
    Reported-by: Brenden Blanco <bblanco@plumgrid.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Tested-by: Brenden Blanco <bblanco@plumgrid.com>
    Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/datagram.c |   13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)

commit 5931498551657e4dc2cef29f12f08c5e6d888e1a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 10 02:39:35 2015 -0400

    Backport virtio-net security fix by Jason Wang from:
    http://marc.info/?l=linux-netdev&m=143868216724068&w=2

 drivers/net/virtio_net.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 8294cfed52817442f875e284534863fb129e4239
Merge: ce7563d f458751
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 3 20:15:57 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit f458751cd7e4b4fe4a7b2be5165bfde46825b37f
Merge: 48ee1d1 6c180de
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 3 20:15:49 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	lib/bitmap.c

commit ce7563d10bf12871ca045303e710e51aa46b904d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 2 08:24:19 2015 -0400

    Update plugins from 4.1 tree to fix reported compilation errors

 tools/gcc/kernexec_plugin.c  |    8 ++++++--
 tools/gcc/stackleak_plugin.c |    8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

commit b0ebd3a0cd8dfce7d968431e14a235e9f6344dfc
Author: Benjamin Randazzo <benjamin@randazzo.fr>
Date:   Sat Jul 25 16:36:50 2015 +0200

    md: use kzalloc() when bitmap is disabled
    
    In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
    mdu_bitmap_file_t called "file".
    
    5769         file = kmalloc(sizeof(*file), GFP_NOIO);
    5770         if (!file)
    5771                 return -ENOMEM;
    
    This structure is copied to user space at the end of the function.
    
    5786         if (err == 0 &&
    5787             copy_to_user(arg, file, sizeof(*file)))
    5788                 err = -EFAULT
    
    But if bitmap is disabled only the first byte of "file" is initialized
    with zero, so it's possible to read some bytes (up to 4095) of kernel
    space memory from user space. This is an information leak.
    
    5775         /* bitmap disabled, zero the first byte and copy out */
    5776         if (!mddev->bitmap_info.file)
    5777                 file->pathname[0] = '\0';
    
    Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
    Signed-off-by: NeilBrown <neilb@suse.com>
    
    Conflicts:
    
    	drivers/md/md.c
    
    Conflicts:
    
    	drivers/md/md.c

 drivers/md/md.c |    9 +++------
 1 files changed, 3 insertions(+), 6 deletions(-)
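
The information leak described in this commit, reduced to its data flow as an added example (constructed for this changelog, not code from drivers/md/md.c): a struct is allocated, only its first byte is written in the "bitmap disabled" case, and the whole struct is copied to the caller. `fake_kmalloc()` and `fake_kzalloc()` are hypothetical stand-ins for the kernel allocators; the first hands back deliberately dirty memory to mimic a recycled slab object, the second clears it. `bytes_leaked()` counts how many bytes of that stale memory reach the caller's copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the kernel's mdu_bitmap_file_t: a 4096-byte path. */
typedef struct {
	char pathname[4096];
} mdu_bitmap_file_t;

/*
 * One chunk of "heap" that is deliberately dirty, standing in for what
 * kmalloc() can return: memory last used by someone else and never
 * cleared.  Constructed for this example.
 */
static unsigned char fake_heap[sizeof(mdu_bitmap_file_t)];

static void *fake_kmalloc(size_t n)
{
	if (n > sizeof fake_heap)
		return NULL;
	memset(fake_heap, 0x41, sizeof fake_heap);   /* stale contents */
	return fake_heap;
}

static void *fake_kzalloc(size_t n)
{
	void *p = fake_kmalloc(n);

	if (p)
		memset(p, 0, n);                      /* what kzalloc() adds */
	return p;
}

/*
 * The get_bitmap_file() path the commit quotes, reduced to its data flow:
 * allocate, handle "bitmap disabled" by zeroing only pathname[0], then
 * copy the whole struct out (memcpy stands in for copy_to_user()).
 * Returns how many bytes of the copy are non-zero, i.e. how many bytes
 * of stale allocator memory reached the caller.
 */
static size_t bytes_leaked(void *(*alloc)(size_t))
{
	static unsigned char user_copy[sizeof(mdu_bitmap_file_t)];
	mdu_bitmap_file_t *file = alloc(sizeof *file);
	size_t leaked = 0;

	if (!file)
		return 0;
	file->pathname[0] = '\0';             /* bitmap disabled branch */
	memcpy(user_copy, file, sizeof *file);
	for (size_t i = 0; i < sizeof user_copy; i++)
		leaked += user_copy[i] != 0;
	return leaked;
}

static size_t bytes_leaked_kmalloc(void) { return bytes_leaked(fake_kmalloc); }
static size_t bytes_leaked_kzalloc(void) { return bytes_leaked(fake_kzalloc); }

int main(void)
{
	printf("kmalloc + first-byte zero: %zu stale bytes copied out\n",
	       bytes_leaked_kmalloc());
	printf("kzalloc + first-byte zero: %zu stale bytes copied out\n",
	       bytes_leaked_kzalloc());
	return 0;
}
```

The general rule the fix applies: any buffer that is copied to userspace in full must be fully initialised, either by zeroing at allocation (kzalloc) or by writing every field, since partial initialisation turns whatever the allocator recycled into an information leak.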

commit 471587eedcf82d0dd04d8b83787e14ff0cd49f8a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 1 14:55:32 2015 -0400

    From: Colin Ian King <colin.king () canonical com>
    Subject: [PATCH] KEYS: ensure we free the assoc array edit if edit is valid
    
    __key_link_end is not freeing the associated array edit structure
    and this leads to a 512 byte memory leak each time an identical
    existing key is added with add_key().
    
    The reason the add_key() system call returns okay is that
    key_create_or_update() calls __key_link_begin() before checking to see
    whether it can update a key directly rather than adding/replacing - which
    it turns out it can.  Thus __key_link() is not called through
    __key_instantiate_and_link() and __key_link_end() must cancel the edit.
    
    CVE-2015-1333
    
    Signed-off-by: Colin Ian King <colin.king () canonical com>
    Signed-off-by: David Howells <dhowells () redhat com>

 security/keys/keyring.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit c1369f92b80606cb7ffd429de33ebd8c0e7a413c
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jul 29 12:01:41 2015 +0200

    ipv6: flush nd cache on IFF_NOARP change
    
    This patch is the IPv6 equivalent of commit
    6c8b4e3ff81b ("arp: flush arp cache on IFF_NOARP change")
    
    Without it, we keep buggy neighbours in the cache, with destination
    MAC address equal to our own MAC address.
    
    Tested:
     tcpdump -i eth0 -s 0 ip6 -n -e &
     ip link set dev eth0 arp off
     ping6 remote   // sends buggy frames
     ip link set dev eth0 arp on
     ping6 remote   // should work once kernel is patched
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Mario Fanelli <mariofanelli@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ndisc.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 7775917003321535cefccd65c6bcb8eeea3bfc06
Author: Dmitry Skorodumov <sdmitry@parallels.com>
Date:   Tue Jul 28 18:38:32 2015 +0400

    x86/efi: Use all 64 bit of efi_memmap in setup_e820()
    
    The efi_info structure stores low 32 bits of memory map
    in efi_memmap and high 32 bits in efi_memmap_hi.
    
    While constructing the pointer in setup_e820(), we need to take all
    64 bits of the pointer into account.
    
    This is because on a 64-bit machine the function efi_get_memory_map()
    may return a full 64-bit pointer, and before the patch that pointer
    was truncated.
    
    The issue is triggered on a Parallels virtual machine and is fixed
    with this patch.
    
    Signed-off-by: Dmitry Skorodumov <sdmitry@parallels.com>
    Cc: Denis V. Lunev <den@openvz.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>

 arch/x86/boot/compressed/eboot.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 0632423d4abc1d08a59a76c46a69a2e05f6651cc
Author: Andy Lutomirski <luto@kernel.org>
Date:   Thu Jul 30 14:31:31 2015 -0700

    x86/xen: Probe target addresses in set_aliased_prot() before the hypercall
    
    The update_va_mapping hypercall can fail if the VA isn't present
    in the guest's page tables.  Under certain loads, this can
    result in an OOPS when the target address is in unpopulated vmap
    space.
    
    While we're at it, add comments to help explain what's going on.
    
    This isn't a great long-term fix.  This code should probably be
    changed to use something like set_memory_ro.
    
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Cc: Andrew Cooper <andrew.cooper3@citrix.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: David Vrabel <dvrabel@cantab.net>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Jan Beulich <jbeulich@suse.com>
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Sasha Levin <sasha.levin@oracle.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: security@kernel.org <security@kernel.org>
    Cc: <stable@vger.kernel.org>
    Cc: xen-devel <xen-devel@lists.xen.org>
    Link: http://lkml.kernel.org/r/0b0e55b995cda11e7829f140b833ef932fcabe3a.1438291540.git.luto@kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/xen/enlighten.c |   40 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 40 insertions(+), 0 deletions(-)

commit ded95122286210b52d26be1e020074c7a9802a01
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Aug 1 14:29:08 2015 -0400

    Backport fix for another vuln the fix for which was snuck into
    the 4.1-rc1 merge process by Al Viro.  Spotted by Ben Hutchings:
    http://seclists.org/oss-sec/2015/q3/271

 drivers/scsi/sg.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 960e1558b5298940df2cb7118cd8db72866aa051
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 16:12:36 2015 -0400

    Protect kexec_load_disabled as well, even though it's disabled under
    GRKERNSEC_KMEM already

 kernel/kexec.c  |    2 +-
 kernel/sysctl.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 760d79444778158d004db53dce473d460d1130fa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 15:10:12 2015 -0400

    Add additional missing Broadcom firmware

 firmware/Makefile                        |    1 +
 firmware/WHENCE                          |    1 +
 firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 ++++++++++++++++++++++++++++++
 3 files changed, 5806 insertions(+), 0 deletions(-)

commit 6ac33dbaa18adc6502b0948e18f879a882c0482a
Merge: ba18ee5 48ee1d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 12:19:30 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 48ee1d15a71aa3a2540872ddb370436493d36f06
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 12:18:43 2015 -0400

    Update to pax-linux-3.14.48-test53.patch:
    - fixed the constify plugin for gcc-5
    - Emese fixed the size_overflow plugin for gcc-5

 include/linux/compiler-gcc5.h                      |    1 -
 tools/gcc/constify_plugin.c                        |    6 +-
 tools/gcc/gcc-common.h                             |  130 +++++++++++++--
 .../insert_size_overflow_asm.c                     |  112 +++++++------
 .../insert_size_overflow_check_core.c              |   80 ++++-----
 .../insert_size_overflow_check_ipa.c               |  174 +++++++++++---------
 .../size_overflow_plugin/intentional_overflow.c    |   96 ++++++-----
 tools/gcc/size_overflow_plugin/misc.c              |   20 ++-
 .../size_overflow_plugin/remove_unnecessary_dup.c  |   19 +-
 tools/gcc/size_overflow_plugin/size_overflow.h     |   88 ++++++++--
 .../gcc/size_overflow_plugin/size_overflow_debug.c |   23 ++-
 .../size_overflow_plugin/size_overflow_plugin.c    |    7 +-
 .../size_overflow_plugin_hash.c                    |   31 ++---
 13 files changed, 495 insertions(+), 292 deletions(-)

commit ba18ee5eedba4a8fef7cc58b833077241a6ac85b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:49:44 2015 -0400

    compile fix

 kernel/sysctl.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 6f4c0de94d4457ef4a229013f62ddd16735461d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:02:49 2015 -0400

    compile fix

 grsecurity/grsec_sysctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c9620339a0a31414405c82d84f0044501c80c0a6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 10:59:07 2015 -0400

    compile fix

 include/linux/sysctl.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit b15c19b6b1dfba15145c921d162bbe20f8184ed1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 10:50:51 2015 -0400

    Add framework for having ambiently read-only sysctl variables.
    Add all grsecurity sysctl entries to it, as well as security-relevant
    upstream sysctl values (modules_disabled, kptr_restrict, etc)
    
    Conflicts:
    
    	kernel/printk/printk.c

 grsecurity/grsec_init.c   |  104 ++++++++++++++++++++++----------------------
 grsecurity/grsec_sysctl.c |  104 ++++++++++++++++++++++----------------------
 include/linux/sysctl.h    |    2 +
 kernel/events/core.c      |    6 +-
 kernel/module.c           |    2 +-
 kernel/printk/printk.c    |    4 +-
 kernel/sysctl.c           |   89 +++++++++++++++++++++++++++++++++++---
 lib/vsprintf.c            |    4 +-
 8 files changed, 196 insertions(+), 119 deletions(-)

commit 813d0df7042a8430481d245618cbab39b76876fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 11:28:15 2015 -0400

    Implement modify_ldt sysctl toggle from https://lkml.org/lkml/2015/7/25/103,
    make it not depend on CONFIG_MODIFY_LDT_SYSCALL, force modify_ldt to off
    regardless of config setting if grsec is enabled (with the allowance to
    turn it on at runtime), and harden up the implementation a bit
    
    Conflicts:
    
    	arch/x86/Kconfig
    	kernel/sysctl.c

 Documentation/sysctl/kernel.txt |   15 +++++++++++++++
 arch/x86/Kconfig                |   16 ++++++++++++++++
 arch/x86/kernel/ldt.c           |   18 ++++++++++++++++++
 kernel/sysctl.c                 |    8 ++++++++
 4 files changed, 57 insertions(+), 0 deletions(-)

commit 76c2b5f166de21a603f73ce808015294845fb2b0
Author: Nicolas Schichan <nschichan@freebox.fr>
Date:   Tue Jul 21 14:14:12 2015 +0200

    ARM: net: fix condition for load_order > 0 when translating load instructions.
    
    To check whether the load should take the fast path or not, the code
    would check that (r_skb_hlen - load_order) is greater than the offset
    of the access using an "Unsigned higher or same" condition. For
    halfword accesses and an skb length of 1 at offset 0, that test is
    valid, as we end up comparing 0xffffffff(-1) and 0, so the fast path
    is taken and the filter allows the load to wrongly succeed. A similar
    issue exists for word loads at offset 0 and an skb length of less than
    4.
    
    Fix that by using the condition "Signed greater than or equal"
    condition for the fast path code for load orders greater than 0.
    
    Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/arm/net/bpf_jit_32.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 8094a4140d04836e1119479f1ebc3300e4067a46
Author: Nicolas Schichan <nschichan@freebox.fr>
Date:   Tue Jul 21 14:14:13 2015 +0200

    ARM: net: handle negative offsets in BPF JIT.
    
    Previously, the JIT would reject negative offsets known during code
    generation and mishandle negative offsets provided at runtime.
    
    Fix that by calling bpf_internal_load_pointer_neg_helper()
    appropriately in the jit_get_skb_{b,h,w} slow path helpers and by forcing
    the execution flow to the slow path helpers when the offset is
    negative.
    
    Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/arm/net/bpf_jit_32.c |   47 ++++++++++++++++++++++++++++++++++++--------
 1 files changed, 38 insertions(+), 9 deletions(-)

commit afbe2e04545cced6ea2ce3011fae62e43db1d820
Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Date:   Fri Jul 17 14:01:11 2015 +0300

    net: ratelimit warnings about dst entry refcount underflow or overflow
    
    Kernel generates a lot of warnings when dst entry reference counter
    overflows and becomes negative. That bug was seen several times on
    machines with outdated 3.10.y kernels. Most likely it's already fixed
    in upstream. Anyway that flood completely kills machine and makes
    further debugging impossible.
    
    Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/dst.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 11e3af017fb6bf3312ea361393afbe94c2c9bbde
Author: Simon Guinot <simon.guinot@sequanux.org>
Date:   Sun Jul 19 13:00:53 2015 +0200

    net: mvneta: fix refilling for Rx DMA buffers
    
    With the actual code, if a memory allocation error happens while
    refilling a Rx descriptor, then the original Rx buffer is both passed
    to the networking stack (in an SKB) and left in the Rx ring. This leads
    to various kernel oops and crashes.
    
    As a fix, this patch moves Rx descriptor refilling ahead of building
    SKB with the associated Rx buffer. In case of a memory allocation
    failure, data is dropped and the original DMA buffer is put back into
    the Rx ring.
    
    Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
    Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
    Cc: <stable@vger.kernel.org> # v3.8+
    Tested-by: Yoann Sculo <yoann@sculo.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/marvell/mvneta.c |   22 ++++++++++------------
 1 files changed, 10 insertions(+), 12 deletions(-)

commit e1bc1df2a541d2162e3e9477d4c51ebbe86e4954
Author: Seymour, Shane M <shane.seymour@hp.com>
Date:   Thu Jul 2 12:01:10 2015 +0000

    st: null pointer dereference panic caused by use after kref_put by st_open
    
    Two SLES11 SP3 servers encountered similar crashes simultaneously
    following some kind of SAN/tape target issue:
    
    ...
    qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 --  1 2002.
    qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 --  1 2002.
    qla2xxx [0000:81:00.0]-8009:3: DEVICE RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
    qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
    qla2xxx [0000:81:00.0]-800f:3: DEVICE RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
    qla2xxx [0000:81:00.0]-8009:3: TARGET RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
    qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
    qla2xxx [0000:81:00.0]-800f:3: TARGET RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
    qla2xxx [0000:81:00.0]-8012:3: BUS RESET ISSUED nexus=3:0:2.
    qla2xxx [0000:81:00.0]-802b:3: BUS RESET SUCCEEDED nexus=3:0:2.
    qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
    qla2xxx [0000:81:00.0]-8018:3: ADAPTER RESET ISSUED nexus=3:0:2.
    qla2xxx [0000:81:00.0]-00af:3: Performing ISP error recovery - ha=ffff88bf04d18000.
     rport-3:0-0: blocked FC remote port time out: removing target and saving binding
    qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
    qla2xxx [0000:81:00.0]-8017:3: ADAPTER RESET SUCCEEDED nexus=3:0:2.
     rport-2:0-0: blocked FC remote port time out: removing target and saving binding
    sg_rq_end_io: device detached
    BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
    IP: [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
    PGD 7e6586f067 PUD 7e5af06067 PMD 0 [1739975.390354] Oops: 0002 [#1] SMP
    CPU 0
    ...
    Supported: No, Proprietary modules are loaded [1739975.390463]
    Pid: 27965, comm: ABCD Tainted: PF           X 3.0.101-0.29-default #1 HP ProLiant DL580 Gen8
    RIP: 0010:[<ffffffff8133b268>]  [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
    RSP: 0018:ffff8839dc1e7c68  EFLAGS: 00010202
    RAX: 0000000000000000 RBX: ffff883f0592fc00 RCX: 0000000000000090
    RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000138
    RBP: 0000000000000138 R08: 0000000000000010 R09: ffffffff81bd39d0
    R10: 00000000000009c0 R11: ffffffff81025790 R12: 0000000000000001
    R13: ffff883022212b80 R14: 0000000000000004 R15: ffff883022212b80
    FS:  00007f8e54560720(0000) GS:ffff88407f800000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 00000000000002a8 CR3: 0000007e6ced6000 CR4: 00000000001407f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process ABCD (pid: 27965, threadinfo ffff8839dc1e6000, task ffff883592e0c640)
    Stack:
     ffff883f0592fc00 00000000fffffffa 0000000000000001 ffff883022212b80
     ffff883eff772400 ffffffffa03fa309 0000000000000000 0000000000000000
     ffffffffa04003a0 ffff883f063196c0 ffff887f0379a930 ffffffff8115ea1e
    Call Trace:
     [<ffffffffa03fa309>] st_open+0x129/0x240 [st]
     [<ffffffff8115ea1e>] chrdev_open+0x13e/0x200
     [<ffffffff811588a8>] __dentry_open+0x198/0x310
     [<ffffffff81167d74>] do_last+0x1f4/0x800
     [<ffffffff81168fe9>] path_openat+0xd9/0x420
     [<ffffffff8116946c>] do_filp_open+0x4c/0xc0
     [<ffffffff8115a00f>] do_sys_open+0x17f/0x250
     [<ffffffff81468d92>] system_call_fastpath+0x16/0x1b
     [<00007f8e4f617fd0>] 0x7f8e4f617fcf
    Code: eb d3 90 48 83 ec 28 40 f6 c6 04 48 89 6c 24 08 4c 89 74 24 20 48 89 fd 48 89 1c 24 4c 89 64 24 10 41 89 f6 4c 89 6c 24 18 74 11 <f0> ff 8f 70 01 00 00 0f 94 c0 45 31 ed 84 c0 74 2b 4c 8d a5 a0
    RIP  [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
     RSP <ffff8839dc1e7c68>
    CR2: 00000000000002a8
    
    Analysis reveals the cause of the crash to be due to STp->device
    being NULL. The pointer was NULLed via scsi_tape_put(STp) when it
    calls scsi_tape_release(). In st_open() we jump to err_out after
    scsi_block_when_processing_errors() completes and returns the
    device as offline (sdev_state was SDEV_DEL):
    
    1180 /* Open the device. Needs to take the BKL only because of incrementing the SCSI host
    1181    module count. */
    1182 static int st_open(struct inode *inode, struct file *filp)
    1183 {
    1184         int i, retval = (-EIO);
    1185         int resumed = 0;
    1186         struct scsi_tape *STp;
    1187         struct st_partstat *STps;
    1188         int dev = TAPE_NR(inode);
    1189         char *name;
    ...
    1217         if (scsi_autopm_get_device(STp->device) < 0) {
    1218                 retval = -EIO;
    1219                 goto err_out;
    1220         }
    1221         resumed = 1;
    1222         if (!scsi_block_when_processing_errors(STp->device)) {
    1223                 retval = (-ENXIO);
    1224                 goto err_out;
    1225         }
    ...
    1264  err_out:
    1265         normalize_buffer(STp->buffer);
    1266         spin_lock(&st_use_lock);
    1267         STp->in_use = 0;
    1268         spin_unlock(&st_use_lock);
    1269         scsi_tape_put(STp); <-- STp->device = 0 after this
    1270         if (resumed)
    1271                 scsi_autopm_put_device(STp->device);
    1272         return retval;
    
    The ref count for the struct scsi_tape had already been reduced
    to 1 when the .remove method of the st module had been called.
    The kref_put() in scsi_tape_put() caused scsi_tape_release()
    to be called:
    
    0266 static void scsi_tape_put(struct scsi_tape *STp)
    0267 {
    0268         struct scsi_device *sdev = STp->device;
    0269
    0270         mutex_lock(&st_ref_mutex);
    0271         kref_put(&STp->kref, scsi_tape_release); <-- calls this
    0272         scsi_device_put(sdev);
    0273         mutex_unlock(&st_ref_mutex);
    0274 }
    
    In scsi_tape_release() the struct scsi_device in the struct
    scsi_tape gets set to NULL:
    
    4273 static void scsi_tape_release(struct kref *kref)
    4274 {
    4275         struct scsi_tape *tpnt = to_scsi_tape(kref);
    4276         struct gendisk *disk = tpnt->disk;
    4277
    4278         tpnt->device = NULL; <<<---- where the dev is nulled
    4279
    4280         if (tpnt->buffer) {
    4281                 normalize_buffer(tpnt->buffer);
    4282                 kfree(tpnt->buffer->reserved_pages);
    4283                 kfree(tpnt->buffer);
    4284         }
    4285
    4286         disk->private_data = NULL;
    4287         put_disk(disk);
    4288         kfree(tpnt);
    4289         return;
    4290 }
    
    Although the problem was reported on SLES11.3 the problem appears
    in linux-next as well.
    
    The crash is fixed by reordering the code so we no longer access
    the struct scsi_tape after the kref_put() is done on it in st_open().
    
    Signed-off-by: Shane Seymour <shane.seymour@hp.com>
    Signed-off-by: Darren Lavender <darren.lavender@hp.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.com>
    Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
    Cc: stable@vger.kernel.org
    Signed-off-by: James Bottomley <JBottomley@Odin.com>

 drivers/scsi/st.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
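
The ordering bug this commit fixes, modelled in userland as an added example (constructed for this changelog; the kref, scsi_device and scsi_tape types and the put/release functions are cut-down hypothetical stand-ins, not the kernel's). The release callback nulls `device` exactly as the quoted scsi_tape_release() does; the "before" version of err_out drops the reference first and then reads `STp->device`, the "after" version does every access before the put. In the kernel the bad ordering is a NULL dereference on freed memory; here `scsi_autopm_put_device()` returns false instead of crashing so the difference is observable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for struct kref (hypothetical, not the kernel's). */
struct kref {
	int refcount;
};

/* Cut-down scsi_device / scsi_tape with only the fields the bug touches. */
struct scsi_device {
	int autopm_usage;
};

struct scsi_tape {
	struct kref kref;
	struct scsi_device *device;
	bool released;
};

/* Release callback: like scsi_tape_release(), it nulls tpnt->device. */
static void scsi_tape_release(struct scsi_tape *tpnt)
{
	tpnt->device = NULL;
	tpnt->released = true;        /* stands in for kfree(tpnt) */
}

/* Drop one reference; the last one runs the release callback. */
static void kref_put(struct scsi_tape *STp)
{
	if (--STp->kref.refcount == 0)
		scsi_tape_release(STp);
}

/*
 * Stand-in for scsi_autopm_put_device(): the kernel dereferences sdev
 * unconditionally and oopses on NULL.  Return false instead so the
 * ordering bug shows up as a value rather than a crash.
 */
static bool scsi_autopm_put_device(struct scsi_device *sdev)
{
	if (!sdev)
		return false;
	sdev->autopm_usage--;
	return true;
}

/* err_out as before the fix: kref_put() first, then STp->device is read. */
static bool err_out_before_fix(struct scsi_tape *STp, int resumed)
{
	kref_put(STp);                /* may be the last ref: STp is gone */
	if (resumed)
		return scsi_autopm_put_device(STp->device);  /* use after put */
	return true;
}

/* err_out as after the fix: every access to STp happens before the put. */
static bool err_out_after_fix(struct scsi_tape *STp, int resumed)
{
	bool ok = true;

	if (resumed)
		ok = scsi_autopm_put_device(STp->device);
	kref_put(STp);                /* last reference dropped last */
	return ok;
}

/*
 * Scenario from the report: .remove already ran, so the opener holds the
 * only remaining reference and its put triggers release.
 */
static bool run_scenario(bool (*err_out)(struct scsi_tape *, int))
{
	struct scsi_device sdev = { .autopm_usage = 1 };
	struct scsi_tape tape = { .kref = { 1 }, .device = &sdev, .released = false };

	return err_out(&tape, 1);
}

int main(void)
{
	printf("before fix: %s\n", run_scenario(err_out_before_fix) ? "ok" : "NULL device after put");
	printf("after fix:  %s\n", run_scenario(err_out_after_fix) ? "ok" : "NULL device after put");
	return 0;
}
```

The invariant worth checking in any error path of this shape: the call that may drop the last reference is the final use of the object, and anything still needed from it (here the device pointer) is read or acted on before that call.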

commit 8b709e0a6a62454ee4a8edd612ece57d45bea7e5
Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Date:   Fri Jul 17 16:23:42 2015 -0700

    include, lib: add __printf attributes to several function prototypes
    
    Using __printf attributes helps to detect several format string issues
    at compile time (even though -Wformat-security is currently disabled in
    Makefile).  For example it can detect when formatting a pointer as a
    number, like the issue fixed in commit a3fa71c40f18 ("wl18xx: show
    rx_frames_per_rates as an array as it really is"), or when the arguments
    do not match the format string, c.f.  for example commit 5ce1aca81435
    ("reiserfs: fix __RASSERT format string").
    
    To prevent similar bugs in the future, add a __printf attribute to every
    function prototype which needs one in include/linux/ and lib/.  These
    functions were mostly found by using gcc's -Wsuggest-attribute=format
    flag.
    
    Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Felipe Balbi <balbi@ti.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	include/linux/clkdev.h
    	include/linux/configfs.h
    	include/linux/printk.h
    
    Conflicts:
    
    	include/linux/cpu.h
    	include/linux/device.h
    	include/linux/iommu.h
    	include/linux/printk.h

 include/linux/clkdev.h    |    5 +++--
 include/linux/compat.h    |    2 +-
 include/linux/configfs.h  |    3 ++-
 include/linux/dcache.h    |    3 ++-
 include/linux/device.h    |   10 ++++------
 include/linux/kernel.h    |    9 +++++----
 include/linux/kobject.h   |    5 +++--
 include/linux/mmiotrace.h |    2 +-
 include/linux/printk.h    |    4 ++--
 lib/kobject.c             |    5 +++--
 10 files changed, 26 insertions(+), 22 deletions(-)

commit 798b2e4282a214b5d8508a7ef080d8ba22260e44
Author: WANG Cong <xiyou.wangcong@gmail.com>
Date:   Tue Jul 14 11:21:58 2015 -0700

    fq_codel: fix return value of fq_codel_drop()
    
    The ->drop() is supposed to return the number of bytes it dropped,
    however fq_codel_drop() returns the index of the flow where it drops
    a packet from.
    
    Fix this by introducing a helper to wrap fq_codel_drop().
    
    Cc: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: Cong Wang <cwang@twopensource.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/sch_fq_codel.c |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

commit afced6bf782617842a58b8ddf69bbb127cf09867
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Mon Jul 13 00:06:02 2015 +0200

    rtnetlink: reject non-IFLA_VF_PORT attributes inside IFLA_VF_PORTS
    
    Similarly as in commit 4f7d2cdfdde7 ("rtnetlink: verify IFLA_VF_INFO
    attributes before passing them to driver"), we have a double nesting
    of netlink attributes, i.e. IFLA_VF_PORTS only contains IFLA_VF_PORT
    that is nested itself. While IFLA_VF_PORTS is a verified attribute
    from ifla_policy[], we only check if the IFLA_VF_PORTS container has
    IFLA_VF_PORT attributes and then pass the attribute's content itself
    via nla_parse_nested(). It would be more correct to reject inner types
    other than IFLA_VF_PORT instead of continuing parsing and also similarly
    as in commit 4f7d2cdfdde7, to check for a minimum of NLA_HDRLEN.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
    Cc: Scott Feldman <sfeldma@gmail.com>
    Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/rtnetlink.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)
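The validation the commit describes, as an added example that is not the rtnetlink code itself. It walks the payload of an IFLA_VF_PORTS container using a constructed TLV layout modelled on struct nlattr (2-byte length including the header, 2-byte type, payload padded to 4 bytes) and applies the two checks from the commit: each inner attribute must be at least NLA_HDRLEN long and fit in the remaining buffer, and its type must be IFLA_VF_PORT. The IFLA_VF_PORT value and the sample containers are assumed for the stand-alone build; the kernel's own walker is nla_for_each_nested().

```c
#include <stdint.h>
#include <string.h>
#include <errno.h>

#define NLA_ALIGNTO     4
#define NLA_ALIGN(len)  (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN      ((int)NLA_ALIGN(sizeof(struct nlattr)))

/* Same shape as the uapi struct nlattr: nla_len covers header + payload. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};

/* Assumed for this example; mirrors enum IFLA_VF_PORT_* in if_link.h. */
enum { IFLA_VF_PORT_UNSPEC, IFLA_VF_PORT };

/* Walk the payload of an IFLA_VF_PORTS container.  Returns the number of
 * IFLA_VF_PORT children, or -EINVAL if a child is truncated, claims more
 * bytes than remain, or is of any type other than IFLA_VF_PORT. */
static int parse_vf_ports(const unsigned char *buf, int len)
{
    const unsigned char *p = buf;
    int rem = len, count = 0;

    while (rem >= NLA_HDRLEN) {
        struct nlattr nla;

        memcpy(&nla, p, sizeof(nla));          /* no unaligned access */
        if (nla.nla_len < NLA_HDRLEN || nla.nla_len > rem)
            return -EINVAL;                    /* bogus length */
        if (nla.nla_type != IFLA_VF_PORT)
            return -EINVAL;                    /* reject foreign inner types */
        count++;
        rem -= NLA_ALIGN(nla.nla_len);
        p += NLA_ALIGN(nla.nla_len);
    }
    return count;
}

/* Append one attribute with a plen-byte payload; returns the new length. */
static int put_attr(unsigned char *buf, int off, uint16_t type,
                    const void *payload, int plen)
{
    struct nlattr nla = {
        .nla_len = (uint16_t)(NLA_HDRLEN + plen),
        .nla_type = type,
    };

    memcpy(buf + off, &nla, sizeof(nla));
    memcpy(buf + off + NLA_HDRLEN, payload, plen);
    memset(buf + off + NLA_HDRLEN + plen, 0,
           NLA_ALIGN(nla.nla_len) - nla.nla_len);
    return off + NLA_ALIGN(nla.nla_len);
}

/* Constructed containers: one well formed, three that must be rejected. */
static int parse_constructed(int which)
{
    unsigned char buf[64];
    const uint32_t vf = 0;               /* dummy payload */
    struct nlattr bad;
    int len = 0;

    switch (which) {
    case 0:  /* two IFLA_VF_PORT children */
        len = put_attr(buf, len, IFLA_VF_PORT, &vf, sizeof(vf));
        len = put_attr(buf, len, IFLA_VF_PORT, &vf, sizeof(vf));
        break;
    case 1:  /* second child carries a foreign type */
        len = put_attr(buf, len, IFLA_VF_PORT, &vf, sizeof(vf));
        len = put_attr(buf, len, 7, &vf, sizeof(vf));
        break;
    case 2:  /* nla_len shorter than the header itself */
        bad.nla_len = 2;
        bad.nla_type = IFLA_VF_PORT;
        memcpy(buf, &bad, sizeof(bad));
        len = sizeof(bad);
        break;
    default: /* nla_len claims more bytes than the container holds */
        bad.nla_len = 12;
        bad.nla_type = IFLA_VF_PORT;
        memcpy(buf, &bad, sizeof(bad));
        len = sizeof(bad);
        break;
    }
    return parse_vf_ports(buf, len);
}
```

The second check is the one that is easy to omit: a container policy validates the outer attribute, but the inner attributes' types are only known once you are inside, and passing an unexpected inner type on to nla_parse_nested() means the driver sees data that was never validated against its policy.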

commit 369ef50b45b211d74a1ea75c91a98c77ff0df634
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Mon Jul 13 16:04:13 2015 +0800

    net: Clone skb before setting peeked flag
    
    Shared skbs must not be modified and this is crucial for broadcast
    and/or multicast paths where we use it as an optimisation to avoid
    unnecessary cloning.
    
    The function skb_recv_datagram breaks this rule by setting peeked
    without cloning the skb first.  This causes funky races which leads
    to double-free.
    
    This patch fixes this by cloning the skb and replacing the skb
    in the list when setting skb->peeked.
    
    Fixes: a59322be07c9 ("[UDP]: Only increment counter on first peek/recv")
    Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/datagram.c |   41 ++++++++++++++++++++++++++++++++++++++---
 1 files changed, 38 insertions(+), 3 deletions(-)

commit eb2badfcc2a91754c518b442b4cba49ff041c232
Author: Richard Stearn <richard@rns-stearn.demon.co.uk>
Date:   Mon Jul 13 11:38:24 2015 +0200

    NET: AX.25: Stop heartbeat timer on disconnect.
    
    This may result in a kernel panic.  The bug has always existed but
    somehow we've run out of luck now and it bites.
    
    Signed-off-by: Richard Stearn <richard@rns-stearn.demon.co.uk>
    Cc: stable@vger.kernel.org	# all branches
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ax25/ax25_subr.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 5dfc2511555b955965d93e2efcf77058e06f6151
Author: Neil Horman <nhorman@tuxdriver.com>
Date:   Tue Jul 7 14:02:18 2015 -0400

    vmxnet3: prevent receive getting out of sequence on napi poll
    
    vmxnet3's current napi path is built to count every rx descriptor we receive,
    and use that as a count of the napi budget.  That means it's possible to return
    from a napi poll halfway through receiving a fragmented packet across multiple
    dma descriptors.  If that happens, the next napi poll will start with the
    descriptor ring in an improper state (e.g. the first descriptor we look at may
    have the end-of-packet bit set), which will cause a BUG halt in the driver.
    
    Fix the issue by only counting whole received packets in the napi poll and
    returning that value, rather than the descriptor count.
    
    Tested by the reporter and myself, successfully
    
    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
    CC: Shreyas Bhatewara <sbhatewara@vmware.com>
    CC: "David S. Miller" <davem@davemloft.net>
    Acked-by: Andy Gospodarek <gospo@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/vmxnet3/vmxnet3_drv.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 26d1971d0cae4246e8d69c4b57b124873a20cba2
Author: Johannes Thumshirn <jthumshirn@suse.de>
Date:   Wed Jul 8 17:16:49 2015 +0200

    macvtap: Destroy minor_idr on module_exit
    
    Destroy minor_idr on module_exit, reclaiming the allocated memory.
    
    This was detected by the following semantic patch (written by Luis Rodriguez
    <mcgrof@suse.com>)
    <SmPL>
    @ defines_module_init @
    declarer name module_init, module_exit;
    declarer name DEFINE_IDR;
    identifier init;
    @@
    
    module_init(init);
    
    @ defines_module_exit @
    identifier exit;
    @@
    
    module_exit(exit);
    
    @ declares_idr depends on defines_module_init && defines_module_exit @
    identifier idr;
    @@
    
    DEFINE_IDR(idr);
    
    @ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
    identifier declares_idr.idr, defines_module_exit.exit;
    @@
    
    exit(void)
    {
     ...
     idr_destroy(&idr);
     ...
    }
    
    @ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
    identifier declares_idr.idr, defines_module_exit.exit;
    @@
    
    exit(void)
    {
     ...
     +idr_destroy(&idr);
    }
    </SmPL>
    
    Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit f076754476fc2d0abe97ae84e667caa697b93a6a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Jul 12 10:34:29 2015 -0400

    9p: don't leave a half-initialized inode sitting around
    
    Cc: stable@vger.kernel.org # all branches
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/9p/vfs_inode.c      |    3 +--
 fs/9p/vfs_inode_dotl.c |    3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

commit d2e1f8a569cfb1e4df896611430f6433109cc123
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 25 09:20:34 2015 -0400

    Backport:
    commit 36b84539390fc30663a7a026eef598c4656124bc
    Author: Al Viro <viro@ZenIV.linux.org.uk>
    Date:   Wed Jul 8 02:42:38 2015 +0100
    
        freeing unlinked file indefinitely delayed

 fs/dcache.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit f0c6ed408ce14e02a4c15fa6d9452a096b58a2cc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jul 24 21:17:42 2015 -0400

    cred_subscribers has to do with the ->cred and ->real_cred fields, not our
    delayed_cred field, so don't count it towards it to avoid a BUG() with
    DEBUG_CREDENTIALS enabled

 kernel/cred.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit dbfa6e842bab58d29277002959ccbd7f65044cda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 12 12:40:03 2015 -0400

    fix RBAC debug compilation

 grsecurity/gracl_policy.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b02a2cb5d7c0ea0a0795fd42f90752a3c29b995a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 18:46:04 2015 -0400

    Add missing virtual execute() method to constify plugin for GCC 5.1.
    The missing function didn't affect the security provided by the constify
    plugin, but would prevent compilation errors from being generated
    in cases where const structures were declared as local variables.

 tools/gcc/constify_plugin.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit b81237cf0a82dec6c4a5e8d0b3c113b5cc5d0960
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 12:25:32 2015 -0400

    RANDSTRUCT fix for GCC 5.1: make sure we run our bad cast logging pass
    Doesn't affect the security provided by the plugin, is purely for informational
    purposes

 tools/gcc/randomize_layout_plugin.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 99aab170fab9df822c6deb05f04f9e9dfc47f581
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:04:18 2015 -0400

    Functionally no different than the existing code, but at least now
    we aren't comparing negative values against unsigned types as done
    by Linus:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=45820c294fe1b1a9df495d57f40585ef2d069a39
    and Jan:
    http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0b08c5e5944

 kernel/auditsc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0a6d7bbd25e1810320236e1977d012d8644ddeac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:08:47 2015 -0400

    Backport vuln fix from Stephen Smalley for an SELinux execmem bypass:
    http://lkml.iu.edu/hypermail/linux/kernel/1507.1/02442.html
    Not marked for -stable even though its handling has been inconsistent
    since at least 3.2 (as far back as I checked).  Shared anonymous
    memory has been implemented through pseudo-files for a while now.
    One would expect fine-grained military-grade expert policy writers
    to have spotted this long ago.  Grsec is not affected.

 security/selinux/hooks.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit f834825965892652f69ab4deae3546caed726f0b
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Tue Jul 7 09:43:45 2015 -0400

    net/tipc: initialize security state for new connection socket
    
    Calling connect() with an AF_TIPC socket would trigger a series
    of error messages from SELinux along the lines of:
    SELinux: Invalid class 0
    type=AVC msg=audit(1434126658.487:34500): avc:  denied  { <unprintable> }
      for pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0
      tcontext=system_u:object_r:unlabeled_t:s0 tclass=<unprintable>
      permissive=0
    
    This was due to a failure to initialize the security state of the new
    connection sock by the tipc code, leaving it with junk in the security
    class field and an unlabeled secid.  Add a call to security_sk_clone()
    to inherit the security state from the parent socket.
    
    Reported-by: Tim Shearer <tim.shearer@overturenetworks.com>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Acked-by: Ying Xue <ying.xue@windriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/socket.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit cc15e52c64cd1a95b584fcf8d23558faffe8a2fe
Author: Nikolay Aleksandrov <razor@blackwall.org>
Date:   Tue Jul 7 15:55:56 2015 +0200

    bridge: mdb: zero out the local br_ip variable before use
    
    Since commit b0e9a30dd669 ("bridge: Add vlan id to multicast groups")
    there's a check in br_ip_equal() for a matching vlan id, but the mdb
    functions were not modified to use (or at least zero it) so when an
    entry was added it would have a garbage vlan id (from the local br_ip
    variable in __br_mdb_add/del) and this would prevent it from being
    matched and also deleted. So zero out the whole local ip var to protect
    ourselves from future changes and also to fix the current bug, since
    there's no vlan id support in the mdb uapi - use always vlan id 0.
    Example before patch:
    root@debian:~# bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb
    dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb del dev br0 port eth1 grp 239.0.0.1 permanent
    RTNETLINK answers: Invalid argument
    
    After patch:
    root@debian:~# bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb
    dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb del dev br0 port eth1 grp 239.0.0.1 permanent
    root@debian:~# bridge mdb
    
    Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
    Fixes: b0e9a30dd669 ("bridge: Add vlan id to multicast groups")
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br_mdb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 98131933401e6fcbabca873d182da5670dd4f085
Author: Yann Droneaud <ydroneaud@opteya.com>
Date:   Mon Jun 22 21:38:43 2015 +0200

    perf/x86: Fix copy_from_user_nmi() return if range is not ok
    
    Commit 0a196848ca36 ("perf: Fix arch_perf_out_copy_user default"),
    changes copy_from_user_nmi() to return the number of
    remaining bytes so that it behaves like copy_from_user().
    
    Unfortunately, when the range is outside of the process
    memory, the return value is still the number of bytes
    copied, eg. 0, instead of the remaining bytes.
    
    As all users of copy_from_user_nmi() were modified as
    part of commit 0a196848ca36, the function should be
    fixed to return the total number of bytes if range is
    not correct.
    
    Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/1435001923-30986-1-git-send-email-ydroneaud@opteya.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/lib/usercopy.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 31d2920963b39a4c046f8cafc83f522e4f958ffd
Merge: 44349c7 f57569d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:48:41 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit f57569dc8b058e567b23dbb4bffe72828a2ee460
Merge: f75f5b9 3cdf919
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 11 10:48:30 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit 44349c7d5e54eaba83ade15fb15c15918bac46b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 5 07:26:54 2015 -0400

    Fix format string vulns in config_item_set_name (used by configfs)
    Thanks to Nicolas Iooss for the report!

 drivers/usb/gadget/configfs.c |    2 +-
 fs/configfs/item.c            |    4 ++--
 include/linux/configfs.h      |    2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
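An added example covering both the __printf attribute commit (8b709e0a6a62) and the config_item_set_name fix above; it is not code from fs/configfs or from the kernel. The item struct, the 32-byte name buffer and the helper names are assumed. item_set_name() carries the same format(printf, 2, 3) attribute the kernel spells __printf(2, 3), so GCC and clang check every call site: the unsafe wrapper, which hands a caller-supplied name through as the format string, draws a warning under -Wformat-security, while the fixed wrapper passes the name as an argument to a literal "%s" format and stores it byte for byte.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same spelling as include/linux/compiler.h: argument a is the format,
 * the variadic arguments start at b. */
#define __printf(a, b) __attribute__((format(printf, a, b)))

/* Constructed stand-in for struct config_item; size is an assumption. */
struct item {
    char name[32];
};

/* printf-style setter, as config_item_set_name() is.  Because of the
 * attribute, the compiler checks format/argument agreement at each call. */
static __printf(2, 3) int item_set_name(struct item *it, const char *fmt, ...)
{
    va_list args;
    int n;

    va_start(args, fmt);
    n = vsnprintf(it->name, sizeof(it->name), fmt, args);
    va_end(args);
    return n < 0 ? -1 : 0;
}

/* Before the fix: the caller-supplied name IS the format string.  With
 * -Wformat-security this line warns ("format not a string literal and
 * no format arguments"); a name such as "%s%s%n" would read and write
 * through arguments that were never passed. */
static int item_rename_unsafe(struct item *it, const char *name)
{
    return item_set_name(it, name);
}

/* After the fix: the name is only ever an argument to a fixed format. */
static int item_rename_safe(struct item *it, const char *name)
{
    return item_set_name(it, "%s", name);
}

/* Rename a scratch item with a constructed name and hand back the stored
 * bytes.  Only the safe path is ever given a name containing '%'. */
static const char *rename_and_read(const char *name, int safe)
{
    static struct item it;

    memset(&it, 0, sizeof(it));
    if ((safe ? item_rename_safe : item_rename_unsafe)(&it, name) < 0)
        return NULL;
    return it.name;
}
```

Adding the attribute to the prototype is what makes the second half possible: without it, the compiler has no way to know item_set_name() interprets its second argument as a format, and the unsafe call compiles silently.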

commit d7076589fcc5246b8686fe9e44d17b89ecb35201
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 4 11:12:57 2015 -0400

    add newer socket families for logging

 grsecurity/gracl_ip.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 635bae5b40dd2049fa040760f7dd7c3c7851e3a1
Merge: 8104f08 f75f5b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 4 10:07:31 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/kernel/cpu/microcode/intel_early.c

commit f75f5b95ebb579e13d67da646b2903a4938ab457
Merge: 3d2a0ee a076824
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jul 4 10:04:41 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kernel/kprobes/core.c

commit 8104f08cba8e3cb85ea52ed1e8ffcc70a1edb8c7
Merge: 4a2a940 3d2a0ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:35:18 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3d2a0eead558eb1c8dad2bc285c674be6ae74089
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:34:45 2015 -0400

    Update to pax-linux-3.14.46-test52.patch:
    - use non-deprecated cpumask accessors

 arch/x86/include/asm/mmu_context.h |    6 +++---
 arch/x86/kernel/ldt.c              |    2 +-
 arch/x86/mm/fault.c                |    2 +-
 mm/mprotect.c                      |    4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

commit 29a1b9e42cba774e2ea79db949e349c52c456dea
Merge: 193c31b 762167f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 29 21:34:03 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit 4a2a9408919c495c586b4a6a5abf56264b27e2f3
Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
Date:   Thu Jun 25 18:10:09 2015 -0400

    tracing/filter: Do not allow infix to exceed end of string
    
    While debugging a WARN_ON() for filtering, I found that it is possible
    for the filter string to be referenced after its end. With the filter:
    
     # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter
    
    The filter_parse() function can call infix_get_op() which calls
    infix_advance() that updates the infix filter pointers for the cnt
    and tail without checking if the filter is already at the end, which
    will put the cnt to zero and the tail beyond the end. The loop then calls
    infix_next() that has
    
    	ps->infix.cnt--;
    	return ps->infix.string[ps->infix.tail++];
    
    The cnt will now be below zero, and the tail that is returned is
    already past the end of the filter string. So far the allocation
    of the filter string usually has some buffer that is zeroed out, but
    if the filter string is of the exact size of the allocated buffer
    there's no guarantee that the character after the nul terminating
    character will be zero.
    
    Luckily, only root can write to the filter.
    
    Cc: stable@vger.kernel.org # 2.6.33+
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_events_filter.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)
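The cursor overrun from the commit above, as an added model that is not the code of kernel/trace/trace_events_filter.c. The struct and the two cursor helpers are constructed to follow the commit's description (a cnt of unread bytes and a tail index), and the sequence for the one-byte filter ">" is replayed: the operator scanner consumes '>' and advances once more looking for a second operator character, then the main loop reads the next byte. The buffer deliberately carries a non-zero byte after the terminating NUL, standing in for whatever follows an exactly-sized allocation; the checked variant refuses to move the cursor once cnt is zero.

```c
#include <stdbool.h>

/* Constructed model of the filter's infix cursor. */
struct infix {
    const char *string;
    int cnt;     /* bytes not yet consumed */
    int tail;    /* index of the next byte */
};

static void infix_init(struct infix *in, const char *s, int len)
{
    in->string = s;
    in->cnt = len;
    in->tail = 0;
}

/* 'checked' selects the post-fix behaviour: never move past the end. */
static char infix_next(struct infix *in, bool checked)
{
    if (checked && !in->cnt)
        return 0;
    in->cnt--;
    return in->string[in->tail++];
}

static void infix_advance(struct infix *in, bool checked)
{
    if (checked && !in->cnt)
        return;
    in->cnt--;
    in->tail++;
}

/* Replay the sequence for the filter ">" and return the byte the final
 * infix_next() hands back: 'X' (the byte after the NUL) when unchecked,
 * 0 when the cursor is bounds-checked. */
static char scan_gt_filter(bool checked)
{
    static const char buf[4] = { '>', '\0', 'X', '\0' };
    struct infix in;

    infix_init(&in, buf, 1);           /* strlen(">") == 1 */
    infix_next(&in, checked);          /* consumes '>' */
    infix_advance(&in, checked);       /* unchecked: cnt -> -1, tail -> 2 */
    return infix_next(&in, checked);   /* unchecked: reads buf[2] */
}

/* How far past the end the unchecked cursor ends up; 0 once fixed. */
static int overrun_bytes(bool checked)
{
    static const char buf[4] = { '>', '\0', 'X', '\0' };
    struct infix in;

    infix_init(&in, buf, 1);
    infix_next(&in, checked);
    infix_advance(&in, checked);
    infix_next(&in, checked);
    return in.tail > 1 ? in.tail - 1 : 0;
}
```

The pattern to look for in any hand-written scanner is an advance helper that trusts its caller to have peeked first: every helper that moves the cursor must itself check the remaining count, because the peek and the advance can be separated by a refactor.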

commit d2f3378044550a672eca946fe544d72306c1b1c4
Merge: 21db675 193c31b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:49:39 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/arm/mm/fault.c
    	arch/x86/mm/fault.c
    	fs/exec.c

commit 193c31b14fb77adeba0e6ee35d25590b570711f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:48:44 2015 -0400

    Update to pax-linux-3.14.45-test51.patch:
    - Emese fixed a size overflow compile error, reported by Daniel Micay (https://bugs.archlinux.org/task/45320)
    - the size overflow plugin caught an integer mixup in scsi_finish_command and sd_done, reported by hunger
    - changed the loglevel of our own messages that could result in a kernel panic
    - some small cleanups backported from the upcoming 4.1 port
    - the size overflow plugin caught an integer mixup in the unlzma code, reported by Vladimir Lushnikov (https://bugs.gentoo.org/show_bug.cgi?id=552642)

 Makefile                   |    2 +-
 arch/arm/mm/fault.c        |    8 ++++----
 arch/s390/mm/mmap.c        |    6 ++++++
 arch/x86/mm/fault.c        |    8 ++++----
 drivers/scsi/scsi.c        |    2 +-
 drivers/scsi/sd.c          |    4 ++--
 drivers/scsi/sr.c          |    8 ++++----
 fs/binfmt_elf.c            |    3 +--
 fs/exec.c                  |    8 ++++----
 include/scsi/scsi_driver.h |    2 +-
 lib/decompress_unlzma.c    |    4 ++--
 tools/gcc/gcc-common.h     |    4 ++--
 12 files changed, 32 insertions(+), 27 deletions(-)

commit 21db675f36aace85ef309a5ca54b4caf858b91f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jun 26 18:17:29 2015 -0400

    fix an issue with CONFIG_DEBUG_SG being enabled with KSTACKOVERFLOW -- a debug
    check was recently introduced before grsec's rewriting of stack pointers in
    sg_init_one() which triggered an unnecessary BUG().  Fix this and simplify the
    code a bit.

 include/linux/scatterlist.h |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

commit f64ba8716060694864bec6e03959d74ace30f395
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 19:26:36 2015 -0400

    compile fix

 kernel/trace/trace_events_filter.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit f95ed6a0a393114fb6423a45e237da24df0bcb18
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 19:20:52 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 33a77e6ac77d59c40fe5d6bf960f0ad8fdab6365
Author: Julian Anastasov <ja@ssi.bg>
Date:   Tue Jun 16 22:56:39 2015 +0300

    neigh: do not modify unlinked entries
    
    The lockless lookups can return entry that is unlinked.
    Sometimes they get reference before last neigh_cleanup_and_release,
    sometimes they do not need reference. Later, any
    modification attempts may result in the following problems:
    
    1. entry is not destroyed immediately because neigh_update
    can start the timer for dead entry, eg. on change to NUD_REACHABLE
    state. As result, entry lives for some time but is invisible
    and out of control.
    
    2. __neigh_event_send can run in parallel with neigh_destroy
    while refcnt=0 but if timer is started and expired refcnt can
    reach 0 for second time leading to second neigh_destroy and
    possible crash.
    
    Thanks to Eric Dumazet and Ying Xue for their work and analysis
    on the __neigh_event_send change.
    
    Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
    Fixes: a263b3093641 ("ipv4: Make neigh lookups directly in output packet path.")
    Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: Ying Xue <ying.xue@windriver.com>
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/neighbour.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

commit 2b65902c077716942118f1b41a79c716db974909
Author: Willem de Bruijn <willemb@google.com>
Date:   Wed Jun 17 15:59:34 2015 -0400

    packet: avoid out of bounds read in round robin fanout
    
    PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
    f->num_members. It returns the old value unconditionally, but
    f->num_members may have changed since the last store. Ensure
    that the return value is always < num.
    
    When modifying the logic, simplify it further by replacing the loop
    with an unconditional atomic increment.
    
    Fixes: dc99f600698d ("packet: Add fanout support.")
    Suggested-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c |   18 ++----------------
 1 files changed, 2 insertions(+), 16 deletions(-)
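The two load-balancing variants from the commit above, as an added user-space model rather than the code of net/packet/af_packet.c. The fanout struct is a constructed stand-in with C11 atomics in place of atomic_cmpxchg()/atomic_inc_return(); the wrap helper and the scenario (a cursor advanced while the group had four members, then two members leaving) are assumptions chosen to exhibit the race the commit describes. The old variant returns the previous cursor, which was wrapped against the earlier num_members and can now index past the member array; the fixed variant reduces the incremented value modulo the caller's current num.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed stand-in for struct packet_fanout. */
struct fanout {
    atomic_uint rr_cur;           /* shared round-robin cursor */
    unsigned int num_members;     /* shrinks when a socket leaves */
};

static unsigned int rr_next_val(unsigned int cur, unsigned int num)
{
    return cur + 1 >= num ? 0 : cur + 1;
}

/* Pre-fix shape: a cmpxchg loop that stores a wrapped successor but
 * returns the OLD cursor.  That old value was wrapped against whatever
 * num_members was on the previous call, so it may be >= the current num. */
static unsigned int demux_lb_old(struct fanout *f, unsigned int num)
{
    unsigned int cur = atomic_load(&f->rr_cur);

    while (!atomic_compare_exchange_weak(&f->rr_cur, &cur,
                                         rr_next_val(cur, num)))
        ;   /* a failed CAS reloads 'cur'; retry */
    return cur;
}

/* Post-fix shape: one atomic increment, and the result is reduced modulo
 * the caller's num, so the index can never reach past f->arr[num - 1]. */
static unsigned int demux_lb_new(struct fanout *f, unsigned int num)
{
    unsigned int val = atomic_fetch_add(&f->rr_cur, 1) + 1;  /* inc_return */

    return val % num;
}

/* Scenario: three packets are balanced while the group has four members,
 * leaving the cursor at 3; two members then unregister and a fourth packet
 * arrives with num_members == 2.  Returns the index chosen for it. */
static unsigned int stale_cursor_index(bool fixed)
{
    unsigned int (*demux)(struct fanout *, unsigned int) =
        fixed ? demux_lb_new : demux_lb_old;
    struct fanout f;
    int i;

    atomic_init(&f.rr_cur, 0);
    f.num_members = 4;
    for (i = 0; i < 3; i++)           /* cursor 0 -> 1 -> 2 -> 3 */
        demux(&f, f.num_members);
    f.num_members = 2;                /* two sockets leave the group */
    return demux(&f, f.num_members);
}

/* True when the chosen index would read inside the member array. */
static bool index_in_range(unsigned int idx, unsigned int num)
{
    return idx < num;
}
```

The general lesson is that a value cached across calls must be re-validated against the bound that applies now; an "old" return from a compare-and-swap loop is exactly such a cached value.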

commit f4c7c4154985e6b922546553a6c38aea1ac026b7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 18:53:40 2015 -0400

    Backport security fix from https://lkml.org/lkml/2015/6/4/163

 arch/x86/kvm/lapic.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7dda5dab0cff121eeaa76a9d99b1de6c86f4356e
Author: Steve Cornelius <steve.cornelius@freescale.com>
Date:   Mon Jun 15 16:52:59 2015 -0700

    crypto: caam - fix RNG buffer cache alignment
    
    The hwrng output buffers (2) are cast inside of a a struct (caam_rng_ctx)
    allocated in one DMA-tagged region. While the kernel's heap allocator
    should place the overall struct on a cacheline aligned boundary, the 2
    buffers contained within may not necessarily align. Consequently, the ends
    of unaligned buffers may not fully flush, and if so, stale data will be left
    behind, resulting in small repeating patterns.
    
    This fix aligns the buffers inside the struct.
    
    Note that not all of the data inside caam_rng_ctx necessarily needs to be
    DMA-tagged, only the buffers themselves require this. However, a fix would
    incur the expense of error-handling bloat in the case of allocation failure.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
    Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 drivers/crypto/caam/caamrng.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3179b12ea404fa598f65a9cc112cf4cc049dd8f9
Author: Steve Cornelius <steve.cornelius@freescale.com>
Date:   Mon Jun 15 16:52:56 2015 -0700

    Also backports de0e35ec2b72be30892f28a939c358af1df4fa2c fixing a similar issue
    
    crypto: caam - improve initialization for context state saves
    
    Multiple function in asynchronous hashing use a saved-state block,
    a.k.a. struct caam_hash_state, which holds a stash of information
    between requests (init/update/final). Certain values in this state
    block are loaded for processing using an inline-if, and when this
    is done, the potential for uninitialized data can pose conflicts.
    Therefore, this patch improves initialization of state data to
    prevent false assignments using uninitialized data in the state block.
    
    This patch addresses the following traceback, originating in
    ahash_final_ctx(), although a problem like this could certainly
    exhibit other symptoms:
    
    kernel BUG at arch/arm/mm/dma-mapping.c:465!
    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = 80004000
    [00000000] *pgd=00000000
    Internal error: Oops: 805 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 0    Not tainted  (3.0.15-01752-gdd441b9-dirty #40)
    PC is at __bug+0x1c/0x28
    LR is at __bug+0x18/0x28
    pc : [<80043240>]    lr : [<8004323c>]    psr: 60000013
    sp : e423fd98  ip : 60000013  fp : 0000001c
    r10: e4191b84  r9 : 00000020  r8 : 00000009
    r7 : 88005038  r6 : 00000001  r5 : 2d676572  r4 : e4191a60
    r3 : 00000000  r2 : 00000001  r1 : 60000093  r0 : 00000033
    Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
    Control: 10c53c7d  Table: 1000404a  DAC: 00000015
    Process cryptomgr_test (pid: 1306, stack limit = 0xe423e2f0)
    Stack: (0xe423fd98 to 0xe4240000)
    fd80:                                                       11807fd1 80048544
    fda0: 88005000 e4191a00 e5178040 8039dda0 00000000 00000014 2d676572 e4191008
    fdc0: 88005018 e4191a60 00100100 e4191a00 00000000 8039ce0c e423fea8 00000007
    fde0: e4191a00 e4227000 e5178000 8039ce18 e419183c 80203808 80a94a44 00000006
    fe00: 00000000 80207180 00000000 00000006 e423ff08 00000000 00000007 e5178000
    fe20: e41918a4 80a949b4 8c4844e2 00000000 00000049 74227000 8c4844e2 00000e90
    fe40: 0000000e 74227e90 ffff8c58 80ac29e0 e423fed4 8006a350 8c81625c e423ff5c
    fe60: 00008576 e4002500 00000003 00030010 e4002500 00000003 e5180000 e4002500
    fe80: e5178000 800e6d24 007fffff 00000000 00000010 e4001280 e4002500 60000013
    fea0: 000000d0 804df078 00000000 00000000 00000000 00000000 00000000 00000000
    fec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    fee0: 00000000 00000000 e4227000 e4226000 e4753000 e4752000 e40a5000 e40a4000
    ff00: e41e7000 e41e6000 00000000 00000000 00000000 e423ff14 e423ff14 00000000
    ff20: 00000400 804f9080 e5178000 e4db0b40 00000000 e4db0b80 0000047c 00000400
    ff40: 00000000 8020758c 00000400 ffffffff 0000008a 00000000 e4db0b40 80206e00
    ff60: e4049dbc 00000000 00000000 00000003 e423ffa4 80062978 e41a8bfc 00000000
    ff80: 00000000 e4049db4 00000013 e4049db0 00000013 00000000 00000000 00000000
    ffa0: e4db0b40 e4db0b40 80204cbc 00000013 00000000 00000000 00000000 80204cfc
    ffc0: e4049da0 80089544 80040a40 00000000 e4db0b40 00000000 00000000 00000000
    ffe0: e423ffe0 e423ffe0 e4049da0 800894c4 80040a40 80040a40 00000000 00000000
    [<80043240>] (__bug+0x1c/0x28) from [<80048544>] (___dma_single_dev_to_cpu+0x84)
    [<80048544>] (___dma_single_dev_to_cpu+0x84/0x94) from [<8039dda0>] (ahash_fina)
    [<8039dda0>] (ahash_final_ctx+0x180/0x428) from [<8039ce18>] (ahash_final+0xc/0)
    [<8039ce18>] (ahash_final+0xc/0x10) from [<80203808>] (crypto_ahash_op+0x28/0xc)
    [<80203808>] (crypto_ahash_op+0x28/0xc0) from [<80207180>] (test_hash+0x214/0x5)
    [<80207180>] (test_hash+0x214/0x5b8) from [<8020758c>] (alg_test_hash+0x68/0x8c)
    [<8020758c>] (alg_test_hash+0x68/0x8c) from [<80206e00>] (alg_test+0x7c/0x1b8)
    [<80206e00>] (alg_test+0x7c/0x1b8) from [<80204cfc>] (cryptomgr_test+0x40/0x48)
    [<80204cfc>] (cryptomgr_test+0x40/0x48) from [<80089544>] (kthread+0x80/0x88)
    [<80089544>] (kthread+0x80/0x88) from [<80040a40>] (kernel_thread_exit+0x0/0x8)
    Code: e59f0010 e1a01003 eb126a8d e3a03000 (e5833000)
    ---[ end trace d52a403a1d1eaa86 ]---
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
    Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    
    Conflicts:
    
    	drivers/crypto/caam/caamhash.c

 drivers/crypto/caam/caamhash.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 266461a8fca8b526fe8ac7499d88dc8c7de55b6e
Author: Steven Rostedt <rostedt@goodmis.org>
Date:   Mon Jun 15 17:50:25 2015 -0400

    tracing: Have filter check for balanced ops
    
    When the following filter is used it causes a warning to trigger:
    
     # cd /sys/kernel/debug/tracing
     # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
    -bash: echo: write error: Invalid argument
     # cat events/ext4/ext4_truncate_exit/filter
    ((dev==1)blocks==2)
    ^
    parse_error: No error
    
     ------------[ cut here ]------------
     WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990()
     Modules linked in: bnep lockd grace bluetooth  ...
     CPU: 3 PID: 1223 Comm: bash Tainted: G        W       4.1.0-rc3-test+ #450
     Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
      0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0
      0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c
      ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea
     Call Trace:
      [<ffffffff816ed4f9>] dump_stack+0x4c/0x6e
      [<ffffffff8107fb07>] warn_slowpath_common+0x97/0xe0
      [<ffffffff8136b46c>] ? _kstrtoull+0x2c/0x80
      [<ffffffff8107fb6a>] warn_slowpath_null+0x1a/0x20
      [<ffffffff81159065>] replace_preds+0x3c5/0x990
      [<ffffffff811596b2>] create_filter+0x82/0xb0
      [<ffffffff81159944>] apply_event_filter+0xd4/0x180
      [<ffffffff81152bbf>] event_filter_write+0x8f/0x120
      [<ffffffff811db2a8>] __vfs_write+0x28/0xe0
      [<ffffffff811dda43>] ? __sb_start_write+0x53/0xf0
      [<ffffffff812e51e0>] ? security_file_permission+0x30/0xc0
      [<ffffffff811dc408>] vfs_write+0xb8/0x1b0
      [<ffffffff811dc72f>] SyS_write+0x4f/0xb0
      [<ffffffff816f5217>] system_call_fastpath+0x12/0x6a
     ---[ end trace e11028bd95818dcd ]---
    
    Worse yet, reading the error message (the filter again) it says that
    there was no error, when there clearly was. The issue is that the
    code that checks the input does not check for balanced ops. That is,
    having an op between a closed parenthesis and the next token.
    
    This would only cause a warning, and fail out before doing any real
    harm, but it should still not cause a warning, and the error reported
    should work:
    
     # cd /sys/kernel/debug/tracing
     # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
    -bash: echo: write error: Invalid argument
     # cat events/ext4/ext4_truncate_exit/filter
    ((dev==1)blocks==2)
    ^
    parse_error: Meaningless filter expression
    
    And give no kernel warning.
    
    Link: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home
    
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: stable@vger.kernel.org # 2.6.31+
    Reported-by: Vince Weaver <vincent.weaver@maine.edu>
    Tested-by: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_events_filter.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)
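
Added example, not code from the commit or from the kernel's trace_events_filter.c: a small token-adjacency checker in C that flags the commit's `((dev==1)blocks==2)` case as a meaningless expression (an operand directly after a closing parenthesis) and reports unbalanced parentheses separately instead of blaming the operator layout. The `filter_check` enum, the `check_filter` and `next_token` names, the adjacency rule and the "Unbalanced parentheses" message are this example's own choices; the kernel performs its check on the parsed predicates, not on raw tokens as done here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Result codes and messages of this checker (its own choices, not a kernel API). */
enum filter_check { FILTER_OK = 0, FILTER_MEANINGLESS = 1, FILTER_UNBALANCED = 2 };

static const char *filter_check_msg(enum filter_check rc)
{
    switch (rc) {
    case FILTER_OK:          return "No error";
    case FILTER_MEANINGLESS: return "Meaningless filter expression";
    default:                 return "Unbalanced parentheses";
    }
}

/*
 * Returns the length of the token at s and classifies it in *kind:
 *   'p' = '(',  'q' = ')',  'o' = comparison/logical operator,  'v' = field or value.
 * The operator set is the one ftrace filters accept (==, !=, <, <=, >, >=, ~, &&, ||).
 */
static size_t next_token(const char *s, char *kind)
{
    static const char *const ops[] = { "==", "!=", "<=", ">=", "&&", "||", "<", ">", "~", NULL };
    size_t i, n;

    if (*s == '(') { *kind = 'p'; return 1; }
    if (*s == ')') { *kind = 'q'; return 1; }
    for (i = 0; ops[i] != NULL; i++) {
        n = strlen(ops[i]);
        if (strncmp(s, ops[i], n) == 0) { *kind = 'o'; return n; }
    }
    *kind = 'v';
    for (n = 0; s[n] != '\0' && !isspace((unsigned char)s[n]) && strchr("()<>=!&|~", s[n]) == NULL; n++)
        ;
    return n > 0 ? n : 1;  /* lone unknown character: consume it as a value */
}

/*
 * Rejects the commit's failure case: a closing parenthesis must be followed by an
 * operator, another ')' or the end of the expression, and a value must not be
 * followed directly by another value or by '('. Parenthesis depth is tracked so
 * that an unbalanced expression is reported as such rather than as "meaningless".
 */
static enum filter_check check_filter(const char *expr)
{
    int depth = 0;
    char prev = 0, kind;
    size_t n;

    while (*expr != '\0') {
        if (isspace((unsigned char)*expr)) { expr++; continue; }
        n = next_token(expr, &kind);
        if (prev == 'q' && kind != 'o' && kind != 'q')
            return FILTER_MEANINGLESS;      /* e.g. "(dev==1)blocks" */
        if (prev == 'v' && (kind == 'v' || kind == 'p'))
            return FILTER_MEANINGLESS;      /* e.g. "dev 1" or "dev(" */
        if (kind == 'p')
            depth++;
        else if (kind == 'q' && --depth < 0)
            return FILTER_UNBALANCED;
        prev = kind;
        expr += n;
    }
    return depth == 0 ? FILTER_OK : FILTER_UNBALANCED;
}
```

`check_filter("((dev==1)blocks==2)")` yields `FILTER_MEANINGLESS`, whose message matches the one the commit expects to see in the `filter` file, while `(dev==1)&&(blocks==2)` passes and `((dev==1)` is reported as unbalanced.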

commit 5f69f1fed6504e0403027779abf54640b1bcad5a
Author: Jaedon Shin <jaedon.shin@gmail.com>
Date:   Fri Jun 12 18:04:14 2015 +0900

    MPI: MIPS: Fix compilation error with GCC 5.1
    
    This patch fixes mips compilation error:
    
    lib/mpi/generic_mpih-mul1.c: In function 'mpihelp_mul_1':
    lib/mpi/longlong.h:651:2: error: impossible constraint in 'asm'
    
    Signed-off-by: Jaedon Shin <jaedon.shin@gmail.com>
    Cc: Linux-MIPS <linux-mips@linux-mips.org>
    Patchwork: https://patchwork.linux-mips.org/patch/10546/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

 lib/mpi/longlong.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit d1e6af8abea278e18bdd24b17678914a480f440c
Merge: e79913c c26a1fd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 18:33:31 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/mips/kernel/irq.c
    	net/ipv4/tcp_minisocks.c

commit c26a1fde04fe14a5a7d108b25d9729c31502d58d
Merge: 446858e 165797d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 23 18:27:23 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit e79913c3a3174f4b9c2e25dd9a24229548ba87dd
Merge: 88e5093 446858e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 21:14:30 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 446858e9a4e05db2d9d7b823c4856d59b35b3bb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 21:13:24 2015 -0400

    fix typo

 fs/binfmt_elf.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 88e5093e2908563dbd6e8360a162346f9cd9c659
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 20:58:12 2015 -0400

    Backport CVE-2015-1805 fix from http://seclists.org/oss-sec/2015/q2/652

 fs/pipe.c |   55 ++++++++++++++++++++++++++++++++-----------------------
 1 files changed, 32 insertions(+), 23 deletions(-)

commit 9f214562e92472ef88c3638b7f1f9837c93f80f5
Author: Helge Deller <deller@gmx.de>
Date:   Thu Jun 4 23:57:18 2015 +0200

    compat: cleanup coding in compat_get_bitmap() and compat_put_bitmap()
    
    In the functions compat_get_bitmap() and compat_put_bitmap() the
    variable nr_compat_longs stores how many compat_ulong_t words should be
    copied in a loop.
    
    The copy loop itself is this:
      if (nr_compat_longs-- > 0) {
          if (__get_user(um, umask)) return -EFAULT;
      } else {
          um = 0;
      }
    
    Since nr_compat_longs gets unconditionally decremented in each loop and
    since its type is unsigned this could theoretically lead to out of
    bounds accesses to userspace if nr_compat_longs wraps around to
    (unsigned)(-1).
    
    Although the callers currently do not trigger out-of-bounds accesses, we
    should better implement the loop in a safe way to completely avoid such
    wrap-arounds.
    
    Signed-off-by: Helge Deller <deller@gmx.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>

 kernel/compat.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
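
Added example, not code from the commit or from kernel/compat.c: a user-space model in C of the loop shape quoted above, run against a constructed four-word "user" buffer whose out-of-range reads count as faults. `copy_words_wrapping` keeps the `nr_compat_longs-- > 0` test and shows the counter wrapping once it has reached 0; `copy_words_safe` is this example's safe form (test first, decrement only on the taken branch). `get_user_word`, `USER_WORDS`, `user_mask` and the `iterations` parameter are this example's own stand-ins for `__get_user()`, the user bitmap and the kernel-side word count driving the loop.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed stand-in for user memory: four 32-bit compat words are "mapped";
 * any read at index >= USER_WORDS is treated as a fault, the way __get_user()
 * fails on an unmapped page.
 */
#define USER_WORDS 4
static const uint32_t user_mask[USER_WORDS] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };

/* Emulates __get_user(um, umask): 0 on success, -1 (think -EFAULT) on fault. */
static int get_user_word(uint32_t *dst, size_t idx)
{
    if (idx >= USER_WORDS)
        return -1;
    *dst = user_mask[idx];
    return 0;
}

/*
 * Loop shape quoted in the commit: "if (nr_compat_longs-- > 0)". The counter is
 * decremented even when the test fails, so once it reaches 0 it wraps to
 * (unsigned)-1 and every later iteration reads another word from user space.
 * The user pointer (here the index) advances on every iteration, as in the kernel.
 * Returns the number of words fetched, or -1 if a read faulted.
 */
static int copy_words_wrapping(unsigned int nr_compat_longs, size_t iterations)
{
    int fetched = 0;
    size_t i;

    for (i = 0; i < iterations; i++) {
        uint32_t um;
        if (nr_compat_longs-- > 0) {
            if (get_user_word(&um, i))
                return -1;
            fetched++;
        } else {
            um = 0;            /* zero-fill once the user bitmap is exhausted */
        }
        (void)um;
    }
    return fetched;
}

/* Safe form: test first, decrement only on the taken branch, so the counter never wraps. */
static int copy_words_safe(unsigned int nr_compat_longs, size_t iterations)
{
    int fetched = 0;
    size_t i;

    for (i = 0; i < iterations; i++) {
        uint32_t um;
        if (nr_compat_longs > 0) {
            nr_compat_longs--;
            if (get_user_word(&um, i))
                return -1;
            fetched++;
        } else {
            um = 0;
        }
        (void)um;
    }
    return fetched;
}
```

With two user words and six loop rounds, the wrapping version skips round three, then resumes fetching and faults on index four, whereas the safe version stops at two words and never touches memory past the buffer.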

commit 9855fe4931ca18197c68e660ccbcedf416d265ad
Author: Robert Shearman <rshearma@brocade.com>
Date:   Fri Jun 5 18:51:54 2015 +0100

    ipv6: fix possible use after free of dev stats
    
    The memory pointed to by idev->stats.icmpv6msgdev,
    idev->stats.icmpv6dev and idev->stats.ipv6 can each be used in an RCU
    read context without taking a reference on idev. For example, through
    IP6_*_STATS_* calls in ip6_rcv. These memory blocks are freed without
    waiting for an RCU grace period to elapse. This could lead to the
    memory being written to after it has been freed.
    
    Fix this by using call_rcu to free the memory used for stats, as well
    as idev after an RCU grace period has elapsed.
    
    Signed-off-by: Robert Shearman <rshearma@brocade.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/addrconf_core.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

commit 1108849521301f54218fa7b5a3fd6e360bdb2699
Merge: 3b0667c 94a81a9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 20:30:55 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 94a81a9dd2e8790e7105b8b902073ed83ff50da2
Merge: 3ba0ad3 e99d350
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 8 20:30:46 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	Makefile
    	fs/binfmt_elf.c

commit 3b0667c8fb072131aef54f87e5e2a66b1b7e5b4a
Author: Rusty Russell <rusty@rustcorp.com.au>
Date:   Wed May 27 10:59:26 2015 +0930

    lguest: fix out-by-one error in address checking.
    
    This bug has been there since day 1; addresses in the top guest physical
    page weren't considered valid.  You could map that page (the check in
    check_gpte() is correct), but if a guest tried to put a pagetable there
    we'd check that address manually when walking it, and kill the guest.
    
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/lguest/core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d47a29c92ed081273986487e764addbb8743de30
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu May 28 23:09:19 2015 -0400

    d_walk() might skip too much
    
    when we find that a child has died while we'd been trying to ascend,
    we should go into the first live sibling itself, rather than its sibling.
    
    Off-by-one in question had been introduced in "deal with deadlock in
    d_walk()" and the fix needs to be backported to all branches this one
    has been backported to.
    
    Cc: stable@vger.kernel.org # 3.2 and later
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/dcache.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 4a2effa5552477281a4408c1a1b78b7476b7f3a8
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat May 30 09:16:53 2015 -0700

    udp: fix behavior of wrong checksums
    
    We have two problems in UDP stack related to bogus checksums:
    
    1) We return -EAGAIN to application even if receive queue is not empty.
       This breaks applications using edge trigger epoll()
    
    2) Under UDP flood, we can loop forever without yielding to other
       processes, potentially hanging the host, especially on non SMP.
    
    This patch is an attempt to make things better.
    
    We might in the future add extra support for rt applications
    wanting to better control time spent doing a recv() in a hostile
    environment. For example we could validate checksums before queuing
    packets in socket receive queue.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/udp.c |    6 ++----
 net/ipv6/udp.c |    6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

commit 6fd0d7d443c481e59b86a24a642b8219479c438e
Author: Jan Kara <jack@suse.cz>
Date:   Tue Jun 2 17:10:28 2015 +0200

    lib: Fix strnlen_user() to not touch memory after specified maximum
    
    If the specified maximum length of the string is a multiple of unsigned
    long, we would load one long behind the specified maximum.  If that
    happens to be in a next page, we can hit a page fault although we were
    not expected to.
    
    Fix the off-by-one bug in the test whether we are at the end of the
    specified range.
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/strnlen_user.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
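
Added example, not code from the commit or from lib/strnlen_user.c: a C model of a word-at-a-time bounded string length that follows the loop structure the commit describes for an aligned source (first word loaded unconditionally, then check for a terminator, advance, decide whether another word may be loaded) over a constructed 8-byte "page" where any load touching a byte beyond it counts as a fault. The `buggy` flag selects the pre-fix end test (`max < WORD`) or the fixed one (`max <= WORD`); `strnlen_words`, `load_word`, the 32-bit `WORD` and the sample buffers are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WORD sizeof(uint32_t)

/* Constructed inputs: an 8-byte region with no terminator, and one holding "abc\0...". */
static const char sample_no_nul[8] = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
static const char sample_nul[8] = "abc";

/* Emulates an aligned word load from user space: a load that touches any byte
 * at or beyond buflen is treated as a fault on an unmapped page (-1). */
static int load_word(const char *buf, size_t buflen, size_t off, uint32_t *w)
{
    if (off + WORD > buflen)
        return -1;
    memcpy(w, buf + off, WORD);
    return 0;
}

/* Classic "does this word contain a zero byte" test, exact for presence. */
static int word_has_zero(uint32_t w)
{
    return ((w - 0x01010101u) & ~w & 0x80808080u) != 0;
}

/* Index (in memory order) of the first zero byte of w. */
static size_t first_zero_byte(uint32_t w)
{
    unsigned char b[WORD];
    size_t i;
    memcpy(b, &w, WORD);
    for (i = 0; i < WORD; i++)
        if (b[i] == 0)
            return i;
    return WORD;
}

/*
 * Word-at-a-time length of buf limited to max bytes. Returns the length
 * including the terminator (larger than max if the terminator sits in the
 * last word loaded), 0 if no terminator was found within max, or -1 if a
 * load faulted. buggy != 0 uses the pre-fix end test.
 */
static long strnlen_words(const char *buf, size_t buflen, size_t max, int buggy)
{
    size_t res = 0;
    uint32_t w;

    if (load_word(buf, buflen, 0, &w))
        return -1;
    for (;;) {
        if (word_has_zero(w))
            return (long)(res + first_zero_byte(w) + 1);
        res += WORD;
        /* Are the 'max' bytes fully covered? Pre-fix, max == WORD fell through. */
        if (buggy ? max < WORD : max <= WORD)
            return 0;
        max -= WORD;
        if (load_word(buf, buflen, res, &w))
            return -1;      /* with max a multiple of WORD, the old test lands here */
    }
}
```

For an unterminated 8-byte region and `max == 8`, the pre-fix test lets the loop load the word at offset 8, one past the limit and, in the constructed layout, past the mapped page (result -1); the fixed test returns 0 after the second word without that load, and a terminator inside the limit is found identically by both variants.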

commit 42ad580ff736300f74042302fc965840abfeaaac
Merge: 443e8d4 3ba0ad3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 27 19:32:55 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3ba0ad308e19950c30448ef4bab931cf2e67d5b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 27 19:32:25 2015 -0400

    Update to pax-linux-3.14.43-test50.patch:
    - synchronized some plugin files with the other trees
    - have xfs_error_report resolve the caller to a symbol

 fs/xfs/xfs_error.c          |    2 +-
 tools/gcc/constify_plugin.c |    3 ++-
 tools/gcc/gcc-common.h      |   23 +++++++++++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)

commit 443e8d4907daf572d5bf955df9df476696141a18
Author: Eric Work <work.eric@gmail.com>
Date:   Mon May 18 23:26:23 2015 -0700

    md/raid0: fix restore to sector variable in raid0_make_request
    
    The variable "sector" in "raid0_make_request()" was improperly updated
    by a call to "sector_div()" which modifies its first argument in place.
    Commit 47d68979cc968535cb87f3e5f2e6a3533ea48fbd restored this variable
    after the call for later re-use.  Unfortunately the restore was done after
    the referenced variable "bio" was advanced.  This led to the original
    value and the restored value being different.  Here we move this line to
    the proper place.
    
    One observed side effect of this bug was discarding a file through
    unlinking would cause an unrelated file's contents to be discarded.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Fixes: 47d68979cc96 ("md/raid0: fix bug with chunksize not a power of 2.")
    Cc: stable@vger.kernel.org (any that received above backport)
    URL: https://bugzilla.kernel.org/show_bug.cgi?id=98501

 drivers/md/raid0.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 1a410aec3e4cd8ba5c0a9e7fa33c2b7fbcb80003
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri May 22 21:10:11 2015 -0400

    Include the required BNX2 firmware from Broadcom for usability
    purposes.  Performed whitespace changes on the WHENCE file to
    ensure Broadcom's license for the file is not only contained in
    the resulting compilation but also in the patch itself.  It is
    being distributed in hex format as permitted by their license.

 firmware/Makefile                         |    1 +
 firmware/WHENCE                           |   19 +-
 firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 +++++++++++++++++++++++++++++
 3 files changed, 6507 insertions(+), 9 deletions(-)

commit 8b1f5c585f336c9e777076f2df02692b4374b9f9
Merge: 7d3f4a1 a448d39
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 19 17:17:01 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit a448d39676b73997a00089f993045293a7f798af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 19 17:16:43 2015 -0400

    Update to pax-linux-3.14.43-test49.patch:
    - fixed a xen regression introduced with the recent enlargement of level1_fixmap_pgt, reported by 2d1
    - fixed a regression in the structleak plugin that would disable it under LTO

 arch/x86/include/asm/pgtable_64.h |    4 ++--
 arch/x86/xen/mmu.c                |    4 +++-
 tools/gcc/structleak_plugin.c     |    2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit 7d3f4a1158269141757753ae1eb96616acfe2781
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 18 18:01:08 2015 -0400

    Remove __inline__ from .c files, let the compiler decide
    
    Conflicts:
    
    	grsecurity/gracl_segv.c

 grsecurity/gracl.c       |   12 ++++++------
 grsecurity/gracl_alloc.c |    4 ++--
 grsecurity/gracl_segv.c  |    6 +++---
 grsecurity/grsec_sock.c  |    4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)

commit 921cc415c6f35e0b68a886a284a9e0b2ad89f123
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 18 17:54:21 2015 -0400

    Actually wire up use of the RANDSTRUCT attributes for GCC 5.1, otherwise we'd
    ICE on some Xen PARAVIRT code (and would miss explicit randomization and would
    break other code)

 include/linux/compiler-gcc5.h |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c62b8c7a7cbbebfd548c2e69eaafeb6497836d29
Merge: 8e25cbb c62ce50
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:43:09 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/dcache.c

commit c62ce50fb4d4aca68be10300e11994a88173b074
Merge: 6d5555d 1325370
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:41:54 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	mm/memory-failure.c

commit 8e25cbba41a16c1cd56acf1b5e4e43a8c0a97c76
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:24:15 2015 -0400

    fix whitespace

 grsecurity/gracl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 1ce3529411019a62c8e81478a150f103f6a4da00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 17 14:22:18 2015 -0400

    Fix an ICE in the RANDSTRUCT plugin on GCC 5.1 reported and fixed by pipacs

 tools/gcc/randomize_layout_plugin.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1a48ada4ec07c07b5d6981533287395d61151323
Merge: 078a859 6d5555d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:16:31 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 6d5555d58f8fb886cd77ef240b9be96eeb3f7116
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:16:06 2015 -0400

    Update to pax-linux-3.14.42-test48.patch:
    - disable PCID before exiting the kernel to code that may not sanitize its environment properly before turning off paging, fixes tboot/TXT shutdown among others, reported and debugged by Jason Zaman perfinion@gentoo.org
    - fixed a size overflow false positive in squashfs, reported by Martin Vath <martin@mvath.de> (https://bugs.gentoo.org/show_bug.cgi?id=548960)
    - fixed a /proc/kcore regression to not return uninitialized memory if the requested kernel address range is not fully mapped

 arch/x86/kernel/head_64.S     |   12 +++++++++---
 arch/x86/kernel/tboot.c       |    2 ++
 arch/x86/realmode/rm/reboot.S |    4 ++++
 fs/proc/kcore.c               |   14 ++++++--------
 fs/squashfs/xattr.c           |   12 ++++++------
 5 files changed, 27 insertions(+), 17 deletions(-)

commit 7225cff24d41a3356cff72fc4a3f9297d1f329af
Merge: 90b0ee5 c629522
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 13 18:13:31 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit 078a85941d27475c601241b0a18406bcb82f1622
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Wed May 6 15:09:40 2015 +0200

    usbnet: avoid integer overflow in start_xmit
    
    transfer_buffer_length is of type u32. It's therefore wrong to assign it
    to a signed integer. This patch avoids the overflow.
    
    It's worth noting that entry->length here is a long; perhaps it would be
    beneficial at some point to change this to be unsigned as well, if
    nothing else relies on its signedness for error conditions or the like.
    
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/usbnet.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 67b6784c6e20091da096017d024e380c243c9921
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri May 8 16:36:50 2015 -0500

    mnt: Fix fs_fully_visible to verify the root directory is visible
    
    This fixes a dumb bug in fs_fully_visible that allows proc or sys to
    be mounted if there is a bind mount of part of /proc/ or /sys/ visible.
    
    Cc: stable@vger.kernel.org
    Reported-by: Eric Windisch <ewindisch@docker.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 fs/namespace.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 2c6c02608e522eada90242d2074bab86cc81d1d8
Author: Christophe Leroy <christophe.leroy@c-s.fr>
Date:   Wed May 6 17:26:47 2015 +0200

    splice: sendfile() at once fails for big files
    
    Using sendfile with below small program to get MD5 sums of some files,
    it appears that big files (over 64kbytes with 4k pages system) get a
    wrong MD5 sum while small files get the correct sum.
    This program uses sendfile() to send a file to an AF_ALG socket
    for hashing.
    
    /* md5sum2.c */
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <fcntl.h>
    #include <sys/socket.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/sendfile.h>	/* sendfile() prototype */
    #include <linux/if_alg.h>
    
    int main(int argc, char **argv)
    {
    	int sk = socket(AF_ALG, SOCK_SEQPACKET, 0);
    	struct stat st;
    	struct sockaddr_alg sa = {
    		.salg_family = AF_ALG,
    		.salg_type = "hash",
    		.salg_name = "md5",
    	};
    	int n;
    
    	bind(sk, (struct sockaddr*)&sa, sizeof(sa));
    
    	for (n = 1; n < argc; n++) {
    		int size;
    		off_t offset = 0;	/* sendfile() takes an off_t *, not an int * */
    		unsigned char buf[4096];	/* unsigned so "%2.2x" prints bytes >= 0x80 as two digits */
    		int fd;
    		int sko;
    		int i;
    
    		fd = open(argv[n], O_RDONLY);
    		sko = accept(sk, NULL, 0);
    		fstat(fd, &st);
    		size = st.st_size;
    		sendfile(sko, fd, &offset, size);
    		size = read(sko, buf, sizeof(buf));
    		for (i = 0; i < size; i++)
    			printf("%2.2x", buf[i]);
    		printf("  %s\n", argv[n]);
    		close(fd);
    		close(sko);
    	}
    	exit(0);
    }
    
    Test below is done using official linux patch files. First result is
    with a software based md5sum. Second result is with the program above.
    
    root@vgoip:~# ls -l patch-3.6.*
    -rw-r--r--    1 root     root         64011 Aug 24 12:01 patch-3.6.2.gz
    -rw-r--r--    1 root     root         94131 Aug 24 12:01 patch-3.6.3.gz
    
    root@vgoip:~# md5sum patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz
    
    root@vgoip:~# ./md5sum2 patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    5fd77b24e68bb24dcc72d6e57c64790e  patch-3.6.3.gz
    
    After investigation, it appears that sendfile() sends the files by blocks
    of 64kbytes (16 times PAGE_SIZE). The problem is that at the end of each
    block, the SPLICE_F_MORE flag is missing, therefore the hashing operation
    is reset as if it was the end of the file.
    
    This patch adds SPLICE_F_MORE to the flags when more data is pending.
    
    With the patch applied, we get the correct sums:
    
    root@vgoip:~# md5sum patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz
    
    root@vgoip:~# ./md5sum2 patch-3.6.*
    b3ffb9848196846f31b2ff133d2d6443  patch-3.6.2.gz
    c5e8f687878457db77cb7158c38a7e43  patch-3.6.3.gz
    
    Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
    Signed-off-by: Jens Axboe <axboe@fb.com>

 fs/splice.c |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

commit 58ed9d0e404d3e79e009455e172a8ea966f2b199
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri May 8 22:53:15 2015 -0400

    path_openat(): fix double fput()
    
    path_openat() jumps to the wrong place after do_tmpfile() - it has
    already done path_cleanup() (as part of path_lookupat() called by
    do_tmpfile()), so doing that again can lead to double fput().
    
    Cc: stable@vger.kernel.org	# v3.11+
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Conflicts:
    
    	fs/namei.c

 fs/namei.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 6f46ab2665e264e56997384d484b2f3f42dbc376
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:35:11 2015 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 09328fcefd1c8954ff1c36d5732681a86bef0593
Merge: 606e87a 90b0ee5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:23:10 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/open.c

commit 90b0ee5d57d22ec889bb3062d580fb83927ce09a
Merge: 15bf6e6 99e64c4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:19:18 2015 -0400

    Update to pax-linux-3.14.41-test47.patch:
    - worked around a gcc induced intentional overflow in the bunzip decompressor, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=548508)
    - F_SETPIPE_SZ handling ignored pipe_min_size and could trigger the size overflow instrumentation, reported by minipli
    - fixed an integer signedness mixup in a parameter of semop and semtimedop, by minipli
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/arm/include/asm/elf.h
    	fs/binfmt_elf.c

commit 606e87a4d2804bd27ec160869055a011d1066adf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 7 18:01:36 2015 -0400

    Even though in the history of autoconfig it has never tripped anyone
    up under realistic use cases (e.g. nobody starts a config, enables
    only CONFIG_GRKERNSEC, then exits menuconfig, then loads it back up
    and tries to apply an autoconfig setting) explicitly mention that you
    cannot do it and expect the autoconfig to work.  Due to how the Kbuild
    system works, we can't apply defaults and also allow them to be modified
    via custom settings -- if they're 'select'ed then they can't be modified,
    and using 'select' violates any dependencies that may exist.  Therefore
    we have to resort to using 'default', which after a user has already chosen
    all the settings by virtue of enabling CONFIG_GRKERNSEC and then saving their
    complete kernel config, cannot have any effect as the options have now all
    been chosen and there's no 'default' applicable.

 security/Kconfig |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c37885151a4f264b4512e8c540ebd05878d53d25
Merge: 340e645 15bf6e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 4 19:34:50 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 15bf6e633f73af7b6240862042cda6b7a70f4738
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 4 19:34:29 2015 -0400

    Update to pax-linux-3.14.40-test45.patch:
    - fixed a bunch of NULL function pointer dereference regressions in the compat drm ioctl code for i915/mga/r128/radeon, reported by minipli

 drivers/gpu/drm/i915/i915_ioc32.c     |   13 ++++++-------
 drivers/gpu/drm/mga/mga_ioc32.c       |    7 +++----
 drivers/gpu/drm/r128/r128_ioc32.c     |    7 +++----
 drivers/gpu/drm/radeon/radeon_ioc32.c |    7 +++----
 4 files changed, 15 insertions(+), 19 deletions(-)

commit 340e6452ca6a50df67d71cec2f7372c0537ae084
Author: David S. Miller <davem@davemloft.net>
Date:   Fri May 1 22:02:47 2015 -0400

    ipv4: Missing sk_nulls_node_init() in ping_unhash().
    
    If we don't do that, then the poison value is left in the ->pprev
    backlink.
    
    This can cause crashes if we do a disconnect, followed by a connect().
    
    Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Reported-by: Wen Xu <hotdog3645@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1b98f4762286dbe86e9f0af00d559a79530c355c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 19:40:23 2015 -0400

    Fix a refcount underflow reported by Jan Hejl caused by GRKERNSEC_CHROOT_RENAME
    We failed to increment the tree in copy_fs_struct, so users of clone with
    CLONE_FS who then exited caused a decrement of the refcounts with no associated
    increment.  This would generally occur on / and took at least a month on
    a heavily-loaded system to trigger.  It shouldn't cause any security problems
    as no freeing is associated with the refcount, and the only interesting value
    is 0, which permits renames in that tree.  I've tested this fixed implementation
    to ensure the refcounts are under control in both directions.

 fs/fs_struct.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b46f1bc40a99043794c760fafea335fe1ca087fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:39:48 2015 -0400

    compile fix

 arch/x86/kernel/apic/io_apic.c   |    2 +-
 drivers/xen/events/events_base.c |    6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

commit e8faefbe3f7eb3f2e98987b95d292d2e407402a1
Merge: 6e09ec7 c926430
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:38:40 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit c926430b0d52397af37a63b15ddb15d9ece60a46
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 08:38:17 2015 -0400

    Update to pax-linux-3.14.40-test44.patch:
    - fixed compilation errors due to some overzealous constification of irq_chip variables, reported by spender

 arch/x86/kernel/apic/io_apic.c   |    4 ++--
 drivers/xen/events/events_base.c |    6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

commit 6e09ec7529a9801166a182648a1c808755bd4199
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 07:18:06 2015 -0400

    compile fix

 drivers/xen/events/events_base.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit bca9c824b0e8ae0c7794e04307c4af9247905dcc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 30 07:14:18 2015 -0400

    Update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0364548df8847766844a2d91d397d09f9991f4b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 22:34:18 2015 -0400

    compile fix

 arch/x86/kernel/apic/io_apic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d2e5fa2378b8ff37963278120a3519cbcf290178
Merge: b895f5b e727cfa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 21:53:16 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	tools/gcc/gcc-common.h

commit e727cfaee885f426fc3b760eed34a83c894114f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 21:50:40 2015 -0400

    Update to pax-linux-3.14.40-test43.patch:
    - ported all plugins to gcc-5 except size overflow
    - fixed integer signedness mixup in mmc error code handling, caught by the size overflow plugin, reported by Tom Seewald
    - fixed a few section conflicts exposed by LTO
    - fixed the latent entropy plugin for LTO
    - fixed the stackleak plugin for LTO

 arch/x86/include/asm/page_64.h            |    4 +-
 arch/x86/include/asm/uaccess.h            |    8 +-
 arch/x86/kernel/apic/io_apic.c            |    4 +-
 arch/x86/kernel/apm_32.c                  |    2 +-
 arch/x86/kernel/reboot.c                  |    2 +-
 arch/x86/mm/pgtable.c                     |    2 +-
 crypto/zlib.c                             |    4 +-
 drivers/acpi/bus.c                        |    4 +-
 drivers/acpi/ec.c                         |    2 +-
 drivers/acpi/pci_slot.c                   |    2 +-
 drivers/acpi/processor_core.c             |    2 +-
 drivers/acpi/processor_driver.c           |    2 +-
 drivers/acpi/sleep.c                      |    2 +-
 drivers/acpi/thermal.c                    |    2 +-
 drivers/acpi/video.c                      |    2 +-
 drivers/char/i8k.c                        |    2 +-
 drivers/char/sonypi.c                     |    2 +-
 drivers/firmware/efi/runtime-map.c        |    2 +-
 drivers/firmware/google/gsmi.c            |    2 +-
 drivers/firmware/google/memconsole.c      |    2 +-
 drivers/firmware/memmap.c                 |    2 +-
 drivers/hwmon/acpi_power_meter.c          |    2 +-
 drivers/input/touchscreen/htcpen.c        |    2 +-
 drivers/md/raid5.c                        |   12 +-
 drivers/mfd/kempld-core.c                 |    2 +-
 drivers/net/ethernet/via/via-rhine.c      |    2 +-
 drivers/pci/pcie/portdrv_pci.c            |    2 +-
 drivers/platform/chrome/chromeos_pstore.c |    2 +-
 drivers/platform/x86/compal-laptop.c      |    2 +-
 drivers/platform/x86/hdaps.c              |    2 +-
 drivers/platform/x86/ibm_rtl.c            |    2 +-
 drivers/platform/x86/intel_oaktrail.c     |    2 +-
 drivers/platform/x86/msi-laptop.c         |    2 +-
 drivers/platform/x86/samsung-laptop.c     |    2 +-
 drivers/platform/x86/samsung-q10.c        |    2 +-
 drivers/platform/x86/sony-laptop.c        |    2 +-
 drivers/pnp/pnpbios/core.c                |    2 +-
 drivers/thermal/x86_pkg_temp_thermal.c    |    2 +-
 drivers/xen/events/events_base.c          |    6 +-
 include/linux/compiler-gcc5.h             |    2 -
 include/linux/compiler.h                  |    2 +
 include/linux/mmc/core.h                  |    2 +-
 include/linux/syscalls.h                  |    5 +-
 mm/madvise.c                              |    4 +-
 net/l2tp/l2tp_ip.c                        |    2 +-
 net/l2tp/l2tp_ip6.c                       |    2 +-
 net/netfilter/nft_compat.c                |    9 +--
 security/Kconfig                          |    2 +-
 tools/gcc/Makefile                        |    2 +-
 tools/gcc/colorize_plugin.c               |    4 +-
 tools/gcc/constify_plugin.c               |   11 ++-
 tools/gcc/gcc-common.h                    |  166 +++++++++++++++++++++++++++--
 tools/gcc/kallocstat_plugin.c             |   11 ++-
 tools/gcc/kernexec_plugin.c               |   63 ++++++++----
 tools/gcc/latent_entropy_plugin.c         |   21 +++--
 tools/gcc/stackleak_plugin.c              |   52 ++++++++--
 tools/gcc/structleak_plugin.c             |   25 ++++-
 57 files changed, 361 insertions(+), 130 deletions(-)

commit b895f5b8434b2d1a795787fd815959d15b3c43e7
Merge: 0366b72 5ff78d8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 07:37:37 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	include/linux/dcache.h

commit 5ff78d85242d3daad27a554d7e3aaabbec545882
Merge: 9310530 7b10379
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 29 07:36:48 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	fs/dcache.c
    	fs/libfs.c
    	mm/memory.c

commit 0366b7254987510c15531a1427dd36579e0377f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 27 07:31:18 2015 -0400

    Backport GCC 5.1 support

 include/linux/compiler-gcc5.h     |    3 --
 tools/gcc/colorize_plugin.c       |    4 +-
 tools/gcc/constify_plugin.c       |   11 +++++--
 tools/gcc/gcc-common.h            |   24 ++++++++++++++-
 tools/gcc/kallocstat_plugin.c     |   11 +++++--
 tools/gcc/kernexec_plugin.c       |   59 ++++++++++++++++++++++++++----------
 tools/gcc/latent_entropy_plugin.c |   12 +++++--
 tools/gcc/stackleak_plugin.c      |   22 ++++++++++---
 tools/gcc/structleak_plugin.c     |   25 ++++++++++++----
 9 files changed, 127 insertions(+), 44 deletions(-)

commit cd40a98c5f72d1db15c2115fade07813270a4609
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 26 16:21:54 2015 -0400

    Revert "tcp: add memory barriers to write space paths"
    
    This reverts commit ad0a4d843ba572b3237ca05c64d72422f083c5d9.

 net/ipv4/tcp.c       |    4 +---
 net/ipv4/tcp_input.c |    2 --
 2 files changed, 1 insertions(+), 5 deletions(-)

commit 0bbd65a053e6b5a0e615b117f06d54e690aad060
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 26 16:10:18 2015 -0400

    compile fix

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bfa8c961dfbb715c42006c14dc9b69e6a09d4e94
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 17 15:15:40 2015 -0400

    sfc: Fix memcpy() with const destination compiler warning.
    
    drivers/net/ethernet/sfc/selftest.c: In function ‘efx_iterate_state’:
    drivers/net/ethernet/sfc/selftest.c:388:9: warning: passing argument 1 of ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]
    
    This is because the msg[] member of struct efx_loopback_payload
    is marked as 'const'.  Remove that.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/sfc/selftest.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ad0a4d843ba572b3237ca05c64d72422f083c5d9
Author: jbaron@akamai.com <jbaron@akamai.com>
Date:   Mon Apr 20 20:05:07 2015 +0000

    tcp: add memory barriers to write space paths
    
    Ensure that we either see that the buffer has write space
    in tcp_poll() or that we perform a wakeup from the input
    side. Did not run into any actual problem here, but thought
    that we should make things explicit.
    
    Signed-off-by: Jason Baron <jbaron@akamai.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp.c       |    4 +++-
 net/ipv4/tcp_input.c |    2 ++
 2 files changed, 5 insertions(+), 1 deletions(-)

commit 6fde9603974635d4e77d037afd7a02f8cf4cd83d
Author: Jann Horn <jann@thejh.net>
Date:   Sun Apr 19 02:48:39 2015 +0200

    fs: take i_mutex during prepare_binprm for set[ug]id executables
    
    This prevents a race between chown() and execve(), where chowning a
    setuid-user binary to root would momentarily make the binary setuid
    root.
    
    This patch was mostly written by Linus Torvalds.
    
    Signed-off-by: Jann Horn <jann@thejh.net>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	fs/exec.c

 fs/exec.c |   76 ++++++++++++++++++++++++++++++++++++++----------------------
 1 files changed, 48 insertions(+), 28 deletions(-)

commit 2a958eb09171fc5a7b7bcfbf00cb72a55cb8008b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Apr 14 15:43:19 2015 -0700

    ocfs2: dereferencing freed pointers in ocfs2_reflink()
    
    The code at the "out" label assumes that "default_acl" and "acl" are NULL,
    but actually the pointers can be NULL, uninitialized, or freed.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Mark Fasheh <mfasheh@suse.de>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/ocfs2/refcounttree.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fbf256d6a44844162ad1ec734e5149406eacf66f
Author: Kirill Tkhai <ktkhai@parallels.com>
Date:   Thu Apr 16 12:48:01 2015 -0700

    fs/exec.c:de_thread: move notify_count write under lock
    
    We set sig->notify_count = -1 between RELEASE and ACQUIRE operations:
    
    	spin_unlock_irq(lock);
    	...
    	if (!thread_group_leader(tsk)) {
    		...
    		for (;;) {
    			sig->notify_count = -1;
    			write_lock_irq(&tasklist_lock);
    
    There are no restrictions on it, so other processors may see this STORE
    mixed with other STOREs in both areas limited by the spinlocks.
    
    Probably, it may be reordered with the above
    
    	sig->group_exit_task = tsk;
    	sig->notify_count = zap_other_threads(tsk);
    
    in some way.
    
    Set it under tasklist_lock locked to be sure nothing will be reordered.
    
    Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/exec.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 80f36d6a8208e026d001b3093dd6b43a80a31521
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 25 21:37:30 2015 -0400

    Update RANDSTRUCT plugin to support GCC 5.1

 tools/gcc/randomize_layout_plugin.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

commit b430dbec16383dc1d5097fa872637a3be863e017
Merge: aadbc1e 9310530
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 19 06:50:42 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 93105308e39c0fdef6a20b74b83c6199c100a211
Merge: 5666062 5c43c53
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 19 06:50:35 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit aadbc1e2e9fbbd552a99f4a240a150ddea93ff28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 22:56:35 2015 -0400

    fix escaping of unix domain paths added in previous patch

 net/unix/af_unix.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit cb2a841fc7907625669a87604ec5aaf8f0f6637b
Author: Mike Christie <michaelc@cs.wisc.edu>
Date:   Fri Apr 10 02:47:27 2015 -0500

    iscsi target: fix oops when adding reject pdu
    
    This fixes an oops due to a double list add when adding a reject PDU for
    iscsit_allocate_iovecs allocation failures. The cmd has already been
    added to the conn_cmd_list in iscsit_setup_scsi_cmd, so this has us call
    iscsit_reject_cmd.
    
    Note that for ERL0 the reject PDU is not actually sent, so this patch
    is not completely tested. Just verified we do not oops. The problem is the
    add reject functions return -1 which is returned all the way up to
    iscsi_target_rx_thread which for ERL0 will drop the connection.
    
    Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
    Cc: <stable@vger.kernel.org> # v3.10+
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>

 drivers/target/iscsi/iscsi_target.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7a476e4b4b58891221a660d4e98d74226dc606ec
Author: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date:   Wed Apr 8 12:33:47 2015 -0400

    RDS: make sure not to loop forever inside rds_send_xmit
    
    If a determined set of concurrent senders keep the send queue full,
    we can loop forever inside rds_send_xmit.  This fix has two parts.
    
    First we are dropping out of the while(1) loop after we've processed a
    large batch of messages.
    
    Second we add a generation number that gets bumped each time the
    xmit bit lock is acquired.  If someone else has jumped in and
    made progress in the queue, we skip our goto restart.
    
    Original patch by Chris Mason.
    
    Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/connection.c |    1 +
 net/rds/rds.h        |    1 +
 net/rds/send.c       |   33 +++++++++++++++++++++++++++++++--
 3 files changed, 33 insertions(+), 2 deletions(-)

commit 42fcfe83e31a2ac31c14391b953a27e2a9f3fdb0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:50:14 2015 -0400

    Revert "Modify the resource handling of RBAC so that it doesn't actually"
    
    This reverts commit 91dccad09fe1c750b21bca3b89129bd713984dd8.

 fs/exec.c                   |    9 ++++++-
 fs/proc/array.c             |    2 +-
 grsecurity/gracl.c          |   44 +++++++++++++++++++++++++++++++++++++++++
 grsecurity/gracl_res.c      |   46 -------------------------------------------
 grsecurity/grsec_disabled.c |   20 ------------------
 include/linux/sched.h       |    7 +----
 kernel/acct.c               |    3 --
 kernel/fork.c               |    2 +-
 kernel/posix-cpu-timers.c   |    5 ++-
 mm/mmap.c                   |    5 ++-
 10 files changed, 61 insertions(+), 82 deletions(-)

commit 414b41557b3903516eb4aa083763a25391902b6b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:50:04 2015 -0400

    Revert "compile fix"
    
    This reverts commit 72544d63f18e2b4a93ccca9a3ed87d1b54e3be5a.

 grsecurity/grsec_disabled.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 36cc85e8bbc7491acd8257e423d6251059069169
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:49:49 2015 -0400

    Revert "add support for RLIMIT_RTTIME"
    
    This reverts commit 9897ff2548ab2e93451bd41ad6d90222d8bd848d.

 kernel/posix-cpu-timers.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 3430667f0bd1ee6ec5ac6bc2c1a8ee4324a269ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:44:48 2015 -0400

    make the usermodehelper message more generic about paths

 kernel/kmod.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 28dfc0c1d2345b0fc206ad67dde95a0cb44c4849
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:34:32 2015 -0400

    Prevent /proc/net/unix from containing newlines or tabs in filenames
    as used in:
    http://seclists.org/oss-sec/2015/q2/143

 net/unix/af_unix.c |   19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

commit 6ea305bd1f6f89e04a65f4c9b4f61579f9b73c22
Merge: 9897ff2 5666062
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:10:14 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 56660625dbb5dcc4dc7536dd0e2c50932bf13fb2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 14 17:09:48 2015 -0400

    Update to pax-linux-3.14.38-test41.patch

 scripts/gcc-plugin.sh       |    2 +-
 tools/gcc/colorize_plugin.c |    7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

commit 9897ff2548ab2e93451bd41ad6d90222d8bd848d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 21:20:20 2015 -0400

    add support for RLIMIT_RTTIME

 kernel/posix-cpu-timers.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit 72544d63f18e2b4a93ccca9a3ed87d1b54e3be5a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 21:12:10 2015 -0400

    compile fix

 grsecurity/grsec_disabled.c |   10 ----------
 1 files changed, 0 insertions(+), 10 deletions(-)

commit 91dccad09fe1c750b21bca3b89129bd713984dd8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 20:19:30 2015 -0400

    Modify the resource handling of RBAC so that it doesn't actually
    modify the user-visible resource limits.  We now won't have to
    copy the entire rlimit array on each exec or have any special
    handling for setting rlimits via a subject.  Since most kernel
    code is now using rlimit() and variants, we place ourselves
    there to provide a minimum of the process' original limit
    and RBAC's mandatory limits.  This also removes the exception
    of RBAC's resource handling being capable of providing higher
    resource limits than normally possible for a given process.

 fs/exec.c                   |    9 +------
 fs/proc/array.c             |    2 +-
 grsecurity/gracl.c          |   44 -----------------------------------------
 grsecurity/gracl_res.c      |   46 +++++++++++++++++++++++++++++++++++++++++++
 grsecurity/grsec_disabled.c |   20 ++++++++++++++++++
 include/linux/sched.h       |    7 ++++-
 kernel/acct.c               |    3 ++
 kernel/fork.c               |    2 +-
 kernel/posix-cpu-timers.c   |    5 +--
 mm/mmap.c                   |    5 +--
 10 files changed, 82 insertions(+), 61 deletions(-)

commit e487ccce12a5718156659ee07ddbbc7b7bc22cf7
Author: Joe Perches <joe@perches.com>
Date:   Mon Mar 23 18:01:35 2015 -0700

    selinux: fix sel_write_enforce broken return value
    
    Return a negative error value like the rest of the entries in this function.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Joe Perches <joe@perches.com>
    Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
    [PM: tweaked subject line]
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/selinuxfs.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit eebf99960d774175e2842a439a400759924bdf4f
Author: Richard Guy Briggs <rgb@redhat.com>
Date:   Sun Mar 16 14:00:19 2014 -0400

    sched: declare pid_alive as inline
    
    We accidentally declared pid_alive without any extern/inline connotation.
    Some platforms were fine with this, some like ia64 and mips were very angry.
    If the function is inline, the prototype should be inline!
    
    on ia64:
    include/linux/sched.h:1718: warning: 'pid_alive' declared inline after
    being called
    
    Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>

 include/linux/sched.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 63530f2bc4ef48150ffc9faf3b7d4136981298df
Merge: 13617c1 eee4dd0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 08:37:43 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit eee4dd09485671b2efa4c7808340ab56ebd836c8
Merge: 6bee52e 80f018d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 08:37:39 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit 13617c16a29d341b1f7ee339445b20973a2890ea
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Apr 13 07:43:01 2015 -0400

    Allow usermodehelper executions from /usr/bin/ for distros plagued
    by Lennart's bikeshedding, as reported in
    https://bugs.archlinux.org/task/44568

 kernel/kmod.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7a8f15db98207190e95307792eaacacd29c3640d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 5 14:03:23 2015 -0400

    Resolves an issue reported with paid kernel packages and CSF
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1169755
    
    Revert "netfilter: xt_connlimit: remove revision 0"
    
    This reverts commit 68c07cb6d8aa05daf38ab47d5bb674d81a2066fb.
    
    Conflicts:
    
    	Documentation/feature-removal-schedule.txt

 include/uapi/linux/netfilter/xt_connlimit.h |    9 +++++-
 net/netfilter/xt_connlimit.c                |   35 ++++++++++++++++++--------
 2 files changed, 31 insertions(+), 13 deletions(-)

commit d75a69d0008d3f57db25feb36b5928f542f48ff3
Merge: 148ea05 6bee52e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 17:22:20 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 6bee52ef5599531340ae23922b4057aa7f3d06ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 17:22:06 2015 -0400

    - fixed some REFCOUNT false positives in the tracing ring buffer code, reported by metarox (https://forums.grsecurity.net/viewtopic.php?f=3&t=4186)

 kernel/trace/ring_buffer.c |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)

commit 148ea05ef9e74a616043f89b072b15d0b20f0e4d
Merge: 2dc1b14 879408a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:45:59 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 879408a5e42302ee706b1713c4379776b096dee6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:45:27 2015 -0400

    Update to pax-linux-3.14.37-test41.patch:
    - fixed early boot crash due to some misplaced STACs on i386, reported by Arnaud Fontaine <arnaud@drno.eu>
    - properly fixed CVE-2014-8159, http://seclists.org/oss-sec/2015/q1/886 and http://seclists.org/oss-sec/2015/q2/10

 arch/sparc/include/asm/uaccess_32.h  |    1 +
 arch/sparc/include/asm/uaccess_64.h  |    5 +++++
 arch/x86/lib/getuser.S               |    6 +++---
 arch/x86/lib/putuser.S               |    8 ++++----
 drivers/infiniband/core/uverbs_cmd.c |    3 +++
 5 files changed, 16 insertions(+), 7 deletions(-)

commit 2dc1b1432e8da3c0ca899e9364dcabe0d2baee62
Merge: e9d7d41 f46d9c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:27:07 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit f46d9c0aaa01a75b04302298963f7c20407417e0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Apr 2 08:26:39 2015 -0400

    Update to pax-linux-3.14.37-test40.patch:
    - fixed a crash bug with the old PAGEEXEC method and PSE, reported by Merlin
    - added some more gcc-5 support for plugins

 arch/x86/kernel/cpu/common.c                   |   14 ++-
 tools/gcc/gcc-common.h                         |  149 +++++++++++++++++++++++-
 tools/gcc/latent_entropy_plugin.c              |    3 +-
 tools/gcc/size_overflow_plugin/size_overflow.h |   10 +-
 tools/gcc/stackleak_plugin.c                   |    3 +-
 5 files changed, 166 insertions(+), 13 deletions(-)

commit e9d7d41b586189c8b46d6c923f13f5aab61f0269
Author: Florian Westphal <fw@strlen.de>
Date:   Mon Oct 20 13:49:17 2014 +0200

    backport upstream non-backported crash fix to 3.14, with special fixup for ipv4/ip_forward.c
    
    net: make skb_gso_segment error handling more robust
    
    skb_gso_segment has three possible return values:
    1. a pointer to the first segmented skb
    2. an errno value (IS_ERR())
    3. NULL.  This can happen when GSO is used for header verification.
    
    However, several callers currently test IS_ERR instead of IS_ERR_OR_NULL
    and would oops when NULL is returned.
    
    Note that these call sites should never actually see such a NULL return
    value; all callers mask out the GSO bits in the feature argument.
    
    However, there have been issues with some protocol handlers erroneously not
    respecting the specified feature mask in some cases.
    
    It is preferable to get 'have to turn off hw offloading, else slow' reports
    rather than 'kernel crashes'.
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/ip_output.c

 net/ipv4/ip_forward.c                |    2 +-
 net/netfilter/nfnetlink_queue_core.c |    2 +-
 net/openvswitch/datapath.c           |    2 ++
 net/xfrm/xfrm_output.c               |    2 ++
 4 files changed, 6 insertions(+), 2 deletions(-)

commit 5a6aed23b4cb38b48de4fe0b46c74ca593d02030
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Mar 31 17:14:21 2015 -0400

    add an additional guard against negative copy lengths on nla_memcpy as
    signed integers are being used with the expectation that they will always
    be positive.

 lib/nlattr.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 737d168f88349193a44cab209ef50b2e1c2eeedc
Author: Jiri Benc <jbenc@redhat.com>
Date:   Sun Mar 29 16:05:28 2015 +0200

    netlink: pad nla_memcpy dest buffer with zeroes
    
    This is especially important in cases where the kernel allocs a new
    structure and expects a field to be set from a netlink attribute. If such
    an attribute is shorter than expected, the rest of the field is left containing
    previous data. When such a field is read back by the user space, kernel memory
    content is leaked.
    
    Signed-off-by: Jiri Benc <jbenc@redhat.com>
    Acked-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 lib/nlattr.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 25afa5c4e98b671ca974ac0da0f2b60766b2eefd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 30 20:57:48 2015 -0400

    compile fix

 init/main.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 962bcd3cc8cb086e84752b7599b51824f4d32b31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 30 23:28:01 2015 -0400

    Add a boot-time parameter to disable GRKERNSEC_SYSFS_RESTRICT.
    
    To disable it at boot time (when compiled into the kernel), use
    grsec_sysfs_restrict=0
    on the kernel commandline

 Documentation/kernel-parameters.txt |    3 +++
 fs/debugfs/inode.c                  |   14 ++++++++++----
 fs/sysfs/dir.c                      |    6 ++++++
 init/main.c                         |   10 ++++++++++
 4 files changed, 29 insertions(+), 4 deletions(-)

commit 30c1724c7ea97cbd541e3a78105ab77816275685
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Mar 27 00:12:45 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 00e9b4c402251c7f35f8b4d4b1e2034a82b7b8ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 26 23:42:53 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit f9a75eabec93e39c846865718f89508d9cb8cf8f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 26 23:18:55 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit bc4bfd71dbb8ab391152e032dc355070cbc5dde1
Merge: 5eb3ba2 035e7e5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 26 23:10:06 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	security/Kconfig

commit 035e7e53f7c4e44ad04cf004876cff1b220fa174
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 26 23:08:09 2015 -0400

    Update to pax-linux-3.14.37-test39.patch:
    - worked around incompatibility between SANITIZE and DEBUG_PAGEALLOC, reported by metarox (https://forums.grsecurity.net/viewtopic.php?f=3&t=4176)

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5eb3ba29774b453f808b1be48c1245ee25b72f83
Merge: cf3a000 de9fc4e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 26 22:57:18 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit de9fc4e6e1b49b147717d2a9ba38c7465b1d3e5a
Merge: a66b5a2 bdcec2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Mar 26 22:54:59 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit cf3a0009eeb012d2e4f6f4e11f70ca0ee89fb288
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 25 18:40:53 2015 -0400

    Add allowance for /usr/libexec/abrt-hook-cpp to be executed as a usermode helper, as observed on some cPanel systems

 kernel/kmod.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 8e74bf5ea693e952bd97d9125eaf9d23f70f3c06
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 25 18:36:01 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit d1b7162f07c5181f942ca886f8b5ece95095e708
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 25 16:53:50 2015 -0400

    Revert an incorrect fix from Dan Rosenberg for a btrfs heap overflow which
    preserved the vulnerability in some cases.
    https://lkml.org/lkml/2011/2/9/147
    
    Thanks to eswierk from the forums for spotting this!

 fs/btrfs/ioctl.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 3e176ae7b96563ed4f5dc0d89f9ae1f7b935e22c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:49:22 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 59618f3522cd9ece4a9076fc92662ac7cda57497
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:16:50 2015 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 0ccc962b31f77c024bdc8f44f978128b057d8315
Merge: 610c0dd a66b5a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:14:03 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit a66b5a2e73b94b44548445daea5553b398d67d94
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 21:13:17 2015 -0400

    Update to pax-linux-3.14.36-test38.patch:
    - fixed a false positive size overflow report that triggered while resizing an ext4 file system, reported by Mathias Krause <minipli@googlemail.com>
    - fixed a use-after-free in AF_UNIX socket handling, by Mathias Krause <minipli@googlemail.com>, reported by coredumb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4150)
    - fixed a USERCOPY false positive and a LATENT_ENTROPY related compile error on ppc, reported by lynliuyan (https://forums.grsecurity.net/viewtopic.php?f=3&t=4158)
    - fixed a compile regression in gcc plugins under gcc 4.6, reported by Kamil Kaczkowski and spender
    - updated size overflow hash table from grsecurity

 arch/powerpc/kernel/Makefile                       |    5 +++++
 fs/ext4/resize.c                                   |   16 +++++++++-------
 kernel/fork.c                                      |    2 +-
 net/unix/af_unix.c                                 |    7 +++++--
 tools/gcc/gcc-common.h                             |    4 ++--
 .../size_overflow_plugin/size_overflow_hash.data   |   12 ++++++++++++
 6 files changed, 34 insertions(+), 12 deletions(-)

commit 610c0ddf4c8de4c2205bd7d2923b226553052668
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 20:05:54 2015 -0400

    fix bad merge

 net/ipv4/ping.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

commit b7303a9fc1c4f568f428250c02396ff1236a949a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 19:54:15 2015 -0400

    From: Shachar Raindel <raindel () mellanox com>
    Date: Sun, 04 Jan 2015 18:30:32 +0200
    Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address arithmetic
    
    Properly verify that the resulting page aligned end address is larger
    than both the start address and the length of the memory area
    requested.
    
    Both the start and length arguments for ib_umem_get are controlled by
    the user. A misbehaving user can provide values which will cause an
    integer overflow when calculating the page aligned end address.
    
    This overflow can cause also miscalculation of the number of pages
    mapped, and additional logic issues.
    
    Signed-off-by: Shachar Raindel <raindel () mellanox com>
    Signed-off-by: Jack Morgenstein <jackm () mellanox com>
    Signed-off-by: Or Gerlitz <ogerlitz () mellanox com>

 drivers/infiniband/core/umem.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 2b99a3a677a01c6e1e4c16dcb5bd75f0a83f190e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 19:44:26 2015 -0400

    Fix several instances of DMA on stack in the rts5139 driver,
    as reported by z80 on the forums
    
    Conflicts:
    
    	drivers/staging/rts5139/rts51x_transport.c

 drivers/staging/rts5139/rts51x_transport.c |   50 ++++++++++++++++++++++++---
 1 files changed, 44 insertions(+), 6 deletions(-)

commit b843576ba22611bda2349e1b1a42c38f3e74e3c1
Author: Alexey Kodanev <alexey.kodanev@oracle.com>
Date:   Wed Mar 11 14:29:17 2015 +0300

    net: sysctl_net_core: check SNDBUF and RCVBUF for min length
    
    sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be
    set to incorrect values. Given that 'struct sk_buff' allocates from
    rcvbuf, an incorrectly set buffer length could result in memory
    allocation failures. For example, set them as follows:
    
        # sysctl net.core.rmem_default=64
          net.core.wmem_default = 64
        # sysctl net.core.wmem_default=64
          net.core.wmem_default = 64
        # ping localhost -s 1024 -i 0 > /dev/null
    
    This could result in the following failure:
    
    skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32
    head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL>
    kernel BUG at net/core/skbuff.c:102!
    invalid opcode: 0000 [#1] SMP
    ...
    task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000
    RIP: 0010:[<ffffffff8155fbd1>]  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
    Call Trace:
     [<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470
     [<ffffffff81556f56>] sock_write_iter+0x146/0x160
     [<ffffffff811d9612>] new_sync_write+0x92/0xd0
     [<ffffffff811d9cd6>] vfs_write+0xd6/0x180
     [<ffffffff811da499>] SyS_write+0x59/0xd0
     [<ffffffff81651532>] system_call_fastpath+0x12/0x17
    RIP  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
    RSP <ffff88003ae8bc68>
    Kernel panic - not syncing: Fatal exception
    
    Moreover, the possible minimum is 1, so we can get another kernel panic:
    ...
    BUG: unable to handle kernel paging request at ffff88013caee5c0
    IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0
    ...
    
    Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/sysctl_net_core.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

commit 9ee5758599fc8cc9a0a84e00d45de9f796e7763e
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun Mar 15 13:48:03 2015 +0300

    isdn: icn: use strlcpy() when parsing setup options
    
    If you pass an invalid string here then you probably deserve the memory
    corruption, but it annoys static analysis tools so let's fix it.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/icn/icn.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e2b93a2142ad37bbca18318d641796c580d8c93b
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Mar 13 09:49:59 2015 -0700

    inet_diag: fix possible overflow in inet_diag_dump_one_icsk()
    
    inet_diag_dump_one_icsk() allocates too small skb.
    
    Add inet_sk_attr_size() helper right before inet_sk_diag_fill()
    so that it can be updated if/when new attributes are added.
    
    iproute2/ss currently does not use this dump_one() interface,
    this might explain nobody noticed this problem yet.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/inet_diag.c |   18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)

commit f3da51a1ca7be9c8c6c647416e187bfc8106daa1
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Wed Mar 11 22:46:59 2015 +0100

    rds: avoid potential stack overflow
    
    The rds_iw_update_cm_id function stores a large 'struct rds_sock' object
    on the stack in order to pass a pair of addresses. This happens to just
    fit within the 1024 byte stack size warning limit on x86, but just
    exceeds that limit on ARM, which gives us this warning:
    
    net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]
    
    As the use of this large variable is basically bogus, we can rearrange
    the code to not do that. Instead of passing an rds socket into
    rds_iw_get_device, we now just pass the two addresses that we have
    available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly,
    to create two address structures on the stack there.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/iw_rdma.c |   40 ++++++++++++++++++++++------------------
 1 files changed, 22 insertions(+), 18 deletions(-)

commit bdbc397fb33fe4ca2d6531f33a0f1a001302f75f
Merge: d97e734 639cbb4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 17:56:25 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/autofs4/dev-ioctl.c
    	fs/proc/inode.c
    	net/ipv4/ping.c

commit 639cbb40ae5274ecf7ae0cdd54879eb618c9b1f2
Merge: baaa807 8a5f782
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Mar 18 17:54:43 2015 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit d97e7340b900908d17a4dd5ff9ace60ace659bac
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 9 18:26:00 2015 -0400

    Fix compilation with plugins, reported by Kamil Kaczkowski.  Apparently the version
    of gcc 4.6.4 being shipped with some distros is different from that produced by
    source builds in that it places the c-common.h header file in a different directory.
    We'll now choose the path used by distros for compatibility reasons.

 tools/gcc/gcc-common.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bb3893d1591ff3f3efc1e89c468c66cfeabe2f9e
Merge: 5ce5a0a baaa807
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 9 18:36:16 2015 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit baaa807f3092fb11318a4a3aceb4b3bee1bdd862
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Mar 9 18:35:06 2015 -0400

    Update to pax-linux-3.14.35-test36.patch:
    - fixed a false positive refcount overflow in threaded irq handling, reported by Emese Revfy
    - fixed kernel oops caused by accessing invalid virtual addresses via /dev/[k]mem under USERCOPY, reported by minipli
    - added preliminary support for gcc-5 to gcc-common.h and the constify plugin

 arch/x86/vdso/vma.c                       |   13 ++--
 drivers/char/mem.c                        |   12 ++--
 drivers/media/radio/wl128x/fmdrv_common.c |    2 +-
 drivers/net/phy/phy_device.c              |    6 +-
 include/linux/irqdesc.h                   |    2 +-
 include/linux/percpu.h                    |    2 +-
 kernel/irq/manage.c                       |    2 +-
 kernel/irq/spurious.c                     |    2 +-
 tools/gcc/constify_plugin.c               |    7 +-
 tools/gcc/gcc-common.h                    |   98 ++++++++++++++++++++++++++---
 10 files changed, 114 insertions(+), 32 deletions(-)

commit 5ce5a0a242b48195149946f78d249af9b5838e90
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Mar 4 10:39:05 2015 +0100

    USB: serial: fix infinite wait_until_sent timeout
    
    Make sure to handle an infinite timeout (0).
    
    Note that wait_until_sent is currently never called with a 0-timeout
    argument due to a bug in tty_wait_until_sent.
    
    Fixes: dcf010503966 ("USB: serial: add generic wait_until_sent
    implementation")
    Cc: stable <stable@vger.kernel.org>	# v3.10
    
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/usb/serial/generic.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit f3dd62d3dd0107c59f47325d358995e5e8f22191
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Mar 4 10:39:06 2015 +0100

    TTY: fix tty_wait_until_sent on 64-bit machines
    
    Fix overflow bug in tty_wait_until_sent on 64-bit machines, where an
    infinite timeout (0) would be passed to the underlying tty-driver's
    wait_until_sent-operation as a negative timeout (-1), causing it to
    return immediately.
    
    This manifests itself for example as tcdrain() returning immediately,
    drivers not honouring the drain flags when setting terminal attributes,
    or even dropped data on close as a requested infinite closing-wait
    timeout would be ignored.
    
    The first symptom was reported by Asier LLANO who noted that tcdrain()
    returned prematurely when using the ftdi_sio usb-serial driver.
    
    Fix this by passing 0 rather than MAX_SCHEDULE_TIMEOUT (LONG_MAX) to the
    underlying tty driver.
    
    Note that the serial-core wait_until_sent-implementation is not affected
    by this bug due to a lucky chance (comparison to an unsigned maximum
    timeout), and neither is the cyclades one that had an explicit check for
    negative timeouts, but all other tty drivers appear to be affected.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable <stable@vger.kernel.org>	# v2.6.12
    Reported-by: ZIV-Asier Llano Palacios <asier.llano@cgglobal.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_ioctl.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 9dc431d6157676858a98b593cb00591151c9a249
Author: Al Viro <viro@ZenIV.linux.org.uk>
Date:   Sat Mar 7 21:08:46 2015 +0000

    sunrpc: fix braino in ->poll()
    
    POLL_OUT isn't what callers of ->poll() are expecting to see; it's
    actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap
    bit...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: stable@vger.kernel.org
    Cc: Bruce Fields <bfields@fieldses.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 net/sunrpc/cache.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 1617143990b8b2b94369127edab08f642dbe7b04
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date:   Tue Mar 3 16:31:38 2015 +0100

    Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
    
    Improper arithmetic when calculating the address of the extended ref could
    lead to an out of bounds memory read and kernel panic.
    
    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Reviewed-by: David Sterba <dsterba@suse.cz>
    cc: stable@vger.kernel.org # v3.7+
    Signed-off-by: Chris Mason <clm@fb.com>

 fs/btrfs/tree-log.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dbdce11b7a33e34a97339a5b2d19a03c92b23b96
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 27 18:40:31 2015 +0100

    tty: fix up atime/mtime mess, take four
    
    This problem was taken care of three times already in
    * b0de59b5733d18b0d1974a060860a8b5c1b36a2e (TTY: do not update
      atime/mtime on read/write),
    * 37b7f3c76595e23257f61bd80b223de8658617ee (TTY: fix atime/mtime
      regression), and
    * b0b885657b6c8ef63a46bc9299b2a7715d19acde (tty: fix up atime/mtime
      mess, take three)
    
    But it still misses one point. As John Paul correctly points out, we
    do not care about setting the date. If somebody ever changes wall
    time backwards (by mistake for example), tty timestamps are never
    updated until the original wall time passes.
    
    So check the absolute difference of times and if it is larger than "8
    seconds or so", always update the time. That means we will update
    immediately when changing time. Ergo, CAP_SYS_TIME can foul the
    check, but it was always that way.
    
    Thanks John for serving me this so nicely debugged.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Reported-by: John Paul Perry <john_paul.perry@alcatel-lucent.com>
    Cc: <stable@vger.kernel.org> # all, as b0b885657 was backported
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/tty_io.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 25f444ecef5688a2609cef747d6d7f2ccb08d198
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Sun Mar 1 10:11:05 2015 -0500

    console: Fix console name size mismatch
    
    commit 6ae9200f2cab7 ("enlarge console.name") increased the storage
    for the console name to 16 bytes, but not the corresponding
    struct console_cmdline::name storage. Console names longer than
    8 bytes cause read beyond end-of-string and failure to match
    console; I'm not sure if there are other unexpected consequences.
    
    Cc: <stable@vger.kernel.org> # 2.6.22+
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 kernel/printk/console_cmdline.h |    2 +-
 kernel/printk/printk.c          |    1 +
 2 files changed, 2 insertions(+), 1 deletions(-)

commit 486b8a41ccacd5d04e7657f9a481aa28da209eef
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jun 27 08:36:16 2014 -0700

    inet: move ipv6only in sock_common
    
    When a UDP application switches from AF_INET to AF_INET6 sockets, we
    have a small performance degradation for IPv4 communications because of
    extra cache line misses to access ipv6only information.
    
    This can also be noticed for TCP listeners, as ipv6_only_sock() is also
    used from __inet_lookup_listener()->compute_score()
    
    This is magnified when SO_REUSEPORT is used.
    
    Move ipv6only into struct sock_common so that it is available at
    no extra cost in lookups.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/ipv6.h             |   10 +++++-----
 include/net/inet_timewait_sock.h |    3 ++-
 include/net/sock.h               |    4 +++-
 net/dccp/minisocks.c             |    4 +---
 net/ipv4/tcp_minisocks.c         |    2 +-
 net/ipv6/af_inet6.c              |    6 +++---
 net/ipv6/ipv6_sockglue.c         |    4 ++--
 net/ipv6/udp.c                   |    3 +--
 8 files changed, 18 insertions(+), 18 deletions(-)

commit 75b4da76dd6de7854b52047c70c6f4db0455a3a4
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Feb 27 18:35:35 2015 -0800

    macvtap: make sure neighbour code can push ethernet header
    
    Brian reported crashes using IPv6 traffic with macvtap/veth combo.
    
    I tracked the crashes in neigh_hh_output()
    
    -> memcpy(skb->data - HH_DATA_MOD, hh->hh_data, HH_DATA_MOD);
    
    Neighbour code assumes headroom to push Ethernet header is
    at least 16 bytes.
    
    It appears macvtap has only 14 bytes available on arches
    where NET_IP_ALIGN is 0 (like x86).
    
    Effect is a corruption of 2 bytes right before skb->head,
    and possible crashes if accessing non-existing memory.
    
    This fix should also increase IPv4 performance, as paranoid code
    in ip_finish_output2() won't have to call skb_realloc_headroom().
    
    Reported-by: Brian Rak <brak@vultr.com>
    Tested-by: Brian Rak <brak@vultr.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/macvtap.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 43d84655d02880de2439b74dde71a50529c137d6
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Feb 26 16:19:00 2015 -0600

    net: Verify permission to dest_net in newlink
    
    When applicable verify that the caller has permission to create a
    network device in another network namespace.  This check is already
    present when moving a network device between network namespaces in
    setlink so all that is needed is to duplicate that check in newlink.
    
    This change almost backports cleanly, but there are context conflicts
    as the code that follows was added in v4.0-rc1
    
    Fixes: b51642f6d77b net: Enable a userns root rtnl calls that are safe for unprivilged users
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/core/rtnetlink.c
    
    Conflicts:
    
    	net/core/rtnetlink.c

 net/core/rtnetlink.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 2f8a3ddf56b0e3bfc7573facf6d89e0352bfff46
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Mar 3 13:53:31 2015 +0100

    net: bridge: add compile-time assert for cb struct size
    
    Make the build fail if the structure no longer fits into ->cb storage.
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e46324d4846773e58d876be5c4ffb86c534d4c23
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Mar 5 01:09:44 2015 +0100

    x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization
    
    'ret_from_fork' checks TIF_IA32 to determine whether 'pt_regs' and
    the related state make sense for 'ret_from_sys_call'.  This is
    entirely the wrong check.  TS_COMPAT would make a little more
    sense, but there's really no point in keeping this optimization
    at all.
    
    This fixes a return to the wrong user CS if we came from int
    0x80 in a 64-bit task.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/4710be56d76ef994ddf59087aad98c000fbab9a4.1424989793.git.luto@amacapital.net
    [ Backported from tip:x86/asm. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/entry_64.S |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

commit 78a2994b539bd6b6e8f5ec164067440a7d955381
Author: Jouni Malinen <jouni@qca.qualcomm.com>
Date:   Thu Feb 26 15:50:50 2015 +0200

    mac80211: Send EAPOL frames at lowest rate
    
    The current minstrel_ht rate control behavior is somewhat optimistic in
    trying to find optimum TX rate. While this is usually fine for normal
    Data frames, there are cases where a more conservative set of retry
    parameters would be beneficial to make the connection more robust.
    
    EAPOL frames are critical to the authentication and especially the
    EAPOL-Key message 4/4 (the last message in the 4-way handshake) is
    important to get through to the AP. If that message is lost, the only
    recovery mechanism in many cases is to reassociate with the AP and start
    from scratch. This can often be avoided by trying to send the frame with
    more conservative rate and/or with more link layer retries.
    
    In most cases, minstrel_ht is currently using the initial EAPOL-Key
    frames for probing higher rates and this results in only five link layer
    transmission attempts (one at high(ish) MCS and four at MCS0). While
    this works with most APs, it looks like there are some deployed APs that
    may have issues with the EAPOL frames using HT MCS immediately after
    association. Similarly, there may be issues in cases where the signal
    strength or radio environment is not good enough to be able to get
    frames through even at a couple of MCS 0 tries.
    
    The best approach for this would likely be to reduce the TX rate for
    the last rate (3rd rate parameter in the set) to a low basic rate (say,
    6 Mbps on 5 GHz and 2 or 5.5 Mbps on 2.4 GHz), but doing that cleanly
    requires some more effort. For now, we can start with a simple one-liner
    that forces the minimum rate to be used for EAPOL frames, similarly to how
    the TX rate is selected for the IEEE 802.11 Management frames. This does
    result in a small extra latency added to the cases where the AP would be
    able to receive the higher rate, but taking into account how small a number
    of EAPOL frames are used, this is likely to be insignificant. A future
    optimization in the minstrel_ht design can also allow this patch to be
    reverted to get back to the more optimized initial TX rate.
    
    It should also be noted that many drivers that do not use minstrel as
    the rate control algorithm are already doing similar workarounds by
    forcing the lowest TX rate to be used for EAPOL frames.
    
    Cc: stable@vger.kernel.org
    Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
    Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

 net/mac80211/tx.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 2d666f462d1b40afd92b36a3b7c14eb5c261fdd8
Author: Lorenzo Colitti <lorenzo@google.com>
Date:   Tue Mar 3 23:16:16 2015 +0900

    net: ping: Return EAFNOSUPPORT when appropriate.
    
    1. For an IPv4 ping socket, ping_check_bind_addr does not check
       the family of the socket address that's passed in. Instead,
       make it behave like inet_bind, which enforces either that the
       address family is AF_INET, or that the family is AF_UNSPEC and
       the address is 0.0.0.0.
    2. For an IPv6 ping socket, ping_check_bind_addr returns EINVAL
       if the socket family is not AF_INET6. Return EAFNOSUPPORT
       instead, for consistency with inet6_bind.
    3. Make ping_v4_sendmsg and ping_v6_sendmsg return EAFNOSUPPORT
       instead of EINVAL if an incorrect socket address structure is
       passed in.
    4. Make IPv6 ping sockets be IPv6-only. The code does not support
       IPv4, and it cannot easily be made to support IPv4 because
       the protocol numbers for ICMP and ICMPv6 are different. This
       makes connect(::ffff:192.0.2.1) fail with EAFNOSUPPORT instead
       of making the socket unusable.
    
    Among other things, this fixes an oops that can be triggered by:
    
        int s = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
        struct sockaddr_in6 sin6 = {
            .sin6_family = AF_INET6,
            .sin6_addr = in6addr_any,
        };
        bind(s, (struct sockaddr *) &sin6, sizeof(sin6));
    
    Change-Id: If06ca86d9f1e4593c0d6df174caca3487c57a241
    Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c |   12 ++++++++++--
 net/ipv6/ping.c |    5 +++--
 2 files changed, 13 insertions(+), 4 deletions(-)

commit a73dddf32e10e3aa60ed04e4ea61fc3a2770c8c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:10:36 2015 -0500

    On architectures that use specific slabs for kernel stacks, mark them with SLAB_USERCOPY
    Reported by lynliuyan at: https://forums.grsecurity.net/viewtopic.php?f=3&t=4158

 kernel/fork.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 68763ef29c8e41f97b0406d463a50e5266f6dfca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:08:54 2015 -0500

    Fix compilation with the latent entropy plugin on powerpc, as reported by
    lynliuyan at https://forums.grsecurity.net/viewtopic.php?f=3&t=4158

 arch/powerpc/kernel/Makefile |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 0629d64f20dcfec55b191005f10b398c56d8c597
Merge: 2fc7a30 238310c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:02:29 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 238310c45f10815e04a44819494bf7128215a8f5
Merge: 0df6930 e8f616a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Mar 7 09:02:21 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

commit 2fc7a30f66944d497b3e316cf12e919d72610ad6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 08:18:24 2015 -0500

    Fix a PAX_REFCOUNT false positive on the threads_handled statistic field

 include/linux/irqdesc.h |    2 +-
 kernel/irq/manage.c     |    2 +-
 kernel/irq/spurious.c   |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

commit da5d46c224a2891d53331eaf0d2642571e4ed948
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 07:51:01 2015 -0500

    backport truncate_inode_pages change to 3.14

 fs/debugfs/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit faa06a8d3f26f9b51346d56ad79005d6c098a11f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Feb 21 22:05:11 2015 -0500

    debugfs: leave freeing a symlink body until inode eviction
    
    As it is, we have debugfs_remove() racing with symlink traversals.
    Supply ->evict_inode() and do freeing there - inode will remain
    pinned until we are done with the symlink body.
    
    And rip the idiocy with checking if dentry is positive right after
    we'd verified debugfs_positive(), which is a stronger check...
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/debugfs/inode.c |   34 +++++++++++++++++-----------------
 1 files changed, 17 insertions(+), 17 deletions(-)

commit 20e0b19f6e099730915e3edc5ecc79d20f0af77a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Feb 21 22:19:57 2015 -0500

    autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation
    
    X-Coverup: just ask spender
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/autofs4/dev-ioctl.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 290239de534feb4ab450ceafa0d545bd8bb6f713
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Tue Apr 8 16:04:11 2014 -0700

    autofs4: check dev ioctl size before allocating
    
    There wasn't any check of the size passed from userspace before trying
    to allocate the memory required.
    
    This meant that userspace might request more space than allowed,
    triggering an OOM.
    
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Ian Kent <raven@themaw.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/autofs4/dev-ioctl.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit ca2dd043c2282a1bd59c1b6b289f953f1946556f
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Fri Jan 23 20:47:00 2015 -0500

    net: llc: use correct size for sysctl timeout entries
    
    The timeout entries are sizeof(int) rather than sizeof(long), which
    means that when they were getting read we'd also leak kernel memory
    to userspace along with the timeout values.
    
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/llc/sysctl_net_llc.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 8bb7aff9e8c7e4eebc75d60ec829e37a16750739
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date:   Tue Feb 3 13:00:24 2015 +0100

    x86/microcode/intel: Handle truncated microcode images more robustly
    
    We do not check the input data bounds containing the microcode before
    copying a struct microcode_intel_header from it. A specially crafted
    microcode could cause the kernel to read invalid memory and lead to a
    denial-of-service.
    
    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Fenghua Yu <fenghua.yu@intel.com>
    Link: http://lkml.kernel.org/r/1422964824-22056-3-git-send-email-quentin.casasnovas@oracle.com
    [ Made error message differ from the next one and flipped comparison. ]
    Signed-off-by: Borislav Petkov <bp@suse.de>

 arch/x86/kernel/cpu/microcode/intel.c       |    5 +++++
 arch/x86/kernel/cpu/microcode/intel_early.c |    4 ++++
 2 files changed, 9 insertions(+), 0 deletions(-)

commit 03c050c37c990ef2de50586fb00ba8cd0547fd83
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date:   Tue Feb 3 13:00:22 2015 +0100

    x86/microcode/intel: Guard against stack overflow in the loader
    
    mc_saved_tmp is a static array allocated on the stack, we need to make
    sure mc_saved_count stays within its bounds, otherwise we're overflowing
    the stack in _save_mc(). A specially crafted microcode header could lead
    to a kernel crash or potentially kernel execution.
    
    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Fenghua Yu <fenghua.yu@intel.com>
    Link: http://lkml.kernel.org/r/1422964824-22056-1-git-send-email-quentin.casasnovas@oracle.com
    Signed-off-by: Borislav Petkov <bp@suse.de>

 arch/x86/kernel/cpu/microcode/intel_early.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f52ce79a2ff001b13dad16e31ada6b0f994012b1
Merge: 9ee7128 0df6930
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 06:28:43 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	net/ipv4/ip_output.c
    	net/ipv4/ip_sockglue.c

commit 0df6930d0442d8c39ec7f6bf1755b2020947482d
Merge: 417ba31 413cb08
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 27 06:27:58 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

commit 9ee712882ff5635fe7a76115c45e8a2406c6b39a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 25 18:07:08 2015 -0500

    Disable a near-stack-overflow BUG() on x64 where we have
    GRKERNSEC_KSTACKOVERFLOW to use instead.  Works around a rarely reported issue
    where it seems for some driver we're executing a copy_*_user on a debug
    stack instead of on the process stack.

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 510f02af40b2e6822880b9a5812bbca5d59cb972
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 11:36:26 2015 -0500

    use compat_u64 in the compat code

 include/linux/gracl_compat.h |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 2c79b240501d327d3a859d5fdd124aecf248dccc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 09:48:42 2015 -0500

    Require version 3.1 gradm to load RBAC

 grsecurity/gracl_compat.c |    3 +--
 grsecurity/gracl_policy.c |    3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

commit b75212c7d16f8640885b0c45fff9a3abff4f5d8e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 08:54:26 2015 -0500

    use div_u64_rem for 32-bit archs

 include/linux/gracl.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit b65f25c40f749995856b08aa6c4d4b25af6a8772
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 07:37:57 2015 -0500

    compile fix when grsec is disabled

 grsecurity/grsec_disabled.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 5cd9eb312a3f032fc439ec1189f773798c9de7b1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Feb 22 07:29:24 2015 -0500

    Add support for 64-bit inodes: as this breaks compatibility with gradm, bump
    the grsecurity version to 3.1

 fs/namei.c                   |    8 ++--
 grsecurity/gracl.c           |   65 +++++++++++++++++++++++++----------------
 grsecurity/gracl_policy.c    |    6 ++--
 grsecurity/gracl_segv.c      |   17 +++++++++--
 grsecurity/grsec_disabled.c  |    4 +-
 include/linux/gracl.h        |   14 ++++----
 include/linux/gracl_compat.h |    6 ++--
 include/linux/grsecurity.h   |    5 ++-
 8 files changed, 76 insertions(+), 49 deletions(-)

commit 40057474e08915f602740f94a72edde2cbeebc34
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 20 17:58:04 2015 -0500

    clamp RLIMIT_NOFILE based on sysctl instead of enforcing a 1024 limit in userland

 grsecurity/gracl.c |   19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

commit e2730e27b3df70d5f33d08fac31cd31fd107b2f6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 20:03:59 2015 -0500

    add some extra enforcement that only forward jumps are permitted

 arch/x86/net/bpf_jit_comp.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit e19a47d18d65d0053657d0799467591e808389ec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 19:47:08 2015 -0500

    Properly fix relative (un)conditional jumps with GRKERNSEC_JIT_HARDEN so that we
    don't land into our added breakpoint instructions

 arch/x86/net/bpf_jit_comp.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 69a04757d7bf1f38177d09990a446646100f1299
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 19 20:06:46 2015 -0500

    we should decrement the refcounts when we put the old root for GRKERNSEC_CHROOT_RENAME

 fs/fs_struct.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a2bac510be604b5dcf6f042d2c234a33e31512cd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 19:51:21 2015 -0500

    compile fix for GRKERNSEC_CHROOT_RENAME

 fs/dcache.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 16eca8ab50076db32bdbf74df5aad36996cf71aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 17:44:11 2015 -0500

    Add GRKERNSEC_CHROOT_RENAME -- no one reported any problems with my posted
    patch, so let's introduce the more secure version
    
    Conflicts:
    
    	include/linux/grsecurity.h

 fs/dcache.c                |    1 +
 fs/fs_struct.c             |    6 +++-
 fs/namei.c                 |    8 ++++
 grsecurity/Kconfig         |   16 ++++++++
 grsecurity/grsec_chroot.c  |   82 ++++++++++++++++++++++++++++++++++++++++++++
 grsecurity/grsec_init.c    |    4 ++
 grsecurity/grsec_sysctl.c  |    9 +++++
 include/linux/dcache.h     |    3 ++
 include/linux/grinternal.h |    1 +
 include/linux/grmsg.h      |    1 +
 include/linux/grsecurity.h |    9 ++++-
 11 files changed, 137 insertions(+), 3 deletions(-)

commit cadccfddab3e1b81639ae1aa5e5e06ac668cf3ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Feb 18 17:48:15 2015 -0500

    Fix several issues with the code generated by GRKERNSEC_JIT_HARDEN.
    
    In the mov/test imm case we would generate incorrect instructions in
    the JIT -> the move case is relatively harmless as it would simply
    load an incorrect value into the accumulator, but the test case would
    result in a movs, allowing for the skb the BPF program is attached to
    to be clobbered.
    
    In a case of conditional jumps, the size of the jump
    instruction wasn't computed properly, leading to the code jumping
    into a breakpoint instruction and triggering an OOPs.
    
    Thanks to rfree@mempo.org and avvs@mempo.org for reporting an OOPs
    that led to the discovery of these problems.  The BPF JIT is disabled
    by default (only able to be enabled by an administrator) and they are
    likely the first and only users to ever use this feature as any JIT'd
    BPF program containing a conditional jump would crash the system.
    
    Conflicts:
    
    	arch/x86/net/bpf_jit_comp.c

 arch/x86/net/bpf_jit_comp.c |   19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)

commit e4fd8654c08cde47ce83172717a23a8307f73edf
Author: Roman Gushchin <klamm@yandex-team.ru>
Date:   Wed Feb 11 15:28:42 2015 -0800

    mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()
    
    I noticed that "allowed" can easily overflow by falling below 0, because
    (total_vm / 32) can be larger than "allowed".  The problem occurs in
    OVERCOMMIT_NONE mode.
    
    In this case, a huge allocation can succeed and overcommit the system
    (despite OVERCOMMIT_NONE mode).  All subsequent allocations will fail
    (system-wide), so the system becomes unusable.
    
    The problem was masked out by commit c9b1d0981fcc
    ("mm: limit growth of 3% hardcoded other user reserve"),
    but it's easy to reproduce it on older kernels:
    1) set overcommit_memory sysctl to 2
    2) mmap() large file multiple times (with VM_SHARED flag)
    3) try to malloc() large amount of memory
    
    It also can be reproduced on newer kernels, but a misconfigured
    sysctl_user_reserve_kbytes is required.
    
    Fix this issue by switching to signed arithmetic here.
    
    Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
    Cc: Andrew Shewmaker <agshew@gmail.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/nommu.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1d501defae1982cbd3bc1549596bd4d2c27fd464
Author: Roman Gushchin <klamm@yandex-team.ru>
Date:   Wed Feb 11 15:28:39 2015 -0800

    mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()
    
    I noticed that "allowed" can easily overflow by falling below 0,
    because (total_vm / 32) can be larger than "allowed".  The problem
    occurs in OVERCOMMIT_NONE mode.
    
    In this case, a huge allocation can succeed and overcommit the system
    (despite OVERCOMMIT_NONE mode).  All subsequent allocations will fail
    (system-wide), so the system becomes unusable.
    
    The problem was masked out by commit c9b1d0981fcc
    ("mm: limit growth of 3% hardcoded other user reserve"),
    but it's easy to reproduce it on older kernels:
    1) set overcommit_memory sysctl to 2
    2) mmap() large file multiple times (with VM_SHARED flag)
    3) try to malloc() large amount of memory
    
    It also can be reproduced on newer kernels, but a misconfigured
    sysctl_user_reserve_kbytes is required.
    
    Fix this issue by switching to signed arithmetic here.
    
    [akpm@linux-foundation.org: use min_t]
    Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
    Cc: Andrew Shewmaker <agshew@gmail.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
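
The two __vm_enough_memory() commits above (mm/nommu.c and mm/mmap.c) describe the same arithmetic bug. The following is an added user-space model of that arithmetic, not kernel code: it reproduces the OVERCOMMIT_NONE accounting with "allowed" as an unsigned long (the pre-fix form) next to the signed form the fix introduced, using a constructed set of sysctl and memory values. Field names, the demo_model values and the helper functions are this example's own; only the shape of the computation follows the commit messages.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the inputs __vm_enough_memory() uses in
 * OVERCOMMIT_NONE mode. All quantities are in pages; the values in
 * demo_model below are made up for the illustration, not measured. */
struct vm_model {
    unsigned long totalram_pages;
    unsigned long hugetlb_pages;
    unsigned long total_swap_pages;
    unsigned long overcommit_ratio;     /* vm.overcommit_ratio (percent) */
    unsigned long admin_reserve_pages;  /* vm.admin_reserve_kbytes, in pages */
    unsigned long user_reserve_pages;   /* vm.user_reserve_kbytes, in pages */
    unsigned long committed_as;         /* vm_committed_as before this request */
};

/* Before the fix: "allowed" is unsigned. When total_vm/32 (capped by the user
 * reserve) exceeds what has been accumulated so far, the subtraction wraps to
 * a huge value and the final comparison grants the request. */
static bool vm_enough_memory_unsigned(const struct vm_model *m, unsigned long total_vm,
                                      unsigned long pages, bool cap_sys_admin)
{
    unsigned long allowed, reserve, share;

    allowed = (m->totalram_pages - m->hugetlb_pages) * m->overcommit_ratio / 100;
    if (!cap_sys_admin)
        allowed -= m->admin_reserve_pages;
    allowed += m->total_swap_pages;

    reserve = m->user_reserve_pages;
    share = total_vm / 32;
    allowed -= share < reserve ? share : reserve;   /* can wrap below zero */

    return m->committed_as + pages < allowed;
}

/* After the fix: the same computation in signed arithmetic (upstream made
 * "allowed" a long and used min_t(long, ...)). A negative allowance now
 * compares as less than any real commitment and the request is refused. */
static bool vm_enough_memory_signed(const struct vm_model *m, unsigned long total_vm,
                                    unsigned long pages, bool cap_sys_admin)
{
    long allowed, reserve, share;

    allowed = (long)(m->totalram_pages - m->hugetlb_pages) * (long)m->overcommit_ratio / 100;
    if (!cap_sys_admin)
        allowed -= (long)m->admin_reserve_pages;
    allowed += (long)m->total_swap_pages;

    reserve = (long)m->user_reserve_pages;
    share = (long)(total_vm / 32);
    allowed -= share < reserve ? share : reserve;   /* may legitimately go negative */

    return (long)(m->committed_as + pages) < allowed;
}

/* Scenario from the commit message: a huge user_reserve_kbytes (so the min()
 * does not cap the subtraction) and a process whose total_vm was inflated by
 * mapping a large file many times with MAP_SHARED, which counts toward
 * total_vm but not toward vm_committed_as. Constructed numbers. */
static const struct vm_model demo_model = {
    .totalram_pages      = 1000000UL,     /* ~4 GiB of 4 KiB pages */
    .hugetlb_pages       = 0,
    .total_swap_pages    = 0,
    .overcommit_ratio    = 50,
    .admin_reserve_pages = 2048,          /* 8 MiB */
    .user_reserve_pages  = 1000000000UL,  /* misconfigured: far more than RAM */
    .committed_as        = 100000UL,
};

#define DEMO_INFLATED_TOTAL_VM (32UL * 600000UL)  /* total_vm/32 = 600000 > allowance */
#define DEMO_HUGE_REQUEST      1000000UL          /* more pages than the machine has */

int main(void)
{
    bool before = vm_enough_memory_unsigned(&demo_model, DEMO_INFLATED_TOTAL_VM,
                                            DEMO_HUGE_REQUEST, false);
    bool after = vm_enough_memory_signed(&demo_model, DEMO_INFLATED_TOTAL_VM,
                                         DEMO_HUGE_REQUEST, false);

    printf("unsigned (buggy) grants huge request: %s\n", before ? "yes" : "no");
    printf("signed   (fixed) grants huge request: %s\n", after ? "yes" : "no");
    return 0;
}
```

With the demo values the allowance is 497952 pages before the per-process term; subtracting 600000 wraps the unsigned version to nearly ULONG_MAX, so a 1000000-page request passes, while the signed version computes -102048 and refuses it. For an uninflated total_vm both versions agree, which is why the bug went unnoticed until a process had a large total_vm without a matching commitment.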

commit 2afdb4c505ba16698731e167390d8ba5069140e9
Author: David Jeffery <djeffery@redhat.com>
Date:   Thu Feb 12 16:45:31 2015 +0000

    Don't leak a key reference if request_key() tries to use a revoked keyring
    
    If a request_key() call to allocate and fill out a key attempts to insert the
    key structure into a revoked keyring, the key will leak, using memory and part
    of the user's key quota until the system reboots. This is from a failure of
    construct_alloc_key() to decrement the key's reference count after the attempt
    to insert into the requested keyring is rejected.
    
    key_put() needs to be called in the link_prealloc_failed callpath to ensure
    the unused key is released.
    
    Signed-off-by: David Jeffery <djeffery@redhat.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>

 security/keys/request_key.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 05baf1dd8813b87bb56721564ee464c5556a0486
Merge: 5c4549f 417ba31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 17 19:17:28 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 417ba31d0c071c7d8b32a7a6e6922a2d81a464c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 17 19:16:44 2015 -0500

    Update to pax-linux-3.14.33-test34.patch:
    - fail gcc plugins a bit more gracefully on gcc-5
    - fixed a few shellcheck.net warnings in gcc-plugin.sh
    - fixed potential boot crash when applying alternatives under KERNEXEC/i386
    - fixed potential integer truncation bug in xlate_dev_mem_ptr under PAE/i386

 arch/x86/kernel/vmlinux.lds.S |    2 +-
 arch/x86/mm/ioremap.c         |   13 +++----------
 include/linux/compiler-gcc5.h |   22 ++++++++++++++++++++++
 scripts/gcc-plugin.sh         |    4 ++--
 4 files changed, 28 insertions(+), 13 deletions(-)

commit 5c4549fa50ac72407004496cd5629675cd08c126
Merge: 0d71f68 bb45083
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 17 19:09:59 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/kvm/vmx.c

commit bb450837aa0a290667072f716145363c22d00406
Merge: c8a8c07 a74f1d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Feb 17 19:09:17 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kvm/vmx.c

commit 0d71f68edfd8e162878c26d90af27942f49e61cc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 6 19:01:11 2015 -0500

    remove non-existent entry

 net/ipv6/addrconf.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit cfbebd604fb9d53a0e398a975831382636129a46
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Feb 5 14:39:11 2015 +0100

    ipv6: addrconf: add missing validate_link_af handler
    
    We still need a validate_link_af() handler with an appropriate nla policy,
    similarly as we have in IPv4 case, otherwise size validations are not being
    done properly in that case.
    
    Fixes: f53adae4eae5 ("net: ipv6: add tokenized interface identifier support")
    Fixes: bc91b0f07ada ("ipv6: addrconf: implement address generation modes")
    Cc: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/addrconf.c |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

commit 8ffd436b9e035ab7a508a123bf0c7dc2dab10a8b
Merge: a257762 c8a8c07
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 6 18:42:23 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit c8a8c0797562d19e1ffbf9512ef4b2913d8497c1
Merge: a78f767 4ccf212
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Feb 6 18:42:15 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

commit a25776298526acca2d0e8dc218651a43e766fa52
Merge: 116ec20 a78f767
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:41:10 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit a78f7670476d9403c4c2aa5eac426b939a66b256
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:40:26 2015 -0500

    Update to pax-linux-3.14.31-test31.patch:
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.
    - fixed regression on XEN/i386 caused by the previous fix meant for amd64 only, reported by timevers (https://forums.grsecurity.net/viewtopic.php?f=1&t=4138)
    - bring is_valid_bugaddr on amd64 in line with the i386 version, should fix BUG() backtraces

 arch/x86/kernel/dumpstack_64.c |    2 +-
 arch/x86/xen/enlighten.c       |    2 ++
 scripts/Kbuild.include         |    2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

commit 116ec20f919dad7b9a88e80e1cee0d93f0ce3bec
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Feb 5 22:00:22 2015 -0500

    Revert "vhost/net: fix up num_buffers endian-ness"
    
    This reverts commit e6c73f7a70159114e5687d5d06c32d8b1a31f59f.

 drivers/vhost/net.c |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

commit 48e3d37f21d14067ec1b444152df88d452782974
Author: Sachin Prabhu <sprabhu@redhat.com>
Date:   Thu Jan 15 12:22:04 2015 +0000

    Complete oplock break jobs before closing file handle
    
    Commit
    c11f1df5003d534fd067f0168bfad7befffb3b5c
    requires writers to wait for any pending oplock break handler to
    complete before proceeding to write. This is done by waiting on bit
    CIFS_INODE_PENDING_OPLOCK_BREAK in cifsFileInfo->flags. This bit is
    cleared by the oplock break handler job queued on the workqueue once it
    has completed handling the oplock break allowing writers to proceed with
    writing to the file.
    
    While testing, it was noticed that the filehandle could be closed while
    there is a pending oplock break which results in the oplock break
    handler on the cifsiod workqueue being cancelled before it has had a
    chance to execute and clear the CIFS_INODE_PENDING_OPLOCK_BREAK bit.
    Any subsequent attempt to write to this file hangs waiting for the
    CIFS_INODE_PENDING_OPLOCK_BREAK bit to be cleared.
    
    We fix this by ensuring that we also clear the bit
    CIFS_INODE_PENDING_OPLOCK_BREAK when we remove the oplock break handler
    from the workqueue.
    
    The bug was found by Red Hat QA while testing using ltp's fsstress
    command.
    
    Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
    Acked-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
    Signed-off-by: Jeff Layton <jlayton@samba.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve French <steve.french@primarydata.com>

 fs/cifs/file.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit ee173880932187d3a50fdec8e4fa2b1d371cdaa6
Author: Niklas Cassel <niklas.cassel@axis.com>
Date:   Thu Jan 22 14:16:34 2015 +0100

    cifs: fix MUST SecurityFlags filtering
    
    If CONFIG_CIFS_WEAK_PW_HASH is not set, CIFSSEC_MUST_LANMAN
    and CIFSSEC_MUST_PLNTXT are defined as 0.
    
    When setting new SecurityFlags without any MUST flags,
    your flags would be overwritten with CIFSSEC_MUST_LANMAN (0).
    
    Signed-off-by: Niklas Cassel <niklass@axis.com>
    Signed-off-by: Steve French <steve.french@primarydata.com>

 fs/cifs/cifs_debug.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit cbb13aaecfe465d17260543c7b1c625635b6bf8a
Author: Giel van Schijndel <me@mortis.eu>
Date:   Tue Jan 6 22:37:00 2015 +0100

    cifs: use memzero_explicit to clear stack buffer
    
    When leaving a function use memzero_explicit instead of memset(0) to
    clear stack allocated buffers. memset(0) may be optimized away.
    
    This particular buffer is highly likely to contain sensitive data which
    we shouldn't leak (it's named 'passwd' after all).
    
    Signed-off-by: Giel van Schijndel <me@mortis.eu>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Reported-at: http://www.viva64.com/en/b/0299/
    Reported-by: Andrey Karpov
    Reported-by: Svyatoslav Razmyslov
    Signed-off-by: Steve French <steve.french@primarydata.com>

 fs/cifs/smbencrypt.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
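
The commit above replaces a memset(0) on a stack password buffer with memzero_explicit(). As an added example, and not the kernel's or cifs's code, the block below shows two user-space ways to clear a buffer that the compiler may not drop as a dead store: a memset followed by a compiler barrier (the same idea as memzero_explicit(), assuming GCC/Clang inline asm) and a portable volatile-store loop. The harness, the PASSWD_MAX size and the 0x41 fill pattern are constructed for the illustration. Note that a test which reads the buffer afterwards necessarily keeps the stores alive, so the dead-store elimination itself can only be observed in the generated code (see the note after the block).

```c
#include <stddef.h>
#include <string.h>

/* Same idea as the kernel's memzero_explicit(): an ordinary memset followed by
 * a compiler barrier that claims to read the buffer, so the stores cannot be
 * treated as dead just because the buffer is never read again. Assumes
 * GCC/Clang inline asm. */
static void explicit_zero(void *p, size_t n)
{
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

/* Portable fallback without inline asm: volatile stores are observable side
 * effects and must be emitted, at the cost of byte-at-a-time writes. */
static void volatile_zero(void *p, size_t n)
{
    volatile unsigned char *vp = p;

    while (n--)
        *vp++ = 0;
}

/* Control routine for the harness: clears nothing. */
static void no_zero(void *p, size_t n)
{
    (void)p;
    (void)n;
}

/* Returns 1 if every byte of p[0..n) is zero; scans all bytes regardless. */
static int is_all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;

    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

#define PASSWD_MAX 16

/* Harness in the shape of the cifs helper: a fixed-size stack buffer receives
 * a (constructed) password, is used, and is scrubbed with the given routine
 * before the function returns. Returns 1 if the scrub left it all zero. */
static int scrub_leaves_zero(void (*scrub)(void *, size_t))
{
    unsigned char passwd[PASSWD_MAX];

    memset(passwd, 0x41, sizeof(passwd));   /* constructed "password" bytes */
    scrub(passwd, sizeof(passwd));
    return is_all_zero(passwd, sizeof(passwd));
}
```

To see the problem the commit fixes, compile a function that fills a local buffer, calls plain memset(buf, 0, n) at the end and never reads the buffer afterwards, with optimisation enabled, and compare `objdump -d` output against the same function using explicit_zero(): the plain memset call is typically absent from the optimised code, the barrier-protected one is not.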

commit 5ad65b581a1e2791073460baef6a52890c2489d6
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 15 16:34:35 2015 +0100

    net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
    
    I.e. one-to-many sockets in SCTP are not required to explicitly
    call into connect(2) or sctp_connectx(2) prior to data exchange.
    Instead, they can directly invoke sendmsg(2) and the SCTP stack
    will automatically trigger connection establishment through 4WHS
    via sctp_primitive_ASSOCIATE(). However, this in its current
    implementation is racy: INIT is being sent out immediately (as
    it cannot be bundled anyway) and the rest of the DATA chunks are
    queued up for later xmit when connection is established, meaning
    sendmsg(2) will return successfully. This behaviour can result
    in an undesired side-effect that the kernel made the application
    think the data has already been transmitted, although none of it
    has actually left the machine, worst case even after close(2)'ing
    the socket.
    
    Instead, when the association from client side has been shut down
    e.g. first gracefully through SCTP_EOF and then close(2), the
    client could afterwards still receive the server's INIT_ACK due
    to a connection with higher latency. This INIT_ACK is then considered
    out of the blue and hence responded with ABORT as there was no
    alive assoc found anymore. This can be easily reproduced f.e.
    with sctp_test application from lksctp. One way to fix this race
    is to wait for the handshake to actually complete.
    
    The fix defers waiting after sctp_primitive_ASSOCIATE() and
    sctp_primitive_SEND() succeeded, so that DATA chunks cooked up
    from sctp_sendmsg() have already been placed into the output
    queue through the side-effect interpreter, and therefore can then
    be bundled together with COOKIE_ECHO control chunks.
    
    strace from example application (shortened):
    
    socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP) = 3
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(1)=[{"hello", 5}], msg_controllen=0, msg_flags=0}, 0) = 5
    sendmsg(3, {msg_name(28)={sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("192.168.1.115")},
               msg_iov(0)=[], msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */, cmsg_type=, ...},
               msg_flags=0}, 0) = 0 // graceful shutdown for SOCK_SEQPACKET via SCTP_EOF
    close(3) = 0
    
    tcpdump before patch (fooling the application):
    
    22:33:36.306142 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 3879023686] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3139201684]
    22:33:36.316619 IP 192.168.1.115.8888 > 192.168.1.114.41462: sctp (1) [INIT ACK] [init tag: 3345394793] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 3380109591]
    22:33:36.317600 IP 192.168.1.114.41462 > 192.168.1.115.8888: sctp (1) [ABORT]
    
    tcpdump after patch:
    
    14:28:58.884116 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [INIT] [init tag: 438593213] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 3092969729]
    14:28:58.888414 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [INIT ACK] [init tag: 381429855] [rwnd: 106496] [OS: 10] [MIS: 10] [init TSN: 2141904492]
    14:28:58.888638 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [COOKIE ECHO] , (2) [DATA] (B)(E) [TSN: 3092969729] [...]
    14:28:58.893278 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [COOKIE ACK] , (2) [SACK] [cum ack 3092969729] [a_rwnd 106491] [#gap acks 0] [#dup tsns 0]
    14:28:58.893591 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969730] [...]
    14:28:59.096963 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969730] [a_rwnd 106496] [#gap acks 0] [#dup tsns 0]
    14:28:59.097086 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [DATA] (B)(E) [TSN: 3092969731] [...] , (2) [DATA] (B)(E) [TSN: 3092969732] [...]
    14:28:59.103218 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SACK] [cum ack 3092969732] [a_rwnd 106486] [#gap acks 0] [#dup tsns 0]
    14:28:59.103330 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN]
    14:28:59.107793 IP 192.168.1.115.8888 > 192.168.1.114.35846: sctp (1) [SHUTDOWN ACK]
    14:28:59.107890 IP 192.168.1.114.35846 > 192.168.1.115.8888: sctp (1) [SHUTDOWN COMPLETE]
    
    Looks like this bug is from the pre-git history museum. ;)
    
    Fixes: 08707d5482df ("lksctp-2_5_31-0_5_1.patch")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/sctp/socket.c

 net/sctp/socket.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

commit 87e3deb4cb78e9e7d8e6591f4d0943f34b588393
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed Jan 21 18:04:18 2015 +0100

    netfilter: nf_tables: disable preemption when restoring chain counters
    
    With CONFIG_DEBUG_PREEMPT=y
    
    [22144.496057] BUG: using smp_processor_id() in preemptible [00000000] code: iptables-compat/10406
    [22144.496061] caller is debug_smp_processor_id+0x17/0x1b
    [22144.496065] CPU: 2 PID: 10406 Comm: iptables-compat Not tainted 3.19.0-rc4+ #
    [...]
    [22144.496092] Call Trace:
    [22144.496098]  [<ffffffff8145b9fa>] dump_stack+0x4f/0x7b
    [22144.496104]  [<ffffffff81244f52>] check_preemption_disabled+0xd6/0xe8
    [22144.496110]  [<ffffffff81244f90>] debug_smp_processor_id+0x17/0x1b
    [22144.496120]  [<ffffffffa07c557e>] nft_stats_alloc+0x94/0xc7 [nf_tables]
    [22144.496130]  [<ffffffffa07c73d2>] nf_tables_newchain+0x471/0x6d8 [nf_tables]
    [22144.496140]  [<ffffffffa07c5ef6>] ? nft_trans_alloc+0x18/0x34 [nf_tables]
    [22144.496154]  [<ffffffffa063c8da>] nfnetlink_rcv_batch+0x2b4/0x457 [nfnetlink]
    
    Reported-by: Andreas Schultz <aschultz@tpip.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 net/netfilter/nf_tables_api.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 3c3fa8b6dc55fe983a0de401f3632ff1d67ccc61
Author: Sanjeev Sharma <sanjeev_sharma@mentor.com>
Date:   Tue Feb 3 13:02:02 2015 +0530

    gianfar: correct the bad expression while writing bit-pattern
    
    This patch corrects the bad expression while writing the
    bit-pattern from software's buffer to hardware registers.
    
    Signed-off-by: Sanjeev Sharma <Sanjeev_Sharma@mentor.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/freescale/gianfar_ethtool.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 968a07b60ff67b13c5f68a5c62d396c8abbf1018
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Wed Feb 4 15:25:09 2015 +0100

    ip6_gre: fix endianness errors in ip6gre_err
    
    info is in network byte order, change it back to host byte order
    before use. In particular, the current code sets the MTU of the tunnel
    to a wrong (too big) value.
    
    Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_gre.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit cef76776e62d8a9f683994965c6e2e692b81d5b8
Author: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
Date:   Tue Feb 3 19:05:18 2015 +0100

    cls_api.c: Fix dumping of non-existing actions' stats.
    
    In tcf_exts_dump_stats(), ensure that exts->actions is not empty before
    accessing the first element of that list and calling tcf_action_copy_stats()
    on it.  This fixes some random segvs when adding filters of type "basic" with
    no particular action.
    
    This also fixes the dumping of those "no-action" filters, which more often
    than not made calls to tcf_action_copy_stats() fail and consequently netlink
    attributes added by the caller to be removed by a call to nla_nest_cancel().
    
    Fixes: 33be62715991 ("net_sched: act: use standard struct list_head")
    Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
    Acked-by: Cong Wang <cwang@twopensource.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/cls_api.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 91788b663ed1506639b5915f0951d2aa89955a5b
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Feb 4 13:37:44 2015 -0800

    net: remove some sparse warnings
    
    netdev_adjacent_add_links() and netdev_adjacent_del_links()
    are static.
    
    queue->qdisc has __rcu annotation, need to use RCU_INIT_POINTER()
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/dev.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 15d3a6ba0fba3f7b9cfce132e8ee544a900935de
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Tue Feb 3 08:55:58 2015 -0500

    net: rds: use correct size for max unacked packets and bytes
    
    Max unacked packets/bytes is an int while sizeof(long) was used in the
    sysctl table.
    
    This means that when they were getting read we'd also leak kernel memory
    to userspace along with the timeout values.
    
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/sysctl.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
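
The rds commit above is an information leak caused by a sysctl table entry whose .maxlen (sizeof(long)) was larger than the int it pointed at. The block below is an added user-space model of that mechanism, not the kernel's net/rds/sysctl.c: a minimal ctl_table-like entry, a read handler in the shape of proc_dointvec() that emits maxlen / sizeof(int) integers, and a neighbouring variable standing in for whatever followed the tunable in kernel .data. The rds_vars array, its values (16, 16384, 4242) and the helper names are constructed for the illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout: the tunables are ints, and the next int in memory is
 * something that must never reach user space. Using one array makes the
 * neighbour relationship explicit and well defined. */
enum { RDS_MAX_UNACKED_PACKETS, RDS_MAX_UNACKED_BYTES, RDS_NEIGHBOUR, RDS_NVARS };

static int rds_vars[RDS_NVARS] = {
    [RDS_MAX_UNACKED_PACKETS] = 16,
    [RDS_MAX_UNACKED_BYTES]   = 16 * 1024,
    [RDS_NEIGHBOUR]           = 4242,   /* stands in for adjacent kernel data */
};

/* The parts of a sysctl table entry that matter here. */
struct ctl_entry {
    const char *procname;
    const void *data;
    size_t maxlen;   /* the int handler reads maxlen / sizeof(int) ints from data */
};

/* Before the fix: maxlen sized for a long although the variable is an int.
 * On LP64 the read handler therefore emits two ints: the real value and
 * whatever sits next to it. */
static const struct ctl_entry buggy_bytes = {
    "max_unacked_bytes", &rds_vars[RDS_MAX_UNACKED_BYTES], sizeof(long),
};

/* After the fix: maxlen matches the variable. */
static const struct ctl_entry fixed_bytes = {
    "max_unacked_bytes", &rds_vars[RDS_MAX_UNACKED_BYTES], sizeof(int),
};

/* Model of proc_dointvec() on a read: trusts .maxlen and formats that many
 * ints, space-separated, into out. Returns the number of ints emitted, or -1
 * if out is too small. */
static int read_int_vec(const struct ctl_entry *e, char *out, size_t outsz)
{
    const int *vals = e->data;
    size_t count = e->maxlen / sizeof(int);
    size_t used = 0;

    for (size_t i = 0; i < count; i++) {
        int n = snprintf(out + used, outsz - used, i ? " %d" : "%d", vals[i]);

        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
    }
    return (int)count;
}

/* What a read of the /proc/sys file would show for this entry. */
static const char *read_entry_text(const struct ctl_entry *e)
{
    static char buf[128];

    if (read_int_vec(e, buf, sizeof(buf)) < 0)
        buf[0] = '\0';
    return buf;
}

static int read_entry_count(const struct ctl_entry *e)
{
    char buf[128];

    return read_int_vec(e, buf, sizeof(buf));
}

/* The audit rule to apply to a real ctl_table: every entry whose handler is
 * proc_dointvec and whose data is a single int must have maxlen == sizeof(int). */
static int entry_maxlen_matches_int(const struct ctl_entry *e)
{
    return e->maxlen == sizeof(int);
}

int main(void)
{
    printf("%s (buggy maxlen): \"%s\"\n", buggy_bytes.procname, read_entry_text(&buggy_bytes));
    printf("%s (fixed maxlen): \"%s\"\n", fixed_bytes.procname, read_entry_text(&fixed_bytes));
    return 0;
}
```

On a 64-bit build the buggy entry prints "16384 4242", exposing the neighbouring int; the same mistake on max_unacked_packets would print its neighbour max_unacked_bytes, which is harmless only by accident of layout. entry_maxlen_matches_int() is the check a reviewer would run over every int-typed entry of a table.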

commit e6c73f7a70159114e5687d5d06c32d8b1a31f59f
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Tue Feb 3 11:07:06 2015 +0200

    vhost/net: fix up num_buffers endian-ness
    
    In virtio 1.0 mode, when mergeable buffers are enabled on a big-endian
    host, num_buffers wasn't byte-swapped correctly, so large incoming
    packets got corrupted.
    
    To fix, fill it in within hdr - this also makes sure it gets
    the correct type.
    
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/vhost/net.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 24825c2a98adb947748aaaffa02daa6018793364
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sun Feb 1 23:54:25 2015 +0300

    isdn: off by one in connect_res()
    
    The bug here is that we use "Reject" as the index into the cau_t[] array
    in the else path.  Since the cau_t[] has 9 elements if Reject == 9 then
    we are reading beyond the end of the array.
    
    My understanding of the code is that it's saying that if Reject is 1 or
    too high then that's invalid and we should hang up.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/hardware/eicon/message.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit bc1d4219a66d196e5b5da2cd362b0b49fdb475fd
Author: Will Deacon <will.deacon@arm.com>
Date:   Thu Jan 29 16:41:46 2015 +0100

    ARM: 8299/1: mm: ensure local active ASID is marked as allocated on rollover
    
    Commit e1a5848e3398 ("ARM: 7924/1: mm: don't bother with reserved ttbr0
    when running with LPAE") removed the use of the reserved TTBR0 value
    for LPAE systems, since the ASID is held in the TTBR and can be updated
    atomically with the pgd of the next mm.
    
    Unfortunately, this patch forgot to update flush_context, which
    deliberately avoids marking the local active ASID as allocated, since we
    used to switch via ASID zero and didn't need to allocate the ASID of
    the previous mm. The side-effect of this is that we can allocate the
    same ASID to the next mm and, between flushing the local TLB and updating
    TTBR0, we can perform speculative TLB fills for userspace nG mappings
    using the page table of the previous mm.
    
    The consequence of this is that the next mm can erroneously hit some
    mappings of the previous mm. Note that this was made significantly
    harder to hit by a391263cd84e ("ARM: 8203/1: mm: try to re-use old ASID
    assignments following a rollover") but is still theoretically possible.
    
    This patch fixes the problem by removing the code from flush_context
    that forces the allocated ASID to zero for the local CPU. Many thanks
    to the Broadcom guys for tracking this one down.
    
    Fixes: e1a5848e3398 ("ARM: 7924/1: mm: don't bother with reserved ttbr0 when running with LPAE")
    
    Cc: <stable@vger.kernel.org> # v3.14+
    Reported-by: Raymond Ngun <rngun@broadcom.com>
    Tested-by: Raymond Ngun <rngun@broadcom.com>
    Reviewed-by: Gregory Fong <gregory.0xf0@gmail.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/mm/context.c |   26 +++++++++++---------------
 1 files changed, 11 insertions(+), 15 deletions(-)

commit 664569dfd81681d647f0044290a5a123fb495acf
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jan 28 05:47:11 2015 -0800

    tcp: ipv4: initialize unicast_sock sk_pacing_rate
    
    When I added sk_pacing_rate field, I forgot to initialize its value
    in the per cpu unicast_sock used in ip_send_unicast_reply()
    
    This means that for sch_fq users, RST packets, or ACK packets sent
    on behalf of TIME_WAIT sockets might be sent too slowly or even dropped
    once we reach the per flow limit.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Fixes: 95bd09eb2750 ("tcp: TSO packets automatic sizing")
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_output.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 4c8724cbaa148031c20c0545f0665a421b23858d
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Jan 28 10:56:04 2015 +0100

    ppp: deflate: never return len larger than output buffer
    
    When we've run out of space in the output buffer to store more data, we
    will call zlib_deflate with a NULL output buffer until we've consumed
    remaining input.
    
    When this happens, olen contains the size the output buffer would have
    consumed iff we'd have had enough room.
    
    This can later cause skb_over_panic when ppp_generic skb_put()s
    the returned length.
    
    Reported-by: Iain Douglas <centos@1n6.org.uk>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ppp/ppp_deflate.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3f088ecae87a2b7e30bf5b0a607aa1606616a703
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 17:43:03 2015 -0500

    Backport fix for CVE-2015-1420:
    http://marc.info/?l=linux-kernel&m=142247707318982&w=2
    
    Though it requires CAP_DAC_READ_SEARCH and (additionally in grsec)
    cannot be performed in a chroot

 fs/fhandle.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 8c985cbd8d7290d1e7718e3e06dcf44d4dc34712
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Fri Jan 23 12:01:26 2015 +0100

    ipv4: try to cache dst_entries which would cause a redirect
    
    Not caching dst_entries which cause redirects could be exploited by hosts
    on the same subnet, causing a severe DoS attack. This effect has been
    aggravated since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").
    
    Lookups causing redirects will be allocated with DST_NOCACHE set which
    will force dst_release to free them via RCU.  Unfortunately waiting for
    RCU grace period just takes too long, we can end up with >1M dst_entries
    waiting to be released and the system will run OOM. rcuos threads cannot
    catch up under high softirq load.
    
    Attaching the flag to emit a redirect later on to the specific skb allows
    us to cache those dst_entries thus reducing the pressure on allocation
    and deallocation.
    
    This issue was discovered by Marcelo Leitner.
    
    Cc: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/ip.h      |   11 ++++++-----
 net/ipv4/ip_forward.c |    3 ++-
 net/ipv4/route.c      |    9 +++++----
 3 files changed, 13 insertions(+), 10 deletions(-)

commit 6724fd423672930f7c5d4b53ddfa09432c9e804b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 16:57:54 2015 -0500

    Backport from PaX patch:
    - fixed cc-ldoption to work with the HJL fork of binutils, reported by Rogelio M. Serrano Jr.

 scripts/Kbuild.include |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d6546cbbe8c9573fbfc1562010fb54d6a7b9294c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Feb 2 16:50:13 2015 -0500

    Apply fix for Xen regression reported by timevers on the forums:
    https://forums.grsecurity.net/viewtopic.php?f=1&t=4138

 arch/x86/xen/enlighten.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 58a98bf7558a492a4a1db60291c1a923fd145ea3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jan 31 06:40:15 2015 -0500

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 6f02077251fb16fc4b1513feb18e7835dd713293
Merge: 61be251 ef2f1b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:19:43 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit ef2f1b446742c8030148ed599a7f6115ee0d3821
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:19:34 2015 -0500

    whitespace fix

 include/linux/mmzone.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 61be251f745d059c19c204ae3d1fc1197e27d086
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:17:05 2015 -0500

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 58ee12a9da03804b65051877607a140626f05241
Merge: 48871a3 40a6eb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:04:48 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 40a6eb8292362175f6a8f4712e1c717dc96601dc
Merge: e1a2240 016ea48
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Jan 30 18:04:40 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	include/linux/mmzone.h
    	mm/page_alloc.c

commit 48871a31bd1073a303c2a3b2eec02887f60d20a8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 22:21:44 2015 -0500

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data   |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 4a797bce5387ca411201b6a9c552cd9db6207c60
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 19:54:05 2015 -0500

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit eccd6a91b56897da8cc8535a1380c2a03e02ed8e
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Jan 22 11:27:59 2015 -0800

    x86, tls: Interpret an all-zero struct user_desc as "no segment"
    
    The Witcher 2 did something like this to allocate a TLS segment index:
    
            struct user_desc u_info;
            bzero(&u_info, sizeof(u_info));
            u_info.entry_number = (uint32_t)-1;
    
            syscall(SYS_set_thread_area, &u_info);
    
    Strictly speaking, this code was never correct.  It should have set
    read_exec_only and seg_not_present to 1 to indicate that it wanted
    to find a free slot without putting anything there, or it should
    have put something sensible in the TLS slot if it wanted to allocate
    a TLS entry for real.  The actual effect of this code was to
    allocate a bogus segment that could be used to exploit espfix.
    
    The set_thread_area hardening patches changed the behavior, causing
    set_thread_area to return -EINVAL and crashing the game.
    
    This changes set_thread_area to interpret this as a request to find
    a free slot and to leave it empty, which isn't *quite* what the game
    expects but should be close enough to keep it working.  In
    particular, using the code above to allocate two segments will
    allocate the same segment both times.
    
    According to FrostbittenKing on Github, this fixes The Witcher 2.
    
    If this somehow still causes problems, we could instead allocate
    a limit==0 32-bit data segment, but that seems rather ugly to me.
    
    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: stable@vger.kernel.org
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 arch/x86/include/asm/desc.h |   13 +++++++++++++
 arch/x86/kernel/tls.c       |   25 +++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

commit 7392e2e4615d172280da079587dc2d8aa86fbaf9
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Jan 22 11:27:58 2015 -0800

    x86, tls, ldt: Stop checking lm in LDT_empty
    
    32-bit programs don't have an lm bit in their ABI, so they can't
    reliably cause LDT_empty to return true without resorting to memset.
    They shouldn't need to do this.
    
    This should fix a longstanding, if minor, issue in all 64-bit kernels
    as well as a potential regression in the TLS hardening code.
    
    Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.net
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 arch/x86/include/asm/desc.h |    9 ++-------
 1 files changed, 2 insertions(+), 7 deletions(-)

commit a9e9dff0c8ff6311f5521d50038befa02a37de9e
Author: Nadav Amit <nadav.amit@gmail.com>
Date:   Thu Jan 8 11:59:03 2015 +0100

    KVM: x86: Fix of previously incomplete fix for CVE-2014-8480
    
    STR and SLDT with rip-relative operand can cause a host kernel oops.
    Mark them as DstMem as well.
    
    Cc: stable@vger.linux.org
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/emulate.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit d5f0cbad72787b5b7d9afc6528b212929d8e53ae
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Thu Jan 1 23:11:11 2015 +0200

    KVM: x86: SYSENTER emulation is broken
    
    SYSENTER emulation is broken in several ways:
    1. It misses the case of 16-bit code segments completely (CVE-2015-0239).
    2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can
       still be set without causing #GP).
    3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in
       legacy-mode.
    4. There is some unneeded code.
    
    Fix it.
    
    Cc: stable@vger.linux.org
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    
    Conflicts:
    
    	arch/x86/kvm/emulate.c

 arch/x86/kvm/emulate.c |   27 ++++++++-------------------
 1 files changed, 8 insertions(+), 19 deletions(-)

commit ee71c08c7d95888bc0fbcfc6e907de133727cb3d
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 22 10:41:01 2015 +0100

    net: cls_bpf: fix size mismatch on filter preparation
    
    In cls_bpf_modify_existing(), we read out the number of filter blocks,
    do some sanity checks, allocate a block on that size, and copy over the
    BPF instruction blob from user space, then pass everything through the
    classic BPF checker prior to installation of the classifier.
    
    We should reject mismatches here, there are 2 scenarios: the number of
    filter blocks could be smaller than the provided instruction blob, so
    we do a partial copy of the BPF program, and thus the instructions will
    either be rejected from the verifier or a valid BPF program will be run;
    in the other case, we'll end up copying more than we're supposed to,
    and most likely the trailing garbage will be rejected by the verifier
    as well (i.e. we need to fit instruction pattern, ret {A,K} needs to be
    last instruction, load/stores must be correct, etc); in case not, we
    would leak memory when dumping back instruction patterns. The code should
    have only used nla_len() as Dave noted to avoid this from the beginning.
    Anyway, let's fix it by rejecting such load attempts.
    
    Fixes: 7d1d65cb84e1 ("net: sched: cls_bpf: add BPF-based classifier")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/cls_bpf.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 9323ab92e67743841c4ae08241ea8146a0ce16bf
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 22 10:41:02 2015 +0100

    net: cls_bpf: fix auto generation of per list handles
    
    When creating a bpf classifier in tc with priority collisions and
    invoking automatic unique handle assignment, cls_bpf_grab_new_handle()
    will return a wrong handle id which in fact is non-unique. Usually
    altering of specific filters is being addressed over major id, but
    in case of collisions we result in a filter chain, where handle ids
    address individual cls_bpf_progs inside the classifier.
    
    Issue is, in cls_bpf_grab_new_handle() we probe for head->hgen handle
    in cls_bpf_get() and in case we found a free handle, we're supposed
    to use exactly head->hgen. In case of insufficient numbers of handles,
    we bail out later as handle id 0 is not allowed.
    
    Fixes: 7d1d65cb84e1 ("net: sched: cls_bpf: add BPF-based classifier")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Jiri Pirko <jiri@resnulli.us>
    Acked-by: Alexei Starovoitov <ast@plumgrid.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sched/cls_bpf.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 49b733478a6cf3dbe2e3653cdde122ffb991cb70
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Jan 22 18:26:54 2015 +0100

    net: sctp: fix slab corruption from use after free on INIT collisions
    
    When hitting an INIT collision case during the 4WHS with AUTH enabled, as
    already described in detail in commit 1be9a950c646 ("net: sctp: inherit
    auth_capable on INIT collisions"), it can happen that we occasionally
    still remotely trigger the following panic on server side which seems to
    have been uncovered after the fix from commit 1be9a950c646 ...
    
    [  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
    [  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
    [  533.940559] PGD 5030f2067 PUD 0
    [  533.957104] Oops: 0000 [#1] SMP
    [  533.974283] Modules linked in: sctp mlx4_en [...]
    [  534.939704] Call Trace:
    [  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
    [  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
    [  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
    [  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
    [  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
    [  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
    [  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
    [  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
    
    ... or depending on the application, for example this one:
    
    [ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
    [ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
    [ 1370.054568] PGD 633c94067 PUD 0
    [ 1370.070446] Oops: 0000 [#1] SMP
    [ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
    [ 1370.963431] Call Trace:
    [ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
    [ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
    [ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
    [ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
    [ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b
    
    With slab debugging enabled, we can see that the poison has been overwritten:
    
    [  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
    [  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
    [  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
    [  669.826424]  __slab_alloc+0x4bf/0x566
    [  669.826433]  __kmalloc+0x280/0x310
    [  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
    [  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
    [  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
    [  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
    [  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
    [  669.826635]  __slab_free+0x39/0x2a8
    [  669.826643]  kfree+0x1d6/0x230
    [  669.826650]  kzfree+0x31/0x40
    [  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
    [  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
    [  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]
    
    Since this only triggers in some collision-cases with AUTH, the problem at
    heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
    when having refcnt 1, once directly in sctp_assoc_update() and yet again
    from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
    the already kzfree'd memory, which is also consistent with the observation
    of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
    at a later point in time when poison is checked on new allocation).
    
    Reference counting of auth keys revisited:
    
    Shared keys for AUTH chunks are being stored in endpoints and associations
    in endpoint_shared_keys list. On endpoint creation, a null key is being
    added; on association creation, all endpoint shared keys are being cached
    and thus cloned over to the association. struct sctp_shared_key only holds
    a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
    keeps track of users internally through refcounting. Naturally, on assoc
    or endpoint destruction, sctp_shared_key are being destroyed directly and
    the reference on sctp_auth_bytes dropped.
    
    User space can add keys to either list via setsockopt(2) through struct
    sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
    adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
    with refcount 1 and in case of replacement drops the reference on the old
    sctp_auth_bytes. A key can be set active from user space through setsockopt()
    on the id via sctp_auth_set_active_key(), which iterates through either
    endpoint_shared_keys and in case of an assoc, invokes (one of various places)
    sctp_auth_asoc_init_active_key().
    
    sctp_auth_asoc_init_active_key() computes the actual secret from local's
    and peer's random, hmac and shared key parameters and returns a new key
    directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
    the reference if there was a previous one. The secret, which is where we
    eventually double drop the ref, comes from sctp_auth_asoc_set_secret() with
    initial refcount of 1, which also stays unchanged eventually in
    sctp_assoc_update(). This key is later being used for crypto layer to
    set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().
    
    To close the loop: asoc->asoc_shared_key is freshly allocated secret
    material and independent of the sctp_shared_key management keeping track
    of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
    ("net: sctp: fix memory leak in auth key management") is independent of
    this bug here since it concerns a different layer (though same structures
    being used eventually). asoc->asoc_shared_key is reference dropped correctly
    on assoc destruction in sctp_association_free() and when active keys are
    being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
    of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
    to remove that sctp_auth_key_put() from there which fixes these panics.
    
    Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/associola.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 9b701a86f34db32ab410d6725a95a12c3c8766eb
Author: subashab@codeaurora.org <subashab@codeaurora.org>
Date:   Fri Jan 23 22:26:02 2015 +0000

    ping: Fix race in free in receive path
    
    An exception is seen in ICMP ping receive path where the skb
    destructor sock_rfree() tries to access a freed socket. This happens
    because ping_rcv() releases socket reference with sock_put() and this
    internally frees up the socket. Later icmp_rcv() will try to free the
    skb and as part of this, skb destructor is called and which leads
    to a kernel panic as the socket is freed already in ping_rcv().
    
    -->|exception
    -007|sk_mem_uncharge
    -007|sock_rfree
    -008|skb_release_head_state
    -009|skb_release_all
    -009|__kfree_skb
    -010|kfree_skb
    -011|icmp_rcv
    -012|ip_local_deliver_finish
    
    Fix this incorrect free by cloning this skb and processing this cloned
    skb instead.
    
    This patch was suggested by Eric Dumazet.
    
    Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
    Cc: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit b238fd8f6bea52fb3bff48bb4acc3d8005edb1da
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date:   Mon Dec 8 07:56:18 2014 +0100

    xfrm6: Fix the nexthdr offset in _decode_session6.
    
    xfrm_decode_session() was originally designed for the
    usage in the receive path where the correct nexthdr offset
    is stored in IP6CB(skb)->nhoff. Over time this function
    spread to code that is used in the output path (netfilter,
    vti) where IP6CB(skb)->nhoff is not set. As a result, we
    get a wrong nexthdr and the upper layer flow information
    is wrong. This can lead to incorrect policy lookups.
    
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

 net/ipv6/xfrm6_policy.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 491e31854c785babf3c54a3bba7575c829dc8a59
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:31:25 2015 -0500

    Make it easier to work with inherited subjects that change roles.
    If a subject of the same name of the current inherited subject
    exists in the role being changed to with a similar object
    in it that would trigger inheritance on execution of the current process'
    binary, then we'll use that subject instead of the normal one obtained
    through lookup.
    
    See:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=4129

 grsecurity/gracl.c        |   42 ++++++++++++++++++++++++++++++------------
 grsecurity/gracl_policy.c |   10 +++++-----
 2 files changed, 35 insertions(+), 17 deletions(-)

commit c4e81aff053d35b5962ea18d78d97bd07697d76d
Merge: 62e56aa e1a2240
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:20:25 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e1a2240e692c853c6fb87758f9c86e341582d9b3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:19:56 2015 -0500

    Update to pax-linux-3.14.30-test30.patch:
    - fixed STACKLEAK and stack overflow checking interference, reported by Toralf Förster (https://bugs.gentoo.org/show_bug.cgi?id=536514) and KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=4121)
    - fixed early crash of Xen domU when SSP is enabled (e.g., the default Arch kernel), reported by badchemist

 arch/x86/kernel/entry_32.S   |    1 +
 arch/x86/kernel/entry_64.S   |    1 +
 arch/x86/kernel/process_32.c |    2 +-
 arch/x86/kernel/process_64.c |    2 +-
 arch/x86/xen/enlighten.c     |    5 +++--
 fs/exec.c                    |    2 +-
 6 files changed, 8 insertions(+), 5 deletions(-)

commit 62e56aa4365d92714e33cfd32e868c7c18703eb8
Merge: a406b92 ff4895f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:17:00 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/proc/stat.c

commit ff4895fe63db5be651b576881c60822d79bffae2
Merge: f0441c7 4d7313c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jan 27 18:14:58 2015 -0500

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	drivers/gpu/drm/ttm/ttm_page_alloc.c
    	drivers/gpu/drm/ttm/ttm_page_alloc_dma.c

commit a406b9268e979a564b4faf3ddb7aa6b039701653
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Mon Oct 6 10:55:49 2014 -0700

    Input: evdev - fix EVIOCG{type} ioctl
    
    The 'max' size passed into the function is measured in number of bits
    (KEY_MAX, LED_MAX, etc) so we need to convert it accordingly before trying
    to copy the data out, otherwise we will try copying too much and end up
    with a page fault.
    
    Reported-by: Pavel Machek <pavel@ucw.cz>
    Reviewed-by: Pavel Machek <pavel@ucw.cz>
    Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

 drivers/input/evdev.c |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

commit 465809b61154f41b9f93f0599302c4b6a6eba820
Author: Louis Langholtz <lou_langholtz@me.com>
Date:   Thu Jan 15 22:04:46 2015 -0700

    kernel: avoid overflow in cmp_range
    
    Avoid overflow possibility.
    
    [ The overflow is purely theoretical, since this is used for memory
      ranges that aren't even close to using the full 64 bits, but this is
      the right thing to do regardless.  - Linus ]
    
    Signed-off-by: Louis Langholtz <lou_langholtz@me.com>
    Cc: Yinghai Lu <yinghai@kernel.org>
    Cc: Peter Anvin <hpa@linux.intel.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/range.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit 30333a8fb6151c2e6f6611d43daef8f619068eb4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jan 19 22:34:51 2015 +0300

    s2io: use snprintf() as a safety feature
    
    "sp->desc[i]" has 25 characters.  "dev->name" has 15 characters.  If we
    used all 15 characters then the sprintf() would overflow.
    
    I changed the "sprintf(sp->name, "%s Neterion %s"" to snprintf(), as
    well, even though it can't overflow just to be consistent.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/neterion/s2io.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 282fc8480fedfc8673a40411bb9576531ae11668
Author: Willem de Bruijn <willemb@google.com>
Date:   Thu Jan 15 13:18:40 2015 -0500

    ip: zero sockaddr returned on error queue
    
    The sockaddr is returned in IP(V6)_RECVERR as part of errhdr. That
    structure is defined and allocated on the stack as
    
        struct {
                struct sock_extended_err ee;
                struct sockaddr_in(6)    offender;
        } errhdr;
    
    The second part is only initialized for certain SO_EE_ORIGIN values.
    Always initialize it completely.
    
    An MTU exceeded error on a SOCK_RAW/IPPROTO_RAW is one example that
    would return uninitialized bytes.
    
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    
    ----
    
    Also verified that there is no padding between errhdr.ee and
    errhdr.offender that could leak additional kernel data.
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/ip_sockglue.c
    	net/ipv6/datagram.c

 net/ipv4/ip_sockglue.c |    9 +++------
 net/ipv6/datagram.c    |   10 +++-------
 2 files changed, 6 insertions(+), 13 deletions(-)

commit 5b9c187db84dfc6c61e2ea4b1e2eaa39253f8a9b
Author: Hagen Paul Pfeifer <hagen@jauu.net>
Date:   Thu Jan 15 22:34:25 2015 +0100

    ipv6: stop sending PTB packets for MTU < 1280
    
    Reduce the attack vector and stop generating IPv6 Fragment Header for
    paths with an MTU smaller than the minimum required IPv6 MTU
    size (1280 byte) - called atomic fragments.
    
    See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1]
    for more information and how this "feature" can be misused.
    
    [1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00
    
    Signed-off-by: Fernando Gont <fgont@si6networks.com>
    Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/route.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 711d4d8857255d61be3842deaae3a8abe442df41
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 18 21:51:22 2015 -0500

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data   |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 8c0a98ce18ebbd5cd14e7da692387d3211d2919f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 18 21:42:06 2015 -0500

    backport xen/ssp fix

 arch/x86/xen/enlighten.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 999132d179c9cd4dfb4a1d822130ac4ce880295c
Merge: 7ad994e f0441c7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 18 21:20:59 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	mm/mmap.c

commit f0441c78bcf59c4068cf8fb6f3bf6a4d83bffa57
Merge: 68da8ba a2ab918
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 18 21:18:26 2015 -0500

    Update to pax-linux-3.14.29-test29.patch
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/vdso/vma.c
    	mm/memory.c

commit 7ad994e87b70d397854a7117da44752fa53dc3d1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 14 22:48:11 2015 -0500

    Allow the admin role and subjects with ptrace override ability to
    view /proc/pid/mem, /proc/pid/fd, and /proc/pid/cmdline of tasks
    with "d" in their subject mode.  Thanks to tjh for the report!

 grsecurity/gracl_fs.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit dac7adc65584b7147a6bdff173633c5cfe4a7ed2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jan 14 21:47:00 2015 -0500

    Fix some instances of dma-on-stack reported by xxterry1xx on the forums

 drivers/staging/line6/driver.c   |   16 ++++++++++++----
 drivers/staging/line6/toneport.c |   13 ++++++++++---
 2 files changed, 22 insertions(+), 7 deletions(-)

commit 6a428e46f7e6e82737cad37a820b49c9bd3976be
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jan 12 08:18:02 2015 -0500

    don't shadow the 'dentry' variable and cause failures in the recent warning
    fix, thanks to orfheo from the forums for the report

 fs/kernfs/dir.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 8b57fe7f399e575a14e8f2a9ec08b321737f6098
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 13:31:21 2015 -0500

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b2f6de3a2e67bad4d8a22d6e288d8544938d8c77
Merge: 3822258 68da8ba
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 13:13:30 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 68da8ba0fbeb3c283410e6bb5945d1ec28a6b72b
Merge: 8f556a4 c3b70f0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 13:12:59 2015 -0500

    Update to pax-linux-3.14.28-test29.patch
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kernel/process_64.c

commit 382225854595cc5ffa05187b77326b35acee3e3a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 09:46:33 2015 -0500

    squelch a harmless compiler warning

 drivers/iommu/amd_iommu.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 98accfb60b4105323d82621737bc1e696124f3eb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 11 09:36:06 2015 -0500

    properly return zero if the kernfs lookup succeeded

 fs/kernfs/dir.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 77c756c73132ca7ef149299d6e9f4dac57217856
Merge: 28cc260 8f556a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 4 19:15:44 2015 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/kernel/espfix_64.c

commit 8f556a4c9a3819826cb903a88d331fd2c214e920
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jan 4 19:14:43 2015 -0500

    Update to pax-linux-3.14.27-test29.patch:
    - fixed kernel stack corruption in iret fault handling under RANDKSTACK/amd64, triggered by Andy Lutomirski's linux-clock-tests suite (sigreturn_32)
    - removed superfluous section attr on espfix_pud_page, reported by spender

 arch/x86/kernel/espfix_64.c |    3 +--
 arch/x86/kernel/traps.c     |    3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

commit 28cc2607526e319b7e0d71643eb4b598e443963d
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 16:15:51 2014 +0200

    udf: Make udf_read_inode() and udf_iget() return error
    
    Currently __udf_read_inode() wasn't returning anything and we found out
    whether we succeeded reading inode by checking whether inode is bad or
    not. udf_iget() returned NULL on failure and inode pointer otherwise.
    Make these two functions properly propagate errors up the call stack and
    use the return value in callers.
    
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c   |   99 +++++++++++++++++++++++++-----------------------------
 fs/udf/namei.c   |   22 +++++-------
 fs/udf/super.c   |   69 ++++++++++++++++++++++---------------
 fs/udf/udfdecl.h |    1 -
 4 files changed, 96 insertions(+), 95 deletions(-)

commit 9ff30aec289fbb7f761bf6b8e1d04f6e4e5b8b81
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 14:27:55 2014 +0100

    udf: Check component length before reading it
    
    Check that length specified in a component of a symlink fits in the
    input buffer we are reading. Also properly ignore component length for
    component types that do not use it. Otherwise we read memory after end
    of buffer for corrupted udf image.
    
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/symlink.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit 55998938add388406df006ce4e63a3b946535309
Author: Jan Kara <jack@suse.cz>
Date:   Thu Dec 18 22:37:50 2014 +0100

    udf: Check path length when reading symlink
    
    Symlink reading code does not check whether the resulting path fits into
    the page provided by the generic code. This isn't as easy as just
    checking the symlink size because of various encoding conversions we
    perform on path. So we have to check whether there is still enough space
    in the buffer on the fly.
    
    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/dir.c     |    3 ++-
 fs/udf/namei.c   |    3 ++-
 fs/udf/symlink.c |   31 ++++++++++++++++++++++++++-----
 fs/udf/udfdecl.h |    3 ++-
 fs/udf/unicode.c |   28 ++++++++++++++++------------
 5 files changed, 48 insertions(+), 20 deletions(-)

commit 2f08b703c596df809963ed0efa6ec970b951dff5
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 12:21:47 2014 +0100

    udf: Verify symlink size before loading it
    
    UDF specification allows arbitrarily large symlinks. However we support
    only symlinks at most one block large. Check the length of the symlink
    so that we don't access memory beyond end of the symlink block.
    
    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/symlink.c |   17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

commit ac829de30529bec076819916f6383541bcf67e13
Author: Jan Kara <jack@suse.cz>
Date:   Fri Dec 19 12:03:53 2014 +0100

    udf: Verify i_size when loading inode
    
    Verify that inode size is sane when loading inode with data stored in
    ICB. Otherwise we may get confused later when working with the inode and
    inode size is too big.
    
    CC: stable@vger.kernel.org
    Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 0a74ea5ee09b76bbb8b209e2c5d3e590e6ca651f
Author: Jan Kara <jack@suse.cz>
Date:   Thu Dec 18 17:26:10 2014 +0100

    isofs: Fix unchecked printing of ER records
    
    We didn't check length of rock ridge ER records before printing them.
    Thus corrupted isofs image can cause us to access and print some memory
    behind the buffer with obvious consequences.
    
    Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/isofs/rock.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 9cd590c7064b6d28a3c36c4d20081264e52bfa0c
Author: Sven Eckelmann <sven@narfation.org>
Date:   Sat Dec 20 13:48:55 2014 +0100

    batman-adv: Calculate extra tail size based on queued fragments
    
    The fragmentation code was replaced in 610bfc6bc99bc83680d190ebc69359a05fc7f605
    ("batman-adv: Receive fragmented packets and merge"). The new code provided a
    mostly unused parameter skb for the merging function. It is used inside the
    function to calculate the additionally needed skb tailroom. But instead of
    increasing its own tailroom, it is only increasing the tailroom of the first
    queued skb. This is not correct in some situations because the first queued
    entry can be a different one than the parameter.
    
    An observed problem was:
    
    1. packet with size 104, total_size 1464, fragno 1 was received
       - packet is queued
    2. packet with size 1400, total_size 1464, fragno 0 was received
       - packet is queued at the end of the list
    3. enough data was received and can be given to the merge function
       (1464 == (1400 - 20) + (104 - 20))
       - merge functions gets 1400 byte large packet as skb argument
    4. merge function gets first entry in queue (104 byte)
       - stored as skb_out
    5. merge function calculates the required extra tail as total_size - skb->len
       - pskb_expand_head tail of skb_out with 64 bytes
    6. merge function tries to squeeze the extra 1380 bytes from the second queued
       skb (1400 byte aka skb parameter) in the 64 extra tail bytes of skb_out
    
    Instead calculate the extra required tail bytes for skb_out also using skb_out
    instead of using the parameter skb. The skb parameter is only used to get the
    total_size from the last received packet. This is also the total_size used to
    decide that all fragments were received.
    
    Reported-by: Philipp Psurek <philipp.psurek@gmail.com>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Acked-by: Martin Hundebøll <martin@hundeboll.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/batman-adv/fragmentation.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 911fe5e375e19d4f4254d8b27cdc2057c5890679
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 31 00:03:55 2014 -0500

    force kernfs to initialize the dentry prior to mkdir return

 fs/kernfs/dir.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 84ed4b2cd78acaf6d32078ae00b852c56c96d667
Merge: db2da5a a1a756c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 30 23:49:08 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/kernel/espfix_64.c
    	arch/x86/kernel/paravirt_patch_64.c

commit a1a756ca485b5cb212f2fbdf3e32aeeafbdcf3b2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 30 23:48:11 2014 -0500

    Update to pax-linux-3.14.27-test28.patch:
    - spender finally figured out and fixed the UDEREF/PCID/PARAVIRT problem, reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=522252)
    - fixed wrong refcount operation in uart_open, by Rogelio M. Serrano Jr <rogelios664@gmail.com>
    - fixed ESPFIX crash under per-cpu PGD configs (KERNEXEC/UDEREF on amd64), reported by Andy Lutomirski <luto@amacapital.net>
    - constified a few variables

 arch/x86/kernel/entry_64.S          |   10 +++++-----
 arch/x86/kernel/espfix_64.c         |   13 ++++++++-----
 arch/x86/kernel/paravirt_patch_64.c |    8 ++++++++
 arch/x86/kvm/emulate.c              |    2 +-
 drivers/tty/serial/serial_core.c    |    2 +-
 5 files changed, 23 insertions(+), 12 deletions(-)

commit db2da5a8150d3130a583d1be9ac2fd348e2f542e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 27 17:24:20 2014 -0500

    remove the %preun step, we don't want to remove old kernels installed from the paid kernel service

 scripts/package/mkspec |    7 -------
 1 files changed, 0 insertions(+), 7 deletions(-)

commit bd7586bb33e4da75b753006b1fe7161ef122cb42
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 23 23:28:21 2014 -0500

    invoke new-kernel-pkg directly instead of using installkernel, which fixes some
    issues beta testers experienced with the new paid kernel service.
    
    suggested by a sponsor

 scripts/package/mkspec |   17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

commit 5fb8df46382e6d4c8fd860c114df8a08cb5c9fb0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 17:28:43 2014 -0500

    compile fix

 arch/x86/kernel/espfix_64.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 6477dd47081e73a2a9903f6465ada492f49e4b2a
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Fri Dec 5 19:03:28 2014 -0800

    x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's benefit
    
    paravirt_enabled has the following effects:
    
     - Disables the F00F bug workaround warning.  There is no F00F bug
       workaround any more because Linux's standard IDT handling already
       works around the F00F bug, but the warning still exists.  This
       is only cosmetic, and, in any event, there is no such thing as
       KVM on a CPU with the F00F bug.
    
     - Disables 32-bit APM BIOS detection.  On a KVM paravirt system,
       there should be no APM BIOS anyway.
    
     - Disables tboot.  I think that the tboot code should check the
       CPUID hypervisor bit directly if it matters.
    
     - paravirt_enabled disables espfix32.  espfix32 should *not* be
       disabled under KVM paravirt.
    
    The last point is the purpose of this patch.  It fixes a leak of the
    high 16 bits of the kernel stack address on 32-bit KVM paravirt
    guests.  Fixes CVE-2014-8134.
    
    Cc: stable@vger.kernel.org
    Suggested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kernel/kvm.c      |    9 ++++++++-
 arch/x86/kernel/kvmclock.c |    1 -
 2 files changed, 8 insertions(+), 2 deletions(-)

commit 70987eb0ac6d037caa1297df91eda99206683d46
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Dec 17 14:48:30 2014 -0800

    x86/tls: Don't validate lm in set_thread_area() after all
    
    It turns out that there's a lurking ABI issue.  GCC, when
    compiling this in a 32-bit program:
    
    struct user_desc desc = {
    	.entry_number    = idx,
    	.base_addr       = base,
    	.limit           = 0xfffff,
    	.seg_32bit       = 1,
    	.contents        = 0, /* Data, grow-up */
    	.read_exec_only  = 0,
    	.limit_in_pages  = 1,
    	.seg_not_present = 0,
    	.useable         = 0,
    };
    
    will leave .lm uninitialized.  This means that anything in the
    kernel that reads user_desc.lm for 32-bit tasks is unreliable.
    
    Revert the .lm check in set_thread_area().  The value never did
    anything in the first place.
    
    Fixes: 0e58af4e1d21 ("x86/tls: Disallow unusual TLS segments")
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org # Only if 0e58af4e1d21 is backported
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/d7875b60e28c512f6a6fc0baf5714d58e7eaadbb.1418856405.git.luto@amacapital.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/include/uapi/asm/ldt.h |    7 +++++++
 arch/x86/kernel/tls.c           |    6 ------
 2 files changed, 7 insertions(+), 6 deletions(-)

commit 6b64e85f3dd1cfb346cf6273b302d7e8863b5d03
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Dec 4 16:48:17 2014 -0800

    x86/tls: Disallow unusual TLS segments
    
    Users have no business installing custom code segments into the
    GDT, and segments that are not present but are otherwise valid
    are a historical source of interesting attacks.
    
    For completeness, block attempts to set the L bit.  (Prior to
    this patch, the L bit would have been silently dropped.)
    
    This is an ABI break.  I've checked glibc, musl, and Wine, and
    none of them look like they'll have any trouble.
    
    Note to stable maintainers: this is a hardening patch that fixes
    no known bugs.  Given the possibility of ABI issues, this
    probably shouldn't be backported quickly.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: H. Peter Anvin <hpa@zytor.com>
    Cc: stable@vger.kernel.org # optional
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: security@kernel.org <security@kernel.org>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/tls.c |   22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)

commit e82ca0b184795c5085bfaf9a093dd82a556d47d6
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Thu Dec 4 16:48:16 2014 -0800

    x86/tls: Validate TLS entries to protect espfix
    
    Installing a 16-bit RW data segment into the GDT defeats espfix.
    AFAICT this will not affect glibc, Wine, or dosemu at all.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: H. Peter Anvin <hpa@zytor.com>
    Cc: stable@vger.kernel.org
    Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: security@kernel.org <security@kernel.org>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

 arch/x86/kernel/tls.c |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

commit 3f19dd0a58e6a7952c34818a6f854cf155f9c77f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 21 16:32:08 2014 -0500

    Fix a long-standing incompatibility between x64 UDEREF and CONFIG_PARAVIRT
    on PCID-capable systems.  Generally it resulted in userland crashes preventing
    boot of the system which were able to be worked around by booting with nopcid
    and receiving a weaker UDEREF implementation.  The source of the problem
    was paravirt-specific asm alternatives for flush_tlb_single rewriting the
    pv_mm_ops's native code with a single invlpg.
    
    As of this patch, no recommendations should be made to boot with nopcid, as
    it results in a weaker UDEREF implementation.

 arch/x86/kernel/paravirt_patch_64.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 960d5de61cc63cbf7d6f33467b846b1541f1f38a
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Sun Nov 2 11:54:52 2014 +0200

    KVM: x86: MOV to CR3 can set bit 63
    
    Although Intel SDM mentions bit 63 is reserved, MOV to CR3 can have bit 63 set.
    As Intel SDM states in section 4.10.4 "Invalidation of TLBs and
    Paging-Structure Caches": " MOV to CR3. ... If CR4.PCIDE = 1 and bit 63 of the
    instruction’s source operand is 0 ..."
    
    In other words, bit 63 is not reserved. KVM emulator currently consider bit 63
    as reserved. Fix it.
    
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    
    Conflicts:
    
    	arch/x86/include/asm/kvm_host.h
    	arch/x86/kvm/emulate.c

 arch/x86/include/asm/kvm_host.h |    1 +
 arch/x86/kvm/emulate.c          |    2 +-
 arch/x86/kvm/x86.c              |    2 ++
 3 files changed, 4 insertions(+), 1 deletions(-)

commit c208048aa4df574ff34b5e28a3703150447c92fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Dec 20 11:50:30 2014 -0500

    force off X86_16BIT if grsecurity is enabled -- nobody cares about
    running Windows 3.1 apps under wine, it's not worth the risk

 arch/x86/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit b110d84e7c43a0ae3693e747a7623d8f50f11401
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Dec 19 06:20:59 2014 +0000

    Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket
    
    same story as cmtp
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

 net/bluetooth/bnep/core.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 61ff2732cea69c2825998c3626ded772ca9b4fc3
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Dec 19 06:20:58 2014 +0000

    Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket
    
    ... rather than relying on ciptool(8) never passing it anything else.  Give
    it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops,
    trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

 net/bluetooth/cmtp/core.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit d8908880c01817ba011e32e8892e5ee4246b354e
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Dec 19 06:20:57 2014 +0000

    Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()
    
    it's OK after we'd verified the sockets, but not before that.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

 net/bluetooth/hidp/core.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 15cadb2ef60d80d3fe7f6708d19f15d5c8034097
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Dec 18 10:57:19 2014 -0600

    mnt: Fix a memory stomp in umount
    
    While reviewing the code of umount_tree I realized that when we append
    to a preexisting unmounted list we do not change pprev of the former
    first item in the list.
    
    Which means later in namespace_unlock hlist_del_init(&mnt->mnt_hash) on
    the former first item of the list will stomp unmounted.first leaving
    it set to some random mount point which we are likely to free soon.
    
    This isn't likely to hit, but if it does I don't know how anyone could
    track it down.
    
    [ This happened because we don't have all the same operations for
      hlist's as we do for normal doubly-linked lists. In particular,
      list_splice() is easy on our standard doubly-linked lists, while
      hlist_splice() doesn't exist and needs both start/end entries of the
      hlist.  And commit 38129a13e6e7 incorrectly open-coded that missing
      hlist_splice().
    
      We should think about making these kinds of "mindless" conversions
      easier to get right by adding the missing hlist helpers   - Linus ]
    
    Fixes: 38129a13e6e71f666e0468e99fdd932a687b4d7e switch mnt_hash to hlist
    Cc: stable@vger.kernel.org
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/namespace.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 0cf76a228dabb9de1b5083f0bcc86ed219cd1c57
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 17 18:30:48 2014 -0500

    make the statically allocated pud page read-only while we're at it

 arch/x86/kernel/espfix_64.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a9ae00616e969d61f5d2378a8aeeb0eba77aee7a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Dec 17 18:28:16 2014 -0500

    Fix doublefault in espfix code when PAX_PER_CPU_PGD is enabled,
    reported by Andy Lutomirski

 arch/x86/kernel/espfix_64.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit f85452dcaba1d776473a8d0a56f058f35ab631ba
Author: Jan Kara <jack@suse.cz>
Date:   Mon Dec 15 14:22:46 2014 +0100

    isofs: Fix infinite looping over CE entries
    
    Rock Ridge extensions define so-called Continuation Entries (CE) which
    define where further space with Rock Ridge data is. A corrupted isofs
    image can contain an arbitrarily long chain of these, including one
    containing a loop, and thus cause the kernel to end up in an infinite loop
    when traversing these entries.
    
    Limit the traversal to 32 entries which should be more than enough space
    to store all the Rock Ridge data.
    
    Reported-by: P J P <ppandit@redhat.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/isofs/rock.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit b180ca3018a6beb47610a55de3f5949ac20dc142
Merge: f664f58 e4821ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 16 18:39:51 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit e4821ca7963c22b1fdbbc1eb412d3c5eabc0e87e
Merge: aeb74fc 83a926f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 16 18:39:45 2014 -0500

    Merge branch 'linux-3.14.y' into pax-stable2

commit f664f586e9129896c065e9dbf0feb848f8306671
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 16 17:18:16 2014 -0500

    Force support on for user extended attributes for filesystems that currently
    don't default to on to match up with other filesystems like ext4/xfs that do.
    
    We'll need this to make an upcoming addition to the paid kernel packages work
    without any additional configuration by the user.
    
    If there's a particular mountpoint you don't want to have user extended attributes
    enabled on for whatever reason, the "nouser_xattr" mount option will honor it.
    
    Conflicts:
    
    	fs/reiserfs/super.c

 fs/ext2/super.c     |    8 +++-----
 fs/ext3/super.c     |    8 +++-----
 fs/reiserfs/super.c |    4 ++++
 3 files changed, 10 insertions(+), 10 deletions(-)

commit 337fbc5308268b4ffa1ebf086172ee242b0876da
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:20:27 2014 -0500

    Point the AMD IOMMU driver to the lowmem-mapped stack instead of allowing
    it to wrongly acquire the physical address of the vmap'd kernel stack
    under KSTACKOVERFLOW.
    
    Thanks to Victor <silentworks@gmail.com> for the report

 drivers/iommu/amd_iommu.c |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

commit 729fd1469bf1cbb5b9331339cbe029720d31a6b2
Merge: 7608a5b aeb74fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 19:06:34 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit aeb74fc204c1c3ad425dd99a5cac1c124f2d3dfb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 18:36:30 2014 -0500

    Update to pax-linux-3.14.26-test27.patch:
    - fixed a few REFCOUNT accessors on arm/powerpc/sparc
    - fixed a few section mismatches for CONSTIFY
    - fixed a REFCOUNT false positive in ftrace

 arch/arm/include/asm/atomic.h            |    2 +-
 arch/sparc/include/asm/atomic_64.h       |    4 ++--
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c |    2 +-
 drivers/net/caif/caif_hsi.c              |    2 +-
 drivers/net/can/dev.c                    |    2 +-
 drivers/net/can/vcan.c                   |    2 +-
 drivers/net/dummy.c                      |    2 +-
 drivers/net/ifb.c                        |    2 +-
 drivers/net/nlmon.c                      |    2 +-
 drivers/net/team/team.c                  |    2 +-
 drivers/net/tun.c                        |    2 +-
 include/linux/sched.h                    |    2 +-
 kernel/trace/ftrace.c                    |    4 ++--
 kernel/trace/trace_functions_graph.c     |    4 ++--
 net/8021q/vlan_netlink.c                 |    2 +-
 net/batman-adv/soft-interface.c          |    2 +-
 net/bridge/br_netlink.c                  |    2 +-
 net/caif/chnl_net.c                      |    2 +-
 net/hsr/hsr_netlink.c                    |    2 +-
 net/ieee802154/6lowpan.c                 |    2 +-
 20 files changed, 23 insertions(+), 23 deletions(-)

commit 7608a5b6c54ea04d57d2c89cbef565a1194f6196
Merge: 18bb07a d8e9ff2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 18:07:41 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit d8e9ff273148ee5d84edc48c539878f7ec358699
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 14 18:07:08 2014 -0500

    Update to pax-linux-3.14.26-test26.patch:
    - fixed a (probably harmless) integer underflow in ttm_page_pool_free/ttm_dma_page_pool_free, caught by the size overflow plugin, reported by hunger

 arch/x86/kernel/traps.c                  |    2 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c     |   18 +++++++++---------
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c |   18 +++++++++---------
 3 files changed, 19 insertions(+), 19 deletions(-)

commit 18bb07a8b79b7aba59de00181c410e99d91f6e58
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 12:41:18 2014 -0500

    Fix sparc64 compilation, reported by Blake Self

 arch/sparc/include/asm/pgalloc_64.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 70f2b51fcacc5497befce0361abd84d223d58011
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:56:31 2014 -0500

    compilation fix

 arch/x86/kernel/traps.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ee7f7798a301cec108146e32bbebc6504baa7174
Merge: 7be7489 00d8c91
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:09:15 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit 00d8c9116cbf13b014f326a5c0446b6dfb639a1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:08:32 2014 -0500

    Update to pax-linux-3.14.25-test25.patch:
    - added a temporary workaround for a few size overflow false positives when REFCOUNT was disabled until the new plugin is ready, by Mathias Krause <mathias.krause@secunet.com>
    - preliminary fix by Steffen Klassert (http://marc.info/?l=linux-netdev&m=141768340108789) for an upstream bug in the ipv6 tunnel code caught by the size overflow plugin, reported by Alexander Wetzel (https://forums.grsecurity.net/viewtopic.php?f=1&t=4083) and Colton Reeder (https://bugs.gentoo.org/show_bug.cgi?id=529352)

 arch/x86/include/asm/atomic.h     |    4 ++--
 include/asm-generic/atomic-long.h |    2 +-
 net/ipv6/xfrm6_policy.c           |    2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

commit 7be7489ee5134fc1ff48f56f5c5a859147195e4d
Merge: 1658f6a 6af4f98
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:07:14 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	drivers/net/ppp/pptp.c

commit 6af4f98989c9cd0796dd0b9ab63f5af23eb7ed11
Merge: f00a94f 356a3e1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Dec 7 08:02:22 2014 -0500

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/include/asm/cpufeature.h
    	arch/x86/kernel/entry_64.S

commit 1658f6a2ded5c2d778e694f7808034e3fc51672a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Dec 4 20:42:21 2014 -0500

    Subject: [PATCH] xfrm6: Fix transport header offset in _decode_session6.
    
    skb->transport_header might not be valid when we do a reverse
    decode because the ipv6 tunnel error handlers don't update it
    to the inner transport header. This leads to a wrong offset
    calculation and to wrong layer 4 information. We fix this
    by using the size of the ipv6 header as the first offset.
    
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    
    Bug found with the size_overflow plugin

 net/ipv6/xfrm6_policy.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b0928449ad9f170bafa931ed5ca1d13ee8eace3f
Author: Andrew Morton <akpm@linux-foundation.org>
Date:   Tue Dec 2 15:59:31 2014 -0800

    drivers/input/evdev.c: don't kfree() a vmalloc address
    
    If kzalloc() failed and then evdev_open_device() fails, evdev_open()
    will pass a vmalloc'ed pointer to kfree.
    
    This might fix https://bugzilla.kernel.org/show_bug.cgi?id=88401, where
    there was a crash in kfree().
    
    Reported-by: Christian Casteyde <casteyde.christian@free.fr>
    Belatedly-Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Cc: Henrik Rydberg <rydberg@euromail.se>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/input/evdev.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 769ee85c77d75bb99e274c41839b0e0d6503ee81
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Tue May 6 14:02:53 2014 -0400

    nick kvfree() from apparmor
    
    too many places open-code it
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 include/linux/mm.h                   |    2 ++
 mm/util.c                            |   10 ++++++++++
 security/apparmor/include/apparmor.h |    1 -
 security/apparmor/lib.c              |   14 --------------
 4 files changed, 12 insertions(+), 15 deletions(-)

commit 05b53293e80b694b5c8ca15cd98bac24e556632b
Author: Thomas Graf <tgraf@suug.ch>
Date:   Wed Nov 26 13:42:17 2014 +0100

    net: Validate IFLA_BRIDGE_MODE attribute length
    
    Payload is currently accessed blindly and may exceed valid message
    boundaries.
    
    Fixes: a77dcb8c8 ("be2net: set and query VEB/VEPA mode of the PF interface")
    Fixes: 815cccbf1 ("ixgbe: add setlink, getlink support to ixgbe and ixgbevf")
    Cc: Ajit Khaparde <ajit.khaparde@emulex.com>
    Cc: John Fastabend <john.r.fastabend@intel.com>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Acked-by: John Fastabend <john.r.fastabend@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/emulex/benet/be_main.c   |    3 +++
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |    3 +++
 2 files changed, 6 insertions(+), 0 deletions(-)

commit 422b14820d1548a7a4be21e07bbcadf913eeae1d
Author: Thomas Graf <tgraf@suug.ch>
Date:   Wed Nov 26 13:42:16 2014 +0100

    bridge: Validate IFLA_BRIDGE_FLAGS attribute length
    
    Payload is currently accessed blindly and may exceed valid message
    boundaries.
    
    Fixes: 407af3299 ("bridge: Add netlink interface to configure vlans on bridge ports")
    Cc: Vlad Yasevich <vyasevic@redhat.com>
    Signed-off-by: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/rtnetlink.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 545b27325d689dca6cdf96f67def3715110c48d6
Author: Seth Forshee <seth.forshee@canonical.com>
Date:   Tue Nov 25 20:28:24 2014 -0600

    xen-netfront: Remove BUGs on paged skb data which crosses a page boundary
    
    These BUGs can be erroneously triggered by frags which refer to
    tail pages within a compound page. The data in these pages may
    overrun the hardware page while still being contained within the
    compound page, but since compound_order() evaluates to 0 for tail
    pages the assertion fails. The code already iterates through
    subsequent pages correctly in this scenario, so the BUGs are
    unnecessary and can be removed.
    
    Fixes: f36c374782e4 ("xen/netfront: handle compound page fragments on transmit")
    Cc: <stable@vger.kernel.org> # 3.7+
    Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
    Reviewed-by: David Vrabel <david.vrabel@citrix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/xen-netfront.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit 9264712d407a4235e522185e834181364680b6ea
Author: Daniel Forrest <dan.forrest@ssec.wisc.edu>
Date:   Tue Dec 2 15:59:42 2014 -0800

    mm: fix anon_vma_clone() error treatment
    
    Andrew Morton noticed that the error return from anon_vma_clone() was
    being dropped and replaced with -ENOMEM (which is not itself a bug
    because the only error return value from anon_vma_clone() is -ENOMEM).
    
    I did an audit of callers of anon_vma_clone() and discovered an actual
    bug where the error return was being lost.  In __split_vma(), between
    Linux 3.11 and 3.12 the code was changed so the err variable is used
    before the call to anon_vma_clone() and the default initial value of
    -ENOMEM is overwritten.  So a failure of anon_vma_clone() will return
    success since err at this point is now zero.
    
    Below is a patch which fixes this bug and also propagates the error
    return value from anon_vma_clone() in all cases.
    
    Fixes: ef0855d334e1 ("mm: mempolicy: turn vma_set_policy() into vma_dup_policy()")
    Signed-off-by: Daniel Forrest <dan.forrest@ssec.wisc.edu>
    Reviewed-by: Michal Hocko <mhocko@suse.cz>
    Cc: Konstantin Khlebnikov <koct9i@gmail.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Tim Hartrick <tim@edgecast.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Michel Lespinasse <walken@google.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: <stable@vger.kernel.org>	[3.12+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mmap.c |   10 +++++++---
 mm/rmap.c |    6 ++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

commit 5b20198c53fa3422504f8237d69636efffc953f5
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Dec 2 15:59:39 2014 -0800

    mm: fix swapoff hang after page migration and fork
    
    I've been seeing swapoff hangs in recent testing: it's cycling around
    trying unsuccessfully to find an mm for some remaining pages of swap.
    
    I have been exercising swap and page migration more heavily recently,
    and now notice a long-standing error in copy_one_pte(): it's trying to
    add dst_mm to swapoff's mmlist when it finds a swap entry, but is doing
    so even when it's a migration entry or an hwpoison entry.
    
    Which wouldn't matter much, except it adds dst_mm next to src_mm,
    assuming src_mm is already on the mmlist: which may not be so.  Then if
    pages are later swapped out from dst_mm, swapoff won't be able to find
    where to replace them.
    
    There's already a !non_swap_entry() test for stats: move that up before
    the swap_duplicate() and the addition to mmlist.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Cc: Kelley Nielsen <kelleynnn@gmail.com>
    Cc: <stable@vger.kernel.org>	[2.6.18+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memory.c |   26 +++++++++++++-------------
 1 files changed, 13 insertions(+), 13 deletions(-)

commit ef9d34871c5dedf9d14361c93dffa96dbb3066ec
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Tue Dec 2 15:59:37 2014 -0800

    fat: fix oops on corrupted vfat fs
    
    a) don't bother with ->d_time for positives - we only check it for
       negatives anyway.
    
    b) make sure to set it at unlink and rmdir time - at *that* point
       soon-to-be negative dentry matches then-current directory contents
    
    c) don't go into renaming of old alias in vfat_lookup() unless it
       has the same parent (which it will, unless we are seeing corrupted
       image)
    
    [hirofumi@mail.parknet.co.jp: make change minimum, don't call d_move() for dir]
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Cc: <stable@vger.kernel.org>	[3.17.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/fat/namei_vfat.c |   20 +++++++++++---------
 1 files changed, 11 insertions(+), 9 deletions(-)

commit 632d934d3f8e4b1badb567d417c25cb1936a293a
Author: Andrew Morton <akpm@linux-foundation.org>
Date:   Tue Dec 2 15:59:28 2014 -0800

    mm/vmpressure.c: fix race in vmpressure_work_fn()
    
    In some android devices, there will be a "divide by zero" exception.
    vmpr->scanned could be zero before spin_lock(&vmpr->sr_lock).
    
    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=88051
    
    [akpm@linux-foundation.org: neaten]
    Reported-by: ji_ang <ji_ang@163.com>
    Cc: Anton Vorontsov <anton.vorontsov@linaro.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/vmpressure.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 75f61b76c5c1fa03d7042cb531d2157efbc916d4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 2 07:26:25 2014 -0500

    change name

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 23df2bcff0e427c06e0c179ce075da882874bd1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Dec 2 07:24:49 2014 -0500

    add Hyper-V to auto-configuration

 security/Kconfig |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 1e6c100ab9c47fac6910f6515f7537c1af418a37
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 26 00:57:50 2014 -0500

    add the exclusion back

 scripts/package/mkspec |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 8e6b79472720ff1dfe7b9d35f4e3f59b0766c970
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 23:39:17 2014 -0500

    install symlinks in -devel package properly

 scripts/package/mkspec |   12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

commit 7659241863c4ea1ea2f242d612477b0b8129b4d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Nov 25 21:52:00 2014 -0500

    Give the files in the tarball used by the source rpm root.root ownership

 scripts/package/Makefile |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit f49955be88d028ba4085009eb0cb97cd6e029f34
Author: Jane Zhou <a17711@motorola.com>
Date:   Mon Nov 24 11:44:08 2014 -0800

    net/ping: handle protocol mismatching scenario
    
    ping_lookup() may return a wrong sock if sk_buff's and sock's protocols
    don't match. For example, sk_buff's protocol is ETH_P_IPV6, but sock's
    sk_family is AF_INET, in that case, if sk->sk_bound_dev_if is zero, a wrong
    sock will be returned.
    The fix is to "continue" the searching; if no matching, return NULL.
    
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
    Cc: James Morris <jmorris@namei.org>
    Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
    Cc: Patrick McHardy <kaber@trash.net>
    Cc: netdev@vger.kernel.org
    Cc: stable@vger.kernel.org
    Signed-off-by: Jane Zhou <a17711@motorola.com>
    Signed-off-by: Yiwei Zhao <gbjc64@motorola.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ping.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 0d344ddcd57db19da17c29de7cc6c5453fd92a96
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 23 14:08:10 2014 -0500

    move our make rpm chmods to %pre

 scripts/package/mkspec |   22 ++++++++++++----------
 1 files changed, 12 insertions(+), 10 deletions(-)

commit ccefed62049661f82203f3148b0272a46157b52f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 23 09:54:26 2014 -0500

    Harden network settings by default since most users won't bother
    modifying /etc/sysctl.conf.
    
    Specifically we're now setting rp_filter = 1 and accept_redirects = 0

 net/ipv4/devinet.c  |    6 ++++--
 net/ipv6/addrconf.c |    4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)

commit 6628b7f38438311d1e32260741e98f15ec4c891f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 21 21:15:53 2014 -0500

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 265b4eed05b4ca0343e029027456f61cc03751e8
Merge: e743928 f00a94f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 21 20:36:36 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/arm/mm/Kconfig
    	arch/x86/kernel/ptrace.c

commit f00a94f3442af02eaa9b322ece661b0f737e47b0
Merge: ba8491e 2dc2565
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 21 20:36:07 2014 -0500

    Update to pax-linux-3.14.25-test24.patch
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	ipc/ipc_sysctl.c
    	net/mac80211/iface.c

commit e743928f221814395e6e4092429da7eb02ed0091
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 19 17:25:18 2014 -0500

    From: Mathias Krause <minipli@googlemail.com>
    To: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>, Dmitry Kozlov <xeb@mail.ru>
    Subject: [PATCH net] pptp: fix stack info leak in pptp_getname()
    
    pptp_getname() only partially initializes the stack variable sa,
    particularly only fills the pptp part of the sa_addr union. The code
    thereby discloses 16 bytes of kernel stack memory via getsockname().
    
    Fix this by memset(0)'ing the union before.
    
    Cc: Dmitry Kozlov <xeb@mail.ru>
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    ---
    Probably material for stable, too -- v2.6.37+.

 drivers/net/ppp/pptp.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit dadd71ab3afe91d6cc047e5ba0e62b061ad5cde4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 19 08:37:05 2014 -0500

    increase amount of memory reserved for modules in server configs

 security/Kconfig |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 772a66e8b074e56f028635f7faba13b0b115b50f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Nov 15 00:23:33 2014 -0500

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0ac3998ad43e0ab6827a82e76462a1ee2694bb41
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 14 23:40:53 2014 -0500

    update size_overflow hash

 .../size_overflow_plugin/size_overflow_hash.data   |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 03daf208a508a416fb99245c6a5b4ec318f72a3a
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Nov 10 18:00:09 2014 +0100

    net: sctp: fix memory leak in auth key management
    
    A very minimal and simple user space application allocating an SCTP
    socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing
    the socket again will leak the memory containing the authentication
    key from user space:
    
    unreferenced object 0xffff8800837047c0 (size 16):
      comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
      hex dump (first 16 bytes):
        01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
        [<ffffffff811c88d8>] __kmalloc+0xe8/0x270
        [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
        [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
        [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
        [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
        [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
        [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
        [<ffffffffffffffff>] 0xffffffffffffffff
    
    This is bad because of two things: we can bring down a machine from
    user space when auth_enable=1, but also we would leave security sensitive
    keying material in memory without clearing it after use. The issue is
    that sctp_auth_create_key() already sets the refcount to 1, but after
    allocation sctp_auth_set_key() does an additional refcount on it, and
    thus leaving it around when we free the socket.
    
    Fixes: 65b07e5d0d0 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/auth.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 7b531c8418d016907ac1f8e3d9c3ddf74840e8bd
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Oct 9 22:55:33 2014 +0200

    net: sctp: fix remote memory pressure from excessive queueing
    
    This scenario is not limited to ASCONF, just taken as one
    example triggering the issue. When receiving ASCONF probes
    in the form of ...
    
      -------------- INIT[ASCONF; ASCONF_ACK] ------------->
      <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------
      ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
      [...]
      ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
    
    ... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
    ASCONFs and have increasing serial numbers, we process such
    ASCONF chunk(s) marked with !end_of_packet and !singleton,
    since we have not yet reached the SCTP packet end. SCTP does
    only do verification on a chunk by chunk basis, as an SCTP
    packet is nothing more than just a container of a stream of
    chunks which it eats up one by one.
    
    We could run into the case that we receive a packet with a
    malformed tail, above marked as trailing JUNK. All previous
    chunks are here good-formed, so the stack will eat up all
    previous chunks up to this point. In case JUNK does not fit
    into a chunk header and there are no more other chunks in
    the input queue, or in case JUNK contains a garbage chunk
    header, but the encoded chunk length would exceed the skb
    tail, or we came here from an entirely different scenario
    and the chunk has pdiscard=1 mark (without having had a flush
    point), it will happen, that we will excessively queue up
    the association's output queue (a correct final chunk may
    then turn it into a response flood when flushing the
    queue ;)): I ran a simple script with incremental ASCONF
    serial numbers and could see the server side consuming
    excessive amount of RAM [before/after: up to 2GB and more].
    
    The issue at heart is that the chunk train basically ends
    with !end_of_packet and !singleton markers and since commit
    2e3216cd54b1 ("sctp: Follow security requirement of responding
    with 1 packet") therefore preventing an output queue flush
    point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
    chunk (chunk = event_arg) even though local_cork is set,
    but its precedence has changed since then. In the normal
    case, the last chunk with end_of_packet=1 would trigger the
    queue flush to accommodate possible outgoing bundling.
    
    In the input queue, sctp_inq_pop() seems to do the right thing
    in terms of discarding invalid chunks. So, above JUNK will
    not enter the state machine and instead be released and exit
    the sctp_assoc_bh_rcv() chunk processing loop. It's simply
    the flush point being missing at loop exit. Adding a try-flush
    approach on the output queue might not work as the underlying
    infrastructure might be long gone at this point due to the
    side-effect interpreter run.
    
    One possibility, albeit a bit of a kludge, would be to defer
    invalid chunk freeing into the state machine in order to
    possibly trigger packet discards and thus indirectly a queue
    flush on error. It would surely be better to discard chunks
    as in the current, perhaps better controlled environment, but
    going back and forth, it's simply architecturally not possible.
    I tried various trailing JUNK attack cases and it seems to
    look good now.
    
    Joint work with Vlad Yasevich.
    
    Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/inqueue.c      |   33 +++++++--------------------------
 net/sctp/sm_statefuns.c |    3 +++
 2 files changed, 10 insertions(+), 26 deletions(-)

commit 56ec221082c637681fcbd0043ef7b674f558ec09
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Oct 9 22:55:32 2014 +0200

    net: sctp: fix panic on duplicate ASCONF chunks
    
    When receiving, e.g., a semi-good formed connection scan in the
    form of ...
    
      -------------- INIT[ASCONF; ASCONF_ACK] ------------->
      <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------
      ---------------- ASCONF_a; ASCONF_b ----------------->
    
    ... where ASCONF_a equals ASCONF_b chunk (at least both serials
    need to be equal), we panic an SCTP server!
    
    The problem is that good-formed ASCONF chunks that we reply with
    ASCONF_ACK chunks are cached per serial. Thus, when we receive a
    same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
    not need to process them again on the server side (that was the
    idea, also proposed in the RFC). Instead, we know it was cached
    and we just resend the cached chunk instead. So far, so good.
    
    Where things get nasty is in SCTP's side effect interpreter, that
    is, sctp_cmd_interpreter():
    
    While incoming ASCONF_a (chunk = event_arg) is being marked
    !end_of_packet and !singleton, and we have an association context,
    we do not flush the outqueue the first time after processing the
    ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
    queued up, although we set local_cork to 1. Commit 2e3216cd54b1
    changed the precedence, so that as long as we get bundled, incoming
    chunks we try possible bundling on outgoing queue as well. Before
    this commit, we would just flush the output queue.
    
    Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
    continue to process the same ASCONF_b chunk from the packet. As
    we have cached the previous ASCONF_ACK, we find it, grab it and
    do another SCTP_CMD_REPLY command on it. So, effectively, we rip
    the chunk->list pointers and requeue the same ASCONF_ACK chunk
    another time. Since we process ASCONF_b, it's correctly marked
    with end_of_packet and we enforce an uncork, and thus flush, thus
    crashing the kernel.
    
    Fix it by testing if the ASCONF_ACK is currently pending and if
    that is the case, do not requeue it. When flushing the output
    queue we may relink the chunk for preparing an outgoing packet,
    but eventually unlink it when it's copied into the skb right
    before transmission.
    
    Joint work with Vlad Yasevich.
    
    Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/sctp/sctp.h |    5 +++++
 net/sctp/associola.c    |    2 ++
 2 files changed, 7 insertions(+), 0 deletions(-)

commit a4f2f1cc9dc17af7f4e72ecb9f9b852f4f09e0c3
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Thu Oct 9 22:55:31 2014 +0200

    net: sctp: fix skb_over_panic when receiving malformed ASCONF chunks
    
    Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
    ASCONF chunk") added basic verification of ASCONF chunks, however,
    it is still possible to remotely crash a server by sending a
    special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
    
    skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
     head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
     end:0x440 dev:<NULL>
     ------------[ cut here ]------------
    kernel BUG at net/core/skbuff.c:129!
    [...]
    Call Trace:
     <IRQ>
     [<ffffffff8144fb1c>] skb_put+0x5c/0x70
     [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
     [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
     [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
     [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
     [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
     [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
     [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
     [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
     [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
     [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
     [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
     [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
     [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
     [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
     [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
     [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
     [<ffffffff81496ac5>] ip_rcv+0x275/0x350
     [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
     [<ffffffff81460588>] netif_receive_skb+0x58/0x60
    
    This can be triggered e.g., through a simple scripted nmap
    connection scan injecting the chunk after the handshake, for
    example, ...
    
      -------------- INIT[ASCONF; ASCONF_ACK] ------------->
      <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------
      ------------------ ASCONF; UNKNOWN ------------------>
    
    ... where ASCONF chunk of length 280 contains 2 parameters ...
    
      1) Add IP address parameter (param length: 16)
      2) Add/del IP address parameter (param length: 255)
    
    ... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
    Address Parameter in the ASCONF chunk is even missing, too.
    This is just an example and similarly-crafted ASCONF chunks
    could be used just as well.
    
    The ASCONF chunk passes through sctp_verify_asconf() as all
    parameters passed sanity checks, and after walking, we ended
    up successfully at the chunk end boundary, and thus may invoke
    sctp_process_asconf(). Parameter walking is done with
    WORD_ROUND() to take padding into account.
    
    In sctp_process_asconf()'s TLV processing, we may fail in
    sctp_process_asconf_param() e.g., due to removal of the IP
    address that is also the source address of the packet containing
    the ASCONF chunk, and thus we need to add all TLVs after the
    failure to our ASCONF response to remote via helper function
    sctp_add_asconf_response(), which basically invokes a
    sctp_addto_chunk() adding the error parameters to the given
    skb.
    
    When walking to the next parameter this time, we proceed
    with ...
    
      length = ntohs(asconf_param->param_hdr.length);
      asconf_param = (void *)asconf_param + length;
    
    ... instead of the WORD_ROUND()'ed length, thus resulting here
    in an off-by-one that leads to reading the follow-up garbage
    parameter length of 12336, and thus throwing an skb_over_panic
    for the reply when trying to sctp_addto_chunk() next time,
    which implicitly calls the skb_put() with that length.
    
    Fix it by using sctp_walk_params() [ which is also used in
    INIT parameter processing ] macro in the verification *and*
    in ASCONF processing: it will make sure we don't spill over,
    that we walk parameters WORD_ROUND()'ed. Moreover, we're being
    more defensive and guard against unknown parameter types and
    missized addresses.
    
    Joint work with Vlad Yasevich.
    
    Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/sctp/sm.h    |    6 +-
 net/sctp/sm_make_chunk.c |   99 +++++++++++++++++++++++++--------------------
 net/sctp/sm_statefuns.c  |   18 +-------
 3 files changed, 60 insertions(+), 63 deletions(-)
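The parameter-walk mismatch described in the commit above, as an added example in C that is not kernel code: a constructed ASCONF-shaped chunk (280 bytes, parameters of length 16 and 255) followed by the 4 junk bytes "0000" is walked once with WORD_ROUND()'ed steps and once with raw lengths, with every header and length bounds-checked in the spirit of sctp_walk_params(). The functions walk_params and run_case, the packet contents and the junk bytes are my assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code. Models the two ways of stepping through
 * SCTP TLV parameters that the commit contrasts: WORD_ROUND()'ed (what the
 * verifier and sctp_walk_params() do) versus raw length (the bug). */

#define WORD_ROUND(len) (((len) + 3u) & ~3u)   /* pad to a 4-byte boundary */
#define PARAM_HDR_LEN 4u                       /* u16 type + u16 length */

enum walk_result {
    WALK_OK = 0,            /* every header fit and the walk stopped exactly at end */
    WALK_TRUNCATED_HDR = 1, /* fewer than 4 bytes left where a header must start */
    WALK_SHORT_LEN = 2,     /* declared length smaller than the header itself */
    WALK_OVERRUN = 3,       /* declared length runs past the buffer end */
    WALK_BAD_END = 4        /* walk ended past end: trailing padding missing */
};

struct walk_stats {
    int count;            /* parameters accepted before stopping */
    size_t stop;          /* offset at which the walk stopped */
    uint16_t last_length; /* last length field read, valid or not */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Walk parameters in buf[start, end). Every header is bounds-checked before
 * it is read and every declared length before it is trusted, mirroring the
 * loop condition of sctp_walk_params(). 'round' selects padded stepping. */
static enum walk_result walk_params(const uint8_t *buf, size_t start, size_t end,
                                    bool round, struct walk_stats *st)
{
    size_t off = start;
    st->count = 0;
    st->last_length = 0;
    while (off < end) {
        st->stop = off;
        if (end - off < PARAM_HDR_LEN)
            return WALK_TRUNCATED_HDR;
        uint16_t plen = rd16(buf + off + 2);
        st->last_length = plen;
        if (plen < PARAM_HDR_LEN)
            return WALK_SHORT_LEN;
        if (plen > end - off)
            return WALK_OVERRUN;
        st->count++;
        off += round ? WORD_ROUND(plen) : plen;
    }
    st->stop = off;
    return off == end ? WALK_OK : WALK_BAD_END;
}

#define ASCONF_LEN 280u            /* chunk length quoted in the commit */
#define PKT_LEN (ASCONF_LEN + 4u)  /* plus a 4-byte junk chunk */
#define PARAMS_START 8u            /* chunk header (4) + serial number (4) */

/* Constructed packet shaped like the one described above: an ASCONF chunk
 * (type 0xC1) holding an Add IP Address parameter of length 16 and a Delete
 * IP Address parameter of length 255 (padded to 256 on the wire), followed
 * by the ASCII junk "0000". Parameter type values follow RFC 5061. */
static void build_packet(uint8_t out[PKT_LEN])
{
    memset(out, 0, PKT_LEN);
    out[0] = 0xC1;                               /* ASCONF chunk type */
    out[1] = 0x00;                               /* flags */
    wr16(out + 2, ASCONF_LEN);                   /* 4 + 4 + 16 + 256 */
    wr16(out + 4, 0); wr16(out + 6, 1);          /* serial number 1 */
    wr16(out + 8, 0xC001);  wr16(out + 10, 16);  /* Add IP Address, len 16 */
    wr16(out + 24, 0xC002); wr16(out + 26, 255); /* Delete IP Address, len 255 */
    /* out[279] is the single padding byte; 280..283 is the junk chunk */
    memcpy(out + ASCONF_LEN, "0000", 4);
}

/* Walk the constructed packet's parameters up to 'end' (280 = the ASCONF
 * chunk boundary, 284 = the whole buffer including the junk chunk). */
static enum walk_result run_case(bool round, size_t end, struct walk_stats *st)
{
    uint8_t pkt[PKT_LEN];
    build_packet(pkt);
    return walk_params(pkt, PARAMS_START, end, round, st);
}

/* Accessors that return one field each, for callers without a stats struct. */
static int case_result(bool round, size_t end) { struct walk_stats st; return (int)run_case(round, end, &st); }
static int case_count(bool round, size_t end) { struct walk_stats st; run_case(round, end, &st); return st.count; }
static size_t case_stop(bool round, size_t end) { struct walk_stats st; run_case(round, end, &st); return st.stop; }
static int case_last_len(bool round, size_t end) { struct walk_stats st; run_case(round, end, &st); return st.last_length; }

int main(void)
{
    static const char *names[] = { "ok", "truncated header", "short length", "overrun", "bad end" };
    struct walk_stats st;
    enum walk_result r = run_case(true, ASCONF_LEN, &st);
    printf("padded walk to chunk end: %s, %d params, stopped at %zu\n", names[r], st.count, st.stop);
    r = run_case(false, ASCONF_LEN, &st);   /* raw lengths land on the padding byte, 279 */
    printf("raw walk to chunk end:    %s, %d params, stopped at %zu\n", names[r], st.count, st.stop);
    r = run_case(false, PKT_LEN, &st);      /* raw walk reads the junk as a length of 12336 */
    printf("raw walk over whole skb:  %s at %zu, length field %u\n", names[r], st.stop, st.last_length);
    return 0;
}
```

The padded walk stops exactly at byte 280 with both parameters accepted; the raw walk stops at 279 and, when the junk chunk is in reach, reads the garbage length 12336 that the commit reports, which the bounds check rejects instead of handing to skb_put().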

commit a11c401062112d6d22ded5976607acec6430a704
Author: Nadav Amit <namit@cs.technion.ac.il>
Date:   Wed Sep 17 02:50:50 2014 +0300

    KVM: x86: Don't report guest userspace emulation error to userspace
    
    Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to
    user-space") disabled the reporting of L2 (nested guest) emulation failures to
    userspace due to race-condition between a vmexit and the instruction emulator.
    The same rationale applies also to userspace applications that are permitted by
    the guest OS to access MMIO area or perform PIO.
    
    This patch extends the current behavior - of injecting a #UD instead of
    reporting it to userspace - also for guest userspace code.
    
    Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/x86.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 091a885f91bab51985595e93ac92f98c151a2577
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Mon Nov 10 17:54:26 2014 +0100

    net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet
    
    An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
    in the form of:
    
      ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
    
    While the INIT chunk parameter verification dissects through many things
    in order to detect malformed input, it misses to actually check parameters
    inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
    IP address' parameter in ASCONF, which has as a subparameter an address
    parameter.
    
    So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
    or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
    and thus sctp_get_af_specific() returns NULL, too, which we then happily
    dereference unconditionally through af->from_addr_param().
    
    The trace for the log:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
    IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
    PGD 0
    Oops: 0000 [#1] SMP
    [...]
    Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
    RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
    [...]
    Call Trace:
     <IRQ>
     [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
     [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
     [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
     [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
     [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
     [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
     [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
     [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
     [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
     [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
    [...]
    
    A minimal way to address this is to check for NULL as we do on all
    other such occasions where we know sctp_get_af_specific() could
    possibly return with NULL.
    
    Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/sm_make_chunk.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 6fad41263c55af611391f0169b4a23eff19f18b0
Author: Kyle McMartin <kyle@redhat.com>
Date:   Wed Nov 12 21:07:44 2014 +0000

    arm64: __clear_user: handle exceptions on strb
    
    ARM64 currently doesn't fix up faults on the single-byte (strb) case of
    __clear_user... which means that we can cause a nasty kernel panic as an
    ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
    i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
    
    This is a pretty obscure bug in the general case since we'll only
    __do_kernel_fault (since there's no extable entry for pc) if the
    mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
    always fault.
    
    if (!down_read_trylock(&mm->mmap_sem)) {
    	if (!user_mode(regs) && !search_exception_tables(regs->pc))
    		goto no_context;
    retry:
    	down_read(&mm->mmap_sem);
    } else {
    	/*
    	 * The above down_read_trylock() might have succeeded in which
    	 * case, we'll have missed the might_sleep() from down_read().
    	 */
    	might_sleep();
    	if (!user_mode(regs) && !search_exception_tables(regs->pc))
    		goto no_context;
    }
    
    Fix that by adding an extable entry for the strb instruction, since it
    touches user memory, similar to the other stores in __clear_user.
    
    Signed-off-by: Kyle McMartin <kyle@redhat.com>
    Reported-by: Miloš Prchlík <mprchlik@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

 arch/arm64/lib/clear_user.S |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9cf8211ba1464bf5d4e7426f1da861b0a4a052b8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Sep 5 09:09:28 2014 -0300

    [media] ttusb-dec: buffer overflow in ioctl
    
    We need to add a limit check here so we don't overflow the buffer.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

 drivers/media/usb/ttusb-dec/ttusbdecfe.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit fa669daef5d787861292d3ca513ab61b819755a7
Author: Ilya Dryomov <idryomov@redhat.com>
Date:   Thu Oct 23 00:25:22 2014 +0400

    libceph: do not crash on large auth tickets
    
    Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth
    tickets will have their buffers vmalloc'ed, which leads to the
    following crash in crypto:
    
    [   28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0
    [   28.686032] IP: [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
    [   28.686032] PGD 0
    [   28.688088] Oops: 0000 [#1] PREEMPT SMP
    [   28.688088] Modules linked in:
    [   28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305
    [   28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
    [   28.688088] Workqueue: ceph-msgr con_work
    [   28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000
    [   28.688088] RIP: 0010:[<ffffffff81392b42>]  [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
    [   28.688088] RSP: 0018:ffff8800d903f688  EFLAGS: 00010286
    [   28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0
    [   28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750
    [   28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880
    [   28.688088] R10: 18df467c72d6257b R11: 0000000000000000 R12: 0000000000000010
    [   28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000
    [   28.688088] FS:  00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
    [   28.688088] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [   28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0
    [   28.688088] Stack:
    [   28.688088]  ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32
    [   28.688088]  ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020
    [   28.688088]  ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010
    [   28.688088] Call Trace:
    [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
    [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
    [   28.688088]  [<ffffffff81395d32>] blkcipher_walk_done+0x182/0x220
    [   28.688088]  [<ffffffff813990bf>] crypto_cbc_encrypt+0x15f/0x180
    [   28.688088]  [<ffffffff81399780>] ? crypto_aes_set_key+0x30/0x30
    [   28.688088]  [<ffffffff8156c40c>] ceph_aes_encrypt2+0x29c/0x2e0
    [   28.688088]  [<ffffffff8156d2a3>] ceph_encrypt2+0x93/0xb0
    [   28.688088]  [<ffffffff8156d7da>] ceph_x_encrypt+0x4a/0x60
    [   28.688088]  [<ffffffff8155b39d>] ? ceph_buffer_new+0x5d/0xf0
    [   28.688088]  [<ffffffff8156e837>] ceph_x_build_authorizer.isra.6+0x297/0x360
    [   28.688088]  [<ffffffff8112089b>] ? kmem_cache_alloc_trace+0x11b/0x1c0
    [   28.688088]  [<ffffffff8156b496>] ? ceph_auth_create_authorizer+0x36/0x80
    [   28.688088]  [<ffffffff8156ed83>] ceph_x_create_authorizer+0x63/0xd0
    [   28.688088]  [<ffffffff8156b4b4>] ceph_auth_create_authorizer+0x54/0x80
    [   28.688088]  [<ffffffff8155f7c0>] get_authorizer+0x80/0xd0
    [   28.688088]  [<ffffffff81555a8b>] prepare_write_connect+0x18b/0x2b0
    [   28.688088]  [<ffffffff81559289>] try_read+0x1e59/0x1f10
    
    This is because we set up crypto scatterlists as if all buffers were
    kmalloc'ed.  Fix it.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
    Reviewed-by: Sage Weil <sage@redhat.com>

 net/ceph/crypto.c |  169 +++++++++++++++++++++++++++++++++++++++++------------
 1 files changed, 132 insertions(+), 37 deletions(-)

commit baea1dd8fada62efd88f982c16f6b36f80550bf6
Author: Stefan Richter <stefanr@s5r6.in-berlin.de>
Date:   Tue Nov 11 17:16:44 2014 +0100

    firewire: cdev: prevent kernel stack leaking into ioctl arguments
    
    Found by the UC-KLEE tool:  A user could supply less input to
    firewire-cdev ioctls than write- or write/read-type ioctl handlers
    expect.  The handlers used data from uninitialized kernel stack then.
    
    This could partially leak back to the user if the kernel subsequently
    generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
    which notably would contain the _u64 closure field which many of the
    ioctl argument structures contain.
    
    The fact that the handlers would act on random garbage input is a
    lesser issue since all handlers must check their input anyway.
    
    The fix simply always null-initializes the entire ioctl argument buffer
    regardless of the actual length of expected user input.  That is, a
    runtime overhead of memset(..., 40) is added to each firewire-cdev
    ioctl() call.  [Comment from Clemens Ladisch:  This part of the stack is
    most likely to be already in the cache.]
    
    Remarks:
      - There was never any leak from kernel stack to the ioctl output
        buffer itself.  IOW, it was not possible to read kernel stack by a
        read-type or write/read-type ioctl alone; the leak could at most
        happen in combination with read()ing subsequent event data.
      - The actual expected minimum user input of each ioctl from
        include/uapi/linux/firewire-cdev.h is, in bytes:
        [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
        [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
        [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
        [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
        [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.
    
    Reported-by: David Ramos <daramos@stanford.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

 drivers/firewire/core-cdev.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit 4591f1581351e751b75a7f9f0ec430250f9ee91c
Merge: df700c2 ba8491e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 14 22:45:33 2014 -0500

    Merge branch 'pax-stable2' into grsec-stable2

commit ba8491e416a8cd031d3ad3866919ce31794fc59e
Merge: 3652f45 9c3da88
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Nov 14 22:45:13 2014 -0500

    Update to pax-linux-3.14.24-test24.patch
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/ia32/ia32entry.S
    	drivers/cpufreq/intel_pstate.c

commit df700c2a8ac4058285f4fc71360c6459a024bb8a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Nov 12 18:06:32 2014 -0500

    fix a case of DMA-on-stack reported here:
    https://bugs.archlinux.org/task/42756

 drivers/staging/line6/driver.c |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

commit a047c2e789640710edb48d19250aa7685ff6f890
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 17:51:13 2014 -0500

    update mkspec to also chmod /boot, etc since we have no control over generated initrd images

 scripts/package/mkspec |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 7fd5c3e3581f7ef89630367f2058af1f1ba5c66a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 08:51:17 2014 -0500

    set directory mode to 500

 scripts/package/mkspec |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 643e95ce9570334103605ca9be92457e71819e9f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Nov 9 07:56:51 2014 -0500

    force make rpm to install sensitive files with 0400

 scripts/package/mkspec |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 50f27b2fa188be4802f1f2b06b9265475ea3ca3b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 6 19:33:59 2014 -0500

    add additional unnecessary checks

 kernel/trace/trace_syscalls.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 1f2f94f9f0cc78e25eede2bd6ab6912809055ca0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Nov 6 19:30:26 2014 -0500

    add extra unnecessary checks

 kernel/trace/trace_syscalls.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit cb63bd284a9820a0bd573394efdeca5b72bfc4f6
Author: Rabin Vincent <rabin@rab.in>
Date:   Wed Oct 29 23:06:58 2014 +0100

    tracing/syscalls: Ignore numbers outside NR_syscalls' range
    
    ARM has some private syscalls (for example, set_tls(2)) which lie
    outside the range of NR_syscalls.  If any of these are called while
    syscall tracing is being performed, out-of-bounds array access will
    occur in the ftrace and perf sys_{enter,exit} handlers.
    
     # trace-cmd record -e raw_syscalls:* true && trace-cmd report
     ...
     true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
     true-653   [000]   384.675812: sys_exit:             NR 192 = 1995915264
     true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
     true-653   [000]   384.675988: sys_exit:             NR 983045 = 0
     ...
    
     # trace-cmd record -e syscalls:* true
     [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace
     [   17.289590] pgd = 9e71c000
     [   17.289696] [aaaaaace] *pgd=00000000
     [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
     [   17.290169] Modules linked in:
     [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
     [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
     [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
     [   17.290866] LR is at syscall_trace_enter+0x124/0x184
    
    Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
    
    Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
    added the check for less than zero, but it should have also checked
    for greater than NR_syscalls.
    
    Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
    
    Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
    Cc: stable@vger.kernel.org # 2.6.33+
    Signed-off-by: Rabin Vincent <rabin@rab.in>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/trace_syscalls.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit f52e064edf27b37e4f266d532d35f0c8e3aa93d0
Author: Ilya Dryomov <idryomov@redhat.com>
Date:   Fri Oct 10 16:39:05 2014 +0400

    libceph: ceph-msgr workqueue needs a resque worker
    
    commit f9865f06f7f18c6661c88d0511f05c48612319cc upstream.
    
    Commit f363e45fd118 ("net/ceph: make ceph_msgr_wq non-reentrant")
    effectively removed WQ_MEM_RECLAIM flag from ceph_msgr_wq.  This is
    wrong - libceph is very much a memory reclaim path, so restore it.
    
    Cc: stable@vger.kernel.org # needs backporting for < 3.12
    Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
    Tested-by: Micha Krause <micha@krausam.de>
    Reviewed-by: Sage Weil <sage@redhat.com>
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>

 net/ceph/messenger.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 8de6eddbbc742d5d161ef356d53699a8273e17ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 19:03:01 2014 -0400

    Backport fix for dcache lockup reported here:
    https://lkml.org/lkml/2014/10/25/179

 fs/dcache.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c893071245167b1083948d5f60c454e2a289a0f0
Author: Jan Kara <jack@suse.cz>
Date:   Wed Oct 29 14:50:44 2014 -0700

    lib/bitmap.c: fix undefined shift in __bitmap_shift_{left|right}()
    
    If __bitmap_shift_left() or __bitmap_shift_right() are asked to shift by
    a multiple of BITS_PER_LONG, they will try to shift a long value by
    BITS_PER_LONG bits which is undefined.  Change the functions to avoid
    the undefined shift.
    
    Coverity id: 1192175
    Coverity id: 1192174
    Signed-off-by: Jan Kara <jack@suse.cz>
    Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 lib/bitmap.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
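
An added example of the shift logic the commit corrects (written for this log, not the kernel's lib/bitmap.c): the word-aligned case (shift % BITS_PER_LONG == 0) is treated as a pure word move so no word is ever shifted by BITS_PER_LONG, and a shift of at least nbits, which the kernel helper leaves to its callers, clears the whole map.

```c
#include <limits.h>
#include <string.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(nbits) (((nbits) + BITS_PER_LONG - 1) / BITS_PER_LONG)
/* Mask of the valid bits in the last word of an nbits-wide bitmap. */
#define BITMAP_LAST_WORD_MASK(nbits) \
    (~0UL >> (-(unsigned long)(nbits) & (BITS_PER_LONG - 1)))

/* dst = src >> shift over an nbits-wide bitmap (bit 0 is the lowest bit of
 * word 0).  Every single-word shift below is by a value in [0, BITS_PER_LONG). */
void bitmap_shift_right(unsigned long *dst, const unsigned long *src,
                        unsigned shift, unsigned nbits)
{
    unsigned k, lim = BITS_TO_LONGS(nbits);
    unsigned off = shift / BITS_PER_LONG, rem = shift % BITS_PER_LONG;
    unsigned long mask = BITMAP_LAST_WORD_MASK(nbits);

    if (off >= lim) {                       /* everything shifted out */
        memset(dst, 0, lim * sizeof(unsigned long));
        return;
    }
    for (k = 0; off + k < lim; ++k) {
        unsigned long upper, lower;

        /* The low rem bits of the next word become the top rem bits of
         * dst[k]; with rem == 0 there is nothing to borrow and no shift. */
        if (!rem || off + k + 1 >= lim) {
            upper = 0;
        } else {
            upper = src[off + k + 1];
            if (off + k + 1 == lim - 1)
                upper &= mask;
            upper <<= BITS_PER_LONG - rem;  /* 1..BITS_PER_LONG-1: defined */
        }
        lower = src[off + k];
        if (off + k == lim - 1)
            lower &= mask;
        lower >>= rem;                      /* 0..BITS_PER_LONG-1: defined */
        dst[k] = lower | upper;
    }
    if (off)
        memset(&dst[lim - off], 0, off * sizeof(unsigned long));
}

/* Position of the lowest set bit, or -1 when the map is empty. */
int bitmap_first_set(const unsigned long *map, unsigned nbits)
{
    for (unsigned i = 0; i < nbits; ++i)
        if ((map[i / BITS_PER_LONG] >> (i % BITS_PER_LONG)) & 1UL)
            return (int)i;
    return -1;
}

/* Constructed check: a two-word map with only bit (BITS_PER_LONG + 4) set,
 * shifted right by `shift`; returns where that bit lands, -1 if it is gone. */
int shift_demo(unsigned shift)
{
    unsigned nbits = 2 * BITS_PER_LONG;
    unsigned long src[2] = { 0, 1UL << 4 }, dst[2];

    bitmap_shift_right(dst, src, shift, nbits);
    return bitmap_first_set(dst, nbits);
}
```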

commit bae59188d4d1549ccc18dac3a4f9d96b1dc4e2d7
Author: Richard Weinberger <richard@nod.at>
Date:   Wed Oct 29 14:50:53 2014 -0700

    ocfs2: fix d_splice_alias() return code checking
    
    d_splice_alias() can return a valid dentry, NULL or an ERR_PTR.
    Currently the code checks not for ERR_PTR and will cause an oops in
    ocfs2_dentry_attach_lock().  Fix this by using IS_ERR_OR_NULL().
    
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Cc: Mark Fasheh <mfasheh@suse.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/ocfs2/namei.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d07c65450b9a5819d07eb580c8c9353aa44edfdb
Merge: 0fa213c 3652f45
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 19:22:10 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/sparc/include/asm/oplib_64.h
    	arch/sparc/include/asm/setup.h
    	arch/sparc/kernel/entry.h
    	mm/slab_common.c

commit 3652f45ed66a7fdb07ab1fe3d1bb58bae6129458
Merge: e9f5f28 cd2c538
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 19:18:48 2014 -0400

    Update to pax-linux-3.14.23-test24.patch:
    - added pax_sanitize_slab=full mode, by Mathias Krause <minipli@googlemail.com>
    - fixed pax_sanitize_slab breakage on SLAB_DESTROY_BY_RCU slabs, by Mathias Krause <minipli@googlemail.com>
      - this should fix several reports:
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4020
        - https://forums.grsecurity.net/viewtopic.php?f=3&t=4037
        - https://forums.grsecurity.net/viewtopic.php?f=1&t=4071
    - updated size overflow hash table
    - fixed REFCOUNT/arm for THUMB2, reported by Michael Tremer
    - backported ce9ec37bddb633404a0c23e1acb181a264e7f7f2 from vanilla, hopefully it'll fix the UDEREF/PCID related crashes reported since 3.15+
    - removed an unnecessary set_memory_rw in the x86 bpf jit
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/sparc/include/asm/pgalloc_64.h
    	arch/sparc/include/asm/thread_info_64.h

commit 0fa213cce614ad25a79acbd06f37f1e9022134d9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Oct 31 17:29:20 2014 -0400

    From: Mathias Krause <minipli@googlemail.com>
    To: PaX Team <pageexec@freemail.hu>
    Cc: Brad Spengler <spender@grsecurity.net>, Mathias Krause
            <minipli@googlemail.com>
    Subject: [PATCH] pax: don't sanitize RCU slab caches
    
    We cannot sanitize SLAB_DESTROY_BY_RCU slab caches in kmem_cache_free()
    as there might be readers in this RCU period, wanting to access the
    object.
    
    Fix this, for now, by marking those with SLAB_NO_SANITIZE. Hopefully we
    can have a real fix later on. But this should fix the RCU stalls and
    netfilter conntrack related problems.
    
    This patch should go on top of the previous patch.
    
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    
    Conflicts:
    
    	mm/slab_common.c

 mm/slab_common.c |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

commit a8ee169c76b4fab6f6adf4ebd56b4dee23b0b4f5
Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Date:   Fri Oct 17 22:55:59 2014 +0200

    kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
    
    The third parameter of kvm_unpin_pages() when called from
    kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
    and not the page size.
    
    This error was facilitated with an inconsistent API: kvm_pin_pages() takes
    a size, but kvm_unpin_pages() takes a number of pages, so fix the problem
    by matching the two.
    
    This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
    of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
    un-pinning for pages intended to be un-pinned (i.e. memory leak) but
    unfortunately potentially aggravated the number of pages we un-pin that
    should have stayed pinned. As far as I understand though, the same
    practical mitigations apply.
    
    This issue was found during review of Red Hat 6.6 patches to prepare
    Ksplice rebootless updates.
    
    Thanks to Vegard for his time on a late Friday evening to help me in
    understanding this code.
    
    Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
    Cc: stable@vger.kernel.org
    Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
    Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 virt/kvm/iommu.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

commit 0eee7e7448e396c762d91984b588d017becbb09d
Author: David S. Miller <davem@davemloft.net>
Date:   Thu Oct 23 12:58:13 2014 -0700

    sparc64: Fix register corruption in top-most kernel stack frame during boot.
    
    Meelis Roos reported that kernels built with gcc-4.9 do not boot, we
    eventually narrowed this down to only impacting machines using
    UltraSPARC-III and derivative cpus.
    
    The crash happens right when the first user process is spawned:
    
    [   54.451346] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
    [   54.451346]
    [   54.571516] CPU: 1 PID: 1 Comm: init Not tainted 3.16.0-rc2-00211-gd7933ab #96
    [   54.666431] Call Trace:
    [   54.698453]  [0000000000762f8c] panic+0xb0/0x224
    [   54.759071]  [000000000045cf68] do_exit+0x948/0x960
    [   54.823123]  [000000000042cbc0] fault_in_user_windows+0xe0/0x100
    [   54.902036]  [0000000000404ad0] __handle_user_windows+0x0/0x10
    [   54.978662] Press Stop-A (L1-A) to return to the boot prom
    [   55.050713] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000004
    
    Further investigation showed that compiling only per_cpu_patch() with
    an older compiler fixes the boot.
    
    Detailed analysis showed that the function is not being miscompiled by
    gcc-4.9, but it is using a different register allocation ordering.
    
    With the gcc-4.9 compiled function, something during the code patching
    causes some of the %i* input registers to get corrupted.  Perhaps
    we have a TLB miss path into the firmware that is deep enough to
    cause a register window spill and subsequent restore when we get
    back from the TLB miss trap.
    
    Let's plug this up by doing two things:
    
    1) Stop using the firmware stack for client interface calls into
       the firmware.  Just use the kernel's stack.
    
    2) As soon as we can, call into a new function "start_early_boot()"
       to put a one-register-window buffer between the firmware's
       deepest stack frame and the top-most initial kernel one.
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Tested-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	arch/sparc/include/asm/oplib_64.h
    	arch/sparc/include/asm/setup.h
    	arch/sparc/kernel/entry.h

 arch/sparc/include/asm/oplib_64.h |    3 +-
 arch/sparc/include/asm/setup.h    |    4 +++
 arch/sparc/kernel/entry.h         |   11 +++------
 arch/sparc/kernel/head_64.S       |   40 +++---------------------------------
 arch/sparc/kernel/hvtramp.S       |    1 -
 arch/sparc/kernel/setup_64.c      |   28 ++++++++++++++++++-------
 arch/sparc/kernel/trampoline_64.S |   12 ++++++----
 arch/sparc/prom/cif.S             |    5 +--
 arch/sparc/prom/init_64.c         |    6 ++--
 arch/sparc/prom/p1275.c           |    2 -
 10 files changed, 46 insertions(+), 66 deletions(-)

commit e097432d404243fff21a5fc7e1b0fae16ac8d494
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Oct 24 09:59:02 2014 -0700

    sparc64: Implement __get_user_pages_fast().
    
    It is not sufficient to only implement get_user_pages_fast(), you
    must also implement the atomic version __get_user_pages_fast()
    otherwise you end up using the weak symbol fallback implementation
    which simply returns zero.
    
    This is dangerous, because it causes the futex code to loop forever
    if transparent hugepages are supported (see get_futex_key()).
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/gup.c |   30 ++++++++++++++++++++++++++++++
 1 files changed, 30 insertions(+), 0 deletions(-)

commit 7b1ebc6b0c9ab5ffe46742ab8b5eecfe8f1d7945
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 18:01:34 2014 -0600

    x86, intel-mid: Remove "weak" from function declarations
    
    For the following interfaces:
    
      get_penwell_ops()
      get_cloverview_ops()
      get_tangier_ops()
    
    there is only one implementation, so they do not need to be marked "weak".
    
    Remove the "weak" attribute from their declarations.
    
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Ingo Molnar <mingo@kernel.org>
    CC: David Cohen <david.a.cohen@linux.intel.com>
    CC: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
    CC: x86@kernel.org
    Conflicts:
    
    	arch/x86/platform/intel-mid/intel_mid_weak_decls.h

 arch/x86/platform/intel-mid/intel_mid_weak_decls.h |    7 +++----
 arch/x86/platform/intel-mid/mfld.c                 |    4 ++--
 arch/x86/platform/intel-mid/mrfl.c                 |    2 +-
 3 files changed, 6 insertions(+), 7 deletions(-)

commit 6c7d2283a0b891e3798d628ba23869e87d2df378
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 18:59:09 2014 -0600

    clocksource: Remove "weak" from clocksource_default_clock() declaration
    
    kernel/time/jiffies.c provides a default clocksource_default_clock()
    definition explicitly marked "weak".  arch/s390 provides its own definition
    intended to override the default, but the "weak" attribute on the
    declaration applied to the s390 definition as well, so the linker chose one
    based on link order (see 10629d711ed7 ("PCI: Remove __weak annotation from
    pcibios_get_phb_of_node decl")).
    
    Remove the "weak" attribute from the clocksource_default_clock()
    declaration so we always prefer a non-weak definition over the weak one,
    independent of link order.
    
    Fixes: f1b82746c1e9 ("clocksource: Cleanup clocksource selection")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: John Stultz <john.stultz@linaro.org>
    Acked-by: Ingo Molnar <mingo@kernel.org>
    CC: Daniel Lezcano <daniel.lezcano@linaro.org>
    CC: Martin Schwidefsky <schwidefsky@de.ibm.com>

 include/linux/clocksource.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 94d5fc2f833615221953713c50482de19add9cd6
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 18:59:41 2014 -0600

    vmcore: Remove "weak" from function declarations
    
    For the following functions:
    
      elfcorehdr_alloc()
      elfcorehdr_free()
      elfcorehdr_read()
      elfcorehdr_read_notes()
      remap_oldmem_pfn_range()
    
    fs/proc/vmcore.c provides default definitions explicitly marked "weak".
    arch/s390 provides its own definitions intended to override the default
    ones, but the "weak" attribute on the declarations applied to the s390
    definitions as well, so the linker chose one based on link order (see
    10629d711ed7 ("PCI: Remove __weak annotation from pcibios_get_phb_of_node
    decl")).
    
    Remove the "weak" attribute from the declarations so we always prefer a
    non-weak definition over the weak one, independent of link order.
    
    Fixes: be8a8d069e50 ("vmcore: introduce ELF header in new memory feature")
    Fixes: 9cb218131de1 ("vmcore: introduce remap_oldmem_pfn_range()")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Andrew Morton <akpm@linux-foundation.org>
    Acked-by: Vivek Goyal <vgoyal@redhat.com>
    CC: Michael Holzheu <holzheu@linux.vnet.ibm.com>

 include/linux/crash_dump.h |   15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

commit a69ac3a59aee2e75db96470f1c9053e0952998b6
Author: Vineet Gupta <vgupta@synopsys.com>
Date:   Mon Oct 20 10:17:04 2014 -0600

    ARC: kgdb: generic kgdb_arch_pc() suffices
    
    The ARC version of kgdb_arch_pc() is identical to the generic version in
    kernel/debug/debug_core.c.  Drop the ARC version so we use the generic one.
    
    Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>

 arch/arc/kernel/kgdb.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

commit 21560a63031fe5d22c71cae090cf92fdfc6dc273
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 19:00:25 2014 -0600

    kgdb: Remove "weak" from kgdb_arch_pc() declaration
    
    kernel/debug/debug_core.c provides a default kgdb_arch_pc() definition
    explicitly marked "weak".  Several architectures provide their own
    definitions intended to override the default, but the "weak" attribute on
    the declaration applied to the arch definitions as well, so the linker
    chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak
    annotation from pcibios_get_phb_of_node decl")).
    
    Remove the "weak" attribute from the declaration so we always prefer a
    non-weak definition over the weak one, independent of link order.
    
    Fixes: 688b744d8bc8 ("kgdb: fix signedness mixmatches, add statics, add declaration to header")
    Tested-by: Vineet Gupta <vgupta@synopsys.com>	# for ARC build
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Harvey Harrison <harvey.harrison@gmail.com>

 include/linux/kgdb.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ddc947af9fabf397a2cf742123f64bf78028e9dc
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Mon Oct 13 19:00:47 2014 -0600

    memory-hotplug: Remove "weak" from memory_block_size_bytes() declaration
    
    drivers/base/memory.c provides a default memory_block_size_bytes()
    definition explicitly marked "weak".  Several architectures provide their
    own definitions intended to override the default, but the "weak" attribute
    on the declaration applied to the arch definitions as well, so the linker
    chose one based on link order (see 10629d711ed7 ("PCI: Remove __weak
    annotation from pcibios_get_phb_of_node decl")).
    
    Remove the "weak" attribute from the declaration so we always prefer a
    non-weak definition over the weak one, independent of link order.
    
    Fixes: 41f107266b19 ("drivers: base: Add prototype declaration to the header file")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Andrew Morton <akpm@linux-foundation.org>
    CC: Rashika Kheria <rashika.kheria@gmail.com>
    CC: Nathan Fontenot <nfont@austin.ibm.com>
    CC: Anton Blanchard <anton@au1.ibm.com>
    CC: Heiko Carstens <heiko.carstens@de.ibm.com>
    CC: Yinghai Lu <yinghai@kernel.org>

 include/linux/memory.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d2c7990f8f104ba878e2000efa2be6df3e74ceed
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Sun Sep 7 23:23:38 2014 +0200

    crypto: memzero_explicit - make sure to clear out sensitive data
    
    Recently, in commit 13aa93c70e71 ("random: add and use memzero_explicit()
    for clearing data"), we have found that GCC may optimize some memset()
    cases away when it detects a stack variable is not being used anymore
    and going out of scope. This can happen, for example, in cases when we
    are clearing out sensitive information such as keying material or any
    e.g. intermediate results from crypto computations, etc.
    
    With the help of Coccinelle, we can figure out and fix such occurrences
    in the crypto subsystem as well. Julia Lawall provided the following
    Coccinelle program:
    
      @@
      type T;
      identifier x;
      @@
    
      T x;
      ... when exists
          when any
      -memset
      +memzero_explicit
         (&x,
      -0,
         ...)
      ... when != x
          when strict
    
      @@
      type T;
      identifier x;
      @@
    
      T x[...];
      ... when exists
          when any
      -memset
      +memzero_explicit
         (x,
      -0,
         ...)
      ... when != x
          when strict
    
    Therefore, make use of the drop-in replacement memzero_explicit() for
    exactly such cases instead of using memset().
    
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Cc: Julia Lawall <julia.lawall@lip6.fr>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>

 crypto/cts.c            |    3 ++-
 crypto/sha1_generic.c   |    2 +-
 crypto/sha256_generic.c |    5 ++---
 crypto/sha512_generic.c |    2 +-
 crypto/tgr192.c         |    4 ++--
 crypto/vmac.c           |    2 +-
 crypto/wp512.c          |    8 ++++----
 7 files changed, 13 insertions(+), 13 deletions(-)

commit 9834d21f9fb72e5eabbfc5290261987ae21133af
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Aug 26 23:16:35 2014 -0400

    random: add and use memzero_explicit() for clearing data
    
    zatimend has reported that in his environment (3.16/gcc4.8.3/corei7)
    memset() calls which clear out sensitive data in extract_{buf,entropy,
    entropy_user}() in random driver are being optimized away by gcc.
    
    Add a helper memzero_explicit() (similarly as explicit_bzero() variants)
    that can be used in such cases where a variable with sensitive data is
    being cleared out in the end. Other use cases might also be in crypto
    code. [ I have put this into lib/string.c though, as it's always built-in
    and doesn't need any dependencies then. ]
    
    Fixes kernel bugzilla: 82041
    
    Reported-by: zatimend@hotmail.co.uk
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Alexey Dobriyan <adobriyan@gmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org
    
    Conflicts:
    
    	drivers/char/random.c

 drivers/char/random.c  |   10 +++++-----
 include/linux/string.h |    5 +++--
 lib/string.c           |   16 ++++++++++++++++
 3 files changed, 24 insertions(+), 7 deletions(-)
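
An added user-space rendering of the helper introduced above and used by the crypto commit before it (example code, not the kernel's lib/string.c): the kernel hides the pointer with OPTIMIZER_HIDE_VAR(); the asm statement below is the equivalent GCC/Clang idiom, and the key-derivation caller is a constructed stand-in.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* memset() followed by an optimizer barrier that claims to read the memory
 * behind `s`.  Without the barrier the compiler may drop the memset as a
 * dead store when `s` is a local that is about to go out of scope. */
void memzero_explicit(void *s, size_t count)
{
    memset(s, 0, count);
    __asm__ __volatile__("" : : "r"(s) : "memory");
}

/* Constructed caller: key material is copied into a stack scratch area,
 * folded into one byte, and the scratch area is wiped before returning.
 * A plain memset() at the wipe point is exactly the store GCC may elide. */
uint8_t derive_and_wipe(const uint8_t *secret, size_t len)
{
    uint8_t scratch[64];
    uint8_t acc = 0;
    size_t n = len < sizeof(scratch) ? len : sizeof(scratch);

    memcpy(scratch, secret, n);                 /* sensitive intermediate state */
    for (size_t i = 0; i < n; ++i)
        acc ^= scratch[i];
    memzero_explicit(scratch, sizeof(scratch)); /* survives dead-store elimination */
    return acc;
}

/* Number of non-zero bytes in a buffer. */
size_t count_nonzero(const uint8_t *p, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; ++i)
        c += p[i] != 0;
    return c;
}

/* Constructed check that the helper clears a live buffer completely. */
size_t wipe_demo(void)
{
    uint8_t key[32];
    for (size_t i = 0; i < sizeof(key); ++i)
        key[i] = (uint8_t)(i * 7 + 1);          /* never zero */
    memzero_explicit(key, sizeof(key));
    return count_nonzero(key, sizeof(key));
}
```

Whether the plain memset() would have been dropped is compiler- and flag-dependent, which is why the explicit barrier form is used regardless.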

commit 26b683871a4b2dafca09f16efd38101a5d97abba
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Wed Oct 22 17:09:53 2014 +0800

    xfrm6: fix a potential use after free in xfrm6_policy.c
    
    pskb_may_pull() may change skb->data and make the nh and exthdr pointers
    obsolete, so recompute nh and exthdr
    
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/xfrm6_policy.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

commit 9f9123ab40959f0c63f267a46016c6d0fa823c2f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Oct 23 19:20:18 2014 -0400

    allow print_bad_pte to display symbols

 mm/memory.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a6f917db2aff6f1156220d766c3de2933261c2c1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 18:36:16 2014 -0400

    Remove argument from gr_update_task_in_ip_table, as it's always called with 'current'
    
    Conflicts:
    
    	net/ipv4/inet_hashtables.c

 grsecurity/grsec_sock.c    |    4 ++--
 net/ipv4/inet_hashtables.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 481cc2a6877c249b8d32ae06575cb5ee05290d77
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 22 18:19:01 2014 -0400

    hold sighand lock while accessing ->signal

 fs/proc/array.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

commit e9ed2200c5e7567760874558d80e6e4ae9a7ce3d
Author: David S. Miller <davem@davemloft.net>
Date:   Sat Oct 18 23:12:33 2014 -0400

    sparc64: Do not define thread fpregs save area as zero-length array.
    
    This breaks the stack end corruption detection facility.
    
    What that facility does is write a magic value to "end_of_stack()"
    and checking to see if it gets overwritten.
    
    "end_of_stack()" is "task_thread_info(p) + 1", which for sparc64 is
    the beginning of the FPU register save area.
    
    So once the user uses the FPU, the magic value is overwritten and the
    debug checks trigger.
    
    Fix this by making the size explicit.
    
    Due to the size we use for the fpsaved[], gsr[], and xfsr[] arrays we
    are limited to 7 levels of FPU state saves.  So each FPU register set
    is 256 bytes, allocate 256 * 7 for the fpregs area.
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	arch/sparc/include/asm/thread_info_64.h

 arch/sparc/include/asm/thread_info_64.h |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit a53c7c430b42d3421bd690f6c03be8762b3bfb61
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed Oct 8 09:02:13 2014 -0700

    x86,kvm,vmx: Preserve CR4 across VM entry
    
    CR4 isn't constant; at least the TSD and PCE bits can vary.
    
    TBH, treating CR0 and CR3 as constant scares me a bit, too, but it looks
    like it's correct.
    
    This adds a branch and a read from cr4 to each vm entry.  Because it is
    extremely likely that consecutive entries into the same vcpu will have
    the same host cr4 value, this fixes up the vmcs instead of restoring cr4
    after the fact.  A subsequent patch will add a kernel-wide cr4 shadow,
    reducing the overhead in the common case to just two memory reads and a
    branch.
    
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Paolo Bonzini <pbonzini@redhat.com>
    Cc: stable@vger.kernel.org
    Cc: Petr Matousek <pmatouse@redhat.com>
    Cc: Gleb Natapov <gleb@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	arch/x86/kvm/vmx.c

 arch/x86/kvm/vmx.c |   17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

commit 8b1486f8b3aacbb608191fabc14bef795313fb38
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Sat Oct 18 17:33:38 2014 +0800

    ipv6: fix a potential use after free in sit.c
    
    pskb_may_pull() may change skb->data and make the iph pointer obsolete;
    fix it by getting the IP header length directly.
    
    Fixes: ca15a078 (sit: generate icmpv6 error when receiving icmpv4 error)
    Cc: Oussama Ghorbel <ghorbel@pivasoftware.com>
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/sit.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 83b88f60683ae645a157f8b4c04bc4e09c0f5239
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Sat Oct 18 17:27:42 2014 +0800

    ipv6: fix a potential use after free in ip6_offload.c
    
    pskb_may_pull() may change skb->data and make the opth pointer obsolete,
    so set opth again
    
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/ip6_offload.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ae7d1526b53bf64ba1bf54ad6b598b26cade2afd
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Sat Oct 18 17:26:04 2014 +0800

    ipv4: fix a potential use after free in gre_offload.c
    
    pskb_may_pull() may change skb->data and make the greh pointer obsolete,
    so greh needs to be reassigned;
    but since the first call to pskb_may_pull() already ensured that skb->data
    has enough space for greh, move the reference to greh before the second
    call to pskb_may_pull(), to avoid reassigning greh.
    
    Fixes: 7a7ffbabf9("ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC")
    Cc: Wei-Chun Chao <weichunc@plumgrid.com>
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/gre_offload.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
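
An added example of the pattern behind the three pskb_may_pull() fixes above (xfrm6_policy.c, sit.c, ip6_offload.c and gre_offload.c), written for this log and not taken from the network stack: `struct pkt` and `may_pull()` are constructed stand-ins for sk_buff and pskb_may_pull(), the header format is invented, and the parser shows the safe form, where every pointer into the linear area is recomputed after a pull that may have moved it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an sk_buff: `data` is the linear area the
 * parser reads; `frag` holds bytes not yet pulled into it. */
struct pkt {
    uint8_t *data;          /* skb->data */
    size_t len;             /* bytes currently in the linear area */
    const uint8_t *frag;
    size_t frag_len;
};

/* Models pskb_may_pull(): guarantees `need` linear bytes.  When bytes have
 * to be pulled in, the linear area is reallocated, so every pointer derived
 * from the old `data` is stale afterwards.  Returns 1 on success, 0 if the
 * packet is too short. */
int may_pull(struct pkt *p, size_t need)
{
    if (need <= p->len)
        return 1;
    if (need > p->len + p->frag_len)
        return 0;
    size_t pulled = need - p->len;
    uint8_t *fresh = malloc(need);
    if (!fresh)
        return 0;
    memcpy(fresh, p->data, p->len);
    memcpy(fresh + p->len, p->frag, pulled);
    free(p->data);                          /* the old skb->data is gone */
    p->data = fresh;
    p->len = need;
    p->frag += pulled;
    p->frag_len -= pulled;
    return 1;
}

/* Constructed header: type byte 0x2a, total length byte, then `hlen - 2`
 * option bytes.  Returns the XOR of the option bytes, or -1 on a bad packet. */
int parse_options(struct pkt *p)
{
    if (!may_pull(p, 2))
        return -1;
    const uint8_t *hdr = p->data;           /* valid only until the next pull */
    if (hdr[0] != 0x2a)
        return -1;
    size_t hlen = hdr[1];
    if (hlen < 2 || !may_pull(p, hlen))
        return -1;
    hdr = p->data;                          /* the fix: recompute after pulling */
    int acc = 0;
    for (size_t i = 2; i < hlen; ++i)
        acc ^= hdr[i];
    return acc;
}

/* Constructed packet, truncated to `wire_len` bytes and split so that only
 * the first two bytes are linear: the second pull must relocate the data. */
int parse_demo(size_t wire_len)
{
    static const uint8_t wire[] = { 0x2a, 6, 0x10, 0x20, 0x40, 0x80 };
    struct pkt p;

    if (wire_len < 2 || wire_len > sizeof(wire))
        return -1;
    p.data = malloc(2);
    if (!p.data)
        return -1;
    memcpy(p.data, wire, 2);
    p.len = 2;
    p.frag = wire + 2;
    p.frag_len = wire_len - 2;
    int r = parse_options(&p);
    free(p.data);
    return r;
}
```

Had `hdr` been kept across the second may_pull(), the option loop would read through the freed first allocation, which is the use-after-free the four commits close.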

commit beaad463714e08a463dabcf86f582583c5ee7bb3
Author: Catalin Marinas <catalin.marinas@arm.com>
Date:   Fri Oct 17 17:38:49 2014 +0100

    futex: Ensure get_futex_key_refs() always implies a barrier
    
    Commit b0c29f79ecea (futexes: Avoid taking the hb->lock if there's
    nothing to wake up) changes the futex code to avoid taking a lock when
    there are no waiters. This code has been subsequently fixed in commit
    11d4616bd07f (futex: revert back to the explicit waiter counting code).
    Both the original commit and the fix-up rely on get_futex_key_refs() to
    always imply a barrier.
    
    However, for private futexes, none of the cases in the switch statement
    of get_futex_key_refs() would be hit and the function completes without
    a memory barrier as required before checking the "waiters" in
    futex_wake() -> hb_waiters_pending(). The consequence is a race with a
    thread waiting on a futex on another CPU, allowing the waker thread to
    read "waiters == 0" while the waiter thread to have read "futex_val ==
    locked" (in kernel).
    
    Without this fix, the problem (user space deadlocks) can be seen with
    Android bionic's mutex implementation on an arm64 multi-cluster system.
    
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Reported-by: Matteo Franchin <Matteo.Franchin@arm.com>
    Fixes: b0c29f79ecea (futexes: Avoid taking the hb->lock if there's nothing to wake up)
    Acked-by: Davidlohr Bueso <dave@stgolabs.net>
    Tested-by: Mike Galbraith <umgwanakikbuti@gmail.com>
    Cc: <stable@vger.kernel.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/futex.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 94392b10cc2163524db9fc23818e3dbf8dc6d342
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Mon Oct 6 16:32:52 2014 -0400

    selinux: fix inode security list corruption
    
    sb_finish_set_opts() can race with inode_free_security()
    when initializing inode security structures for inodes
    created prior to initial policy load or by the filesystem
    during ->mount().   This appears to have always been
    a possible race, but commit 3dc91d4 ("SELinux:  Fix possible
    NULL pointer dereference in selinux_inode_permission()")
    made it more evident by immediately reusing the unioned
    list/rcu element  of the inode security structure for call_rcu()
    upon an inode_free_security().  But the underlying issue
    was already present before that commit as a possible use-after-free
    of isec.
    
    Shivnandan Kumar reported the list corruption and proposed
    a patch to split the list and rcu elements out of the union
    as separate fields of the inode_security_struct so that setting
    the rcu element would not affect the list element.  However,
    this would merely hide the issue and not truly fix the code.
    
    This patch instead moves up the deletion of the list entry
    prior to dropping the sbsec->isec_lock initially.  Then,
    if the inode is dropped subsequently, there will be no further
    references to the isec.
    
    Reported-by: Shivnandan Kumar <shivnandan.k@samsung.com>
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <pmoore@redhat.com>

 security/selinux/hooks.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 89d00d19e034483a9dc7aac60aa6138dbea89f0f
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Oct 17 12:45:55 2014 -0700

    bna: fix skb->truesize underestimation
    
    skb->truesize is not meant to be tracking amount of used bytes
    in an skb, but amount of reserved/consumed bytes in memory.
    
    For instance, if we use a single byte in last page fragment,
    we have to account the full size of the fragment.
    
    skb->truesize can be very different from skb->len, that has
    a very specific safety purpose.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Rasesh Mody <rasesh.mody@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/brocade/bna/bnad.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 5f803810e77676e082e15a4b8b02853f5bb81ea9
Author: Vasily Averin <vvs@parallels.com>
Date:   Wed Oct 15 16:24:02 2014 +0400

    ipv4: dst_entry leak in ip_send_unicast_reply()
    
    ip_setup_cork() called inside ip_append_data() steals the dst entry from rt to cork,
    and in case of errors in __ip_append_data() nobody frees the stolen dst entry
    
    Fixes: 2e77d89b2fa8 ("net: avoid a pair of dst_hold()/dst_release() in ip_append_data()")
    Signed-off-by: Vasily Averin <vvs@parallels.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_output.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit bf2469aa750b56ee64ed0543dccf1b23009c15cb
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Fri Oct 17 16:53:23 2014 +0800

    ipv4: fix a potential use after free in ip_tunnel_core.c
    
    pskb_may_pull() may change skb->data and make the eth pointer obsolete,
    so set eth after pskb_may_pull()
    
    Fixes:3d7b46cd("ip_tunnel: push generic protocol handling to ip_tunnel module")
    Cc: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Acked-by: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/ip_tunnel_core.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit e99220de78d3139f78792984e27163cd6eefa86a
Author: Emil Tantilov <emil.s.tantilov@intel.com>
Date:   Thu Oct 16 15:49:02 2014 +0000

    ixgbe: check for vfs outside of sriov_num_vfs before dereference
    
    The check for vfinfo is not sufficient because it does not protect
    against specifying vf that is outside of sriov_num_vfs range.
    All of the ndo functions have a check for it except for
    ixgbevf_ndo_set_spoofcheck().
    
    The following patch is all we need to protect against this panic:
    
    ip link set p96p1 vf 0 spoofchk off
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000052
    IP: [<ffffffffa044a1c1>]
    ixgbe_ndo_set_vf_spoofchk+0x51/0x150 [ixgbe]
    
    Reported-by: Thierry Herbelot <thierry.herbelot@6wind.com>
    Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
    Acked-by: Thierry Herbelot <thierry.herbelot@6wind.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 70321f134ddb7a65379f7cb02ef2b7ac59b55987
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Thu Oct 16 08:49:41 2014 +0800

    vxlan: fix a use after free in vxlan_encap_bypass
    
    when netif_rx() is done, the skb handled by netif_rx may be freed,
    and should not be used.
    
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/vxlan.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

commit 109c622ed75c4335cf2b69dc914fdcdc78ee2ff3
Author: Li RongQing <roy.qing.li@gmail.com>
Date:   Thu Oct 16 09:17:18 2014 +0800

    vxlan: using pskb_may_pull as early as possible
    
    pskb_may_pull should be used to check if skb->data has enough space,
    skb->len can not ensure that.
    
    Cc: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/vxlan.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)
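The four pskb_may_pull() commits above (ip6_offload, gre_offload, ip_tunnel_core and vxlan) fix the same pattern: a pointer into skb->data is taken, pskb_may_pull() is then called and may linearize (relocate) the buffer, and the stale pointer is used afterwards. The following is an added user-space illustration of that pattern and of both fix styles (copy out what you need before the pull, as gre_offload does, or re-derive the pointer after it, as ip_tunnel_core and ip6_offload do). It is not kernel code and not from any of these commits: `struct pkt`, `pkt_may_pull()`, the header layout and the sample packets are all constructed here, and the toy pull always relocates the buffer so the hazard is deterministic rather than allocator-dependent.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN   4          /* version, flags, proto (2 bytes, network order) */
#define HDR_F_KEY 0x01       /* flag: a 4-byte key follows the fixed header */

/* Constructed stand-in for an skb: only [data, data+len) is linear and
 * directly addressable; the remainder (frag) must be pulled in first. */
struct pkt {
    unsigned char *data;        /* like skb->data, heap-allocated */
    size_t len;                 /* linear bytes, like skb_headlen() */
    const unsigned char *frag;  /* non-linear remainder */
    size_t frag_len;
};

/* Build a pkt from a byte string, with the first `linear` bytes linear. */
static int pkt_init(struct pkt *p, const unsigned char *bytes, size_t n, size_t linear)
{
    if (linear > n) return 0;
    p->data = malloc(linear ? linear : 1);
    if (!p->data) return 0;
    memcpy(p->data, bytes, linear);
    p->len = linear;
    p->frag = bytes + linear;
    p->frag_len = n - linear;
    return 1;
}

static void pkt_free(struct pkt *p) { free(p->data); p->data = NULL; }

/* Make the first `need` bytes linear. Like pskb_may_pull(), this may move
 * p->data: any pointer derived from it before the call is stale afterwards.
 * Returns 1 on success, 0 if the packet is too short or allocation fails. */
static int pkt_may_pull(struct pkt *p, size_t need)
{
    if (need <= p->len) return 1;
    if (need > p->len + p->frag_len) return 0;   /* packet too short */
    size_t pull = need - p->len;
    unsigned char *n = malloc(need);
    if (!n) return 0;
    memcpy(n, p->data, p->len);
    memcpy(n + p->len, p->frag, pull);
    free(p->data);                 /* the old data pointer is now dangling */
    p->data = n;
    p->len = need;
    p->frag += pull;
    p->frag_len -= pull;
    return 1;
}

/* Parse the outer header in two pulls, as the offload paths do.
 * Returns the proto (0..65535) or -1 for a short packet; fills *key
 * when HDR_F_KEY is set. */
static int parse_outer(struct pkt *p, uint32_t *key)
{
    if (!pkt_may_pull(p, HDR_LEN))
        return -1;
    const unsigned char *h = p->data;
    /* Read everything the fixed header gives us while h is still valid
     * (the gre_offload fix: reference greh before the second pull). */
    unsigned flags = h[1];
    int proto = (h[2] << 8) | h[3];
    size_t total = HDR_LEN + ((flags & HDR_F_KEY) ? 4 : 0);
    if (!pkt_may_pull(p, total))
        return -1;
    /* h may now point at freed memory: re-derive it from p->data
     * (the ip_tunnel_core / ip6_offload fix: set the pointer again). */
    h = p->data;
    if (flags & HDR_F_KEY)
        *key = ((uint32_t)h[4] << 24) | ((uint32_t)h[5] << 16) |
               ((uint32_t)h[6] << 8) | h[7];
    return proto;
}

/* Constructed sample packets, not captured traffic. */
static const unsigned char SAMPLE_KEYED[] = {0x10, HDR_F_KEY, 0x08, 0x00, 0xDE, 0xAD, 0xBE, 0xEF};
static const unsigned char SAMPLE_PLAIN[] = {0x10, 0x00, 0x86, 0xDD};
static const unsigned char SAMPLE_SHORT[] = {0x10, HDR_F_KEY, 0x08, 0x00, 0xDE};

/* Run parse_outer on a sample whose first `linear` bytes are linear. */
static int run_sample(const unsigned char *bytes, size_t n, size_t linear, uint32_t *key)
{
    struct pkt p;
    *key = 0;
    if (!pkt_init(&p, bytes, n, linear)) return -1;
    int r = parse_outer(&p, key);
    pkt_free(&p);
    return r;
}

/* Wrappers exposing the results: both pulls relocate for SAMPLE_KEYED. */
static int keyed_proto(void) { uint32_t k; return run_sample(SAMPLE_KEYED, sizeof SAMPLE_KEYED, 2, &k); }
static uint32_t keyed_key(void) { uint32_t k; run_sample(SAMPLE_KEYED, sizeof SAMPLE_KEYED, 2, &k); return k; }
static int plain_proto(void) { uint32_t k; return run_sample(SAMPLE_PLAIN, sizeof SAMPLE_PLAIN, 3, &k); }
static int short_proto(void) { uint32_t k; return run_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT, 2, &k); }
```

The vxlan "as early as possible" commit is the other half of the same discipline: skb->len only says how many bytes the packet has in total, not how many are linear, so a length comparison cannot substitute for the pull; in this model the equivalent mistake would be checking `len + frag_len` and then reading past `len`.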

commit 2a0cedab047f3d15bfddde413e5175fb7fb0d266
Author: Yan, Zheng <zyan@redhat.com>
Date:   Tue Oct 14 15:38:01 2014 +0800

    ceph: fix divide-by-zero in __validate_layout()
    
    The 'stripe_unit' field is 64 bits; casting it to 32 bits can result in zero.
    
    Signed-off-by: Yan, Zheng <zyan@redhat.com>

 fs/ceph/ioctl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0663ddf2e569e37f4ba95358c699c510c5c90bd6
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Oct 10 04:48:18 2014 -0700

    net: fix races in page->_count manipulation
    
    It is illegal to use atomic_set(&page->_count, ...) even if we 'own'
    the page. Other entities in the kernel need to use get_page_unless_zero()
    to get a reference to the page before testing page properties, so we could
    lose a refcount increment.
    
    The only case it is valid is when page->_count is 0
    
    Fixes: 540eb7bf0bbed ("net: Update alloc frag to reduce get/put page usage and recycle pages")
    Signed-off-by: Eric Dumaze <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/skbuff.c |   25 ++++++++++++++++++-------
 1 files changed, 18 insertions(+), 7 deletions(-)

commit 049447ef0a6ad7c089ddbd105e9f181a26a22f05
Author: Prarit Bhargava <prarit@redhat.com>
Date:   Tue Oct 14 02:51:39 2014 +1030

    modules, lock around setting of MODULE_STATE_UNFORMED
    
    A panic was seen in the following situation.
    
    There are two threads running on the system. The first thread is a system
    monitoring thread that is reading /proc/modules. The second thread is
    loading and unloading a module (in this example I'm using my simple
    dummy-module.ko).  Note, in the "real world" this occurred with the qlogic
    driver module.
    
    When doing this, the following panic occurred:
    
     ------------[ cut here ]------------
     kernel BUG at kernel/module.c:3739!
     invalid opcode: 0000 [#1] SMP
     Modules linked in: binfmt_misc sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw igb gf128mul glue_helper iTCO_wdt iTCO_vendor_support ablk_helper ptp sb_edac cryptd pps_core edac_core shpchp i2c_i801 pcspkr wmi lpc_ich ioatdma mfd_core dca ipmi_si nfsd ipmi_msghandler auth_rpcgss nfs_acl lockd sunrpc xfs libcrc32c sr_mod cdrom sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm isci drm libsas ahci libahci scsi_transport_sas libata i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: dummy_module]
     CPU: 37 PID: 186343 Comm: cat Tainted: GF          O--------------   3.10.0+ #7
     Hardware name: Intel Corporation S2600CP/S2600CP, BIOS RMLSDP.86I.00.29.D696.1311111329 11/11/2013
     task: ffff8807fd2d8000 ti: ffff88080fa7c000 task.ti: ffff88080fa7c000
     RIP: 0010:[<ffffffff810d64c5>]  [<ffffffff810d64c5>] module_flags+0xb5/0xc0
     RSP: 0018:ffff88080fa7fe18  EFLAGS: 00010246
     RAX: 0000000000000003 RBX: ffffffffa03b5200 RCX: 0000000000000000
     RDX: 0000000000001000 RSI: ffff88080fa7fe38 RDI: ffffffffa03b5000
     RBP: ffff88080fa7fe28 R08: 0000000000000010 R09: 0000000000000000
     R10: 0000000000000000 R11: 000000000000000f R12: ffffffffa03b5000
     R13: ffffffffa03b5008 R14: ffffffffa03b5200 R15: ffffffffa03b5000
     FS:  00007f6ae57ef740(0000) GS:ffff88101e7a0000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 0000000000404f70 CR3: 0000000ffed48000 CR4: 00000000001407e0
     DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
     Stack:
      ffffffffa03b5200 ffff8810101e4800 ffff88080fa7fe70 ffffffff810d666c
      ffff88081e807300 000000002e0f2fbf 0000000000000000 ffff88100f257b00
      ffffffffa03b5008 ffff88080fa7ff48 ffff8810101e4800 ffff88080fa7fee0
     Call Trace:
      [<ffffffff810d666c>] m_show+0x19c/0x1e0
      [<ffffffff811e4d7e>] seq_read+0x16e/0x3b0
      [<ffffffff812281ed>] proc_reg_read+0x3d/0x80
      [<ffffffff811c0f2c>] vfs_read+0x9c/0x170
      [<ffffffff811c1a58>] SyS_read+0x58/0xb0
      [<ffffffff81605829>] system_call_fastpath+0x16/0x1b
     Code: 48 63 c2 83 c2 01 c6 04 03 29 48 63 d2 eb d9 0f 1f 80 00 00 00 00 48 63 d2 c6 04 13 2d 41 8b 0c 24 8d 50 02 83 f9 01 75 b2 eb cb <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
     RIP  [<ffffffff810d64c5>] module_flags+0xb5/0xc0
      RSP <ffff88080fa7fe18>
    
        Consider the two processes running on the system.
    
        CPU 0 (/proc/modules reader)
        CPU 1 (loading/unloading module)
    
        CPU 0 opens /proc/modules, and starts displaying data for each module by
        traversing the modules list via fs/seq_file.c:seq_open() and
        fs/seq_file.c:seq_read().  For each module in the modules list, seq_read
        does
    
                op->start()  <-- this is a pointer to m_start()
                op->show()   <- this is a pointer to m_show()
                op->stop()   <-- this is a pointer to m_stop()
    
        The m_start(), m_show(), and m_stop() module functions are defined in
        kernel/module.c. The m_start() and m_stop() functions acquire and release
        the module_mutex respectively.
    
        ie) When reading /proc/modules, the module_mutex is acquired and released
        for each module.
    
        m_show() is called with the module_mutex held.  It accesses the module
        struct data and attempts to write out module data.  It is in this code
        path that the above BUG_ON() warning is encountered, specifically m_show()
        calls
    
        static char *module_flags(struct module *mod, char *buf)
        {
                int bx = 0;
    
                BUG_ON(mod->state == MODULE_STATE_UNFORMED);
        ...
    
        The other thread, CPU 1, in unloading the module calls the syscall
        delete_module() defined in kernel/module.c.  The module_mutex is acquired
        for a short time, and then released.  free_module() is called without the
        module_mutex.  free_module() then sets mod->state = MODULE_STATE_UNFORMED,
        also without the module_mutex.  Some additional code is called and then the
        module_mutex is reacquired to remove the module from the modules list:
    
            /* Now we can delete it from the lists */
            mutex_lock(&module_mutex);
            stop_machine(__unlink_module, mod, NULL);
            mutex_unlock(&module_mutex);
    
    This is the sequence of events that leads to the panic.
    
    CPU 1 is removing dummy_module via delete_module().  It acquires the
    module_mutex, and then releases it.  CPU 1 has NOT set dummy_module->state to
    MODULE_STATE_UNFORMED yet.
    
    CPU 0, which is reading the /proc/modules, acquires the module_mutex and
    acquires a pointer to the dummy_module which is still in the modules list.
    CPU 0 calls m_show for dummy_module.  The check in m_show() for
    MODULE_STATE_UNFORMED passed for dummy_module even though it is being
    torn down.
    
    Meanwhile CPU 1, which has been continuing to remove dummy_module without
    holding the module_mutex, now calls free_module() and sets
    dummy_module->state to MODULE_STATE_UNFORMED.
    
    CPU 0 now calls module_flags() with dummy_module and ...
    
    static char *module_flags(struct module *mod, char *buf)
    {
            int bx = 0;
    
            BUG_ON(mod->state == MODULE_STATE_UNFORMED);
    
    and BOOM.
    
    Acquire and release the module_mutex lock around the setting of
    MODULE_STATE_UNFORMED in the teardown path, which should resolve the
    problem.
    
    Testing: In the unpatched kernel I can panic the system within 1 minute by
    doing
    
    while (true) do insmod dummy_module.ko; rmmod dummy_module.ko; done
    
    and
    
    while (true) do cat /proc/modules; done
    
    in separate terminals.
    
    In the patched kernel I was able to run just over one hour without seeing
    any issues.  I also verified the output of panic via sysrq-c and the output
    of /proc/modules looks correct for all three states for the dummy_module.
    
            dummy_module 12661 0 - Unloading 0xffffffffa03a5000 (OE-)
            dummy_module 12661 0 - Live 0xffffffffa03bb000 (OE)
            dummy_module 14015 1 - Loading 0xffffffffa03a5000 (OE+)
    
    Signed-off-by: Prarit Bhargava <prarit@redhat.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Cc: stable@kernel.org

 kernel/module.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 3da31f53bebc732e98972ff8d29e7799dec3cdf0
Author: Cong Wang <cwang@twopensource.com>
Date:   Tue Oct 14 12:35:08 2014 -0700

    rds: avoid calling sock_kfree_s() on allocation failure
    
    It is okay to free a NULL pointer but not okay to mischarge the socket optmem
    accounting. Compile test only.
    
    Reported-by: rucsoftsec@gmail.com
    Cc: Chien Yen <chien.yen@oracle.com>
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Cong Wang <cwang@twopensource.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/rdma.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 33a376b67ce7f30699dda7bb86cf3018165f9aac
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Oct 14 17:02:37 2014 -0400

    net: Trap attempts to call sock_kfree_s() with a NULL pointer.
    
    Unlike normal kfree() it is never right to call sock_kfree_s() with
    a NULL pointer, because sock_kfree_s() also has the side effect of
    discharging the memory from the sockets quota.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/core/sock.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
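The two commits above (rds: avoid calling sock_kfree_s() on allocation failure; net: trap sock_kfree_s() with a NULL pointer) are about accounting, not about free(): releasing a NULL pointer is harmless to the allocator, but a quota-charging free also subtracts the size from the socket's optmem balance, and on an allocation-failure path that size was never charged. The following added example is a constructed user-space model of that accounting, not kernel code and not from either commit: `struct sock_quota`, `quota_alloc()`, `quota_free()`, `quota_free_legacy()` and the sizes are all assumptions. It shows the balance drifting negative with an unconditional free, the trap catching the misuse, and the corrected error path that releases only what was allocated.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of a socket's optmem quota (stands in for
 * sk->sk_omem_alloc and the optmem_max limit). */
struct sock_quota {
    long omem_alloc;   /* bytes currently charged to this socket */
    long omem_max;     /* hard limit */
    int  warnings;     /* trapped misuses, like WARN_ON() hits */
};

/* Charge `size` and allocate. On any failure nothing is charged, so a
 * later "free" of the NULL result has nothing to undo. */
static void *quota_alloc(struct sock_quota *sk, size_t size)
{
    if (sk->omem_alloc + (long)size > sk->omem_max)
        return NULL;                     /* over quota: no charge made */
    void *p = malloc(size);
    if (!p)
        return NULL;                     /* allocator failure: no charge */
    sk->omem_alloc += (long)size;
    return p;
}

/* Free and discharge, post-fix behaviour: NULL is trapped, because there
 * is no matching charge and discharging would make the balance drift.
 * Returns 0 on success, -1 when a NULL was trapped (nothing discharged). */
static int quota_free(struct sock_quota *sk, void *p, size_t size)
{
    if (p == NULL) {
        sk->warnings++;
        return -1;
    }
    free(p);
    sk->omem_alloc -= (long)size;
    return 0;
}

/* Pre-fix behaviour: discharge unconditionally. free(NULL) is legal, so
 * the mistake is invisible except in the accounting. */
static void quota_free_legacy(struct sock_quota *sk, void *p, size_t size)
{
    free(p);
    sk->omem_alloc -= (long)size;
}

/* Constructed scenario: the second allocation exceeds the quota. */
#define QUOTA_MAX 64
#define SIZE_A    32
#define SIZE_B    48

/* Error path that frees both pointers, NULL included (the pattern the rds
 * patch removes). `use_trap` selects post-fix or pre-fix free. Returns the
 * final balance; *warnings reports trapped calls. */
static long error_path(int use_trap, int *warnings)
{
    struct sock_quota sk = { 0, QUOTA_MAX, 0 };
    void *a = quota_alloc(&sk, SIZE_A);   /* succeeds: balance 32 */
    void *b = quota_alloc(&sk, SIZE_B);   /* fails: 32 + 48 > 64, no charge */
    if (!b) {
        if (use_trap) {
            quota_free(&sk, a, SIZE_A);
            quota_free(&sk, b, SIZE_B);          /* trapped: b is NULL */
        } else {
            quota_free_legacy(&sk, a, SIZE_A);
            quota_free_legacy(&sk, b, SIZE_B);   /* discharges 48 never charged */
        }
    }
    *warnings = sk.warnings;
    return sk.omem_alloc;
}

/* Corrected error path: release only what was actually allocated. */
static long fixed_error_path(void)
{
    struct sock_quota sk = { 0, QUOTA_MAX, 0 };
    void *a = quota_alloc(&sk, SIZE_A);
    void *b = quota_alloc(&sk, SIZE_B);
    if (!b) {
        quota_free(&sk, a, SIZE_A);
        return sk.omem_alloc;
    }
    quota_free(&sk, b, SIZE_B);
    quota_free(&sk, a, SIZE_A);
    return sk.omem_alloc;
}

/* Results a test can check. */
static long legacy_balance(void)  { int w; return error_path(0, &w); }   /* -48: free credit */
static long trapped_balance(void) { int w; return error_path(1, &w); }   /* 0: nothing drifted */
static int  trapped_warnings(void){ int w; error_path(1, &w); return w; } /* 1: misuse reported */
```

A negative balance is the defender-relevant outcome: a socket that has discharged more than it charged can later allocate optmem beyond the configured limit, which is exactly the limit optmem_max exists to enforce.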

commit 178b10fc52004de86669c50a9224b938b0b01d69
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Oct 8 10:42:27 2014 -0700

    mnt: Prevent pivot_root from creating a loop in the mount tree
    
    Andy Lutomirski recently demonstrated that when chroot is used to set
    the root path below the path for the new ``root'' passed to pivot_root
    the pivot_root system call succeeds and leaks mounts.
    
    In examining the code I see that starting with a new root that is
    below the current root in the mount tree will result in a loop in the
    mount tree after the mounts are detached and then reattached to one
    another.  Resulting in all kinds of ugliness including a leak of the
    mounts involved in the leak of the mount loop.
    
    Prevent this problem by ensuring that the new mount is reachable from
    the current root of the mount tree.
    
    [Added stable cc.  Fixes CVE-2014-7970.  --Andy]
    
    Cc: stable@vger.kernel.org
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Reviewed-by: Andy Lutomirski <luto@amacapital.net>
    Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>

 fs/namespace.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
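The commit above closes CVE-2014-7970 by requiring that the new root be reachable from the caller's current root before pivot_root detaches and reattaches mounts. As an added illustration that is not the kernel's code (the real check works on mount/dentry pairs via is_path_reachable()), the following models a namespace as a tree of mounts with parent pointers, where the namespace root is its own parent, and applies both ordering checks: new_root must lie under the current root, and put_old must lie under new_root. `struct mnt`, `struct ns`, `build_ns()` and the scenario functions are constructed here.

```c
#include <stddef.h>

/* Constructed mount-tree node; the namespace root's parent is itself. */
struct mnt { const char *name; struct mnt *parent; };

static struct mnt *attach(struct mnt *m, const char *name, struct mnt *parent)
{
    m->name = name;
    m->parent = parent ? parent : m;
    return m;
}

/* Walk up from `from` towards the namespace root; return 1 if `ancestor`
 * is on that path (from is underneath ancestor), else 0. */
static int is_reachable(struct mnt *from, struct mnt *ancestor)
{
    struct mnt *m = from;
    for (;;) {
        if (m == ancestor) return 1;
        if (m->parent == m) return 0;   /* reached the namespace root */
        m = m->parent;
    }
}

/* The two ordering conditions pivot_root(new_root, put_old) must hold.
 * Returns 0 if the pivot is permitted, -1 if it must be rejected. */
static int pivot_root_check(struct mnt *current_root, struct mnt *new_root, struct mnt *put_old)
{
    /* The check this commit adds: a new root above the current root would
     * turn the detach/reattach into a cycle in the mount tree. */
    if (!is_reachable(new_root, current_root)) return -1;
    /* Long-standing requirement: put_old must be underneath new_root. */
    if (!is_reachable(put_old, new_root)) return -1;
    return 0;
}

/* Constructed namespace:  /  ->  /a  ->  /a/b  ->  /a/b/c ;  /a/old under /a. */
struct ns { struct mnt root, a, b, c, old; };

static void build_ns(struct ns *n)
{
    attach(&n->root, "/", NULL);
    attach(&n->a, "/a", &n->root);
    attach(&n->b, "/a/b", &n->a);
    attach(&n->c, "/a/b/c", &n->b);
    attach(&n->old, "/a/old", &n->a);
}

/* Ordinary use: current root is the namespace root, pivot to /a, old root to /a/old. */
static int scenario_normal(void)
{
    struct ns n; build_ns(&n);
    return pivot_root_check(&n.root, &n.a, &n.old);
}

/* The reported case: the caller has chrooted into /a/b, below the new root /a. */
static int scenario_root_below_new(void)
{
    struct ns n; build_ns(&n);
    return pivot_root_check(&n.b, &n.a, &n.old);
}

/* put_old outside new_root is rejected by the pre-existing check. */
static int scenario_put_old_outside(void)
{
    struct ns n; build_ns(&n);
    return pivot_root_check(&n.root, &n.a, &n.root);
}
```

The walk terminates because every path of parent pointers ends at the self-parented namespace root, which is also why the root must be its own parent in the model rather than NULL.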

commit 74885780db01e31e05b05b58a186b20415d9d801
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sun Sep 7 21:05:05 2014 +0100

    x86: Reject x32 executables if x32 ABI not supported
    
    It is currently possible to execve() an x32 executable on an x86_64
    kernel that has only ia32 compat enabled.  However all its syscalls
    will fail, even _exit().  This usually causes it to segfault.
    
    Change the ELF compat architecture check so that x32 executables are
    rejected if we don't support the x32 ABI.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Link: http://lkml.kernel.org/r/1410120305.6822.9.camel@decadent.org.uk
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 arch/x86/include/asm/elf.h |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 119993339cd6de5a129120d14d42237cac08c8b1
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Oct 8 23:44:00 2014 -0400

    fix misuses of f_count() in ppp and netlink
    
    we used to check for "nobody else could start doing anything with
    that opened file" by checking that refcount was 2 or less - one
    for descriptor table and one we'd acquired in fget() on the way to
    wherever we are.  That was race-prone (somebody else might have
    had a reference to descriptor table and do fget() just as we'd
    been checking) and it had become flat-out incorrect back when
    we switched to fget_light() on those codepaths - unlike fget(),
    it doesn't grab an extra reference unless the descriptor table
    is shared.  The same change allowed a race-free check, though -
    we are safe exactly when refcount is less than 2.
    
    It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading
    to ppp one) and 2.6.17 for sendmsg() (netlink one).  OTOH,
    netlink hadn't grown that check until 3.9 and ppp used to live
    in drivers/net, not drivers/net/ppp until 3.1.  The bug existed
    well before that, though, and the same fix used to apply in old
    location of file.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 drivers/net/ppp/ppp_generic.c |    2 +-
 net/netlink/af_netlink.c      |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 9d9f0adc667f8ade1ce3fe7c2f40cca62a452f72
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Sun Jul 27 13:00:41 2014 -0400

    fs: make cont_expand_zero interruptible
    
    This patch makes it possible to kill a process looping in
    cont_expand_zero. A process may spend a lot of time in this function, so
    it is desirable to be able to kill it.
    
    It happened to me that I wanted to copy a piece of data from the disk to a
    file. By mistake, I used the "seek" parameter to dd instead of "skip". Due
    to the "seek" parameter, dd attempted to extend the file and became stuck
    doing so - the only possibility was to reset the machine or wait many
    hours until the filesystem runs out of space and cont_expand_zero fails.
    We need this patch to be able to terminate the process.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/buffer.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit b342bd406906ae2c398764d61e414b9538f82be3
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date:   Sat May 17 20:56:38 2014 +0900

    fs: Fix theoretical division by 0 in super_cache_scan().
    
    total_objects could be 0 and is used as a denom.
    
    While total_objects is a "long", total_objects == 0 unlikely happens for
    3.12 and later kernels because 32-bit architectures would not be able to
    hold (1 << 32) objects. However, total_objects == 0 may happen for kernels
    between 3.1 and 3.11 because total_objects in prune_super() was an "int"
    and (e.g.) x86_64 architecture might be able to hold (1 << 32) objects.
    
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Cc: stable <stable@kernel.org> # 3.1+
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/super.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit e4de452fdd9562a206056869ed813520557250ba
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Thu Oct 9 15:24:37 2014 -0700

    fsnotify: don't put user context if it was never assigned
    
    On some failure paths we may attempt to free user context even if it
    wasn't assigned yet.  This will cause a NULL ptr deref and a kernel BUG.
    
    The path I was looking at is in inotify_new_group():
    
            oevent = kmalloc(sizeof(struct inotify_event_info), GFP_KERNEL);
            if (unlikely(!oevent)) {
                    fsnotify_destroy_group(group);
                    return ERR_PTR(-ENOMEM);
            }
    
    fsnotify_destroy_group() would get called here, but
    group->inotify_data.user is only getting assigned later:
    
    	group->inotify_data.user = get_current_user();
    
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Cc: John McCutchan <john@johnmccutchan.com>
    Cc: Robert Love <rlove@rlove.org>
    Cc: Eric Paris <eparis@parisplace.org>
    Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/notify/inotify/inotify_fsnotify.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 56d00cedb016678aac6ed8b55bf68b3964a0c15b
Merge: 3da2043 e9f5f28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Oct 16 17:34:17 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit e9f5f282a4e9cec16a8605a4034094db2c5b4822
Merge: 99513ab d7892a4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Oct 16 17:34:01 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	include/net/inet_connection_sock.h

commit 3da204340946ebd40965c28fb7993ad84cced96d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 13 19:31:03 2014 -0400

    compile fix

 net/ipv4/ip_input.c  |    4 ++++
 net/ipv4/tcp_input.c |    4 ----
 2 files changed, 4 insertions(+), 4 deletions(-)

commit 86722e8791ae7e5c763b6e4768a497f86f543444
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 13 19:16:43 2014 -0400

    add reference to grsec_enable_blackhole

 net/ipv4/tcp_input.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit fc53478e92badd52c965aa72bc1dd5f663fcadb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 12 21:07:48 2014 -0400

    update GRKERNSEC_BLACKHOLE documentation

 grsecurity/Kconfig |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 0587f066f6e0ece89499fba84cfb43080f5826af
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Oct 12 21:03:37 2014 -0400

    Though it can be done easily enough with iptables by dropping
    packets of unknown protocols, when GRKERNSEC_BLACKHOLE is enabled
    avoid sending icmp protocol unreachable for unknown protocols except
    on the loopback interface.
    
    Suggested by @NoAgendaIT

 net/ipv4/ip_input.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 1e7e9a2c942becf9eecaa630778f78dc6089add6
Merge: f9aaad8 99513ab
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Oct 9 20:23:26 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	fs/exec.c
    	fs/udf/inode.c

commit 99513abc85f08a09bebee5150e2605d8fe5dd9a9
Merge: db21ab7 89161fe
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Oct 9 20:21:44 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit f9aaad82fbc89280d825a79c039e8dfba31519bc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 8 19:28:11 2014 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b973aed5265e0c8567d1894ffe6296e51322d6ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 8 19:27:22 2014 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit dde1e0fd9ebd9bad5d07388624c234498f519e38
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Oct 8 18:57:57 2014 -0400

    apply fix from PaX for Xen booting, introduced recently by a fix for a KASLR/Xen incompatibility

 arch/x86/include/asm/pgtable_64.h |    1 +
 arch/x86/xen/mmu.c                |    2 ++
 2 files changed, 3 insertions(+), 0 deletions(-)

commit 8b5fde78ffd9312b220ea3016ca04425dfa4813b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 6 19:57:52 2014 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 06369a5d662278215f7423734af1c41a6e5ee41e
Author: Mel Gorman <mgorman@suse.de>
Date:   Thu Oct 2 19:47:41 2014 +0100

    mm: migrate: Close race between migration completion and mprotect
    
    A migration entry is marked as write if pte_write was true at the time the
    entry was created. The VMA protections are not double checked when migration
    entries are being removed as mprotect marks write-migration-entries as
    read. It means that potentially we take a spurious fault to mark PTEs write
    again but it's straight-forward. However, there is a race between write
    migrations being marked read and migrations finishing. This potentially
    allows a PTE to be write that should have been read. Close this race by
    double checking the VMA permissions using maybe_mkwrite when migration
    completes.
    
    [torvalds@linux-foundation.org: use maybe_mkwrite]
    Cc: stable@vger.kernel.org
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Rik van Riel <riel@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/migrate.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 0af7463a4454897d1b7d2e467f05e0b8ae1ee6d3
Author: Mel Gorman <mgorman@suse.de>
Date:   Thu Oct 2 19:47:42 2014 +0100

    mm: numa: Do not mark PTEs pte_numa when splitting huge pages
    
    This patch reverts 1ba6e0b50b ("mm: numa: split_huge_page: transfer the
    NUMA type from the pmd to the pte"). If a huge page is being split due
    to a protection change and the tail will be in a PROT_NONE vma then NUMA
    hinting PTEs are temporarily created in the protected VMA.
    
     VM_RW|VM_PROTNONE
    |-----------------|
          ^
          split here
    
    In the specific case above, it should get fixed up by change_pte_range()
    but there is a window of opportunity for weirdness to happen. Similarly,
    if a huge page is shrunk and split during a protection update but before
    pmd_numa is cleared then a pte_numa can be left behind.
    
    Instead of adding complexity trying to deal with the case, this patch
    will not mark PTEs NUMA when splitting a huge page. NUMA hinting faults
    will not be triggered which is marginal in comparison to the complexity
    in dealing with the corner cases during THP split.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Mel Gorman <mgorman@suse.de>
    Acked-by: Rik van Riel <riel@redhat.com>
    Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/huge_memory.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit b843da2c673373489d28bbd3e42cd95a538a8f4d
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Thu Oct 2 16:17:02 2014 -0700

    perf: fix perf bug in fork()
    
    Oleg noticed that a cleanup by Sylvain actually uncovered a bug; by
    calling perf_event_free_task() when failing sched_fork() we will not yet
    have done the memset() on ->perf_event_ctxp[] and will therefore try and
    'free' the inherited contexts, which are still in use by the parent
    process.  This is bad..
    
    Suggested-by: Oleg Nesterov <oleg@redhat.com>
    Reported-by: Oleg Nesterov <oleg@redhat.com>
    Reported-by: Sylvain 'ythier' Hitier <sylvain.hitier@gmail.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/events/core.c |    4 +++-
 kernel/fork.c        |    5 +++--
 2 files changed, 6 insertions(+), 3 deletions(-)

commit 71b1e78dad02622c8f7073ce17bc4d8e07df820c
Author: Herton R. Krzesinski <herton@redhat.com>
Date:   Wed Oct 1 18:49:54 2014 -0300

    net/rds: fix possible double free on sock tear down
    
    I got a report of a double free happening at RDS slab cache. One
    suspicion was that may be somewhere we were doing a sock_hold/sock_put
    on an already freed sock. Thus after providing a kernel with the
    following change:
    
     static inline void sock_hold(struct sock *sk)
     {
    -       atomic_inc(&sk->sk_refcnt);
    +       if (!atomic_inc_not_zero(&sk->sk_refcnt))
    +               WARN(1, "Trying to hold sock already gone: %p (family: %hd)\n",
    +                       sk, sk->sk_family);
     }
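Review bot: the WARN branch reads sk->sk_family after atomic_inc_not_zero() has already observed a zero refcount, so the diagnostic itself dereferences a socket that may have been freed; logging only the pointer ("%p") keeps the instrumentation from touching the dead object. Note also that when the increment is skipped the caller's matching sock_put() still runs, so the count goes negative on the already-released sock; fine for a one-off reproducer, but the warning should not be mistaken for a safe sock_hold() replacement.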
    
    The warning successfully triggered:
    
    Trying to hold sock already gone: ffff81f6dda61280 (family: 21)
    WARNING: at include/net/sock.h:350 sock_hold()
    Call Trace:
    <IRQ>  [<ffffffff8adac135>] :rds:rds_send_remove_from_sock+0xf0/0x21b
    [<ffffffff8adad35c>] :rds:rds_send_drop_acked+0xbf/0xcf
    [<ffffffff8addf546>] :rds_rdma:rds_ib_recv_tasklet_fn+0x256/0x2dc
    [<ffffffff8009899a>] tasklet_action+0x8f/0x12b
    [<ffffffff800125a2>] __do_softirq+0x89/0x133
    [<ffffffff8005f30c>] call_softirq+0x1c/0x28
    [<ffffffff8006e644>] do_softirq+0x2c/0x7d
    [<ffffffff8006e4d4>] do_IRQ+0xee/0xf7
    [<ffffffff8005e625>] ret_from_intr+0x0/0xa
    <EOI>
    
    Looking at the call chain above, the only way I think this would be
    possible is if somewhere we already released the same socket->sock which
    is assigned to the rds_message at rds_send_remove_from_sock. Which seems
    only possible to happen after the tear down done on rds_release.
    
    rds_release properly calls rds_send_drop_to to drop the socket from any
    rds_message, and some proper synchronization is in place to avoid race
    with rds_send_drop_acked/rds_send_remove_from_sock. However, I still see
    a very narrow window where it may be possible we touch a sock already
    released: when rds_release races with rds_send_drop_acked, we check
    RDS_MSG_ON_CONN to avoid cleanup on the same rds_message, but in this
    specific case we don't clear rm->m_rs. In this case, it seems we could
    then go on at rds_send_drop_to and after it returns, the sock is freed
    by last sock_put on rds_release, with concurrently we being at
    rds_send_remove_from_sock; then at some point in the loop at
    rds_send_remove_from_sock we process an rds_message which didn't have
    rm->m_rs unset for a freed sock, and a possible sock_hold on an sock
    already gone at rds_release happens.
    
    This hopefully addresses the described condition above and avoids a double
    free on "second last" sock_put. In addition, I removed the comment about
    socket destruction on top of rds_send_drop_acked: we call rds_send_drop_to
    in rds_release and we should have things properly serialized there, thus
    I can't see the comment being accurate there.
    
    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/rds/send.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

commit 490c23f7aeba76a7b1d64f8f1a2d12bffd65ea51
Author: Steve French <smfrench@gmail.com>
Date:   Thu Sep 25 01:26:55 2014 -0500

    Fix problem recognizing symlinks
    
    Changeset eb85d94bd introduced a problem where if a cifs open
    fails during query info of a file we
    will still try to close the file (happens with certain types
    of reparse points) even though the file handle is not valid.
    
    In addition for SMB2/SMB3 we were not mapping the return code returned
    by Windows when trying to open a file (like a Windows NFS symlink)
    which is a reparse point.
    
    Signed-off-by: Steve French <smfrench@gmail.com>
    Reviewed-by: Pavel Shilovsky <pshilovsky@samba.org>
    CC: stable <stable@vger.kernel.org> #v3.13+

 fs/cifs/smb1ops.c      |    2 +-
 fs/cifs/smb2maperror.c |    2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

commit b321c651ffc502a6989b67627d05661cd3a852c8
Merge: 0ec13aa db21ab7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 6 18:15:17 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/arm/include/asm/tls.h
    	fs/namei.c

commit db21ab7fe40dcaa3459cf4445e959da7b8c9b478
Merge: b477dda 2023c00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Oct 6 18:03:41 2014 -0400

    Update to pax-linux-3.14.20-test21.patch:
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/arm/kernel/traps.c
    	arch/x86/include/asm/pgtable_64.h
    	arch/x86/xen/mmu.c
    	drivers/gpu/drm/ttm/ttm_page_alloc.c
    	include/linux/vga_switcheroo.h

commit 0ec13aaf124013f57c706ec3fa3ef2bed0c9ec44
Merge: 05aef4f b477dda
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 19:28:26 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit b477ddaafca9bb828a9c90b7ca890ff4f73571c7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 19:26:12 2014 -0400

    Backport fix from https://lkml.org/lkml/2014/8/29/317
    Problem is a boot crash with Xen due to KASLR, also observed
    by one of our users:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=4053

 arch/x86/include/asm/pgtable_64.h |    1 +
 arch/x86/xen/mmu.c                |   27 ++++++++++++---------------
 2 files changed, 13 insertions(+), 15 deletions(-)

commit 05aef4f103c29ec0cf5995e002be43729f2bbd80
Merge: f6986bd8 3b7e2c8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 13:15:55 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/x86/platform/efi/efi_64.c

commit 3b7e2c84a54158cfd711f03fa0a3740d86dee880
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 28 13:13:09 2014 -0400

    Update to pax-linux-3.14.19-test20.patch:
    - the kernel physical memory map can be made non-executable when EFI uses the new memmap code, by Mathias Krause <mathias.krause@secunet.com>
    - fixed some REFCOUNT false positives in drbd, reported by schiffi (https://forums.grsecurity.net/viewtopic.php?f=3&t=3786)
    - removed bash dependence from scripts/gcc-plugin.sh

 arch/x86/platform/efi/efi_64.c     |    2 +-
 drivers/block/drbd/drbd_bitmap.c   |    2 +-
 drivers/block/drbd/drbd_int.h      |    4 ++--
 drivers/block/drbd/drbd_main.c     |    4 ++--
 drivers/block/drbd/drbd_receiver.c |   12 ++++++------
 drivers/block/drbd/drbd_worker.c   |    8 ++++----
 scripts/gcc-plugin.sh              |   28 ++++++++++++++++++----------
 7 files changed, 34 insertions(+), 26 deletions(-)

commit f6986bd85880724214520bf6ea80bb843874e944
Author: Christoph Hellwig <hch@lst.de>
Date:   Tue Sep 16 14:44:07 2014 -0700

    blk-mq: avoid infinite recursion with the FUA flag
    
    We should not insert requests into the flush state machine from
    blk_mq_insert_request.  All incoming flush requests come through
    blk_{m,s}q_make_request and are handled there, while blk_execute_rq_nowait
    should only be called for BLOCK_PC requests.  All other callers
    deal with requests that already went through the flush state machine
    and shouldn't be reinserted into it.
    
    Reported-by: Robert Elliott  <Elliott@hp.com>
    Debugged-by: Ming Lei <ming.lei@canonical.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Jens Axboe <axboe@fb.com>

 block/blk-exec.c |    1 +
 block/blk-mq.c   |   11 +++--------
 2 files changed, 4 insertions(+), 8 deletions(-)

commit 3ce96249bddb24169146e97a02587b571f21e71b
Author: Miklos Szeredi <mszeredi@suse.cz>
Date:   Wed Sep 24 17:56:17 2014 +0200

    shmem: fix nlink for rename overwrite directory
    
    If overwriting an empty directory with rename, then we need to drop the extra
    nlink.
    
    Test prog:
    
    #include <stdio.h>
    #include <fcntl.h>
    #include <err.h>
    #include <sys/stat.h>
    
    int main(void)
    {
    	const char *test_dir1 = "test-dir1";
    	const char *test_dir2 = "test-dir2";
    	int res;
    	int fd;
    	struct stat statbuf;
    
    	res = mkdir(test_dir1, 0777);
    	if (res == -1)
    		err(1, "mkdir(\"%s\")", test_dir1);
    
    	res = mkdir(test_dir2, 0777);
    	if (res == -1)
    		err(1, "mkdir(\"%s\")", test_dir2);
    
    	fd = open(test_dir2, O_RDONLY);
    	if (fd == -1)
    		err(1, "open(\"%s\")", test_dir2);
    
    	res = rename(test_dir1, test_dir2);
    	if (res == -1)
    		err(1, "rename(\"%s\", \"%s\")", test_dir1, test_dir2);
    
    	res = fstat(fd, &statbuf);
    	if (res == -1)
    		err(1, "fstat(%i)", fd);
    
    	if (statbuf.st_nlink != 0) {
    		fprintf(stderr, "nlink is %lu, should be 0\n", statbuf.st_nlink);
    		return 1;
    	}
    
    	return 0;
    }
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 mm/shmem.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 7d0157d570738671ef0e8a7ae5553573f227b5a3
Author: Nathan Lynch <nathan_lynch@mentor.com>
Date:   Thu Sep 11 02:49:08 2014 +0100

    ARM: 8148/1: flush TLS and thumbee register state during exec
    
    The TPIDRURO and TPIDRURW registers need to be flushed during exec;
    otherwise TLS information is potentially leaked.  TPIDRURO in
    particular needs careful treatment.  Since flush_thread basically
    needs the same code used to set the TLS in arm_syscall, pull that into
    a common set_tls helper in tls.h and use it in both places.
    
    Similarly, TEEHBR needs to be cleared during exec as well.  Clearing
    its save slot in thread_info isn't right as there is no guarantee
    that a thread switch will occur before the new program runs.  Just
    setting the register directly is sufficient.
    
    Signed-off-by: Nathan Lynch <nathan_lynch@mentor.com>
    Acked-by: Will Deacon <will.deacon@arm.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    
    Conflicts:
    
    	arch/arm/kernel/traps.c

 arch/arm/include/asm/tls.h |   65 ++++++++++++++++++++++++++++++++++++++++++++
 arch/arm/kernel/process.c  |    2 +
 arch/arm/kernel/thumbee.c  |    2 +-
 arch/arm/kernel/traps.c    |   19 +------------
 4 files changed, 69 insertions(+), 19 deletions(-)

commit 52ff455af04163df228892fef6f725f080de20cf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Sep 3 13:11:09 2014 -0400

    [fix] lustre: d_make_root() does iput() on dentry allocation failure
    
    double-free is a bad thing
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 drivers/staging/lustre/lustre/llite/llite_lib.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ec403cfffdcd81a19afc71afa3f85e441042cc4a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Sep 13 21:59:43 2014 -0400

    be careful with nd->inode in path_init() and follow_dotdot_rcu()
    
    in the former we simply check if dentry is still valid after picking
    its ->d_inode; in the latter we fetch ->d_inode in the same places
    where we fetch dentry and its ->d_seq, under the same checks.
    
    Cc: stable@vger.kernel.org # 2.6.38+
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namei.c |   15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)

commit d3814a9451d6fdbad5a2d87d14fc4fcd73590dc3
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Sep 13 21:55:46 2014 -0400

    don't bugger nd->seq on set_root_rcu() from follow_dotdot_rcu()
    
    return the value instead, and have path_init() do the assignment.  Broken by
    "vfs: Fix absolute RCU path walk failures due to uninitialized seq number",
    which was Cc-stable with 2.6.38+ as destination.  This one should go where
    it went.
    
    To avoid dummy value returned in case when root is already set (it would do
    no harm, actually, since the only caller that doesn't ignore the return value
    is guaranteed to have nd->root *not* set, but it's more obvious that way),
    lift the check into callers.  And do the same to set_root(), to keep them
    in sync.
    
    Cc: stable@vger.kernel.org # 2.6.38+
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

 fs/namei.c |   33 +++++++++++++++++----------------
 1 files changed, 17 insertions(+), 16 deletions(-)

commit 8fa3ca27bc1b30bfffd363f18aacb2178593e953
Author: David Rientjes <rientjes@google.com>
Date:   Thu Sep 25 16:05:20 2014 -0700

    mm, slab: initialize object alignment on cache creation
    
    Since commit 4590685546a3 ("mm/sl[aou]b: Common alignment code"), the
    "ralign" automatic variable in __kmem_cache_create() may be used as
    uninitialized.
    
    The proper alignment defaults to BYTES_PER_WORD and can be overridden by
    SLAB_RED_ZONE or the alignment specified by the caller.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=85031
    
    Signed-off-by: David Rientjes <rientjes@google.com>
    Reported-by: Andrei Elovikov <a.elovikov@gmail.com>
    Acked-by: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/slab.c |   11 ++---------
 1 files changed, 2 insertions(+), 9 deletions(-)

commit 84eed61f96537388680de432e2b51aad40abdcc4
Author: Anton Altaparmakov <aia21@cam.ac.uk>
Date:   Mon Sep 22 01:53:03 2014 +0100

    Fix nasty 32-bit overflow bug in buffer i/o code.
    
    On 32-bit architectures, the legacy buffer_head functions are not always
    handling the sector number with the proper 64-bit types, and will thus
    fail on 4TB+ disks.
    
    Any code that uses __getblk() (and thus bread(), breadahead(),
    sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit
    block on a 32-bit arch (where "long" is 32-bit) causes an infinite loop
    in __getblk_slow() with an infinite stream of errors logged to dmesg
    like this:
    
      __find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648
      b_state=0x00000020, b_size=512
      device sda1 blocksize: 512
    
    Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the
    top 32-bits are missing (in this case the 0x1 at the top).
    
    This is because grow_dev_page() is broken and has a 32-bit overflow due
    to shifting the page index value (a pgoff_t - which is just 32 bits on
    32-bit architectures) left-shifted as the block number.  But the top
    bits get lost as the pgoff_t is not type cast to sector_t / 64-bit
    before the shift.
    
    This patch fixes this issue by type casting "index" to sector_t before
    doing the left shift.
    
    Note this is not a theoretical bug but has been seen in the field on a
    4TiB hard drive with logical sector size 512 bytes.
    
    This patch has been verified to fix the infinite loop problem on 3.17-rc5
    kernel using a 4TB disk image mounted using "-o loop".  Without this patch
    doing a "find /nt" where /nt is an NTFS volume causes the infinite loop
    100% reproducibly whilst with the patch it works fine as expected.
    
    Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/buffer.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
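The overflow described in the commit above, as an added example that is not part of the original commit or of fs/buffer.c: a 32-bit page index (emulated here with uint32_t, as pgoff_t is on a 32-bit arch) is shifted by sizebits before being widened to a 64-bit sector_t, and a capped emulation of the __getblk_slow() retry loop shows why the wrong b_blocknr is never found. The constants and the emulated page cache are constructed for illustration; only the block numbers come from the commit's log lines.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Emulated 32-bit kernel types: pgoff_t is 32 bits on a 32-bit arch,
 * sector_t is 64 bits when CONFIG_LBDAF is set. */
typedef uint32_t pgoff32_t;
typedef uint64_t sector_t;

#define PAGE_SHIFT 12   /* 4 KiB pages, as in the reported setup */

/* Number of bits needed to convert a block number into a page index,
 * i.e. log2(PAGE_SIZE / blocksize). 512-byte blocks give 3. */
static int size_bits(uint32_t blocksize)
{
	int bits = 0;
	while (blocksize > 1) {
		blocksize >>= 1;
		bits++;
	}
	return PAGE_SHIFT - bits;
}

/* Pre-fix arithmetic: index is promoted to (32-bit) unsigned int, so the
 * shift is done in 32 bits and the top bits are discarded before the
 * result is widened to sector_t. */
static sector_t first_block_broken(pgoff32_t index, int sizebits)
{
	return index << sizebits;
}

/* Post-fix arithmetic from the commit: cast to sector_t, then shift. */
static sector_t first_block_fixed(pgoff32_t index, int sizebits)
{
	return (sector_t)index << sizebits;
}

/* One-slot stand-in for the block device's page cache (constructed). */
struct fake_page {
	bool present;
	sector_t first_blocknr;   /* b_blocknr of the page's first buffer */
};

/* Capped emulation of the __getblk_slow() loop: look the block up, and if
 * it is not there, grow the page and initialise its buffer heads. Returns
 * the iteration on which the block was found, or -1 when the cap is hit,
 * which is the infinite loop from the report. */
static int getblk_emulated(sector_t block, uint32_t blocksize, bool fixed,
			   int max_iter)
{
	int sizebits = size_bits(blocksize);
	pgoff32_t index = (pgoff32_t)(block >> sizebits);
	sector_t per_page = (sector_t)1 << sizebits;
	struct fake_page page = { false, 0 };

	for (int i = 1; i <= max_iter; i++) {
		/* __find_get_block_slow(): hit only if the page's buffers
		 * actually cover the requested block. */
		if (page.present && block >= page.first_blocknr &&
		    block - page.first_blocknr < per_page)
			return i;

		/* grow_dev_page(): (re)initialise the buffers of the page
		 * that should hold 'block', starting at its first block. */
		page.present = true;
		page.first_blocknr = fixed ? first_block_fixed(index, sizebits)
					   : first_block_broken(index, sizebits);
	}
	return -1;
}

int main(void)
{
	/* Block number from the commit's dmesg excerpt, on a 512-byte-sector disk. */
	sector_t block = 6740375944ULL;
	int sizebits = size_bits(512);
	pgoff32_t index = (pgoff32_t)(block >> sizebits);

	printf("sizebits=%d index=%" PRIu32 "\n", sizebits, index);
	printf("broken: block=%" PRIu64 ", b_blocknr=%" PRIu64 "\n",
	       block, first_block_broken(index, sizebits));
	printf("fixed:  block=%" PRIu64 ", b_blocknr=%" PRIu64 "\n",
	       block, first_block_fixed(index, sizebits));
	printf("lookup iterations, broken: %d (cap hit), fixed: %d\n",
	       getblk_emulated(block, 512, false, 10),
	       getblk_emulated(block, 512, true, 10));
	return 0;
}
```

The broken path reproduces the exact pair from the log (block=6740375944, b_blocknr=2445408648), i.e. 0x191C1F988 with its top bit dropped to 0x91C1F988.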

commit 5eae38da77d938c3e68884821aba7464d5b700d8
Author: Mike Christie <michaelc@cs.wisc.edu>
Date:   Wed Sep 3 00:00:39 2014 -0500

    [SCSI] libiscsi: fix potential buffer overrun in __iscsi_conn_send_pdu
    
    This patches fixes a potential buffer overrun in __iscsi_conn_send_pdu.
    This function is used by iscsi drivers and userspace to send iscsi PDUs/
    commands. For login commands, we have a set buffer size. For all other
    commands we do not support data buffers.
    
    This was reported by Dan Carpenter here:
    http://www.spinics.net/lists/linux-scsi/msg66838.html
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
    Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>

 drivers/scsi/libiscsi.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit 83d25dc5d9c12947b32936cb4bf57587b70f537f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Sep 19 13:43:11 2014 +0300

    staging: vt6655: buffer overflow in ioctl
    
    ->u.generic_elem.len is a user controlled number between 0-255.  We
    should limit it to avoid memory corruption.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/staging/vt6655/hostap.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 33f6b30bedadf58cfc32d1c5440c64987116f677
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 22 19:45:28 2014 -0400

    Allow printk_address to show symbols

 arch/x86/kernel/dumpstack.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a0e21e7db4e27e6f127076be05c172d5f6b99757
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 18 08:51:47 2014 -0400

    update documentation

 security/Kconfig |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 4508b59788b622de3cfdd67a317e9043eec1c206
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 18 08:29:16 2014 -0400

    Update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit f523f3f60331162f51c8d5f8bdbe84951f0ef6fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 17 23:22:42 2014 -0400

    pr_info->pr_alert, add missing newline

 arch/x86/platform/efi/efi_64.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b4f2a711bb6a52195b945fb702a1dd6530d780ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 17 19:59:52 2014 -0400

    Update KERNEXEC documentation to mention CONFIG_EFI interaction

 security/Kconfig |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit d71bc35dcff4f506b018ab12854230ffcf41d063
Merge: 6b25afd 6847e23
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 17 20:53:21 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 6847e2380c256bd27abf4e9e3dbd834506bba9b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 17 20:52:12 2014 -0400

    Update to pax-linux-3.14.19-test19.patch:
    - the kernel physical memory map can be made non-executable when EFI uses the new memmap code, by Mathias Krause <mathias.krause@secunet.com>

 arch/x86/kernel/head_64.S      |    5 +++--
 arch/x86/platform/efi/efi_64.c |   17 ++++++++++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)

commit a5453ee3dcd3b2e49bf64512726f2001e8c1555c
Merge: 9c8ad78 af92ba8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Sep 17 20:43:15 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit 6b25afd6169006ee2df1e1ff5b73eeabaf538363
Merge: 9b7d687 9c8ad78
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 16:13:49 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 9c8ad785eedf243faa73dffbd03c96c2ae276b1e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Sep 14 16:12:44 2014 -0400

    Update to pax-linux-3.14.18-test19.patch:
    - fixed powerpc compilation, reported by Rodrigo Branco
    - hopefully fixed a build race on ia64, reported by Dennis Schridde (https://bugs.gentoo.org/show_bug.cgi?id=503878)
    - fixed regression on arm (missing smp_mb in atomic64_sub_return) introduced while forward porting to 3.13, https://bugs.gentoo.org/show_bug.cgi?id=502058 was not fixed completely before
    - added REFCOUNT protection to lockref, it may have a non-trivial performance impact on certain dentry operations due to the lack of a lockless refcount API in the kernel

 arch/arm/include/asm/atomic.h |    2 ++
 arch/ia64/Makefile            |    1 +
 arch/powerpc/mm/mmap.c        |    2 +-
 fs/dcache.c                   |   34 +++++++++++++++++-----------------
 include/linux/lockref.h       |   32 ++++++++++++++++++++++++++++++++
 lib/lockref.c                 |   20 ++++++++++----------
 6 files changed, 63 insertions(+), 28 deletions(-)

commit 9b7d68782914bd6e3e93dea7660711d833a2eaf5
Author: Richard Larocque <rlarocque@google.com>
Date:   Tue Sep 9 18:31:03 2014 -0700

    alarmtimer: Return relative times in timer_gettime
    
    Returns the time remaining for an alarm timer, rather than the time at
    which it is scheduled to expire.  If the timer has already expired or it
    is not currently scheduled, the it_value's members are set to zero.
    
    This new behavior matches that of the other posix-timers and the POSIX
    specifications.
    
    This is a change in user-visible behavior, and may break existing
    applications.  Hopefully, few users rely on the old incorrect behavior.
    
    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Sharvil Nanavati <sharvil@google.com>
    Signed-off-by: Richard Larocque <rlarocque@google.com>
    [jstultz: minor style tweak]
    Signed-off-by: John Stultz <john.stultz@linaro.org>

 kernel/time/alarmtimer.c |   18 +++++++++++-------
 1 files changed, 11 insertions(+), 7 deletions(-)

commit fa1b66dd166535ad488215dc9f1b1cc6b5af3b18
Author: Richard Larocque <rlarocque@google.com>
Date:   Tue Sep 9 18:31:05 2014 -0700

    alarmtimer: Lock k_itimer during timer callback
    
    Locks the k_itimer's it_lock member when handling the alarm timer's
    expiry callback.
    
    The regular posix timers defined in posix-timers.c have this lock held
    during timeout processing because their callbacks are routed through
    posix_timer_fn().  The alarm timers follow a different path, so they
    ought to grab the lock somewhere else.
    
    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Sharvil Nanavati <sharvil@google.com>
    Signed-off-by: Richard Larocque <rlarocque@google.com>
    Signed-off-by: John Stultz <john.stultz@linaro.org>

 kernel/time/alarmtimer.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

commit 5451e734b6dd20e7ac4cbf7ba55590e7a1a4b145
Author: Richard Larocque <rlarocque@google.com>
Date:   Tue Sep 9 18:31:04 2014 -0700

    alarmtimer: Do not signal SIGEV_NONE timers
    
    Avoids sending a signal to alarm timers created with sigev_notify set to
    SIGEV_NONE by checking for that special case in the timeout callback.
    
    The regular posix timers avoid sending signals to SIGEV_NONE timers by
    not scheduling any callbacks for them in the first place.  Although it
    would be possible to do something similar for alarm timers, it's simpler
    to handle this as a special case in the timeout.
    
    Prior to this patch, the alarm timer would ignore the sigev_notify value
    and try to deliver signals to the process anyway.  Even worse, the
    sanity check for the value of sigev_signo is skipped when SIGEV_NONE was
    specified, so the signal number could be bogus.  If sigev_signo was an
    uninitialized value (as it often would be if SIGEV_NONE is used), then
    it's hard to predict which signal will be sent.
    
    Cc: stable@vger.kernel.org
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Sharvil Nanavati <sharvil@google.com>
    Signed-off-by: Richard Larocque <rlarocque@google.com>
    Signed-off-by: John Stultz <john.stultz@linaro.org>

 kernel/time/alarmtimer.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit d1a1d55d29d2ab9168a4958b5ac16161246e278f
Author: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Date:   Tue Sep 9 14:51:01 2014 -0700

    kcmp: fix standard comparison bug
    
    The C operator <= defines a perfectly fine total ordering on the set of
    values representable in a long.  However, unlike its namesake in the
    integers, it is not translation invariant, meaning that we do not have
    "b <= c" iff "a+b <= a+c" for all a,b,c.
    
    This means that it is always wrong to try to boil down the relationship
    between two longs to a question about the sign of their difference,
    because the resulting relation [a LEQ b iff a-b <= 0] is neither
    anti-symmetric nor transitive.  The former is due to -LONG_MIN==LONG_MIN
    (take any two a,b with a-b = LONG_MIN; then a LEQ b and b LEQ a, but a !=
    b).  The latter can either be seen observing that x LEQ x+1 for all x,
    implying x LEQ x+1 LEQ x+2 ...  LEQ x-1 LEQ x; or more directly with the
    simple example a=LONG_MIN, b=0, c=1, for which a-b < 0, b-c < 0, but a-c >
    0.
    
    Note that it makes absolutely no difference that a transmogrifying bijection
    has been applied before the comparison is done.  In fact, had the
    obfuscation not been done, one could probably not observe the bug
    (assuming all values being compared always lie in one half of the address
    space, the mathematical value of a-b is always representable in a long).
    As it stands, one can easily obtain three file descriptors exhibiting the
    non-transitivity of kcmp().
    
    Side note 1: I can't see that ensuring the MSB of the multiplier is
    set serves any purpose other than obfuscating the obfuscating code.
    
    Side note 2:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <assert.h>
    #include <sys/syscall.h>
    
    enum kcmp_type {
            KCMP_FILE,
            KCMP_VM,
            KCMP_FILES,
            KCMP_FS,
            KCMP_SIGHAND,
            KCMP_IO,
            KCMP_SYSVSEM,
            KCMP_TYPES,
    };
    pid_t pid;
    
    int kcmp(pid_t pid1, pid_t pid2, int type,
    	 unsigned long idx1, unsigned long idx2)
    {
    	return syscall(SYS_kcmp, pid1, pid2, type, idx1, idx2);
    }
    int cmp_fd(int fd1, int fd2)
    {
    	int c = kcmp(pid, pid, KCMP_FILE, fd1, fd2);
    	if (c < 0) {
    		perror("kcmp");
    		exit(1);
    	}
    	assert(0 <= c && c < 3);
    	return c;
    }
    int cmp_fdp(const void *a, const void *b)
    {
    	static const int normalize[] = {0, -1, 1};
    	return normalize[cmp_fd(*(int*)a, *(int*)b)];
    }
    #define MAX 100 /* This is plenty; I've seen it trigger for MAX==3 */
    int main(int argc, char *argv[])
    {
    	int r, s, count = 0;
    	int REL[3] = {0,0,0};
    	int fd[MAX];
    	pid = getpid();
    	while (count < MAX) {
    		r = open("/dev/null", O_RDONLY);
    		if (r < 0)
    			break;
    		fd[count++] = r;
    	}
    	printf("opened %d file descriptors\n", count);
    	for (r = 0; r < count; ++r) {
    		for (s = r+1; s < count; ++s) {
    			REL[cmp_fd(fd[r], fd[s])]++;
    		}
    	}
    	printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
    	qsort(fd, count, sizeof(fd[0]), cmp_fdp);
    	memset(REL, 0, sizeof(REL));
    
    	for (r = 0; r < count; ++r) {
    		for (s = r+1; s < count; ++s) {
    			REL[cmp_fd(fd[r], fd[s])]++;
    		}
    	}
    	printf("== %d\t< %d\t> %d\n", REL[0], REL[1], REL[2]);
    	return (REL[0] + REL[2] != 0);
    }
    
    Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
    "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/kcmp.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)
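The ordering argument from the kcmp commit above, as an added example that is not part of the original commit or of kernel/kcmp.c: the "sign of the difference" relation is checked for antisymmetry and transitivity against a direct comparison, using kcmp()'s 0/1/2 result convention. The sample values and the consistency checker are constructed for illustration; the comparators mirror the before and after logic as the commit message describes it.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Three-way comparator in kcmp()'s convention: 0 equal, 1 less, 2 greater. */
typedef int (*cmp3_fn)(long a, long b);

/* Pre-fix logic: reduce the relation to the sign of a-b. The subtraction
 * is done in unsigned arithmetic so it wraps like two's complement
 * hardware instead of being undefined behaviour in C. */
static int kcmp_by_difference(long a, long b)
{
	long d = (long)((unsigned long)a - (unsigned long)b);
	return (d < 0) | ((d > 0) << 1);
}

/* Post-fix logic: compare the two values directly. */
static int kcmp_by_compare(long a, long b)
{
	return (a < b) | ((a > b) << 1);
}

/* Values chosen to include the pairs the commit discusses: a-b == LONG_MIN
 * (LONG_MIN vs 0) and the triple LONG_MIN, 0, 1 (constructed sample). */
static const long sample_values[] = { LONG_MIN, LONG_MIN + 1, -1, 0, 1, LONG_MAX };
static const size_t sample_count = sizeof(sample_values) / sizeof(sample_values[0]);

/* Exhaustively checks that cmp is a total order on v[0..n): every pair is
 * antisymmetric (a<b iff b>a, a==b iff b==a) and "less" is transitive. */
static bool is_total_order(cmp3_fn cmp, const long *v, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		for (size_t j = 0; j < n; j++) {
			int ab = cmp(v[i], v[j]);
			int ba = cmp(v[j], v[i]);

			if (!((ab == 0 && ba == 0) ||
			      (ab == 1 && ba == 2) ||
			      (ab == 2 && ba == 1)))
				return false;   /* antisymmetry violated */

			for (size_t k = 0; k < n; k++) {
				int bc = cmp(v[j], v[k]);
				int ac = cmp(v[i], v[k]);

				if (ab == 1 && bc == 1 && ac != 1)
					return false;   /* transitivity violated */
			}
		}
	}
	return true;
}

int main(void)
{
	static const char *name[] = { "==", "<", ">" };

	/* The commit's counterexample: a=LONG_MIN, b=0, c=1. */
	printf("difference: LONG_MIN %s 0, 0 %s 1, LONG_MIN %s 1\n",
	       name[kcmp_by_difference(LONG_MIN, 0)],
	       name[kcmp_by_difference(0, 1)],
	       name[kcmp_by_difference(LONG_MIN, 1)]);
	printf("difference: LONG_MIN %s 0 and 0 %s LONG_MIN\n",
	       name[kcmp_by_difference(LONG_MIN, 0)],
	       name[kcmp_by_difference(0, LONG_MIN)]);
	printf("sign-of-difference is a total order: %s\n",
	       is_total_order(kcmp_by_difference, sample_values, sample_count) ? "yes" : "no");
	printf("direct comparison is a total order:  %s\n",
	       is_total_order(kcmp_by_compare, sample_values, sample_count) ? "yes" : "no");
	return 0;
}
```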

commit 147e912000d944ae724c3cce52cb69a574600807
Author: David Howells <dhowells@redhat.com>
Date:   Wed Sep 10 22:22:00 2014 +0100

    KEYS: Fix termination condition in assoc array garbage collection
    
    This fixes CVE-2014-3631.
    
    It is possible for an associative array to end up with a shortcut node at the
    root of the tree if there are more than fan-out leaves in the tree, but they
    all crowd into the same slot in the lowest level (ie. they all have the same
    first nibble of their index keys).
    
    When assoc_array_gc() returns back up the tree after scanning some leaves, it
    can fall off of the root and crash because it assumes that the back pointer
    from a shortcut (after label ascend_old_tree) must point to a normal node -
    which isn't true of a shortcut node at the root.
    
    Should we find we're ascending rootwards over a shortcut, we should check to
    see if the backpointer is zero - and if it is, we have completed the scan.
    
    This particular bug cannot occur if the root node is not a shortcut - ie. if
    you have fewer than 17 keys in a keyring or if you have at least two keys that
    sit into separate slots (eg. a keyring and a non keyring).
    
    This can be reproduced by:
    
    	ring=`keyctl newring bar @s`
    	for ((i=1; i<=18; i++)); do last_key=`keyctl newring foo$i $ring`; done
    	keyctl timeout $last_key 2
    
    Doing this:
    
    	echo 3 >/proc/sys/kernel/keys/gc_delay
    
    first will speed things up.
    
    If we do fall off of the top of the tree, we get the following oops:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
    IP: [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
    PGD dae15067 PUD cfc24067 PMD 0
    Oops: 0000 [#1] SMP
    Modules linked in: xt_nat xt_mark nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_ni
    CPU: 0 PID: 26011 Comm: kworker/0:1 Not tainted 3.14.9-200.fc20.x86_64 #1
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    Workqueue: events key_garbage_collector
    task: ffff8800918bd580 ti: ffff8800aac14000 task.ti: ffff8800aac14000
    RIP: 0010:[<ffffffff8136cea7>] [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
    RSP: 0018:ffff8800aac15d40  EFLAGS: 00010206
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8800aaecacc0
    RDX: ffff8800daecf440 RSI: 0000000000000001 RDI: ffff8800aadc2bc0
    RBP: ffff8800aac15da8 R08: 0000000000000001 R09: 0000000000000003
    R10: ffffffff8136ccc7 R11: 0000000000000000 R12: 0000000000000000
    R13: 0000000000000000 R14: 0000000000000070 R15: 0000000000000001
    FS:  0000000000000000(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000018 CR3: 00000000db10d000 CR4: 00000000000006f0
    Stack:
     ffff8800aac15d50 0000000000000011 ffff8800aac15db8 ffffffff812e2a70
     ffff880091a00600 0000000000000000 ffff8800aadc2bc3 00000000cd42c987
     ffff88003702df20 ffff88003702dfa0 0000000053b65c09 ffff8800aac15fd8
    Call Trace:
     [<ffffffff812e2a70>] ? keyring_detect_cycle_iterator+0x30/0x30
     [<ffffffff812e3e75>] keyring_gc+0x75/0x80
     [<ffffffff812e1424>] key_garbage_collector+0x154/0x3c0
     [<ffffffff810a67b6>] process_one_work+0x176/0x430
     [<ffffffff810a744b>] worker_thread+0x11b/0x3a0
     [<ffffffff810a7330>] ? rescuer_thread+0x3b0/0x3b0
     [<ffffffff810ae1a8>] kthread+0xd8/0xf0
     [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
     [<ffffffff816ffb7c>] ret_from_fork+0x7c/0xb0
     [<ffffffff810ae0d0>] ? insert_kthread_work+0x40/0x40
    Code: 08 4c 8b 22 0f 84 bf 00 00 00 41 83 c7 01 49 83 e4 fc 41 83 ff 0f 4c 89 65 c0 0f 8f 5a fe ff ff 48 8b 45 c0 4d 63 cf 49 83 c1 02 <4e> 8b 34 c8 4d 85 f6 0f 84 be 00 00 00 41 f6 c6 01 0f 84 92
    RIP  [<ffffffff8136cea7>] assoc_array_gc+0x2f7/0x540
     RSP <ffff8800aac15d40>
    CR2: 0000000000000018
    ---[ end trace 1129028a088c0cbd ]---
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Acked-by: Don Zickus <dzickus@redhat.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>

 lib/assoc_array.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit 67ce070b61e4819a434bca62c2e5cc6f56d7fbc8
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Sep 13 11:30:10 2014 -0700

    vfs: fix bad hashing of dentries
    
    Josef Bacik found a performance regression between 3.2 and 3.10 and
    narrowed it down to commit bfcfaa77bdf0 ("vfs: use 'unsigned long'
    accesses for dcache name comparison and hashing"). He reports:
    
     "The test case is essentially
    
          for (i = 0; i < 1000000; i++)
                  mkdir("a$i");
    
      On xfs on a fio card this goes at about 20k dir/sec with 3.2, and 12k
      dir/sec with 3.10.  This is because we spend waaaaay more time in
      __d_lookup on 3.10 than in 3.2.
    
      The new hashing function for strings is suboptimal for <
      sizeof(unsigned long) string names (and hell even > sizeof(unsigned
      long) string names that I've tested).  I broke out the old hashing
      function and the new one into a userspace helper to get real numbers
      and this is what I'm getting:
    
          Old hash table had 1000000 entries, 0 dupes, 0 max dupes
          New hash table had 12628 entries, 987372 dupes, 900 max dupes
          We had 11400 buckets with a p50 of 30 dupes, p90 of 240 dupes, p99 of 567 dupes for the new hash
    
      My test does the hash, and then does the d_hash into a integer pointer
      array the same size as the dentry hash table on my system, and then
      just increments the value at the address we got to see how many
      entries we overlap with.
    
      As you can see the old hash function ended up with all 1 million
      entries in their own bucket, whereas the new one they are only
      distributed among ~12.5k buckets, which is why we're using so much
      more CPU in __d_lookup".
    
    The reason for this hash regression is two-fold:
    
     - On 64-bit architectures the down-mixing of the original 64-bit
       word-at-a-time hash into the final 32-bit hash value is very
       simplistic and suboptimal, and just adds the two 32-bit parts
       together.
    
       In particular, because there is no bit shuffling and the mixing
       boundary is also a byte boundary, similar character patterns in the
       low and high word easily end up just canceling each other out.
    
     - the old byte-at-a-time hash mixed each byte into the final hash as it
       hashed the path component name, resulting in the low bits of the hash
       generally being a good source of hash data.  That is not true for the
       word-at-a-time case, and the hash data is distributed among all the
       bits.
    
    The fix is the same in both cases: do a better job of mixing the bits up
    and using as much of the hash data as possible.  We already have the
    "hash_32|64()" functions to do that.
    
    Reported-by: Josef Bacik <jbacik@fb.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Chris Mason <clm@fb.com>
    Cc: linux-fsdevel@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/dcache.c |    3 +--
 fs/namei.c  |    4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

commit 4f6bd878a42e4a69b461865319fc6de966f18fb3
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Sep 13 11:24:03 2014 -0700

    Make hash_64() use a 64-bit multiply when appropriate
    
    The hash_64() function historically does the multiply by the
    GOLDEN_RATIO_PRIME_64 number with explicit shifts and adds, because
    unlike the 32-bit case, gcc seems unable to turn the constant multiply
    into the more appropriate shift and adds when required.
    
    However, that means that we generate those shifts and adds even when the
    architecture has a fast multiplier, and could just do it better in
    hardware.
    
    Use the now-cleaned-up CONFIG_ARCH_HAS_FAST_MULTIPLIER (together with
    "is it a 64-bit architecture") to decide whether to use an integer
    multiply or the explicit sequence of shift/add instructions.
    
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 include/linux/hash.h |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit c4cf8a13bb94a9541d4cb183f85a3d6620899449
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Sep 13 11:14:53 2014 -0700

    Make ARCH_HAS_FAST_MULTIPLIER a real config variable
    
    It used to be an ad-hoc hack defined by the x86 version of
    <asm/bitops.h> that enabled a couple of library routines to know whether
    an integer multiply is faster than repeated shifts and additions.
    
    This just makes it use the real Kconfig system instead, and makes x86
    (which was the only architecture that did this) select the option.
    
    NOTE! Even for x86, this really is kind of wrong.  If we cared, we would
    probably not enable this for builds optimized for netburst (P4), where
    shifts-and-adds are generally faster than multiplies.  This patch does
    *not* change that kind of logic, though, it is purely a syntactic change
    with no code changes.
    
    This was triggered by the fact that we have other places that really
    want to know "do I want to expand multiples by constants by hand or
    not", particularly the hash generation code.
    
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/Kconfig              |    1 +
 arch/x86/include/asm/bitops.h |    2 --
 lib/Kconfig                   |    3 +++
 lib/hweight.c                 |    4 ++--
 lib/string.c                  |    4 ++--
 5 files changed, 8 insertions(+), 6 deletions(-)

commit 612cdc7e0561694184903defa1f6583abecae833
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Thu Sep 11 23:44:35 2014 +0200

    futex: Unlock hb->lock in futex_wait_requeue_pi() error path
    
    futex_wait_requeue_pi() calls futex_wait_setup(). If
    futex_wait_setup() succeeds it returns with hb->lock held and
    preemption disabled. Now the sanity check after this does:
    
            if (match_futex(&q.key, &key2)) {
    	   	ret = -EINVAL;
    		goto out_put_keys;
    	}
    
    which releases the keys but does not release hb->lock.
    
    So we happily return to user space with hb->lock held and therefore
    preemption disabled.
    
    Unlock hb->lock before taking the exit route.
    
    Reported-by: Dave "Trinity" Jones <davej@redhat.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Darren Hart <dvhart@linux.intel.com>
    Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

 kernel/futex.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 6862f180a7e3a5ea7abf6f1914a0cccc22ca277a
Author: Ilya Dryomov <ilya.dryomov@inktank.com>
Date:   Tue Sep 9 19:39:15 2014 +0400

    libceph: do not hard code max auth ticket len
    
    We hard code cephx auth ticket buffer size to 256 bytes.  This isn't
    enough for any moderate setups and, in case tickets themselves are not
    encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but
    ceph_decode_copy() doesn't - it's just a memcpy() wrapper).  Since the
    buffer is allocated dynamically anyway, allocate it a bit later, at
    the point where we know how much is going to be needed.
    
    Fixes: http://tracker.ceph.com/issues/8979
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
    Reviewed-by: Sage Weil <sage@redhat.com>

 net/ceph/auth_x.c |   64 ++++++++++++++++++++++++-----------------------------
 1 files changed, 29 insertions(+), 35 deletions(-)
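The ticket-length commit above describes the hazard precisely: a fixed 256-byte buffer chosen before the length is known, and a decode-copy helper that is only a memcpy() wrapper. The following is an added example written for this page, not libceph code. It uses a constructed wire layout (32-bit little-endian length, then payload; not the cephx format) and shows the pre-fix shape beside the post-fix shape, where the length is validated against the bytes actually present and the buffer is allocated only once the size is known. Function names and the message builder are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Wire layout assumed for this example (constructed, not the cephx format):
 * a 32-bit little-endian length followed by that many payload bytes. */
struct cursor {
	const unsigned char *p;    /* next unread byte */
	const unsigned char *end;  /* one past the last byte */
};

static int decode_u32(struct cursor *c, uint32_t *out)
{
	if ((size_t)(c->end - c->p) < 4)
		return -1;
	*out = (uint32_t)c->p[0] | ((uint32_t)c->p[1] << 8) |
	       ((uint32_t)c->p[2] << 16) | ((uint32_t)c->p[3] << 24);
	c->p += 4;
	return 0;
}

/* Pre-fix shape: the destination size is fixed before the length is known,
 * and the copy itself checks nothing. Returns 1 instead of overflowing so
 * the hazard is observable; an unchecked memcpy at that point is the bug. */
#define FIXED_BUF_LEN 256

static int decode_blob_fixed(struct cursor *c, unsigned char *buf, size_t *blob_len)
{
	uint32_t len;

	if (decode_u32(c, &len) < 0 || (size_t)(c->end - c->p) < len)
		return -1;              /* truncated input */
	if (len > FIXED_BUF_LEN)
		return 1;               /* a plain memcpy here overruns buf */
	memcpy(buf, c->p, len);
	c->p += len;
	*blob_len = len;
	return 0;
}

/* Post-fix shape: check the length against what is actually present, then
 * allocate exactly that much. Caller frees *out. */
static int decode_blob_alloc(struct cursor *c, unsigned char **out, size_t *blob_len)
{
	uint32_t len;

	if (decode_u32(c, &len) < 0 || (size_t)(c->end - c->p) < len)
		return -1;              /* truncated or oversized claim */
	*out = malloc(len ? len : 1);
	if (!*out)
		return -1;
	memcpy(*out, c->p, len);
	c->p += len;
	*blob_len = len;
	return 0;
}

/* Build a constructed message whose header claims `claim` bytes while only
 * `avail` payload bytes follow (avail == claim for a well-formed message). */
static size_t build_msg(unsigned char *dst, size_t cap, uint32_t claim, size_t avail)
{
	if (cap < 4 + avail)
		return 0;
	dst[0] = claim & 0xff;         dst[1] = (claim >> 8) & 0xff;
	dst[2] = (claim >> 16) & 0xff; dst[3] = (claim >> 24) & 0xff;
	memset(dst + 4, 'A', avail);
	return 4 + avail;
}

/* Run the pre-fix decoder: 0 ok, 1 would have overflowed, -1 invalid. */
static int try_fixed(uint32_t claim, size_t avail)
{
	static unsigned char msg[4 + 4096];
	unsigned char buf[FIXED_BUF_LEN];
	size_t got = 0, n = build_msg(msg, sizeof(msg), claim, avail);
	struct cursor c = { msg, msg + n };

	return n ? decode_blob_fixed(&c, buf, &got) : -1;
}

/* Run the post-fix decoder: returns the blob length, or -1 on error. */
static long try_alloc(uint32_t claim, size_t avail)
{
	static unsigned char msg[4 + 4096];
	unsigned char *blob = NULL;
	size_t got = 0, n = build_msg(msg, sizeof(msg), claim, avail);
	struct cursor c = { msg, msg + n };
	int rc = n ? decode_blob_alloc(&c, &blob, &got) : -1;

	free(blob);
	return rc < 0 ? -1 : (long)got;
}
```

A 1000-byte ticket is accepted by the allocating decoder and would have overrun the fixed buffer; a header that claims more bytes than the message carries is rejected by both, which is the check that has to sit in front of any copy regardless of how the destination is sized.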

commit e820ad90ca5c8fa3d1649ff6ebe2f2df40e08204
Author: Ilya Dryomov <ilya.dryomov@inktank.com>
Date:   Mon Sep 8 17:25:34 2014 +0400

    libceph: add process_one_ticket() helper
    
    Add a helper for processing individual cephx auth tickets.  Needed for
    the next commit, which deals with allocating ticket buffers.  (Most of
    the diff here is whitespace - view with git diff -b).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com>
    Reviewed-by: Sage Weil <sage@redhat.com>

 net/ceph/auth_x.c |  228 +++++++++++++++++++++++++++++------------------------
 1 files changed, 124 insertions(+), 104 deletions(-)

commit 0439d41b898d865380015036be9ea3f74296929c
Author: Sage Weil <sage@redhat.com>
Date:   Mon Aug 4 07:01:54 2014 -0700

    libceph: gracefully handle large reply messages from the mon
    
    We preallocate a few of the message types we get back from the mon.  If we
    get a larger message than we are expecting, fall back to trying to allocate
    a new one instead of blindly using the one we have.
    
    CC: stable@vger.kernel.org
    Signed-off-by: Sage Weil <sage@redhat.com>
    Reviewed-by: Ilya Dryomov <ilya.dryomov@inktank.com>

 net/ceph/mon_client.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 6bf4d8bcdd7dfc4baeafd96bb8902e2e5d8333a9
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 14:06:55 2014 +0200

    udf: Avoid infinite loop when processing indirect ICBs
    
    We did not implement any bound on the number of indirect ICBs we follow when
    loading an inode. Thus a corrupted medium could cause the kernel to go into an
    infinite loop, possibly causing a stack overflow.
    
    Fix the possible stack overflow by removing recursion from
    __udf_read_inode() and limit the number of indirect ICBs we follow to avoid
    infinite loops.
    
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c |   35 +++++++++++++++++++++--------------
 1 files changed, 21 insertions(+), 14 deletions(-)

commit 1a21fbc20d8ce1989e38e96d9c43637e3b99eecd
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 13:32:50 2014 +0200

    udf: Fold udf_fill_inode() into __udf_read_inode()
    
    There's no good reason to separate these since udf_fill_inode() is
    called only from __udf_read_inode() and both do part of the same thing.
    
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c |   22 +++++-----------------
 1 files changed, 5 insertions(+), 17 deletions(-)

commit eee6781d73a28ea760bd9b99590680975df0a940
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 11:47:51 2014 +0200

    udf: Avoid dir link count to go negative
    
    If we are writing back the inode of an unlinked directory, its link count ends
    up being (u16)-1. Although the inode is deleted, udf_iget() can load the
    inode when NFS uses a stale file handle and get confused.
    
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/udf/inode.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 84a70340dc8768c1f704fabf188f924ce809722f
Author: Ani Sinha <ani@arista.com>
Date:   Mon Sep 8 14:49:59 2014 -0700

    net:socket: set msg_namelen to 0 if msg_name is passed as NULL in msghdr struct from userland.
    
    The Linux manpage for the recvmsg and sendmsg calls does not explicitly mention setting msg_namelen to 0 when
    msg_name is passed as NULL. When developers don't set the msg_namelen member in msghdr, it might contain a garbage
    value which will fail the validation check, and the sendmsg and recvmsg calls in the kernel will return EINVAL. This will
    break old binaries and any code for which there is no access to source code.
    To fix this, we set msg_namelen to 0 when msg_name is passed as NULL from userland.
    
    Signed-off-by: Ani Sinha <ani@arista.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/socket.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 7644120b6eac094ab9a15343613ccfac59e39fdd
Author: Andrey Vagin <avagin@openvz.org>
Date:   Tue Sep 9 14:51:04 2014 -0700

    fsnotify/fdinfo: use named constants instead of hardcoded values
    
    MAX_HANDLE_SZ is equal to 128, but currently the size of pad is only 64
    bytes, so exportfs_encode_inode_fh can return an error.
    
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	fs/notify/fdinfo.c

 fs/notify/fdinfo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 578dfabf7795615370a17572ba1ecd90b60f00ec
Author: Andrey Vagin <avagin@openvz.org>
Date:   Tue Sep 9 14:51:06 2014 -0700

    fs/notify: don't show f_handle if exportfs_encode_inode_fh failed
    
    Currently we handle only ENOSPC.  In case of other errors the file_handle
    variable isn't filled properly and we will show a part of stack.
    
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	fs/notify/fdinfo.c

 fs/notify/fdinfo.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 3b5b2119ffb5b5a89db11ab09bcdc0d4def64785
Merge: 90e485d 82cdd4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 18:39:20 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 82cdd4d5f1a93b5220bd34e4c35504e09fb1fbe5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Sep 11 18:37:31 2014 -0400

    Update to pax-linux-3.14.18-test18.patch:
    - fixed an assert in the latent entropy plugin under gcc 4.5, reported by Emese
    - worked around an incompatibility between the KERNEXEC plugins and early EFI service calls, by Mathias Krause <mathias.krause@secunet.com>
    - fixed a typo in INVPCID_ALL_MONGLOBAL

 arch/arm/kvm/arm.c                |    2 +-
 arch/mips/kvm/kvm_mips.c          |    2 +-
 arch/x86/include/asm/processor.h  |    2 +-
 arch/x86/include/asm/tlbflush.h   |    2 +-
 arch/x86/kernel/entry_64.S        |   19 +++++++++++++++++++
 tools/gcc/latent_entropy_plugin.c |    6 +++++-
 6 files changed, 28 insertions(+), 5 deletions(-)

commit 90e485dc3f9c686802332908c0ddab091a2c70b5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 20:57:24 2014 -0400

    fix several more cases of DMA-on-stack

 drivers/media/usb/dvb-usb/cinergyT2-fe.c |  182 ++++++++++++++++++++++--------
 1 files changed, 133 insertions(+), 49 deletions(-)

commit 506a1d7f9a054e2e959b74f5d2befe915de06c55
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Sep 8 19:56:08 2014 -0400

    Fix yet another DMA-on-stack case in the driver for the DVB-T TerraTec
    Cinergy T2, reported by sainz76 on the forums.

 drivers/media/usb/dvb-usb/cinergyT2-core.c |   91 +++++++++++++++++++++++-----
 1 files changed, 75 insertions(+), 16 deletions(-)

commit 9b8cf978657a67901fb53388d18532a94fffcdc7
Author: Mathias Krause <mathias.krause@secunet.com>
Date:   Mon Sep 8 13:13:02 2014 +0200

    pax: defer KERNEXEC instrumentation in IRQ return path
    
    The EFI runtime service to relocate, well, the EFI runtime services
    (SetVirtualAddressMap) gets called with a physical mapping and with
    interrupts enabled. If an IRQ triggers while we're executing code in
    the EFI region, the KERNEXEC instrumentation will set the MSB of the
    return address. But this address is actually located in the lower 4GB,
    thereby setting the MSB makes the CPU #GP as the return address just
    got non-canonical.
    
    Fix this by deferring the KERNEXEC instrumentation for the iret path
    until alternatives are applied. This allows these early EFI runtime
    service calls to get interrupted not only by IRQs but also NMIs and
    activates the instrumentation before any userland code will be
    executed -- even before the other APs are started.
    
    Signed-off-by: Mathias Krause <mathias.krause@secunet.com>

 arch/x86/kernel/entry_64.S |   19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)

commit 62d2c9f3e8fc60252ac136952a2e5605271652db
Author: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date:   Wed Sep 3 23:59:21 2014 +0200

    ipv6: fix a refcnt leak with peer addr
    
    There is no reason to take a refcnt before deleting the peer address route.
    It's done some lines below for the local prefix route because
    inet6_ifa_finish_destroy() will release it at the end.
    For the peer address route, we want to free it right now.
    
    This bug has been introduced by commit
    caeaba79009c ("ipv6: add support of peer address").
    
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/addrconf.c |    7 ++-----
 1 files changed, 2 insertions(+), 5 deletions(-)

commit 39d4a4e77590e069654f0c3bcda9bdc3e93c617d
Merge: c3193fc 1c910c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 5 20:24:05 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1c910c607d3cd9340d72309c9260efdba9457880
Merge: 623cd879 8e952ae
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Sep 5 20:23:48 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit c3193fc6b232ec6088c2c5684f8708a96915f14d
Author: Jeff Moyer <jmoyer@redhat.com>
Date:   Tue Sep 2 13:17:00 2014 -0400

    aio: add missing smp_rmb() in read_events_ring
    
    We ran into a case on ppc64 running mariadb where io_getevents would
    return zeroed out I/O events.  After adding instrumentation, it became
    clear that there was some missing synchronization between reading the
    tail pointer and the events themselves.  This small patch fixes the
    problem in testing.
    
    Thanks to Zach for helping to look into this, and suggesting the fix.
    
    Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
    Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org

 fs/aio.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 889829fcce958e6aee8bab0d8acb16efb0b8b2a3
Author: David Howells <dhowells@redhat.com>
Date:   Tue Sep 2 13:52:20 2014 +0100

    KEYS: Fix use-after-free in assoc_array_gc()
    
    An edit script should be considered inaccessible by a function once it has
    called assoc_array_apply_edit() or assoc_array_cancel_edit().
    
    However, assoc_array_gc() is accessing the edit script just after the
    gc_complete: label.
    
    Reported-by: Andreea-Cristina Bernat <bernat.ada@gmail.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Reviewed-by: Andreea-Cristina Bernat <bernat.ada@gmail.com>
    cc: shemming@brocade.com
    cc: paulmck@linux.vnet.ibm.com
    Cc: stable@vger.kernel.org
    Signed-off-by: James Morris <james.l.morris@oracle.com>

 lib/assoc_array.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7c8de7d2e55b6ba40297e8d439e456970ae7b797
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Sep 2 17:10:28 2014 -0400

    Don't copy directly out of dentry struct via inline names with ceph
    to avoid a USERCOPY violation
    
    Reported by Stephane Neveu

 fs/ceph/dir.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 225f4a2944493d3f3a78f9a77242bc40187709b4
Author: Matthew Wilcox <matthew.r.wilcox@intel.com>
Date:   Fri Aug 29 15:18:33 2014 -0700

    mm: actually clear pmd_numa before invalidating
    
    Commit 67f87463d3a3 ("mm: clear pmd_numa before invalidating") cleared
    the NUMA bit in a copy of the PMD entry, but then wrote back the
    original
    
    Signed-off-by: Matthew Wilcox <matthew.r.wilcox@intel.com>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Reviewed-by: Rik van Riel <riel@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/pgtable-generic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 6a81ffa5f417c4a9b3e132e4901009dac52e5fd5
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Wed Aug 27 09:13:15 2014 +0200

    HID: picolcd: sanity check report size in raw_event() callback
    
    The report passed to us from the transport driver could potentially be
    arbitrarily large, therefore we better sanity-check it so that raw_data
    that we hold in picolcd_pending structure are always kept within proper
    bounds.
    
    Cc: stable@vger.kernel.org
    Reported-by: Steven Vittitoe <scvitti@google.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

 drivers/hid/hid-picolcd_core.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

commit 0fbba1d7ded681af95711461594afaee7a8d57e6
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Wed Aug 27 09:12:24 2014 +0200

    HID: magicmouse: sanity check report size in raw_event() callback
    
    The report passed to us from the transport driver could potentially be
    arbitrarily large, therefore we better sanity-check it so that
    magicmouse_emit_touch() gets only valid values of raw_id.
    
    Cc: stable@vger.kernel.org
    Reported-by: Steven Vittitoe <scvitti@google.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

 drivers/hid/hid-magicmouse.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit f5ee9941ebb0f4914dc0eab251f733de029751a4
Author: Josef Bacik <jbacik@fb.com>
Date:   Mon Aug 25 13:59:41 2014 -0400

    trace: Fix epoll hang when we race with new entries
    
    Epoll on trace_pipe can sometimes hang in a weird case.  If the ring buffer is
    empty when we set waiters_pending but an event shows up exactly at that moment
    we can miss being woken up by the ring buffers irq work.  Since
    ring_buffer_empty() is inherently racy we will sometimes think that the buffer
    is not empty.  So we don't get woken up and we don't think there are any events
    even though there were some ready when we added the watch, which makes us hang.
    This patch fixes this by making sure that we are actually on the wait list
    before we set waiters_pending, and add a memory barrier to make sure
    ring_buffer_empty() is going to be correct.
    
    Link: http://lkml.kernel.org/p/1408989581-23727-1-git-send-email-jbacik@fb.com
    
    Cc: stable@vger.kernel.org # 3.10+
    Cc: Martin Lau <kafai@fb.com>
    Signed-off-by: Josef Bacik <jbacik@fb.com>
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

 kernel/trace/ring_buffer.c |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)

commit 1f6566157cb600e58657781039126f268cd289f9
Merge: 235e904 623cd879
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 31 16:09:39 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	include/net/inetpeer.h

commit 623cd87988ed76c26d77888ffc88028a0a15fe5a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 31 16:08:46 2014 -0400

    Update to pax-linux-3.14.17-test16.patch

 fs/nfsd/nfscache.c     |    2 +-
 fs/nls/nls_base.c      |    4 ++--
 include/linux/nls.h    |    2 +-
 include/net/inetpeer.h |    2 +-
 net/ipv4/route.c       |   12 ++++--------
 net/ipv6/output_core.c |    1 +
 6 files changed, 10 insertions(+), 13 deletions(-)

commit 235e9046d0ed61ae8c893041156e6ce5b14c45f7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 26 00:35:30 2014 -0400

    add comment
    
    Conflicts:
    
    	mm/mmap.c

 mm/mmap.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 76a4deb6635f9862e30dd547b7c63530e822076f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 23:28:01 2014 -0400

    reuse mm instead of using current->mm

 mm/mmap.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0042386d97cb97b99231c7bfd67f8028d6e69e52
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 23:19:09 2014 -0400

    Kill Chris Evans' ulimit -d 1 technique to slightly reduce heap ASLR
    entropy on suid/sgid binaries.
    
    Time he spent developing the entire exploit: who knows
    Time I spent adding another way in addition to the 6 or so existing
    ways his exploit is prevented: ~ 5 minutes
    
    Hashtag: ProjectZeroImpact

 mm/mmap.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 39e6c350f26d40b9e002ec3d5b43078384cfafd6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 19:48:38 2014 -0400

    compile fix

 grsecurity/gracl_cap.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit a2b8c5d78a0aab758240d16ea5f05487336e53c6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Aug 25 19:40:32 2014 -0400

    make sure in every case where we would end up performing a role
    transition in the full-learned policy that we log the necessary
    CAP_SETUID/CAP_SETGID.  This will happen regardless of the
    process actually having CAP_SETUID or CAP_SETGID set, as the
    check on role transition is done only against the subject's permitted
    capabilities, not actual active capabilities
    
    This fixes full-learning on sshd and likely other applications
    
    Thanks to Stephane from the forums for the report!

 grsecurity/gracl_cap.c      |   40 +++++++++++++++++++++++++++-------------
 grsecurity/grsec_disabled.c |    6 ++++++
 include/linux/grsecurity.h  |    2 ++
 kernel/sys.c                |   19 +++++++++++++++++++
 4 files changed, 54 insertions(+), 13 deletions(-)

commit 1a98391aec2d0076a940fb3d73fab91bc649b3d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 24 14:59:13 2014 -0400

    add GFP_USERCOPY to single_open_size(), spotted during 3.16 port

 fs/seq_file.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 269287c80578f51ebdfa5523718f58a14166bbd3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 22 16:41:15 2014 -0400

    Introduce an experimental change to TPE -- reject execution of binaries that
    are world-writable.  Contributed by Mickaël Salaün

 grsecurity/grsec_tpe.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 3a0557d256dddeed487ea5f4fc93ad73205a2278
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 21 23:53:18 2014 -0400

    If no cgroup agent release path is specified, don't bother trying to
    exec any nonexistent usermode helper -- prevents a waste of resources
    and fixes some annoying grsec logs detecting this case.
    
    Thanks to ice9 from the forums for help with testing.
    
    Conflicts:
    
    	kernel/cgroup.c

 kernel/cgroup.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit b5c77ef755ab388101d5bd1cfe91253283e6e9da
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Aug 15 09:16:04 2014 -0700

    Upstream commit: dc808110bb62b64a448696ecac3938902c92e1ab
    
    packet: handle too big packets for PACKET_V3
    
    af_packet can currently overwrite kernel memory by out of bound
    accesses, because it assumed a [new] block can always hold one frame.
    
    This is not generally the case, even if most existing tools do it right.
    
    This patch clamps too long frames as the API permits, and issues a one-time
    error on syslog.
    
    [  394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82
    
    In this example, packet header tp_snaplen was set to 3966,
    and tp_len was set to 5042 (skb->len)
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Acked-by: Daniel Borkmann <dborkman@redhat.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/packet/af_packet.c |   17 +++++++++++++++++
 net/packet/internal.h  |    1 +
 2 files changed, 18 insertions(+), 0 deletions(-)

commit c223ecf11b6afea9bcd450630eceab2c65d1d307
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 21 20:33:45 2014 -0400

    Remove GRKERNSEC_RANDNET -- it has been unnecessary for quite some
    time now, at least since get_random_bytes started to be used directly
    for filling of AT_RANDOM on each exec -- it's not really possible
    anymore to store up sufficient entropy such that this option would
    have any effect.

 drivers/char/random.c |   14 --------------
 grsecurity/Kconfig    |   10 ----------
 2 files changed, 0 insertions(+), 24 deletions(-)

commit 519cc6cc7618a93a821a9733cccc2a635be84017
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Thu Aug 21 09:57:17 2014 -0500

    Upstream commit: ad3e14d7c5268c2e24477c6ef54bbdf88add5d36
    
    HID: logitech: perform bounds checking on device_id early enough
    
    device_index is a char type and the size of paired_dj_devices is 7
    elements, therefore proper bounds checking has to be applied to
    device_index before it is used.
    
    We are currently performing the bounds checking in
    logi_dj_recv_add_djhid_device(), which is too late, as a malicious device
    could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
    problem in one of the report forwarding functions called from
    logi_dj_raw_event().
    
    Fix this by performing the check at the earliest possible occasion in
    logi_dj_raw_event().
    
    Cc: stable@vger.kernel.org
    Reported-by: Ben Hawkes <hawkes@google.com>
    Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

 drivers/hid/hid-logitech-dj.c |   13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)

commit 7a214b55871b780e5a9eec6e38fffb2d7d37afc4
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Thu Aug 21 09:57:48 2014 -0500

    Upstream commit: 4ab25786c87eb20857bbb715c3ae34ec8fd6a214
    
    HID: fix a couple of off-by-ones
    
    There are a few very theoretical off-by-one bugs in report descriptor size
    checking when performing a pre-parsing fixup. Fix those.
    
    Cc: stable@vger.kernel.org
    Reported-by: Ben Hawkes <hawkes@google.com>
    Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>

 drivers/hid/hid-cherry.c   |    2 +-
 drivers/hid/hid-kye.c      |    2 +-
 drivers/hid/hid-lg.c       |    4 ++--
 drivers/hid/hid-monterey.c |    2 +-
 drivers/hid/hid-petalynx.c |    2 +-
 drivers/hid/hid-sunplus.c  |    2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

commit 1652ff2d0602e17e3b70cafd24fca7ac75580c23
Author: Jan Kara <jack@suse.cz>
Date:   Sun Aug 17 11:49:57 2014 +0200

    Upstream commit: 410dd3cf4c9b36f27ed4542ee18b1af5e68645a4
    
    isofs: Fix unbounded recursion when processing relocated directories
    
    We did not check the relocated directory in any way when processing the Rock
    Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
    entry pointing to another CL entry, leading to possibly unbounded
    recursion in kernel code and thus stack overflow or deadlocks (if there
    is a loop created from CL entries).
    
    Fix the problem by not allowing a CL entry to point to a directory entry
    with a CL entry (such use makes no good sense anyway) and by checking
    whether the CL entry doesn't point to itself.
    
    CC: stable@vger.kernel.org
    Reported-by: Chris Evans <cevans@google.com>
    Signed-off-by: Jan Kara <jack@suse.cz>

 fs/isofs/inode.c |   15 ++++++++-------
 fs/isofs/isofs.h |   23 +++++++++++++++++++----
 fs/isofs/rock.c  |   39 ++++++++++++++++++++++++++++-----------
 3 files changed, 55 insertions(+), 22 deletions(-)
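The udf commit earlier in this log (indirect ICBs) and the isofs commit above (Rock Ridge CL entries) fix the same class of bug: an on-disk pointer chain that corrupted media can turn into a loop, driving recursive kernel code into a stack overflow. The following is an added example written for this page, not code from either filesystem. It uses a constructed record table where a record either carries data or redirects to another record, and shows the two remedies the commits describe: an iterative walk with a hard hop limit and a self-reference check (the udf approach), and the stricter isofs rule that a redirect may never land on another redirect. The record layout, the limit of 16 hops and the function names are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed on-disk-like record table: each record either carries data or
 * redirects to another record (an indirect ICB in UDF, a CL entry in Rock
 * Ridge). Nothing on corrupted media guarantees the redirects terminate. */
struct rec {
	int redirect;      /* 1: follow `target` instead of using this record */
	uint32_t target;   /* record index to follow when redirect == 1 */
};

#define MAX_REDIRECTS 16   /* bound chosen for the example, not the kernel's value */

enum {
	RESOLVE_OK     =  0,
	RESOLVE_RANGE  = -1,  /* target lies outside the table */
	RESOLVE_SELF   = -2,  /* record points at itself */
	RESOLVE_CHAIN  = -3,  /* chain too long: a cycle or absurd nesting */
	RESOLVE_DOUBLE = -4,  /* redirect lands on another redirect (disallowed) */
};

/* Iterative resolution with a hard bound: never recurses, so a corrupted
 * table cannot exhaust the stack, and any cycle is cut by the hop counter. */
static int resolve_bounded(const struct rec *tab, size_t n, uint32_t start, uint32_t *out)
{
	uint32_t idx = start;
	unsigned hops = 0;

	for (;;) {
		if (idx >= n)
			return RESOLVE_RANGE;
		if (!tab[idx].redirect)
			break;
		if (tab[idx].target == idx)
			return RESOLVE_SELF;
		if (++hops > MAX_REDIRECTS)
			return RESOLVE_CHAIN;
		idx = tab[idx].target;
	}
	*out = idx;
	return RESOLVE_OK;
}

/* Stricter policy in the spirit of the isofs fix: a redirect may only land on
 * a plain record, never on another redirect, so at most one hop is taken and
 * a loop cannot even be expressed. */
static int resolve_single_hop(const struct rec *tab, size_t n, uint32_t start, uint32_t *out)
{
	if (start >= n)
		return RESOLVE_RANGE;
	if (!tab[start].redirect) {
		*out = start;
		return RESOLVE_OK;
	}
	if (tab[start].target == start)
		return RESOLVE_SELF;
	if (tab[start].target >= n)
		return RESOLVE_RANGE;
	if (tab[tab[start].target].redirect)
		return RESOLVE_DOUBLE;
	*out = tab[start].target;
	return RESOLVE_OK;
}

/* Constructed tables: a sane two-hop chain, a self-loop, a two-record cycle
 * and a dangling pointer, the shapes a fuzzed or damaged image can contain. */
static const struct rec sane[]     = { {1, 1}, {1, 2}, {0, 0} };
static const struct rec selfref[]  = { {1, 0} };
static const struct rec cycle[]    = { {1, 1}, {1, 0} };
static const struct rec dangling[] = { {1, 7} };

/* Helpers that fold the status and the resolved index into one int:
 * a non-negative value is the resolved record, a negative one the error. */
static int demo_bounded(const struct rec *tab, size_t n, uint32_t start)
{
	uint32_t got;
	int rc = resolve_bounded(tab, n, start, &got);
	return rc == RESOLVE_OK ? (int)got : rc;
}

static int demo_single(const struct rec *tab, size_t n, uint32_t start)
{
	uint32_t got;
	int rc = resolve_single_hop(tab, n, start, &got);
	return rc == RESOLVE_OK ? (int)got : rc;
}
```

The bounded walker resolves the sane chain, rejects the self-loop outright and gives up on the two-record cycle once the hop limit is hit; the single-hop policy additionally refuses the sane chain because its first redirect points at another redirect, which is the trade-off the isofs commit accepts ("such use makes no good sense anyway").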

commit fe3388bb02a3c91810742864fe7d65ce73b1d02a
Author: NeilBrown <neilb@suse.de>
Date:   Mon Aug 18 13:59:50 2014 +1000

    Upstream commit: b39685526f46976bcd13aa08c82480092befa46c
    
    md/raid10: Fix memory leak when raid10 reshape completes.
    
    When a raid10 commences a resync/recovery/reshape it allocates
    some buffer space.
    When a resync/recovery completes the buffer space is freed.  But not
    when the reshape completes.
    This can result in a small memory leak.
    
    There is a subtle side-effect of this bug.  When a RAID10 is reshaped
    to a larger array (more devices), the reshape is immediately followed
    by a "resync" of the new space.  This "resync" will use the buffer
    space which was allocated for "reshape".  This can cause problems
    including a "BUG" in the SCSI layer.  So this is suitable for -stable.
    
    Cc: stable@vger.kernel.org (v3.5+)
    Fixes: 3ea7daa5d7fde47cd41f4d56c2deb949114da9d6
    Signed-off-by: NeilBrown <neilb@suse.de>

 drivers/md/raid10.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 327bfcc73c2281768d0e2bf96402ae8e63a540aa
Author: NeilBrown <neilb@suse.de>
Date:   Mon Aug 18 13:56:38 2014 +1000

    Upstream commit: ce0b0a46955d1bb389684a2605dbcaa990ba0154
    
    md/raid10: fix memory leak when reshaping a RAID10.
    
    raid10 reshape clears unwanted bits from a bio->bi_flags using
    a method which, while clumsy, worked until 3.10 when BIO_OWNS_VEC
    was added.
    Since then it clears that bit but shouldn't.  This results in a
    memory leak.
    
    So change to use the approved method of clearing unwanted bits.
    
    As this causes a memory leak which can consume all of memory
    the fix is suitable for -stable.
    
    Fixes: a38352e0ac02dbbd4fa464dc22d1352b5fbd06fd
    Cc: stable@vger.kernel.org (v3.10+)
    Reported-by: mdraid.pkoch@dfgh.net (Peter Koch)
    Signed-off-by: NeilBrown <neilb@suse.de>

 drivers/md/raid10.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2403af4cfb9aecd9453635deecf47091d64cbc09
Author: NeilBrown <neilb@suse.de>
Date:   Wed Aug 13 09:57:07 2014 +1000

    Upstream commit: 9c4bdf697c39805078392d5ddbbba5ae5680e0dd
    
    md/raid6: avoid data corruption during recovery of double-degraded RAID6
    
    During recovery of a double-degraded RAID6 it is possible for
    some blocks not to be recovered properly, leading to corruption.
    
    If a write happens to one block in a stripe that would be written to a
    missing device, and at the same time that stripe is recovering data
    to the other missing device, then that recovered data may not be written.
    
    This patch skips, in the double-degraded case, an optimisation that is
    only safe for single-degraded arrays.
    
    Bug was introduced in 2.6.32 and fix is suitable for any kernel since
    then.  In an older kernel with separate handle_stripe5() and
    handle_stripe6() functions the patch must change handle_stripe6().
    
    Cc: stable@vger.kernel.org (2.6.32+)
    Fixes: 6c0069c0ae9659e3a91b68eaed06a5c6c37f45c8
    Cc: Yuri Tikhonov <yur@emcraft.com>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Reported-by: "Manibalan P" <pmanibalan@amiindia.co.in>
    Tested-by: "Manibalan P" <pmanibalan@amiindia.co.in>
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1090423
    Signed-off-by: NeilBrown <neilb@suse.de>
    Acked-by: Dan Williams <dan.j.williams@intel.com>

 drivers/md/raid5.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit ea43743fbbed094df0aa88386cd4dcef73fef306
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Aug 19 17:51:21 2014 -0400

    add support for CAP_BLOCK_SUSPEND

 grsecurity/grsec_exec.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit b2a10b4681dea18a09d1d1d93b61fdf72073c03e
Merge: afbffd5 c254daf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 13 23:34:45 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	arch/sparc/mm/fault_64.c
    	include/net/inetpeer.h
    	include/net/ip.h
    	net/ipv4/route.c

commit c254daf6a752f5d0c5953b3abc31b33f61c7206d
Merge: b754570 946de0e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Aug 13 23:31:00 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/sparc/mm/fault_64.c
    	include/net/inetpeer.h
    	net/ipv4/inetpeer.c
    	net/ipv6/output_core.c

commit afbffd51fcf50a750cd3907b2daa6c77d26fce69
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Wed Aug 6 16:08:43 2014 -0700

    Upstream commit: 69102311a57d1fd65cdc4002c55c5d551c799044
    
    ./Makefile: tell gcc optimizer to never introduce new data races
    
    We have been chasing a memory corruption bug, which turned out to be
    caused by very old gcc (4.3.4), which happily turned conditional load
    into a non-conditional one, and that broke correctness (the condition
    was met only if lock was held) and corrupted memory.
    
    This particular problem with that particular code did not happen when
    newer gccs were used.  I've brought this up with our gcc folks, as I
    wanted to make sure that this can't really happen again, and it turns
    out it actually can.
    
    Quoting Martin Jambor <mjambor@suse.cz>:
     "More current GCCs are more careful when it comes to replacing a
      conditional load with a non-conditional one, most notably they check
      that a store happens in each iteration of _a_ loop but they assume
      loops are executed.  They also perform a simple check whether the
      store cannot trap which currently passes only for non-const
      variables.  A simple testcase demonstrating it on an x86_64 is for
      example the following:
    
      $ cat cond_store.c

      #include <errno.h>     /* errno; headers added so the testcase builds cleanly */
      #include <error.h>     /* error() */
      #include <sys/mman.h>  /* mprotect(), PROT_READ */

      int g_1 = 1;
    
      int g_2[1024] __attribute__((section ("safe_section"), aligned (4096)));
    
      int c = 4;
    
      int __attribute__ ((noinline))
      foo (void)
      {
        int l;
        for (l = 0; (l != 4); l++) {
          if (g_1)
            return l;
          for (g_2[0] = 0; (g_2[0] >= 26); ++g_2[0])
            ;
        }
        return 2;
      }
    
      int main (int argc, char* argv[])
      {
        if (mprotect (g_2, sizeof(g_2), PROT_READ) == -1)
          {
            int e = errno;
            error (e, e, "mprotect error %i", e);
          }
        foo ();
        __builtin_printf("OK\n");
        return 0;
      }
      /* EOF */
      $ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=0
      $ ./a.out
      OK
      $ ~/gcc/trunk/inst/bin/gcc cond_store.c -O2 --param allow-store-data-races=1
      $ ./a.out
      Segmentation fault
    
      The testcase fails the same at least with 4.9, 4.8 and 4.7.  Therefore
      I would suggest building kernels with this parameter set to zero. I
      also agree with Jikos that the default should be changed for -O2.  I
      have run most of the SPEC 2k6 CPU benchmarks (gamess and dealII
      failed, at -O2, not sure why) compiled with and without this option
      and did not see any real difference between respective run-times"
    
    Hopefully the default will be changed in newer gccs, but let's force it
    for kernel builds so that we are on a safe side even when older gcc are
    used.
    
    The code in question was out-of-tree printk-in-NMI (yeah, surprise
    surprise, once again) patch written by Petr Mladek, let me quote his
    comment from our internal bugzilla:
    
     "I have spent few days investigating inconsistent state of kernel ring buffer.
      It went out that it was caused by speculative store generated by
      gcc-4.3.4.
    
      The problem is in assembly generated for make_free_space(). The function is
      called the following way:
    
      + vprintk_emit();
          + log = MAIN_LOG; // with logbuf_lock
             or
             log = NMI_LOG; // with nmi_logbuf_lock
             cont_add(log, ...);
              + cont_flush(log, ...);
                  + log_store(log, ...);
                        + log_make_free_space(log, ...);
    
      If called with log = NMI_LOG then only nmi_log_* global variables are safe to
      modify but the generated code does store also into (main_)log_* global
      variables:
    
      <log_make_free_space>:
             55                      push   %rbp
             89 f6                   mov    %esi,%esi
    
             48 8b 05 03 99 51 01    mov    0x1519903(%rip),%rax       # ffffffff82620868 <nmi_log_next_id>
             44 8b 1d ec 98 51 01    mov    0x15198ec(%rip),%r11d      # ffffffff82620858 <log_next_idx>
             8b 35 36 60 14 01       mov    0x1146036(%rip),%esi       # ffffffff8224cfa8 <log_buf_len>
             44 8b 35 33 60 14 01    mov    0x1146033(%rip),%r14d      # ffffffff8224cfac <nmi_log_buf_len>
             4c 8b 2d d0 98 51 01    mov    0x15198d0(%rip),%r13       # ffffffff82620850 <log_next_seq>
             4c 8b 25 11 61 14 01    mov    0x1146111(%rip),%r12       # ffffffff8224d098 <log_buf>
             49 89 c2                mov    %rax,%r10
             48 21 c2                and    %rax,%rdx
             48 8b 1d 0c 99 55 01    mov    0x155990c(%rip),%rbx       # ffffffff826608a0 <nmi_log_buf>
             49 c1 ea 20             shr    $0x20,%r10
             48 89 55 d0             mov    %rdx,-0x30(%rbp)
             44 29 de                sub    %r11d,%esi
             45 29 d6                sub    %r10d,%r14d
             4c 8b 0d 97 98 51 01    mov    0x1519897(%rip),%r9	# ffffffff82620840 <log_first_seq>
             eb 7e                   jmp    ffffffff81107029	<log_make_free_space+0xe9>
      [...]
             85 ff                   test   %edi,%edi                  # edi = 1 for NMI_LOG
             4c 89 e8                mov    %r13,%rax
             4c 89 ca                mov    %r9,%rdx
             74 0a                   je     ffffffff8110703d	<log_make_free_space+0xfd>
             8b 15 27 98 51 01       mov    0x1519827(%rip),%edx       # ffffffff82620860 <nmi_log_first_id>
             48 8b 45 d0             mov    -0x30(%rbp),%rax
             48 39 c2                cmp    %rax,%rdx                  # end of loop
             0f 84 da 00 00 00       je     ffffffff81107120 <log_make_free_space+0x1e0>
      [...]
             85 ff                   test   %edi,%edi                  # edi = 1 for NMI_LOG
             4c 89 0d 17 97 51 01    mov    %r9,0x1519717(%rip)        # ffffffff82620840 <log_first_seq>
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
                                     KABOOOM
             74 35                   je     ffffffff81107160		 <log_make_free_space+0x220>
    
      It stores log_first_seq when edi == NMI_LOG. These instructions are used also
      when edi == MAIN_LOG but the store is done speculatively before the condition
      is decided.  It is unsafe because we do not have "logbuf_lock" in NMI context
      and some other process might modify "log_first_seq" in parallel"
    
    I believe that the best course of action is both
    
     - building kernel (and anything multi-threaded, I guess) with that
       optimization turned off
     - persuade gcc folks to change the default for future releases
    
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Cc: Martin Jambor <mjambor@suse.cz>
    Cc: Petr Mladek <pmladek@suse.cz>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Marek Polacek <polacek@redhat.com>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: Steven Noonan <steven@uplinklabs.net>
    Cc: Richard Biener <richard.guenther@gmail.com>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	Makefile

 Makefile |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 44e32ebe76d8635bf73cbafdc2134f6d53a646ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 23:24:39 2014 -0400

    error on a brain-damaged configuration seen on the forums:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=4026

 include/linux/grsecurity.h |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit c63e1e99d43657cdbc72cc9a8ba57d18121f0292
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 23:15:22 2014 -0400

    Fix upstream crash in NFSv3 ACL code when the remote system doesn't
    support ACLs
    Ref: https://bugs.archlinux.org/task/41518

 fs/nfs/nfs3acl.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 38224e27dabf4b1289bdd20564ebff6dcc7178fd
Merge: 751fa2a b754570
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 23:05:52 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit b754570e25f0ce0c836c93c5a5d3ac95fa28dead
Merge: b939291 e21af7d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 10 23:05:33 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/include/asm/pgtable_64_types.h
    	arch/x86/kernel/entry_64.S
    	arch/x86/kernel/ldt.c

commit 751fa2a8f1bc18de63f635f66ae18e9c77cc24fe
Merge: 0320af7 b939291
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 20:00:58 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit b9392913de04dc9b3839a2b50f8f6bf99876beb1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 20:00:08 2014 -0400

    Update to pax-linux-3.14.15-test16.patch:
    - fixed an incompatibility between STACKLEAK and Xen, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997#p14241)
    - fixed the ESPFIX SS limit on i386 so that it actually works instead of triggering a double fault, reported by Oscon

 arch/x86/kernel/head_32.S    |    2 +-
 tools/gcc/stackleak_plugin.c |   21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

commit 0320af76fdaff58fc90bb385fc34fa7b4fddd56f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 10:20:05 2014 -0400

    compile fix

 grsecurity/grsum.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 801ea0ffafe27a6dcf9ee74d829383144b198c50
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 10:15:31 2014 -0400

    fix retval

 grsecurity/grsum.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

commit 5c126813a33a262193a5ce20ff6ad000c279958c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 10:00:44 2014 -0400

    Mark the right declarations __read_only

 grsecurity/gracl_policy.c |    6 +++---
 grsecurity/grsec_init.c   |    6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 20bf7c8a7b7a65864e26ca09de3e7930a9681636
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Aug 3 09:52:39 2014 -0400

    While on x86/x64 scatterlists can be created from kernel image buffers,
    on sparc64 this is apparently invalid and causes a system hang.
    Convert gr_usermode, gr_system_sum, and gr_system_salt back to using
    memory allocated at init.
    
    Many thanks to Blake Self for late night debugging help
    
    Conflicts:
    
    	grsecurity/gracl_policy.c

 grsecurity/gracl_policy.c |   60 ++++++++++++++++++++++----------------------
 grsecurity/grsec_init.c   |   14 ++++++++++
 grsecurity/grsum.c        |   37 +++++++++++++--------------
 3 files changed, 62 insertions(+), 49 deletions(-)

commit 77667ee683d6c1c6f2f93d4281bf0e0a9d8fac32
Author: Brad Spengler <spender@grsecurity.net>
Date:   Fri Aug 1 06:37:23 2014 -0400

    The bucket id field for the new ip id support should be unchecked
    Thanks to William Dauchy for the report.

 net/ipv4/route.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit f62725e51068e08fa20e620b016d3edf69f78ff3
Merge: c0adb11 cf427bb8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 20:30:14 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit cf427bb841e6db140fde2f9d6e1f2dc6a94a4d20
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 20:29:41 2014 -0400

    Update to pax-linux-3.14.15-test15.patch:
    - forward port to 3.14.15
    - fixed a merge error in copy_from_user on x86

 arch/x86/include/asm/uaccess.h |    2 +-
 arch/x86/kernel/signal.c       |    6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

commit c0adb11d7477e42b9287a86dae6434f80774dbfc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 19:06:01 2014 -0400

    fix compile error

 tools/gcc/randomize_layout_plugin.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 1b498f7b3f2b6b0dbf40eb4b72f551b9d85854e8
Author: James Bottomley <JBottomley@Parallels.com>
Date:   Thu Jul 3 19:17:34 2014 +0200

    Upstream commit: 89fb4cd1f717a871ef79fa7debbe840e3225cd54
    
    scsi: handle flush errors properly
    
    Flush commands don't transfer data and thus need to be special cased
    in the I/O completion handler so that we can propagate errors to
    the block layer and filesystem.
    
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Reported-by: Steven Haber <steven@qumulo.com>
    Tested-by: Steven Haber <steven@qumulo.com>
    Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Christoph Hellwig <hch@lst.de>

 drivers/scsi/scsi_lib.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit c7e0864c485249dcd45faa2b1468eecd29544505
Author: Milan Broz <gmazyland@gmail.com>
Date:   Tue Jul 29 18:41:09 2014 +0000

    Upstream commit: 4c63f83c2c2e16a13ce274ee678e28246bd33645
    
    crypto: af_alg - properly label AF_ALG socket
    
    The AF_ALG socket was missing a security label (e.g. SELinux)
    which means that socket was in "unlabeled" state.
    
    This was recently demonstrated in the cryptsetup package
    (cryptsetup v1.6.5 and later.)
    See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
    
    This patch clones the sock's label from the parent sock
    and resolves the issue (similar to AF_BLUETOOTH protocol family).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Milan Broz <gmazyland@gmail.com>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 crypto/af_alg.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 1f254e30f43d36155788beeb473d37a887456674
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Tue Jul 29 12:07:27 2014 +0200

    Upstream commit: 45a07695bc64b3ab5d6d2215f9677e5b8c05a7d0
    
    tcp: Fix integer-overflows in TCP veno
    
    In veno we do a multiplication of the cwnd and the rtt. This
    may overflow and thus their result is stored in a u64. However, we first
    need to cast the cwnd so that actually 64-bit arithmetic is done.
    
    A first attempt at fixing 76f1017757aa0 ([TCP]: TCP Veno congestion
    control) was made by 159131149c2 (tcp: Overflow bug in Vegas), but it
    failed to add the required cast in tcp_veno_cong_avoid().
    
    Fixes: 76f1017757aa0 ([TCP]: TCP Veno congestion control)
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_veno.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7d4ad18011b3ec6e7ef612c72d6bced81d2acf87
Author: Christoph Paasch <christoph.paasch@uclouvain.be>
Date:   Tue Jul 29 13:40:57 2014 +0200

    Upstream commit: 1f74e613ded11517db90b2bd57e9464d9e0fb161
    
    tcp: Fix integer-overflow in TCP vegas
    
    In vegas we do a multiplication of the cwnd and the rtt. This
    may overflow and thus their result is stored in a u64. However, we first
    need to cast the cwnd so that actually 64-bit arithmetic is done.
    
    Then, we need to do do_div to allow this to be used on 32-bit arches.
    
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Cc: Neal Cardwell <ncardwell@google.com>
    Cc: Eric Dumazet <eric.dumazet@gmail.com>
    Cc: David Laight <David.Laight@ACULAB.COM>
    Cc: Doug Leith <doug.leith@nuim.ie>
    Fixes: 8d3a564da34e (tcp: tcp_vegas cong avoid fix)
    Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_vegas.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 2ba2d6805d9cb3ad3c153f8050f7c50efbb56230
Author: Michal Hocko <mhocko@suse.cz>
Date:   Wed Jul 30 16:08:33 2014 -0700

    Upstream commit: 2bcf2e92c3918ce62ab4e934256e47e9a16d19c3
    
    memcg: oom_notify use-after-free fix
    
    Paul Furtado has reported the following GPF:
    
      general protection fault: 0000 [#1] SMP
      Modules linked in: ipv6 dm_mod xen_netfront coretemp hwmon x86_pkg_temp_thermal crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ablk_helper cryptd lrw gf128mul glue_helper aes_x86_64 microcode pcspkr ext4 jbd2 mbcache raid0 xen_blkfront
      CPU: 3 PID: 3062 Comm: java Not tainted 3.16.0-rc5 #1
      task: ffff8801cfe8f170 ti: ffff8801d2ec4000 task.ti: ffff8801d2ec4000
      RIP: e030:mem_cgroup_oom_synchronize+0x140/0x240
      RSP: e02b:ffff8801d2ec7d48  EFLAGS: 00010283
      RAX: 0000000000000001 RBX: ffff88009d633800 RCX: 000000000000000e
      RDX: fffffffffffffffe RSI: ffff88009d630200 RDI: ffff88009d630200
      RBP: ffff8801d2ec7da8 R08: 0000000000000012 R09: 00000000fffffffe
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff88009d633800
      R13: ffff8801d2ec7d48 R14: dead000000100100 R15: ffff88009d633a30
      FS:  00007f1748bb4700(0000) GS:ffff8801def80000(0000) knlGS:0000000000000000
      CS:  e033 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 00007f4110300308 CR3: 00000000c05f7000 CR4: 0000000000002660
      Call Trace:
        pagefault_out_of_memory+0x18/0x90
        mm_fault_error+0xa9/0x1a0
        __do_page_fault+0x478/0x4c0
        do_page_fault+0x2c/0x40
        page_fault+0x28/0x30
      Code: 44 00 00 48 89 df e8 40 ca ff ff 48 85 c0 49 89 c4 74 35 4c 8b b0 30 02 00 00 4c 8d b8 30 02 00 00 4d 39 fe 74 1b 0f 1f 44 00 00 <49> 8b 7e 10 be 01 00 00 00 e8 42 d2 04 00 4d 8b 36 4d 39 fe 75
      RIP  mem_cgroup_oom_synchronize+0x140/0x240
    
    Commit fb2a6fc56be6 ("mm: memcg: rework and document OOM waiting and
    wakeup") has moved mem_cgroup_oom_notify outside of memcg_oom_lock
    assuming it is protected by the hierarchical OOM-lock.
    
    Although this is true for the notification part the protection doesn't
    cover unregistration of event which can happen in parallel now so
    mem_cgroup_oom_notify can see already unlinked and/or freed
    mem_cgroup_eventfd_list.
    
    Fix this by using memcg_oom_lock also in mem_cgroup_oom_notify.
    
    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=80881
    
    Fixes: fb2a6fc56be6 (mm: memcg: rework and document OOM waiting and wakeup)
    Signed-off-by: Michal Hocko <mhocko@suse.cz>
    Reported-by: Paul Furtado <paulfurtado91@gmail.com>
    Tested-by: Paul Furtado <paulfurtado91@gmail.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>	[3.12+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memcontrol.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

commit 7238e2e4cb051e167beab1751c0fc7aa3487f160
Merge: e52e899 95b81f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 18:41:35 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 95b81f4d5b3dc1b57aa182105d2817e242da9397
Merge: 1984a38 735fbc7
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 18:41:16 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kernel/entry_32.S

commit e52e899e57922c1de4defa435128ef1b382ffa31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 31 18:02:05 2014 -0400

    Work around a compatibility issue between the VirtualBox drivers and RANDSTRUCT.
    Two of its ops structs, INTNETTRUNKFACTORY and RAWPCIFACTORY, were chosen for
    randomization, but these seem to be part of a public interface used by code
    not compiled by RANDSTRUCT.  To resolve this, omit these two type names from
    randomization.  Thanks to Pedro Ribeiro for the report.

 tools/gcc/randomize_layout_plugin.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 2e7378a4c9f2b2100b5077e892f45d164158e04b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 29 21:28:57 2014 -0400

    mark the two newly-introduced IP ID functions as intentional_overflow

 include/linux/random.h |    2 +-
 include/net/ip.h       |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit 9b21bce181d58bc5f1375140199fce7427b78eb0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 29 20:26:18 2014 -0400

    compile fix

 include/net/inetpeer.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b0ad2297f68f8d3b43b7aa2063cb2db09258abf7
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Jul 26 08:58:10 2014 +0200

    Upstream commit: 04ca6973f7c1a0d8537f2d9906a0cf8e69886d75
    
    ip: make IP identifiers less predictable
    
    In "Counting Packets Sent Between Arbitrary Internet Hosts", Jeffrey and
    Jedidiah describe ways of exploiting linux IP identifier generation to
    infer whether two machines are exchanging packets.
    
    With commit 73f156a6e8c1 ("inetpeer: get rid of ip_id_count"), we
    changed IP id generation, but this does not really prevent this
    side-channel technique.
    
    This patch adds a random amount of perturbation so that IP identifiers
    for a given destination [1] are no longer monotonically increasing after
    an idle period.
    
    Note that prandom_u32_max(1) returns 0, so if generator is used at most
    once per jiffy, this patch inserts no hole in the ID suite and does not
    increase collision probability.
    
    This is jiffies based, so in the worst case (HZ=1000), the id can
    rollover after ~65 seconds of idle time, which should be fine.
    
    We also change the hash used in __ip_select_ident() to not only hash
    on daddr, but also saddr and protocol, so that ICMP probes can not be
    used to infer information for other protocols.
    
    For IPv6, adds saddr into the hash as well, but not nexthdr.
    
    If I ping the patched target, we can see IDs are now hard to predict.
    
    21:57:11.008086 IP (...)
        A > target: ICMP echo request, seq 1, length 64
    21:57:11.010752 IP (... id 2081 ...)
        target > A: ICMP echo reply, seq 1, length 64
    
    21:57:12.013133 IP (...)
        A > target: ICMP echo request, seq 2, length 64
    21:57:12.015737 IP (... id 3039 ...)
        target > A: ICMP echo reply, seq 2, length 64
    
    21:57:13.016580 IP (...)
        A > target: ICMP echo request, seq 3, length 64
    21:57:13.019251 IP (... id 3437 ...)
        target > A: ICMP echo reply, seq 3, length 64
    
    [1] TCP sessions use a per-flow ID generator not changed by this patch.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Jeffrey Knockel <jeffk@cs.unm.edu>
    Reported-by: Jedidiah R. Crandall <crandall@cs.unm.edu>
    Cc: Willy Tarreau <w@1wt.eu>
    Cc: Hannes Frederic Sowa <hannes@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/ip.h      |   11 +----------
 net/ipv4/route.c      |   32 +++++++++++++++++++++++++++++---
 net/ipv6/ip6_output.c |    2 ++
 3 files changed, 32 insertions(+), 13 deletions(-)

commit c30c132948e8c7bfe5ddbd3577ca64f26c052446
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Jun 2 05:26:03 2014 -0700

    Upstream commit: 73f156a6e8c1074ac6327e0abd1169e95eb66463
    
    inetpeer: get rid of ip_id_count
    
    Ideally, we would need to generate IP ID using a per destination IP
    generator.
    
    linux kernels used inet_peer cache for this purpose, but this had a huge
    cost on servers disabling MTU discovery.
    
    1) each inet_peer struct consumes 192 bytes
    
    2) inetpeer cache uses a binary tree of inet_peer structs,
       with a nominal size of ~66000 elements under load.
    
    3) lookups in this tree are hitting a lot of cache lines, as tree depth
       is about 20.
    
    4) If server deals with many tcp flows, we have a high probability of
       not finding the inet_peer, allocating a fresh one, inserting it in
       the tree with same initial ip_id_count, (cf secure_ip_id())
    
    5) We garbage collect inet_peer aggressively.
    
    IP ID generation does not have to be 'perfect'
    
    Goal is trying to avoid duplicates in a short period of time,
    so that reassembly units have a chance to complete reassembly of
    fragments belonging to one message before receiving other fragments
    with a recycled ID.
    
    We simply use an array of generators, and a Jenkins hash using the dst IP
    as a key.
    
    ipv6_select_ident() is put back into net/ipv6/ip6_output.c where it
    belongs (it is only used from this file)
    
    secure_ip_id() and secure_ipv6_id() no longer are needed.
    
    Rename ip_select_ident_more() to ip_select_ident_segs() to avoid
    unnecessary decrement/increment of the number of segments.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	include/net/inetpeer.h
    	include/net/ip.h
    	net/ipv4/inetpeer.c
    	net/ipv6/output_core.c
    
    Conflicts:
    
    	net/ipv6/output_core.c

 drivers/net/ppp/pptp.c          |    2 +-
 include/net/inetpeer.h          |   18 +++------------
 include/net/ip.h                |   40 ++++++++++++++++++++--------------
 include/net/ipv6.h              |    2 -
 include/net/secure_seq.h        |    2 -
 net/core/secure_seq.c           |   25 ---------------------
 net/ipv4/igmp.c                 |    4 +-
 net/ipv4/inetpeer.c             |   18 ---------------
 net/ipv4/ip_output.c            |    7 ++---
 net/ipv4/ip_tunnel_core.c       |    2 +-
 net/ipv4/ipmr.c                 |    2 +-
 net/ipv4/raw.c                  |    2 +-
 net/ipv4/route.c                |   45 +++++++++++++-------------------------
 net/ipv4/xfrm4_mode_tunnel.c    |    2 +-
 net/ipv6/ip6_output.c           |   12 ++++++++++
 net/ipv6/output_core.c          |   24 --------------------
 net/netfilter/ipvs/ip_vs_xmit.c |    2 +-
 17 files changed, 66 insertions(+), 143 deletions(-)
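
The two IP ID commits above (04ca6973 "ip: make IP identifiers less predictable" and 73f156a6 "inetpeer: get rid of ip_id_count") describe the generator only in prose. The following user-space model, added here and not kernel code, shows the mechanism they describe: an array of counters selected by a Jenkins-style hash of (daddr, saddr, protocol), and a random skip bounded by how long the selected bucket has been idle. Assumptions: the jiffies clock is passed in as now, a seeded xorshift stands in for prandom_u32(), the hash seed is a fixed constructed constant, and the jhash_3words() constants are reproduced from memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_IDENTS_SZ 2048u          /* number of independent generators (buckets) */
#define JHASH_INITVAL 0xdeadbeefu

static uint32_t ip_idents[IP_IDENTS_SZ];  /* per-bucket counters; atomic_t in the kernel */
static uint32_t ip_tstamps[IP_IDENTS_SZ]; /* jiffy at which each bucket was last used */
static uint32_t ip_idents_hashrnd = 0x9e3779b9u; /* constructed; the kernel draws it at random */

static uint32_t rol32(uint32_t w, unsigned s) { return (w << s) | (w >> (32 - s)); }

/* Jenkins-style 3-word mix modelled on the kernel's jhash_3words() (constants
 * reproduced from memory; any good mixing function would do for the model). */
static uint32_t jhash_3words(uint32_t a, uint32_t b, uint32_t c, uint32_t initval)
{
	uint32_t iv = initval + JHASH_INITVAL + (3u << 2);
	a += iv; b += iv; c += iv;
	c ^= b; c -= rol32(b, 14);  a ^= c; a -= rol32(c, 11);
	b ^= a; b -= rol32(a, 25);  c ^= b; c -= rol32(b, 16);
	a ^= c; a -= rol32(c, 4);   b ^= a; b -= rol32(a, 14);
	c ^= b; c -= rol32(b, 24);
	return c;
}

/* Seeded xorshift32 standing in for prandom_u32(), so runs are repeatable. */
static uint32_t prng_state = 0x12345678u;
static uint32_t prandom_u32(void)
{ uint32_t x = prng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return prng_state = x; }

/* Uniform value in [0, n); for n == 1 (or 0) it is always 0, which is why a
 * generator used at least once per jiffy never skips an ID. */
static uint32_t prandom_u32_max(uint32_t n)
{ return (uint32_t)(((uint64_t)prandom_u32() * n) >> 32); }

/* Reserve 'segs' consecutive IDs from the bucket selected by 'hash'. If the
 * bucket was last used at 'old' != 'now', first skip a random number of IDs
 * in [0, now - old), so the next ID cannot be predicted from the last one. */
static uint32_t ip_idents_reserve(uint32_t hash, uint32_t segs, uint32_t now)
{
	uint32_t idx = hash % IP_IDENTS_SZ, old = ip_tstamps[idx], delta = 0;

	if (old != now) {                  /* kernel: cmpxchg(p_tstamp, old, now) */
		ip_tstamps[idx] = now;
		delta = prandom_u32_max(now - old);
	}
	ip_idents[idx] += segs + delta;    /* kernel: atomic_add_return() */
	return ip_idents[idx] - segs;      /* first ID of the reserved run */
}

/* Hash daddr, saddr and protocol together (not daddr alone), so probing one
 * protocol reveals nothing about the counter another protocol is using. */
static uint16_t ip_select_ident_model(uint32_t daddr, uint32_t saddr, uint8_t protocol,
				      uint32_t segs, uint32_t now)
{
	uint32_t hash = jhash_3words(daddr, saddr, protocol, ip_idents_hashrnd);
	return (uint16_t)ip_idents_reserve(hash, segs, now);
}

static void model_reset(void)
{ memset(ip_idents, 0, sizeof(ip_idents)); memset(ip_tstamps, 0, sizeof(ip_tstamps)); prng_state = 0x12345678u; }

/* Property 1: a flow that keeps its generator busy within one jiffy sees
 * strictly consecutive IDs (no holes). Returns 1 if that holds for n packets. */
static int busy_flow_is_gapless(int n)
{
	const uint32_t now = 1000, daddr = 0x0a000001u, saddr = 0x0a000002u;
	uint16_t prev = 0, id;
	int i;

	model_reset();
	for (i = 0; i < n; i++, prev = id) {
		id = ip_select_ident_model(daddr, saddr, 1 /* ICMP */, 1, now);
		if (i > 0 && (uint16_t)(id - prev) != 1)
			return 0;
	}
	return 1;
}

/* Property 2: after 'idle' jiffies the next ID jumps ahead by a random amount
 * in [0, idle). Returns the number of IDs skipped, or -1 if that bound fails. */
static long idle_gap_jump(uint32_t idle)
{
	const uint32_t daddr = 0x0a000001u, saddr = 0x0a000002u, now = 1000;
	uint32_t bound = idle ? idle : 1;
	uint16_t a, b, skipped;
	model_reset();
	a = ip_select_ident_model(daddr, saddr, 6 /* TCP */, 1, now);
	b = ip_select_ident_model(daddr, saddr, 6, 1, now + idle);
	skipped = (uint16_t)(b - a - 1);
	return skipped < bound ? (long)skipped : -1;
}

int main(void)
{
	printf("gapless within one jiffy: %s\n", busy_flow_is_gapless(16) ? "yes" : "no");
	printf("IDs skipped after 1 / 500 idle jiffies: %ld / %ld\n", idle_gap_jump(1), idle_gap_jump(500));
	return 0;
}
```

With HZ=1000 the skip after a long idle period can reach the full 16-bit range, which is the "rollover after ~65 seconds" the commit mentions; the model keeps idle values below that so the 16-bit difference stays meaningful.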

commit 25b91d2caf02e0c2782e522426f4ac06d48e858d
Author: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Date:   Sat Jul 26 21:26:58 2014 +0400

    Upstream commit: 40eea803c6b2cfaab092f053248cbeab3f368412
    
    net: sendmsg: fix NULL pointer dereference
    
    Sasha's report:
    	> While fuzzing with trinity inside a KVM tools guest running the latest -next
    	> kernel with the KASAN patchset, I've stumbled on the following spew:
    	>
    	> [ 4448.949424] ==================================================================
    	> [ 4448.951737] AddressSanitizer: user-memory-access on address 0
    	> [ 4448.952988] Read of size 2 by thread T19638:
    	> [ 4448.954510] CPU: 28 PID: 19638 Comm: trinity-c76 Not tainted 3.16.0-rc4-next-20140711-sasha-00046-g07d3099-dirty #813
    	> [ 4448.956823]  ffff88046d86ca40 0000000000000000 ffff880082f37e78 ffff880082f37a40
    	> [ 4448.958233]  ffffffffb6e47068 ffff880082f37a68 ffff880082f37a58 ffffffffb242708d
    	> [ 4448.959552]  0000000000000000 ffff880082f37a88 ffffffffb24255b1 0000000000000000
    	> [ 4448.961266] Call Trace:
    	> [ 4448.963158] dump_stack (lib/dump_stack.c:52)
    	> [ 4448.964244] kasan_report_user_access (mm/kasan/report.c:184)
    	> [ 4448.965507] __asan_load2 (mm/kasan/kasan.c:352)
    	> [ 4448.966482] ? netlink_sendmsg (net/netlink/af_netlink.c:2339)
    	> [ 4448.967541] netlink_sendmsg (net/netlink/af_netlink.c:2339)
    	> [ 4448.968537] ? get_parent_ip (kernel/sched/core.c:2555)
    	> [ 4448.970103] sock_sendmsg (net/socket.c:654)
    	> [ 4448.971584] ? might_fault (mm/memory.c:3741)
    	> [ 4448.972526] ? might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3740)
    	> [ 4448.973596] ? verify_iovec (net/core/iovec.c:64)
    	> [ 4448.974522] ___sys_sendmsg (net/socket.c:2096)
    	> [ 4448.975797] ? put_lock_stats.isra.13 (./arch/x86/include/asm/preempt.h:98 kernel/locking/lockdep.c:254)
    	> [ 4448.977030] ? lock_release_holdtime (kernel/locking/lockdep.c:273)
    	> [ 4448.978197] ? lock_release_non_nested (kernel/locking/lockdep.c:3434 (discriminator 1))
    	> [ 4448.979346] ? check_chain_key (kernel/locking/lockdep.c:2188)
    	> [ 4448.980535] __sys_sendmmsg (net/socket.c:2181)
    	> [ 4448.981592] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
    	> [ 4448.982773] ? trace_hardirqs_on (kernel/locking/lockdep.c:2607)
    	> [ 4448.984458] ? syscall_trace_enter (arch/x86/kernel/ptrace.c:1500 (discriminator 2))
    	> [ 4448.985621] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
    	> [ 4448.986754] SyS_sendmmsg (net/socket.c:2201)
    	> [ 4448.987708] tracesys (arch/x86/kernel/entry_64.S:542)
    	> [ 4448.988929] ==================================================================
    
    This report means that we've come to netlink_sendmsg() with msg->msg_name == NULL and msg->msg_namelen > 0.
    
    After this report there was no usual "Unable to handle kernel NULL pointer dereference"
    and this gave me a clue that address 0 is mapped and contains valid socket address structure in it.
    
    This bug was introduced in f3d3342602f8bcbf37d7c46641cb9bca7618eb1c
    (net: rework recvmsg handler msg_name and msg_namelen logic).
    Commit message states that:
    	"Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
    	 non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
    	 affect sendto as it would bail out earlier while trying to copy-in the
    	 address."
    But in fact this affects sendto when address 0 is mapped and contains
    socket address structure in it. In such case copy-in address will succeed,
    verify_iovec() function will successfully exit with msg->msg_namelen > 0
    and msg->msg_name == NULL.
    
    This patch fixes it by setting msg_namelen to 0 if msg_name == NULL.
    
    Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: <stable@vger.kernel.org>
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/compat.c     |    9 +++++----
 net/core/iovec.c |    6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)
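
The invariant this fix restores, as an added example in plain C (not the kernel's code; `struct msg_hdr`, `normalize_msg_name()` and `peek_family()` are hypothetical stand-ins for struct msghdr, the verify_iovec() change and a protocol sendmsg handler):

```c
/* Added example, not from the commit: models the msg_name/msg_namelen
 * pair and why namelen must drop to 0 once msg_name is NULL. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

struct msg_hdr {              /* hypothetical stand-in for struct msghdr */
    void *msg_name;           /* destination address, or NULL for "none" */
    int msg_namelen;          /* length the caller claimed for msg_name */
};

/* Mirrors the fix in verify_iovec()/verify_compat_iovec(): once msg_name
 * is NULL, msg_namelen is forced to 0 so that no later consumer sees a
 * "NULL address of positive length". Returns the normalised length. */
static int normalize_msg_name(struct msg_hdr *msg)
{
    if (msg->msg_name == NULL)
        msg->msg_namelen = 0;
    return msg->msg_namelen;
}

/* Hypothetical protocol handler that, like netlink_sendmsg(), reads the
 * address family when an address was supplied. With the pre-fix pair
 * (NULL, namelen > 0) the read would dereference address 0; the NULL
 * guard here is an extra defensive check, not part of the upstream fix. */
static int peek_family(const struct msg_hdr *msg)
{
    if (msg->msg_namelen < (int)sizeof(sa_family_t))
        return -EINVAL;       /* no address supplied: nothing to read */
    if (msg->msg_name == NULL)
        return -EFAULT;       /* inconsistent pair: refuse instead of deref */
    return ((const struct sockaddr *)msg->msg_name)->sa_family;
}

/* Three constructed scenarios; each returns what peek_family() reports. */
static int scenario_fixed(void)     /* NULL name, stale namelen, normalised */
{
    struct msg_hdr m = { NULL, 12 };
    normalize_msg_name(&m);
    return peek_family(&m);         /* -EINVAL: no dereference attempted */
}

static int scenario_unfixed(void)   /* the pre-fix pair reaching the handler */
{
    struct msg_hdr m = { NULL, 12 };
    return peek_family(&m);         /* -EFAULT from the guard, not a crash */
}

static int scenario_valid(void)     /* a real address: the normal path */
{
    struct sockaddr sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_family = AF_UNIX;
    struct msg_hdr m = { &sa, (int)sizeof sa };
    normalize_msg_name(&m);
    return peek_family(&m);         /* AF_UNIX */
}
```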

commit ee879f1643b0bbd29a6af76e2b0c876ac54c0d5e
Merge: 7fdb40c 1984a38
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 28 18:44:55 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	net/sctp/ulpevent.c

commit 1984a387b94a2b52544cfd0e41f7a5a2bb9a8cf1
Merge: d368615 6a0a453
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 28 18:44:22 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/Kconfig
    	drivers/gpu/drm/qxl/qxl_irq.c
    	net/sctp/sysctl.c

commit 7fdb40cc7bab590113d09ab394fa903fe487018d
Merge: e1ba946 d368615
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 27 19:55:35 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit d368615d6ec4d2f824c99b540ca47a9fac2975ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 27 19:54:54 2014 -0400

    Update to pax-linux-3.14.13-test15.patch:
    - fixed an incorrect get_user cast, reported by Corey Minyard
      - there're a few more instances in the kernel still
    - Emese fixed a compile error in the size overflow plugin that manifested under gcc 4.9

 fs/compat_ioctl.c                                  |    2 +-
 .../insert_size_overflow_asm.c                     |   42 --------------------
 .../insert_size_overflow_check_core.c              |   41 +++++++++++++++++++
 .../insert_size_overflow_check_ipa.c               |    2 +-
 .../size_overflow_plugin/intentional_overflow.c    |    3 +
 .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
 6 files changed, 47 insertions(+), 45 deletions(-)

commit e1ba94687d9a7d108e33ea9dba82a50bb5c4a157
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Jul 26 14:52:01 2014 -0700

    Upstream commit: 2062afb4f804afef61cbe62a30cac9a46e58e067
    
    Fix gcc-4.9.0 miscompilation of load_balance()  in scheduler
    
    Michel Dänzer and a couple of other people reported inexplicable random
    oopses in the scheduler, and the cause turns out to be gcc mis-compiling
    the load_balance() function when debugging is enabled.  The gcc bug
    apparently goes back to gcc-4.5, but slight optimization changes mean
    that it now showed up as a problem in 4.9.0 and 4.9.1.
    
    The instruction scheduling problem causes gcc to schedule a spill
    operation to before the stack frame has been created, which in turn can
    corrupt the spilled value if an interrupt comes in.  There may be other
    effects of this bug too, but that's the code generation problem seen in
    Michel's case.
    
    This is fixed in current gcc HEAD, but the workaround as suggested by
    Markus Trippelsdorf is pretty simple: use -fno-var-tracking-assignments
    when compiling the kernel, which disables the gcc code that causes the
    problem.  This can result in slightly worse debug information for
    variable accesses, but that is infinitely preferable to actual code
    generation problems.
    
    Doing this unconditionally (not just for CONFIG_DEBUG_INFO) also allows
    non-debug builds to verify that the debug build would be identical: we
    can do
    
        export GCC_COMPARE_DEBUG=1
    
    to make gcc internally verify that the result of the build is
    independent of the "-g" flag (it will make the compiler build everything
    twice, toggling the debug flag, and compare the results).
    
    Without the "-fno-var-tracking-assignments" option, the build would fail
    (even with 4.8.3 that didn't show the actual stack frame bug) with a gcc
    compare failure.
    
    See also gcc bugzilla:
    
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61801
    
    Reported-by: Michel Dänzer <michel@daenzer.net>
    Suggested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 Makefile |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 4093ac2752200e1106fa7167bbb8abb1925faa01
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Jul 17 13:50:45 2014 +0300

    Upstream commit: a28d0e873d2899bd750ae495f84fe9c1a2f53809
    
    wan/x25_asy: integer overflow in x25_asy_change_mtu()
    
    If "newmtu * 2 + 4" is too large then it can cause an integer overflow
    leading to memory corruption.  Eric Dumazet suggests that 65534 is a
    reasonable upper limit.
    
    Btw, "newmtu" is not allowed to be a negative number because of the
    check in dev_set_mtu(), so that's ok.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/wan/x25_asy.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)
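
The length computation and the 65534 cap described above, as an added example (not the driver's own code; `x25_asy_buf_len()` and the helper names are hypothetical, and the expression `newmtu * 2 + 4` is taken from the commit message):

```c
/* Added example, not from the x25_asy driver: shows how the int
 * expression wraps and the bounds check that prevents it. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>

#define X25_ASY_MTU_MAX 65534   /* upper limit suggested in the commit */

/* True when "newmtu * 2 + 4", evaluated in int as the driver did, would
 * exceed INT_MAX. Computed in long long so the check itself cannot wrap. */
static bool x25_len_would_overflow(int newmtu)
{
    long long len = (long long)newmtu * 2 + 4;
    return len > INT_MAX;
}

/* The value a two's-complement wrap would hand to the allocator: for
 * INT_MAX this is 2, i.e. a tiny buffer that later receives up to 2*MTU
 * bytes. Done in unsigned arithmetic, which is well defined in C. */
static int x25_len_wrapped(int newmtu)
{
    return (int)((unsigned)newmtu * 2u + 4u);
}

/* Hardened variant: reject out-of-range MTUs before computing the buffer
 * length. Returns 0 and stores the length, or -EINVAL. The negative check
 * mirrors what dev_set_mtu() already does for the kernel caller. */
static int x25_asy_buf_len(int newmtu, int *len)
{
    if (newmtu < 0 || newmtu > X25_ASY_MTU_MAX)
        return -EINVAL;
    *len = newmtu * 2 + 4;      /* at most 131072: cannot wrap */
    return 0;
}

/* Wrapper returning either the length or the negative error code. */
static int x25_asy_buf_len_or_err(int newmtu)
{
    int len = 0;
    int rc = x25_asy_buf_len(newmtu, &len);
    return rc ? rc : len;
}
```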

commit 0c65deebee9003bdf3ccdf8b89a7e7dcb25c00ae
Author: Hugh Dickins <hughd@google.com>
Date:   Wed Jul 23 14:00:10 2014 -0700

    Upstream commit: 8e205f779d1443a94b5ae81aa359cb535dd3021e
    
    shmem: fix faulting into a hole, not taking i_mutex
    
    Commit f00cdc6df7d7 ("shmem: fix faulting into a hole while it's
    punched") was buggy: Sasha sent a lockdep report to remind us that
    grabbing i_mutex in the fault path is a no-no (write syscall may already
    hold i_mutex while faulting user buffer).
    
    We tried a completely different approach (see following patch) but that
    proved inadequate: good enough for a rational workload, but not good
    enough against trinity - which forks off so many mappings of the object
    that contention on i_mmap_mutex while hole-puncher holds i_mutex builds
    into serious starvation when concurrent faults force the puncher to fall
    back to single-page unmap_mapping_range() searches of the i_mmap tree.
    
    So return to the original umbrella approach, but keep away from i_mutex
    this time.  We really don't want to bloat every shmem inode with a new
    mutex or completion, just to protect this unlikely case from trinity.
    So extend the original with wait_queue_head on stack at the hole-punch
    end, and wait_queue item on the stack at the fault end.
    
    This involves further use of i_lock to guard against the races: lockdep
    has been happy so far, and I see fs/inode.c:unlock_new_inode() holds
    i_lock around wake_up_bit(), which is comparable to what we do here.
    i_lock is more convenient, but we could switch to shmem's info->lock.
    
    This issue has been tagged with CVE-2014-4171, which will require commit
    f00cdc6df7d7 and this and the following patch to be backported: we
    suggest to 3.1+, though in fact the trinity forkbomb effect might go
    back as far as 2.6.16, when madvise(,,MADV_REMOVE) came in - or might
    not, since much has changed, with i_mmap_mutex a spinlock before 3.0.
    Anyone running trinity on 3.0 and earlier? I don't think we need care.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Tested-by: Sasha Levin <sasha.levin@oracle.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Konstantin Khlebnikov <koct9i@gmail.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Lukas Czerner <lczerner@redhat.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: <stable@vger.kernel.org>	[3.1+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/shmem.c |   78 ++++++++++++++++++++++++++++++++++++++++--------------------
 1 files changed, 52 insertions(+), 26 deletions(-)

commit 00d09360782f4c3ad922ab35540ca919a5cf4e9f
Author: Hugh Dickins <hughd@google.com>
Date:   Mon Jun 23 13:22:06 2014 -0700

    Upstream commit: f00cdc6df7d7cfcabb5b740911e6788cb0802bdb
    
    shmem: fix faulting into a hole while it's punched
    
    Trinity finds that mmap access to a hole while it's punched from shmem
    can prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE)
    from completing, until the reader chooses to stop; with the puncher's
    hold on i_mutex locking out all other writers until it can complete.
    
    It appears that the tmpfs fault path is too light in comparison with its
    hole-punching path, lacking an i_data_sem to obstruct it; but we don't
    want to slow down the common case.
    
    Extend shmem_fallocate()'s existing range notification mechanism, so
    shmem_fault() can refrain from faulting pages into the hole while it's
    punched, waiting instead on i_mutex (when safe to sleep; or repeatedly
    faulting when not).
    
    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Tested-by: Sasha Levin <sasha.levin@oracle.com>
    Cc: Dave Jones <davej@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	mm/shmem.c

 mm/shmem.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit e7dcde88b65eaa3da09d557f49c70009be065d0f
Author: Hugh Dickins <hughd@google.com>
Date:   Wed Jul 23 14:00:13 2014 -0700

    Upstream commit: b1a366500bd537b50c3aad26dc7df083ec03a448
    
    shmem: fix splicing from a hole while it's punched
    
    shmem_fault() is the actual culprit in trinity's hole-punch starvation,
    and the most significant cause of such problems: since a page faulted is
    one that then appears page_mapped(), needing unmap_mapping_range() and
    i_mmap_mutex to be unmapped again.
    
    But it is not the only way in which a page can be brought into a hole in
    the radix_tree while that hole is being punched; and Vlastimil's testing
    implies that if enough other processors are busy filling in the hole,
    then shmem_undo_range() can be kept from completing indefinitely.
    
    shmem_file_splice_read() is the main other user of SGP_CACHE, which can
    instantiate shmem pagecache pages in the read-only case (without holding
    i_mutex, so perhaps concurrently with a hole-punch).  Probably it's
    silly not to use SGP_READ already (using the ZERO_PAGE for holes): which
    ought to be safe, but might bring surprises - not a change to be rushed.
    
    shmem_read_mapping_page_gfp() is an internal interface used by
    drivers/gpu/drm GEM (and next by uprobes): it should be okay.  And
    shmem_file_read_iter() uses the SGP_DIRTY variant of SGP_CACHE, when
    called internally by the kernel (perhaps for a stacking filesystem,
    which might rely on holes to be reserved): it's unclear whether it could
    be provoked to keep hole-punch busy or not.
    
    We could apply the same umbrella as now used in shmem_fault() to
    shmem_file_splice_read() and the others; but it looks ugly, and use over
    a range raises questions - should it actually be per page? can these get
    starved themselves?
    
    The origin of this part of the problem is my v3.1 commit d0823576bf4b
    ("mm: pincer in truncate_inode_pages_range"), once it was duplicated
    into shmem.c.  It seemed like a nice idea at the time, to ensure
    (barring RCU lookup fuzziness) that there's an instant when the entire
    hole is empty; but the indefinitely repeated scans to ensure that make
    it vulnerable.
    
    Revert that "enhancement" to hole-punch from shmem_undo_range(), but
    retain the unproblematic rescanning when it's truncating; add a couple
    of comments there.
    
    Remove the "indices[0] >= end" test: that is now handled satisfactorily
    by the inner loop, and mem_cgroup_uncharge_start()/end() are too light
    to be worth avoiding here.
    
    But if we do not always loop indefinitely, we do need to handle the case
    of swap swizzled back to page before shmem_free_swap() gets it: add a
    retry for that case, as suggested by Konstantin Khlebnikov; and for the
    case of page swizzled back to swap, as suggested by Johannes Weiner.
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Suggested-by: Vlastimil Babka <vbabka@suse.cz>
    Cc: Konstantin Khlebnikov <koct9i@gmail.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Lukas Czerner <lczerner@redhat.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: <stable@vger.kernel.org>	[3.1+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    Conflicts:
    
    	mm/shmem.c

 mm/shmem.c |   24 +++++++++++++++---------
 1 files changed, 15 insertions(+), 9 deletions(-)

commit a872215e19553b26755c82b3b85d9d352182ae72
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Mon Jul 21 00:06:48 2014 +0100

    Upstream commit: 640d7efe4c08f06c4ae5d31b79bd8740e7f6790a
    
    dns_resolver: Null-terminate the right string
    
    *_result[len] is parsed as *(_result[len]) which is not at all what we
    want to touch here.
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Fixes: 84a7c0b1db1c ("dns_resolver: assure that dns_query() result is null-terminated")
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/dns_resolver/dns_query.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit ed155128b6d65195cceaa71ed7e23066819c6f40
Author: Manuel Schölling <manuel.schoelling@gmx.de>
Date:   Sat Jun 7 23:57:25 2014 +0200

    Upstream commit: 84a7c0b1db1c17d5ded8d3800228a608e1070b40
    
    dns_resolver: assure that dns_query() result is null-terminated
    
    dns_query() credulously assumes that keys are null-terminated and
    returns a copy of a memory block that is off by one.
    
    Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/dns_resolver/dns_query.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
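
The off-by-one from commit 84a7c0b1 and the `*_result[len]` precedence trap from commit 640d7efe, in one added example (not the kernel's dns_query(); `copy_terminated()` and the constructed payload are hypothetical):

```c
/* Added example, not from net/dns_resolver: copies a key payload that
 * carries no terminator into a terminated string, and shows the two
 * readings of *_result[len] on a constructed pointer array. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Copies len bytes of payload and terminates the copy. Returns len or
 * -ENOMEM. The allocation is len + 1 (the original code was one short),
 * and the terminator is written through (*_result)[len]: the unparenthesised
 * *_result[len] parses as *(_result[len]), the first byte of the len-th
 * pointer in an array the caller never passed. */
static int copy_terminated(const char *payload, size_t len, char **_result)
{
    char *buf = malloc(len + 1);
    if (!buf)
        return -ENOMEM;
    memcpy(buf, payload, len);
    *_result = buf;
    (*_result)[len] = '\0';
    return (int)len;
}

/* Exercises copy_terminated() on a constructed, unterminated payload:
 * "host" followed by junk. Returns 1 when the copy is exactly "host". */
static int copied_ok(void)
{
    const char raw[] = { 'h', 'o', 's', 't', 'X', 'Y' };
    char *result = NULL;
    int rc = copy_terminated(raw, 4, &result);
    if (rc != 4)
        return 0;
    int ok = strlen(result) == 4 && memcmp(result, "host", 5) == 0;
    free(result);
    return ok;
}

/* Makes the precedence difference visible without any invalid access:
 * with two strings, *_result[1] is _result[1][0] (first char of the second
 * string) while (*_result)[1] is _result[0][1] (second char of the first).
 * Returns both characters packed as (wrong << 8) | right. */
static int precedence_demo(void)
{
    const char *strings[2] = { "ab", "cd" };
    const char **_result = strings;
    int wrong = *_result[1];        /* 'c' */
    int right = (*_result)[1];      /* 'b' */
    return (wrong << 8) | right;
}
```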

commit 417ac1f7de6ecdcf6aa750847b490bdf647bcd16
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 23 20:38:57 2014 -0400

    Backport actual fixes from 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea
    not sure why upstream saw it necessary to lump in over a dozen
    comment and noop formatting changes into the same patch

 net/sctp/ulpevent.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit c7f8a70162218255cd8fc8d07b10fa643602f1ef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 23 20:33:27 2014 -0400

    Backport patch from https://lkml.org/lkml/2014/7/21/98
    for unmounting failure on symlinked dir

 fs/namei.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 518d403382773529dd5fa6fc0ca075e6520b0b73
Author: Daniel Borkmann <dborkman@redhat.com>
Date:   Tue Jul 22 15:22:45 2014 +0200

    Upstream commit: 1be9a950c646c9092fb3618197f7b6bfb50e82aa
    
    net: sctp: inherit auth_capable on INIT collisions
    
    Jason reported an oops caused by SCTP on his ARM machine with
    SCTP authentication enabled:
    
    Internal error: Oops: 17 [#1] ARM
    CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1
    task: c6eefa40 ti: c6f52000 task.ti: c6f52000
    PC is at sctp_auth_calculate_hmac+0xc4/0x10c
    LR is at sg_init_table+0x20/0x38
    pc : [<c024bb80>]    lr : [<c00f32dc>]    psr: 40000013
    sp : c6f538e8  ip : 00000000  fp : c6f53924
    r10: c6f50d80  r9 : 00000000  r8 : 00010000
    r7 : 00000000  r6 : c7be4000  r5 : 00000000  r4 : c6f56254
    r3 : c00c8170  r2 : 00000001  r1 : 00000008  r0 : c6f1e660
    Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 0005397f  Table: 06f28000  DAC: 00000015
    Process sctp-test (pid: 104, stack limit = 0xc6f521c0)
    Stack: (0xc6f538e8 to 0xc6f54000)
    [...]
    Backtrace:
    [<c024babc>] (sctp_auth_calculate_hmac+0x0/0x10c) from [<c0249af8>] (sctp_packet_transmit+0x33c/0x5c8)
    [<c02497bc>] (sctp_packet_transmit+0x0/0x5c8) from [<c023e96c>] (sctp_outq_flush+0x7fc/0x844)
    [<c023e170>] (sctp_outq_flush+0x0/0x844) from [<c023ef78>] (sctp_outq_uncork+0x24/0x28)
    [<c023ef54>] (sctp_outq_uncork+0x0/0x28) from [<c0234364>] (sctp_side_effects+0x1134/0x1220)
    [<c0233230>] (sctp_side_effects+0x0/0x1220) from [<c02330b0>] (sctp_do_sm+0xac/0xd4)
    [<c0233004>] (sctp_do_sm+0x0/0xd4) from [<c023675c>] (sctp_assoc_bh_rcv+0x118/0x160)
    [<c0236644>] (sctp_assoc_bh_rcv+0x0/0x160) from [<c023d5bc>] (sctp_inq_push+0x6c/0x74)
    [<c023d550>] (sctp_inq_push+0x0/0x74) from [<c024a6b0>] (sctp_rcv+0x7d8/0x888)
    
    While we already had various kind of bugs in that area
    ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if
    we/peer is AUTH capable") and b14878ccb7fa ("net: sctp: cache
    auth_enable per endpoint"), this one is a bit of a different
    kind.
    
    Giving a bit more background on why SCTP authentication is
    needed can be found in RFC4895:
    
      SCTP uses 32-bit verification tags to protect itself against
      blind attackers. These values are not changed during the
      lifetime of an SCTP association.
    
      Looking at new SCTP extensions, there is the need to have a
      method of proving that an SCTP chunk(s) was really sent by
      the original peer that started the association and not by a
      malicious attacker.
    
    To cause this bug, we're triggering an INIT collision between
    peers; normal SCTP handshake where both sides intend to
    authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO
    parameters that are being negotiated among peers:
    
      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      -------------------- COOKIE-ECHO -------------------->
      <-------------------- COOKIE-ACK ---------------------
    
    RFC4895 says that each endpoint therefore knows its own random
    number and the peer's random number *after* the association
    has been established. The local and peer's random number along
    with the shared key are then part of the secret used for
    calculating the HMAC in the AUTH chunk.
    
    Now, in our scenario, we have 2 threads with 1 non-blocking
    SEQ_PACKET socket each, setting up common shared SCTP_AUTH_KEY
    and SCTP_AUTH_ACTIVE_KEY properly, and each of them calling
    sctp_bindx(3), listen(2) and connect(2) against each other,
    thus the handshake looks similar to this, e.g.:
    
      ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
      <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
      <--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] -----------
      -------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] -------->
      ...
    
    Since such collisions can also happen with verification tags,
    the RFC4895 for AUTH rather vaguely says under section 6.1:
    
      In case of INIT collision, the rules governing the handling
      of this Random Number follow the same pattern as those for
      the Verification Tag, as explained in Section 5.2.4 of
      RFC 2960 [5]. Therefore, each endpoint knows its own Random
      Number and the peer's Random Number after the association
      has been established.
    
    In RFC2960, section 5.2.4, we're eventually hitting Action B:
    
      B) In this case, both sides may be attempting to start an
         association at about the same time but the peer endpoint
         started its INIT after responding to the local endpoint's
         INIT. Thus it may have picked a new Verification Tag not
         being aware of the previous Tag it had sent this endpoint.
         The endpoint should stay in or enter the ESTABLISHED
         state but it MUST update its peer's Verification Tag from
         the State Cookie, stop any init or cookie timers that may
         running and send a COOKIE ACK.
    
    In other words, the handling of the Random parameter is the
    same as behavior for the Verification Tag as described in
    Action B of section 5.2.4.
    
    Looking at the code, we exactly hit the sctp_sf_do_dupcook_b()
    case which triggers an SCTP_CMD_UPDATE_ASSOC command to the
    side effect interpreter, and in fact it properly copies over
    peer_{random, hmacs, chunks} parameters from the newly created
    association to update the existing one.
    
    Also, the old asoc_shared_key is being released and based on
    the new params, sctp_auth_asoc_init_active_key() updated.
    However, the issue observed in this case is that the previous
    asoc->peer.auth_capable was 0, and has *not* been updated, so
    that instead of creating a new secret, we're doing an early
    return from the function sctp_auth_asoc_init_active_key()
    leaving asoc->asoc_shared_key as NULL. However, we now have to
    authenticate chunks from the updated chunk list (e.g. COOKIE-ACK).
    
    That in fact causes the server side when responding with ...
    
      <------------------ AUTH; COOKIE-ACK -----------------
    
    ... to trigger a NULL pointer dereference, since in
    sctp_packet_transmit(), it discovers that an AUTH chunk is
    being queued for xmit, and thus it calls sctp_auth_calculate_hmac().
    
    Since the asoc->active_key_id is still inherited from the
    endpoint, and the same as encoded into the chunk, it uses
    asoc->asoc_shared_key, which is still NULL, as an asoc_key
    and dereferences it in ...
    
      crypto_hash_setkey(desc.tfm, &asoc_key->data[0], asoc_key->len)
    
    ... causing an oops. All this happens because sctp_make_cookie_ack()
    called with the *new* association has the peer.auth_capable=1
    and therefore marks the chunk with auth=1 after checking
    sctp_auth_send_cid(), but it is *actually* sent later on over
    the then *updated* association's transport that didn't initialize
    its shared key due to peer.auth_capable=0. Since control chunks
    in that case are not sent by the temporary association which
    are scheduled for deletion, they are issued for xmit via
    SCTP_CMD_REPLY in the interpreter with the context of the
    *updated* association. peer.auth_capable was 0 in the updated
    association (which went from COOKIE_WAIT into ESTABLISHED state),
    since all previous processing that performed sctp_process_init()
    was being done on temporary associations, that we eventually
    throw away each time.
    
    The correct fix is to update to the new peer.auth_capable
    value as well in the collision case via sctp_assoc_update(),
    so that in case the collision migrated from 0 -> 1,
    sctp_auth_asoc_init_active_key() can properly recalculate
    the secret. This therefore fixes the observed server panic.
    
    Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
    Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/associola.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit ca5e5e7be2c2ac1a63dd452737f4153e091a08f4
Merge: f330c45 3d2929f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 23 19:50:28 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3d2929f147f2ffc22b002dc231b08f9a5a2b2ec2
Merge: 3720f31 bc1f55e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 23 19:49:50 2014 -0400

    Update to pax-linux-3.14.13-test14.patch
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/mm/ioremap.c

commit f330c45dd600d50344123737a38c78ee308f0083
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Mon Jul 14 17:02:31 2014 -0700

    Upstream commit: 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf
    
    Yet another upstream silent security fix
    
    net/l2tp: don't fall back on UDP [get|set]sockopt
    
    The l2tp [get|set]sockopt() code has fallen back to the UDP functions
    for socket option levels != SOL_PPPOL2TP since day one, but that has
    never actually worked, since the l2tp socket isn't an inet socket.
    
    As David Miller points out:
    
      "If we wanted this to work, it'd have to look up the tunnel and then
       use tunnel->sk, but I wonder how useful that would be"
    
    Since this can never have worked so nobody could possibly have depended
    on that functionality, just remove the broken code and return -EINVAL.
    
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Acked-by: James Chapman <jchapman@katalix.com>
    Acked-by: David Miller <davem@davemloft.net>
    Cc: Phil Turnbull <phil.turnbull@oracle.com>
    Cc: Vegard Nossum <vegard.nossum@oracle.com>
    Cc: Willy Tarreau <w@1wt.eu>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 net/l2tp/l2tp_ppp.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 766f92e0d6038dbf4ae8899360a34102822731ce
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 15 16:40:36 2014 -0400

    fix more DMA-on-stack cases

 drivers/media/usb/dvb-usb/dvb-usb-firmware.c |   37 ++++++++++++++++++-------
 1 files changed, 26 insertions(+), 11 deletions(-)

commit ddac5115c289111ef49e423b8469d4cb869ec484
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 14 21:36:52 2014 -0400

    fix another case of DMA-on-stack

 drivers/media/usb/dvb-usb/technisat-usb2.c |   23 ++++++++++++++++-------
 1 files changed, 16 insertions(+), 7 deletions(-)

commit 74862a345cd9a0ce7646765c99189fa02332c577
Merge: 6a611fb 3720f31
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 19:46:40 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 3720f31caa078125d859581e7466f537cec58df2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 19:46:03 2014 -0400

    Update to pax-linux-3.14.12-test14.patch:
    - Emese fixed a size overflow false positive, reported by joe (http://forums.grsecurity.net/viewtopic.php?f=3&t=3997)

 .../insert_size_overflow_check_ipa.c               |   18 +++++++++++++-----
 .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
 2 files changed, 14 insertions(+), 6 deletions(-)

commit 6a611fb0732cc5a09d37051000cd48ce0d0aaeee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 11:30:26 2014 -0400

    fix another DMA-on-stack case

 drivers/usb/host/hwa-hc.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

commit bd22ea279d41af7f7dc14c8757dc1c10456fd5c0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 13 11:04:37 2014 -0400

    fix a number of callers to usb_control_msg() passing stack addresses for DMA
    caught by GRKERNSEC_KSTACKOVERFLOW and reported here:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=4003

 drivers/media/usb/dvb-usb/technisat-usb2.c |   52 +++++++++++++++++++++-------
 1 files changed, 39 insertions(+), 13 deletions(-)

commit 7bff0f98b564cf8facba0c0aa91122a5406d16dd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jul 10 00:04:50 2014 -0400

    compile fix

 net/ipv6/addrconf.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c2835e309e182c3aa32bdbdbb76a2eaf43b96e86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 9 23:14:19 2014 -0400

    Allow /proc/net/if_inet6 to be visible by non-root users -- it is needed
    on Fedora 20 and the contents are similar to those of the already-allowed
    /proc/net/dev

 fs/proc/proc_net.c  |   23 ++++++++++++++++++++++-
 net/ipv6/addrconf.c |    9 ++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

commit 7666f579a70c9ee3d24749dcfc7d0df6f656d5db
Merge: bb4146e 1e40a53
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 9 20:53:59 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 1e40a530badaa65fd4417e5973f43bfef8aeb584
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 9 20:53:04 2014 -0400

    Update to pax-linux-3.14.12-test13.patch

 .../size_overflow_plugin/size_overflow_hash.data   | 1353 ++++++++++++++++++--
 1 files changed, 1267 insertions(+), 86 deletions(-)

commit 3b22cd42e6dc4484b1698601d57695a2c5ff2d4a
Merge: 287408d c0cbbde
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jul 9 20:50:41 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit bb4146e290b1d2dfd4acbb495ef6e6a85ac275e5
Author: nikolay@redhat.com <nikolay@redhat.com>
Date:   Sat Apr 6 00:54:37 2013 +0000

    fix bad merge spotted by minipli, would result in a crash on
    bonding device removal
    
    Revert "bonding: remove sysfs before removing devices"
    
    This reverts commit 4de79c737b200492195ebc54a887075327e1ec1d.
    
    This patch introduces a new bug which causes access to freed memory.
    In bond_uninit: list_del(&bond->bond_list);
    bond_list is linked in bond_net's dev_list which is freed by
    unregister_pernet_subsys.
    
    Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	drivers/net/bonding/bond_main.c

 drivers/net/bonding/bond_main.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit cabfce0d20e2ead0496614d5079d055c3a85add0
Author: David S. Miller <davem@davemloft.net>
Date:   Wed Nov 14 22:32:15 2012 -0500

    Revert "drivers/net/phy/mdio-bitbang.c: Call mdiobus_unregister before mdiobus_free"
    
    This reverts commit aa731872f7d33dcb8b54dad0cfb82d4e4d195d7e.
    
    As pointed out by Ben Hutchings, this change is not correct.
    
    mdiobus_unregister() can't be called if the bus isn't registered yet,
    however this change can result in situations which cause that to
    happen.
    
    Part of the confusion here revolves around the fact that the
    callers of this module control registration/unregistration,
    rather than the module itself.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/phy/mdio-bitbang.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 4e634202ffed75eebb5b74b5dce7cbe073daf9a9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 7 20:40:33 2014 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   | 1353 ++++++++++++++++++--
 1 files changed, 1267 insertions(+), 86 deletions(-)

commit e5f0b45ce9b381707c6bf9e5f6c25d27ecbd4db4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 7 17:22:16 2014 -0400

    fix gcc warning

 net/netfilter/nf_conntrack_core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e3a62f9608c2f23553892f38cb7924e6f9b1c983
Merge: a5f062c 287408d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 7 16:19:29 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit 287408de06d1b7b2f251131f7f8c1899a15961b1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 7 16:18:08 2014 -0400

    Update to pax-linux-3.14.11-test13.patch:
    - forward port to 3.14.11
    - marked the amd64 version of fls64 with __intentional_overflow
    - fixed a few warnings in virtio_net.c due L1_CACHE_BYTES being an unsigned long under PaX

 arch/x86/include/asm/bitops.h                      |    2 +-
 drivers/net/virtio_net.c                           |    2 +-
 .../size_overflow_plugin/size_overflow_hash.data   |    1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

commit a5f062cf1612487c3c95fb43224100d27c47b7ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jul 7 16:07:41 2014 -0400

    Backport extra commit for safety's sake:
    commit f302b21ee907f65af6434d8618d2c1a921c02d48
    Author: Andy Lutomirski <luto@amacapital.net>
    Date:   Wed Jul 2 14:52:55 2014 -0700
    
        x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    
        Don't allow ptrace to set RIP to a value that couldn't happen by
        ordinary control flow. There are CPU bugs^Wfeatures that can have
        interesting effects if RIP is non-canonical.
    
        I didn't make the corresponding x86_32 change, since x86_32 has no
        concept of canonical addresses.
    
        putreg32 doesn't need this fix: value is only 32 bits, so it can't
        be non-canonical.
    
        Fixes CVE-2014-4699.  There are arguably still bugs here, but this
        fixes the major issue.
    
        Signed-off-by: Andy Lutomirski <luto@amacapital.net>
        CVE-2014-4699
        BugLink: http://bugs.launchpad.net/bugs/1337339
        Acked-by: Andy Whitcroft <apw@canonical.com>
        Signed-off-by: John Johansen <john.johansen@canonical.com>
        Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

 arch/x86/kernel/ptrace.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

commit 4f0874139a5d0b7689823b93993d2137f9971359
Merge: 1c22c1a 4b4a316
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 6 23:08:34 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit 4b4a3166c3a51a1b16c027c627ac37a4e0069da4
Merge: d28058d ff694e2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jul 6 23:08:15 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2

commit 1c22c1a0cc084823656f852df34ca4c7a41162bc
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Jul 3 16:06:57 2014 -0700

    Upstream commit: 4a3a99045177369700c60d074c0e525e8093b0fc
    
    lz4: add overrun checks to lz4_uncompress_unknownoutputsize()
    
    Jan points out that I forgot to make the needed fixes to the
    lz4_uncompress_unknownoutputsize() function to mirror the changes done
    in lz4_decompress() with regards to potential pointer overflows.
    
    The only in-kernel user of this function is the zram code, which only
    takes data from a valid compressed buffer that it made itself, so it's
    not a big issue.  But due to external kernel modules using this
    function, it's better to be safe here.
    
    Reported-by: Jan Beulich <JBeulich@suse.com>
    Cc: "Don A. Bailey" <donb@securitymouse.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/lz4/lz4_decompress.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit dc5d474fb3e83d58f62e005d75c46af11f191158
Author: Tejun Heo <tj@kernel.org>
Date:   Thu Jul 3 15:43:15 2014 -0400

    Upstream commit: b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a
    
    ptrace,x86: force IRET path after a ptrace_stop()
    
    The 'sysret' fastpath does not correctly restore even all regular
    registers, much less any segment registers or reflags values.  That is
    very much part of why it's faster than 'iret'.
    
    Normally that isn't a problem, because the normal ptrace() interface
    catches the process using the signal handler infrastructure, which
    always returns with an iret.
    
    However, some paths can get caught using ptrace_event() instead of the
    signal path, and for those we need to make sure that we aren't going to
    return to user space using 'sysret'.  Otherwise the modifications that
    may have been done to the register set by the tracer wouldn't
    necessarily take effect.
    
    Fix it by forcing IRET path by setting TIF_NOTIFY_RESUME from
    arch_ptrace_stop_needed() which is invoked from ptrace_stop().
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/x86/include/asm/ptrace.h |   16 ++++++++++++++++
 include/linux/ptrace.h        |    3 +++
 2 files changed, 19 insertions(+), 0 deletions(-)

commit cd90f3e16e3ede621679421e2c868caceb3dc4df
Author: Jan Kara <jack@suse.cz>
Date:   Sun Jun 15 23:46:28 2014 -0400

    Upstream commit: c5c7b8ddfbf8cb3b2291e515a34ab1b8982f5a2d
    
    ext4: Fix buffer double free in ext4_alloc_branch()
    
    Error recovery in ext4_alloc_branch() calls ext4_forget() even for the
    buffer corresponding to an indirect block it did not allocate. This leads
    to brelse() being called twice for that buffer (once from ext4_forget()
    and once from cleanup in ext4_ind_map_blocks()), leading to buffer use
    count misaccounting. Eventually (but often much later because there
    are other users of the buffer) we will see messages like:
    VFS: brelse: Trying to free free buffer
    
    Another manifestation of this problem is an error:
    JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh);
    inconsistent data on disk
    
    The fix is easy - don't forget the buffer we did not allocate. Also add an
    explanatory comment because the indexing at ext4_alloc_branch() is
    somewhat subtle.
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org

 fs/ext4/indirect.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

commit 20633d8169d9240b9f5b7146aa2c2784f3459f85
Author: Jan Kara <jack@suse.cz>
Date:   Thu Jun 26 12:28:57 2014 -0400

    Upstream commit: 77ea2a4ba657a1ad4fb7c64bc5cdce84b8a132b6
    
    ext4: Fix block zeroing when punching holes in indirect block files
    
    free_holes_block() passed a local variable as a block pointer
    to ext4_clear_blocks(). Thus ext4_clear_blocks() zeroed out this local
    variable instead of the proper place in the inode / indirect block. We later
    zero out the proper place in the inode / indirect block but don't dirty the
    inode / buffer again, which can lead to subtle issues (some changes, e.g.
    to the inode, can be lost).
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>

 fs/ext4/indirect.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit db57fe4b1a98e0974ff85160d80444bd5f708b07
Author: Jan Kara <jack@suse.cz>
Date:   Thu Jun 26 12:30:54 2014 -0400

    Upstream commit: a93cd4cf86466caa49cfe64607bea7f0bde3f916
    
    ext4: Fix hole punching for files with indirect blocks
    
    Hole punching code for files with indirect blocks wrongly computed the
    number of blocks which need to be cleared when traversing the indirect
    block tree. That could result in punching more blocks than actually
    requested and thus effectively cause data loss. For example:
    
    fallocate -n -p 10240000 4096
    
    will punch the range 10240000 - 12632064 instead of the range 1024000 -
    10244096. Fix the calculation.
    
    CC: stable@vger.kernel.org
    Fixes: 8bad6fc813a3a5300f51369c39d315679fd88c72
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>

 fs/ext4/indirect.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

commit 1eb65fff52d3fb8c579885a1ca9bd58ce07ead5e
Author: Will Deacon <will.deacon@arm.com>
Date:   Fri Jun 27 17:01:47 2014 +0100

    Upstream commit: 42309ab450b608ddcfafa90e4cfa93a5001ecfba
    
    ARM: 8087/1: ptrace: reload syscall number after secure_computing() check
    
    On the syscall tracing path, we call out to secure_computing() to allow
    seccomp to check the syscall number being attempted. As part of this, a
    SIGTRAP may be sent to the tracer and the syscall could be re-written by
    a subsequent SET_SYSCALL ptrace request. Unfortunately, this new syscall
    is ignored by the current code unless TIF_SYSCALL_TRACE is also set on
    the current thread.
    
    This patch slightly reworks the enter path of the syscall tracing code
    so that we always reload the syscall number from
    current_thread_info()->syscall after the potential ptrace traps.
    
    Acked-by: Kees Cook <keescook@chromium.org>
    Tested-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

 arch/arm/kernel/ptrace.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

commit 281c508e6a8e458e6217f84a7683b81dea5d239d
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jun 26 00:44:02 2014 -0700

    Upstream commit: 07b0f00964def8af9321cfd6c4a7e84f6362f728
    
    bnx2x: fix possible panic under memory stress
    
    While it is legal to kfree(NULL), it is not wise to use:
    put_page(virt_to_head_page(NULL))
    
     BUG: unable to handle kernel paging request at ffffeba400000000
     IP: [<ffffffffc01f5928>] virt_to_head_page+0x36/0x44 [bnx2x]
    
    Reported-by: Michel Lespinasse <walken@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Ariel Elior <ariel.elior@qlogic.com>
    Fixes: d46d132cc021 ("bnx2x: use netdev_alloc_frag()")
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 7618307ae6047feaccf1fe2939e5b9669c0490f9
Merge: 23ae677 d28058d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 1 18:31:19 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2
    
    Conflicts:
    	tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit d28058dee0a4ddc49d442beda550fa59b33727de
Merge: f79b52f bbae7ad
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jul 1 18:27:39 2014 -0400

    Update to pax-linux-3.14.10-test13.patch:
    - forward port to 3.14.10
    - reverted an old compiler warning fix now causing problems with PCI device enumeration, reported by /dev/random (http://forums.grsecurity.net/viewtopic.php?f=3&t=3989)
    
    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	arch/x86/kernel/entry_32.S

commit 23ae6776383230e514d1a6b63a459b70e6c507c5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 29 18:11:08 2014 -0400

    revert PCI_ANY_ID change to fix problem with vgaswitcheroo as reported by
    /dev/random here:
    https://forums.grsecurity.net/viewtopic.php?f=3&t=3989

 include/linux/mod_devicetable.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 0804eaadac6e20536718662674e8e00af805d7ee
Author: Zhaowei Yuan <zhaowei.yuan@samsung.com>
Date:   Wed Jun 18 14:33:59 2014 +0800

    Upstream commit: 1539fb9bd405ee32282ea0a38404f9e008ac5b7a
    
    drm: fix NULL pointer access by wrong ioctl
    
    If a user uses a wrong ioctl command with _IOC_NONE and an argument size
    greater than 0, it can cause a NULL pointer access from the memset at line
    463. If _IOC_NONE, don't memset kdata to 0.
    
    Signed-off-by: Zhaowei Yuan <zhaowei.yuan@samsung.com>
    Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    
    Conflicts:
    
    	drivers/gpu/drm/drm_drv.c

 drivers/gpu/drm/drm_drv.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 848113456052b4bd7c0c888cb46cdf53250f033d
Author: Andrzej Zaborowski <andrew.zaborowski@intel.com>
Date:   Mon Jun 9 16:50:40 2014 +0200

    Upstream commit: 783ee43118dc773bc8b0342c5b230e017d5a04d0
    
    efi-pstore: Fix an overflow on 32-bit builds
    
    In generic_id the long int timestamp is multiplied by 100000 and needs
    an explicit cast to u64.
    
    Without that the id in the resulting pstore filename is wrong and
    userspace may have problems parsing it, but more importantly files in
    pstore can never be deleted and may fill the EFI flash (brick device?).
    This happens because when generic pstore code wants to delete a file,
    it passes the id to the EFI backend which reinterprets it and a wrong
    variable name is attempted to be deleted.  There's no error message but
    after remounting pstore, deleted files would reappear.
    
    Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
    Acked-by: David Rientjes <rientjes@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>

 drivers/firmware/efi/efi-pstore.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b3db03e804af5c06976177ef5300a9f7a18f61e1
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Jun 24 16:59:01 2014 -0400

    Upstream commit: 4148c1f67abf823099b2d7db6851e4aea407f5ee
    
    lz4: fix another possible overrun
    
    There is one other possible overrun in the lz4 code as implemented by
    Linux at this point in time (which differs from the upstream lz4
    codebase, but will get synced up in a future kernel release.)  As
    pointed out by Don, we also need to check the overflow in the data
    itself.
    
    While we are at it, replace the odd error return value with just a
    "simple" -1 value as the return value is never used for anything other
    than a basic "did this work or not" check.
    
    Reported-by: "Don A. Bailey" <donb@securitymouse.com>
    Reported-by: Willy Tarreau <w@1wt.eu>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/lz4/lz4_decompress.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

commit a14dee588fa0ec05a7b262a1fa2df3d8dadd289c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 26 20:32:58 2014 -0400

    Backport fix for refcount vuln in aio from https://lkml.org/lkml/2014/6/24/619

 fs/aio.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

commit c020f8245d07025ddb95734b2cc522bc6dbc498e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 26 20:31:15 2014 -0400

    Backport infoleak security fix from: https://lkml.org/lkml/2014/6/24/623

 fs/aio.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 625e5fc66eb73067fd554282d7ca9756fd592040
Merge: 45c984e f79b52f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 26 16:43:18 2014 -0400

    Merge branch 'pax-stable2' into grsec-stable2

commit f79b52f91120c85bf661b4b8ec5ead0bffb542d0
Merge: b8ae816 47026b1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 26 16:42:59 2014 -0400

    Merge branch 'linux-3.14.y' into pax-stable2
    
    Conflicts:
    	include/net/inetpeer.h
    	net/ipv6/output_core.c

commit 45c984e7289230661052a0b28edb401c1207c76f
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jun 24 10:05:11 2014 -0700

    Upstream commit: f88649721268999bdff09777847080a52004f691
    
    ipv4: fix dst race in sk_dst_get()
    
    When the IP route cache was removed in linux-3.6, we broke the assumption
    that dst entries were all freed after an rcu grace period. DST_NOCACHE
    dst were supposed to be freed from dst_release(). But it appears
    we want to keep such dst around, either in UDP sockets or tunnels.
    
    In sk_dst_get() we need to make sure dst refcount is not 0
    before incrementing it, or else we might end up freeing a dst
    twice.
    
    DST_NOCACHE set on a dst does not mean this dst cannot be attached
    to a socket or a tunnel.
    
    Then, before actual freeing, we need to observe a rcu grace period
    to make sure all other cpus can catch the fact the dst is no longer
    usable.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dormando <dormando@rydia.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/sock.h   |    4 ++--
 net/core/dst.c       |   16 +++++++++++-----
 net/ipv4/ip_tunnel.c |   14 +++++---------
 3 files changed, 18 insertions(+), 16 deletions(-)

commit 0bc2a9839d0b4dc4e29f7b33b2d8306c7e3a86d0
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Jun 20 22:01:41 2014 -0700

    Upstream commit: 206204a1162b995e2185275167b22468c00d6b36
    
    lz4: ensure length does not wrap
    
    Given some pathologically compressed data, lz4 could possibly decide to
    wrap a few internal variables, causing unknown things to happen.  Catch
    this before the wrapping happens and abort the decompression.
    
    Reported-by: "Don A. Bailey" <donb@securitymouse.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/lz4/lz4_decompress.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
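
As an added illustration, not code from lib/lz4 or from this changelog: a constructed C model of the checked length decoding that the three lz4 commits above ("add overrun checks to lz4_uncompress_unknownoutputsize()", "fix another possible overrun", "ensure length does not wrap") describe. Function names, the sample byte strings and the per-byte wrap check are the model's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Token nibble value meaning "the length continues in the following bytes". */
#define LZ4_RUN_MASK 15

/*
 * Read an LZ4 extended length. *ip points just past the token, iend one past
 * the last input byte. Each extension byte is bounds-checked before it is
 * read, and the running total is checked for wrap before every addition,
 * which is the shape of the "ensure length does not wrap" and "add overrun
 * checks" fixes. Returns 0 (updating *ip and *length) or -1 on error.
 */
static int lz4_read_length(const uint8_t **ip, const uint8_t *iend,
                           unsigned token_nibble, size_t *length)
{
    const uint8_t *p = *ip;
    size_t len = token_nibble;
    uint8_t s;

    if (token_nibble == LZ4_RUN_MASK) {
        do {
            if (p >= iend)            /* extension bytes run past the input */
                return -1;
            s = *p++;
            if (len > SIZE_MAX - s)   /* the addition below would wrap */
                return -1;
            len += s;
        } while (s == 255);
    }
    *ip = p;
    *length = len;
    return 0;
}

/*
 * Decode one literal run (token, extension bytes, literal data) from in into
 * out. Returns the number of literals copied, or -1 when the encoded length
 * exceeds what is left in the input or what fits in the output: the check on
 * "the overflow in the data itself". *consumed receives the input bytes used.
 * The token's low nibble (match length) is not modelled.
 */
static long lz4_literals(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap, size_t *consumed)
{
    const uint8_t *ip = in, *iend = in + in_len;
    size_t length;
    unsigned token;

    if (ip >= iend)
        return -1;
    token = *ip++;
    if (lz4_read_length(&ip, iend, token >> 4, &length) != 0)
        return -1;
    if (length > (size_t)(iend - ip) || length > out_cap)
        return -1;
    memcpy(out, ip, length);
    *consumed = (size_t)(ip - in) + length;
    return (long)length;
}

/* Decode only the length encoded at the start of buf, or -1 on error. */
static long lz4_length_of(const uint8_t *buf, size_t n)
{
    const uint8_t *ip = buf, *iend = buf + n;
    size_t length;
    unsigned token;

    if (n == 0)
        return -1;
    token = *ip++;
    if (lz4_read_length(&ip, iend, token >> 4, &length) != 0)
        return -1;
    return (long)length;
}

/* Constructed sample inputs, not real compressed streams. */
static const uint8_t lz4_sample_short[]     = { 0x50 };              /* nibble 5 -> 5 */
static const uint8_t lz4_sample_extended[]  = { 0xF0, 255, 255, 3 }; /* 15+255+255+3 = 528 */
static const uint8_t lz4_sample_truncated[] = { 0xF0, 255, 255 };    /* extension cut off */
static const uint8_t lz4_sample_literals[]  = { 0x20, 'a', 'b' };    /* two literals */
static const uint8_t lz4_sample_overrun[]   = { 0x30, 'a', 'b' };    /* claims 3, has 2 */
```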

commit 379045b80e8ce91b4cb240c24d6254ae99f7a1f1
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Jun 20 22:00:53 2014 -0700

    Upstream commit: 206a81c18401c0cde6e579164f752c4b147324ce
    
    lzo: properly check for overruns
    
    The lzo decompressor can, if given some really crazy data, possibly
    overrun some variable types.  Modify the checking logic to properly
    detect overruns before they happen.
    
    Reported-by: "Don A. Bailey" <donb@securitymouse.com>
    Tested-by: "Don A. Bailey" <donb@securitymouse.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/lzo/lzo1x_decompress_safe.c |   62 +++++++++++++++++++++++++-------------
 1 files changed, 41 insertions(+), 21 deletions(-)

commit 1009c8f7785975e35beb95f785d14a406dfd6767
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 23 21:07:10 2014 -0400

    change vunmap documentation back, it was changed when I was exploring
    a simpler approach to the KSTACKOVERFLOW problem

 mm/vmalloc.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c7526f3374d087b7fb555e487755e175040401d5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 22 17:45:49 2014 -0400

    apply patch from http://marc.info/?l=linux-fsdevel&m=140128600801771&w=2
    to ensure "hidden" files can't be created due to get_next_ino returning an inode of 0

 fs/inode.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit 2ff392e6da4f4cf4f711199aedd4b5819dded7dc
Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date:   Mon Nov 18 04:20:45 2013 +0100

    Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69
    (prevented by our recvmsg clearing)
    
    inet: prevent leakage of uninitialized memory to user in recv syscalls
    
    Only update *addr_len when we actually fill in sockaddr, otherwise we
    can return uninitialized memory from the stack to the caller in the
    recvfrom, recvmmsg and recvmsg syscalls. Drop the (addr_len == NULL)
    checks because we only get called with a valid addr_len pointer either
    from sock_common_recvmsg or inet_recvmsg.
    
    If a blocking read waits on a socket which is concurrently shut down we
    now return zero and set msg_msgnamelen to 0.
    
    Reported-by: mpb <mpb.mail@gmail.com>
    Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	net/ipv4/ping.c
    	net/phonet/datagram.c

 net/ieee802154/dgram.c |    3 +--
 net/ipv4/ping.c        |   11 ++---------
 net/ipv4/raw.c         |    4 +---
 net/ipv4/udp.c         |    7 +------
 net/ipv6/raw.c         |    4 +---
 net/ipv6/udp.c         |    5 +----
 net/l2tp/l2tp_ip.c     |    4 +---
 7 files changed, 8 insertions(+), 30 deletions(-)
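
Added example, not the kernel's code: a constructed C model of the pre-fix and post-fix receive paths from the commit above, with a syscall-layer caller that copies *addr_len bytes out of a stack buffer. Type and function names are the model's own, and stale stack contents are simulated with 0xAA bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel types; field names are the model's own. */
struct m_sockaddr_in {
    uint16_t sin_family;
    uint16_t sin_port;
    uint32_t sin_addr;
};

/* What the protocol receive path sees: a datagram, or a shut-down socket. */
struct m_datagram {
    bool available;
    uint32_t src_addr;
    uint16_t src_port;
};

typedef int (*m_recv_fn)(const struct m_datagram *, struct m_sockaddr_in *, int *);

/* Pre-fix shape: *addr_len is set up front, before it is known whether any
 * sockaddr will be written. When the socket was shut down the function
 * returns early and the caller later copies addr_len never-written bytes. */
static int recv_vulnerable(const struct m_datagram *dg, struct m_sockaddr_in *sin, int *addr_len)
{
    if (addr_len)
        *addr_len = sizeof(*sin);
    if (!dg->available)
        return 0;
    sin->sin_family = 2;
    sin->sin_port = dg->src_port;
    sin->sin_addr = dg->src_addr;
    return 1;
}

/* Post-fix shape: the length is reported only after the sockaddr is filled,
 * and the (addr_len == NULL) check is gone because callers always pass one. */
static int recv_fixed(const struct m_datagram *dg, struct m_sockaddr_in *sin, int *addr_len)
{
    if (!dg->available)
        return 0;
    sin->sin_family = 2;
    sin->sin_port = dg->src_port;
    sin->sin_addr = dg->src_addr;
    *addr_len = sizeof(*sin);
    return 1;
}

/* Syscall-layer model: the sockaddr lives in a stack buffer and addr_len
 * bytes of it are copied back to the caller. Stale stack contents are
 * simulated by filling the buffer with 0xAA; returns the reported length. */
static int syscall_recvfrom(m_recv_fn proto_recv, const struct m_datagram *dg,
                            uint8_t *user_out, size_t user_cap)
{
    union {
        struct m_sockaddr_in sin;
        uint8_t raw[32];
    } address;
    int addr_len = 0;
    size_t n;

    memset(address.raw, 0xAA, sizeof address.raw);
    proto_recv(dg, &address.sin, &addr_len);
    if (addr_len > 0) {
        n = (size_t)addr_len < user_cap ? (size_t)addr_len : user_cap;
        memcpy(user_out, address.raw, n);   /* leaks stale bytes if nothing was written */
    }
    return addr_len;
}

/* Constructed inputs: a shut-down socket and one delivered datagram. */
static const struct m_datagram m_no_datagram = { false, 0, 0 };
static const struct m_datagram m_one_datagram = { true, 0x7f000001u, 4242 };

int main(void)
{
    uint8_t out[32];
    int n = syscall_recvfrom(recv_vulnerable, &m_no_datagram, out, sizeof out);

    printf("vulnerable, socket shut down: reported %d bytes, first byte 0x%02x\n",
           n, n > 0 ? out[0] : 0);
    n = syscall_recvfrom(recv_fixed, &m_no_datagram, out, sizeof out);
    printf("fixed, socket shut down: reported %d bytes\n", n);
    return 0;
}
```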

commit 2553ed5128989389bdffb7243e666f9578fc21ca
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 22 12:26:30 2014 -0400

    move grkernsec_setxid flag on mips into the LSW to match header documentation

 arch/mips/include/asm/thread_info.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit a3a00beb6f810b53c5e1d68080c79cee3acb2922
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 22 00:47:05 2014 -0400

    fix !GRKERNSEC_KSTACKOVERFLOW compilation

 include/linux/vmalloc.h |    2 ++
 mm/vmalloc.c            |   10 ++++++++++
 2 files changed, 12 insertions(+), 0 deletions(-)

commit c444c2b5a57302d51a2cfbe2b9df83420d9d7ee4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Jun 21 23:17:23 2014 -0400

    Fix GRKERNSEC_KSTACKOVERFLOW incompatibility with virtio_net and other more
    rare drivers.  Unfortunately to resolve the problem we had to choose between
    invasive changes to dozens of call-sites and continued future maintenance work,
    or rearchitecting the feature to be able to handle the uses seamlessly.  With
    some tips from pipacs, I chose the latter.
    
    Various drivers including virtio_net use scatterlists derived from stack-based
    buffers (e.g. as an argument to sg_set_buf/sg_init_one).  The scatterlist API
    requires that these buffers be in the kernel image or in kmalloc'd buffers,
    which caused a problem when vmalloc'd stacks were used due to
    GRKERNSEC_KSTACKOVERFLOW.  What we do now is keep the original lowmem kstack
    allocation and then perform a THREAD_SIZE-aligned vmapped alias of the lowmem
    kstack's physical pages.  We also restore kernel stack accounting by using
    this method.  The downside is the existence of the lowmem kstack mapping, but
    the security guarantees of the feature are preserved.
    
    In sg_set_buf() (called by sg_init_one and directly) we now check to see if
    the buffer is on the current kernel stack.  If it is, then we redirect the API
    to the lowmem alias of the kernel stack, preserving its assumptions.
    
    Since the unmapping of the virtual alias can sleep, we need to schedule it
    when called in interrupt context similar to before with vfree.  Unlike before
    however, the contents of the alias depend on the lowmem physical pages, so
    we also need to defer the execution of free_thread_info().
    
    We also have added a temporary debugging measure for this feature by
    adding a BUG_ON() to virt_to_page() to ensure we're not using a vmapped kernel
    stack address for APIs needing lowmem buffers -- this way we can be notified
    of any other APIs that need similar redirection.
    
    Thanks to kocka for assisting with some initial qemu/kernel debugging.
    
    Conflicts:
    
    	include/linux/scatterlist.h
    	include/linux/vmalloc.h
    	kernel/fork.c
    	mm/vmalloc.c

 arch/x86/include/asm/page.h |   12 ++++++-
 include/linux/scatterlist.h |    7 ++++
 include/linux/sched.h       |    5 ++-
 include/linux/vmalloc.h     |    3 +-
 kernel/fork.c               |   75 +++++++++++++++++++++++++++++++-----------
 mm/vmalloc.c                |   62 ++++++++++++++++++++++++++++++-----
 6 files changed, 132 insertions(+), 32 deletions(-)
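
Added example, not grsecurity's code: a constructed C model of the sg_set_buf() redirection and the virt_to_page() BUG_ON() described in the commit above. The task field names, the 16 KiB THREAD_SIZE and the two backing arrays are the model's assumptions; in the kernel the alias and the lowmem stack map the same physical pages, while the model only reproduces the address translation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stack size of the model. 16 KiB matches the x86_64 "expand kernel stack
 * to 16K" backport listed later in this log; any power of two works here. */
#define THREAD_SIZE (16UL * 1024)

/* Minimal stand-in for the task fields the description implies (names assumed). */
struct model_task {
    unsigned char *stack;         /* THREAD_SIZE-aligned vmapped alias the task runs on */
    unsigned char *lowmem_stack;  /* original lowmem allocation whose pages the alias maps */
};

/* Backing storage for one sample task and for a non-stack buffer. */
static unsigned char model_lowmem_pages[THREAD_SIZE];
static unsigned char model_vmapped_alias[THREAD_SIZE];
static unsigned char model_heap_buffer[64];

static struct model_task model_task_sample(void)
{
    struct model_task t = { model_vmapped_alias, model_lowmem_pages };
    return t;
}

/* True when [addr, addr+len) lies entirely inside the task's vmapped stack. */
static bool on_vmapped_stack(const struct model_task *cur, const void *addr, size_t len)
{
    uintptr_t a = (uintptr_t)addr;
    uintptr_t s = (uintptr_t)cur->stack;

    return a >= s && len <= THREAD_SIZE && a - s <= THREAD_SIZE - len;
}

/* The redirection the commit describes in sg_set_buf(): a buffer on the
 * vmapped kernel stack is handed to the scatterlist API as its lowmem alias,
 * so the API's "kernel image or kmalloc'd buffer" assumption still holds.
 * Buffers anywhere else are returned unchanged. */
static const void *sg_buf_for(const struct model_task *cur, const void *buf, size_t len)
{
    if (!on_vmapped_stack(cur, buf, len))
        return buf;
    return cur->lowmem_stack + ((const unsigned char *)buf - cur->stack);
}

/* Model of the temporary BUG_ON() added to virt_to_page(): returns false
 * where the kernel would BUG, i.e. when a vmapped stack address reaches an
 * API that needs a lowmem buffer without having been redirected first. */
static bool virt_to_page_accepts(const struct model_task *cur, const void *addr)
{
    return !on_vmapped_stack(cur, addr, 1);
}

int main(void)
{
    struct model_task t = model_task_sample();
    unsigned char *stack_buf = t.stack + 256;   /* e.g. a local in a driver */
    const void *redirected = sg_buf_for(&t, stack_buf, 64);

    printf("stack buffer %p -> lowmem alias %p (virt_to_page would BUG on the original: %s)\n",
           (void *)stack_buf, (void *)redirected,
           virt_to_page_accepts(&t, stack_buf) ? "no" : "yes");
    return 0;
}
```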

commit 60befc902c6f0af93b37c3296e219c5db09206fc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 13:14:18 2014 -0400

    shmem: fix faulting into a hole while it's punched
    
    Trinity finds that mmap access to a hole while it's punched from shmem can
    prevent the madvise(MADV_REMOVE) or fallocate(FALLOC_FL_PUNCH_HOLE) from
    completing, until the reader chooses to stop; with the puncher's hold on
    i_mutex locking out all other writers until it can complete.
    
    It appears that the tmpfs fault path is too light in comparison with its
    hole-punching path, lacking an i_data_sem to obstruct it; but we don't
    want to slow down the common case.
    
    Extend shmem_fallocate()'s existing range notification mechanism, so
    shmem_fault() can refrain from faulting pages into the hole while it's
    punched, waiting instead on i_mutex (when safe to sleep; or repeatedly
    faulting when not).
    
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Tested-by: Sasha Levin <sasha.levin@oracle.com>
    Cc: Dave Jones <davej@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

 mm/shmem.c |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 files changed, 51 insertions(+), 4 deletions(-)

commit acccccdea02e1bdde09f762fc4bf934682c936fd
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 13:12:03 2014 -0400

    Fix bad git merge caused by recent upstream backport, reported by ncopa:
    http://forums.grsecurity.net/viewtopic.php?t=3982&p=14104#p14104

 net/ipv4/ping.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 4d1c8be26151402e6ca25c72a8c47659eff32eef
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 11:57:30 2014 -0400

    fix infoleak in raid5 slab cache names reported by Philippe Ganon

 drivers/md/raid5.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 4f4a90a91011543a001d010933a2056ec6a0889c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 11:31:07 2014 -0400

    in_nmi -> in_interrupt

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b160ff4b2a2514036a88e431c781b4d4aba01b61
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 10:34:21 2014 -0400

    as reported by Mathias Krause, perf needs to use copy_to/from_user in
    NMI context, using the appropriate _nmi versions of the routines.  Only
    BUG() if we're not in interrupt context

 fs/exec.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit dff3cefd077081187da487d2c75515623be50ba4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 10:01:17 2014 -0400

    add missing include

 fs/fhandle.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 0f6030872e22b4ce5a75200f98439a225191bd24
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 19 09:51:38 2014 -0400

    Disable access to file handles inside chroots as part of GRKERNSEC_CHROOT_FCHDIR, as
    stealth's attack on docker containers also works against grsec chroots with uid 0 and
    CAP_DAC_READ_SEARCH inside.  Only the test patch was affected.

 fs/fhandle.c               |    2 +-
 grsecurity/Kconfig         |    8 +++++---
 grsecurity/grsec_chroot.c  |   17 +++++++++++++++++
 include/linux/grmsg.h      |    1 +
 include/linux/grsecurity.h |    1 +
 5 files changed, 25 insertions(+), 4 deletions(-)

commit 93663afb9c6a255dc7c66d19b3035a03224504a7
Merge: e14c4ee b8ae816
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 18 23:21:01 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
    	arch/mips/include/asm/thread_info.h
    	fs/namei.c
    	kernel/capability.c

commit b8ae816df9130ebba2ab22eb964afa5cce332e1c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 18 22:51:39 2014 -0400

    Update to pax-linux-3.14.8-test13.patch:
    - added detection for more broken CC/HOSTCC combinations, reported by GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3973)
    - updated *FS_XATTR selection for PAX_XATTR_PAX_FLAGS, triggered by a discussion on gentoo-hardened (http://marc.info/?t=140267048800002)

 include/net/inetpeer.h |    2 +-
 mm/memory-failure.c    |    2 +-
 scripts/gcc-plugin.sh  |   35 +++++++++++++++++++++++++++++++----
 security/Kconfig       |    2 +-
 4 files changed, 34 insertions(+), 7 deletions(-)

commit 27afc16f2bc022c188c720c785b3de7c3fa3245f
Merge: 47c0d28 0c5b3b8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Jun 18 22:49:31 2014 -0400

    Merge branch 'linux-3.14.y' into pax-test

commit e14c4ee0e76a8e48156c016e00fe06c724c7f160
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Wed May 28 23:09:58 2014 -0400

    Upstream commit: a3c54931199565930d6d84f4c3456f6440aefd41
    
    auditsc: audit_krule mask accesses need bounds checking
    
    Fixes an easy DoS and possible information disclosure.
    
    This does nothing about the broken state of x32 auditing.
    
    eparis: If the admin has enabled auditd and has specifically loaded
    audit rules.  This bug has been around since before git.  Wow...
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: Eric Paris <eparis@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 kernel/auditsc.c |   27 ++++++++++++++++++---------
 1 files changed, 18 insertions(+), 9 deletions(-)

commit 94675ecc3f966e380d3c5c927917de722454b472
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 10 12:54:50 2014 -0400

    update size_overflow hash table

 .../size_overflow_plugin/size_overflow_hash.data   |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 25882334b3df7b7b6fdf47793458cb914c7f43b9
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 10 10:45:35 2014 -0400

    fix typo

 include/net/inetpeer.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e46521e6c87f5425ed9b61c3f5101fc729dfa65f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 10 10:01:00 2014 -0400

    fix !x86 compilation, reported by Blake Self

 fs/exec.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

commit 3f0358f8a2c4c3af2008a0d63e7472805c42f83e
Merge: 9e87724 47c0d28
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 10 09:57:01 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
    	security/Kconfig

commit 47c0d285e66e0b6e28d4fa428e080c2a5bae51b3
Merge: 8b34961 a1bc295
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 10 09:56:06 2014 -0400

    Update to pax-linux-3.14.6-test12.patch:
    - backported 'net: fix inet_getid() and ipv6_select_ident() bugs', commit 39c36094d78c39e038c1e499b2364e13bce36f54 upstream
    - backported 'x86_64: expand kernel stack to 16K', commit 6538b8ea886e472f4431db8ca1d60478f838d14b upstream
    - backported 'mm: rmap: fix use-after-free in __put_anon_vma', commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream
    - CPUs are switched to the percpu pgd earlier to support early vmalloc faults (needed for grsecurity's KSTACKOVERFLOW)
    - cleaned up some unnecessary hunks
    - folded RANDUSTACK into RANDMMAP as supporting them separately isn't worth it, reported by Roy Li <rongqing.li@windriver.com>
    - converted some ACCESS_ONCE usage into the correct ACCESS_ONCE_RW
    
    Merge branch 'linux-3.14.y' into pax-test
    
    Conflicts:
    	drivers/cpufreq/intel_pstate.c
    	mm/memory-failure.c

commit 9e87724f22aa5c91e0f564f92bcf47e6e5e1c80f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 5 12:35:51 2014 -0400

    randomize layouts of two futex structs

 kernel/futex.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit 064d5806d5d604f0179d6bba35a9ee38aedc3d36
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon May 12 20:45:35 2014 +0000

    Upstream commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a
    
    futex: Prevent attaching to kernel threads
    
    We happily allow userspace to declare a random kernel thread to be the
    owner of a user space PI futex.
    
    Found while analysing the fallout of Dave Jones syscall fuzzer.
    
    We also should validate the thread group for private futexes and find
    some fast way to validate whether the "alleged" owner has RW access on
    the file which backs the SHM, but that's a separate issue.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Dave Jones <davej@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Darren Hart <darren@dvhart.com>
    Cc: Davidlohr Bueso <davidlohr@hp.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Clark Williams <williams@redhat.com>
    Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
    Cc: Roland McGrath <roland@hack.frob.com>
    Cc: Carlos ODonell <carlos@redhat.com>
    Cc: Jakub Jelinek <jakub@redhat.com>
    Cc: Michael Kerrisk <mtk.manpages@gmail.com>
    Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org

 kernel/futex.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit 9c7b78634a505475c3283b3178220bc97c93ea79
Author: Ursula Braun <ursula.braun@de.ibm.com>
Date:   Tue May 13 14:38:02 2014 +0200

    Upstream commit: f5738e2ef88070ef1372e6e718124d88e9abe4ac
    
    af_iucv: wrong mapping of sent and confirmed skbs
    
    When sending data through IUCV a MESSAGE COMPLETE interrupt
    signals that sent data memory can be freed or reused again.
    With commit f9c41a62bba3f3f7ef3541b2a025e3371bcbba97
    "af_iucv: fix recvmsg by replacing skb_pull() function" the
    MESSAGE COMPLETE callback iucv_callback_txdone() identifies
    the wrong skb as being confirmed, which leads to data corruption.
    This patch fixes the skb mapping logic in iucv_callback_txdone().
    
    Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
    Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/iucv/af_iucv.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 7db9658af6838283b8f765027088b9f2b5d406d9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri May 23 19:37:21 2014 +0300

    Upstream commit: 7df566bbdd0af0785542b89466a937e94257fcfb
    
    qlcnic: info leak in qlcnic_dcb_peer_app_info()
    
    This function is called from dcbnl_build_peer_app().  The "info"
    struct isn't initialized at all so we disclose 2 bytes of uninitialized
    stack data.  We should clear it before passing it to the user.
    
    Fixes: 48365e485275 ('qlcnic: dcb: Add support for CEE Netlink interface.')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit bea241de3bca2bd2d116d7d6fc4d7947333f6c93
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri May 30 11:04:00 2014 -0700

    Upstream commit: 2d7a85f4b06e9c27ff629f07a524c48074f07f81
    
    netlink: Only check file credentials for implicit destinations
    
    It was possible to get a setuid root or setcap executable to write to
    its stdout or stderr (which has been set made a netlink socket) and
    inadvertently reconfigure the networking stack.
    
    To prevent this we check that both the creator of the socket and
    the current application has permission to reconfigure the network
    stack.
    
    Unfortunately this breaks Zebra which always uses sendto/sendmsg
    and creates its socket without any privileges.
    
    To keep Zebra working don't bother checking if the creator of the
    socket has privilege when a destination address is specified.  Instead
    rely exclusively on the privileges of the sender of the socket.
    
    Note from Andy: This is exactly Eric's code except for some comment
    clarifications and formatting fixes.  Neither I nor, I think, anyone
    else is thrilled with this approach, but I'm hesitant to wait on a
    better fix since 3.15 is almost here.
    
    Note to stable maintainers: This is a mess.  An earlier series of
    patches in 3.15 fix a rather serious security issue (CVE-2014-0181),
    but they did so in a way that breaks Zebra.  The offending series
    includes:
    
        commit aa4cf9452f469f16cea8c96283b641b4576d4a7b
        Author: Eric W. Biederman <ebiederm@xmission.com>
        Date:   Wed Apr 23 14:28:03 2014 -0700
    
            net: Add variants of capable for use on netlink messages
    
    If a given kernel version is missing that series of fixes, it's
    probably worth backporting it and this patch.  If that series is
    present, then this fix is critical if you care about Zebra.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/netlink.h  |    7 ++++---
 net/netlink/af_netlink.c |    7 ++++++-
 2 files changed, 10 insertions(+), 4 deletions(-)

commit 93f6913dfd0fc9a7dadfed16d187cb760557567d
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 23 14:28:03 2014 -0700

    Upstream commit: aa4cf9452f469f16cea8c96283b641b4576d4a7b
    
    net: Add variants of capable for use on netlink messages
    
    netlink_net_capable - The common case use, for operations that are safe on a network namespace
    netlink_capable - For operations that are only known to be safe for the global root
    netlink_ns_capable - The general case of capable used to handle special cases
    
    __netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of
    		       the skbuff of a netlink message.
    
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/netlink.h  |    7 +++++
 net/netlink/af_netlink.c |   65 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 0 deletions(-)

commit 83eee88f79157580fe01a244a628f5c39f205eb8
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Apr 23 14:25:48 2014 -0700

    Upstream commit: 5187cd055b6e81fc6526109456f8b20623148d5f
    
    netlink: Rename netlink_capable netlink_allowed
    
    netlink_capable is a static internal function in af_netlink.c and we
    have better uses for the name netlink_capable.
    
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/netlink/af_netlink.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

commit b79e73e3664f6d9fdaa5db1bbb653a584026a64a
Author: Sebastian Ott <sebott@linux.vnet.ibm.com>
Date:   Wed Jun 4 15:58:24 2014 +0200

    Upstream commit: 0c36b390a546055b6815d4b93a2c9fed4d980ffb
    
    percpu-refcount: fix usage of this_cpu_ops
    
    The percpu-refcount infrastructure uses the underscore variants of
    this_cpu_ops in order to modify percpu reference counters.
    (e.g. __this_cpu_inc()).
    
    However the underscore variants do not atomically update the percpu
    variable, instead they may be implemented using read-modify-write
    semantics (more than one instruction).  Therefore it is only safe to
    use the underscore variant if the context is always the same (process,
    softirq, or hardirq). Otherwise it is possible to lose updates.
    
    This problem is something that Sebastian has seen within the aio
    subsystem which uses percpu refcounters both in process and softirq
    context leading to reference counts that never dropped to zero; even
    though the number of "get" and "put" calls matched.
    
    Fix this by using the non-underscore this_cpu_ops variant which
    provides correct per cpu atomic semantics and fixes the corrupted
    reference counts.
    
    Cc: Kent Overstreet <kmo@daterainc.com>
    Cc: <stable@vger.kernel.org> # v3.11+
    Reported-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    References: http://lkml.kernel.org/g/alpine.LFD.2.11.1406041540520.21183@denkbrett

 include/linux/percpu-refcount.h |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit bdd7037701e89d9d9137f6e81336648ad6bb6d90
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Jun 5 11:43:32 2014 -0400

    futex: Make lookup_pi_state more robust
    
    The current implementation of lookup_pi_state has ambiguous handling of
    the TID value 0 in the user space futex. We can get into the kernel
    even if the TID value is 0, because either there is a stale waiters
    bit or the owner died bit is set or we are called from the requeue_pi
    path or from user space just for fun.
    
    The current code avoids an explicit sanity check for pid = 0 in case
    that kernel internal state (waiters) are found for the user space
    address. This can lead to state leakage and worse under some
    circumstances.
    
    Handle the cases explicitly:
    
         Waiter | pi_state | pi->owner | uTID      | uODIED | ?
    
    [1]  NULL   | ---      | ---       | 0         | 0/1    | Valid
    [2]  NULL   | ---      | ---       | >0        | 0/1    | Valid
    
    [3]  Found  | NULL     | --        | Any       | 0/1    | Invalid
    
    [4]  Found  | Found    | NULL      | 0         | 1      | Valid
    [5]  Found  | Found    | NULL      | >0        | 1      | Invalid
    
    [6]  Found  | Found    | task      | 0         | 1      | Valid
    
    [7]  Found  | Found    | NULL      | Any       | 0      | Invalid
    [8]  Found  | Found    | task      | ==taskTID | 0/1    | Valid
    [9]  Found  | Found    | task      | 0         | 0      | Invalid
    [10] Found  | Found    | task      | !=taskTID | 0/1    | Invalid
    
    [1]  Indicates that the kernel can acquire the futex atomically. We
         came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
    
    [2]  Valid, if TID does not belong to a kernel thread. If no matching
         thread is found then it indicates that the owner TID has died.
    
    [3]  Invalid. The waiter is queued on a non PI futex
    
    [4]  Valid state after exit_robust_list(), which sets the user space
         value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
    
    [5]  The user space value got manipulated between exit_robust_list()
         and exit_pi_state_list()
    
    [6]  Valid state after exit_pi_state_list() which sets the new owner in
         the pi_state but cannot access the user space value.
    
    [7]  pi_state->owner can only be NULL when the OWNER_DIED bit is set.
    
    [8]  Owner and user space value match
    
    [9]  There is no transient state which sets the user space TID to 0
         except exit_robust_list(), but this is indicated by the
         FUTEX_OWNER_DIED bit. See [4]
    
    [10] There is no transient state which leaves owner and user space
         TID out of sync.
    
    Backport to 3.13
      conflicts: kernel/futex.c
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: stable@vger.kernel.org

 kernel/futex.c |  123 ++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 106 insertions(+), 17 deletions(-)
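The table in the lookup_pi_state message above, together with the "Prevent attaching to kernel threads" rule from the earlier futex commit, as a userspace model (added example, not the kernel's code; the struct, enum and helper names are assumptions made here). Each row of the table is encoded as a test vector so the verdicts can be checked against the decision logic:

```c
/* Userspace model of the lookup_pi_state sanity checks: added example, not the
 * kernel's code.  Encodes rows [1]..[10] of the table above plus the "owner TID
 * must not be a kernel thread" rule.  Struct and function names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FUTEX_WAITERS    0x80000000u
#define FUTEX_OWNER_DIED 0x40000000u
#define FUTEX_TID_MASK   0x3fffffffu

/* What the kernel finds in its hash bucket for the futex address. */
struct model_waiter {
    bool found;          /* a waiter is queued on this futex          */
    bool has_pi_state;   /* waiter->pi_state != NULL                   */
    bool has_owner;      /* pi_state->owner != NULL                    */
    uint32_t owner_tid;  /* task_pid_vnr(pi_state->owner) if has_owner */
};

enum pi_lookup_result {
    PI_ACQUIRE_ATOMIC,   /* [1]: no kernel state, uTID 0: caller may acquire     */
    PI_ATTACH_TO_OWNER,  /* [2]: no kernel state, attach to the task named by uTID */
    PI_REUSE_STATE,      /* [4]/[6]/[8]: existing pi_state is consistent           */
    PI_INVALID           /* [3]/[5]/[7]/[9]/[10], or uTID is a kernel thread        */
};

static struct model_waiter no_waiter(void)
{
    return (struct model_waiter){ .found = false };
}

static struct model_waiter waiter_without_pi(void)
{
    return (struct model_waiter){ .found = true, .has_pi_state = false };
}

static struct model_waiter waiter_with_pi(bool has_owner, uint32_t owner_tid)
{
    return (struct model_waiter){ .found = true, .has_pi_state = true,
                                  .has_owner = has_owner, .owner_tid = owner_tid };
}

enum pi_lookup_result model_lookup_pi_state(uint32_t uval, struct model_waiter w,
                                            bool tid_is_kthread)
{
    uint32_t pid = uval & FUTEX_TID_MASK;
    bool owner_died = (uval & FUTEX_OWNER_DIED) != 0;

    if (!w.found) {
        if (pid == 0)
            return PI_ACQUIRE_ATOMIC;                            /* [1] */
        return tid_is_kthread ? PI_INVALID : PI_ATTACH_TO_OWNER; /* [2] */
    }
    if (!w.has_pi_state)
        return PI_INVALID;                                       /* [3] */

    if (owner_died) {
        if (!w.has_owner)
            return pid == 0 ? PI_REUSE_STATE : PI_INVALID;       /* [4] / [5] */
        if (pid == 0)
            return PI_REUSE_STATE;                               /* [6] */
    } else if (!w.has_owner) {
        return PI_INVALID;                                       /* [7] */
    }
    /* [8]: owner and user space TID match; [9]/[10]: they do not. */
    return pid == w.owner_tid ? PI_REUSE_STATE : PI_INVALID;
}

/* Walks every row of the table; returns how many rows disagree with the model. */
int table_self_check(void)
{
    const uint32_t died = FUTEX_WAITERS | FUTEX_OWNER_DIED;
    const uint32_t tid = 1234;  /* constructed owner TID */
    struct { uint32_t uval; struct model_waiter w; enum pi_lookup_result want; } rows[] = {
        { FUTEX_WAITERS,        no_waiter(),                PI_ACQUIRE_ATOMIC },  /* [1]  */
        { FUTEX_WAITERS | tid,  no_waiter(),                PI_ATTACH_TO_OWNER }, /* [2]  */
        { FUTEX_WAITERS | tid,  waiter_without_pi(),        PI_INVALID },         /* [3]  */
        { died,                 waiter_with_pi(false, 0),   PI_REUSE_STATE },     /* [4]  */
        { died | tid,           waiter_with_pi(false, 0),   PI_INVALID },         /* [5]  */
        { died,                 waiter_with_pi(true, tid),  PI_REUSE_STATE },     /* [6]  */
        { FUTEX_WAITERS | tid,  waiter_with_pi(false, 0),   PI_INVALID },         /* [7]  */
        { FUTEX_WAITERS | tid,  waiter_with_pi(true, tid),  PI_REUSE_STATE },     /* [8]  */
        { FUTEX_WAITERS,        waiter_with_pi(true, tid),  PI_INVALID },         /* [9]  */
        { FUTEX_WAITERS | 99,   waiter_with_pi(true, tid),  PI_INVALID },         /* [10] */
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        if (model_lookup_pi_state(rows[i].uval, rows[i].w, false) != rows[i].want) {
            printf("row [%zu] disagrees with the model\n", i + 1);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("table rows disagreeing with the model: %d\n", table_self_check());
    /* Row [2] with a kernel thread's TID must be refused. */
    printf("kthread owner refused: %s\n",
           model_lookup_pi_state(FUTEX_WAITERS | 7, no_waiter(), true) == PI_INVALID
               ? "yes" : "no");
    return 0;
}
```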

commit 62fa4abca42b8ac782c4961ee22a2f45e8347f2c
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:07 2014 +0000

    futex: Always cleanup owner tid in unlock_pi
    
    If the owner died bit is set at futex_unlock_pi, we currently do not
    cleanup the user space futex. So the owner TID of the current owner
    (the unlocker) persists. That's observable inconsistent state,
    especially when the ownership of the pi state got transferred.
    
    Clean it up unconditionally.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: Darren Hart <dvhart@linux.intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c |   40 ++++++++++++++++++----------------------
 1 files changed, 18 insertions(+), 22 deletions(-)

commit b3fe7a7c6ce8135784b22649ac41ea26bd560dbc
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:06 2014 +0000

    futex: Validate atomic acquisition in
    
    We need to protect the atomic acquisition in the kernel against rogue
    user space which sets the user space futex to 0, so the kernel side
    acquisition succeeds while there is existing state in the kernel
    associated to the real owner.
    
    Verify whether the futex has waiters associated with kernel state. If
    it has, return -EINVAL. The state is corrupted already, so no point in
    cleaning it up. Subsequent calls will fail as well. Not our problem.
    
    [ tglx: Use futex_top_waiter() and explain why we do not need to try
      	restoring the already corrupted user space state. ]
    
    Signed-off-by: Darren Hart <dvhart@linux.intel.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c |   14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

commit 9353b65389c326aacfe98091f7f67170361a3ea9
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Tue Jun 3 12:27:06 2014 +0000

    futex-prevent-requeue-pi-on-same-futex.patch
    
    If uaddr == uaddr2, then we have broken the rule of only requeueing
    from a non-pi futex to a pi futex with this call. If we attempt this,
    then dangling pointers may be left for rt_waiter resulting in an
    exploitable condition.
    
    This change brings futex_requeue() into line with
    futex_wait_requeue_pi() which performs the same check as per commit
    6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
    
    [ tglx: Compare the resulting keys as well, as uaddrs might be
      	different depending on the mapping ]
    
    Fixes CVE-2014-3153.
    
    Reported-by: Pinkie Pie
    Signed-off-by: Will Drewry <wad@chromium.org>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Brad Spengler <spender@grsecurity.net>

 kernel/futex.c |   25 +++++++++++++++++++++++++
 1 files changed, 25 insertions(+), 0 deletions(-)

commit 5f91521cf6929379a912ebc9ede7957afc8812a3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Jun 3 09:49:01 2014 -0400

    fix compiler warning

 fs/exec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit b64fe5a34976cab207dddd33da55eee75540cc62
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 14:32:40 2014 -0400

    remove now-outdated documentation

 kernel/cred.c |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

commit 8001473542f0384528a6d406d5cc4993800fb87d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 14:15:25 2014 -0400

    compare securebits in addition to ensuring the other threads are running
    with uid 0

 include/linux/cred.h |    1 +
 kernel/cred.c        |   10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

commit eb821bd70f42873600a3697261a43a55afcf1a86
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 13:08:43 2014 -0400

    add documentation

 kernel/cred.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

commit 58493cba34e705f10484dc8bf3e01c146630993e
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 12:57:48 2014 -0400

    Fix a bug with GRKERNSEC_SETXID exhibited by ntpd bailing out when
    being unable to drop privileges.  It drops privileges itself in
    two separate threads, though only one of the threads calls a
    PR_SET_KEEPCAPS which forks off the cred struct.  While it's a little
    silly for ntpd to be doing this (having two threads of different
    privilege with the same shared memory space) we can make GRKERNSEC_SETXID
    compatible by only scheduling a credential change for tasks that share
    a cred struct with the thread that's doing the root -> nonroot setuid
    
    Thanks to strcat for the report

 kernel/cred.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

commit a47afbb7822943c5ede32b4712fa9719db251844
Merge: b34ba4b 8b34961
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 12:24:49 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
    	net/core/filter.c

commit 8b349614897a39ad13e59c448692646916b5ecc6
Merge: 9460d83 0314057
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 12:23:19 2014 -0400

    Update to pax-linux-3.14.5-test10.patch:
    - fixed an off-by-one in the prefault code in access_ok on x86, reported by Roy Li <rongqing.li@windriver.com>
      it'd cause a prefault attempt on address 0 and other unmapped addresses and fail the current syscall
    - updated gcc-common.h
    
    Merge branch 'linux-3.14.y' into pax-test
    
    Conflicts:
    	arch/x86/net/bpf_jit_comp.c

commit b34ba4b6d4489f98b90e583b6016f926b75cfbed
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon Jun 2 06:51:24 2014 -0400

    avoid include hell by moving the stack check to fs/exec.c and passing
    in an extra bool to the function specifying whether the length is const
    or not.  we'll also perform this check regardless of USERCOPY status

 fs/exec.c                   |   17 +++++++++++++++--
 include/linux/thread_info.h |   16 ++--------------
 2 files changed, 17 insertions(+), 16 deletions(-)

commit 4e9db31ff463f509366359d65a25ce48490d0629
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Jun 1 12:43:42 2014 -0400

    We can use an even stricter check on the stack for copy*user as it should
    only ever be called in process context -- this allows us not only to check
    for potential future overflow but actual overflow

 include/linux/thread_info.h |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

commit 52d9aa7e2d501f1d9cf948b1fdb159755073a069
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 28 18:16:00 2014 -0400

    don't force on DEBUG_STACKOVERFLOW as we now have the better STACKLEAK
    improvements and KSTACKOVERFLOW

 security/Kconfig |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit 1c4bf7bd54b098ed27046e41723d594471fec1b4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 27 12:54:48 2014 -0400

    make pax_track_stack BUG() immediately if it notices the stack getting
    too deep -- this will happen separately to its later check that we're
    clearing too much stack on syscall exit

 fs/exec.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 9c30ed737cf129e265c8a19e9dee3ce5b3a0b7ee
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 27 10:40:50 2014 -0400

    Add a new feature for 64-bit kernels to defend against stack overflows
    GRKERNSEC_KSTACKOVERFLOW
    
    Contrary to some naive suggestions on Twitter, it's not just a simple
    process of "adding guard pages" due to how kernel stacks are allocated
    on Linux and the fact that just adding guard pages to that existing
    allocation mechanism would require breaking up large pages, adding a
    large maintenance and performance cost.  Instead we allocate the kernel
    process stacks using vmalloc which provides us with the "guard pages"
    for free, though we only do this on 64-bit architectures (other than Itanium)
    due to the limited space for vmalloc allocations on 32-bit.
    
    We've been working on some other approaches for solving this problem,
    including one that required several advances in GCC plugin analysis, but
    this will exist for now as a stopgap until another approach replaces it.

 arch/x86/kernel/traps.c |    5 +++++
 fs/exec.c               |    1 +
 grsecurity/Kconfig      |   13 +++++++++++++
 include/linux/sched.h   |   19 +++++++++++++++++++
 include/linux/vmalloc.h |    1 +
 kernel/fork.c           |   15 +++++++++++++++
 kernel/sched/core.c     |    8 ++++++--
 mm/vmalloc.c            |    6 ++++++
 8 files changed, 66 insertions(+), 2 deletions(-)

commit 9d960434d84ecce5c80b92bb8e70362ddb31276f
Author: Jens Axboe <axboe@fb.com>
Date:   Thu May 22 11:54:16 2014 -0700

    Upstream commit: 7fcbbaf18392f0b17c95e2f033c8ccf87eecde1d
    
    mm/filemap.c: avoid always dirtying mapping->flags on O_DIRECT
    
    In some testing I ran today (some fio jobs that spread over two nodes),
    we end up spending 40% of the time in filemap_check_errors().  That
    smells fishy.  Looking further, this is basically what happens:
    
    blkdev_aio_read()
        generic_file_aio_read()
            filemap_write_and_wait_range()
                if (!mapping->nr_pages)
                    filemap_check_errors()
    
    and filemap_check_errors() always attempts two test_and_clear_bit() on
    the mapping flags, thus dirtying it for every single invocation.  The
    patch below tests each of these bits before clearing them, avoiding this
    issue.  In my test case (4-socket box), performance went from 1.7M IOPS
    to 4.0M IOPS.
    
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Acked-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/filemap.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit 98e383b2e3f72ddd28dff0a371ae57680effbd16
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 20:19:32 2014 -0400

    update hash table

 .../size_overflow_plugin/size_overflow_hash.data   |  159 +++++++++++++++++---
 1 files changed, 135 insertions(+), 24 deletions(-)

commit a374af73d1d3bcf89a3cbcb13f7d3ad329e89b41
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 16:03:39 2014 -0400

    update hash table

 .../size_overflow_plugin/size_overflow_hash.data   | 1212 ++++++++++++++++++--
 1 files changed, 1141 insertions(+), 71 deletions(-)

commit cac2bc69dfd571246fd9f029c569b8ad4f2d9d16
Author: Anthony Iliopoulos <anthony.iliopoulos@huawei.com>
Date:   Wed May 14 11:29:48 2014 +0200

    Upstream commit: 9844f5462392b53824e8b86726e7c33b5ecbb676
    
    x86, mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow()
    
    The invalidation is required in order to maintain proper semantics
    under CoW conditions. In scenarios where a process clones several
    threads, a thread operating on a core whose DTLB entry for a
    particular hugepage has not been invalidated, will be reading from
    the hugepage that belongs to the forked child process, even after
    hugetlb_cow().
    
    The thread will not see the updated page as long as the stale DTLB
    entry remains cached, the thread attempts to write into the page,
    the child process exits, or the thread gets migrated to a different
    processor.
    
    Signed-off-by: Anthony Iliopoulos <anthony.iliopoulos@huawei.com>
    Link: http://lkml.kernel.org/r/20140514092948.GA17391@server-36.huawei.corp
    Suggested-by: Shay Goikhman <shay.goikhman@huawei.com>
    Acked-by: Dave Hansen <dave.hansen@intel.com>
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: <stable@vger.kernel.org> # v2.6.16+ (!)

 arch/x86/include/asm/hugetlb.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 87b8aa4784d20b7b6a206ab25f8b8a4318a59e77
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed May 14 16:33:54 2014 -0700

    Upstream commit: fa81511bb0bbb2b1aace3695ce869da9762624ff
    
    x86-64, modify_ldt: Make support for 16-bit segments a runtime option
    
    Checkin:
    
    b3b42ac2cbae x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
    
    disabled 16-bit segments on 64-bit kernels due to an information
    leak.  However, it does seem that people are genuinely using Wine to
    run old 16-bit Windows programs on Linux.
    
    A proper fix for this ("espfix64") is coming in the upcoming merge
    window, but as a temporary fix, create a sysctl to allow the
    administrator to re-enable support for 16-bit segments.
    
    It adds a "/proc/sys/abi/ldt16" sysctl that defaults to zero (off). If
    you hit this issue and care about your old Windows program more than
    you care about a kernel stack address information leak, you can do
    
       echo 1 > /proc/sys/abi/ldt16
    
    as root (add it to your startup scripts), and you should be ok.
    
    The sysctl table is only added if you have COMPAT support enabled on
    x86-64, but I assume anybody who runs old Windows binaries very much
    does that ;)
    
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Link: http://lkml.kernel.org/r/CA%2B55aFw9BPoD10U1LfHbOMpHWZkvJTkMcfCs9s3urPr1YyWBxw@mail.gmail.com
    Cc: <stable@vger.kernel.org>

 arch/x86/kernel/ldt.c        |    4 +++-
 arch/x86/vdso/vdso32-setup.c |    8 ++++++++
 2 files changed, 11 insertions(+), 1 deletions(-)

commit ed852d4758cd8351de4f68d0c8a88f209afccef2
Author: Tejun Heo <tj@kernel.org>
Date:   Mon May 19 15:52:10 2014 -0400

    Upstream commit: f5c16f29bf5e57ba4051fc7785ba7f035f798c71
    
    sysfs: make sure read buffer is zeroed
    
    13c589d5b0ac ("sysfs: use seq_file when reading regular files")
    switched sysfs from custom read implementation to seq_file to enable
    later transition to kernfs.  After the change, the buffer passed to
    ->show() is acquired through seq_get_buf(); unfortunately, this
    introduces a subtle behavior change.  Before the commit, the buffer
    passed to ->show() was always zero as it was allocated using
    get_zeroed_page().  Because seq_file doesn't clear buffers on
    allocation and neither does seq_get_buf(), after the commit, depending
    on the behavior of ->show(), we may end up exposing uninitialized data
    to userland thus possibly altering userland visible behavior and
    leaking information.
    
    Fix it by explicitly clearing the buffer.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: Ron <ron@debian.org>
    Fixes: 13c589d5b0ac ("sysfs: use seq_file when reading regular files")
    Cc: stable <stable@vger.kernel.org> # 3.13+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 fs/sysfs/file.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

commit 5165ee753899c8af578eda16e1796b5681ecc757
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 12:11:16 2014 -0400

    fix sysfs infoleak caught by HIDESYM and reported by sandb0y

 mm/slub.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

commit 8c287bcb50bc1a01620bd0a22d3a83c90c3fbb7b
Merge: 6041a88 9460d83
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 12:06:37 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
    	Makefile
    	tools/gcc/size_overflow_plugin/size_overflow_hash.data

commit 9460d836b604ec4db0bec529207c62edb806e352
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 25 12:02:13 2014 -0400

    Update to pax-linux-3.14.4-test9.patch:
    - Emese fixed the handling of more intentional overflows in unsigned/signed casts, reported by minipli
    - updated the mrproper target for the new location of the overflow plugin headers, by minipli
    - updated the size overflow hash database

 Makefile                                           |    5 +-
 .../insert_size_overflow_check_core.c              |    9 +-
 .../size_overflow_plugin/intentional_overflow.c    |  108 ++++++++++-
 tools/gcc/size_overflow_plugin/misc.c              |   23 +++
 .../size_overflow_plugin/remove_unnecessary_dup.c  |   25 +---
 tools/gcc/size_overflow_plugin/size_overflow.h     |    3 +
 .../size_overflow_plugin/size_overflow_hash.data   |  196 +++++++++++++++++++-
 .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
 8 files changed, 328 insertions(+), 43 deletions(-)

commit 6041a88c489343c25b1b98d4c55f9f5ecb47c2e1
Merge: f3afbfa 62fe16f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 14 16:00:06 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit 62fe16fcd604bfa92f665155d1dbc710c0a83861
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed May 14 15:59:33 2014 -0400

    Update to pax-linux-3.14.4-test8.patch:
    - Emese fixed an assert in the size overflow plugin that could trigger while compiling on 32 bit archs, reported by spender

 .../insert_size_overflow_check_core.c              |    2 +-
 .../size_overflow_plugin/remove_unnecessary_dup.c  |   14 ++++++++++----
 .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
 3 files changed, 12 insertions(+), 6 deletions(-)

commit f3afbfacafcf2c52475ac04d165a270fc50f3d8e
Merge: 1106fa2 27ffb5a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 13 20:04:04 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:

commit 27ffb5aaaaea9257cc7e5f26120f24315941b485
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 13 20:00:39 2014 -0400

    Update to pax-linux-3.14.4-test7.patch:
    - forward port to 3.14.4
    - Emese fixed a size overflow bug, reported by minipli

 arch/x86/Makefile                                  |    2 +-
 arch/x86/kernel/paravirt.c                         |    2 +-
 tools/gcc/.gitignore                               |    1 -
 tools/gcc/size_overflow_plugin/.gitignore          |    1 +
 .../insert_size_overflow_asm.c                     |    8 +-
 .../insert_size_overflow_check_core.c              |   10 +++-
 .../size_overflow_plugin/intentional_overflow.c    |   67 ++++++++++++++++++++
 .../size_overflow_plugin/remove_unnecessary_dup.c  |   18 +++--
 tools/gcc/size_overflow_plugin/size_overflow.h     |    7 ++-
 .../size_overflow_plugin/size_overflow_plugin.c    |    2 +-
 10 files changed, 101 insertions(+), 17 deletions(-)

commit 1106fa26fc99a7d683b6e04c95bff3bbbb4a49cb
Merge: c73db0f dab255c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 13 10:26:31 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
    	drivers/tty/n_tty.c

commit dab255c402cfe7c75929e4e7f3b44fb4077b0365
Merge: dbd1f7f 7261684
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 13 10:24:45 2014 -0400

    Merge branch 'linux-3.14.y' into pax-test
    
    Conflicts:
    	arch/x86/Makefile

commit c73db0fc647d04acb96b40b479f60794a56c6b3f
Merge: e1d09b0 dbd1f7f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 12 17:52:08 2014 -0400

    Merge branch 'pax-test' into grsec-test
    
    Conflicts:
    	tools/gcc/Makefile

commit dbd1f7f9ca789dd950683331bcc69a5a09288d12
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 12 17:43:32 2014 -0400

    Update to pax-linux-3.14.3-test7.patch:
    - forward port to 3.14.3
    - removed the no longer necessary mmap_sem locking from binfmt_flat, reported by Lionel Debroux
    - fixed resume on i386/KERNEXEC, reported by vincent (https://forums.grsecurity.net/viewtopic.php?f=3&t=3176)
    - Emese refactored the size overflow plugin and also fixed several integer constant related false positives
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3940
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3942
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3943
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3949
      - https://forums.grsecurity.net/viewtopic.php?f=3&t=3950

 Makefile                                           |    2 +-
 arch/x86/realmode/rm/wakeup_asm.S                  |    5 +-
 fs/binfmt_flat.c                                   |    6 -
 mm/page_alloc.c                                    |    4 +-
 tools/gcc/Makefile                                 |   29 +-
 tools/gcc/generate_size_overflow_hash.sh           |   97 -
 tools/gcc/size_overflow_hash.data                  | 4629 --------------------
 tools/gcc/size_overflow_hash_aux.data              |   92 -
 tools/gcc/size_overflow_plugin.c                   | 4169 ------------------
 tools/gcc/size_overflow_plugin/Makefile            |   20 +
 .../generate_size_overflow_hash.sh                 |  102 +
 .../insert_size_overflow_asm.c                     |  790 ++++
 .../insert_size_overflow_check_core.c              |  889 ++++
 .../insert_size_overflow_check_ipa.c               | 1133 +++++
 .../size_overflow_plugin/intentional_overflow.c    |  568 +++
 tools/gcc/size_overflow_plugin/misc.c              |  180 +
 .../size_overflow_plugin/remove_unnecessary_dup.c  |  151 +
 tools/gcc/size_overflow_plugin/size_overflow.h     |  119 +
 .../gcc/size_overflow_plugin/size_overflow_debug.c |  116 +
 .../size_overflow_plugin/size_overflow_hash.data   | 4629 ++++++++++++++++++++
 .../size_overflow_hash_aux.data                    |   92 +
 .../size_overflow_plugin/size_overflow_plugin.c    |  259 ++
 .../size_overflow_plugin_hash.c                    |  364 ++
 23 files changed, 9426 insertions(+), 9019 deletions(-)

commit e1d09b04917662f6d497d46c63510fc32956c3e4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 11 18:00:35 2014 -0400

    fix compilation on sparc

 drivers/cpufreq/sparc-us3-cpufreq.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit 54e7e93f6d47e1888b7abc97283a74d679a2a97d
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date:   Fri May 9 15:37:00 2014 -0700

    Upstream commit: dd18dbc2d42af75fffa60c77e0f02220bc329829
    
    mm, thp: close race between mremap() and split_huge_page()
    
    It's critical for split_huge_page() (and migration) to catch and freeze
    all PMDs on rmap walk.  It gets tricky if there's concurrent fork() or
    mremap() since usually we copy/move page table entries on dup_mm() or
    move_page_tables() without rmap lock taken.  To get it work we rely on
    rmap walk order to not miss any entry.  We expect to see destination VMA
    after source one to work correctly.
    
    But after switching rmap implementation to interval tree it's not always
    possible to preserve expected walk order.
    
    It works fine for dup_mm() since new VMA has the same vma_start_pgoff()
    / vma_last_pgoff() and explicitly insert dst VMA after src one with
    vma_interval_tree_insert_after().
    
    But on move_vma() destination VMA can be merged into adjacent one and as
    result shifted left in interval tree.  Fortunately, we can detect the
    situation and prevent race with rmap walk by moving page table entries
    under rmap lock.  See commit 38a76013ad80.
    
    Problem is that we miss the lock when we move transhuge PMD.  Most
    likely this bug caused the crash[1].
    
    [1] http://thread.gmane.org/gmane.linux.kernel.mm/96473
    
    Fixes: 108d6642ad81 ("mm anon rmap: remove anon_vma_moveto_tail")
    
    Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Rik van Riel <riel@redhat.com>
    Acked-by: Michel Lespinasse <walken@google.com>
    Cc: Dave Jones <davej@redhat.com>
    Cc: David Miller <davem@davemloft.net>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: <stable@vger.kernel.org>        [3.7+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/mremap.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

commit 36257c0bd2117881be7807c62c942463c78762f2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 11 17:46:20 2014 -0400

    Upstream commit: 28b92e09e25bdc0ae864b22eacf195a74f861389
    
    x86, vdso, time: Cast tv_nsec to u64 for proper shifting in update_vsyscall()
    With tk->wall_to_monotonic.tv_nsec being a 32-bit value on 32-bit
    systems, (tk->wall_to_monotonic.tv_nsec << tk->shift) in update_vsyscall()
    may lose upper bits or, worse, add them since compiler will do this:
    	(u64)(tk->wall_to_monotonic.tv_nsec << tk->shift)
    instead of
    	((u64)tk->wall_to_monotonic.tv_nsec << tk->shift)
    
    So if, for example, tv_nsec is 0x800000 and shift is 8 we will end up
    with 0xffffffff80000000 instead of 0x80000000. And then we are stuck in
    the subsequent 'while' loop.
    
    We need an explicit cast.
    
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Link: http://lkml.kernel.org/r/1399648287-15178-1-git-send-email-boris.ostrovsky@oracle.com
    Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Cc: <stable@vger.kernel.org> # v3.14
    Signed-off-by: H. Peter Anvin <hpa@zytor.com>

 arch/x86/kernel/vsyscall_64.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
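
    Added illustration of the cast-order bug described in the commit above (example code, not the kernel's update_vsyscall()). On a 32-bit kernel tv_nsec is a 32-bit signed long, so int32_t stands in for it here on any host; the function names and the 0x800000 / shift 8 values follow the commit text, and NSEC_PER_SEC is assumed to be the usual 10^9. The normalise_iterations() helper shows why the sign-extended value looks like a hang: the loop in update_vsyscall() that subtracts one second at a time would need ~1.8e10 passes.

```c
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL

/* Buggy form: (u64)(tv_nsec << shift).  The shift happens in 32-bit signed
 * arithmetic, so bits above 31 are lost and, once bit 31 is set, widening to
 * 64 bits sign-extends.  The 32-bit shift is modelled with a well-defined
 * unsigned shift followed by a narrowing conversion, which is what a 32-bit
 * build produces (two's-complement wrap). */
uint64_t shifted_nsec_buggy(int32_t tv_nsec, unsigned shift)
{
    int32_t narrowed = (int32_t)((uint32_t)tv_nsec << shift);
    return (uint64_t)narrowed;          /* sign-extends when bit 31 is set */
}

/* Fixed form: ((u64)tv_nsec << shift).  Widen first, then shift. */
uint64_t shifted_nsec_fixed(int32_t tv_nsec, unsigned shift)
{
    return (uint64_t)tv_nsec << shift;
}

/* The caller normalises nsec with a loop that subtracts NSEC_PER_SEC until
 * nsec < NSEC_PER_SEC.  This returns how many iterations that loop needs. */
uint64_t normalise_iterations(uint64_t nsec)
{
    return nsec / NSEC_PER_SEC;
}

int main(void)
{
    int32_t tv_nsec = 0x800000;   /* values from the commit message */
    unsigned shift = 8;
    uint64_t bad = shifted_nsec_buggy(tv_nsec, shift);
    uint64_t good = shifted_nsec_fixed(tv_nsec, shift);

    printf("buggy: 0x%016llx -> %llu loop iterations\n",
           (unsigned long long)bad, (unsigned long long)normalise_iterations(bad));
    printf("fixed: 0x%016llx -> %llu loop iterations\n",
           (unsigned long long)good, (unsigned long long)normalise_iterations(good));
    return 0;
}
```

    The same hazard applies to any expression of the form (wide)(narrow << n): the cast must be applied to the operand, not the result, or the shift is performed at the operand's width.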

commit 159ee7f30d3d31b83f47be3925c7f9ba0d4e9c80
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Apr 29 13:03:27 2014 -0700

    Upstream commit: 26cf432551d749e7d581db33529507a711c6eaab
    
    sparc64: Add basic validations to {pud,pmd}_bad().
    
    Instead of returning false we should at least check the most basic
    things, otherwise page table corruptions will be very difficult to
    debug.
    
    PMD and PTE tables are of size PAGE_SIZE, so none of the sub-PAGE_SIZE
    bits should be set.
    
    We also complement this with a check that the physical address the
    pud/pmd points to is valid memory.
    
    PowerPC was used as a guide while implementing this.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Conflicts:
    
    	arch/sparc/include/asm/pgtable_64.h

 arch/sparc/include/asm/pgtable_64.h |   46 +++++++++++++++++++++++-----------
 1 files changed, 31 insertions(+), 15 deletions(-)

commit 69d5aea5a39dcb65700e8721f2b64a4cfb71ee76
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Apr 29 12:58:03 2014 -0700

    Upstream commit: ee73887e92a69ae0a5cda21c68ea75a27804c944
    
    sparc64: Fix range check in kern_addr_valid().
    
    In commit b2d438348024b75a1ee8b66b85d77f569a5dfed8 ("sparc64: Make
    PAGE_OFFSET variable."), the MAX_PHYS_ADDRESS_BITS value was increased
    (to 47).
    
    This constant reference to '41UL' was missed.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/include/asm/pgtable_64.h |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit d956411472c3cb4b0d922588074e0c8750246dd9
Author: David S. Miller <davem@davemloft.net>
Date:   Mon Apr 28 23:52:11 2014 -0700

    Upstream commit: 70ffc6ebaead783ac8dafb1e87df0039bb043596
    
    sparc64: Fix top-level fault handling bugs.
    
    Make get_user_insn() able to cope with huge PMDs.
    
    Next, make do_fault_siginfo() more robust when get_user_insn() can't
    actually fetch the instruction.  In particular, use the MMU announced
    fault address when that happens, instead of calling
    compute_effective_address() and computing garbage.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/fault_64.c |   82 +++++++++++++++++++++++++++++-----------------
 1 files changed, 52 insertions(+), 30 deletions(-)

commit cd77d17308b2adf148d34b5778a08f2c630ad299
Author: David S. Miller <davem@davemloft.net>
Date:   Tue Apr 29 13:28:23 2014 -0700

    Upstream commit: fe866433f843b080246ce729b5e6b27b5f5d9a58
    
    sparc64: Give more detailed information in {pgd,pmd}_ERROR() and kill pte_ERROR().
    
    pte_ERROR() is not used anywhere, delete it.
    
    For pgd_ERROR() and pmd_ERROR(), output something similar to x86, giving the address
    of the pgd/pmd as well as its value.
    
    Also provide the caller, since these macros are invoked from pgd_clear_bad() and
    pmd_clear_bad() which provides little context as to what high level operation was
    occurring when the BAD state was detected.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/include/asm/pgtable_64.h |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

commit 37cb28b61a50ae2c5c52308931c2a6539b6e81e5
Author: David S. Miller <davem@davemloft.net>
Date:   Mon Apr 28 23:50:08 2014 -0700

    Upstream commit: d037d16372bbe4d580342bebbb8826821ad9edf0
    
    sparc64: Handle 32-bit tasks properly in compute_effective_address().
    
    If we have a 32-bit task we must chop off the top 32-bits of the
    64-bit value just as the cpu would.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/kernel/unaligned_64.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

commit 10e5b721586e4aa824ed7ae802a22deda77b3383
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 25 10:21:12 2014 -0700

    Upstream commit: 04df419de34104d8818b8c5cffaa062fa36d20ea
    
    sparc64: Fix bugs in get_user_pages_fast() wrt. THP.
    
    The large PMD path needs to check _PAGE_VALID not _PAGE_PRESENT, to
    decide if it needs to bail and return 0.
    
    pmd_large() should therefore just check _PAGE_PMD_HUGE.
    
    Calls to gup_huge_pmd() are guarded with a check of pmd_large(), so we
    just need to add a valid bit check.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/include/asm/pgtable_64.h |    2 +-
 arch/sparc/mm/gup.c                 |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

commit a97c8c954ec2428b69f233ceef737a9f8a2cb8bd
Author: David S. Miller <davem@davemloft.net>
Date:   Thu Apr 24 13:58:02 2014 -0700

    Upstream commit: 51e5ef1bb7ab0e5fa7de4e802da5ab22fe35f0bf
    
    sparc64: Fix huge PMD invalidation.
    
    On sparc64 "present" and "valid" are separate PTE bits, this allows us to
    naturally distinguish between the user explicitly asking for PROT_NONE
    with mprotect() and other situations.
    
    However we weren't handling this properly in the huge PMD paths.
    
    First of all, the page table walker in the TSB miss path only checks
    for _PAGE_PMD_HUGE.  So the generic pmdp_invalidate() would clear
    _PAGE_PRESENT but the TLB miss paths would still load it into the TLB
    as a valid huge PMD.
    
    Fix this by clearing the valid bit in pmdp_invalidate(), and also
    checking the valid bit in USER_PGTABLE_CHECK_PMD_HUGE using "brgez"
    since _PAGE_VALID is bit 63 in both the sun4u and sun4v pte layouts.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/include/asm/pgtable_64.h |   18 ++++--------------
 arch/sparc/include/asm/tsb.h        |    3 ++-
 arch/sparc/mm/tlb.c                 |   11 +++++++++++
 3 files changed, 17 insertions(+), 15 deletions(-)

commit a422426e1fd1de318f37193d530b5bb391545f1c
Author: David S. Miller <davem@davemloft.net>
Date:   Sun Apr 20 21:55:01 2014 -0400

    Upstream commit: 5b1e94fa439a3227beefad58c28c17f68287a8e9
    
    sparc64: Fix executable bit testing in set_pmd_at() paths.
    
    This code was mistakenly using the exec bit from the PMD in all
    cases, even when the PMD isn't a huge PMD.
    
    If it's not a huge PMD, test the exec bit in the individual ptes down
    in tlb_batch_pmd_scan().
    
    Signed-off-by: David S. Miller <davem@davemloft.net>

 arch/sparc/mm/tlb.c |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)

commit 62718f107b55cce3983fc85c14dbdd1d61811804
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 17:31:17 2014 -0400

    fix compilation

 include/linux/thread_info.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit caca44254a6356660d8e7f8e85187dd90a34a903
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 17:24:47 2014 -0400

    force DEBUG_STACKOVERFLOW on on grsec kernels and make it
    trigger the bruteforce logic

 arch/mips/kernel/irq.c    |    4 ++++
 arch/powerpc/kernel/irq.c |    3 +++
 arch/x86/kernel/irq_32.c  |    3 +++
 arch/x86/kernel/irq_64.c  |    4 ++++
 security/Kconfig          |    1 +
 5 files changed, 15 insertions(+), 0 deletions(-)

commit cdba1e7ede26f16ed2cd48b8e906b3e98e23845a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 16:46:48 2014 -0400

    always perform the stack overflow check, not just for non-fixed size copies
    
    Conflicts:
    
    	include/linux/thread_info.h

 fs/exec.c                   |   16 +---------------
 include/linux/thread_info.h |    8 ++++++++
 2 files changed, 9 insertions(+), 15 deletions(-)

commit b729936a95dc6374f463fecb52f95317b7261a1c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 15:52:44 2014 -0400

    improve PAX_USERCOPY on x86 to detect attempted copies when the current
    stack has overflowed

 arch/x86/kernel/dumpstack_32.c |    2 +-
 arch/x86/kernel/dumpstack_64.c |    2 +-
 fs/exec.c                      |   17 ++++++++++++++++-
 3 files changed, 18 insertions(+), 3 deletions(-)

commit 9f9391e854ab1d0617c70411c0a137401bbe7b00
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 15:23:22 2014 -0400

    relax /proc/stat restrictions

 fs/proc/stat.c |   53 ++++++++++++++++++++++++-----------------------------
 1 files changed, 24 insertions(+), 29 deletions(-)

commit 82d874f453c5ed2fbde05b30a545b6fbb3728f4d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 10 14:59:15 2014 -0400

    work around a division by zero in vmstat -a

 fs/proc/stat.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit ded4fcbf3d8e773ec9264082b465749ac325a0a7
Author: John David Anglin <dave.anglin@bell.net>
Date:   Sun Apr 27 16:20:47 2014 -0400

    Upstream commit: e0d8898d76a785453bfaf6cd08b830a7d5189f78
    
    parisc: remove _STK_LIM_MAX override
    
    There are only a couple of architectures that override _STK_LIM_MAX to
    a non-infinity value. This changes the stack allocation semantics in
    subtle ways. For example, GNU make changes its stack allocation to the
    hard maximum defined by _STK_LIM_MAX. As a result, threads executed
    by processes running under make are allocated a stack size of
    _STK_LIM_MAX rather than a sensible default value. This causes various
    thread stress tests to fail when they can't muster more than about 50
    threads.
    
    The attached change implements the default behavior used by the
    majority of architectures.
    
    Signed-off-by: John David Anglin <dave.anglin@bell.net>
    Reviewed-by: Carlos O'Donell <carlos@systemhalted.org>
    Cc: stable@vger.kernel.org # 3.14
    Signed-off-by: Helge Deller <deller@gmx.de>

 arch/parisc/include/uapi/asm/resource.h |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

commit f011c01d537ef5acbdcb0a5a5f7b511881192afd
Author: Leon Yu <chianglungyu@gmail.com>
Date:   Thu May 1 03:31:28 2014 +0000

    Upstream commit: 754320d6e166d3a12cb4810a452bde00afbd4e9a
    
    aio: fix potential leak in aio_run_iocb().
    
    iovec should be reclaimed whenever caller of rw_copy_check_uvector() returns,
    but it doesn't hold when failure happens right after aio_setup_vectored_rw().
    
    Fix that in a such way to avoid hairy goto.
    
    Signed-off-by: Leon Yu <chianglungyu@gmail.com>
    Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: stable@vger.kernel.org

 fs/aio.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

commit 53366a1f1b2587e85e6c67d894d9e6d86b94e8f4
Author: Bjørn Mork <bjorn@mork.no>
Date:   Fri May 2 23:27:00 2014 +0200

    Upstream commit: 9becd707841207652449a8dfd90fe9c476d88546
    
    net: cdc_ncm: fix buffer overflow
    
    Commit 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs
    if we send ZLPs") changed the padding logic for devices with the ZLP
    flag set.  This meant that frames of any size will be sent without
    additional padding, except for the single byte added if the size is
    a multiple of the USB packet size. But if the unpadded size is
    identical to the maximum frame size, and the maximum size is a
    multiple of the USB packet size, then this one-byte padding will
    overflow the buffer.
    
    Prevent padding if already at maximum frame size, letting usbnet
    transmit a ZLP instead in this case.
    
    Fixes: 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs")
    Reported by: Yu-an Shih <yshih@nvidia.com>
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/usb/cdc_ncm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit a3cfbca9cec13b6270a27f1f1aa709e22d73c3d9
Author: Will Woods <wwoods@redhat.com>
Date:   Tue May 6 12:50:10 2014 -0700

    Upstream commit: 9becd707841207652449a8dfd90fe9c476d88546
    
    fanotify: fix -EOVERFLOW with large files on 64-bit
    
    On 64-bit systems, O_LARGEFILE is automatically added to flags inside
    the open() syscall (also openat(), blkdev_open(), etc).  Userspace
    therefore defines O_LARGEFILE to be 0 - you can use it, but it's a
    no-op.  Everything should be O_LARGEFILE by default.
    
    But: when fanotify does create_fd() it uses dentry_open(), which skips
    all that.  And userspace can't set O_LARGEFILE in fanotify_init()
    because it's defined to 0.  So if fanotify gets an event regarding a
    large file, the read() will just fail with -EOVERFLOW.
    
    This patch adds O_LARGEFILE to fanotify_init()'s event_f_flags on 64-bit
    systems, using the same test as open()/openat()/etc.
    
    Addresses https://bugzilla.redhat.com/show_bug.cgi?id=696821
    
    Signed-off-by: Will Woods <wwoods@redhat.com>
    Acked-by: Eric Paris <eparis@redhat.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/notify/fanotify/fanotify_user.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 7f09c21acd29f701c9be8b3b1c0d03c1a5b43cd4
Author: Fabian Frederick <fabf@skynet.be>
Date:   Tue May 6 12:50:11 2014 -0700

    Upstream commit: d353efd02357a74753cd45f367a2d3d357fd6904
    
    fs/affs/super.c: bugfix / double free
    
    Commit 842a859db26b ("affs: use ->kill_sb() to simplify ->put_super()
    and failure exits of ->mount()") adds .kill_sb which frees sbi but
    doesn't remove sbi free in case of parse_options error causing double
    free+random crash.
    
    Signed-off-by: Fabian Frederick <fabf@skynet.be>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: <stable@vger.kernel.org>	[3.14.x]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/affs/super.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

commit cfc1168a8cd5bb3bebbd9477a4ebcd1311db65a2
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat May 3 23:27:00 2014 +0300

    Upstream commit: 3cf0b0311e746a26dcc7c0b5ba0756f61d636a33
    
    agp: info leak in agpioc_info_wrap()
    
    On 64 bit systems the agp_info struct has a 4 byte hole between
    ->agp_mode and ->aper_base.  We need to clear it to avoid disclosing
    stack information to userspace.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

 drivers/char/agp/frontend.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
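
    Added illustration of the padding-hole leak class described in the commit above (example code, not the kernel's agpioc_info_wrap()). struct demo_agp_info is a constructed stand-in with the same field shape (a 32-bit mode word followed by a 64-bit address); the 0xAA sentinel simulates stale stack contents that the struct's padding would inherit. hole_after_agp_mode() reports the hole size from offsetof(), and stale_padding_bytes() shows that assigning every field still leaves the padding untouched unless the object is cleared first, which is the fix the commit applies.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct agp_info, reduced to the
 * fields around the hole.  On LP64 the uint64_t needs 8-byte alignment,
 * so 4 bytes of padding follow agp_mode. */
struct demo_agp_info {
    int32_t  agp_mode;
    uint64_t aper_base;
    size_t   aper_size;
};

/* Size of the padding between agp_mode and aper_base, computed from the
 * layout rather than assumed. */
size_t hole_after_agp_mode(void)
{
    return offsetof(struct demo_agp_info, aper_base)
         - (offsetof(struct demo_agp_info, agp_mode) + sizeof(int32_t));
}

/* Total padding in the struct; equals the hole when there is no tail padding. */
size_t total_padding(void)
{
    return sizeof(struct demo_agp_info)
         - (sizeof(int32_t) + sizeof(uint64_t) + sizeof(size_t));
}

/* Simulate the ioctl pattern: the object occupies memory that previously held
 * other data (0xAA bytes here), every field is assigned, and the whole object
 * is then copied out.  Returns how many bytes would still carry the stale
 * sentinel, i.e. how many bytes of old stack contents would reach userspace. */
size_t stale_padding_bytes(int clear_first)
{
    union {
        struct demo_agp_info info;
        unsigned char raw[sizeof(struct demo_agp_info)];
    } u;

    memset(u.raw, 0xAA, sizeof u.raw);        /* stale stack contents */
    if (clear_first)
        memset(&u.info, 0, sizeof u.info);    /* the fix: clear the whole object */

    /* Constructed sample values; none of their bytes equal the sentinel. */
    u.info.agp_mode  = 0x1f000201;
    u.info.aper_base = 0xd0000000ULL;
    u.info.aper_size = 256;

    size_t leaked = 0;
    for (size_t i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == 0xAA)
            leaked++;
    return leaked;
}
```

    The check generalises: any struct handed to copy_to_user() should either be zeroed as a whole before its fields are filled or be declared with an initialiser that clears it, because member-wise assignment never writes padding.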

commit 4eb22b1780f897edebafc98471a028767d018f68
Author: Matthew Daley <mattd@bugfuzz.com>
Date:   Mon Apr 28 19:05:20 2014 +1200

    Upstream commit: ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
    
    floppy: ignore kernel-only members in FDRAWCMD ioctl input
    
    Always clear out these floppy_raw_cmd struct members after copying the
    entire structure from userspace so that the in-kernel version is always
    valid and never left in an indeterminate state.
    
    Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/block/floppy.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit b029e28a822159e71fc06ee3a38649c457237bab
Author: Matthew Daley <mattd@bugfuzz.com>
Date:   Mon Apr 28 19:05:21 2014 +1200

    Upstream commit: 2145e15e0557a01b9195d1c7199a1b92cb9be81f
    
    floppy: don't write kernel-only members to FDRAWCMD ioctl output
    
    Do not leak kernel-only floppy_raw_cmd structure members to userspace.
    This includes the linked-list pointer and the pointer to the allocated
    DMA space.
    
    Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 drivers/block/floppy.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

commit 00c9338a1d971a976f9e07d2e776d6ae11461995
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 6 21:30:54 2014 -0400

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 603c6c4a5f17df3c20d2e8da3d0e1d6077fdc338
Merge: 4f0228b 60400a27
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 6 17:34:25 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit 60400a27828523dc7ff09bcc24b79937d4e49347
Merge: db5906b 774e1e6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue May 6 17:33:54 2014 -0400

    Merge branch 'linux-3.14.y' into pax-test
    
    Conflicts:
    	arch/arm/mm/Kconfig
    	arch/x86/kernel/ldt.c

commit 4f0228bf02504dc03b8230f0463677e23fdf1978
Author: Brad Spengler <spender@grsecurity.net>
Date:   Mon May 5 18:12:30 2014 -0400

    Backport fix for heap overflow in the tty layer, CVE-2014-0196
    http://bugzillafiles.novell.org/attachment.cgi?id=588355

 drivers/tty/n_tty.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

commit e50ebdb10d55d6596d41088f49f18ca424ed8ae1
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 12:01:01 2014 -0400

    restrict rt_cache

 net/ipv4/route.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 7b203e85d14f2cd81f97803f2f4a2afbc710d5fb
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 11:39:59 2014 -0400

    use ERR_PTR

 fs/proc/generic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 9d24e618f2196fdbb84aea759b8c572066b1c0aa
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 11:37:27 2014 -0400

    compile fix

 fs/proc/generic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit deced968c8b0a931ea8594f3dba9da40575cf7dc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 11:33:57 2014 -0400

    compile fix

 fs/proc/generic.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit a07d8206b2b37c3567069ad1cc4cb244766aaaf0
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 11:32:18 2014 -0400

    compile fix

 fs/proc/generic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 2e194064a4c184dd955418a88805845deb1d78f4
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 11:26:04 2014 -0400

    compile fix

 include/linux/proc_fs.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

commit 6a19db7abd2d2d7390f4ff64c11fb93cea9fc0d3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun May 4 11:21:38 2014 -0400

    forward-port recent change to /proc/net/dev handling

 fs/proc/generic.c                  |   69 ++++++++++++++++++++++++++++++++++-
 fs/proc/internal.h                 |    3 ++
 fs/proc/proc_net.c                 |   20 +++++------
 fs/seq_file.c                      |   22 +++++++++++
 grsecurity/Makefile                |    2 +-
 grsecurity/grsec_proc.c            |   20 ++++++++++
 include/linux/grsecurity.h         |    2 +
 include/linux/proc_fs.h            |    3 +-
 include/linux/seq_file.h           |    2 +
 net/appletalk/atalk_proc.c         |    2 +-
 net/can/bcm.c                      |    2 +-
 net/can/proc.c                     |    2 +-
 net/core/net-procfs.c              |   12 +++++--
 net/core/pktgen.c                  |    2 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c |    2 +-
 net/ipv6/proc.c                    |    2 +-
 net/ipx/ipx_proc.c                 |    2 +-
 net/irda/irproc.c                  |    2 +-
 net/llc/llc_proc.c                 |    2 +-
 net/netfilter/xt_hashlimit.c       |    4 +-
 net/netfilter/xt_recent.c          |    2 +-
 net/sunrpc/cache.c                 |    2 +-
 net/sunrpc/stats.c                 |    2 +-
 net/x25/x25_proc.c                 |    2 +-
 24 files changed, 152 insertions(+), 33 deletions(-)

commit 03781fdb2928a6aad9a65527120612e42e8d897c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat May 3 07:25:19 2014 -0400

    approve the display of the rcu-torture rtc pointer, since it's only printed
    into a temporary kmalloc'd buffer then sent to dmesg via printk().
    Thanks to Jack Suter for the report

 kernel/rcu/torture.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit e6abe3c923a2663c6599a22ef3db0e084ad067bf
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu May 1 17:46:13 2014 -0400

    Fix CVE-2014-1739, upstream vuln in media_enum_entities()
    Author Salva Peiró
    Date April 2014 - Discovery of the vulnerability.
    Impact The vulnerability discloses 200 bytes of kernel process stack.
    Affected Version From linux-2.6.38 to linux-3.15-rc3
    Bug Timespan 3 years: 2011-03-23 to 2014-04-29 commit 1651333b
    
    (Deleted) blog post at: http://speirofr.appspot.com/cve-2014-1739-kernel-infoleak-vulnerability-in-media_enum_entities.html

 drivers/media/media-device.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 1d1e095be5e60f547aa6963be5afd8db7b6f4527
Author: Brad Spengler <spender@grsecurity.net>
Date:   Tue Apr 29 20:23:46 2014 -0400

    update gitignore

 tools/gcc/.gitignore |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit e0a8d627469b275ce581d5b142ef5e2c18464cab
Merge: 0315786 db5906b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 27 08:54:33 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit db5906b69e8ce2b57485cdf9b75c628b94129c79
Merge: 966aa1c 798d3c5
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 27 08:53:57 2014 -0400

    Merge branch 'linux-3.14.y' into pax-test

commit 0315786960600005ba56ac24ac020efc8f698d0f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Apr 16 14:25:16 2014 +0300

    Upstream commit: b7a314054eb55e3745a9409beaa5d8be5cd2d273
    
    isdn: icn: buffer overflow in icn_command()
    
    This buffer overflow was detected using static analysis:
    
    	drivers/isdn/icn/icn.c:1325 icn_command()
    	error: format string overflow. buf_size: 60 length: 98
    
    The calculation for the length of the string is off because it assumes
    that the dial[] buffer holds a 50 character string, but actually it is
    at most 31 characters and NUL.  I have removed the dial[] buffer because
    it isn't needed.
    
    The maximum length of the string is actually 79 characters and a NUL.  I
    have made the cbuf[] array large enough to hold it and changed the
    sprintf() to an snprintf() as a further safety enhancement.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/isdn/icn/icn.c |   11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

commit b0dff0371d218b1a0f94f93684abe16ce56ba384
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Apr 19 10:15:07 2014 -0700

    Upstream commit: 404ca80eb5c2727d78cd517d12108b040c522e12
    
    coredump: fix va_list corruption
    
    A va_list needs to be copied in case it needs to be used twice.
    
    Thanks to Hugh for debugging this issue, leading to various panics.
    
    Tested:
    
      lpq84:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern
    
    'produce_core' is simply : main() { *(int *)0 = 1;}
    
      lpq84:~# ./produce_core
      Segmentation fault (core dumped)
      lpq84:~# dmesg | tail -1
      [  614.352947] Core dump to |/foobar12345 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 (null) pipe failed
    
    Notice the last argument was replaced by a NULL (we were lucky enough to
    not crash, but do not try this on your production machine !)
    
    After fix :
    
      lpq83:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern
      lpq83:~# ./produce_core
      Segmentation fault
      lpq83:~# dmesg | tail -1
      [  740.800441] Core dump to |/foobar12345 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 pipe failed
    
    Fixes: 5fe9d8ca21cc ("coredump: cn_vprintf() has no reason to call vsnprintf() twice")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Diagnosed-by: Hugh Dickins <hughd@google.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: stable@vger.kernel.org # 3.11+
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 fs/coredump.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)
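
    Added illustration of the va_list rule behind the fix above (example code, not the kernel's cn_vprintf()). It is the same two-pass pattern in userspace: vsnprintf() is called once to measure and once to fill, and each pass gets its own va_copy() of the caller's va_list, because a va_list consumed by one vsnprintf() call is indeterminate afterwards. vformat_dup(), format_dup() and formats_to() are names chosen for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a freshly allocated buffer sized from a first measuring pass.
 * 'args' is never handed to vsnprintf() directly; each pass works on a copy. */
char *vformat_dup(const char *fmt, va_list args)
{
    va_list pass;

    /* Pass 1: measure. */
    va_copy(pass, args);
    int need = vsnprintf(NULL, 0, fmt, pass);
    va_end(pass);
    if (need < 0)
        return NULL;

    char *buf = malloc((size_t)need + 1);
    if (!buf)
        return NULL;

    /* Pass 2: fill.  A fresh copy again; reusing the consumed 'pass' here
     * is exactly the corruption the commit fixes. */
    va_copy(pass, args);
    vsnprintf(buf, (size_t)need + 1, fmt, pass);
    va_end(pass);
    return buf;
}

char *format_dup(const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    char *s = vformat_dup(fmt, args);
    va_end(args);
    return s;
}

/* Format, compare against an expected string, free; 1 on match, 0 otherwise. */
int formats_to(const char *expected, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    char *s = vformat_dup(fmt, args);
    va_end(args);
    int ok = (s != NULL) && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    /* Many string arguments, echoing the %h-heavy core_pattern in the
     * commit's test; every one must survive both formatting passes. */
    char *s = format_dup("|/core-helper %s %s %s %s %s %s",
                         "lpq83", "lpq83", "lpq83", "lpq83", "lpq83", "lpq83");
    if (s) {
        printf("%s\n", s);
        free(s);
    }
    return 0;
}
```

    The discipline is the same for any function that forwards a va_list more than once (logging wrappers, buffer-growing formatters): copy per use, va_end() every copy, and never reuse the original after it has been passed down.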

commit d6238568d6f2ffd112bda2a5dcc8b1c055ab5eef
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue Apr 22 13:49:40 2014 -0700

    Upstream commit: 1b17844b29ae042576bea588164f2f1e9590a8bc
    
    mm: make fixup_user_fault() check the vma access rights too
    
    fixup_user_fault() is used by the futex code when the direct user access
    fails, and the futex code wants it to either map in the page in a usable
    form or return an error.  It relied on handle_mm_fault() to map the
    page, and correctly checked the error return from that, but while that
    does map the page, it doesn't actually guarantee that the page will be
    mapped with sufficient permissions to be then accessed.
    
    So do the appropriate tests of the vma access rights by hand.
    
    [ Side note: arguably handle_mm_fault() could just do that itself, but
      we have traditionally done it in the caller, because some callers -
      notably get_user_pages() - have been able to access pages even when
      they are mapped with PROT_NONE.  Maybe we should re-visit that design
      decision, but in the meantime this is the minimal patch. ]
    
    Found by Dave Jones running his trinity tool.
    
    Reported-by: Dave Jones <davej@redhat.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/memory.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

commit c30687b3dc4a23853c179b365d4c5b003f768f80
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 23 20:19:43 2014 -0400

    fix RANDSTRUCT compilation on arm allyesconfig

 drivers/video/sh_mobile_lcdcfb.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 480fa0cf384348cc476b719836bc94bab5b6c2d6
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 23 20:04:53 2014 -0400

    compile fix: we renamed object_is_on_stack to (the more accurate)
    object_starts_on_stack

 drivers/mtd/nand/gpmi-nand/gpmi-nand.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit fd5d587eb3cb7f64bdc925b508dc7ae8e7540684
Merge: 1884701 966aa1c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 23 19:06:10 2014 -0400

    Merge branch 'pax-test' into grsec-test

commit 966aa1c686ea4bff7eac840c8e292a5661059dc8
Author: Brad Spengler <spender@grsecurity.net>
Date:   Wed Apr 23 19:04:54 2014 -0400

    Update to pax-linux-3.14.1-test6.patch:
    - spender fixed various compilation problems on arm, reported by Michael Tremer
    - spender fixed a sparc compile error
    - changed the colorize plugin to be similar to -fdiagnostics-color in gcc 4.9
      - http://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Language-Independent-Options.html
      - by default colorization is off
      - if GCC_COLORS exists in the environment then stderr will be colored if it's a terminal
      - -fplugin-arg-colorize_plugin-color= takes the same arguments as -fdiagnostics-color=
        - e.g., the old behaviour is equivalent to EXTRA_CFLAGS=-fplugin-arg-colorize_plugin-color=always
      - the value of GCC_COLORS isn't parsed yet, the existing colors (red/yellow/blue) are used instead
    - fixed all warnings on the gcc plugins reported by clang
    - fixed a REFCOUNT regression that would instrument code even when REFCOUNT was disabled

 Makefile                           |    2 +-
 arch/arm/include/asm/mach/map.h    |    4 +-
 arch/arm/mm/mmu.c                  |    4 +-
 arch/arm/plat-iop/setup.c          |    2 +-
 arch/sparc/mm/hugetlbpage.c        |    1 +
 arch/x86/include/asm/cmpxchg.h     |    4 ++
 arch/x86/kernel/traps.c            |    4 +-
 drivers/dma/sh/shdma-base.c        |    4 +-
 drivers/gpu/drm/tegra/dsi.c        |    2 +-
 drivers/irqchip/irq-renesas-irqc.c |    2 +-
 drivers/thermal/of-thermal.c       |   13 ++++--
 tools/gcc/colorize_plugin.c        |   77 +++++++++++++++++++++++++++--------
 tools/gcc/constify_plugin.c        |   13 ++++--
 tools/gcc/kallocstat_plugin.c      |    9 ++--
 tools/gcc/kernexec_plugin.c        |   27 +++++++------
 tools/gcc/latent_entropy_plugin.c  |   13 ++++--
 tools/gcc/size_overflow_plugin.c   |   27 +++++++------
 tools/gcc/stackleak_plugin.c       |   18 +++++----
 tools/gcc/structleak_plugin.c      |    9 ++--
 19 files changed, 154 insertions(+), 81 deletions(-)

commit 188470114e75fba3505dcf6722cf65fd04a1a974
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 20 17:00:14 2014 -0400

    fix allmodconfig compilation

 drivers/usb/gadget/f_uac1.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit c960a617471b908413a489019c60a7b644127708
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 20 16:59:15 2014 -0400

    fix allmodconfig compilation

 drivers/usb/gadget/u_uac1.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 72467604afc9007084fffdee0f202d1aaac6a520
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 20 11:16:23 2014 -0400

    sparc64 compile fix

 arch/sparc/mm/hugetlbpage.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

commit 7f349d61ecba290e865667f05cd9d850bc613837
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 20 11:11:53 2014 -0400

    fix compiler warning

 fs/sysfs/dir.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

commit f47412cc933473db618600d465f00e95e3c2f17f
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 20 11:09:18 2014 -0400

    automatically enable KERNEXEC/UDEREF in ARM autoconfig

 security/Kconfig |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

commit b8741437aaf0d01cf65754010948c21d974a8a2c
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sun Apr 20 10:32:19 2014 -0400

    arm compile fixes, reported by Michael Tremer

 arch/arm/include/asm/mach/map.h |    4 ++--
 arch/arm/mm/mmu.c               |    4 +++-
 arch/arm/plat-iop/setup.c       |    2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

commit d3bbc864301cb104276f4436884323ee3fa85ffc
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 19 23:49:07 2014 -0400

    update size_overflow hash table

 tools/gcc/size_overflow_hash.data | 1397 ++++++++++++++++++++++++++++++++++---
 1 files changed, 1316 insertions(+), 81 deletions(-)

commit cd23784e8fa1bfdb94ab996974b55ff393a99d1d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 19 17:56:43 2014 -0400

    update hash table

 tools/gcc/size_overflow_hash.data |   89 ++++++++++++++++++++++++++++++++----
 1 files changed, 79 insertions(+), 10 deletions(-)

commit c690d26a85ddc401b41736fcf3843184b8aa8ce3
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 19 17:27:30 2014 -0400

    compile fix

 fs/sysfs/dir.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

commit 9c2e86fc73a07e339453c37d453c15df5239a81b
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 19 17:21:37 2014 -0400

    compile fix

 fs/sysfs/dir.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit 291020f4909335691022cad5667223cba91b889a
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 19 17:16:53 2014 -0400

    compile fix

 kernel/sched/core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

commit c7ff410e37eefde634fbc08b161cb2588955dd2d
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 19 17:11:30 2014 -0400

    compile fixes

 fs/exec.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

commit 52aeace717f5179e7da8b4bc1a5b8d30dd2a5435
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 19 17:01:32 2014 -0400

    Initial port of grsecurity for Linux 3.14.1

 Documentation/dontdiff                             |    2 +
 Documentation/kernel-parameters.txt                |    4 +
 Makefile                                           |   18 +-
 arch/alpha/include/asm/cache.h                     |    4 +-
 arch/alpha/kernel/osf_sys.c                        |   12 +-
 arch/arm/Kconfig                                   |    1 +
 arch/arm/include/asm/thread_info.h                 |    9 +-
 arch/arm/kernel/process.c                          |    4 +-
 arch/arm/kernel/ptrace.c                           |    9 +
 arch/arm/kernel/traps.c                            |    7 +-
 arch/arm/mm/Kconfig                                |    4 +-
 arch/arm/mm/fault.c                                |   40 +-
 arch/arm/mm/mmap.c                                 |    8 +-
 arch/avr32/include/asm/cache.h                     |    4 +-
 arch/blackfin/include/asm/cache.h                  |    3 +-
 arch/cris/include/arch-v10/arch/cache.h            |    3 +-
 arch/cris/include/arch-v32/arch/cache.h            |    3 +-
 arch/frv/include/asm/cache.h                       |    3 +-
 arch/frv/mm/elf-fdpic.c                            |    4 +-
 arch/hexagon/include/asm/cache.h                   |    6 +-
 arch/ia64/Kconfig                                  |    1 +
 arch/ia64/include/asm/cache.h                      |    3 +-
 arch/ia64/kernel/sys_ia64.c                        |    2 +
 arch/ia64/mm/hugetlbpage.c                         |    2 +
 arch/m32r/include/asm/cache.h                      |    4 +-
 arch/m68k/include/asm/cache.h                      |    4 +-
 arch/metag/mm/hugetlbpage.c                        |    1 +
 arch/microblaze/include/asm/cache.h                |    3 +-
 arch/mips/Kconfig                                  |    1 +
 arch/mips/include/asm/cache.h                      |    3 +-
 arch/mips/include/asm/thread_info.h                |    9 +-
 arch/mips/kernel/ptrace.c                          |    9 +
 arch/mips/mm/mmap.c                                |    4 +-
 arch/mn10300/proc-mn103e010/include/proc/cache.h   |    4 +-
 arch/mn10300/proc-mn2ws0050/include/proc/cache.h   |    4 +-
 arch/openrisc/include/asm/cache.h                  |    4 +-
 arch/parisc/include/asm/cache.h                    |    5 +-
 arch/parisc/kernel/sys_parisc.c                    |    4 +
 arch/powerpc/Kconfig                               |    1 +
 arch/powerpc/include/asm/cache.h                   |    3 +-
 arch/powerpc/include/asm/thread_info.h             |    5 +-
 arch/powerpc/kernel/Makefile                       |    2 +
 arch/powerpc/kernel/process.c                      |   10 +-
 arch/powerpc/kernel/ptrace.c                       |   14 +
 arch/powerpc/kernel/traps.c                        |    5 +
 arch/powerpc/mm/mmap.c                             |    2 +-
 arch/powerpc/mm/slice.c                            |    2 +-
 arch/powerpc/platforms/cell/celleb_scc_pciex.c     |    4 +-
 arch/s390/include/asm/cache.h                      |    4 +-
 arch/score/include/asm/cache.h                     |    4 +-
 arch/sh/include/asm/cache.h                        |    3 +-
 arch/sh/mm/mmap.c                                  |    6 +-
 arch/sparc/include/asm/cache.h                     |    4 +-
 arch/sparc/include/asm/thread_info_64.h            |    9 +-
 arch/sparc/kernel/process_32.c                     |    6 +-
 arch/sparc/kernel/process_64.c                     |    8 +-
 arch/sparc/kernel/ptrace_64.c                      |   14 +
 arch/sparc/kernel/sys_sparc_64.c                   |    8 +-
 arch/sparc/kernel/syscalls.S                       |    8 +-
 arch/sparc/kernel/traps_32.c                       |    8 +-
 arch/sparc/kernel/traps_64.c                       |   28 +-
 arch/sparc/kernel/unaligned_64.c                   |    2 +-
 arch/sparc/mm/fault_64.c                           |    2 +-
 arch/sparc/mm/hugetlbpage.c                        |   15 +-
 arch/tile/Kconfig                                  |    1 +
 arch/tile/include/asm/cache.h                      |    3 +-
 arch/tile/mm/hugetlbpage.c                         |    2 +
 arch/um/include/asm/cache.h                        |    3 +-
 arch/unicore32/include/asm/cache.h                 |    6 +-
 arch/x86/Kconfig                                   |    6 +-
 arch/x86/ia32/ia32_aout.c                          |    2 +
 arch/x86/include/asm/floppy.h                      |   20 +-
 arch/x86/include/asm/paravirt_types.h              |   23 +-
 arch/x86/include/asm/processor.h                   |    2 +-
 arch/x86/include/asm/thread_info.h                 |    8 +-
 arch/x86/kernel/dumpstack.c                        |    8 +
 arch/x86/kernel/entry_32.S                         |    2 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kernel/ioport.c                           |   13 +
 arch/x86/kernel/ldt.c                              |   11 +
 arch/x86/kernel/msr.c                              |   10 +
 arch/x86/kernel/ptrace.c                           |   14 +
 arch/x86/kernel/signal.c                           |    9 +-
 arch/x86/kernel/sys_i386_32.c                      |    9 +-
 arch/x86/kernel/sys_x86_64.c                       |    8 +-
 arch/x86/kernel/verify_cpu.S                       |    1 +
 arch/x86/kernel/vm86_32.c                          |   16 +
 arch/x86/mm/fault.c                                |   12 +-
 arch/x86/mm/hugetlbpage.c                          |   15 +-
 arch/x86/mm/init.c                                 |   66 +-
 arch/x86/mm/init_32.c                              |    6 +-
 arch/x86/net/bpf_jit_comp.c                        |  126 +-
 arch/x86/xen/Kconfig                               |    1 +
 arch/xtensa/variants/dc232b/include/variant/core.h |    2 +-
 arch/xtensa/variants/fsf/include/variant/core.h    |    3 +-
 arch/xtensa/variants/s6000/include/variant/core.h  |    3 +-
 drivers/acpi/acpica/hwxfsleep.c                    |   11 +-
 drivers/acpi/custom_method.c                       |    4 +
 drivers/block/cciss.h                              |   30 +-
 drivers/block/drbd/drbd_interval.c                 |    6 +-
 drivers/block/smart1,2.h                           |   40 +-
 drivers/cdrom/cdrom.c                              |    2 +-
 drivers/char/Kconfig                               |    4 +-
 drivers/char/genrtc.c                              |    1 +
 drivers/char/mem.c                                 |   17 +
 drivers/char/random.c                              |   19 +-
 drivers/firewire/ohci.c                            |    4 +
 drivers/gpu/drm/drm_info.c                         |    4 +
 drivers/gpu/drm/nouveau/nouveau_ttm.c              |   30 +-
 drivers/gpu/drm/ttm/ttm_bo_manager.c               |   10 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c      |   10 +-
 drivers/hid/hid-wiimote-debug.c                    |    2 +-
 drivers/infiniband/hw/ipath/ipath_dma.c            |   26 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   22 +-
 drivers/isdn/gigaset/bas-gigaset.c                 |   32 +-
 drivers/isdn/gigaset/ser-gigaset.c                 |   32 +-
 drivers/isdn/gigaset/usb-gigaset.c                 |   32 +-
 drivers/isdn/i4l/isdn_concap.c                     |    6 +-
 drivers/isdn/i4l/isdn_x25iface.c                   |   16 +-
 drivers/media/radio/radio-cadet.c                  |    2 +-
 drivers/message/fusion/mptbase.c                   |    9 +
 drivers/misc/sgi-xp/xp_main.c                      |   12 +-
 drivers/net/bonding/bond_main.c                    |    1 +
 drivers/net/ethernet/brocade/bna/bna_enet.c        |    8 +-
 drivers/net/phy/mdio-bitbang.c                     |    1 +
 drivers/net/wan/lmc/lmc_media.c                    |   97 +-
 drivers/net/wan/z85230.c                           |   24 +-
 drivers/net/wireless/zd1211rw/zd_usb.c             |    2 +-
 drivers/pci/proc.c                                 |    9 +
 drivers/platform/x86/asus-wmi.c                    |   12 +
 drivers/rtc/rtc-dev.c                              |    3 +
 drivers/scsi/bfa/bfa_fcs.c                         |   19 +-
 drivers/scsi/bfa/bfa_fcs_lport.c                   |   29 +-
 drivers/scsi/bfa/bfa_modules.h                     |   12 +-
 drivers/scsi/hpsa.h                                |   20 +-
 drivers/staging/lustre/lustre/ldlm/ldlm_flock.c    |    2 +-
 drivers/staging/lustre/lustre/libcfs/module.c      |   10 +-
 drivers/staging/lustre/lustre/llite/dir.c          |    2 +-
 drivers/staging/media/solo6x10/solo6x10-g723.c     |    2 +-
 drivers/tty/sysrq.c                                |    2 +-
 drivers/tty/vt/keyboard.c                          |   22 +-
 drivers/uio/uio.c                                  |    6 +-
 drivers/usb/core/hub.c                             |    5 +
 drivers/video/arcfb.c                              |    2 +-
 drivers/video/logo/logo_linux_clut224.ppm          | 2720 ++++++++------------
 drivers/video/matrox/matroxfb_DAC1064.c            |   10 +-
 drivers/video/matrox/matroxfb_Ti3026.c             |    5 +-
 drivers/xen/xenfs/xenstored.c                      |    5 +
 fs/attr.c                                          |    1 +
 fs/autofs4/waitq.c                                 |    9 +
 fs/binfmt_aout.c                                   |    7 +
 fs/binfmt_elf.c                                    |   40 +-
 fs/btrfs/ioctl.c                                   |    6 +-
 fs/compat.c                                        |   20 +-
 fs/coredump.c                                      |   17 +-
 fs/debugfs/inode.c                                 |    4 +
 fs/exec.c                                          |  196 ++-
 fs/ext2/balloc.c                                   |    4 +-
 fs/ext3/balloc.c                                   |    4 +-
 fs/ext4/balloc.c                                   |    4 +-
 fs/fcntl.c                                         |    5 +
 fs/file.c                                          |    4 +
 fs/filesystems.c                                   |    4 +
 fs/fs_struct.c                                     |   13 +-
 fs/hugetlbfs/inode.c                               |    5 +-
 fs/mount.h                                         |    4 +-
 fs/namei.c                                         |  235 ++-
 fs/namespace.c                                     |   24 +
 fs/nfs/nfs4proc.c                                  |   19 +-
 fs/open.c                                          |   38 +
 fs/pipe.c                                          |    2 +-
 fs/posix_acl.c                                     |   15 +-
 fs/proc/Kconfig                                    |   10 +-
 fs/proc/array.c                                    |   59 +-
 fs/proc/base.c                                     |  166 ++-
 fs/proc/cmdline.c                                  |    4 +
 fs/proc/devices.c                                  |    4 +
 fs/proc/fd.c                                       |   17 +-
 fs/proc/inode.c                                    |   17 +
 fs/proc/internal.h                                 |    7 +-
 fs/proc/interrupts.c                               |    4 +
 fs/proc/kcore.c                                    |    3 +
 fs/proc/proc_net.c                                 |   12 +
 fs/proc/proc_sysctl.c                              |   52 +-
 fs/proc/root.c                                     |    8 +
 fs/proc/stat.c                                     |   27 +-
 fs/proc/task_mmu.c                                 |   75 +-
 fs/readdir.c                                       |   19 +
 fs/reiserfs/item_ops.c                             |   24 +-
 fs/select.c                                        |    2 +
 fs/seq_file.c                                      |   12 +-
 fs/stat.c                                          |   20 +-
 fs/sysfs/dir.c                                     |   15 +-
 fs/utimes.c                                        |    7 +
 fs/xattr.c                                         |   38 +-
 grsecurity/Kconfig                                 | 1161 +++++++++
 grsecurity/Makefile                                |   54 +
 grsecurity/gracl.c                                 | 2679 +++++++++++++++++++
 grsecurity/gracl_alloc.c                           |  105 +
 grsecurity/gracl_cap.c                             |  110 +
 grsecurity/gracl_compat.c                          |  270 ++
 grsecurity/gracl_fs.c                              |  437 ++++
 grsecurity/gracl_ip.c                              |  386 +++
 grsecurity/gracl_learn.c                           |  207 ++
 grsecurity/gracl_policy.c                          | 1782 +++++++++++++
 grsecurity/gracl_res.c                             |   68 +
 grsecurity/gracl_segv.c                            |  313 +++
 grsecurity/gracl_shm.c                             |   40 +
 grsecurity/grsec_chdir.c                           |   19 +
 grsecurity/grsec_chroot.c                          |  370 +++
 grsecurity/grsec_disabled.c                        |  433 ++++
 grsecurity/grsec_exec.c                            |  187 ++
 grsecurity/grsec_fifo.c                            |   24 +
 grsecurity/grsec_fork.c                            |   23 +
 grsecurity/grsec_init.c                            |  272 ++
 grsecurity/grsec_ipc.c                             |   48 +
 grsecurity/grsec_link.c                            |   58 +
 grsecurity/grsec_log.c                             |  341 +++
 grsecurity/grsec_mem.c                             |   48 +
 grsecurity/grsec_mount.c                           |   65 +
 grsecurity/grsec_pax.c                             |   45 +
 grsecurity/grsec_ptrace.c                          |   30 +
 grsecurity/grsec_sig.c                             |  236 ++
 grsecurity/grsec_sock.c                            |  244 ++
 grsecurity/grsec_sysctl.c                          |  479 ++++
 grsecurity/grsec_time.c                            |   16 +
 grsecurity/grsec_tpe.c                             |   73 +
 grsecurity/grsec_usb.c                             |   15 +
 grsecurity/grsum.c                                 |   61 +
 include/linux/binfmts.h                            |    5 +-
 include/linux/capability.h                         |    5 +
 include/linux/compiler-gcc4.h                      |    5 +
 include/linux/compiler.h                           |    8 +
 include/linux/cred.h                               |    7 +-
 include/linux/dcache.h                             |    2 +-
 include/linux/fs.h                                 |   24 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fsnotify.h                           |    6 +
 include/linux/gracl.h                              |  340 +++
 include/linux/gracl_compat.h                       |  156 ++
 include/linux/gralloc.h                            |    9 +
 include/linux/grdefs.h                             |  140 +
 include/linux/grinternal.h                         |  229 ++
 include/linux/grmsg.h                              |  116 +
 include/linux/grsecurity.h                         |  246 ++
 include/linux/grsock.h                             |   19 +
 include/linux/ipc_namespace.h                      |    2 +-
 include/linux/kallsyms.h                           |   18 +-
 include/linux/kmod.h                               |    5 +
 include/linux/kobject.h                            |    2 +-
 include/linux/mm.h                                 |    1 +
 include/linux/mm_types.h                           |    4 +-
 include/linux/module.h                             |    4 +-
 include/linux/mount.h                              |    2 +-
 include/linux/netfilter/xt_gradm.h                 |    9 +
 include/linux/path.h                               |    4 +-
 include/linux/perf_event.h                         |   13 +-
 include/linux/pid_namespace.h                      |    2 +-
 include/linux/printk.h                             |    3 +-
 include/linux/proc_fs.h                            |   13 +
 include/linux/proc_ns.h                            |    2 +-
 include/linux/rbtree_augmented.h                   |    4 +-
 include/linux/sched.h                              |   80 +-
 include/linux/security.h                           |    3 +-
 include/linux/seq_file.h                           |    3 +
 include/linux/shm.h                                |    4 +
 include/linux/skbuff.h                             |    3 +
 include/linux/slab.h                               |    9 -
 include/linux/sysctl.h                             |    4 +-
 include/linux/thread_info.h                        |    2 +
 include/linux/tty.h                                |    2 +-
 include/linux/tty_driver.h                         |    4 +-
 include/linux/uidgid.h                             |    5 +
 include/linux/user_namespace.h                     |    2 +-
 include/linux/utsname.h                            |    2 +-
 include/linux/vermagic.h                           |   16 +-
 include/net/af_unix.h                              |    2 +-
 include/net/neighbour.h                            |    3 +-
 include/net/net_namespace.h                        |    2 +-
 include/net/netfilter/nf_conntrack_extend.h        |    4 +-
 include/net/sock.h                                 |    4 +-
 include/trace/events/fs.h                          |   53 +
 include/uapi/linux/personality.h                   |    1 +
 init/Kconfig                                       |    3 +-
 init/main.c                                        |   23 +
 ipc/mqueue.c                                       |    1 +
 ipc/shm.c                                          |   28 +
 ipc/util.c                                         |    6 +
 kernel/capability.c                                |   40 +-
 kernel/cgroup.c                                    |    2 +-
 kernel/compat.c                                    |    1 +
 kernel/configs.c                                   |   11 +
 kernel/cred.c                                      |  110 +-
 kernel/events/core.c                               |   14 +-
 kernel/exit.c                                      |   10 +-
 kernel/fork.c                                      |   24 +-
 kernel/futex.c                                     |    1 +
 kernel/kallsyms.c                                  |    9 +
 kernel/kcmp.c                                      |    4 +
 kernel/kmod.c                                      |   94 +-
 kernel/kprobes.c                                   |    7 +-
 kernel/ksysfs.c                                    |    2 +
 kernel/locking/lockdep_proc.c                      |   10 +-
 kernel/module.c                                    |  106 +-
 kernel/panic.c                                     |    4 +-
 kernel/pid.c                                       |   19 +-
 kernel/pid_namespace.c                             |    4 +-
 kernel/posix-timers.c                              |    8 +
 kernel/power/Kconfig                               |    2 +
 kernel/printk/printk.c                             |    5 +
 kernel/ptrace.c                                    |   20 +-
 kernel/resource.c                                  |   10 +
 kernel/sched/core.c                                |    6 +-
 kernel/signal.c                                    |   37 +-
 kernel/sys.c                                       |   45 +-
 kernel/sysctl.c                                    |   71 +-
 kernel/taskstats.c                                 |    6 +
 kernel/time.c                                      |    5 +
 kernel/time/timekeeping.c                          |    3 +
 kernel/time/timer_list.c                           |   12 +
 kernel/time/timer_stats.c                          |   10 +-
 kernel/user_namespace.c                            |   15 +
 lib/Kconfig.debug                                  |    7 +-
 lib/is_single_threaded.c                           |    3 +
 lib/list_debug.c                                   |   65 +-
 lib/rbtree.c                                       |    4 +-
 lib/vsprintf.c                                     |   31 +
 localversion-grsec                                 |    1 +
 mm/Kconfig                                         |    5 +-
 mm/filemap.c                                       |    1 +
 mm/kmemleak.c                                      |    4 +-
 mm/mempolicy.c                                     |   12 +-
 mm/migrate.c                                       |    3 +-
 mm/mlock.c                                         |    6 +-
 mm/mmap.c                                          |   85 +-
 mm/mprotect.c                                      |    8 +
 mm/process_vm_access.c                             |    6 +
 mm/shmem.c                                         |    2 +-
 mm/slab.c                                          |    2 +-
 mm/slub.c                                          |   14 +-
 mm/vmalloc.c                                       |    4 +
 mm/vmstat.c                                        |   29 +-
 net/atm/lec.c                                      |    6 +-
 net/atm/mpoa_caches.c                              |   42 +-
 net/core/dev_ioctl.c                               |    4 +
 net/core/filter.c                                  |   25 +-
 net/core/neighbour.c                               |    9 +-
 net/core/net-procfs.c                              |    5 +
 net/core/sock_diag.c                               |    7 +
 net/decnet/dn_dev.c                                |    2 +-
 net/ieee802154/dgram.c                             |    3 +-
 net/ipv4/inet_hashtables.c                         |    5 +
 net/ipv4/ip_sockglue.c                             |    3 +-
 net/ipv4/ping.c                                    |   22 +-
 net/ipv4/raw.c                                     |    4 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_ipv4.c                                |   24 +-
 net/ipv4/tcp_minisocks.c                           |    9 +-
 net/ipv4/tcp_timer.c                               |   11 +
 net/ipv4/udp.c                                     |   31 +-
 net/ipv6/raw.c                                     |    4 +-
 net/ipv6/tcp_ipv6.c                                |   23 +-
 net/ipv6/udp.c                                     |   12 +-
 net/l2tp/l2tp_ip.c                                 |    4 +-
 net/netfilter/Kconfig                              |   10 +
 net/netfilter/Makefile                             |    1 +
 net/netfilter/nf_conntrack_core.c                  |    8 +
 net/netfilter/nf_tables_api.c                      |    7 +-
 net/netfilter/xt_gradm.c                           |   51 +
 net/netrom/af_netrom.c                             |    1 -
 net/socket.c                                       |   72 +-
 net/sysctl_net.c                                   |    2 +-
 net/unix/af_unix.c                                 |   31 +-
 net/vmw_vsock/vmci_transport_notify.c              |   30 +-
 net/vmw_vsock/vmci_transport_notify_qstate.c       |   30 +-
 net/x25/sysctl_net_x25.c                           |    2 +-
 scripts/Makefile                                   |    2 +
 security/Kconfig                                   |  349 +++-
 security/apparmor/file.c                           |    4 +-
 security/apparmor/lsm.c                            |    8 +-
 security/commoncap.c                               |   29 +
 security/min_addr.c                                |    2 +
 security/tomoyo/file.c                             |   12 +-
 security/tomoyo/mount.c                            |    4 +
 security/tomoyo/tomoyo.c                           |   22 +-
 security/yama/Kconfig                              |    2 +-
 sound/core/seq/oss/seq_oss.c                       |    4 +-
 sound/core/seq/seq_midi.c                          |    4 +-
 sound/drivers/opl3/opl3_seq.c                      |    4 +-
 sound/drivers/opl4/opl4_seq.c                      |    4 +-
 sound/isa/sb/emu8000_synth.c                       |    4 +-
 sound/pci/emu10k1/emu10k1_synth.c                  |    4 +-
 sound/synth/emux/emux_seq.c                        |   14 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   11 +
 tools/gcc/gen-random-seed.sh                       |    8 +
 tools/gcc/randomize_layout_plugin.c                |  910 +++++++
 virt/kvm/ioapic.c                                  |    2 +-
 398 files changed, 18219 insertions(+), 2583 deletions(-)

commit 6c907241bdb826a89c81080d01b5fa596b8300a2
Author: Brad Spengler <spender@grsecurity.net>
Date:   Sat Apr 19 15:15:29 2014 -0400

    Initial import of pax-linux-3.14.1-test5.patch

 Documentation/dontdiff                             |   47 +-
 Documentation/kernel-parameters.txt                |   23 +
 Makefile                                           |  102 +-
 arch/alpha/include/asm/atomic.h                    |   10 +
 arch/alpha/include/asm/elf.h                       |    7 +
 arch/alpha/include/asm/pgalloc.h                   |    6 +
 arch/alpha/include/asm/pgtable.h                   |   11 +
 arch/alpha/kernel/module.c                         |    2 +-
 arch/alpha/kernel/osf_sys.c                        |    8 +-
 arch/alpha/mm/fault.c                              |  141 +-
 arch/arm/Kconfig                                   |    2 +-
 arch/arm/include/asm/atomic.h                      |  442 ++-
 arch/arm/include/asm/cache.h                       |    5 +-
 arch/arm/include/asm/cacheflush.h                  |    2 +-
 arch/arm/include/asm/checksum.h                    |   14 +-
 arch/arm/include/asm/cmpxchg.h                     |    2 +
 arch/arm/include/asm/domain.h                      |   33 +-
 arch/arm/include/asm/elf.h                         |   13 +-
 arch/arm/include/asm/fncpy.h                       |    2 +
 arch/arm/include/asm/futex.h                       |   10 +
 arch/arm/include/asm/kmap_types.h                  |    2 +-
 arch/arm/include/asm/mach/dma.h                    |    2 +-
 arch/arm/include/asm/mach/map.h                    |   12 +-
 arch/arm/include/asm/outercache.h                  |    2 +-
 arch/arm/include/asm/page.h                        |    3 +-
 arch/arm/include/asm/pgalloc.h                     |   22 +-
 arch/arm/include/asm/pgtable-2level-hwdef.h        |    5 +
 arch/arm/include/asm/pgtable-2level.h              |    3 +
 arch/arm/include/asm/pgtable-3level-hwdef.h        |    1 +
 arch/arm/include/asm/pgtable-3level.h              |    2 +
 arch/arm/include/asm/pgtable.h                     |   54 +-
 arch/arm/include/asm/psci.h                        |    2 +-
 arch/arm/include/asm/smp.h                         |    2 +-
 arch/arm/include/asm/thread_info.h                 |    6 +-
 arch/arm/include/asm/uaccess.h                     |   96 +-
 arch/arm/include/uapi/asm/ptrace.h                 |    2 +-
 arch/arm/kernel/armksyms.c                         |    8 +-
 arch/arm/kernel/entry-armv.S                       |  110 +-
 arch/arm/kernel/entry-common.S                     |   40 +-
 arch/arm/kernel/entry-header.S                     |   60 +
 arch/arm/kernel/fiq.c                              |    3 +
 arch/arm/kernel/head.S                             |    2 +-
 arch/arm/kernel/module.c                           |   31 +-
 arch/arm/kernel/patch.c                            |    2 +
 arch/arm/kernel/process.c                          |   42 +-
 arch/arm/kernel/psci.c                             |    2 +-
 arch/arm/kernel/setup.c                            |   20 +-
 arch/arm/kernel/signal.c                           |   35 +-
 arch/arm/kernel/smp.c                              |    2 +-
 arch/arm/kernel/tcm.c                              |    4 +-
 arch/arm/kernel/traps.c                            |    8 +-
 arch/arm/kernel/vmlinux.lds.S                      |   24 +-
 arch/arm/kvm/arm.c                                 |    8 +-
 arch/arm/lib/clear_user.S                          |    6 +-
 arch/arm/lib/copy_from_user.S                      |    6 +-
 arch/arm/lib/copy_page.S                           |    1 +
 arch/arm/lib/copy_to_user.S                        |    6 +-
 arch/arm/lib/csumpartialcopyuser.S                 |    4 +-
 arch/arm/lib/delay.c                               |    2 +-
 arch/arm/lib/uaccess_with_memcpy.c                 |    4 +-
 arch/arm/mach-at91/setup.c                         |    2 +-
 arch/arm/mach-kirkwood/common.c                    |   19 +-
 arch/arm/mach-omap2/board-n8x0.c                   |    2 +-
 arch/arm/mach-omap2/gpmc.c                         |   22 +-
 arch/arm/mach-omap2/omap-mpuss-lowpower.c          |    4 +-
 arch/arm/mach-omap2/omap-wakeupgen.c               |    2 +-
 arch/arm/mach-omap2/omap_device.c                  |    4 +-
 arch/arm/mach-omap2/omap_device.h                  |    4 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |    4 +-
 arch/arm/mach-omap2/powerdomains43xx_data.c        |    5 +-
 arch/arm/mach-omap2/wd_timer.c                     |    6 +-
 arch/arm/mach-tegra/cpuidle-tegra20.c              |    2 +-
 arch/arm/mach-ux500/setup.h                        |    7 -
 arch/arm/mm/Kconfig                                |    6 +-
 arch/arm/mm/alignment.c                            |    8 +
 arch/arm/mm/cache-l2x0.c                           |    2 +-
 arch/arm/mm/context.c                              |   10 +-
 arch/arm/mm/fault.c                                |  140 +
 arch/arm/mm/fault.h                                |   12 +
 arch/arm/mm/init.c                                 |   41 +
 arch/arm/mm/ioremap.c                              |    4 +-
 arch/arm/mm/mmap.c                                 |   30 +-
 arch/arm/mm/mmu.c                                  |  178 +-
 arch/arm/plat-omap/sram.c                          |    2 +
 arch/arm/plat-samsung/include/plat/dma-ops.h       |    2 +-
 arch/arm64/include/asm/uaccess.h                   |    1 +
 arch/avr32/include/asm/elf.h                       |    8 +-
 arch/avr32/include/asm/kmap_types.h                |    4 +-
 arch/avr32/mm/fault.c                              |   27 +
 arch/frv/include/asm/atomic.h                      |   10 +
 arch/frv/include/asm/kmap_types.h                  |    2 +-
 arch/frv/mm/elf-fdpic.c                            |    3 +-
 arch/ia64/include/asm/atomic.h                     |   10 +
 arch/ia64/include/asm/elf.h                        |    7 +
 arch/ia64/include/asm/pgalloc.h                    |   12 +
 arch/ia64/include/asm/pgtable.h                    |   13 +-
 arch/ia64/include/asm/spinlock.h                   |    2 +-
 arch/ia64/include/asm/uaccess.h                    |   27 +-
 arch/ia64/kernel/module.c                          |   48 +-
 arch/ia64/kernel/palinfo.c                         |    2 +-
 arch/ia64/kernel/sys_ia64.c                        |    7 +
 arch/ia64/kernel/vmlinux.lds.S                     |    2 +-
 arch/ia64/mm/fault.c                               |   32 +-
 arch/ia64/mm/init.c                                |   13 +
 arch/m32r/lib/usercopy.c                           |    6 +
 arch/mips/cavium-octeon/dma-octeon.c               |    2 +-
 arch/mips/include/asm/atomic.h                     |  728 +++-
 arch/mips/include/asm/elf.h                        |   11 +-
 arch/mips/include/asm/exec.h                       |    2 +-
 arch/mips/include/asm/hw_irq.h                     |    2 +-
 arch/mips/include/asm/local.h                      |   57 +
 arch/mips/include/asm/page.h                       |    2 +-
 arch/mips/include/asm/pgalloc.h                    |    5 +
 arch/mips/include/asm/pgtable.h                    |    3 +
 arch/mips/include/asm/smtc_proc.h                  |    2 +-
 arch/mips/include/asm/uaccess.h                    |    1 +
 arch/mips/kernel/binfmt_elfn32.c                   |    7 +
 arch/mips/kernel/binfmt_elfo32.c                   |    7 +
 arch/mips/kernel/i8259.c                           |    2 +-
 arch/mips/kernel/irq-gt641xx.c                     |    2 +-
 arch/mips/kernel/irq.c                             |    6 +-
 arch/mips/kernel/process.c                         |   12 -
 arch/mips/kernel/reset.c                           |    4 +
 arch/mips/kernel/smtc-proc.c                       |    6 +-
 arch/mips/kernel/smtc.c                            |    2 +-
 arch/mips/kernel/sync-r4k.c                        |   24 +-
 arch/mips/kernel/traps.c                           |   13 +-
 arch/mips/mm/fault.c                               |   25 +
 arch/mips/mm/mmap.c                                |   51 +-
 arch/mips/pci/pci-octeon.c                         |    4 +-
 arch/mips/pci/pcie-octeon.c                        |   12 +-
 arch/mips/sgi-ip27/ip27-nmi.c                      |    6 +-
 arch/mips/sni/rm200.c                              |    2 +-
 arch/mips/vr41xx/common/icu.c                      |    2 +-
 arch/mips/vr41xx/common/irq.c                      |    4 +-
 arch/parisc/include/asm/atomic.h                   |   10 +
 arch/parisc/include/asm/elf.h                      |    7 +
 arch/parisc/include/asm/pgalloc.h                  |    6 +
 arch/parisc/include/asm/pgtable.h                  |   11 +
 arch/parisc/include/asm/uaccess.h                  |    4 +-
 arch/parisc/kernel/module.c                        |   50 +-
 arch/parisc/kernel/sys_parisc.c                    |   15 +
 arch/parisc/kernel/traps.c                         |    4 +-
 arch/parisc/mm/fault.c                             |  140 +-
 arch/powerpc/include/asm/atomic.h                  |   10 +
 arch/powerpc/include/asm/elf.h                     |   19 +-
 arch/powerpc/include/asm/exec.h                    |    2 +-
 arch/powerpc/include/asm/kmap_types.h              |    2 +-
 arch/powerpc/include/asm/local.h                   |   15 +
 arch/powerpc/include/asm/mman.h                    |    2 +-
 arch/powerpc/include/asm/page.h                    |    8 +-
 arch/powerpc/include/asm/page_64.h                 |    7 +-
 arch/powerpc/include/asm/pgalloc-64.h              |    7 +
 arch/powerpc/include/asm/pgtable.h                 |    1 +
 arch/powerpc/include/asm/pte-hash32.h              |    1 +
 arch/powerpc/include/asm/reg.h                     |    1 +
 arch/powerpc/include/asm/smp.h                     |    2 +-
 arch/powerpc/include/asm/uaccess.h                 |  141 +-
 arch/powerpc/kernel/exceptions-64e.S               |    4 +-
 arch/powerpc/kernel/exceptions-64s.S               |    2 +-
 arch/powerpc/kernel/module_32.c                    |   15 +-
 arch/powerpc/kernel/process.c                      |   55 -
 arch/powerpc/kernel/signal_32.c                    |    2 +-
 arch/powerpc/kernel/signal_64.c                    |    2 +-
 arch/powerpc/kernel/vdso.c                         |    5 +-
 arch/powerpc/kvm/powerpc.c                         |    2 +-
 arch/powerpc/lib/usercopy_64.c                     |   18 -
 arch/powerpc/mm/fault.c                            |   54 +-
 arch/powerpc/mm/mmap.c                             |   22 +-
 arch/powerpc/mm/slice.c                            |   13 +-
 arch/powerpc/platforms/cell/spufs/file.c           |    4 +-
 arch/s390/include/asm/atomic.h                     |   10 +
 arch/s390/include/asm/elf.h                        |   13 +-
 arch/s390/include/asm/exec.h                       |    2 +-
 arch/s390/include/asm/uaccess.h                    |   16 +-
 arch/s390/kernel/module.c                          |   22 +-
 arch/s390/kernel/process.c                         |   34 -
 arch/s390/mm/mmap.c                                |   24 +
 arch/score/include/asm/exec.h                      |    2 +-
 arch/score/kernel/process.c                        |    5 -
 arch/sh/mm/mmap.c                                  |   22 +-
 arch/sparc/include/asm/atomic_64.h                 |  106 +-
 arch/sparc/include/asm/cache.h                     |    2 +-
 arch/sparc/include/asm/elf_32.h                    |    7 +
 arch/sparc/include/asm/elf_64.h                    |    7 +
 arch/sparc/include/asm/pgalloc_32.h                |    1 +
 arch/sparc/include/asm/pgalloc_64.h                |    1 +
 arch/sparc/include/asm/pgtable.h                   |    4 +
 arch/sparc/include/asm/pgtable_32.h                |   15 +-
 arch/sparc/include/asm/pgtsrmmu.h                  |    5 +
 arch/sparc/include/asm/spinlock_64.h               |   35 +-
 arch/sparc/include/asm/thread_info_32.h            |    2 +
 arch/sparc/include/asm/thread_info_64.h            |    2 +
 arch/sparc/include/asm/uaccess.h                   |    1 +
 arch/sparc/include/asm/uaccess_32.h                |   27 +-
 arch/sparc/include/asm/uaccess_64.h                |   19 +-
 arch/sparc/kernel/Makefile                         |    2 +-
 arch/sparc/kernel/prom_common.c                    |    2 +-
 arch/sparc/kernel/smp_64.c                         |   12 +-
 arch/sparc/kernel/sys_sparc_32.c                   |    2 +-
 arch/sparc/kernel/sys_sparc_64.c                   |   52 +-
 arch/sparc/kernel/traps_64.c                       |   27 +-
 arch/sparc/lib/Makefile                            |    2 +-
 arch/sparc/lib/atomic_64.S                         |  136 +-
 arch/sparc/lib/ksyms.c                             |    6 +
 arch/sparc/mm/Makefile                             |    2 +-
 arch/sparc/mm/fault_32.c                           |  292 ++
 arch/sparc/mm/fault_64.c                           |  486 ++
 arch/sparc/mm/hugetlbpage.c                        |   21 +-
 arch/sparc/mm/init_64.c                            |   10 +-
 arch/tile/include/asm/atomic_64.h                  |   10 +
 arch/tile/include/asm/uaccess.h                    |    4 +-
 arch/um/Makefile                                   |    4 +
 arch/um/include/asm/kmap_types.h                   |    2 +-
 arch/um/include/asm/page.h                         |    3 +
 arch/um/include/asm/pgtable-3level.h               |    1 +
 arch/um/kernel/process.c                           |   16 -
 arch/x86/Kconfig                                   |   13 +-
 arch/x86/Kconfig.cpu                               |    6 +-
 arch/x86/Kconfig.debug                             |    4 +-
 arch/x86/Makefile                                  |   16 +-
 arch/x86/boot/Makefile                             |    3 +
 arch/x86/boot/bitops.h                             |    4 +-
 arch/x86/boot/boot.h                               |    4 +-
 arch/x86/boot/compressed/Makefile                  |    3 +
 arch/x86/boot/compressed/efi_stub_32.S             |   16 +-
 arch/x86/boot/compressed/head_32.S                 |    4 +-
 arch/x86/boot/compressed/head_64.S                 |   12 +-
 arch/x86/boot/compressed/misc.c                    |   13 +-
 arch/x86/boot/cpucheck.c                           |   16 +-
 arch/x86/boot/header.S                             |    6 +-
 arch/x86/boot/memory.c                             |    2 +-
 arch/x86/boot/video-vesa.c                         |    1 +
 arch/x86/boot/video.c                              |    2 +-
 arch/x86/crypto/aes-x86_64-asm_64.S                |    4 +
 arch/x86/crypto/aesni-intel_asm.S                  |  106 +-
 arch/x86/crypto/blowfish-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/camellia-aesni-avx-asm_64.S        |   10 +
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S       |   10 +
 arch/x86/crypto/camellia-x86_64-asm_64.S           |    7 +
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S          |   51 +-
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S          |   25 +-
 arch/x86/crypto/crc32c-pcl-intel-asm_64.S          |    2 +
 arch/x86/crypto/ghash-clmulni-intel_asm.S          |    4 +
 arch/x86/crypto/salsa20-x86_64-asm_64.S            |    4 +
 arch/x86/crypto/serpent-avx-x86_64-asm_64.S        |    9 +
 arch/x86/crypto/serpent-avx2-asm_64.S              |    9 +
 arch/x86/crypto/serpent-sse2-x86_64-asm_64.S       |    4 +
 arch/x86/crypto/sha1_ssse3_asm.S                   |   10 +-
 arch/x86/crypto/sha256-avx-asm.S                   |    2 +
 arch/x86/crypto/sha256-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha256-ssse3-asm.S                 |    2 +
 arch/x86/crypto/sha512-avx-asm.S                   |    2 +
 arch/x86/crypto/sha512-avx2-asm.S                  |    2 +
 arch/x86/crypto/sha512-ssse3-asm.S                 |    2 +
 arch/x86/crypto/twofish-avx-x86_64-asm_64.S        |   25 +-
 arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |    4 +
 arch/x86/crypto/twofish-x86_64-asm_64.S            |    3 +
 arch/x86/ia32/ia32_signal.c                        |   18 +-
 arch/x86/ia32/ia32entry.S                          |  173 +-
 arch/x86/ia32/sys_ia32.c                           |    4 +-
 arch/x86/include/asm/alternative-asm.h             |   39 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/apic.h                        |    2 +-
 arch/x86/include/asm/apm.h                         |    4 +-
 arch/x86/include/asm/atomic.h                      |  269 ++-
 arch/x86/include/asm/atomic64_32.h                 |  100 +
 arch/x86/include/asm/atomic64_64.h                 |  166 +-
 arch/x86/include/asm/bitops.h                      |   18 +-
 arch/x86/include/asm/boot.h                        |    7 +-
 arch/x86/include/asm/cache.h                       |    5 +-
 arch/x86/include/asm/cacheflush.h                  |    2 +-
 arch/x86/include/asm/calling.h                     |  118 +-
 arch/x86/include/asm/checksum_32.h                 |   12 +-
 arch/x86/include/asm/cmpxchg.h                     |   35 +
 arch/x86/include/asm/compat.h                      |    2 +-
 arch/x86/include/asm/cpufeature.h                  |   16 +-
 arch/x86/include/asm/desc.h                        |   78 +-
 arch/x86/include/asm/desc_defs.h                   |    6 +
 arch/x86/include/asm/div64.h                       |    2 +-
 arch/x86/include/asm/elf.h                         |   31 +-
 arch/x86/include/asm/emergency-restart.h           |    2 +-
 arch/x86/include/asm/fpu-internal.h                |    8 +-
 arch/x86/include/asm/futex.h                       |   14 +-
 arch/x86/include/asm/hw_irq.h                      |    4 +-
 arch/x86/include/asm/i8259.h                       |    2 +-
 arch/x86/include/asm/io.h                          |   21 +-
 arch/x86/include/asm/irqflags.h                    |    5 +
 arch/x86/include/asm/kprobes.h                     |    9 +-
 arch/x86/include/asm/local.h                       |  106 +-
 arch/x86/include/asm/mman.h                        |   15 +
 arch/x86/include/asm/mmu.h                         |   16 +-
 arch/x86/include/asm/mmu_context.h                 |  136 +-
 arch/x86/include/asm/module.h                      |   17 +-
 arch/x86/include/asm/nmi.h                         |    6 +-
 arch/x86/include/asm/page.h                        |    1 +
 arch/x86/include/asm/page_64.h                     |    4 +-
 arch/x86/include/asm/paravirt.h                    |   46 +-
 arch/x86/include/asm/paravirt_types.h              |   15 +-
 arch/x86/include/asm/pgalloc.h                     |   23 +
 arch/x86/include/asm/pgtable-2level.h              |    2 +
 arch/x86/include/asm/pgtable-3level.h              |    4 +
 arch/x86/include/asm/pgtable.h                     |  124 +-
 arch/x86/include/asm/pgtable_32.h                  |   14 +-
 arch/x86/include/asm/pgtable_32_types.h            |   15 +-
 arch/x86/include/asm/pgtable_64.h                  |   19 +-
 arch/x86/include/asm/pgtable_64_types.h            |    5 +
 arch/x86/include/asm/pgtable_types.h               |   36 +-
 arch/x86/include/asm/preempt.h                     |    2 +-
 arch/x86/include/asm/processor.h                   |   79 +-
 arch/x86/include/asm/ptrace.h                      |   26 +-
 arch/x86/include/asm/realmode.h                    |    4 +-
 arch/x86/include/asm/reboot.h                      |   10 +-
 arch/x86/include/asm/rmwcc.h                       |   84 +-
 arch/x86/include/asm/rwsem.h                       |   60 +-
 arch/x86/include/asm/segment.h                     |   29 +-
 arch/x86/include/asm/smap.h                        |   64 +-
 arch/x86/include/asm/smp.h                         |   14 +-
 arch/x86/include/asm/spinlock.h                    |   36 +-
 arch/x86/include/asm/stackprotector.h              |    4 +-
 arch/x86/include/asm/stacktrace.h                  |   32 +-
 arch/x86/include/asm/switch_to.h                   |    4 +-
 arch/x86/include/asm/thread_info.h                 |   82 +-
 arch/x86/include/asm/tlbflush.h                    |   73 +-
 arch/x86/include/asm/uaccess.h                     |  180 +-
 arch/x86/include/asm/uaccess_32.h                  |   24 +-
 arch/x86/include/asm/uaccess_64.h                  |  173 +-
 arch/x86/include/asm/word-at-a-time.h              |    2 +-
 arch/x86/include/asm/x86_init.h                    |   10 +-
 arch/x86/include/asm/xen/page.h                    |    2 +-
 arch/x86/include/asm/xsave.h                       |   14 +-
 arch/x86/include/uapi/asm/e820.h                   |    2 +-
 arch/x86/include/uapi/asm/ptrace-abi.h             |    1 -
 arch/x86/kernel/Makefile                           |    2 +-
 arch/x86/kernel/acpi/boot.c                        |    4 +-
 arch/x86/kernel/acpi/sleep.c                       |    4 +
 arch/x86/kernel/acpi/wakeup_32.S                   |    6 +-
 arch/x86/kernel/alternative.c                      |   69 +-
 arch/x86/kernel/apic/apic.c                        |    4 +-
 arch/x86/kernel/apic/apic_flat_64.c                |    4 +-
 arch/x86/kernel/apic/apic_noop.c                   |    2 +-
 arch/x86/kernel/apic/bigsmp_32.c                   |    2 +-
 arch/x86/kernel/apic/es7000_32.c                   |    5 +-
 arch/x86/kernel/apic/io_apic.c                     |    8 +-
 arch/x86/kernel/apic/numaq_32.c                    |    3 +-
 arch/x86/kernel/apic/probe_32.c                    |    2 +-
 arch/x86/kernel/apic/summit_32.c                   |    2 +-
 arch/x86/kernel/apic/x2apic_cluster.c              |    4 +-
 arch/x86/kernel/apic/x2apic_phys.c                 |    2 +-
 arch/x86/kernel/apic/x2apic_uv_x.c                 |    2 +-
 arch/x86/kernel/apm_32.c                           |   19 +-
 arch/x86/kernel/asm-offsets.c                      |   20 +
 arch/x86/kernel/asm-offsets_64.c                   |    1 +
 arch/x86/kernel/cpu/Makefile                       |    4 -
 arch/x86/kernel/cpu/amd.c                          |    2 +-
 arch/x86/kernel/cpu/common.c                       |  132 +-
 arch/x86/kernel/cpu/intel_cacheinfo.c              |   48 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |   31 +-
 arch/x86/kernel/cpu/mcheck/p5.c                    |    3 +
 arch/x86/kernel/cpu/mcheck/winchip.c               |    3 +
 arch/x86/kernel/cpu/microcode/core.c               |    2 +-
 arch/x86/kernel/cpu/microcode/intel.c              |    4 +-
 arch/x86/kernel/cpu/mtrr/main.c                    |    2 +-
 arch/x86/kernel/cpu/mtrr/mtrr.h                    |    2 +-
 arch/x86/kernel/cpu/perf_event.c                   |    8 +-
 arch/x86/kernel/cpu/perf_event_amd_iommu.c         |    2 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |    6 +-
 arch/x86/kernel/cpu/perf_event_intel_rapl.c        |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.c      |    2 +-
 arch/x86/kernel/cpu/perf_event_intel_uncore.h      |    2 +-
 arch/x86/kernel/cpuid.c                            |    2 +-
 arch/x86/kernel/crash.c                            |    4 +-
 arch/x86/kernel/crash_dump_64.c                    |    2 +-
 arch/x86/kernel/doublefault.c                      |    8 +-
 arch/x86/kernel/dumpstack.c                        |   30 +-
 arch/x86/kernel/dumpstack_32.c                     |   34 +-
 arch/x86/kernel/dumpstack_64.c                     |   61 +-
 arch/x86/kernel/e820.c                             |    4 +-
 arch/x86/kernel/early_printk.c                     |    1 +
 arch/x86/kernel/entry_32.S                         |  356 ++-
 arch/x86/kernel/entry_64.S                         |  742 +++-
 arch/x86/kernel/ftrace.c                           |   10 +-
 arch/x86/kernel/head64.c                           |   13 +-
 arch/x86/kernel/head_32.S                          |  228 +-
 arch/x86/kernel/head_64.S                          |  138 +-
 arch/x86/kernel/i386_ksyms_32.c                    |   12 +
 arch/x86/kernel/i387.c                             |    2 +-
 arch/x86/kernel/i8259.c                            |   10 +-
 arch/x86/kernel/io_delay.c                         |    2 +-
 arch/x86/kernel/ioport.c                           |    2 +-
 arch/x86/kernel/irq.c                              |    8 +-
 arch/x86/kernel/irq_32.c                           |   67 +-
 arch/x86/kernel/irq_64.c                           |    2 +-
 arch/x86/kernel/jump_label.c                       |    8 +-
 arch/x86/kernel/kgdb.c                             |   25 +-
 arch/x86/kernel/kprobes/core.c                     |   30 +-
 arch/x86/kernel/kprobes/opt.c                      |   16 +-
 arch/x86/kernel/ksysfs.c                           |    2 +-
 arch/x86/kernel/ldt.c                              |   31 +-
 arch/x86/kernel/machine_kexec_32.c                 |    6 +-
 arch/x86/kernel/module.c                           |   76 +-
 arch/x86/kernel/msr.c                              |    2 +-
 arch/x86/kernel/nmi.c                              |   19 +-
 arch/x86/kernel/nmi_selftest.c                     |    4 +-
 arch/x86/kernel/paravirt-spinlocks.c               |    2 +-
 arch/x86/kernel/paravirt.c                         |   43 +-
 arch/x86/kernel/pci-calgary_64.c                   |    2 +-
 arch/x86/kernel/pci-iommu_table.c                  |    2 +-
 arch/x86/kernel/pci-swiotlb.c                      |    2 +-
 arch/x86/kernel/preempt.S                          |    3 +
 arch/x86/kernel/process.c                          |   55 +-
 arch/x86/kernel/process_32.c                       |   29 +-
 arch/x86/kernel/process_64.c                       |   20 +-
 arch/x86/kernel/ptrace.c                           |   25 +-
 arch/x86/kernel/pvclock.c                          |    8 +-
 arch/x86/kernel/reboot.c                           |   42 +-
 arch/x86/kernel/reboot_fixups_32.c                 |    2 +-
 arch/x86/kernel/relocate_kernel_64.S               |    3 +-
 arch/x86/kernel/setup.c                            |   63 +-
 arch/x86/kernel/setup_percpu.c                     |   29 +-
 arch/x86/kernel/signal.c                           |   15 +-
 arch/x86/kernel/smp.c                              |    2 +-
 arch/x86/kernel/smpboot.c                          |   30 +-
 arch/x86/kernel/step.c                             |   10 +-
 arch/x86/kernel/sys_i386_32.c                      |  184 +
 arch/x86/kernel/sys_x86_64.c                       |   22 +-
 arch/x86/kernel/tboot.c                            |   12 +-
 arch/x86/kernel/time.c                             |   10 +-
 arch/x86/kernel/tls.c                              |    7 +-
 arch/x86/kernel/tracepoint.c                       |    4 +-
 arch/x86/kernel/traps.c                            |   62 +-
 arch/x86/kernel/tsc.c                              |    2 +-
 arch/x86/kernel/uprobes.c                          |    4 +-
 arch/x86/kernel/vm86_32.c                          |    6 +-
 arch/x86/kernel/vmlinux.lds.S                      |  147 +-
 arch/x86/kernel/vsyscall_64.c                      |   12 +-
 arch/x86/kernel/x8664_ksyms_64.c                   |    6 +-
 arch/x86/kernel/x86_init.c                         |    6 +-
 arch/x86/kernel/xsave.c                            |   10 +-
 arch/x86/kvm/cpuid.c                               |   21 +-
 arch/x86/kvm/lapic.c                               |    2 +-
 arch/x86/kvm/paging_tmpl.h                         |    2 +-
 arch/x86/kvm/svm.c                                 |    8 +
 arch/x86/kvm/vmx.c                                 |   63 +-
 arch/x86/kvm/x86.c                                 |    8 +-
 arch/x86/lguest/boot.c                             |    3 +-
 arch/x86/lib/atomic64_386_32.S                     |  164 +
 arch/x86/lib/atomic64_cx8_32.S                     |  103 +-
 arch/x86/lib/checksum_32.S                         |  100 +-
 arch/x86/lib/clear_page_64.S                       |    5 +-
 arch/x86/lib/cmpxchg16b_emu.S                      |    2 +
 arch/x86/lib/copy_page_64.S                        |   20 +-
 arch/x86/lib/copy_user_64.S                        |   81 +-
 arch/x86/lib/copy_user_nocache_64.S                |   14 +
 arch/x86/lib/csum-copy_64.S                        |   18 +-
 arch/x86/lib/csum-wrappers_64.c                    |    8 +-
 arch/x86/lib/getuser.S                             |   74 +-
 arch/x86/lib/insn.c                                |    6 +-
 arch/x86/lib/iomap_copy_64.S                       |    2 +
 arch/x86/lib/memcpy_64.S                           |   10 +-
 arch/x86/lib/memmove_64.S                          |    4 +-
 arch/x86/lib/memset_64.S                           |    7 +-
 arch/x86/lib/mmx_32.c                              |  243 +-
 arch/x86/lib/msr-reg.S                             |    2 +
 arch/x86/lib/putuser.S                             |   90 +-
 arch/x86/lib/rwlock.S                              |   42 +
 arch/x86/lib/rwsem.S                               |    6 +-
 arch/x86/lib/thunk_64.S                            |   12 +-
 arch/x86/lib/usercopy_32.c                         |  357 +-
 arch/x86/lib/usercopy_64.c                         |   18 +-
 arch/x86/mm/Makefile                               |    4 +
 arch/x86/mm/extable.c                              |   25 +-
 arch/x86/mm/fault.c                                |  564 +++-
 arch/x86/mm/gup.c                                  |    6 +-
 arch/x86/mm/highmem_32.c                           |    4 +
 arch/x86/mm/hugetlbpage.c                          |   24 +-
 arch/x86/mm/init.c                                 |  101 +-
 arch/x86/mm/init_32.c                              |  111 +-
 arch/x86/mm/init_64.c                              |   45 +-
 arch/x86/mm/iomap_32.c                             |    4 +
 arch/x86/mm/ioremap.c                              |   15 +-
 arch/x86/mm/kmemcheck/kmemcheck.c                  |    4 +-
 arch/x86/mm/mmap.c                                 |   36 +-
 arch/x86/mm/mmio-mod.c                             |   10 +-
 arch/x86/mm/numa.c                                 |    2 +-
 arch/x86/mm/pageattr-test.c                        |    2 +-
 arch/x86/mm/pageattr.c                             |   33 +-
 arch/x86/mm/pat.c                                  |   12 +-
 arch/x86/mm/pat_rbtree.c                           |    2 +-
 arch/x86/mm/pf_in.c                                |   10 +-
 arch/x86/mm/pgtable.c                              |  151 +-
 arch/x86/mm/pgtable_32.c                           |    3 +
 arch/x86/mm/physaddr.c                             |    4 +-
 arch/x86/mm/setup_nx.c                             |    7 +
 arch/x86/mm/tlb.c                                  |    4 +
 arch/x86/mm/uderef_64.c                            |   37 +
 arch/x86/net/bpf_jit.S                             |   14 +
 arch/x86/net/bpf_jit_comp.c                        |   38 +-
 arch/x86/oprofile/backtrace.c                      |    8 +-
 arch/x86/oprofile/nmi_int.c                        |    8 +-
 arch/x86/oprofile/op_model_amd.c                   |    8 +-
 arch/x86/oprofile/op_model_ppro.c                  |    7 +-
 arch/x86/oprofile/op_x86_model.h                   |    2 +-
 arch/x86/pci/intel_mid_pci.c                       |    2 +-
 arch/x86/pci/irq.c                                 |    8 +-
 arch/x86/pci/pcbios.c                              |  144 +-
 arch/x86/platform/efi/efi_32.c                     |   24 +
 arch/x86/platform/efi/efi_64.c                     |   10 +
 arch/x86/platform/efi/efi_stub_32.S                |   64 +-
 arch/x86/platform/efi/efi_stub_64.S                |    8 +
 arch/x86/platform/intel-mid/intel-mid.c            |    3 +-
 arch/x86/platform/olpc/olpc_dt.c                   |    2 +-
 arch/x86/power/cpu.c                               |   11 +-
 arch/x86/realmode/init.c                           |   10 +-
 arch/x86/realmode/rm/Makefile                      |    3 +
 arch/x86/realmode/rm/header.S                      |    4 +-
 arch/x86/realmode/rm/trampoline_32.S               |   12 +-
 arch/x86/realmode/rm/trampoline_64.S               |    3 +-
 arch/x86/tools/Makefile                            |    2 +-
 arch/x86/tools/relocs.c                            |   94 +-
 arch/x86/um/tls_32.c                               |    2 +-
 arch/x86/vdso/Makefile                             |    2 +-
 arch/x86/vdso/vdso32-setup.c                       |   23 +-
 arch/x86/vdso/vma.c                                |   29 +-
 arch/x86/xen/enlighten.c                           |   45 +-
 arch/x86/xen/mmu.c                                 |   11 +-
 arch/x86/xen/smp.c                                 |   21 +-
 arch/x86/xen/xen-asm_32.S                          |   12 +-
 arch/x86/xen/xen-head.S                            |   11 +
 arch/x86/xen/xen-ops.h                             |    2 -
 block/blk-cgroup.c                                 |    4 +-
 block/blk-iopoll.c                                 |    2 +-
 block/blk-map.c                                    |    2 +-
 block/blk-softirq.c                                |    2 +-
 block/bsg.c                                        |   12 +-
 block/compat_ioctl.c                               |    4 +-
 block/genhd.c                                      |    9 +-
 block/partitions/efi.c                             |    8 +-
 block/scsi_ioctl.c                                 |   29 +-
 crypto/cryptd.c                                    |    4 +-
 crypto/pcrypt.c                                    |    2 +-
 drivers/acpi/apei/apei-internal.h                  |    2 +-
 drivers/acpi/apei/ghes.c                           |    4 +-
 drivers/acpi/bgrt.c                                |    6 +-
 drivers/acpi/blacklist.c                           |    4 +-
 drivers/acpi/processor_idle.c                      |    2 +-
 drivers/acpi/sysfs.c                               |    4 +-
 drivers/ata/libahci.c                              |    2 +-
 drivers/ata/libata-core.c                          |   12 +-
 drivers/ata/libata-scsi.c                          |    2 +-
 drivers/ata/libata.h                               |    2 +-
 drivers/ata/pata_arasan_cf.c                       |    4 +-
 drivers/atm/adummy.c                               |    2 +-
 drivers/atm/ambassador.c                           |    8 +-
 drivers/atm/atmtcp.c                               |   14 +-
 drivers/atm/eni.c                                  |   10 +-
 drivers/atm/firestream.c                           |    8 +-
 drivers/atm/fore200e.c                             |   14 +-
 drivers/atm/he.c                                   |   18 +-
 drivers/atm/horizon.c                              |    4 +-
 drivers/atm/idt77252.c                             |   36 +-
 drivers/atm/iphase.c                               |   34 +-
 drivers/atm/lanai.c                                |   12 +-
 drivers/atm/nicstar.c                              |   46 +-
 drivers/atm/solos-pci.c                            |    4 +-
 drivers/atm/suni.c                                 |    4 +-
 drivers/atm/uPD98402.c                             |   16 +-
 drivers/atm/zatm.c                                 |    6 +-
 drivers/base/bus.c                                 |    4 +-
 drivers/base/devtmpfs.c                            |    8 +-
 drivers/base/node.c                                |    2 +-
 drivers/base/power/domain.c                        |    8 +-
 drivers/base/power/sysfs.c                         |    2 +-
 drivers/base/power/wakeup.c                        |    8 +-
 drivers/base/syscore.c                             |    4 +-
 drivers/block/cciss.c                              |   28 +-
 drivers/block/cciss.h                              |    2 +-
 drivers/block/cpqarray.c                           |   28 +-
 drivers/block/cpqarray.h                           |    2 +-
 drivers/block/drbd/drbd_int.h                      |    6 +-
 drivers/block/drbd/drbd_main.c                     |    8 +-
 drivers/block/drbd/drbd_nl.c                       |    4 +-
 drivers/block/drbd/drbd_receiver.c                 |   22 +-
 drivers/block/loop.c                               |    2 +-
 drivers/block/null_blk.c                           |   27 +-
 drivers/block/pktcdvd.c                            |    4 +-
 drivers/bluetooth/btwilink.c                       |    2 +-
 drivers/cdrom/cdrom.c                              |   11 +-
 drivers/cdrom/gdrom.c                              |    1 -
 drivers/char/agp/compat_ioctl.c                    |    2 +-
 drivers/char/agp/frontend.c                        |    4 +-
 drivers/char/hpet.c                                |    2 +-
 drivers/char/hw_random/intel-rng.c                 |    2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |    8 +-
 drivers/char/ipmi/ipmi_si_intf.c                   |    8 +-
 drivers/char/mem.c                                 |   43 +-
 drivers/char/nvram.c                               |    2 +-
 drivers/char/pcmcia/synclink_cs.c                  |   18 +-
 drivers/char/random.c                              |   18 +-
 drivers/char/sonypi.c                              |    9 +-
 drivers/char/tpm/tpm_acpi.c                        |    3 +-
 drivers/char/tpm/tpm_eventlog.c                    |    7 +-
 drivers/char/virtio_console.c                      |    4 +-
 drivers/clk/clk-composite.c                        |    2 +-
 drivers/clk/socfpga/clk.c                          |    9 +-
 drivers/cpufreq/acpi-cpufreq.c                     |   17 +-
 drivers/cpufreq/cpufreq.c                          |   26 +-
 drivers/cpufreq/cpufreq_governor.c                 |    6 +-
 drivers/cpufreq/cpufreq_governor.h                 |    4 +-
 drivers/cpufreq/cpufreq_ondemand.c                 |   10 +-
 drivers/cpufreq/intel_pstate.c                     |   30 +-
 drivers/cpufreq/p4-clockmod.c                      |   12 +-
 drivers/cpufreq/sparc-us3-cpufreq.c                |   70 +-
 drivers/cpufreq/speedstep-centrino.c               |    7 +-
 drivers/cpuidle/driver.c                           |    2 +-
 drivers/cpuidle/governor.c                         |    2 +-
 drivers/cpuidle/sysfs.c                            |    2 +-
 drivers/crypto/hifn_795x.c                         |    4 +-
 drivers/devfreq/devfreq.c                          |    4 +-
 drivers/dma/sh/shdmac.c                            |    2 +-
 drivers/edac/edac_device.c                         |    4 +-
 drivers/edac/edac_mc_sysfs.c                       |   12 +-
 drivers/edac/edac_pci.c                            |    4 +-
 drivers/edac/edac_pci_sysfs.c                      |   22 +-
 drivers/edac/mce_amd.h                             |    2 +-
 drivers/firewire/core-card.c                       |    6 +-
 drivers/firewire/core-device.c                     |    2 +-
 drivers/firewire/core-transaction.c                |    1 +
 drivers/firewire/core.h                            |    1 +
 drivers/firmware/dmi-id.c                          |    2 +-
 drivers/firmware/dmi_scan.c                        |    2 +-
 drivers/firmware/efi/cper.c                        |    8 +-
 drivers/firmware/efi/efi.c                         |   12 +-
 drivers/firmware/efi/efivars.c                     |    2 +-
 drivers/firmware/google/memconsole.c               |    4 +-
 drivers/gpio/gpio-em.c                             |    2 +-
 drivers/gpio/gpio-ich.c                            |    2 +-
 drivers/gpio/gpio-rcar.c                           |    2 +-
 drivers/gpio/gpio-vr41xx.c                         |    2 +-
 drivers/gpu/drm/drm_crtc.c                         |    2 +-
 drivers/gpu/drm/drm_drv.c                          |    4 +-
 drivers/gpu/drm/drm_fops.c                         |   12 +-
 drivers/gpu/drm/drm_global.c                       |   14 +-
 drivers/gpu/drm/drm_info.c                         |   13 +-
 drivers/gpu/drm/drm_ioc32.c                        |   13 +-
 drivers/gpu/drm/drm_stub.c                         |    2 +-
 drivers/gpu/drm/drm_sysfs.c                        |    2 +-
 drivers/gpu/drm/i810/i810_drv.h                    |    4 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |    2 +-
 drivers/gpu/drm/i915/i915_dma.c                    |    2 +-
 drivers/gpu/drm/i915/i915_drv.h                    |    2 +-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c         |    4 +-
 drivers/gpu/drm/i915/i915_ioc32.c                  |   11 +-
 drivers/gpu/drm/i915/i915_irq.c                    |   26 +-
 drivers/gpu/drm/i915/intel_display.c               |   26 +-
 drivers/gpu/drm/mga/mga_drv.h                      |    4 +-
 drivers/gpu/drm/mga/mga_ioc32.c                    |   11 +-
 drivers/gpu/drm/mga/mga_irq.c                      |    8 +-
 drivers/gpu/drm/nouveau/nouveau_bios.c             |    2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.h              |    1 -
 drivers/gpu/drm/nouveau/nouveau_ioc32.c            |    2 +-
 drivers/gpu/drm/nouveau/nouveau_vga.c              |    2 +-
 drivers/gpu/drm/qxl/qxl_cmd.c                      |   12 +-
 drivers/gpu/drm/qxl/qxl_debugfs.c                  |    8 +-
 drivers/gpu/drm/qxl/qxl_drv.h                      |    8 +-
 drivers/gpu/drm/qxl/qxl_ioctl.c                    |   10 +-
 drivers/gpu/drm/qxl/qxl_irq.c                      |   16 +-
 drivers/gpu/drm/qxl/qxl_ttm.c                      |   38 +-
 drivers/gpu/drm/r128/r128_cce.c                    |    2 +-
 drivers/gpu/drm/r128/r128_drv.h                    |    4 +-
 drivers/gpu/drm/r128/r128_ioc32.c                  |   11 +-
 drivers/gpu/drm/r128/r128_irq.c                    |    4 +-
 drivers/gpu/drm/r128/r128_state.c                  |    4 +-
 drivers/gpu/drm/radeon/mkregtable.c                |    4 +-
 drivers/gpu/drm/radeon/radeon_device.c             |    2 +-
 drivers/gpu/drm/radeon/radeon_drv.h                |    2 +-
 drivers/gpu/drm/radeon/radeon_ioc32.c              |   13 +-
 drivers/gpu/drm/radeon/radeon_irq.c                |    6 +-
 drivers/gpu/drm/radeon/radeon_state.c              |    4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |    4 +-
 drivers/gpu/drm/tegra/dc.c                         |    2 +-
 drivers/gpu/drm/tegra/hdmi.c                       |    2 +-
 drivers/gpu/drm/ttm/ttm_memory.c                   |    4 +-
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |    4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |    1 -
 drivers/gpu/drm/via/via_drv.h                      |    4 +-
 drivers/gpu/drm/via/via_irq.c                      |   18 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h                |    2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c               |    8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c              |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_irq.c                |    4 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_marker.c             |    2 +-
 drivers/gpu/vga/vga_switcheroo.c                   |    4 +-
 drivers/hid/hid-core.c                             |    4 +-
 drivers/hid/uhid.c                                 |    6 +-
 drivers/hv/channel.c                               |    4 +-
 drivers/hv/hv.c                                    |    4 +-
 drivers/hv/hv_balloon.c                            |   18 +-
 drivers/hv/hyperv_vmbus.h                          |    2 +-
 drivers/hv/vmbus_drv.c                             |    4 +-
 drivers/hwmon/acpi_power_meter.c                   |    4 +-
 drivers/hwmon/applesmc.c                           |    2 +-
 drivers/hwmon/asus_atk0110.c                       |   10 +-
 drivers/hwmon/coretemp.c                           |    2 +-
 drivers/hwmon/ibmaem.c                             |    2 +-
 drivers/hwmon/iio_hwmon.c                          |    2 +-
 drivers/hwmon/nct6775.c                            |    6 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   10 +-
 drivers/hwmon/sht15.c                              |   12 +-
 drivers/hwmon/via-cputemp.c                        |    2 +-
 drivers/i2c/busses/i2c-amd756-s4882.c              |    2 +-
 drivers/i2c/busses/i2c-diolan-u2c.c                |    2 +-
 drivers/i2c/busses/i2c-nforce2-s4985.c             |    2 +-
 drivers/i2c/i2c-dev.c                              |    2 +-
 drivers/ide/ide-cd.c                               |    2 +-
 drivers/iio/industrialio-core.c                    |    2 +-
 drivers/infiniband/core/cm.c                       |   32 +-
 drivers/infiniband/core/fmr_pool.c                 |   20 +-
 drivers/infiniband/hw/cxgb4/mem.c                  |    4 +-
 drivers/infiniband/hw/ipath/ipath_rc.c             |    6 +-
 drivers/infiniband/hw/ipath/ipath_ruc.c            |    6 +-
 drivers/infiniband/hw/mlx4/mad.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mcg.c                   |    2 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h               |    2 +-
 drivers/infiniband/hw/mthca/mthca_cmd.c            |    8 +-
 drivers/infiniband/hw/mthca/mthca_main.c           |    2 +-
 drivers/infiniband/hw/mthca/mthca_mr.c             |    6 +-
 drivers/infiniband/hw/mthca/mthca_provider.c       |    2 +-
 drivers/infiniband/hw/nes/nes.c                    |    4 +-
 drivers/infiniband/hw/nes/nes.h                    |   40 +-
 drivers/infiniband/hw/nes/nes_cm.c                 |   62 +-
 drivers/infiniband/hw/nes/nes_mgt.c                |    8 +-
 drivers/infiniband/hw/nes/nes_nic.c                |   40 +-
 drivers/infiniband/hw/nes/nes_verbs.c              |   10 +-
 drivers/infiniband/hw/qib/qib.h                    |    1 +
 drivers/input/gameport/gameport.c                  |    4 +-
 drivers/input/input.c                              |    4 +-
 drivers/input/joystick/sidewinder.c                |    1 +
 drivers/input/joystick/xpad.c                      |    4 +-
 drivers/input/misc/ims-pcu.c                       |    4 +-
 drivers/input/mouse/psmouse.h                      |    2 +-
 drivers/input/mousedev.c                           |    2 +-
 drivers/input/serio/serio.c                        |    4 +-
 drivers/input/serio/serio_raw.c                    |    4 +-
 drivers/iommu/iommu.c                              |    2 +-
 drivers/iommu/irq_remapping.c                      |   12 +-
 drivers/irqchip/irq-gic.c                          |    4 +-
 drivers/isdn/capi/capi.c                           |   10 +-
 drivers/isdn/gigaset/interface.c                   |    8 +-
 drivers/isdn/gigaset/usb-gigaset.c                 |    2 +-
 drivers/isdn/hardware/avm/b1.c                     |    4 +-
 drivers/isdn/i4l/isdn_common.c                     |    2 +
 drivers/isdn/i4l/isdn_tty.c                        |   22 +-
 drivers/isdn/icn/icn.c                             |    2 +-
 drivers/isdn/mISDN/dsp_cmx.c                       |    2 +-
 drivers/leds/leds-clevo-mail.c                     |    2 +-
 drivers/leds/leds-ss4200.c                         |    2 +-
 drivers/lguest/core.c                              |   10 +-
 drivers/lguest/page_tables.c                       |    2 +-
 drivers/lguest/x86/core.c                          |   12 +-
 drivers/lguest/x86/switcher_32.S                   |   27 +-
 drivers/md/bcache/closure.h                        |    2 +-
 drivers/md/bitmap.c                                |    2 +-
 drivers/md/dm-ioctl.c                              |    2 +-
 drivers/md/dm-raid1.c                              |   16 +-
 drivers/md/dm-stats.c                              |    6 +-
 drivers/md/dm-stripe.c                             |   10 +-
 drivers/md/dm-table.c                              |    4 +-
 drivers/md/dm-thin-metadata.c                      |    4 +-
 drivers/md/dm.c                                    |   16 +-
 drivers/md/md.c                                    |   26 +-
 drivers/md/md.h                                    |    6 +-
 drivers/md/persistent-data/dm-space-map-metadata.c |    4 +-
 drivers/md/persistent-data/dm-space-map.h          |    1 +
 drivers/md/raid1.c                                 |    4 +-
 drivers/md/raid10.c                                |   16 +-
 drivers/md/raid5.c                                 |   10 +-
 drivers/media/dvb-core/dvbdev.c                    |    2 +-
 drivers/media/dvb-frontends/dib3000.h              |    2 +-
 drivers/media/pci/cx88/cx88-video.c                |    6 +-
 drivers/media/pci/ivtv/ivtv-driver.c               |    2 +-
 drivers/media/platform/omap/omap_vout.c            |   11 +-
 drivers/media/platform/s5p-tv/mixer.h              |    2 +-
 drivers/media/platform/s5p-tv/mixer_grp_layer.c    |    2 +-
 drivers/media/platform/s5p-tv/mixer_reg.c          |    2 +-
 drivers/media/platform/s5p-tv/mixer_video.c        |   24 +-
 drivers/media/platform/s5p-tv/mixer_vp_layer.c     |    2 +-
 drivers/media/platform/vivi.c                      |    4 +-
 drivers/media/radio/radio-cadet.c                  |    2 +
 drivers/media/radio/radio-maxiradio.c              |    2 +-
 drivers/media/radio/radio-shark.c                  |    2 +-
 drivers/media/radio/radio-shark2.c                 |    2 +-
 drivers/media/radio/radio-si476x.c                 |    2 +-
 drivers/media/usb/dvb-usb/cxusb.c                  |    2 +-
 drivers/media/usb/dvb-usb/dw2102.c                 |    2 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |   16 +-
 drivers/media/v4l2-core/v4l2-ctrls.c               |    4 +-
 drivers/media/v4l2-core/v4l2-device.c              |    4 +-
 drivers/media/v4l2-core/v4l2-ioctl.c               |   13 +-
 drivers/message/fusion/mptsas.c                    |   34 +-
 drivers/message/fusion/mptscsih.c                  |   19 +-
 drivers/message/i2o/i2o_proc.c                     |   67 +-
 drivers/message/i2o/iop.c                          |    8 +-
 drivers/mfd/ab8500-debugfs.c                       |    2 +-
 drivers/mfd/janz-cmodio.c                          |    1 +
 drivers/mfd/max8925-i2c.c                          |    2 +-
 drivers/mfd/tps65910.c                             |    2 +-
 drivers/mfd/twl4030-irq.c                          |    9 +-
 drivers/misc/c2port/core.c                         |    4 +-
 drivers/misc/eeprom/sunxi_sid.c                    |    4 +-
 drivers/misc/kgdbts.c                              |    4 +-
 drivers/misc/lis3lv02d/lis3lv02d.c                 |    8 +-
 drivers/misc/lis3lv02d/lis3lv02d.h                 |    2 +-
 drivers/misc/sgi-gru/gruhandles.c                  |    4 +-
 drivers/misc/sgi-gru/gruprocfs.c                   |    8 +-
 drivers/misc/sgi-gru/grutables.h                   |  154 +-
 drivers/misc/sgi-xp/xp.h                           |    2 +-
 drivers/misc/sgi-xp/xpc.h                          |    3 +-
 drivers/misc/sgi-xp/xpc_main.c                     |    4 +-
 drivers/mmc/card/block.c                           |    2 +-
 drivers/mmc/core/mmc_ops.c                         |    2 +-
 drivers/mmc/host/dw_mmc.h                          |    2 +-
 drivers/mmc/host/mmci.c                            |    4 +-
 drivers/mmc/host/sdhci-esdhc-imx.c                 |    7 +-
 drivers/mmc/host/sdhci-s3c.c                       |    8 +-
 drivers/mtd/chips/cfi_cmdset_0020.c                |    2 +-
 drivers/mtd/nand/denali.c                          |    1 +
 drivers/mtd/nftlmount.c                            |    1 +
 drivers/mtd/sm_ftl.c                               |    2 +-
 drivers/net/bonding/bond_netlink.c                 |    2 +-
 drivers/net/can/Kconfig                            |    2 +-
 drivers/net/ethernet/8390/ax88796.c                |    4 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h    |    2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c     |   11 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h     |    3 +-
 drivers/net/ethernet/broadcom/tg3.h                |    1 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |    2 +-
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c    |    2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |    4 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |    2 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |    2 +
 drivers/net/ethernet/faraday/ftmac100.c            |    2 +
 drivers/net/ethernet/intel/i40e/i40e_ptp.c         |    2 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c       |    2 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c   |    7 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c  |    4 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c  |   12 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c   |    2 +-
 drivers/net/ethernet/realtek/r8169.c               |    8 +-
 drivers/net/ethernet/sfc/ptp.c                     |    2 +-
 drivers/net/ethernet/stmicro/stmmac/mmc_core.c     |    4 +-
 drivers/net/hyperv/hyperv_net.h                    |    2 +-
 drivers/net/hyperv/rndis_filter.c                  |    4 +-
 drivers/net/ieee802154/fakehard.c                  |    2 +-
 drivers/net/macvlan.c                              |   18 +-
 drivers/net/macvtap.c                              |    4 +-
 drivers/net/ppp/ppp_generic.c                      |    4 +-
 drivers/net/slip/slhc.c                            |    2 +-
 drivers/net/team/team.c                            |    2 +-
 drivers/net/tun.c                                  |    5 +-
 drivers/net/usb/hso.c                              |   23 +-
 drivers/net/usb/r8152.c                            |    2 +-
 drivers/net/usb/sierra_net.c                       |    4 +-
 drivers/net/vxlan.c                                |    4 +-
 drivers/net/wimax/i2400m/rx.c                      |    2 +-
 drivers/net/wireless/airo.c                        |    2 +-
 drivers/net/wireless/at76c50x-usb.c                |    2 +-
 drivers/net/wireless/ath/ath10k/htc.c              |    7 +-
 drivers/net/wireless/ath/ath10k/htc.h              |    4 +-
 drivers/net/wireless/ath/ath9k/ar9002_mac.c        |   30 +-
 drivers/net/wireless/ath/ath9k/ar9003_mac.c        |   58 +-
 drivers/net/wireless/ath/ath9k/hw.h                |    4 +-
 drivers/net/wireless/b43/phy_lp.c                  |    2 +-
 drivers/net/wireless/iwlegacy/3945-mac.c           |    4 +-
 drivers/net/wireless/iwlwifi/dvm/debugfs.c         |   34 +-
 drivers/net/wireless/iwlwifi/dvm/main.c            |    3 +-
 drivers/net/wireless/iwlwifi/pcie/trans.c          |    4 +-
 drivers/net/wireless/mac80211_hwsim.c              |   28 +-
 drivers/net/wireless/rndis_wlan.c                  |    2 +-
 drivers/net/wireless/rt2x00/rt2x00.h               |    2 +-
 drivers/net/wireless/rt2x00/rt2x00queue.c          |    4 +-
 drivers/net/wireless/ti/wl1251/sdio.c              |   12 +-
 drivers/net/wireless/ti/wl12xx/main.c              |    8 +-
 drivers/net/wireless/ti/wl18xx/main.c              |    6 +-
 drivers/nfc/nfcwilink.c                            |    2 +-
 drivers/oprofile/buffer_sync.c                     |    8 +-
 drivers/oprofile/event_buffer.c                    |    2 +-
 drivers/oprofile/oprof.c                           |    2 +-
 drivers/oprofile/oprofile_files.c                  |    2 +-
 drivers/oprofile/oprofile_stats.c                  |   10 +-
 drivers/oprofile/oprofile_stats.h                  |   10 +-
 drivers/oprofile/oprofilefs.c                      |    6 +-
 drivers/oprofile/timer_int.c                       |    2 +-
 drivers/parport/procfs.c                           |    4 +-
 drivers/pci/hotplug/acpiphp_ibm.c                  |    4 +-
 drivers/pci/hotplug/cpcihp_generic.c               |    6 +-
 drivers/pci/hotplug/cpcihp_zt5550.c                |   14 +-
 drivers/pci/hotplug/cpqphp_nvram.c                 |    4 +
 drivers/pci/hotplug/pci_hotplug_core.c             |    6 +-
 drivers/pci/hotplug/pciehp_core.c                  |    2 +-
 drivers/pci/msi.c                                  |    6 +-
 drivers/pci/pci-sysfs.c                            |    6 +-
 drivers/pci/pci.h                                  |    2 +-
 drivers/pci/pcie/aspm.c                            |    6 +-
 drivers/pci/probe.c                                |    2 +-
 drivers/platform/chrome/chromeos_laptop.c          |    2 +-
 drivers/platform/x86/msi-laptop.c                  |   14 +-
 drivers/platform/x86/msi-wmi.c                     |    2 +-
 drivers/platform/x86/sony-laptop.c                 |    2 +-
 drivers/platform/x86/thinkpad_acpi.c               |   70 +-
 drivers/pnp/pnpbios/bioscalls.c                    |   14 +-
 drivers/pnp/resource.c                             |    4 +-
 drivers/power/pda_power.c                          |    7 +-
 drivers/power/power_supply.h                       |    4 +-
 drivers/power/power_supply_core.c                  |    7 +-
 drivers/power/power_supply_sysfs.c                 |    6 +-
 drivers/powercap/powercap_sys.c                    |  136 +-
 drivers/regulator/core.c                           |    4 +-
 drivers/regulator/max8660.c                        |    6 +-
 drivers/regulator/max8973-regulator.c              |    8 +-
 drivers/regulator/mc13892-regulator.c              |    6 +-
 drivers/rtc/rtc-cmos.c                             |    4 +-
 drivers/rtc/rtc-ds1307.c                           |    2 +-
 drivers/rtc/rtc-m48t59.c                           |    4 +-
 drivers/scsi/aic7xxx/aic79xx_pci.c                 |   18 +-
 drivers/scsi/bfa/bfa_fcpim.h                       |    2 +-
 drivers/scsi/bfa/bfa_ioc.h                         |    4 +-
 drivers/scsi/fcoe/fcoe_sysfs.c                     |   12 +-
 drivers/scsi/hosts.c                               |    4 +-
 drivers/scsi/hpsa.c                                |   30 +-
 drivers/scsi/hpsa.h                                |    2 +-
 drivers/scsi/libfc/fc_exch.c                       |   50 +-
 drivers/scsi/libsas/sas_ata.c                      |    2 +-
 drivers/scsi/lpfc/lpfc.h                           |    8 +-
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   18 +-
 drivers/scsi/lpfc/lpfc_init.c                      |    6 +-
 drivers/scsi/lpfc/lpfc_scsi.c                      |   16 +-
 drivers/scsi/mpt2sas/mpt2sas_scsih.c               |    8 +-
 drivers/scsi/pmcraid.c                             |   20 +-
 drivers/scsi/pmcraid.h                             |    8 +-
 drivers/scsi/qla2xxx/qla_attr.c                    |    4 +-
 drivers/scsi/qla2xxx/qla_gbl.h                     |    4 +-
 drivers/scsi/qla2xxx/qla_os.c                      |    6 +-
 drivers/scsi/qla4xxx/ql4_def.h                     |    2 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |    6 +-
 drivers/scsi/scsi.c                                |    2 +-
 drivers/scsi/scsi_lib.c                            |    6 +-
 drivers/scsi/scsi_sysfs.c                          |    2 +-
 drivers/scsi/scsi_tgt_lib.c                        |    2 +-
 drivers/scsi/scsi_transport_fc.c                   |    8 +-
 drivers/scsi/scsi_transport_iscsi.c                |    6 +-
 drivers/scsi/scsi_transport_srp.c                  |    6 +-
 drivers/scsi/sd.c                                  |    2 +-
 drivers/scsi/sg.c                                  |    2 +-
 drivers/spi/spi.c                                  |    2 +-
 drivers/staging/android/timed_output.c             |    6 +-
 drivers/staging/gdm724x/gdm_tty.c                  |    2 +-
 drivers/staging/imx-drm/imx-drm-core.c             |    6 +-
 drivers/staging/lustre/lnet/selftest/brw_test.c    |   12 +-
 drivers/staging/lustre/lnet/selftest/framework.c   |    4 -
 drivers/staging/lustre/lnet/selftest/ping_test.c   |   14 +-
 drivers/staging/lustre/lustre/include/lustre_dlm.h |    2 +-
 drivers/staging/lustre/lustre/include/obd.h        |    2 +-
 .../lustre/lustre/libcfs/linux/linux-proc.c        |    6 +-
 drivers/staging/media/solo6x10/solo6x10-core.c     |    2 +-
 drivers/staging/media/solo6x10/solo6x10-p2m.c      |    2 +-
 drivers/staging/media/solo6x10/solo6x10.h          |    2 +-
 drivers/staging/octeon/ethernet-rx.c               |   12 +-
 drivers/staging/octeon/ethernet.c                  |    8 +-
 drivers/staging/rtl8188eu/include/hal_intf.h       |    2 +-
 drivers/staging/rtl8188eu/include/rtw_io.h         |    2 +-
 drivers/staging/rtl8712/rtl871x_io.h               |    2 +-
 drivers/staging/sbe-2t3e3/netdev.c                 |    2 +-
 drivers/staging/usbip/vhci.h                       |    2 +-
 drivers/staging/usbip/vhci_hcd.c                   |    6 +-
 drivers/staging/usbip/vhci_rx.c                    |    2 +-
 drivers/staging/vt6655/hostap.c                    |    7 +-
 drivers/staging/vt6656/hostap.c                    |    7 +-
 drivers/target/sbp/sbp_target.c                    |    4 +-
 drivers/target/target_core_device.c                |    2 +-
 drivers/target/target_core_transport.c             |    2 +-
 drivers/tty/cyclades.c                             |    6 +-
 drivers/tty/hvc/hvc_console.c                      |   14 +-
 drivers/tty/hvc/hvcs.c                             |   21 +-
 drivers/tty/hvc/hvsi.c                             |   22 +-
 drivers/tty/hvc/hvsi_lib.c                         |    4 +-
 drivers/tty/ipwireless/tty.c                       |   27 +-
 drivers/tty/moxa.c                                 |    2 +-
 drivers/tty/n_gsm.c                                |    4 +-
 drivers/tty/n_tty.c                                |    5 +-
 drivers/tty/pty.c                                  |    4 +-
 drivers/tty/rocket.c                               |    6 +-
 drivers/tty/serial/ioc4_serial.c                   |    6 +-
 drivers/tty/serial/kgdboc.c                        |   32 +-
 drivers/tty/serial/msm_serial.c                    |    4 +-
 drivers/tty/serial/samsung.c                       |    9 +-
 drivers/tty/serial/serial_core.c                   |    8 +-
 drivers/tty/synclink.c                             |   34 +-
 drivers/tty/synclink_gt.c                          |   28 +-
 drivers/tty/synclinkmp.c                           |   34 +-
 drivers/tty/tty_io.c                               |    2 +-
 drivers/tty/tty_ldisc.c                            |    8 +-
 drivers/tty/tty_port.c                             |   22 +-
 drivers/uio/uio.c                                  |   15 +-
 drivers/usb/atm/cxacru.c                           |    2 +-
 drivers/usb/atm/usbatm.c                           |   24 +-
 drivers/usb/core/devices.c                         |    6 +-
 drivers/usb/core/devio.c                           |   10 +-
 drivers/usb/core/hcd.c                             |    4 +-
 drivers/usb/core/message.c                         |    6 +-
 drivers/usb/core/sysfs.c                           |    2 +-
 drivers/usb/core/usb.c                             |    2 +-
 drivers/usb/dwc3/gadget.c                          |    2 -
 drivers/usb/early/ehci-dbgp.c                      |   16 +-
 drivers/usb/gadget/u_serial.c                      |   22 +-
 drivers/usb/host/ehci-hub.c                        |    4 +-
 drivers/usb/misc/appledisplay.c                    |    4 +-
 drivers/usb/serial/console.c                       |    8 +-
 drivers/usb/storage/usb.h                          |    2 +-
 drivers/usb/wusbcore/wa-hc.h                       |    4 +-
 drivers/usb/wusbcore/wa-xfer.c                     |    2 +-
 drivers/vfio/vfio.c                                |    2 +-
 drivers/vhost/vringh.c                             |   20 +-
 drivers/video/aty/aty128fb.c                       |    2 +-
 drivers/video/aty/atyfb_base.c                     |    8 +-
 drivers/video/aty/mach64_cursor.c                  |    5 +-
 drivers/video/backlight/kb3886_bl.c                |    2 +-
 drivers/video/fb_defio.c                           |    6 +-
 drivers/video/fbmem.c                              |    8 +-
 drivers/video/hyperv_fb.c                          |    4 +-
 drivers/video/i810/i810_accel.c                    |    1 +
 drivers/video/mb862xx/mb862xxfb_accel.c            |   16 +-
 drivers/video/nvidia/nvidia.c                      |   27 +-
 drivers/video/omap2/dss/display.c                  |    8 +-
 drivers/video/s1d13xxxfb.c                         |    6 +-
 drivers/video/smscufx.c                            |    4 +-
 drivers/video/udlfb.c                              |   36 +-
 drivers/video/uvesafb.c                            |   53 +-
 drivers/video/vesafb.c                             |   58 +-
 drivers/video/via/via_clock.h                      |    2 +-
 fs/9p/vfs_addr.c                                   |    2 +-
 fs/9p/vfs_inode.c                                  |    2 +-
 fs/Kconfig.binfmt                                  |    2 +-
 fs/afs/inode.c                                     |    4 +-
 fs/aio.c                                           |    2 +-
 fs/autofs4/waitq.c                                 |    2 +-
 fs/befs/endian.h                                   |    6 +-
 fs/binfmt_aout.c                                   |   23 +-
 fs/binfmt_elf.c                                    |  680 +++-
 fs/binfmt_flat.c                                   |    6 +
 fs/bio.c                                           |    6 +-
 fs/block_dev.c                                     |    2 +-
 fs/btrfs/ctree.c                                   |    9 +-
 fs/btrfs/delayed-inode.c                           |    6 +-
 fs/btrfs/delayed-inode.h                           |    4 +-
 fs/btrfs/super.c                                   |    2 +-
 fs/btrfs/sysfs.c                                   |    2 +-
 fs/buffer.c                                        |    2 +-
 fs/cachefiles/bind.c                               |    6 +-
 fs/cachefiles/daemon.c                             |    8 +-
 fs/cachefiles/internal.h                           |   12 +-
 fs/cachefiles/namei.c                              |    2 +-
 fs/cachefiles/proc.c                               |   12 +-
 fs/cachefiles/rdwr.c                               |    2 +-
 fs/ceph/dir.c                                      |    2 +-
 fs/ceph/super.c                                    |    4 +-
 fs/cifs/cifs_debug.c                               |   12 +-
 fs/cifs/cifsfs.c                                   |    8 +-
 fs/cifs/cifsglob.h                                 |   54 +-
 fs/cifs/file.c                                     |   10 +-
 fs/cifs/misc.c                                     |    4 +-
 fs/cifs/smb1ops.c                                  |   80 +-
 fs/cifs/smb2ops.c                                  |   84 +-
 fs/cifs/smb2pdu.c                                  |    3 +-
 fs/coda/cache.c                                    |   10 +-
 fs/compat.c                                        |    4 +-
 fs/compat_binfmt_elf.c                             |    2 +
 fs/compat_ioctl.c                                  |   12 +-
 fs/configfs/dir.c                                  |   10 +-
 fs/coredump.c                                      |   16 +-
 fs/dcache.c                                        |    5 +-
 fs/ecryptfs/inode.c                                |    2 +-
 fs/ecryptfs/miscdev.c                              |    2 +-
 fs/exec.c                                          |  362 ++-
 fs/ext2/xattr.c                                    |    5 +-
 fs/ext3/xattr.c                                    |    5 +-
 fs/ext4/ext4.h                                     |   20 +-
 fs/ext4/mballoc.c                                  |   44 +-
 fs/ext4/mmp.c                                      |    2 +-
 fs/ext4/super.c                                    |    4 +-
 fs/ext4/xattr.c                                    |    5 +-
 fs/fhandle.c                                       |    3 +-
 fs/file.c                                          |    4 +-
 fs/fs_struct.c                                     |    8 +-
 fs/fscache/cookie.c                                |   40 +-
 fs/fscache/internal.h                              |  200 +-
 fs/fscache/object.c                                |   26 +-
 fs/fscache/operation.c                             |   30 +-
 fs/fscache/page.c                                  |  110 +-
 fs/fscache/stats.c                                 |  344 +-
 fs/fuse/cuse.c                                     |   10 +-
 fs/fuse/dev.c                                      |    4 +-
 fs/fuse/dir.c                                      |    2 +-
 fs/hostfs/hostfs_kern.c                            |    2 +-
 fs/hugetlbfs/inode.c                               |   13 +-
 fs/inode.c                                         |    4 +-
 fs/jffs2/erase.c                                   |    3 +-
 fs/jffs2/wbuf.c                                    |    3 +-
 fs/jfs/super.c                                     |    2 +-
 fs/kernfs/dir.c                                    |    2 +-
 fs/kernfs/file.c                                   |   16 +-
 fs/kernfs/symlink.c                                |    2 +-
 fs/libfs.c                                         |   12 +-
 fs/lockd/clntproc.c                                |    4 +-
 fs/locks.c                                         |    8 +-
 fs/namei.c                                         |   15 +-
 fs/namespace.c                                     |   16 +-
 fs/nfs/callback_xdr.c                              |    2 +-
 fs/nfs/inode.c                                     |    6 +-
 fs/nfsd/nfs4proc.c                                 |    2 +-
 fs/nfsd/nfs4xdr.c                                  |    2 +-
 fs/nfsd/nfscache.c                                 |    9 +-
 fs/nfsd/vfs.c                                      |    6 +-
 fs/nls/nls_base.c                                  |   22 +-
 fs/nls/nls_euc-jp.c                                |    6 +-
 fs/nls/nls_koi8-ru.c                               |    6 +-
 fs/notify/fanotify/fanotify_user.c                 |    4 +-
 fs/notify/notification.c                           |    4 +-
 fs/ntfs/dir.c                                      |    2 +-
 fs/ntfs/file.c                                     |    2 +-
 fs/ntfs/super.c                                    |    6 +-
 fs/ocfs2/localalloc.c                              |    2 +-
 fs/ocfs2/ocfs2.h                                   |   10 +-
 fs/ocfs2/suballoc.c                                |   12 +-
 fs/ocfs2/super.c                                   |   20 +-
 fs/pipe.c                                          |   59 +-
 fs/posix_acl.c                                     |    4 +-
 fs/proc/array.c                                    |   20 +
 fs/proc/base.c                                     |    4 +-
 fs/proc/kcore.c                                    |   32 +-
 fs/proc/meminfo.c                                  |    2 +-
 fs/proc/nommu.c                                    |    2 +-
 fs/proc/proc_sysctl.c                              |   18 +-
 fs/proc/task_mmu.c                                 |   39 +-
 fs/proc/task_nommu.c                               |    4 +-
 fs/proc/vmcore.c                                   |   16 +-
 fs/qnx6/qnx6.h                                     |    4 +-
 fs/quota/netlink.c                                 |    4 +-
 fs/read_write.c                                    |    2 +-
 fs/reiserfs/do_balan.c                             |    2 +-
 fs/reiserfs/procfs.c                               |    2 +-
 fs/reiserfs/reiserfs.h                             |    4 +-
 fs/seq_file.c                                      |    4 +-
 fs/splice.c                                        |   41 +-
 fs/sysv/sysv.h                                     |    2 +-
 fs/ubifs/io.c                                      |    2 +-
 fs/udf/misc.c                                      |    2 +-
 fs/ufs/swab.h                                      |    4 +-
 fs/xattr.c                                         |   21 +
 fs/xfs/xfs_bmap.c                                  |    2 +-
 fs/xfs/xfs_dir2_readdir.c                          |    7 +-
 fs/xfs/xfs_ioctl.c                                 |    2 +-
 include/asm-generic/4level-fixup.h                 |    2 +
 include/asm-generic/atomic-long.h                  |  212 +-
 include/asm-generic/atomic.h                       |    2 +-
 include/asm-generic/atomic64.h                     |   12 +
 include/asm-generic/bitops/__fls.h                 |    2 +-
 include/asm-generic/bitops/fls.h                   |    2 +-
 include/asm-generic/bitops/fls64.h                 |    4 +-
 include/asm-generic/cache.h                        |    4 +-
 include/asm-generic/emergency-restart.h            |    2 +-
 include/asm-generic/kmap_types.h                   |    4 +-
 include/asm-generic/local.h                        |   13 +
 include/asm-generic/pgtable-nopmd.h                |   18 +-
 include/asm-generic/pgtable-nopud.h                |   15 +-
 include/asm-generic/pgtable.h                      |   16 +
 include/asm-generic/uaccess.h                      |   16 +
 include/asm-generic/vmlinux.lds.h                  |   10 +-
 include/crypto/algapi.h                            |    2 +-
 include/drm/drmP.h                                 |   16 +-
 include/drm/drm_crtc_helper.h                      |    2 +-
 include/drm/i915_pciids.h                          |    2 +-
 include/drm/ttm/ttm_memory.h                       |    2 +-
 include/drm/ttm/ttm_page_alloc.h                   |    1 +
 include/keys/asymmetric-subtype.h                  |    2 +-
 include/linux/atmdev.h                             |    4 +-
 include/linux/audit.h                              |    2 +-
 include/linux/binfmts.h                            |    3 +-
 include/linux/bitops.h                             |    6 +-
 include/linux/blkdev.h                             |    2 +-
 include/linux/blktrace_api.h                       |    2 +-
 include/linux/cache.h                              |    8 +
 include/linux/cdrom.h                              |    1 -
 include/linux/cleancache.h                         |    2 +-
 include/linux/clk-provider.h                       |    1 +
 include/linux/compat.h                             |    4 +-
 include/linux/compiler-gcc4.h                      |   20 +
 include/linux/compiler.h                           |   65 +-
 include/linux/completion.h                         |   12 +-
 include/linux/configfs.h                           |    2 +-
 include/linux/cpufreq.h                            |    3 +-
 include/linux/cpuidle.h                            |    5 +-
 include/linux/cpumask.h                            |   12 +-
 include/linux/crypto.h                             |    6 +-
 include/linux/ctype.h                              |    2 +-
 include/linux/decompress/mm.h                      |    2 +-
 include/linux/devfreq.h                            |    2 +-
 include/linux/device.h                             |    7 +-
 include/linux/dma-mapping.h                        |    2 +-
 include/linux/dmaengine.h                          |    4 +-
 include/linux/efi.h                                |    1 +
 include/linux/elf.h                                |    2 +
 include/linux/err.h                                |    4 +-
 include/linux/extcon.h                             |    2 +-
 include/linux/fb.h                                 |    2 +-
 include/linux/fdtable.h                            |    2 +-
 include/linux/frontswap.h                          |    2 +-
 include/linux/fs.h                                 |    3 +-
 include/linux/fs_struct.h                          |    2 +-
 include/linux/fscache-cache.h                      |    4 +-
 include/linux/fscache.h                            |    2 +-
 include/linux/fsnotify.h                           |    2 +-
 include/linux/genhd.h                              |    4 +-
 include/linux/genl_magic_func.h                    |    2 +-
 include/linux/gfp.h                                |   12 +-
 include/linux/hash.h                               |    2 +-
 include/linux/highmem.h                            |   12 +
 include/linux/hwmon-sysfs.h                        |    6 +-
 include/linux/i2c.h                                |    1 +
 include/linux/i2o.h                                |    2 +-
 include/linux/if_pppox.h                           |    2 +-
 include/linux/init.h                               |   12 +-
 include/linux/init_task.h                          |    7 +
 include/linux/interrupt.h                          |    6 +-
 include/linux/iommu.h                              |    2 +-
 include/linux/ioport.h                             |    2 +-
 include/linux/irq.h                                |    3 +-
 include/linux/irqchip/arm-gic.h                    |    4 +-
 include/linux/jiffies.h                            |   14 +-
 include/linux/key-type.h                           |    2 +-
 include/linux/kgdb.h                               |    6 +-
 include/linux/kobject.h                            |    3 +-
 include/linux/kobject_ns.h                         |    2 +-
 include/linux/kref.h                               |    2 +-
 include/linux/kvm_host.h                           |    4 +-
 include/linux/libata.h                             |    2 +-
 include/linux/linkage.h                            |    1 +
 include/linux/list.h                               |   15 +
 include/linux/math64.h                             |   10 +-
 include/linux/mempolicy.h                          |    7 +
 include/linux/mm.h                                 |  118 +-
 include/linux/mm_types.h                           |   20 +
 include/linux/mmiotrace.h                          |    4 +-
 include/linux/mmzone.h                             |    2 +-
 include/linux/mod_devicetable.h                    |    6 +-
 include/linux/module.h                             |   60 +-
 include/linux/moduleloader.h                       |   16 +
 include/linux/moduleparam.h                        |    4 +-
 include/linux/namei.h                              |    6 +-
 include/linux/net.h                                |    2 +-
 include/linux/netdevice.h                          |    3 +-
 include/linux/netfilter.h                          |    2 +-
 include/linux/netfilter/nfnetlink.h                |    2 +-
 include/linux/nls.h                                |    2 +-
 include/linux/notifier.h                           |    3 +-
 include/linux/oprofile.h                           |    4 +-
 include/linux/padata.h                             |    2 +-
 include/linux/pci_hotplug.h                        |    3 +-
 include/linux/perf_event.h                         |   10 +-
 include/linux/pipe_fs_i.h                          |    8 +-
 include/linux/pm.h                                 |    1 +
 include/linux/pm_domain.h                          |    4 +-
 include/linux/pm_runtime.h                         |    2 +-
 include/linux/pnp.h                                |    2 +-
 include/linux/poison.h                             |    4 +-
 include/linux/power/smartreflex.h                  |    2 +-
 include/linux/ppp-comp.h                           |    2 +-
 include/linux/preempt.h                            |   21 +
 include/linux/proc_ns.h                            |    2 +-
 include/linux/quota.h                              |    2 +-
 include/linux/random.h                             |   23 +-
 include/linux/rculist.h                            |   20 +-
 include/linux/rcupdate.h                           |    2 +-
 include/linux/reboot.h                             |   14 +-
 include/linux/regset.h                             |    3 +-
 include/linux/relay.h                              |    2 +-
 include/linux/rio.h                                |    2 +-
 include/linux/rmap.h                               |    4 +-
 include/linux/sched.h                              |   68 +-
 include/linux/sched/sysctl.h                       |    1 +
 include/linux/security.h                           |    2 -
 include/linux/semaphore.h                          |    2 +-
 include/linux/seq_file.h                           |    1 +
 include/linux/skbuff.h                             |    8 +-
 include/linux/slab.h                               |   48 +-
 include/linux/slab_def.h                           |   14 +-
 include/linux/slub_def.h                           |    2 +-
 include/linux/smp.h                                |    2 +
 include/linux/sock_diag.h                          |    2 +-
 include/linux/sonet.h                              |    2 +-
 include/linux/sunrpc/addr.h                        |    8 +-
 include/linux/sunrpc/clnt.h                        |    2 +-
 include/linux/sunrpc/svc.h                         |    2 +-
 include/linux/sunrpc/svc_rdma.h                    |   18 +-
 include/linux/sunrpc/svcauth.h                     |    2 +-
 include/linux/swiotlb.h                            |    3 +-
 include/linux/syscalls.h                           |   18 +-
 include/linux/syscore_ops.h                        |    2 +-
 include/linux/sysctl.h                             |    6 +-
 include/linux/sysfs.h                              |    9 +-
 include/linux/sysrq.h                              |    3 +-
 include/linux/thread_info.h                        |    7 +
 include/linux/tty.h                                |    4 +-
 include/linux/tty_driver.h                         |    2 +-
 include/linux/tty_ldisc.h                          |    2 +-
 include/linux/types.h                              |   16 +
 include/linux/uaccess.h                            |    6 +-
 include/linux/unaligned/access_ok.h                |   24 +-
 include/linux/usb.h                                |    4 +-
 include/linux/usb/renesas_usbhs.h                  |    2 +-
 include/linux/vermagic.h                           |   21 +-
 include/linux/vga_switcheroo.h                     |    8 +-
 include/linux/vmalloc.h                            |    7 +-
 include/linux/vmstat.h                             |   24 +-
 include/linux/xattr.h                              |    5 +-
 include/linux/zlib.h                               |    3 +-
 include/media/v4l2-dev.h                           |    2 +-
 include/media/v4l2-device.h                        |    2 +-
 include/net/9p/transport.h                         |    2 +-
 include/net/bluetooth/l2cap.h                      |    2 +-
 include/net/caif/cfctrl.h                          |    6 +-
 include/net/flow.h                                 |    2 +-
 include/net/genetlink.h                            |    2 +-
 include/net/gro_cells.h                            |    2 +-
 include/net/inet_connection_sock.h                 |    2 +-
 include/net/inetpeer.h                             |   17 +-
 include/net/ip.h                                   |    2 +-
 include/net/ip_fib.h                               |    2 +-
 include/net/ip_vs.h                                |    8 +-
 include/net/irda/ircomm_tty.h                      |    1 +
 include/net/iucv/af_iucv.h                         |    2 +-
 include/net/llc_c_ac.h                             |    2 +-
 include/net/llc_c_ev.h                             |    4 +-
 include/net/llc_c_st.h                             |    2 +-
 include/net/llc_s_ac.h                             |    2 +-
 include/net/llc_s_st.h                             |    2 +-
 include/net/mac80211.h                             |    2 +-
 include/net/neighbour.h                            |    2 +-
 include/net/net_namespace.h                        |   20 +-
 include/net/netdma.h                               |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/netns/conntrack.h                      |    6 +-
 include/net/netns/ipv4.h                           |    4 +-
 include/net/netns/ipv6.h                           |    4 +-
 include/net/ping.h                                 |    2 +-
 include/net/protocol.h                             |    4 +-
 include/net/rtnetlink.h                            |    2 +-
 include/net/sctp/checksum.h                        |    4 +-
 include/net/sctp/sm.h                              |    4 +-
 include/net/sctp/structs.h                         |    2 +-
 include/net/sock.h                                 |    8 +-
 include/net/tcp.h                                  |    8 +-
 include/net/xfrm.h                                 |   13 +-
 include/rdma/iw_cm.h                               |    2 +-
 include/scsi/libfc.h                               |    3 +-
 include/scsi/scsi_device.h                         |    6 +-
 include/scsi/scsi_transport_fc.h                   |    3 +-
 include/sound/compress_driver.h                    |    2 +-
 include/sound/soc.h                                |    4 +-
 include/target/target_core_base.h                  |    2 +-
 include/trace/events/irq.h                         |    4 +-
 include/uapi/linux/a.out.h                         |    8 +
 include/uapi/linux/bcache.h                        |    5 +-
 include/uapi/linux/byteorder/little_endian.h       |   28 +-
 include/uapi/linux/elf.h                           |   28 +
 include/uapi/linux/screen_info.h                   |    3 +-
 include/uapi/linux/swab.h                          |    6 +-
 include/uapi/linux/sysctl.h                        |    2 -
 include/uapi/linux/videodev2.h                     |    2 +-
 include/uapi/linux/xattr.h                         |    4 +
 include/video/udlfb.h                              |    8 +-
 include/video/uvesafb.h                            |    1 +
 init/Kconfig                                       |    2 +-
 init/Makefile                                      |    3 +
 init/do_mounts.c                                   |   14 +-
 init/do_mounts.h                                   |    8 +-
 init/do_mounts_initrd.c                            |   30 +-
 init/do_mounts_md.c                                |    6 +-
 init/init_task.c                                   |    4 +
 init/initramfs.c                                   |   40 +-
 init/main.c                                        |   78 +-
 ipc/compat.c                                       |    2 +-
 ipc/ipc_sysctl.c                                   |   10 +-
 ipc/mq_sysctl.c                                    |    4 +-
 ipc/msg.c                                          |   11 +-
 ipc/sem.c                                          |   11 +-
 ipc/shm.c                                          |   17 +-
 kernel/acct.c                                      |    2 +-
 kernel/audit.c                                     |    8 +-
 kernel/auditsc.c                                   |    4 +-
 kernel/capability.c                                |    3 +
 kernel/compat.c                                    |   40 +-
 kernel/debug/debug_core.c                          |   16 +-
 kernel/debug/kdb/kdb_main.c                        |    4 +-
 kernel/events/core.c                               |   28 +-
 kernel/events/internal.h                           |   10 +-
 kernel/events/uprobes.c                            |    2 +-
 kernel/exit.c                                      |    4 +-
 kernel/fork.c                                      |  166 +-
 kernel/futex.c                                     |   11 +-
 kernel/futex_compat.c                              |    2 +-
 kernel/gcov/base.c                                 |    7 +-
 kernel/hrtimer.c                                   |    2 +-
 kernel/irq_work.c                                  |    7 +-
 kernel/jump_label.c                                |    5 +
 kernel/kallsyms.c                                  |   39 +-
 kernel/kexec.c                                     |    3 +-
 kernel/kmod.c                                      |    8 +-
 kernel/kprobes.c                                   |    4 +-
 kernel/ksysfs.c                                    |    2 +-
 kernel/locking/lockdep.c                           |    7 +-
 kernel/locking/mutex-debug.c                       |   12 +-
 kernel/locking/mutex-debug.h                       |    4 +-
 kernel/locking/mutex.c                             |   10 +-
 kernel/locking/rtmutex-tester.c                    |   24 +-
 kernel/module.c                                    |  337 +-
 kernel/notifier.c                                  |   17 +-
 kernel/padata.c                                    |    4 +-
 kernel/panic.c                                     |    5 +-
 kernel/pid.c                                       |    2 +-
 kernel/pid_namespace.c                             |    2 +-
 kernel/posix-cpu-timers.c                          |    4 +-
 kernel/posix-timers.c                              |   24 +-
 kernel/power/process.c                             |   12 +-
 kernel/profile.c                                   |   14 +-
 kernel/ptrace.c                                    |    8 +-
 kernel/rcu/srcu.c                                  |    4 +-
 kernel/rcu/tiny.c                                  |    4 +-
 kernel/rcu/torture.c                               |   56 +-
 kernel/rcu/tree.c                                  |   76 +-
 kernel/rcu/tree.h                                  |   26 +-
 kernel/rcu/tree_plugin.h                           |   42 +-
 kernel/rcu/tree_trace.c                            |   22 +-
 kernel/rcu/update.c                                |    4 +-
 kernel/sched/auto_group.c                          |    4 +-
 kernel/sched/completion.c                          |    6 +-
 kernel/sched/core.c                                |   45 +-
 kernel/sched/fair.c                                |    4 +-
 kernel/sched/sched.h                               |    2 +-
 kernel/signal.c                                    |   12 +-
 kernel/smpboot.c                                   |    4 +-
 kernel/softirq.c                                   |   12 +-
 kernel/sys.c                                       |   10 +-
 kernel/sysctl.c                                    |   34 +-
 kernel/time/alarmtimer.c                           |    2 +-
 kernel/time/timer_stats.c                          |   10 +-
 kernel/timer.c                                     |    4 +-
 kernel/trace/blktrace.c                            |    6 +-
 kernel/trace/ftrace.c                              |   18 +-
 kernel/trace/ring_buffer.c                         |   76 +-
 kernel/trace/trace.c                               |    2 +-
 kernel/trace/trace.h                               |    2 +-
 kernel/trace/trace_clock.c                         |    4 +-
 kernel/trace/trace_events.c                        |    1 -
 kernel/trace/trace_mmiotrace.c                     |    8 +-
 kernel/trace/trace_output.c                        |   12 +-
 kernel/trace/trace_stack.c                         |    2 +-
 kernel/user_namespace.c                            |    2 +-
 kernel/utsname_sysctl.c                            |    2 +-
 kernel/watchdog.c                                  |    2 +-
 kernel/workqueue.c                                 |    2 +-
 lib/Kconfig.debug                                  |    8 +-
 lib/Makefile                                       |    2 +-
 lib/average.c                                      |    2 +-
 lib/bitmap.c                                       |    8 +-
 lib/bug.c                                          |    2 +
 lib/debugobjects.c                                 |    2 +-
 lib/devres.c                                       |    4 +-
 lib/div64.c                                        |    4 +-
 lib/dma-debug.c                                    |    4 +-
 lib/hash.c                                         |    2 +-
 lib/inflate.c                                      |    2 +-
 lib/ioremap.c                                      |    4 +-
 lib/kobject.c                                      |    4 +-
 lib/list_debug.c                                   |  126 +-
 lib/percpu-refcount.c                              |    2 +-
 lib/radix-tree.c                                   |    2 +-
 lib/random32.c                                     |    2 +-
 lib/show_mem.c                                     |    2 +-
 lib/strncpy_from_user.c                            |    2 +-
 lib/strnlen_user.c                                 |    2 +-
 lib/swiotlb.c                                      |    2 +-
 lib/usercopy.c                                     |    6 +
 lib/vsprintf.c                                     |   12 +-
 mm/Kconfig                                         |    6 +-
 mm/backing-dev.c                                   |    4 +-
 mm/filemap.c                                       |   10 +-
 mm/fremap.c                                        |    5 +
 mm/highmem.c                                       |    7 +-
 mm/hugetlb.c                                       |   70 +-
 mm/internal.h                                      |    3 +-
 mm/maccess.c                                       |    4 +-
 mm/madvise.c                                       |   41 +
 mm/memory-failure.c                                |   28 +-
 mm/memory.c                                        |  424 ++-
 mm/mempolicy.c                                     |   25 +
 mm/mlock.c                                         |   15 +-
 mm/mmap.c                                          |  581 +++-
 mm/mprotect.c                                      |  139 +-
 mm/mremap.c                                        |   44 +-
 mm/nommu.c                                         |   21 +-
 mm/page-writeback.c                                |    2 +-
 mm/page_alloc.c                                    |   42 +-
 mm/page_io.c                                       |    2 +-
 mm/percpu.c                                        |    2 +-
 mm/process_vm_access.c                             |   14 +-
 mm/rmap.c                                          |   44 +-
 mm/shmem.c                                         |   19 +-
 mm/slab.c                                          |  106 +-
 mm/slab.h                                          |   15 +-
 mm/slab_common.c                                   |   60 +-
 mm/slob.c                                          |  206 +-
 mm/slub.c                                          |   86 +-
 mm/sparse-vmemmap.c                                |    4 +-
 mm/sparse.c                                        |    2 +-
 mm/swap.c                                          |    3 +
 mm/swapfile.c                                      |   12 +-
 mm/util.c                                          |    6 +
 mm/vmalloc.c                                       |   75 +-
 mm/vmstat.c                                        |   12 +-
 net/8021q/vlan.c                                   |    5 +-
 net/9p/client.c                                    |    6 +-
 net/9p/mod.c                                       |    4 +-
 net/9p/trans_fd.c                                  |    2 +-
 net/atm/atm_misc.c                                 |    8 +-
 net/atm/lec.h                                      |    2 +-
 net/atm/proc.c                                     |    6 +-
 net/atm/resources.c                                |    4 +-
 net/ax25/sysctl_net_ax25.c                         |    2 +-
 net/batman-adv/bat_iv_ogm.c                        |    8 +-
 net/batman-adv/fragmentation.c                     |    2 +-
 net/batman-adv/soft-interface.c                    |    6 +-
 net/batman-adv/types.h                             |    6 +-
 net/bluetooth/hci_sock.c                           |    2 +-
 net/bluetooth/l2cap_core.c                         |    6 +-
 net/bluetooth/l2cap_sock.c                         |   12 +-
 net/bluetooth/rfcomm/sock.c                        |    4 +-
 net/bluetooth/rfcomm/tty.c                         |    4 +-
 net/bridge/netfilter/ebtables.c                    |    6 +-
 net/caif/cfctrl.c                                  |   11 +-
 net/can/af_can.c                                   |    2 +-
 net/can/gw.c                                       |    6 +-
 net/ceph/messenger.c                               |    4 +-
 net/compat.c                                       |   34 +-
 net/core/datagram.c                                |    2 +-
 net/core/dev.c                                     |   16 +-
 net/core/filter.c                                  |    2 +-
 net/core/flow.c                                    |    8 +-
 net/core/iovec.c                                   |    4 +-
 net/core/neighbour.c                               |    4 +-
 net/core/net_namespace.c                           |    8 +-
 net/core/netpoll.c                                 |    4 +-
 net/core/rtnetlink.c                               |   13 +-
 net/core/scm.c                                     |    8 +-
 net/core/skbuff.c                                  |    8 +-
 net/core/sock.c                                    |   28 +-
 net/core/sock_diag.c                               |    9 +-
 net/core/sysctl_net_core.c                         |   20 +-
 net/decnet/af_decnet.c                             |    1 +
 net/decnet/sysctl_net_decnet.c                     |    4 +-
 net/ipv4/af_inet.c                                 |    8 +-
 net/ipv4/devinet.c                                 |   18 +-
 net/ipv4/fib_frontend.c                            |    6 +-
 net/ipv4/fib_semantics.c                           |    2 +-
 net/ipv4/inet_connection_sock.c                    |    2 +-
 net/ipv4/inetpeer.c                                |    4 +-
 net/ipv4/ip_fragment.c                             |   15 +-
 net/ipv4/ip_gre.c                                  |    6 +-
 net/ipv4/ip_sockglue.c                             |    2 +-
 net/ipv4/ip_vti.c                                  |    4 +-
 net/ipv4/ipconfig.c                                |    6 +-
 net/ipv4/ipip.c                                    |    4 +-
 net/ipv4/netfilter/arp_tables.c                    |   12 +-
 net/ipv4/netfilter/ip_tables.c                     |   12 +-
 net/ipv4/ping.c                                    |   16 +-
 net/ipv4/raw.c                                     |   14 +-
 net/ipv4/route.c                                   |   20 +-
 net/ipv4/sysctl_net_ipv4.c                         |   37 +-
 net/ipv4/tcp_input.c                               |    4 +-
 net/ipv4/tcp_probe.c                               |    2 +-
 net/ipv4/udp.c                                     |   10 +-
 net/ipv4/xfrm4_policy.c                            |   18 +-
 net/ipv6/addrconf.c                                |   12 +-
 net/ipv6/af_inet6.c                                |    2 +-
 net/ipv6/datagram.c                                |    2 +-
 net/ipv6/icmp.c                                    |    2 +-
 net/ipv6/ip6_gre.c                                 |    8 +-
 net/ipv6/ip6_tunnel.c                              |    4 +-
 net/ipv6/ip6_vti.c                                 |    4 +-
 net/ipv6/ipv6_sockglue.c                           |    2 +-
 net/ipv6/netfilter/ip6_tables.c                    |   12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   14 +-
 net/ipv6/output_core.c                             |   15 +-
 net/ipv6/ping.c                                    |   33 +-
 net/ipv6/raw.c                                     |   17 +-
 net/ipv6/reassembly.c                              |   13 +-
 net/ipv6/route.c                                   |    2 +-
 net/ipv6/sit.c                                     |    4 +-
 net/ipv6/sysctl_net_ipv6.c                         |    2 +-
 net/ipv6/udp.c                                     |    6 +-
 net/ipv6/xfrm6_policy.c                            |   17 +-
 net/irda/ircomm/ircomm_tty.c                       |   18 +-
 net/iucv/af_iucv.c                                 |    4 +-
 net/iucv/iucv.c                                    |    2 +-
 net/key/af_key.c                                   |    4 +-
 net/mac80211/cfg.c                                 |    8 +-
 net/mac80211/ieee80211_i.h                         |    3 +-
 net/mac80211/iface.c                               |   16 +-
 net/mac80211/main.c                                |    2 +-
 net/mac80211/pm.c                                  |    6 +-
 net/mac80211/rate.c                                |    2 +-
 net/mac80211/rc80211_pid_debugfs.c                 |    2 +-
 net/mac80211/util.c                                |    4 +-
 net/netfilter/ipset/ip_set_core.c                  |    2 +-
 net/netfilter/ipvs/ip_vs_conn.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_core.c                    |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   16 +-
 net/netfilter/ipvs/ip_vs_lblc.c                    |    2 +-
 net/netfilter/ipvs/ip_vs_lblcr.c                   |    2 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |    6 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |    4 +-
 net/netfilter/nf_conntrack_acct.c                  |    2 +-
 net/netfilter/nf_conntrack_ecache.c                |    2 +-
 net/netfilter/nf_conntrack_helper.c                |    2 +-
 net/netfilter/nf_conntrack_proto.c                 |    2 +-
 net/netfilter/nf_conntrack_standalone.c            |    2 +-
 net/netfilter/nf_conntrack_timestamp.c             |    2 +-
 net/netfilter/nf_log.c                             |   10 +-
 net/netfilter/nf_sockopt.c                         |    4 +-
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/nft_compat.c                         |    4 +-
 net/netfilter/xt_statistic.c                       |    8 +-
 net/netlink/af_netlink.c                           |    4 +-
 net/packet/af_packet.c                             |    8 +-
 net/phonet/pep.c                                   |    6 +-
 net/phonet/socket.c                                |    2 +-
 net/phonet/sysctl.c                                |    2 +-
 net/rds/cong.c                                     |    6 +-
 net/rds/ib.h                                       |    2 +-
 net/rds/ib_cm.c                                    |    2 +-
 net/rds/ib_recv.c                                  |    4 +-
 net/rds/iw.h                                       |    2 +-
 net/rds/iw_cm.c                                    |    2 +-
 net/rds/iw_recv.c                                  |    4 +-
 net/rds/rds.h                                      |    2 +-
 net/rds/tcp.c                                      |    2 +-
 net/rds/tcp_send.c                                 |    2 +-
 net/rxrpc/af_rxrpc.c                               |    2 +-
 net/rxrpc/ar-ack.c                                 |   14 +-
 net/rxrpc/ar-call.c                                |    2 +-
 net/rxrpc/ar-connection.c                          |    2 +-
 net/rxrpc/ar-connevent.c                           |    2 +-
 net/rxrpc/ar-input.c                               |    4 +-
 net/rxrpc/ar-internal.h                            |    8 +-
 net/rxrpc/ar-local.c                               |    2 +-
 net/rxrpc/ar-output.c                              |    4 +-
 net/rxrpc/ar-peer.c                                |    2 +-
 net/rxrpc/ar-proc.c                                |    4 +-
 net/rxrpc/ar-transport.c                           |    2 +-
 net/rxrpc/rxkad.c                                  |    4 +-
 net/sctp/ipv6.c                                    |    6 +-
 net/sctp/protocol.c                                |   10 +-
 net/sctp/sm_sideeffect.c                           |    2 +-
 net/sctp/socket.c                                  |   21 +-
 net/sctp/sysctl.c                                  |   13 +-
 net/socket.c                                       |   20 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |    4 +-
 net/sunrpc/clnt.c                                  |    4 +-
 net/sunrpc/sched.c                                 |    4 +-
 net/sunrpc/svc.c                                   |    4 +-
 net/sunrpc/svcauth_unix.c                          |    4 +-
 net/sunrpc/xprtrdma/svc_rdma.c                     |   38 +-
 net/sunrpc/xprtrdma/svc_rdma_recvfrom.c            |    6 +-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c              |    2 +-
 net/sunrpc/xprtrdma/svc_rdma_transport.c           |   10 +-
 net/tipc/subscr.c                                  |    2 +-
 net/unix/sysctl_net_unix.c                         |    2 +-
 net/wireless/wext-core.c                           |   19 +-
 net/xfrm/xfrm_policy.c                             |   16 +-
 net/xfrm/xfrm_state.c                              |   33 +-
 net/xfrm/xfrm_sysctl.c                             |    2 +-
 scripts/Makefile.build                             |    2 +-
 scripts/Makefile.clean                             |    3 +-
 scripts/Makefile.host                              |   28 +-
 scripts/basic/fixdep.c                             |   12 +-
 scripts/gcc-plugin.sh                              |   16 +
 scripts/headers_install.sh                         |    1 +
 scripts/link-vmlinux.sh                            |    2 +-
 scripts/mod/file2alias.c                           |   14 +-
 scripts/mod/modpost.c                              |   25 +-
 scripts/mod/modpost.h                              |    6 +-
 scripts/mod/sumversion.c                           |    2 +-
 scripts/module-common.lds                          |    4 +
 scripts/package/builddeb                           |    1 +
 scripts/pnmtologo.c                                |    6 +-
 scripts/sortextable.h                              |    6 +-
 security/Kconfig                                   |  689 +++-
 security/apparmor/lsm.c                            |    2 +-
 security/integrity/ima/ima.h                       |    4 +-
 security/integrity/ima/ima_api.c                   |    2 +-
 security/integrity/ima/ima_fs.c                    |    4 +-
 security/integrity/ima/ima_queue.c                 |    2 +-
 security/keys/compat.c                             |    2 +-
 security/keys/internal.h                           |    2 +-
 security/keys/key.c                                |   18 +-
 security/keys/keyctl.c                             |    8 +-
 security/security.c                                |    9 +-
 security/selinux/avc.c                             |    6 +-
 security/selinux/hooks.c                           |   11 +-
 security/selinux/include/xfrm.h                    |    2 +-
 security/smack/smack_lsm.c                         |    2 +-
 security/tomoyo/tomoyo.c                           |    2 +-
 security/yama/yama_lsm.c                           |   22 +-
 sound/aoa/codecs/onyx.c                            |    7 +-
 sound/aoa/codecs/onyx.h                            |    1 +
 sound/core/oss/pcm_oss.c                           |   18 +-
 sound/core/pcm_compat.c                            |    2 +-
 sound/core/pcm_native.c                            |    4 +-
 sound/core/seq/seq_device.c                        |    8 +-
 sound/core/sound.c                                 |    2 +-
 sound/drivers/mts64.c                              |   14 +-
 sound/drivers/opl4/opl4_lib.c                      |    2 +-
 sound/drivers/portman2x4.c                         |    3 +-
 sound/firewire/amdtp.c                             |    4 +-
 sound/firewire/amdtp.h                             |    2 +-
 sound/firewire/isight.c                            |   10 +-
 sound/firewire/scs1x.c                             |    8 +-
 sound/oss/sb_audio.c                               |    2 +-
 sound/oss/swarm_cs4297a.c                          |    6 +-
 sound/pci/hda/hda_codec.c                          |   10 +-
 sound/pci/ymfpci/ymfpci.h                          |    2 +-
 sound/pci/ymfpci/ymfpci_main.c                     |   12 +-
 sound/soc/fsl/fsl_ssi.c                            |    6 +-
 sound/soc/soc-core.c                               |    6 +-
 tools/gcc/.gitignore                               |    1 +
 tools/gcc/Makefile                                 |   51 +
 tools/gcc/checker_plugin.c                         |  150 +
 tools/gcc/colorize_plugin.c                        |  169 +
 tools/gcc/constify_plugin.c                        |  552 +++
 tools/gcc/gcc-common.h                             |  287 ++
 tools/gcc/generate_size_overflow_hash.sh           |   97 +
 tools/gcc/kallocstat_plugin.c                      |  182 +
 tools/gcc/kernexec_plugin.c                        |  519 +++
 tools/gcc/latent_entropy_plugin.c                  |  457 ++
 tools/gcc/size_overflow_hash.data                  | 4629 ++++++++++++++++++++
 tools/gcc/size_overflow_hash_aux.data              |   92 +
 tools/gcc/size_overflow_plugin.c                   | 4166 ++++++++++++++++++
 tools/gcc/stackleak_plugin.c                       |  374 ++
 tools/gcc/structleak_plugin.c                      |  273 ++
 tools/include/linux/compiler.h                     |    8 +
 tools/lib/api/Makefile                             |    2 +-
 tools/perf/util/include/asm/alternative-asm.h      |    3 +
 virt/kvm/kvm_main.c                                |   44 +-
 1763 files changed, 34368 insertions(+), 8117 deletions(-)