commit: c609df6c830330818ec52a8eab7e7f6870b2afe1
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 7 01:51:47 2015 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Apr 7 01:51:47 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=c609df6c
Grsec/PaX: 3.1-{3.2.68,3.14.37,3.19.3}-201504051405
3.14.37/0000_README | 2 +-
...4420_grsecurity-3.1-3.14.37-201504051405.patch} | 588 ++++++++++++++++++---
3.19.3/0000_README | 2 +-
... 4420_grsecurity-3.1-3.19.3-201504021826.patch} | 515 +++++++++++++++---
3.2.68/0000_README | 2 +-
... 4420_grsecurity-3.1-3.2.68-201504021823.patch} | 296 ++++++++---
6 files changed, 1177 insertions(+), 228 deletions(-)
diff --git a/3.14.37/0000_README b/3.14.37/0000_README
index 6e499e4..cbf4ba6 100644
--- a/3.14.37/0000_README
+++ b/3.14.37/0000_README
@@ -6,7 +6,7 @@ Patch: 1036_linux-3.14.37.patch
From: http://www.kernel.org
Desc: Linux 3.14.37
-Patch: 4420_grsecurity-3.1-3.14.37-201503270048.patch
+Patch: 4420_grsecurity-3.1-3.14.37-201504051405.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.37/4420_grsecurity-3.1-3.14.37-201503270048.patch
b/3.14.37/4420_grsecurity-3.1-3.14.37-201504051405.patch
similarity index 99%
rename from 3.14.37/4420_grsecurity-3.1-3.14.37-201503270048.patch
rename to 3.14.37/4420_grsecurity-3.1-3.14.37-201504051405.patch
index e462e33..b383085 100644
--- a/3.14.37/4420_grsecurity-3.1-3.14.37-201503270048.patch
+++ b/3.14.37/4420_grsecurity-3.1-3.14.37-201504051405.patch
@@ -235,21 +235,24 @@ index b89a739..e289b9b 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt
b/Documentation/kernel-parameters.txt
-index 5d91ba1..935a4e7 100644
+index 5d91ba1..ef1d374 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
-@@ -1084,6 +1084,10 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
+@@ -1084,6 +1084,13 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
Format: <unsigned int> such that (rxsize & ~0x1fffc0)
== 0.
Default: 1024
+ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
+ ignore grsecurity's /proc restrictions
+
++ grsec_sysfs_restrict= Format: 0 | 1
++ Default: 1
++ Disables GRKERNSEC_SYSFS_RESTRICT if enabled in config
+
hashdist= [KNL,NUMA] Large hashes allocated during boot
are distributed across NUMA nodes. Defaults on
for 64-bit NUMA, off otherwise.
-@@ -2081,6 +2085,10 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
+@@ -2081,6 +2088,10 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
noexec=on: enable non-executable mappings (default)
noexec=off: disable non-executable mappings
@@ -260,7 +263,7 @@ index 5d91ba1..935a4e7 100644
nosmap [X86]
Disable SMAP (Supervisor Mode Access Prevention)
even if it is supported by processor.
-@@ -2348,6 +2356,30 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
+@@ -2348,6 +2359,30 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -10165,10 +10168,18 @@ index 0167d26..767bb0c 100644
#include <asm/uaccess_64.h>
#else
diff --git a/arch/sparc/include/asm/uaccess_32.h
b/arch/sparc/include/asm/uaccess_32.h
-index 53a28dd..50c38c3 100644
+index 53a28dd..6e11369 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
-@@ -250,27 +250,46 @@ extern unsigned long __copy_user(void __user *to, const
void __user *from, unsig
+@@ -47,6 +47,7 @@
+ #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
+ #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
+ #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr),
(size))
+ #define access_ok(type, addr, size) \
+ ({ (void)(type); __access_ok((unsigned long)(addr), size); })
+
+@@ -250,27 +251,46 @@ extern unsigned long __copy_user(void __user *to, const
void __user *from, unsig
static inline unsigned long copy_to_user(void __user *to, const void *from,
unsigned long n)
{
@@ -10220,7 +10231,7 @@ index 53a28dd..50c38c3 100644
}
diff --git a/arch/sparc/include/asm/uaccess_64.h
b/arch/sparc/include/asm/uaccess_64.h
-index ad7e178..c9e7423 100644
+index ad7e178..26cd4a7 100644
--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -10,6 +10,7 @@
@@ -10231,7 +10242,19 @@ index ad7e178..c9e7423 100644
#include <asm/asi.h>
#include <asm/spitfire.h>
#include <asm-generic/uaccess-unaligned.h>
-@@ -214,8 +215,15 @@ extern unsigned long copy_from_user_fixup(void *to, const
void __user *from,
+@@ -54,6 +55,11 @@ static inline int __access_ok(const void __user * addr,
unsigned long size)
+ return 1;
+ }
+
++static inline int access_ok_noprefault(int type, const void __user * addr,
unsigned long size)
++{
++ return 1;
++}
++
+ static inline int access_ok(int type, const void __user * addr, unsigned long
size)
+ {
+ return 1;
+@@ -214,8 +220,15 @@ extern unsigned long copy_from_user_fixup(void *to, const
void __user *from,
static inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long size)
{
@@ -10248,7 +10271,7 @@ index ad7e178..c9e7423 100644
if (unlikely(ret))
ret = copy_from_user_fixup(to, from, size);
-@@ -231,8 +239,15 @@ extern unsigned long copy_to_user_fixup(void __user *to,
const void *from,
+@@ -231,8 +244,15 @@ extern unsigned long copy_to_user_fixup(void __user *to,
const void *from,
static inline unsigned long __must_check
copy_to_user(void __user *to, const void *from, unsigned long size)
{
@@ -21150,7 +21173,7 @@ index c005fdd..e33da29 100644
if (c->x86_model == 3 && c->x86_mask == 0)
size = 64;
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index e6bddd5..517213d 100644
+index e6bddd5..5b0c55c 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -88,60 +88,6 @@ static const struct cpu_dev default_cpu = {
@@ -21283,10 +21306,20 @@ index e6bddd5..517213d 100644
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
/* Reload the per-cpu base */
-@@ -885,6 +884,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
+@@ -885,6 +884,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
setup_smep(c);
setup_smap(c);
++#ifdef CONFIG_X86_32
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(__supported_pte_mask & _PAGE_NX))
++ clear_cpu_cap(c, X86_FEATURE_PSE);
++#endif
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) ||
defined(CONFIG_PAX_MEMORY_UDEREF)
++ clear_cpu_cap(c, X86_FEATURE_SEP);
++#endif
++#endif
++
+#ifdef CONFIG_X86_64
+ setup_pcid(c);
+#endif
@@ -21294,18 +21327,7 @@ index e6bddd5..517213d 100644
/*
* The vendor-specific functions might have changed features.
* Now we do "generic changes."
-@@ -893,6 +896,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
- /* Filter out anything that depends on CPUID levels we don't have */
- filter_cpuid_features(c, true);
-
-+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_SEGMEXEC) ||
defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
-+ setup_clear_cpu_cap(X86_FEATURE_SEP);
-+#endif
-+
- /* If the model name is still unset, do table lookup. */
- if (!c->x86_model_id[0]) {
- const char *p;
-@@ -1080,10 +1087,12 @@ static __init int setup_disablecpuid(char *arg)
+@@ -1080,10 +1093,12 @@ static __init int setup_disablecpuid(char *arg)
}
__setup("clearcpuid=", setup_disablecpuid);
@@ -21321,7 +21343,7 @@ index e6bddd5..517213d 100644
DEFINE_PER_CPU_FIRST(union irq_stack_union,
irq_stack_union) __aligned(PAGE_SIZE) __visible;
-@@ -1097,7 +1106,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task)
____cacheline_aligned =
+@@ -1097,7 +1112,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task)
____cacheline_aligned =
EXPORT_PER_CPU_SYMBOL(current_task);
DEFINE_PER_CPU(unsigned long, kernel_stack) =
@@ -21330,7 +21352,7 @@ index e6bddd5..517213d 100644
EXPORT_PER_CPU_SYMBOL(kernel_stack);
DEFINE_PER_CPU(char *, irq_stack_ptr) =
-@@ -1247,7 +1256,7 @@ void cpu_init(void)
+@@ -1247,7 +1262,7 @@ void cpu_init(void)
load_ucode_ap();
cpu = stack_smp_processor_id();
@@ -21339,7 +21361,7 @@ index e6bddd5..517213d 100644
oist = &per_cpu(orig_ist, cpu);
#ifdef CONFIG_NUMA
-@@ -1282,7 +1291,6 @@ void cpu_init(void)
+@@ -1282,7 +1297,6 @@ void cpu_init(void)
wrmsrl(MSR_KERNEL_GS_BASE, 0);
barrier();
@@ -21347,7 +21369,7 @@ index e6bddd5..517213d 100644
enable_x2apic();
/*
-@@ -1334,7 +1342,7 @@ void cpu_init(void)
+@@ -1334,7 +1348,7 @@ void cpu_init(void)
{
int cpu = smp_processor_id();
struct task_struct *curr = current;
@@ -30219,7 +30241,7 @@ index 7609e0e..b449b98 100644
}
EXPORT_SYMBOL(csum_partial_copy_to_user);
diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
-index a451235..1daa956 100644
+index a451235..a74bfa3 100644
--- a/arch/x86/lib/getuser.S
+++ b/arch/x86/lib/getuser.S
@@ -33,17 +33,40 @@
@@ -30244,8 +30266,6 @@ index a451235..1daa956 100644
GET_THREAD_INFO(%_ASM_DX)
cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
- ASM_STAC
--1: movzbl (%_ASM_AX),%edx
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_DX
@@ -30257,6 +30277,8 @@ index a451235..1daa956 100644
+
+#endif
+
+ ASM_STAC
+-1: movzbl (%_ASM_AX),%edx
+1: __copyuser_seg movzbl (%_ASM_AX),%edx
xor %eax,%eax
ASM_CLAC
@@ -30274,8 +30296,6 @@ index a451235..1daa956 100644
GET_THREAD_INFO(%_ASM_DX)
cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
- ASM_STAC
--2: movzwl -1(%_ASM_AX),%edx
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_DX
@@ -30287,6 +30307,8 @@ index a451235..1daa956 100644
+
+#endif
+
+ ASM_STAC
+-2: movzwl -1(%_ASM_AX),%edx
+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
xor %eax,%eax
ASM_CLAC
@@ -30304,8 +30326,6 @@ index a451235..1daa956 100644
GET_THREAD_INFO(%_ASM_DX)
cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
- ASM_STAC
--3: movl -3(%_ASM_AX),%edx
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_DX
@@ -30317,6 +30337,8 @@ index a451235..1daa956 100644
+
+#endif
+
+ ASM_STAC
+-3: movl -3(%_ASM_AX),%edx
+3: __copyuser_seg movl -3(%_ASM_AX),%edx
xor %eax,%eax
ASM_CLAC
@@ -30895,7 +30917,7 @@ index f6d13ee..d789440 100644
3:
CFI_RESTORE_STATE
diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S
-index fc6ba17..d4d989d 100644
+index fc6ba17..14ad9a5 100644
--- a/arch/x86/lib/putuser.S
+++ b/arch/x86/lib/putuser.S
@@ -16,7 +16,9 @@
@@ -30943,8 +30965,6 @@ index fc6ba17..d4d989d 100644
+ GET_THREAD_INFO(%_ASM_BX)
cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
jae bad_put_user
- ASM_STAC
--1: movb %al,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -30956,6 +30976,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-1: movb %al,(%_ASM_CX)
+1: __copyuser_seg movb %al,(_DEST)
xor %eax,%eax
EXIT
@@ -30970,8 +30992,6 @@ index fc6ba17..d4d989d 100644
sub $1,%_ASM_BX
cmp %_ASM_BX,%_ASM_CX
jae bad_put_user
- ASM_STAC
--2: movw %ax,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -30983,6 +31003,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-2: movw %ax,(%_ASM_CX)
+2: __copyuser_seg movw %ax,(_DEST)
xor %eax,%eax
EXIT
@@ -30997,8 +31019,6 @@ index fc6ba17..d4d989d 100644
sub $3,%_ASM_BX
cmp %_ASM_BX,%_ASM_CX
jae bad_put_user
- ASM_STAC
--3: movl %eax,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -31010,6 +31030,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-3: movl %eax,(%_ASM_CX)
+3: __copyuser_seg movl %eax,(_DEST)
xor %eax,%eax
EXIT
@@ -31024,8 +31046,6 @@ index fc6ba17..d4d989d 100644
sub $7,%_ASM_BX
cmp %_ASM_BX,%_ASM_CX
jae bad_put_user
- ASM_STAC
--4: mov %_ASM_AX,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -31037,6 +31057,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-4: mov %_ASM_AX,(%_ASM_CX)
+4: __copyuser_seg mov %_ASM_AX,(_DEST)
#ifdef CONFIG_X86_32
-5: movl %edx,4(%_ASM_CX)
@@ -43391,6 +43413,20 @@ index a841123..055ebeb 100644
if (!can_do_mlock())
return ERR_PTR(-EPERM);
+diff --git a/drivers/infiniband/core/uverbs_cmd.c
b/drivers/infiniband/core/uverbs_cmd.c
+index 2adc143..619e970 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -923,6 +923,9 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
+ if (copy_from_user(&cmd, buf, sizeof cmd))
+ return -EFAULT;
+
++ if (!access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length))
++ return -EFAULT;
++
+ INIT_UDATA(&udata, buf + sizeof cmd,
+ (unsigned long) cmd.response + sizeof resp,
+ in_len - sizeof cmd, out_len - sizeof resp);
diff --git a/drivers/infiniband/hw/cxgb4/mem.c
b/drivers/infiniband/hw/cxgb4/mem.c
index 41b1195..27971a0 100644
--- a/drivers/infiniband/hw/cxgb4/mem.c
@@ -61038,21 +61074,32 @@ index 4366127..b8c2cf9 100644
dcache_init();
inode_init();
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 1ff8fe5..5bf8b25 100644
+index 1ff8fe5..31407fe 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
-@@ -424,7 +424,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+@@ -422,10 +422,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+ * If debugfs is not enabled in the kernel, the value -%ENODEV will be
+ * returned.
