main/linux-grsec: upgrade to 4.1.17

12 files changed, 116 insertions, 745 deletions

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index bf11f823b7..08426096fd 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,12 +2,12 @@
 
 _mainflavor=grsec
 pkgname=linux-$_mainflavor
-pkgver=4.1.15
+pkgver=4.1.17
 case $pkgver in
 *.*.*)	_kernver=${pkgver%.*};;
 *.*)	_kernver=${pkgver};;
 esac
-pkgrel=5
+pkgrel=0
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs"
@@ -17,23 +17,15 @@ options="!strip"
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v4.x/linux-$_kernver.tar.xz
 	http://ftp.kernel.org/pub/linux/kernel/v4.x/patch-$pkgver.xz
-	http://dev.alpinelinux.org/~tteras/grsec/pax-linux-4.1.15-test24-alpine.patch
-	http://dev.alpinelinux.org/~tteras/grsec/grsec-4.1.15-3.1-201509112213-alpine.patch
+	grsecurity-4.1.17-3.1-201509201149-tld.patch::http://git.tld-linux.org/?p=packages/kernel-grsecurity.git;a=blob_plain;f=grsecurity.patch;hb=2e7f40eae5385d264ca30ef9d730d99d833f23b5
 
 	fix-spi-nor-namespace-clash.patch
 	imx6q-no-unclocked-sleep.patch
-	add-checks-for-allocation-failure-isdn_ppp_open.patch
-	validate-vj-compression-slot-parameters-completely.patch
-	kvm-svm-unconditionally-intercept-#db.patch
-	vivid-osd-fix-info-leak-in-ioctl.patch
-	staging-dgnc-fix-info-leak-in-ioctl.patch
-	net-add-validation-socket-syscall-protocol-argument.patch
-	pptp-verify-sockaddr_len.patch
-	ovl-fix-permission-checking-for-setattr.patch
-	0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
-	keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
 	keys-fixes.patch
-	keys-fix-keyring-ref-leak-in-join_session_keyring.patch
+	ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
+	ovl-fix-permission-checking-for-setattr.patch
+	staging-dgnc-fix-info-leak-in-ioctl.patch
+	via-velocity-length-check.patch
 
 	config-grsec.x86
 	config-grsec.x86_64
@@ -70,11 +62,12 @@ prepare() {
 
 	# first apply patches in specified order
 	for i in $source; do
-		case $i in
+		local file=${i%::*}
+		case $file in
 		*.patch)
-			msg "Applying $i..."
-			if ! patch -s -p1 -N -i "$srcdir"/${i##*/}; then
-				echo $i >>failed
+			msg "Applying $file..."
+			if ! patch -s -p1 -N -i "$srcdir"/${file##*/}; then
+				echo $file >>failed
 				_patch_failed=1
 			fi
 			;;
@@ -215,69 +208,45 @@ dev() {
 }
 