*/
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++extern int grsec_enable_sysfs_restrict;
++#endif
++
struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
{
+- return __create_file(name, S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
+- parent, NULL, NULL);
++ umode_t mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++
+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
-+ return __create_file(name, S_IFDIR | S_IRWXU,
-+#else
- return __create_file(name, S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
++ if (grsec_enable_sysfs_restrict)
++ mode = S_IFDIR | S_IRWXU;
+#endif
- parent, NULL, NULL);
++
++ return __create_file(name, mode, parent, NULL, NULL);
}
EXPORT_SYMBOL_GPL(debugfs_create_dir);
+
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index a85ceb7..5097313b 100644
--- a/fs/ecryptfs/inode.c
@@ -68319,10 +68366,21 @@ index ae0c3ce..9ee641c 100644
generic_fillattr(inode, stat);
return 0;
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
-index ee0d761..b346c58 100644
+index ee0d761..2f33d21 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
-@@ -62,9 +62,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char
*name)
+@@ -54,6 +54,10 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char
*name)
+ kfree(path);
+ }
+
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++extern int grsec_enable_sysfs_restrict;
++#endif
++
+ /**
+ * sysfs_create_dir_ns - create a directory for an object with a namespace tag
+ * @kobj: object we're creating directory for
+@@ -62,9 +66,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char
*name)
int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
{
struct kernfs_node *parent, *kn;
@@ -68339,7 +68397,7 @@ index ee0d761..b346c58 100644
if (kobj->parent)
parent = kobj->parent->sd;
else
-@@ -73,11 +80,22 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void
*ns)
+@@ -73,11 +84,24 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void
*ns)
if (!parent)
return -ENOENT;
@@ -68354,6 +68412,8 @@ index ee0d761..b346c58 100644
+ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") ||
!strcmp(name, "fuse") || !strcmp(name, "ecryptfs"))) ||
+ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
+ mode = S_IRWXU | S_IRUGO | S_IXUGO;
++ if (!grsec_enable_sysfs_restrict)
++ mode = S_IRWXU | S_IRUGO | S_IXUGO;
+#endif
+
+ kn = kernfs_create_dir_ns(parent, name,
@@ -88618,6 +88678,26 @@ index ef6103b..d4e65dd 100644
#define ELFMAG0 0x7f /* EI_MAG */
#define ELFMAG1 'E'
#define ELFMAG2 'L'
+diff --git a/include/uapi/linux/netfilter/xt_connlimit.h
b/include/uapi/linux/netfilter/xt_connlimit.h
+index f165609..d1366f0 100644
+--- a/include/uapi/linux/netfilter/xt_connlimit.h
++++ b/include/uapi/linux/netfilter/xt_connlimit.h
+@@ -22,8 +22,13 @@ struct xt_connlimit_info {
+ #endif
+ };
+ unsigned int limit;
+- /* revision 1 */
+- __u32 flags;
++ union {
++ /* revision 0 */
++ unsigned int inverse;
++
++ /* revision 1 */
++ __u32 flags;
++ };
+
+ /* Used internally by the kernel */
+ struct xt_connlimit_data *data __attribute__((aligned(8)));
diff --git a/include/uapi/linux/personality.h
b/include/uapi/linux/personality.h
index aa169c4..6a2771d 100644
--- a/include/uapi/linux/personality.h
@@ -89117,7 +89197,7 @@ index 93b6139..8d628b7 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index 58c132d..ac3f3b0 100644
+index 58c132d..310b5fa 100644
--- a/init/main.c
+++ b/init/main.c
@@ -97,6 +97,8 @@ extern void radix_tree_init(void);
@@ -89129,7 +89209,7 @@ index 58c132d..ac3f3b0 100644
/*
* Debug helper: via this flag we know that we are in 'early bootup code'
* where only the boot processor is running with IRQ disabled. This means
-@@ -158,6 +160,75 @@ static int __init set_reset_devices(char *str)
+@@ -158,6 +160,85 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
@@ -89142,6 +89222,16 @@ index 58c132d..ac3f3b0 100644
+}
+__setup("grsec_proc_gid=", setup_grsec_proc_gid);
+#endif
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++int grsec_enable_sysfs_restrict = 1;
++static int __init setup_grsec_sysfs_restrict(char *str)
++{
++ if (!simple_strtol(str, NULL, 0))
++ grsec_enable_sysfs_restrict = 0;
++ return 1;
++}
++__setup("grsec_sysfs_restrict", setup_grsec_sysfs_restrict);
++#endif
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+unsigned long pax_user_shadow_base __read_only;
@@ -89205,7 +89295,7 @@ index 58c132d..ac3f3b0 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -692,25 +763,24 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -692,25 +773,24 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -89236,7 +89326,7 @@ index 58c132d..ac3f3b0 100644
return ret;
}
-@@ -817,8 +887,8 @@ static int run_init_process(const char *init_filename)
+@@ -817,8 +897,8 @@ static int run_init_process(const char *init_filename)
{
argv_init[0] = init_filename;
return do_execve(getname_kernel(init_filename),
@@ -89247,7 +89337,7 @@ index 58c132d..ac3f3b0 100644
}
static int try_to_run_init_process(const char *init_filename)
-@@ -835,6 +905,10 @@ static int try_to_run_init_process(const char
*init_filename)
+@@ -835,6 +915,10 @@ static int try_to_run_init_process(const char
*init_filename)
return ret;
}
@@ -89258,7 +89348,7 @@ index 58c132d..ac3f3b0 100644
static noinline void __init kernel_init_freeable(void);
static int __ref kernel_init(void *unused)
-@@ -859,6 +933,11 @@ static int __ref kernel_init(void *unused)
+@@ -859,6 +943,11 @@ static int __ref kernel_init(void *unused)
ramdisk_execute_command, ret);
}
@@ -89270,7 +89360,7 @@ index 58c132d..ac3f3b0 100644
/*
* We try each of these until one succeeds.
*
-@@ -914,7 +993,7 @@ static noinline void __init kernel_init_freeable(void)
+@@ -914,7 +1003,7 @@ static noinline void __init kernel_init_freeable(void)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -89279,7 +89369,7 @@ index 58c132d..ac3f3b0 100644
pr_err("Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -927,11 +1006,13 @@ static noinline void __init kernel_init_freeable(void)
+@@ -927,11 +1016,13 @@ static noinline void __init kernel_init_freeable(void)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -95201,7 +95291,7 @@ index e3be87e..abc908f 100644
/* make curr_ret_stack visible before we add the ret_stack */
smp_wmb();
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
-index 774a080..7fa60b1 100644
+index 774a080..d09b170 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -352,9 +352,9 @@ struct buffer_data_page {
@@ -95216,17 +95306,22 @@ index 774a080..7fa60b1 100644
unsigned long real_end; /* real end of data */
struct buffer_data_page *page; /* Actual data page */
};
-@@ -473,8 +473,8 @@ struct ring_buffer_per_cpu {
+@@ -473,11 +473,11 @@ struct ring_buffer_per_cpu {
unsigned long last_overrun;
local_t entries_bytes;
local_t entries;
- local_t overrun;
- local_t commit_overrun;
+- local_t dropped_events;
+ local_unchecked_t overrun;
+ local_unchecked_t commit_overrun;
- local_t dropped_events;
++ local_unchecked_t dropped_events;
local_t committing;
- local_t commits;
+- local_t commits;
++ local_unchecked_t commits;
+ unsigned long read;
+ unsigned long read_bytes;
+ u64 write_stamp;
@@ -1005,8 +1005,8 @@ static int rb_tail_page_update(struct
ring_buffer_per_cpu *cpu_buffer,
*
* We add a counter to the write field to denote this.
@@ -95318,6 +95413,15 @@ index 774a080..7fa60b1 100644
goto out_reset;
}
+@@ -2330,7 +2330,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
+ * this is easy, just stop here.
+ */
+ if (!(buffer->flags & RB_FL_OVERWRITE)) {
+- local_inc(&cpu_buffer->dropped_events);
++
local_inc_unchecked(&cpu_buffer->dropped_events);
+ goto out_reset;
+ }
+
@@ -2356,7 +2356,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
cpu_buffer->tail_page) &&
(cpu_buffer->commit_page ==
@@ -95363,6 +95467,42 @@ index 774a080..7fa60b1 100644
if (index == old_index) {
/* update counters */
local_sub(event_length, &cpu_buffer->entries_bytes);
+@@ -2486,7 +2486,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
+ static void rb_start_commit(struct ring_buffer_per_cpu *cpu_buffer)
+ {
+ local_inc(&cpu_buffer->committing);
+- local_inc(&cpu_buffer->commits);
++ local_inc_unchecked(&cpu_buffer->commits);
+ }
+
+ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -2498,7 +2498,7 @@ static inline void rb_end_commit(struct
ring_buffer_per_cpu *cpu_buffer)
+ return;
+
+ again:
+- commits = local_read(&cpu_buffer->commits);
++ commits = local_read_unchecked(&cpu_buffer->commits);
+ /* synchronize with interrupts */
+ barrier();
+ if (local_read(&cpu_buffer->committing) == 1)
+@@ -2514,7 +2514,7 @@ static inline void rb_end_commit(struct
ring_buffer_per_cpu *cpu_buffer)
+ * updating of the commit page and the clearing of the
+ * committing counter.
+ */
+- if (unlikely(local_read(&cpu_buffer->commits) != commits) &&
++ if (unlikely(local_read_unchecked(&cpu_buffer->commits) != commits) &&
+ !local_read(&cpu_buffer->committing)) {
+ local_inc(&cpu_buffer->committing);
+ goto again;
+@@ -2544,7 +2544,7 @@ rb_reserve_next_event(struct ring_buffer *buffer,
+ barrier();
+ if (unlikely(ACCESS_ONCE(cpu_buffer->buffer) != buffer)) {
+ local_dec(&cpu_buffer->committing);
+- local_dec(&cpu_buffer->commits);
++ local_dec_unchecked(&cpu_buffer->commits);
+ return NULL;
+ }
+ #endif
@@ -2863,7 +2863,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu
*cpu_buffer,
/* Do the likely case first */
@@ -95408,6 +95548,15 @@ index 774a080..7fa60b1 100644
return ret;
}
+@@ -3293,7 +3293,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer
*buffer, int cpu)
+ return 0;
+
+ cpu_buffer = buffer->buffers[cpu];
+- ret = local_read(&cpu_buffer->dropped_events);
++ ret = local_read_unchecked(&cpu_buffer->dropped_events);
+
+ return ret;
+ }
@@ -3356,7 +3356,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer
*buffer)
/* if you care about this being correct, lock the buffer */
for_each_buffer_cpu(buffer, cpu) {
@@ -95448,7 +95597,7 @@ index 774a080..7fa60b1 100644
local_set(&cpu_buffer->head_page->page->commit, 0);
cpu_buffer->head_page->read = 0;
-@@ -4145,14 +4145,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4145,18 +4145,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
INIT_LIST_HEAD(&cpu_buffer->new_pages);
@@ -95462,11 +95611,17 @@ index 774a080..7fa60b1 100644
local_set(&cpu_buffer->entries_bytes, 0);
- local_set(&cpu_buffer->overrun, 0);
- local_set(&cpu_buffer->commit_overrun, 0);
+- local_set(&cpu_buffer->dropped_events, 0);
+ local_set_unchecked(&cpu_buffer->overrun, 0);
+ local_set_unchecked(&cpu_buffer->commit_overrun, 0);
- local_set(&cpu_buffer->dropped_events, 0);
++ local_set_unchecked(&cpu_buffer->dropped_events, 0);
local_set(&cpu_buffer->entries, 0);
local_set(&cpu_buffer->committing, 0);
+- local_set(&cpu_buffer->commits, 0);
++ local_set_unchecked(&cpu_buffer->commits, 0);
+ cpu_buffer->read = 0;
+ cpu_buffer->read_bytes = 0;
+
@@ -4557,8 +4557,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
rb_init_page(bpage);
bpage = reader->page;
@@ -96410,6 +96565,22 @@ index f07a40d..0a445a7 100644
retval = 1;
}
spin_unlock(&lockref->lock);
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 10ad042d..25b47b5 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -274,7 +274,11 @@ int nla_memcpy(void *dest, const struct nlattr *src, int
count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
++ if (count > minlen)
++ memset(dest + minlen, 0, count - minlen);
+
+ return minlen;
+ }
diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
index 963b703..438bc51 100644
--- a/lib/percpu-refcount.c
@@ -103893,6 +104064,19 @@ index bf2cb4a..d83ba8a 100644
p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
p->rate_tokens = 0;
/* 60*HZ is arbitrary, but chosen enough high so that the first
+diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
+index ecb34b5..5c5ab40 100644
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -82,7 +82,7 @@ static int ip_forward_finish_gso(struct sk_buff *skb)
+
+ features = netif_skb_dev_features(skb, dst->dev);
+ segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
+- if (IS_ERR(segs)) {
++ if (IS_ERR_OR_NULL(segs)) {
+ kfree_skb(skb);
+ return -ENOMEM;
+ }
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 9ff497d..877a388 100644
--- a/net/ipv4/ip_fragment.c
@@ -106767,6 +106951,19 @@ index 6ff12a1..d1815b6 100644
goto nla_put_failure;
if (data_len) {
+diff --git a/net/netfilter/nfnetlink_queue_core.c
b/net/netfilter/nfnetlink_queue_core.c
+index 108120f..5b169db 100644
+--- a/net/netfilter/nfnetlink_queue_core.c
++++ b/net/netfilter/nfnetlink_queue_core.c
+@@ -665,7 +665,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry,
unsigned int queuenum)
+ * returned by nf_queue. For instance, callers rely on -ECANCELED to
+ * mean 'ignore this hook'.
+ */
+- if (IS_ERR(segs))
++ if (IS_ERR_OR_NULL(segs))
+ goto out_err;
+ queued = 0;
+ err = 0;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 7350723..c58f861 100644
--- a/net/netfilter/nft_compat.c
@@ -106789,6 +106986,60 @@ index 7350723..c58f861 100644
set_fs(old_fs);
ret = nla_put(skb, NFTA_MATCH_INFO, XT_ALIGN(m->matchsize),
out);
kfree(out);
+diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
+index c40b269..b73fd7d 100644
+--- a/net/netfilter/xt_connlimit.c
++++ b/net/netfilter/xt_connlimit.c
+@@ -274,25 +274,38 @@ static void connlimit_mt_destroy(const struct
xt_mtdtor_param *par)
+ kfree(info->data);
+ }
+
+-static struct xt_match connlimit_mt_reg __read_mostly = {
+- .name = "connlimit",
+- .revision = 1,
+- .family = NFPROTO_UNSPEC,
+- .checkentry = connlimit_mt_check,
+- .match = connlimit_mt,
+- .matchsize = sizeof(struct xt_connlimit_info),
+- .destroy = connlimit_mt_destroy,
+- .me = THIS_MODULE,
++static struct xt_match connlimit_mt_reg[] __read_mostly = {
++ {
++ .name = "connlimit",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = connlimit_mt_check,
++ .match = connlimit_mt,
++ .matchsize = sizeof(struct xt_connlimit_info),
++ .destroy = connlimit_mt_destroy,
++ .me = THIS_MODULE,
++ },
++ {
++ .name = "connlimit",
++ .revision = 1,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = connlimit_mt_check,
++ .match = connlimit_mt,
++ .matchsize = sizeof(struct xt_connlimit_info),
++ .destroy = connlimit_mt_destroy,
++ .me = THIS_MODULE,
++ },
+ };
+
+ static int __init connlimit_mt_init(void)
+ {
+- return xt_register_match(&connlimit_mt_reg);
++ return xt_register_matches(connlimit_mt_reg,
++ ARRAY_SIZE(connlimit_mt_reg));
+ }
+
+ static void __exit connlimit_mt_exit(void)
+ {
+- xt_unregister_match(&connlimit_mt_reg);
++ xt_unregister_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
+ }
+
+ module_init(connlimit_mt_init);
diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
new file mode 100644
index 0000000..c566332
@@ -106945,6 +107196,19 @@ index b74aa07..d41926e 100644
sax->fsa_ax25.sax25_call = nr->source_addr;
*uaddr_len = sizeof(struct sockaddr_ax25);
}
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index 270b77d..0a9d0981 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -314,6 +314,8 @@ static int queue_gso_packets(struct datapath *dp, struct
sk_buff *skb,
+ segs = __skb_gso_segment(skb, NETIF_F_SG, false);
+ if (IS_ERR(segs))
+ return PTR_ERR(segs);
++ if (segs == NULL)
++ return -EINVAL;
+
+ /* Queue all of the segments. */
+ skb = segs;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 48b1817..d2c096b 100644
--- a/net/packet/af_packet.c
@@ -108758,6 +109022,19 @@ index 0917f04..f4e3d8c 100644
return -ENOMEM;
if (!proc_create("x25/route", S_IRUGO, init_net.proc_net,
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 3bb2cdc..616d812 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -157,6 +157,8 @@ static int xfrm_output_gso(struct sk_buff *skb)
+ kfree_skb(skb);
+ if (IS_ERR(segs))
+ return PTR_ERR(segs);
++ if (segs == NULL)
++ return -EINVAL;
+
+ do {
+ struct sk_buff *nskb = segs->next;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 59cf325..e7fa6f0 100644
--- a/net/xfrm/xfrm_policy.c
@@ -112954,10 +113231,10 @@ index 0000000..3b5af59
+}
diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h
new file mode 100644
-index 0000000..cd95c07
+index 0000000..14ec226
--- /dev/null
+++ b/tools/gcc/gcc-common.h
-@@ -0,0 +1,375 @@
+@@ -0,0 +1,520 @@
+#ifndef GCC_COMMON_H_INCLUDED
+#define GCC_COMMON_H_INCLUDED
+
@@ -113038,6 +113315,10 @@ index 0000000..cd95c07
+#include "tree-cfgcleanup.h"
+#endif
+
++#if BUILDING_GCC_VERSION >= 4008
++#include "is-a.h"
++#endif
++
+#include "diagnostic.h"
+//#include "tree-diagnostic.h"
+#include "tree-dump.h"
@@ -113080,6 +113361,9 @@ index 0000000..cd95c07
+//#include "lto-streamer.h"
+#endif
+//#include "lto-compress.h"
++#if BUILDING_GCC_VERSION >= 5000
++//#include "lto-section-names.h"
++#endif
+
+//#include "expr.h" where are you...
+extern rtx emit_move_insn(rtx x, rtx y);
@@ -113108,11 +113392,11 @@ index 0000000..cd95c07
+#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
+
+#if BUILDING_GCC_VERSION == 4005
-+#define FOR_EACH_VEC_ELT_REVERSE(T,V,I,P) for (I = VEC_length(T, (V)) - 1;
VEC_iterate(T, (V), (I), (P)); (I)--)
-+#define FOR_EACH_LOCAL_DECL(FUN, I, D) FOR_EACH_VEC_ELT_REVERSE(tree,
(FUN)->local_decls, I, D)
++#define FOR_EACH_LOCAL_DECL(FUN, I, D) for (tree vars = (FUN)->local_decls;
vars && (D = TREE_VALUE(vars)); vars = TREE_CHAIN(vars), I)
+#define DECL_CHAIN(NODE) (TREE_CHAIN(DECL_MINIMAL_CHECK(NODE)))
+#define FOR_EACH_VEC_ELT(T, V, I, P) for (I = 0; VEC_iterate(T, (V), (I),
(P)); ++(I))
+#define TODO_rebuild_cgraph_edges 0
++#define SCOPE_FILE_SCOPE_P(EXP) (!(EXP))
+
+#ifndef O_BINARY
+#define O_BINARY 0
@@ -113256,6 +113540,7 @@ index 0000000..cd95c07
+#define PROP_loops 0
+#define NODE_SYMBOL(node) (node)
+#define NODE_DECL(node) (node)->decl
++#define INSN_LOCATION(INSN) RTL_LOCATION(INSN)
+
+static inline int bb_loop_depth(const_basic_block bb)
+{
@@ -113276,6 +113561,13 @@ index 0000000..cd95c07
+ cgraph_create_edge_including_clones((caller), (callee),
(old_call_stmt), (call_stmt), (count), (freq), (reason))
+#endif
+
++#if BUILDING_GCC_VERSION == 4007 || BUILDING_GCC_VERSION == 4008
++static inline struct cgraph_node *cgraph_alias_target(struct cgraph_node *n)
++{
++ return cgraph_alias_aliased_node(n);
++}
++#endif
++
+#if BUILDING_GCC_VERSION <= 4008
+#define ENTRY_BLOCK_PTR_FOR_FN(FN) ENTRY_BLOCK_PTR_FOR_FUNCTION(FN)
+#define EXIT_BLOCK_PTR_FOR_FN(FN) EXIT_BLOCK_PTR_FOR_FUNCTION(FN)
@@ -113295,6 +113587,11 @@ index 0000000..cd95c07
+}
+
+#define ipa_remove_stmt_references(cnode, stmt)
++typedef union gimple_statement_d gasm;
++typedef union gimple_statement_d gassign;
++typedef union gimple_statement_d gcall;
++typedef union gimple_statement_d gphi;
++typedef union gimple_statement_d greturn;
+#endif
+
+#if BUILDING_GCC_VERSION == 4008
@@ -113312,6 +113609,29 @@ index 0000000..cd95c07
+
+#if BUILDING_GCC_VERSION <= 4009
+#define TODO_verify_il 0
++#define AVAIL_INTERPOSABLE AVAIL_OVERWRITABLE
++#endif
++
++#if BUILDING_GCC_VERSION == 4009
++typedef struct gimple_statement_base gasm;
++typedef struct gimple_statement_base gassign;
++typedef struct gimple_statement_base gcall;
++typedef struct gimple_statement_base gphi;
++typedef struct gimple_statement_base greturn;
++#endif
++
++#if BUILDING_GCC_VERSION <= 4009
++typedef struct rtx_def rtx_insn;
++
++static inline gasm *as_a_gasm(gimple stmt)
++{
++ return stmt;
++}
++
++static inline gcall *as_a_gcall(gimple stmt)
++{
++ return stmt;
++}
+#endif
+
+#if BUILDING_GCC_VERSION >= 4009
@@ -113328,8 +113648,110 @@ index 0000000..cd95c07
+#define TODO_verify_stmts TODO_verify_il
+#define TODO_verify_rtl_sharing TODO_verify_il
+
++#define TREE_INT_CST_HIGH(NODE) ({ TREE_INT_CST_EXT_NUNITS(NODE) > 1 ?
(unsigned HOST_WIDE_INT)TREE_INT_CST_ELT(NODE, 1) : 0; })
++
++#define INSN_DELETED_P(insn) (insn)->deleted()
++
++extern bool is_simple_builtin(tree);
++
++// symtab/cgraph related
+#define debug_cgraph_node(node) (node)->debug()
+#define cgraph_get_node(decl) cgraph_node::get(decl)
++#define cgraph_n_nodes symtab->cgraph_count
++#define cgraph_max_uid symtab->cgraph_max_uid
++
++typedef struct cgraph_node *cgraph_node_ptr;
++typedef struct cgraph_edge *cgraph_edge_p;
++
++static inline void change_decl_assembler_name(tree decl, tree name)
++{
++ symtab->change_decl_assembler_name(decl, name);
++}
++
++static inline void varpool_finalize_decl(tree decl)
++{
++ varpool_node::finalize_decl(decl);
++}
++
++static inline cgraph_node_ptr cgraph_function_node(cgraph_node_ptr node, enum
availability *availability)
++{
++ return node->function_symbol(availability);
++}
++
++static inline cgraph_node_ptr cgraph_function_or_thunk_node(cgraph_node_ptr
node, enum availability *availability = NULL)
++{
++ return node->ultimate_alias_target(availability);
++}
++
++static inline bool cgraph_only_called_directly_p(cgraph_node_ptr node)
++{
++ return node->only_called_directly_p();
++}
++
++static inline enum availability
cgraph_function_body_availability(cgraph_node_ptr node)
++{
++ return node->get_availability();
++}
++
++static inline cgraph_node_ptr cgraph_alias_target(cgraph_node_ptr node)
++{
++ return node->get_alias_target();
++}
++
++static inline struct cgraph_node_hook_list
*cgraph_add_function_insertion_hook(cgraph_node_hook hook, void *data)
++{
++ return symtab->add_cgraph_insertion_hook(hook, data);
++}
++
++static inline void cgraph_remove_function_insertion_hook(struct
cgraph_node_hook_list *entry)
++{
++ symtab->remove_cgraph_insertion_hook(entry);
++}
++
++static inline struct cgraph_node_hook_list
*cgraph_add_node_removal_hook(cgraph_node_hook hook, void *data)
++{
++ return symtab->add_cgraph_removal_hook(hook, data);
++}
++
++static inline void cgraph_remove_node_removal_hook(struct
cgraph_node_hook_list *entry)
++{
++ symtab->remove_cgraph_removal_hook(entry);
++}
++
++static inline struct cgraph_2node_hook_list
*cgraph_add_node_duplication_hook(cgraph_2node_hook hook, void *data)
++{
++ return symtab->add_cgraph_duplication_hook(hook, data);
++}
++
++static inline void cgraph_remove_node_duplication_hook(struct
cgraph_2node_hook_list *entry)
++{
++ symtab->remove_cgraph_duplication_hook(entry);
++}
++
++// gimple related
++static inline gimple gimple_build_assign_with_ops(enum tree_code subcode,
tree lhs, tree op1, tree op2 MEM_STAT_DECL)
++{
++ return gimple_build_assign(lhs, subcode, op1, op2 PASS_MEM_STAT);
++}
++
++static inline gasm *as_a_gasm(gimple stmt)
++{
++ return as_a<gasm *>(stmt);
++}
++
++static inline gcall *as_a_gcall(gimple stmt)
++{
++ return as_a<gcall *>(stmt);
++}
++
++// IPA/LTO related
++#define ipa_ref_list_referring_iterate(L,I,P) (L)->referring.iterate((I),
&(P))
++#define ipa_ref_list_reference_iterate(L,I,P) (L)->reference.iterate((I),
&(P))
++
++static inline cgraph_node_ptr ipa_ref_referring_node(struct ipa_ref *ref)
++{
++ return dyn_cast<cgraph_node_ptr>(ref->referring);
++}
+#endif
+
+#endif
@@ -114066,10 +114488,10 @@ index 0000000..89f256d
+}
diff --git a/tools/gcc/latent_entropy_plugin.c
b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..e48b323
+index 0000000..2a39357
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
-@@ -0,0 +1,466 @@
+@@ -0,0 +1,467 @@
+/*
+ * Copyright 2012-2014 by the PaX Team <pagee...@freemail.hu>
+ * Licensed under the GPL v2
@@ -114095,7 +114517,7 @@ index 0000000..e48b323
+
+int plugin_is_GPL_compatible;
+
-+static tree latent_entropy_decl;
++static GTY(()) tree latent_entropy_decl;
+
+static struct plugin_info latent_entropy_plugin_info = {
+ .version = "201409101820",
@@ -114440,6 +114862,7 @@ index 0000000..e48b323
+ TREE_STATIC(latent_entropy_decl) = 1;
+ TREE_PUBLIC(latent_entropy_decl) = 1;
+ TREE_USED(latent_entropy_decl) = 1;
++ DECL_PRESERVE_P(latent_entropy_decl) = 1;
+ TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
+ DECL_EXTERNAL(latent_entropy_decl) = 1;
+ DECL_ARTIFICIAL(latent_entropy_decl) = 1;
@@ -119546,7 +119969,7 @@ index 0000000..7c9e6d1
+
diff --git a/tools/gcc/size_overflow_plugin/size_overflow.h
b/tools/gcc/size_overflow_plugin/size_overflow.h
new file mode 100644
-index 0000000..e5b4e50
+index 0000000..37f8fc3
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow.h
@@ -0,0 +1,127 @@
@@ -119579,11 +120002,11 @@ index 0000000..e5b4e50
+};
+
+// size_overflow_plugin.c
-+extern tree report_size_overflow_decl;
-+extern tree size_overflow_type_HI;
-+extern tree size_overflow_type_SI;
-+extern tree size_overflow_type_DI;
-+extern tree size_overflow_type_TI;
++extern GTY(()) tree report_size_overflow_decl;
++extern GTY(()) tree size_overflow_type_HI;
++extern GTY(()) tree size_overflow_type_SI;
++extern GTY(()) tree size_overflow_type_DI;
++extern GTY(()) tree size_overflow_type_TI;
+
+
+// size_overflow_plugin_hash.c
@@ -126597,10 +127020,10 @@ index 0000000..0888f6c
+
diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
new file mode 100644
-index 0000000..924652b
+index 0000000..90125d6
--- /dev/null
+++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,396 @@
+/*
+ * Copyright 2011-2014 by the PaX Team <pagee...@freemail.hu>
+ * Licensed under the GPL v2
@@ -126628,7 +127051,8 @@ index 0000000..924652b
+static int track_frame_size = -1;
+static const char track_function[] = "pax_track_stack";
+static const char check_function[] = "pax_check_alloca";
-+static tree track_function_decl, check_function_decl;
++static GTY(()) tree track_function_decl;
++static GTY(()) tree check_function_decl;
+static bool init_locals;
+
+static struct plugin_info stackleak_plugin_info = {
diff --git a/3.19.3/0000_README b/3.19.3/0000_README
index 4d5e072..571c76c 100644
--- a/3.19.3/0000_README
+++ b/3.19.3/0000_README
@@ -6,7 +6,7 @@ Patch: 1002_linux-3.19.3.patch
From: http://www.kernel.org
Desc: Linux 3.19.3
-Patch: 4420_grsecurity-3.1-3.19.3-201503270049.patch
+Patch: 4420_grsecurity-3.1-3.19.3-201504021826.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.19.3/4420_grsecurity-3.1-3.19.3-201503270049.patch
b/3.19.3/4420_grsecurity-3.1-3.19.3-201504021826.patch
similarity index 99%
rename from 3.19.3/4420_grsecurity-3.1-3.19.3-201503270049.patch
rename to 3.19.3/4420_grsecurity-3.1-3.19.3-201504021826.patch
index 237bab8..f16dac3 100644
--- a/3.19.3/4420_grsecurity-3.1-3.19.3-201503270049.patch
+++ b/3.19.3/4420_grsecurity-3.1-3.19.3-201504021826.patch
@@ -313,21 +313,24 @@ index a311db8..415b28c 100644
A typical pattern in a Kbuild file looks like this:
diff --git a/Documentation/kernel-parameters.txt
b/Documentation/kernel-parameters.txt
-index 176d4fe..17ceefa 100644
+index 176d4fe..6eabd3c 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
-@@ -1191,6 +1191,10 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
+@@ -1191,6 +1191,13 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
Format: <unsigned int> such that (rxsize & ~0x1fffc0)
== 0.
Default: 1024
+ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
+ ignore grsecurity's /proc restrictions
+
++ grsec_sysfs_restrict= Format: 0 | 1
++ Default: 1
++ Disables GRKERNSEC_SYSFS_RESTRICT if enabled in config
+
hashdist= [KNL,NUMA] Large hashes allocated during boot
are distributed across NUMA nodes. Defaults on
for 64-bit NUMA, off otherwise.
-@@ -2283,6 +2287,10 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
+@@ -2283,6 +2290,10 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
noexec=on: enable non-executable mappings (default)
noexec=off: disable non-executable mappings
@@ -338,7 +341,7 @@ index 176d4fe..17ceefa 100644
nosmap [X86]
Disable SMAP (Supervisor Mode Access Prevention)
even if it is supported by processor.
-@@ -2584,6 +2592,30 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
+@@ -2584,6 +2595,30 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -4786,6 +4789,26 @@ index ce6d763..cfea917 100644
extern void *samsung_dmadev_get_ops(void);
extern void *s3c_dma_get_ops(void);
+diff --git a/arch/arm64/include/asm/atomic.h b/arch/arm64/include/asm/atomic.h
+index 7047051..44e8675 100644
+--- a/arch/arm64/include/asm/atomic.h
++++ b/arch/arm64/include/asm/atomic.h
+@@ -252,5 +252,15 @@ static inline int atomic64_add_unless(atomic64_t *v, long
a, long u)
+ #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
+ #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
+
++#define atomic64_read_unchecked(v) atomic64_read(v)
++#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
++#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
++#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
++#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
++#define atomic64_inc_unchecked(v) atomic64_inc(v)
++#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
++#define atomic64_dec_unchecked(v) atomic64_dec(v)
++#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
++
+ #endif
+ #endif
diff --git a/arch/arm64/include/asm/barrier.h
b/arch/arm64/include/asm/barrier.h
index a5abb00..9cbca9a 100644
--- a/arch/arm64/include/asm/barrier.h
@@ -4824,6 +4847,22 @@ index 09da25b..3ea0d64 100644
break;
default:
BUILD_BUG();
+diff --git a/arch/arm64/include/asm/pgalloc.h
b/arch/arm64/include/asm/pgalloc.h
+index e20df38..027ede3 100644
+--- a/arch/arm64/include/asm/pgalloc.h
++++ b/arch/arm64/include/asm/pgalloc.h
+@@ -46,6 +46,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t
*pud, pmd_t *pmd)
+ set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE));
+ }
+
++static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud,
pmd_t *pmd)
++{
++ pud_populate(mm, pud, pmd);
++}
++
+ #endif /* CONFIG_ARM64_PGTABLE_LEVELS > 2 */
+
+ #if CONFIG_ARM64_PGTABLE_LEVELS > 3
diff --git a/arch/arm64/include/asm/uaccess.h
b/arch/arm64/include/asm/uaccess.h
index 3bf8f4e..5dd5491 100644
--- a/arch/arm64/include/asm/uaccess.h
@@ -4836,6 +4875,19 @@ index 3bf8f4e..5dd5491 100644
#define access_ok(type, addr, size) __range_ok(addr, size)
#define user_addr_max get_fs
+diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c
+index df34a70..5727a75 100644
+--- a/arch/arm64/mm/dma-mapping.c
++++ b/arch/arm64/mm/dma-mapping.c
+@@ -137,7 +137,7 @@ static void __dma_free_coherent(struct device *dev, size_t
size,
+ phys_to_page(paddr),
+ size >> PAGE_SHIFT);
+ if (!freed)
+- swiotlb_free_coherent(dev, size, vaddr, dma_handle);
++ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs);
+ }
+
+ static void *__dma_alloc_noncoherent(struct device *dev, size_t size,
diff --git a/arch/avr32/include/asm/cache.h b/arch/avr32/include/asm/cache.h
index c3a58a1..78fbf54 100644
--- a/arch/avr32/include/asm/cache.h
@@ -10419,10 +10471,18 @@ index bd56c28..4b63d83 100644
#include <asm/uaccess_64.h>
#else
diff --git a/arch/sparc/include/asm/uaccess_32.h
b/arch/sparc/include/asm/uaccess_32.h
-index 9634d08..f55fe4f 100644
+index 9634d08..020b2dc 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
-@@ -250,27 +250,46 @@ unsigned long __copy_user(void __user *to, const void
__user *from, unsigned lon
+@@ -47,6 +47,7 @@
+ #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
+ #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
+ #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr),
(size))
+ #define access_ok(type, addr, size) \
+ ({ (void)(type); __access_ok((unsigned long)(addr), size); })
+
+@@ -250,27 +251,46 @@ unsigned long __copy_user(void __user *to, const void
__user *from, unsigned lon
static inline unsigned long copy_to_user(void __user *to, const void *from,
unsigned long n)
{
@@ -10474,7 +10534,7 @@ index 9634d08..f55fe4f 100644
}
diff --git a/arch/sparc/include/asm/uaccess_64.h
b/arch/sparc/include/asm/uaccess_64.h
-index c990a5e..f17b9c1 100644
+index c990a5e..7384856 100644
--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -10,6 +10,7 @@
@@ -10485,7 +10545,19 @@ index c990a5e..f17b9c1 100644
#include <asm/asi.h>
#include <asm/spitfire.h>
#include <asm-generic/uaccess-unaligned.h>
-@@ -214,8 +215,15 @@ unsigned long copy_from_user_fixup(void *to, const void
__user *from,
+@@ -54,6 +55,11 @@ static inline int __access_ok(const void __user * addr,
unsigned long size)
+ return 1;
+ }
+
++static inline int access_ok_noprefault(int type, const void __user * addr,
unsigned long size)
++{
++ return 1;
++}
++
+ static inline int access_ok(int type, const void __user * addr, unsigned long
size)
+ {
+ return 1;
+@@ -214,8 +220,15 @@ unsigned long copy_from_user_fixup(void *to, const void
__user *from,
static inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long size)
{
@@ -10502,7 +10574,7 @@ index c990a5e..f17b9c1 100644
if (unlikely(ret))
ret = copy_from_user_fixup(to, from, size);
-@@ -231,8 +239,15 @@ unsigned long copy_to_user_fixup(void __user *to, const
void *from,
+@@ -231,8 +244,15 @@ unsigned long copy_to_user_fixup(void __user *to, const
void *from,
static inline unsigned long __must_check
copy_to_user(void __user *to, const void *from, unsigned long size)
{
@@ -21132,7 +21204,7 @@ index 15c5df9..d9a604a 100644
if (c->x86_model == 3 && c->x86_mask == 0)
size = 64;
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index c604965..0b0e28a 100644
+index c604965..1558f4a 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -90,60 +90,6 @@ static const struct cpu_dev default_cpu = {
@@ -21265,10 +21337,20 @@ index c604965..0b0e28a 100644
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
/* Reload the per-cpu base */
-@@ -895,6 +894,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
+@@ -895,6 +894,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
setup_smep(c);
setup_smap(c);
++#ifdef CONFIG_X86_32
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(__supported_pte_mask & _PAGE_NX))
++ clear_cpu_cap(c, X86_FEATURE_PSE);
++#endif
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) ||
defined(CONFIG_PAX_MEMORY_UDEREF)
++ clear_cpu_cap(c, X86_FEATURE_SEP);
++#endif
++#endif
++
+#ifdef CONFIG_X86_64
+ setup_pcid(c);
+#endif
@@ -21276,18 +21358,7 @@ index c604965..0b0e28a 100644
/*
* The vendor-specific functions might have changed features.
* Now we do "generic changes."
-@@ -903,6 +906,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
- /* Filter out anything that depends on CPUID levels we don't have */
- filter_cpuid_features(c, true);
-
-+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_SEGMEXEC) ||
defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
-+ setup_clear_cpu_cap(X86_FEATURE_SEP);
-+#endif
-+
- /* If the model name is still unset, do table lookup. */
- if (!c->x86_model_id[0]) {
- const char *p;
-@@ -977,7 +984,7 @@ static void syscall32_cpu_init(void)
+@@ -977,7 +990,7 @@ static void syscall32_cpu_init(void)
void enable_sep_cpu(void)
{
int cpu = get_cpu();
@@ -21296,7 +21367,7 @@ index c604965..0b0e28a 100644
if (!boot_cpu_has(X86_FEATURE_SEP)) {
put_cpu();
-@@ -1115,14 +1122,16 @@ static __init int setup_disablecpuid(char *arg)
+@@ -1115,14 +1128,16 @@ static __init int setup_disablecpuid(char *arg)
}
__setup("clearcpuid=", setup_disablecpuid);
@@ -21317,7 +21388,7 @@ index c604965..0b0e28a 100644
DEFINE_PER_CPU_FIRST(union irq_stack_union,
irq_stack_union) __aligned(PAGE_SIZE) __visible;
-@@ -1299,7 +1308,7 @@ void cpu_init(void)
+@@ -1299,7 +1314,7 @@ void cpu_init(void)
*/
load_ucode_ap();
@@ -21326,7 +21397,7 @@ index c604965..0b0e28a 100644
oist = &per_cpu(orig_ist, cpu);
#ifdef CONFIG_NUMA
-@@ -1331,7 +1340,6 @@ void cpu_init(void)
+@@ -1331,7 +1346,6 @@ void cpu_init(void)
wrmsrl(MSR_KERNEL_GS_BASE, 0);
barrier();
@@ -21334,7 +21405,7 @@ index c604965..0b0e28a 100644
enable_x2apic();
/*
-@@ -1383,7 +1391,7 @@ void cpu_init(void)
+@@ -1383,7 +1397,7 @@ void cpu_init(void)
{
int cpu = smp_processor_id();
struct task_struct *curr = current;
@@ -30126,7 +30197,7 @@ index 1318f75..44c30fd 100644
}
EXPORT_SYMBOL(csum_partial_copy_to_user);
diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
-index a451235..1daa956 100644
+index a451235..a74bfa3 100644
--- a/arch/x86/lib/getuser.S
+++ b/arch/x86/lib/getuser.S
@@ -33,17 +33,40 @@
@@ -30151,8 +30222,6 @@ index a451235..1daa956 100644
GET_THREAD_INFO(%_ASM_DX)
cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
- ASM_STAC
--1: movzbl (%_ASM_AX),%edx
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_DX
@@ -30164,6 +30233,8 @@ index a451235..1daa956 100644
+
+#endif
+
+ ASM_STAC
+-1: movzbl (%_ASM_AX),%edx
+1: __copyuser_seg movzbl (%_ASM_AX),%edx
xor %eax,%eax
ASM_CLAC
@@ -30181,8 +30252,6 @@ index a451235..1daa956 100644
GET_THREAD_INFO(%_ASM_DX)
cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
- ASM_STAC
--2: movzwl -1(%_ASM_AX),%edx
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_DX
@@ -30194,6 +30263,8 @@ index a451235..1daa956 100644
+
+#endif
+
+ ASM_STAC
+-2: movzwl -1(%_ASM_AX),%edx
+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
xor %eax,%eax
ASM_CLAC
@@ -30211,8 +30282,6 @@ index a451235..1daa956 100644
GET_THREAD_INFO(%_ASM_DX)
cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
- ASM_STAC
--3: movl -3(%_ASM_AX),%edx
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_DX
@@ -30224,6 +30293,8 @@ index a451235..1daa956 100644
+
+#endif
+
+ ASM_STAC
+-3: movl -3(%_ASM_AX),%edx
+3: __copyuser_seg movl -3(%_ASM_AX),%edx
xor %eax,%eax
ASM_CLAC
@@ -30804,7 +30875,7 @@ index f6d13ee..d789440 100644
3:
CFI_RESTORE_STATE
diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S
-index fc6ba17..d4d989d 100644
+index fc6ba17..14ad9a5 100644
--- a/arch/x86/lib/putuser.S
+++ b/arch/x86/lib/putuser.S
@@ -16,7 +16,9 @@
@@ -30852,8 +30923,6 @@ index fc6ba17..d4d989d 100644
+ GET_THREAD_INFO(%_ASM_BX)
cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
jae bad_put_user
- ASM_STAC
--1: movb %al,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -30865,6 +30934,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-1: movb %al,(%_ASM_CX)
+1: __copyuser_seg movb %al,(_DEST)
xor %eax,%eax
EXIT
@@ -30879,8 +30950,6 @@ index fc6ba17..d4d989d 100644
sub $1,%_ASM_BX
cmp %_ASM_BX,%_ASM_CX
jae bad_put_user
- ASM_STAC
--2: movw %ax,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -30892,6 +30961,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-2: movw %ax,(%_ASM_CX)
+2: __copyuser_seg movw %ax,(_DEST)
xor %eax,%eax
EXIT
@@ -30906,8 +30977,6 @@ index fc6ba17..d4d989d 100644
sub $3,%_ASM_BX
cmp %_ASM_BX,%_ASM_CX
jae bad_put_user
- ASM_STAC
--3: movl %eax,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -30919,6 +30988,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-3: movl %eax,(%_ASM_CX)
+3: __copyuser_seg movl %eax,(_DEST)
xor %eax,%eax
EXIT
@@ -30933,8 +31004,6 @@ index fc6ba17..d4d989d 100644
sub $7,%_ASM_BX
cmp %_ASM_BX,%_ASM_CX
jae bad_put_user
- ASM_STAC
--4: mov %_ASM_AX,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -30946,6 +31015,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-4: mov %_ASM_AX,(%_ASM_CX)
+4: __copyuser_seg mov %_ASM_AX,(_DEST)
#ifdef CONFIG_X86_32
-5: movl %edx,4(%_ASM_CX)
@@ -42552,6 +42623,20 @@ index aec7a6a..8c014b5 100644
if (!can_do_mlock())
return ERR_PTR(-EPERM);
+diff --git a/drivers/infiniband/core/uverbs_cmd.c
b/drivers/infiniband/core/uverbs_cmd.c
+index 6c52e72..6303e3f 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -945,6 +945,9 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
+ if (copy_from_user(&cmd, buf, sizeof cmd))
+ return -EFAULT;
+
++ if (!access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length))
++ return -EFAULT;
++
+ INIT_UDATA(&udata, buf + sizeof cmd,
+ (unsigned long) cmd.response + sizeof resp,
+ in_len - sizeof cmd, out_len - sizeof resp);
diff --git a/drivers/infiniband/hw/cxgb4/mem.c
b/drivers/infiniband/hw/cxgb4/mem.c
index cb43c22..2e12dd7 100644
--- a/drivers/infiniband/hw/cxgb4/mem.c
@@ -60463,21 +60548,32 @@ index e368d4f..b40ba59 100644
dcache_init();
inode_init();
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 6f0ce53..780f4f8 100644
+index 6f0ce53..92bba36 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
-@@ -425,7 +425,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+@@ -423,10 +423,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+ * If debugfs is not enabled in the kernel, the value -%ENODEV will be
+ * returned.
*/
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++extern int grsec_enable_sysfs_restrict;
++#endif
++
struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
{
+- return __create_file(name, S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
+- parent, NULL, NULL);
++ umode_t mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++
+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
-+ return __create_file(name, S_IFDIR | S_IRWXU,
-+#else
- return __create_file(name, S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
++ if (grsec_enable_sysfs_restrict)
++ mode = S_IFDIR | S_IRWXU;
+#endif
- parent, NULL, NULL);
++
++ return __create_file(name, mode, parent, NULL, NULL);
}
EXPORT_SYMBOL_GPL(debugfs_create_dir);
+
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index 1686dc2..9611c50 100644
--- a/fs/ecryptfs/inode.c
@@ -67570,10 +67666,21 @@ index ae0c3ce..9ee641c 100644
generic_fillattr(inode, stat);
return 0;
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
-index 0b45ff4..847de5b 100644
+index 0b45ff4..edf9d3a 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
-@@ -41,9 +41,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char
*name)
+@@ -33,6 +33,10 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char
*name)
+ kfree(buf);
+ }
+
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++extern int grsec_enable_sysfs_restrict;
++#endif
++
+ /**
+ * sysfs_create_dir_ns - create a directory for an object with a namespace tag
+ * @kobj: object we're creating directory for
+@@ -41,9 +45,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char
*name)
int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
{
struct kernfs_node *parent, *kn;
@@ -67590,7 +67697,7 @@ index 0b45ff4..847de5b 100644
if (kobj->parent)
parent = kobj->parent->sd;
else
-@@ -52,11 +59,22 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void
*ns)
+@@ -52,11 +63,24 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void
*ns)
if (!parent)
return -ENOENT;
@@ -67605,6 +67712,8 @@ index 0b45ff4..847de5b 100644
+ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") ||
!strcmp(name, "fuse") || !strcmp(name, "ecryptfs"))) ||
+ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
+ mode = S_IRWXU | S_IRUGO | S_IXUGO;
++ if (!grsec_enable_sysfs_restrict)
++ mode = S_IRWXU | S_IRUGO | S_IXUGO;
+#endif
+
+ kn = kernfs_create_dir_ns(parent, name,
@@ -87595,7 +87704,7 @@ index ad1bd77..dca2c1b 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index 61b99376..85893612d 100644
+index 61b99376..1e346cb 100644
--- a/init/main.c
+++ b/init/main.c
@@ -100,6 +100,8 @@ extern void radix_tree_init(void);
@@ -87607,7 +87716,7 @@ index 61b99376..85893612d 100644
/*
* Debug helper: via this flag we know that we are in 'early bootup code'
* where only the boot processor is running with IRQ disabled. This means
-@@ -161,6 +163,75 @@ static int __init set_reset_devices(char *str)
+@@ -161,6 +163,85 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
@@ -87620,6 +87729,16 @@ index 61b99376..85893612d 100644
+}
+__setup("grsec_proc_gid=", setup_grsec_proc_gid);
+#endif
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++int grsec_enable_sysfs_restrict = 1;
++static int __init setup_grsec_sysfs_restrict(char *str)
++{
++ if (!simple_strtol(str, NULL, 0))
++ grsec_enable_sysfs_restrict = 0;
++ return 1;
++}
++__setup("grsec_sysfs_restrict", setup_grsec_sysfs_restrict);
++#endif
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+unsigned long pax_user_shadow_base __read_only;
@@ -87683,7 +87802,7 @@ index 61b99376..85893612d 100644
static const char *argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char *envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -735,7 +806,7 @@ static bool __init_or_module
initcall_blacklisted(initcall_t fn)
+@@ -735,7 +816,7 @@ static bool __init_or_module
initcall_blacklisted(initcall_t fn)
struct blacklist_entry *entry;
char *fn_name;
@@ -87692,7 +87811,7 @@ index 61b99376..85893612d 100644
if (!fn_name)
return false;
-@@ -787,7 +858,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -787,7 +868,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -87701,7 +87820,7 @@ index 61b99376..85893612d 100644
if (initcall_blacklisted(fn))
return -EPERM;
-@@ -797,18 +868,17 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -797,18 +878,17 @@ int __init_or_module do_one_initcall(initcall_t fn)
else
ret = fn();
@@ -87724,7 +87843,7 @@ index 61b99376..85893612d 100644
return ret;
}
-@@ -914,8 +984,8 @@ static int run_init_process(const char *init_filename)
+@@ -914,8 +994,8 @@ static int run_init_process(const char *init_filename)
{
argv_init[0] = init_filename;
return do_execve(getname_kernel(init_filename),
@@ -87735,7 +87854,7 @@ index 61b99376..85893612d 100644
}
static int try_to_run_init_process(const char *init_filename)
-@@ -932,6 +1002,10 @@ static int try_to_run_init_process(const char
*init_filename)
+@@ -932,6 +1012,10 @@ static int try_to_run_init_process(const char
*init_filename)
return ret;
}
@@ -87746,7 +87865,7 @@ index 61b99376..85893612d 100644
static noinline void __init kernel_init_freeable(void);
static int __ref kernel_init(void *unused)
-@@ -956,6 +1030,11 @@ static int __ref kernel_init(void *unused)
+@@ -956,6 +1040,11 @@ static int __ref kernel_init(void *unused)
ramdisk_execute_command, ret);
}
@@ -87758,7 +87877,7 @@ index 61b99376..85893612d 100644
/*
* We try each of these until one succeeds.
*
-@@ -1016,7 +1095,7 @@ static noinline void __init kernel_init_freeable(void)
+@@ -1016,7 +1105,7 @@ static noinline void __init kernel_init_freeable(void)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -87767,7 +87886,7 @@ index 61b99376..85893612d 100644
pr_err("Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -1029,11 +1108,13 @@ static noinline void __init kernel_init_freeable(void)
+@@ -1029,11 +1118,13 @@ static noinline void __init kernel_init_freeable(void)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -93844,7 +93963,7 @@ index af5bffd..57664b8 100644
/* make curr_ret_stack visible before we add the ret_stack */
smp_wmb();
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
-index d2e151c..b68c835 100644
+index d2e151c..1498973 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -350,9 +350,9 @@ struct buffer_data_page {
@@ -93859,17 +93978,22 @@ index d2e151c..b68c835 100644
unsigned long real_end; /* real end of data */
struct buffer_data_page *page; /* Actual data page */
};
-@@ -473,8 +473,8 @@ struct ring_buffer_per_cpu {
+@@ -473,11 +473,11 @@ struct ring_buffer_per_cpu {
unsigned long last_overrun;
local_t entries_bytes;
local_t entries;
- local_t overrun;
- local_t commit_overrun;
+- local_t dropped_events;
+ local_unchecked_t overrun;
+ local_unchecked_t commit_overrun;
- local_t dropped_events;
++ local_unchecked_t dropped_events;
local_t committing;
- local_t commits;
+- local_t commits;
++ local_unchecked_t commits;
+ unsigned long read;
+ unsigned long read_bytes;
+ u64 write_stamp;
@@ -1047,8 +1047,8 @@ static int rb_tail_page_update(struct
ring_buffer_per_cpu *cpu_buffer,
*
* We add a counter to the write field to denote this.
@@ -93961,6 +94085,15 @@ index d2e151c..b68c835 100644
goto out_reset;
}
+@@ -2360,7 +2360,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
+ * this is easy, just stop here.
+ */
+ if (!(buffer->flags & RB_FL_OVERWRITE)) {
+- local_inc(&cpu_buffer->dropped_events);
++
local_inc_unchecked(&cpu_buffer->dropped_events);
+ goto out_reset;
+ }
+
@@ -2386,7 +2386,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
cpu_buffer->tail_page) &&
(cpu_buffer->commit_page ==
@@ -94006,6 +94139,42 @@ index d2e151c..b68c835 100644
if (index == old_index) {
/* update counters */
local_sub(event_length, &cpu_buffer->entries_bytes);
+@@ -2516,7 +2516,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
+ static void rb_start_commit(struct ring_buffer_per_cpu *cpu_buffer)
+ {
+ local_inc(&cpu_buffer->committing);
+- local_inc(&cpu_buffer->commits);
++ local_inc_unchecked(&cpu_buffer->commits);
+ }
+
+ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -2528,7 +2528,7 @@ static inline void rb_end_commit(struct
ring_buffer_per_cpu *cpu_buffer)
+ return;
+
+ again:
+- commits = local_read(&cpu_buffer->commits);
++ commits = local_read_unchecked(&cpu_buffer->commits);
+ /* synchronize with interrupts */
+ barrier();
+ if (local_read(&cpu_buffer->committing) == 1)
+@@ -2544,7 +2544,7 @@ static inline void rb_end_commit(struct
ring_buffer_per_cpu *cpu_buffer)
+ * updating of the commit page and the clearing of the
+ * committing counter.
+ */
+- if (unlikely(local_read(&cpu_buffer->commits) != commits) &&
++ if (unlikely(local_read_unchecked(&cpu_buffer->commits) != commits) &&
+ !local_read(&cpu_buffer->committing)) {
+ local_inc(&cpu_buffer->committing);
+ goto again;
+@@ -2574,7 +2574,7 @@ rb_reserve_next_event(struct ring_buffer *buffer,
+ barrier();
+ if (unlikely(ACCESS_ONCE(cpu_buffer->buffer) != buffer)) {
+ local_dec(&cpu_buffer->committing);
+- local_dec(&cpu_buffer->commits);
++ local_dec_unchecked(&cpu_buffer->commits);
+ return NULL;
+ }
+ #endif
@@ -2904,7 +2904,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu
*cpu_buffer,
/* Do the likely case first */
@@ -94051,6 +94220,15 @@ index d2e151c..b68c835 100644
return ret;
}
+@@ -3334,7 +3334,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer
*buffer, int cpu)
+ return 0;
+
+ cpu_buffer = buffer->buffers[cpu];
+- ret = local_read(&cpu_buffer->dropped_events);
++ ret = local_read_unchecked(&cpu_buffer->dropped_events);
+
+ return ret;
+ }
@@ -3397,7 +3397,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer
*buffer)
/* if you care about this being correct, lock the buffer */
for_each_buffer_cpu(buffer, cpu) {
@@ -94091,7 +94269,7 @@ index d2e151c..b68c835 100644
local_set(&cpu_buffer->head_page->page->commit, 0);
cpu_buffer->head_page->read = 0;
-@@ -4186,14 +4186,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4186,18 +4186,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
INIT_LIST_HEAD(&cpu_buffer->new_pages);
@@ -94105,11 +94283,17 @@ index d2e151c..b68c835 100644
local_set(&cpu_buffer->entries_bytes, 0);
- local_set(&cpu_buffer->overrun, 0);
- local_set(&cpu_buffer->commit_overrun, 0);
+- local_set(&cpu_buffer->dropped_events, 0);
+ local_set_unchecked(&cpu_buffer->overrun, 0);
+ local_set_unchecked(&cpu_buffer->commit_overrun, 0);
- local_set(&cpu_buffer->dropped_events, 0);
++ local_set_unchecked(&cpu_buffer->dropped_events, 0);
local_set(&cpu_buffer->entries, 0);
local_set(&cpu_buffer->committing, 0);
+- local_set(&cpu_buffer->commits, 0);
++ local_set_unchecked(&cpu_buffer->commits, 0);
+ cpu_buffer->read = 0;
+ cpu_buffer->read_bytes = 0;
+
@@ -4598,8 +4598,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
rb_init_page(bpage);
bpage = reader->page;
@@ -94995,6 +95179,22 @@ index d2233de..fa1a2f6 100644
retval = 1;
}
spin_unlock(&lockref->lock);
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 9c3e85f..0affd1b 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -279,7 +279,11 @@ int nla_memcpy(void *dest, const struct nlattr *src, int
count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
++ if (count > minlen)
++ memset(dest + minlen, 0, count - minlen);
+
+ return minlen;
+ }
diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
index 6111bcb..02e816b 100644
--- a/lib/percpu-refcount.c
@@ -110930,10 +111130,10 @@ index 0000000..3b5af59
+}
diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h
new file mode 100644
-index 0000000..cd95c07
+index 0000000..14ec226
--- /dev/null
+++ b/tools/gcc/gcc-common.h
-@@ -0,0 +1,375 @@
+@@ -0,0 +1,520 @@
+#ifndef GCC_COMMON_H_INCLUDED
+#define GCC_COMMON_H_INCLUDED
+
@@ -111014,6 +111214,10 @@ index 0000000..cd95c07
+#include "tree-cfgcleanup.h"
+#endif
+
++#if BUILDING_GCC_VERSION >= 4008
++#include "is-a.h"
++#endif
++
+#include "diagnostic.h"
+//#include "tree-diagnostic.h"
+#include "tree-dump.h"
@@ -111056,6 +111260,9 @@ index 0000000..cd95c07
+//#include "lto-streamer.h"
+#endif
+//#include "lto-compress.h"
++#if BUILDING_GCC_VERSION >= 5000
++//#include "lto-section-names.h"
++#endif
+
+//#include "expr.h" where are you...
+extern rtx emit_move_insn(rtx x, rtx y);
@@ -111084,11 +111291,11 @@ index 0000000..cd95c07
+#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
+
+#if BUILDING_GCC_VERSION == 4005
-+#define FOR_EACH_VEC_ELT_REVERSE(T,V,I,P) for (I = VEC_length(T, (V)) - 1;
VEC_iterate(T, (V), (I), (P)); (I)--)
-+#define FOR_EACH_LOCAL_DECL(FUN, I, D) FOR_EACH_VEC_ELT_REVERSE(tree,
(FUN)->local_decls, I, D)
++#define FOR_EACH_LOCAL_DECL(FUN, I, D) for (tree vars = (FUN)->local_decls;
vars && (D = TREE_VALUE(vars)); vars = TREE_CHAIN(vars), I)
+#define DECL_CHAIN(NODE) (TREE_CHAIN(DECL_MINIMAL_CHECK(NODE)))
+#define FOR_EACH_VEC_ELT(T, V, I, P) for (I = 0; VEC_iterate(T, (V), (I),
(P)); ++(I))
+#define TODO_rebuild_cgraph_edges 0
++#define SCOPE_FILE_SCOPE_P(EXP) (!(EXP))
+
+#ifndef O_BINARY
+#define O_BINARY 0
@@ -111232,6 +111439,7 @@ index 0000000..cd95c07
+#define PROP_loops 0
+#define NODE_SYMBOL(node) (node)
+#define NODE_DECL(node) (node)->decl
++#define INSN_LOCATION(INSN) RTL_LOCATION(INSN)
+
+static inline int bb_loop_depth(const_basic_block bb)
+{
@@ -111252,6 +111460,13 @@ index 0000000..cd95c07
+ cgraph_create_edge_including_clones((caller), (callee),
(old_call_stmt), (call_stmt), (count), (freq), (reason))
+#endif
+
++#if BUILDING_GCC_VERSION == 4007 || BUILDING_GCC_VERSION == 4008
++static inline struct cgraph_node *cgraph_alias_target(struct cgraph_node *n)
++{
++ return cgraph_alias_aliased_node(n);
++}
++#endif
++
+#if BUILDING_GCC_VERSION <= 4008
+#define ENTRY_BLOCK_PTR_FOR_FN(FN) ENTRY_BLOCK_PTR_FOR_FUNCTION(FN)
+#define EXIT_BLOCK_PTR_FOR_FN(FN) EXIT_BLOCK_PTR_FOR_FUNCTION(FN)
@@ -111271,6 +111486,11 @@ index 0000000..cd95c07
+}
+
+#define ipa_remove_stmt_references(cnode, stmt)
++typedef union gimple_statement_d gasm;
++typedef union gimple_statement_d gassign;
++typedef union gimple_statement_d gcall;
++typedef union gimple_statement_d gphi;
++typedef union gimple_statement_d greturn;
+#endif
+
+#if BUILDING_GCC_VERSION == 4008
@@ -111288,6 +111508,29 @@ index 0000000..cd95c07
+
+#if BUILDING_GCC_VERSION <= 4009
+#define TODO_verify_il 0
++#define AVAIL_INTERPOSABLE AVAIL_OVERWRITABLE
++#endif
++
++#if BUILDING_GCC_VERSION == 4009
++typedef struct gimple_statement_base gasm;
++typedef struct gimple_statement_base gassign;
++typedef struct gimple_statement_base gcall;
++typedef struct gimple_statement_base gphi;
++typedef struct gimple_statement_base greturn;
++#endif
++
++#if BUILDING_GCC_VERSION <= 4009
++typedef struct rtx_def rtx_insn;
++
++static inline gasm *as_a_gasm(gimple stmt)
++{
++ return stmt;
++}
++
++static inline gcall *as_a_gcall(gimple stmt)
++{
++ return stmt;
++}
+#endif
+
+#if BUILDING_GCC_VERSION >= 4009
@@ -111304,8 +111547,110 @@ index 0000000..cd95c07
+#define TODO_verify_stmts TODO_verify_il
+#define TODO_verify_rtl_sharing TODO_verify_il
+
++#define TREE_INT_CST_HIGH(NODE) ({ TREE_INT_CST_EXT_NUNITS(NODE) > 1 ?
(unsigned HOST_WIDE_INT)TREE_INT_CST_ELT(NODE, 1) : 0; })
++
++#define INSN_DELETED_P(insn) (insn)->deleted()
++
++extern bool is_simple_builtin(tree);
++
++// symtab/cgraph related
+#define debug_cgraph_node(node) (node)->debug()
+#define cgraph_get_node(decl) cgraph_node::get(decl)
++#define cgraph_n_nodes symtab->cgraph_count
++#define cgraph_max_uid symtab->cgraph_max_uid
++
++typedef struct cgraph_node *cgraph_node_ptr;
++typedef struct cgraph_edge *cgraph_edge_p;
++
++static inline void change_decl_assembler_name(tree decl, tree name)
++{
++ symtab->change_decl_assembler_name(decl, name);
++}
++
++static inline void varpool_finalize_decl(tree decl)
++{
++ varpool_node::finalize_decl(decl);
++}
++
++static inline cgraph_node_ptr cgraph_function_node(cgraph_node_ptr node, enum
availability *availability)
++{
++ return node->function_symbol(availability);
++}
++
++static inline cgraph_node_ptr cgraph_function_or_thunk_node(cgraph_node_ptr
node, enum availability *availability = NULL)
++{
++ return node->ultimate_alias_target(availability);
++}
++
++static inline bool cgraph_only_called_directly_p(cgraph_node_ptr node)
++{
++ return node->only_called_directly_p();
++}
++
++static inline enum availability
cgraph_function_body_availability(cgraph_node_ptr node)
++{
++ return node->get_availability();
++}
++
++static inline cgraph_node_ptr cgraph_alias_target(cgraph_node_ptr node)
++{
++ return node->get_alias_target();
++}
++
++static inline struct cgraph_node_hook_list
*cgraph_add_function_insertion_hook(cgraph_node_hook hook, void *data)
++{
++ return symtab->add_cgraph_insertion_hook(hook, data);
++}
++
++static inline void cgraph_remove_function_insertion_hook(struct
cgraph_node_hook_list *entry)
++{
++ symtab->remove_cgraph_insertion_hook(entry);
++}
++
++static inline struct cgraph_node_hook_list
*cgraph_add_node_removal_hook(cgraph_node_hook hook, void *data)
++{
++ return symtab->add_cgraph_removal_hook(hook, data);
++}
++
++static inline void cgraph_remove_node_removal_hook(struct
cgraph_node_hook_list *entry)
++{
++ symtab->remove_cgraph_removal_hook(entry);
++}
++
++static inline struct cgraph_2node_hook_list
*cgraph_add_node_duplication_hook(cgraph_2node_hook hook, void *data)
++{
++ return symtab->add_cgraph_duplication_hook(hook, data);
++}
++
++static inline void cgraph_remove_node_duplication_hook(struct
cgraph_2node_hook_list *entry)
++{
++ symtab->remove_cgraph_duplication_hook(entry);
++}
++
++// gimple related
++static inline gimple gimple_build_assign_with_ops(enum tree_code subcode,
tree lhs, tree op1, tree op2 MEM_STAT_DECL)
++{
++ return gimple_build_assign(lhs, subcode, op1, op2 PASS_MEM_STAT);
++}
++
++static inline gasm *as_a_gasm(gimple stmt)
++{
++ return as_a<gasm *>(stmt);
++}
++
++static inline gcall *as_a_gcall(gimple stmt)
++{
++ return as_a<gcall *>(stmt);
++}
++
++// IPA/LTO related
++#define ipa_ref_list_referring_iterate(L,I,P) (L)->referring.iterate((I),
&(P))
++#define ipa_ref_list_reference_iterate(L,I,P) (L)->reference.iterate((I),
&(P))
++
++static inline cgraph_node_ptr ipa_ref_referring_node(struct ipa_ref *ref)
++{
++ return dyn_cast<cgraph_node_ptr>(ref->referring);
++}
+#endif
+
+#endif
@@ -112042,10 +112387,10 @@ index 0000000..89f256d
+}
diff --git a/tools/gcc/latent_entropy_plugin.c
b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..e48b323
+index 0000000..2a39357
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
-@@ -0,0 +1,466 @@
+@@ -0,0 +1,467 @@
+/*
+ * Copyright 2012-2014 by the PaX Team <pagee...@freemail.hu>
+ * Licensed under the GPL v2
@@ -112071,7 +112416,7 @@ index 0000000..e48b323
+
+int plugin_is_GPL_compatible;
+
-+static tree latent_entropy_decl;
++static GTY(()) tree latent_entropy_decl;
+
+static struct plugin_info latent_entropy_plugin_info = {
+ .version = "201409101820",
@@ -112416,6 +112761,7 @@ index 0000000..e48b323
+ TREE_STATIC(latent_entropy_decl) = 1;
+ TREE_PUBLIC(latent_entropy_decl) = 1;
+ TREE_USED(latent_entropy_decl) = 1;
++ DECL_PRESERVE_P(latent_entropy_decl) = 1;
+ TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
+ DECL_EXTERNAL(latent_entropy_decl) = 1;
+ DECL_ARTIFICIAL(latent_entropy_decl) = 1;
@@ -115520,7 +115866,7 @@ index 0000000..c955c6b
+
diff --git a/tools/gcc/size_overflow_plugin/size_overflow.h
b/tools/gcc/size_overflow_plugin/size_overflow.h
new file mode 100644
-index 0000000..ee99659
+index 0000000..516289f
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow.h
@@ -0,0 +1,226 @@
@@ -115614,11 +115960,11 @@ index 0000000..ee99659
+};
+
+// size_overflow_plugin.c
-+extern tree report_size_overflow_decl;
-+extern tree size_overflow_type_HI;
-+extern tree size_overflow_type_SI;
-+extern tree size_overflow_type_DI;
-+extern tree size_overflow_type_TI;
++extern GTY(()) tree report_size_overflow_decl;
++extern GTY(()) tree size_overflow_type_HI;
++extern GTY(()) tree size_overflow_type_SI;
++extern GTY(()) tree size_overflow_type_DI;
++extern GTY(()) tree size_overflow_type_TI;
+
+
+// size_overflow_plugin_hash.c
@@ -146639,10 +146985,10 @@ index 0000000..fd4aa92
+}
diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
new file mode 100644
-index 0000000..924652b
+index 0000000..90125d6
--- /dev/null
+++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,396 @@
+/*
+ * Copyright 2011-2014 by the PaX Team <pagee...@freemail.hu>
+ * Licensed under the GPL v2
@@ -146670,7 +147016,8 @@ index 0000000..924652b
+static int track_frame_size = -1;
+static const char track_function[] = "pax_track_stack";
+static const char check_function[] = "pax_check_alloca";
-+static tree track_function_decl, check_function_decl;
++static GTY(()) tree track_function_decl;
++static GTY(()) tree check_function_decl;
+static bool init_locals;
+
+static struct plugin_info stackleak_plugin_info = {
diff --git a/3.2.68/0000_README b/3.2.68/0000_README
index 238a9f1..b13028d 100644
--- a/3.2.68/0000_README
+++ b/3.2.68/0000_README
@@ -190,7 +190,7 @@ Patch: 1067_linux-3.2.68.patch
From: http://www.kernel.org
Desc: Linux 3.2.68
-Patch: 4420_grsecurity-3.1-3.2.68-201503251805.patch
+Patch: 4420_grsecurity-3.1-3.2.68-201504021823.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.68/4420_grsecurity-3.1-3.2.68-201503251805.patch
b/3.2.68/4420_grsecurity-3.1-3.2.68-201504021823.patch
similarity index 99%
rename from 3.2.68/4420_grsecurity-3.1-3.2.68-201503251805.patch
rename to 3.2.68/4420_grsecurity-3.1-3.2.68-201504021823.patch
index 9c4d314..e85b221 100644
--- a/3.2.68/4420_grsecurity-3.1-3.2.68-201503251805.patch
+++ b/3.2.68/4420_grsecurity-3.1-3.2.68-201504021823.patch
@@ -203,20 +203,24 @@ index dfa6fc6..ccbfbf3 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt
b/Documentation/kernel-parameters.txt
-index f0001eb..1727e84 100644
+index f0001eb..8f5703b 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
-@@ -859,6 +859,9 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
+@@ -859,6 +859,13 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
gpt [EFI] Forces disk with valid GPT signature but
invalid Protective MBR to be treated as GPT.
+ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
+ ignore grsecurity's /proc restrictions
+
++ grsec_sysfs_restrict= Format: 0 | 1
++ Default: 1
++ Disables GRKERNSEC_SYSFS_RESTRICT if enabled in config
++
hashdist= [KNL,NUMA] Large hashes allocated during boot
are distributed across NUMA nodes. Defaults on
for 64-bit NUMA, off otherwise.
-@@ -1963,6 +1966,27 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
+@@ -1963,6 +1970,27 @@ bytes respectively. Such letter suffixes can also be
entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -7658,10 +7662,18 @@ index e88fbe5..bd0eda7 100644
#include <asm/uaccess_64.h>
#else
diff --git a/arch/sparc/include/asm/uaccess_32.h
b/arch/sparc/include/asm/uaccess_32.h
-index 8303ac4..07f333d 100644
+index 8303ac4..d2eec81 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
-@@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __user *to, const
void __user *from, unsig
+@@ -46,6 +46,7 @@
+ #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
+ #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
+ #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr),
(size))
+ #define access_ok(type, addr, size) \
+ ({ (void)(type); __access_ok((unsigned long)(addr), size); })
+
+@@ -249,27 +250,46 @@ extern unsigned long __copy_user(void __user *to, const
void __user *from, unsig
static inline unsigned long copy_to_user(void __user *to, const void *from,
unsigned long n)
{
@@ -7713,7 +7725,7 @@ index 8303ac4..07f333d 100644
}
diff --git a/arch/sparc/include/asm/uaccess_64.h
b/arch/sparc/include/asm/uaccess_64.h
-index 6d6c731..2f65aba 100644
+index 6d6c731..c55ac5e 100644
--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -10,6 +10,7 @@
@@ -7724,7 +7736,19 @@ index 6d6c731..2f65aba 100644
#include <asm/asi.h>
#include <asm/system.h>
#include <asm/spitfire.h>
-@@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixup(void *to, const
void __user *from,
+@@ -53,6 +54,11 @@ static inline int __access_ok(const void __user * addr,
unsigned long size)
+ return 1;
+ }
+
++static inline int access_ok_noprefault(int type, const void __user * addr,
unsigned long size)
++{
++ return 1;
++}
++
+ static inline int access_ok(int type, const void __user * addr, unsigned long
size)
+ {
+ return 1;
+@@ -213,8 +219,15 @@ extern unsigned long copy_from_user_fixup(void *to, const
void __user *from,
static inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long size)
{
@@ -7741,7 +7765,7 @@ index 6d6c731..2f65aba 100644
if (unlikely(ret))
ret = copy_from_user_fixup(to, from, size);
-@@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(void __user *to,
const void *from,
+@@ -230,8 +243,15 @@ extern unsigned long copy_to_user_fixup(void __user *to,
const void *from,
static inline unsigned long __must_check
copy_to_user(void __user *to, const void *from, unsigned long size)
{
@@ -17920,7 +17944,7 @@ index 60d4c33..3f51857 100644
if (c->x86_model == 3 && c->x86_mask == 0)
size = 64;
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 6284d6d..ac6d8c6 100644
+index 6284d6d..60561cb 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -84,60 +84,6 @@ static const struct cpu_dev __cpuinitconst default_cpu = {
@@ -17993,18 +18017,24 @@ index 6284d6d..ac6d8c6 100644
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
/* Reload the per-cpu base */
-@@ -841,6 +787,10 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
- /* Filter out anything that depends on CPUID levels we don't have */
- filter_cpuid_features(c, true);
+@@ -769,6 +715,16 @@ static void __cpuinit generic_identify(struct cpuinfo_x86
*c)
-+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_SEGMEXEC) ||
defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
-+ setup_clear_cpu_cap(X86_FEATURE_SEP);
+ setup_smep(c);
+
++#ifdef CONFIG_X86_32
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(__supported_pte_mask & _PAGE_NX))
++ clear_cpu_cap(c, X86_FEATURE_PSE);
++#endif
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) ||
defined(CONFIG_PAX_MEMORY_UDEREF)
++ clear_cpu_cap(c, X86_FEATURE_SEP);
++#endif
+#endif
+
- /* If the model name is still unset, do table lookup. */
- if (!c->x86_model_id[0]) {
- const char *p;
-@@ -1021,6 +971,9 @@ static __init int setup_disablecpuid(char *arg)
+ get_model_name(c); /* Default name */
+
+ detect_nopl(c);
+@@ -1021,6 +977,9 @@ static __init int setup_disablecpuid(char *arg)
}
__setup("clearcpuid=", setup_disablecpuid);
@@ -18014,7 +18044,7 @@ index 6284d6d..ac6d8c6 100644
#ifdef CONFIG_X86_64
struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table
};
-@@ -1036,7 +989,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task)
____cacheline_aligned =
+@@ -1036,7 +995,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task)
____cacheline_aligned =
EXPORT_PER_CPU_SYMBOL(current_task);
DEFINE_PER_CPU(unsigned long, kernel_stack) =
@@ -18023,7 +18053,7 @@ index 6284d6d..ac6d8c6 100644
EXPORT_PER_CPU_SYMBOL(kernel_stack);
DEFINE_PER_CPU(char *, irq_stack_ptr) =
-@@ -1101,7 +1054,7 @@ struct pt_regs * __cpuinit idle_regs(struct pt_regs
*regs)
+@@ -1101,7 +1060,7 @@ struct pt_regs * __cpuinit idle_regs(struct pt_regs
*regs)
{
memset(regs, 0, sizeof(struct pt_regs));
regs->fs = __KERNEL_PERCPU;
@@ -18032,7 +18062,7 @@ index 6284d6d..ac6d8c6 100644
return regs;
}
-@@ -1156,7 +1109,7 @@ void __cpuinit cpu_init(void)
+@@ -1156,7 +1115,7 @@ void __cpuinit cpu_init(void)
int i;
cpu = stack_smp_processor_id();
@@ -18041,7 +18071,7 @@ index 6284d6d..ac6d8c6 100644
oist = &per_cpu(orig_ist, cpu);
#ifdef CONFIG_NUMA
-@@ -1182,7 +1135,7 @@ void __cpuinit cpu_init(void)
+@@ -1182,7 +1141,7 @@ void __cpuinit cpu_init(void)
switch_to_new_gdt(cpu);
loadsegment(fs, 0);
@@ -18050,7 +18080,7 @@ index 6284d6d..ac6d8c6 100644
memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
syscall_init();
-@@ -1191,7 +1144,6 @@ void __cpuinit cpu_init(void)
+@@ -1191,7 +1150,6 @@ void __cpuinit cpu_init(void)
wrmsrl(MSR_KERNEL_GS_BASE, 0);
barrier();
@@ -18058,7 +18088,7 @@ index 6284d6d..ac6d8c6 100644
if (cpu != 0)
enable_x2apic();
-@@ -1245,7 +1197,7 @@ void __cpuinit cpu_init(void)
+@@ -1245,7 +1203,7 @@ void __cpuinit cpu_init(void)
{
int cpu = smp_processor_id();
struct task_struct *curr = current;
@@ -41189,6 +41219,20 @@ index a841123..055ebeb 100644
if (!can_do_mlock())
return ERR_PTR(-EPERM);
+diff --git a/drivers/infiniband/core/uverbs_cmd.c
b/drivers/infiniband/core/uverbs_cmd.c
+index a8445b8..e43f9b9 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -928,6 +928,9 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
+ if (copy_from_user(&cmd, buf, sizeof cmd))
+ return -EFAULT;
+
++ if (!access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length))
++ return -EFAULT;
++
+ INIT_UDATA(&udata, buf + sizeof cmd,
+ (unsigned long) cmd.response + sizeof resp,
+ in_len - sizeof cmd, out_len - sizeof resp);
diff --git a/drivers/infiniband/hw/cxgb4/mem.c
b/drivers/infiniband/hw/cxgb4/mem.c
index 40c8353..946b0e4 100644
--- a/drivers/infiniband/hw/cxgb4/mem.c
@@ -58640,7 +58684,7 @@ index 8bc98af..a49e6f0 100644
dcache_init();
inode_init();
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 6ac0893..238a21a 100644
+index 6ac0893..6edd689 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -145,6 +145,7 @@ static struct file_system_type debug_fs_type = {
@@ -58651,18 +58695,30 @@ index 6ac0893..238a21a 100644
static int debugfs_create_by_name(const char *name, mode_t mode,
struct dentry *parent,
-@@ -261,7 +262,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+@@ -258,11 +259,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+ * If debugfs is not enabled in the kernel, the value -%ENODEV will be
+ * returned.
+ */
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++extern int grsec_enable_sysfs_restrict;
++#endif
++
struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
{
- return debugfs_create_file(name,
+- return debugfs_create_file(name,
+- S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
+- parent, NULL, NULL);
++ umode_t mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++
+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
-+ S_IFDIR | S_IRWXU,
-+#else
- S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
++ if (grsec_enable_sysfs_restrict)
++ mode = S_IFDIR | S_IRWXU;
+#endif
- parent, NULL, NULL);
++
++ return debugfs_create_file(name, mode, parent, NULL, NULL);
}
EXPORT_SYMBOL_GPL(debugfs_create_dir);
+
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index 782569b..175dea4 100644
--- a/fs/ecryptfs/inode.c
@@ -66598,10 +66654,21 @@ index a475983..3aab767 100644
if (!bb->vm_ops)
return -EINVAL;
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
-index e756bc4..684ab5b71 100644
+index e756bc4..6e4ebbc 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
-@@ -642,6 +642,18 @@ static int create_dir(struct kobject *kobj, struct
sysfs_dirent *parent_sd,
+@@ -87,6 +87,10 @@ static void sysfs_link_sibling(struct sysfs_dirent *sd)
+ rb_insert_color(&sd->name_node, &parent_sd->s_dir.name_tree);
+ }
+
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++extern int grsec_enable_sysfs_restrict;
++#endif
++
+ /**
+ * sysfs_unlink_sibling - unlink sysfs_dirent from sibling list
+ * @sd: sysfs_dirent of interest
+@@ -642,6 +646,20 @@ static int create_dir(struct kobject *kobj, struct
sysfs_dirent *parent_sd,
struct sysfs_dirent *sd;
int rc;
@@ -66615,6 +66682,8 @@ index e756bc4..684ab5b71 100644
+ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") ||
!strcmp(name, "fuse") || !strcmp(name, "ecryptfs"))) ||
+ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
+ mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++ if (!grsec_enable_sysfs_restrict)
++ mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
+#endif
+
/* allocate */
@@ -88201,7 +88270,7 @@ index 2531811..4f036c4 100644
#ifdef CONFIG_BLK_DEV_RAM
int fd;
diff --git a/init/main.c b/init/main.c
-index e937d9b..d7da1cf 100644
+index e937d9b..4700693 100644
--- a/init/main.c
+++ b/init/main.c
@@ -97,6 +97,8 @@ static inline void mark_rodata_ro(void) { }
@@ -88213,7 +88282,7 @@ index e937d9b..d7da1cf 100644
/*
* Debug helper: via this flag we know that we are in 'early bootup code'
* where only the boot processor is running with IRQ disabled. This means
-@@ -150,6 +152,64 @@ static int __init set_reset_devices(char *str)
+@@ -150,6 +152,74 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
@@ -88226,6 +88295,16 @@ index e937d9b..d7da1cf 100644
+}
+__setup("grsec_proc_gid=", setup_grsec_proc_gid);
+#endif
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++int grsec_enable_sysfs_restrict = 1;
++static int __init setup_grsec_sysfs_restrict(char *str)
++{
++ if (!simple_strtol(str, NULL, 0))
++ grsec_enable_sysfs_restrict = 0;
++ return 1;
++}
++__setup("grsec_sysfs_restrict", setup_grsec_sysfs_restrict);
++#endif
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+unsigned long pax_user_shadow_base __read_only = 1UL << TASK_SIZE_MAX_SHIFT;
@@ -88278,7 +88357,7 @@ index e937d9b..d7da1cf 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -683,6 +743,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -683,6 +753,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -88286,7 +88365,7 @@ index e937d9b..d7da1cf 100644
if (initcall_debug)
ret = do_one_initcall_debug(fn);
-@@ -695,17 +756,18 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -695,17 +766,18 @@ int __init_or_module do_one_initcall(initcall_t fn)
sprintf(msgbuf, "error code %d ", ret);
if (preempt_count() != count) {
@@ -88309,7 +88388,7 @@ index e937d9b..d7da1cf 100644
return ret;
}
-@@ -754,6 +816,10 @@ static void run_init_process(const char *init_filename)
+@@ -754,6 +826,10 @@ static void run_init_process(const char *init_filename)
kernel_execve(init_filename, argv_init, envp_init);
}
@@ -88320,7 +88399,7 @@ index e937d9b..d7da1cf 100644
/* This is a non __init function. Force it to be noinline otherwise gcc
* makes it inline to init() and it becomes part of init.text section
*/
-@@ -775,6 +841,11 @@ static noinline int init_post(void)
+@@ -775,6 +851,11 @@ static noinline int init_post(void)
ramdisk_execute_command);
}
@@ -88332,7 +88411,7 @@ index e937d9b..d7da1cf 100644
/*
* We try each of these until one succeeds.
*
-@@ -827,7 +898,7 @@ static int __init kernel_init(void * unused)
+@@ -827,7 +908,7 @@ static int __init kernel_init(void * unused)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -88341,7 +88420,7 @@ index e937d9b..d7da1cf 100644
printk(KERN_WARNING "Warning: unable to open an initial
console.\n");
(void) sys_dup(0);
-@@ -840,11 +911,13 @@ static int __init kernel_init(void * unused)
+@@ -840,11 +921,13 @@ static int __init kernel_init(void * unused)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -90465,7 +90544,7 @@ index dc7bc08..4601964 100644
/* Don't allow clients that don't understand the native
diff --git a/kernel/kmod.c b/kernel/kmod.c
-index a16dac1..67f7981 100644
+index a16dac1..d6f7dbc 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -64,7 +64,7 @@ static void free_modprobe_argv(struct subprocess_info *info)
@@ -90593,7 +90672,7 @@ index a16dac1..67f7981 100644
EXPORT_SYMBOL(__request_module);
#endif /* CONFIG_MODULES */
-@@ -188,6 +241,20 @@ static int ____call_usermodehelper(void *data)
+@@ -188,6 +241,21 @@ static int ____call_usermodehelper(void *data)
*/
set_user_nice(current, 0);
@@ -90604,6 +90683,7 @@ index a16dac1..67f7981 100644
+ */
+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path,
"/usr/lib/", 9) &&
+ strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path,
"/lib64/", 7) &&
++ strncmp(sub_info->path, "/usr/libexec/", 13) &&
+ strcmp(sub_info->path, "/usr/share/apport/apport")) ||
strstr(sub_info->path, "..")) {
+ printk(KERN_ALERT "grsec: denied exec of usermode helper binary
%.950s located outside of /sbin and system library paths\n", sub_info->path);
+ retval = -EPERM;
@@ -90614,7 +90694,7 @@ index a16dac1..67f7981 100644
retval = -ENOMEM;
new = prepare_kernel_cred(current);
if (!new)
-@@ -221,6 +288,10 @@ fail:
+@@ -221,6 +289,10 @@ fail:
void call_usermodehelper_freeinfo(struct subprocess_info *info)
{
@@ -90625,7 +90705,7 @@ index a16dac1..67f7981 100644
if (info->cleanup)
(*info->cleanup)(info);
kfree(info);
-@@ -265,7 +336,7 @@ static int wait_for_helper(void *data)
+@@ -265,7 +337,7 @@ static int wait_for_helper(void *data)
*
* Thus the __user pointer cast is valid here.
*/
@@ -90634,7 +90714,7 @@ index a16dac1..67f7981 100644
/*
* If ret is 0, either ____call_usermodehelper failed and the
-@@ -413,7 +484,12 @@ struct subprocess_info *call_usermodehelper_setup(char
*path, char **argv,
+@@ -413,7 +485,12 @@ struct subprocess_info *call_usermodehelper_setup(char
*path, char **argv,
goto out;
INIT_WORK(&sub_info->work, __call_usermodehelper);
@@ -90647,7 +90727,7 @@ index a16dac1..67f7981 100644
sub_info->argv = argv;
sub_info->envp = envp;
out:
-@@ -512,7 +588,7 @@ EXPORT_SYMBOL(call_usermodehelper_exec);
+@@ -512,7 +589,7 @@ EXPORT_SYMBOL(call_usermodehelper_exec);
static int proc_cap_handler(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -94961,7 +95041,7 @@ index dcbafed..bba19b9 100644
/* make curr_ret_stack visible before we add the ret_stack */
smp_wmb();
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
-index b252661..45b218f 100644
+index b252661..c3a5113 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -376,9 +376,9 @@ struct buffer_data_page {
@@ -94976,7 +95056,7 @@ index b252661..45b218f 100644
unsigned long real_end; /* real end of data */
struct buffer_data_page *page; /* Actual data page */
};
-@@ -489,8 +489,8 @@ struct ring_buffer_per_cpu {
+@@ -489,11 +489,11 @@ struct ring_buffer_per_cpu {
unsigned long lost_events;
unsigned long last_overrun;
local_t entries_bytes;
@@ -94986,7 +95066,11 @@ index b252661..45b218f 100644
+ local_unchecked_t overrun;
local_t entries;
local_t committing;
- local_t commits;
+- local_t commits;
++ local_unchecked_t commits;
+ unsigned long read;
+ unsigned long read_bytes;
+ u64 write_stamp;
@@ -884,8 +884,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu
*cpu_buffer,
*
* We add a counter to the write field to denote this.
@@ -95117,6 +95201,42 @@ index b252661..45b218f 100644
if (index == old_index) {
/* update counters */
local_sub(event_length, &cpu_buffer->entries_bytes);
+@@ -2116,7 +2116,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
+ static void rb_start_commit(struct ring_buffer_per_cpu *cpu_buffer)
+ {
+ local_inc(&cpu_buffer->committing);
+- local_inc(&cpu_buffer->commits);
++ local_inc_unchecked(&cpu_buffer->commits);
+ }
+
+ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -2128,7 +2128,7 @@ static inline void rb_end_commit(struct
ring_buffer_per_cpu *cpu_buffer)
+ return;
+
+ again:
+- commits = local_read(&cpu_buffer->commits);
++ commits = local_read_unchecked(&cpu_buffer->commits);
+ /* synchronize with interrupts */
+ barrier();
+ if (local_read(&cpu_buffer->committing) == 1)
+@@ -2144,7 +2144,7 @@ static inline void rb_end_commit(struct
ring_buffer_per_cpu *cpu_buffer)
+ * updating of the commit page and the clearing of the
+ * committing counter.
+ */
+- if (unlikely(local_read(&cpu_buffer->commits) != commits) &&
++ if (unlikely(local_read_unchecked(&cpu_buffer->commits) != commits) &&
+ !local_read(&cpu_buffer->committing)) {
+ local_inc(&cpu_buffer->committing);
+ goto again;
+@@ -2174,7 +2174,7 @@ rb_reserve_next_event(struct ring_buffer *buffer,
+ barrier();
+ if (unlikely(ACCESS_ONCE(cpu_buffer->buffer) != buffer)) {
+ local_dec(&cpu_buffer->committing);
+- local_dec(&cpu_buffer->commits);
++ local_dec_unchecked(&cpu_buffer->commits);
+ return NULL;
+ }
+ #endif
@@ -2440,7 +2440,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu
*cpu_buffer,
/* Do the likely case first */
@@ -95202,7 +95322,7 @@ index b252661..45b218f 100644
local_set(&cpu_buffer->head_page->page->commit, 0);
cpu_buffer->head_page->read = 0;
-@@ -3593,14 +3593,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -3593,17 +3593,17 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
cpu_buffer->commit_page = cpu_buffer->head_page;
INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
@@ -95220,7 +95340,11 @@ index b252661..45b218f 100644
+ local_set_unchecked(&cpu_buffer->overrun, 0);
local_set(&cpu_buffer->entries, 0);
local_set(&cpu_buffer->committing, 0);
- local_set(&cpu_buffer->commits, 0);
+- local_set(&cpu_buffer->commits, 0);
++ local_set_unchecked(&cpu_buffer->commits, 0);
+ cpu_buffer->read = 0;
+ cpu_buffer->read_bytes = 0;
+
@@ -3998,8 +3998,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
rb_init_page(bpage);
bpage = reader->page;
@@ -96141,6 +96265,22 @@ index b8029a5..2b120e1 100644
+ pax_close_kernel();
+}
+EXPORT_SYMBOL(pax_list_del_rcu);
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index be25e35..4d920a2 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -272,7 +272,11 @@ int nla_memcpy(void *dest, const struct nlattr *src, int
count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
++ if (count > minlen)
++ memset(dest + minlen, 0, count - minlen);
+
+ return minlen;
+ }
diff --git a/lib/radix-tree.c b/lib/radix-tree.c
index d9df745..a541641b 100644
--- a/lib/radix-tree.c
@@ -107704,6 +107844,19 @@ index 957374a..dcbce7a 100644
mutex_unlock(&nf_log_mutex);
}
+diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
+index b3a7db6..6d70533 100644
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -233,7 +233,7 @@ int nf_queue(struct sk_buff *skb,
+ * returned by nf_queue. For instance, callers rely on -ECANCELED to
mean
+ * 'ignore this hook'.
+ */
+- if (IS_ERR(segs))
++ if (IS_ERR_OR_NULL(segs))
+ return -EINVAL;
+
+ queued = 0;
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index f042ae5..30ea486 100644
--- a/net/netfilter/nf_sockopt.c
@@ -110519,6 +110672,19 @@ index 2ffde46..76f0432 100644
if (!x25_proc_dir)
goto out;
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 47bacd8..e49d5f4 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -151,6 +151,8 @@ static int xfrm_output_gso(struct sk_buff *skb)
+ kfree_skb(skb);
+ if (IS_ERR(segs))
+ return PTR_ERR(segs);
++ if (segs == NULL)
++ return -EINVAL;
+
+ do {
+ struct sk_buff *nskb = segs->next;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 113d20e..2bb5a4e 100644
--- a/net/xfrm/xfrm_policy.c
@@ -122703,10 +122869,10 @@ index 0000000..4378111
+}
diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data
b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
new file mode 100644
-index 0000000..0d53d19
+index 0000000..6e35346
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,5121 @@
+@@ -0,0 +1,5133 @@
+intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
+storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
+compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL
@@ -122884,6 +123050,7 @@ index 0000000..0d53d19
+zr364xx_read_2354 zr364xx_read 3 2354 NULL
+viafb_iga2_odev_proc_write_2363 viafb_iga2_odev_proc_write 3 2363 NULL
+rose_recvmsg_2368 rose_recvmsg 4 2368 NULL
++rts51x_read_ppbuf_2389 rts51x_read_ppbuf 3 2389 NULL
+rxpipe_rx_prep_beacon_drop_read_2403 rxpipe_rx_prep_beacon_drop_read 3 2403
NULL
+isdn_v110_open_2418 isdn_v110_open 3 2418 NULL
+hfcpci_empty_fifo_2427 hfcpci_empty_fifo 4 2427 NULL
@@ -123202,7 +123369,8 @@ index 0000000..0d53d19
+mpeg_read_6708 mpeg_read 3 6708 NULL
+ibmpex_query_sensor_count_6709 ibmpex_query_sensor_count 0 6709 NULL
+video_proc_write_6724 video_proc_write 3 6724 NULL
-+posix_acl_xattr_count_6725 posix_acl_xattr_count 0-1 6725 NULL
++posix_acl_xattr_count_6725 posix_acl_xattr_count 0-1 6725 NULL nohasharray
++rts51x_transfer_data_rcc_6725 rts51x_transfer_data_rcc 4 6725
&posix_acl_xattr_count_6725
+rds_rdma_pages_6735 rds_rdma_pages 0 6735 NULL
+device_queue_depth_6771 device_queue_depth 0 6771 NULL
+kobject_add_varg_6781 kobject_add_varg 0 6781 NULL
@@ -123291,6 +123459,7 @@ index 0000000..0d53d19
+diva_os_copy_from_user_7792 diva_os_copy_from_user 4 7792 NULL
+config_desc_7878 config_desc 0 7878 NULL
+dvb_dmxdev_read_sec_7892 dvb_dmxdev_read_sec 4 7892 NULL
++xd_read_data_from_ppb_7897 xd_read_data_from_ppb 4 7897 NULL
+xfs_trans_get_efi_7898 xfs_trans_get_efi 2 7898 NULL
+gfs2_tune_get_i_7903 gfs2_tune_get_i 0 7903 NULL
+libfc_host_alloc_7917 libfc_host_alloc 2 7917 NULL
@@ -123309,7 +123478,7 @@ index 0000000..0d53d19
+venus_lookup_8121 venus_lookup 4 8121 NULL
+ieee80211_if_fmt_num_buffered_multicast_8127
ieee80211_if_fmt_num_buffered_multicast 3 8127 NULL
+CalcCalPLL_8136 CalcCalPLL 0 8136 NULL
-+ext_sd_execute_write_data_8175 ext_sd_execute_write_data 9 8175 NULL
++ext_sd_execute_write_data_8175 ext_sd_execute_write_data 9-11 8175 NULL
+__sk_mem_schedule_8185 __sk_mem_schedule 2 8185 NULL
+ieee80211_if_fmt_dot11MeshHoldingTimeout_8187
ieee80211_if_fmt_dot11MeshHoldingTimeout 3 8187 NULL
+__nf_nat_mangle_tcp_packet_8190 __nf_nat_mangle_tcp_packet 5-7 8190 NULL
@@ -123604,7 +123773,8 @@ index 0000000..0d53d19
+kmem_zalloc_11510 kmem_zalloc 1 11510 NULL
+skb_cow_data_11565 skb_cow_data 0-2 11565 NULL
+mlx4_init_cmpt_table_11569 mlx4_init_cmpt_table 3 11569 NULL
-+lpfc_idiag_ctlacc_write_11576 lpfc_idiag_ctlacc_write 3 11576 NULL
++lpfc_idiag_ctlacc_write_11576 lpfc_idiag_ctlacc_write 3 11576 NULL nohasharray
++rts51x_write_ppbuf_11576 rts51x_write_ppbuf 3 11576
&lpfc_idiag_ctlacc_write_11576
+oprofilefs_ulong_to_user_11582 oprofilefs_ulong_to_user 3 11582 NULL
+snd_pcm_action_11589 snd_pcm_action 0 11589 NULL
+fw_device_op_ioctl_11595 fw_device_op_ioctl 2 11595 NULL
@@ -124202,6 +124372,7 @@ index 0000000..0d53d19
+read_file_dump_nfcal_18766 read_file_dump_nfcal 3 18766 NULL
+ffs_epfile_read_18775 ffs_epfile_read 3 18775 NULL
+alloc_fcdev_18780 alloc_fcdev 1 18780 NULL
++sd_write_data_18803 sd_write_data 9 18803 NULL
+ieee80211_auth_challenge_18810 ieee80211_auth_challenge 3 18810 NULL
+iio_allocate_device_18821 iio_allocate_device 1 18821 NULL
+sys_modify_ldt_18824 sys_modify_ldt 3 18824 NULL
@@ -124823,6 +124994,7 @@ index 0000000..0d53d19
+scnprint_id_26842 scnprint_id 3-0 26842 NULL
+ecryptfs_miscdev_write_26847 ecryptfs_miscdev_write 3 26847 NULL
+svc_print_xprts_26881 svc_print_xprts 0 26881 NULL
++ms_read_bytes_26894 ms_read_bytes 6 26894 NULL
+ctnetlink_counters_size_26898 ctnetlink_counters_size 0 26898 NULL
+slhc_uncompress_26905 slhc_uncompress 0-3 26905 NULL
+x25_asy_change_mtu_26928 x25_asy_change_mtu 2 26928 NULL
@@ -126493,7 +126665,7 @@ index 0000000..0d53d19
+ubi_dbg_check_write_48525 ubi_dbg_check_write 0 48525 NULL
+wiimote_hid_send_48528 wiimote_hid_send 3 48528 NULL
+drbd_bm_capacity_48530 drbd_bm_capacity 0 48530 NULL
-+ext_sd_execute_read_data_48589 ext_sd_execute_read_data 9 48589 NULL
++ext_sd_execute_read_data_48589 ext_sd_execute_read_data 9-11 48589 NULL
+do_ip_vs_set_ctl_48641 do_ip_vs_set_ctl 4 48641 NULL
+lc_create_48662 lc_create 3 48662 NULL
+aes_encrypt_packets_read_48666 aes_encrypt_packets_read 3 48666 NULL
@@ -126840,6 +127012,7 @@ index 0000000..0d53d19
+iwl_legacy_dbgfs_channels_read_52619 iwl_legacy_dbgfs_channels_read 3 52619
NULL
+__iter_shared_inline_ref_inodes_52668 __iter_shared_inline_ref_inodes 0 52668
NULL
+vendorextnWriteSection_52698 vendorextnWriteSection 0 52698 NULL
++ms_transfer_data_52705 ms_transfer_data 9 52705 NULL
+cx25840_ir_rx_read_52724 cx25840_ir_rx_read 3 52724 NULL
+blkcipher_next_slow_52733 blkcipher_next_slow 3-4 52733 NULL
+relay_alloc_page_array_52735 relay_alloc_page_array 1 52735 NULL
@@ -126943,6 +127116,7 @@ index 0000000..0d53d19
+i2400m_zrealloc_2x_54166 i2400m_zrealloc_2x 3 54166 NULL nohasharray
+memcpy_toiovec_54166 memcpy_toiovec 3 54166 &i2400m_zrealloc_2x_54166
+p9_client_prepare_req_54175 p9_client_prepare_req 3 54175 NULL
++sd_read_data_54207 sd_read_data 9 54207 NULL
+do_sys_poll_54221 do_sys_poll 2 54221 NULL
+__register_chrdev_54223 __register_chrdev 2-3 54223 NULL
+_format_mac_addr_54229 _format_mac_addr 2-0 54229 NULL
@@ -126982,6 +127156,7 @@ index 0000000..0d53d19
+unix_dgram_connect_54535 unix_dgram_connect 3 54535 NULL
+setsockopt_54539 setsockopt 5 54539 NULL
+lbs_lowsnr_write_54549 lbs_lowsnr_write 3 54549 NULL
++rts51x_seq_read_register_54567 rts51x_seq_read_register 3 54567 NULL
+nfsd_vfs_write_54577 nfsd_vfs_write 6 54577 NULL
+fw_iso_buffer_init_54582 fw_iso_buffer_init 3 54582 NULL
+xfrm_polexpire_msgsize_54589 xfrm_polexpire_msgsize 0 54589 NULL
@@ -127048,12 +127223,14 @@ index 0000000..0d53d19
+ext4_ext_convert_to_initialized_55235 ext4_ext_convert_to_initialized 0 55235
NULL
+memcpy_fromiovec_55247 memcpy_fromiovec 3 55247 NULL
+lbs_failcount_write_55276 lbs_failcount_write 3 55276 NULL
-+rx_streaming_interval_read_55291 rx_streaming_interval_read 3 55291 NULL
++rx_streaming_interval_read_55291 rx_streaming_interval_read 3 55291 NULL
nohasharray
++xd_read_cis_55291 xd_read_cis 4 55291 &rx_streaming_interval_read_55291
+gsm_control_modem_55303 gsm_control_modem 3 55303 NULL
+wimax_msg_len_55304 wimax_msg_len 0 55304 NULL
+vme_user_read_55338 vme_user_read 3 55338 NULL
+__wa_xfer_setup_sizes_55342 __wa_xfer_setup_sizes 0 55342 NULL nohasharray
+sctp_datamsg_from_user_55342 sctp_datamsg_from_user 4 55342
&__wa_xfer_setup_sizes_55342
++rts51x_seq_write_register_55345 rts51x_seq_write_register 3 55345 NULL
+acpi_system_read_event_55362 acpi_system_read_event 3 55362 NULL
+iwl_dbgfs_plcp_delta_read_55407 iwl_dbgfs_plcp_delta_read 3 55407 NULL
+alloc_skb_55439 alloc_skb 1 55439 NULL
@@ -127812,6 +127989,7 @@ index 0000000..0d53d19
+redirected_tty_write_65297 redirected_tty_write 3 65297 NULL
+get_var_len_65304 get_var_len 0 65304 NULL
+unpack_array_65318 unpack_array 0 65318 NULL
++rts51x_get_rsp_65334 rts51x_get_rsp 2 65334 NULL
+dccp_setsockopt_service_65336 dccp_setsockopt_service 4 65336 NULL
+dma_rx_requested_read_65354 dma_rx_requested_read 3 65354 NULL
+alloc_cpu_rmap_65363 alloc_cpu_rmap 1 65363 NULL