 md5sums="fe9dc0f6729f36400ea81aa41d614c37  linux-4.1.tar.xz
-5ec05841161a172f8ae1a7f38bb382b0  patch-4.1.15.xz
-d23ac8110941baf0f37f9e3a011e3720  pax-linux-4.1.15-test24-alpine.patch
-ba5670790e9ee117227024cb4b187756  grsec-4.1.15-3.1-201509112213-alpine.patch
+49c68f18968fa809e20a7b20423fd1d2  patch-4.1.17.xz
+cadb807b168b455f10b26baf749a8c00  grsecurity-4.1.17-3.1-201509201149-tld.patch
 b0337a2a9abed17c37eae5db332522d2  fix-spi-nor-namespace-clash.patch
 1a307fc1d63231bf01d22493a4f14378  imx6q-no-unclocked-sleep.patch
-4bf3d4e28a3318ea7251f862aa35dc95  add-checks-for-allocation-failure-isdn_ppp_open.patch
-9b150b8017a25fb6c9e9e29b1f1e791f  validate-vj-compression-slot-parameters-completely.patch
-c02b7d642341d3b82cff47d801813254  kvm-svm-unconditionally-intercept-#db.patch
-b52be7e646d3572687e4d26d4291233e  vivid-osd-fix-info-leak-in-ioctl.patch
-6c48221dbad6928f2b9f6c1f521c5844  staging-dgnc-fix-info-leak-in-ioctl.patch
-730439fc2751795dc00f1fb3ec810b12  net-add-validation-socket-syscall-protocol-argument.patch
-e4590e034252bb838220d2bedc19be2e  pptp-verify-sockaddr_len.patch
+04f93023c13c5cf3d9d5cbdf5c2a3ab3  keys-fixes.patch
+0ac0bfd35d8d857b790f3cf55028d967  ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
 5f27a173424a42db509b46372c200e85  ovl-fix-permission-checking-for-setattr.patch
-0ac0bfd35d8d857b790f3cf55028d967  0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
-0526ef5b0cb5c8b697ab8fcd337d303e  keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
-370b4498d0dc52eb8a85a23a5973bebf  keys-fixes.patch
-6470e9783bd1c7a8feddc2d67f07afd5  keys-fix-keyring-ref-leak-in-join_session_keyring.patch
+6c48221dbad6928f2b9f6c1f521c5844  staging-dgnc-fix-info-leak-in-ioctl.patch
+073d3b8947c33abf715a0e505f144a7e  via-velocity-length-check.patch
 8592323596689e3ef967ff96d1190d1b  config-grsec.x86
 81aab21a18c16cf96d0fa719564281ec  config-grsec.x86_64
 c4c15b3ba79bb557a67cd9356b56d7c4  config-grsec.armhf
 28754e558f94f3b3e0b0fcc27c1c955f  config-virtgrsec.x86
 ae802ba9bdf0dfa50e7506a08bbf929d  config-virtgrsec.x86_64"
 sha256sums="caf51f085aac1e1cea4d00dbbf3093ead07b551fc07b31b2a989c05f8ea72d9f  linux-4.1.tar.xz
-0ffca8557f1aa191da2f2260ad279c9cc858e6308a8af8a76f7ca3d3c0540344  patch-4.1.15.xz
-5cb29b9a0ffb72c11ff17a0c68a9bb6452ca15b79eb1fc00c179cdf1748f2d48  pax-linux-4.1.15-test24-alpine.patch
-a92b81dbd4fa4fbee28cebad93b0bd623820c809e98e8841151842341b9626eb  grsec-4.1.15-3.1-201509112213-alpine.patch
+60e5c4fb93705a1e7d075d528975661303d3a87c522f731b69da2e00f3170b10  patch-4.1.17.xz
+beb4a3343667b045b4680536f765719d1198086f5d57508f16a31fa18f8cbb41  grsecurity-4.1.17-3.1-201509201149-tld.patch
 01279cfb93273d99670c56e2465957ecde3d03693beeb929a743f03afa0b7bdc  fix-spi-nor-namespace-clash.patch
 21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3  imx6q-no-unclocked-sleep.patch
-78ca4ba9863d43ba498db628f2dfc2cf00427236745636025bd24513bdf05189  add-checks-for-allocation-failure-isdn_ppp_open.patch
-d2670dc40c47de365d36ba1e1bbef0ea3e6381f5d4c38e88a4c5db2eb4383925  validate-vj-compression-slot-parameters-completely.patch
-eb787ea2e4637708475569f7498c1ef0fa5e4e80ae22df5c5f44092615f86ebd  kvm-svm-unconditionally-intercept-#db.patch
-4070f46003fb5e1a16474f682da78d989809272a7aa209f794caa8d0b941e2c0  vivid-osd-fix-info-leak-in-ioctl.patch
-144886917b2c5ff880c4beb11ca8743b98ea5ed49bbd10a54a98e1d76cfe23b5  staging-dgnc-fix-info-leak-in-ioctl.patch
-180af96ce8310913f6662be50ca69c9737af250ef8dd3fdefdc58bef5f55ca9e  net-add-validation-socket-syscall-protocol-argument.patch
-5d3f0311176addb6cbbe0739736962cdb3826816e5cc0384f52d34cbd7c2c2a0  pptp-verify-sockaddr_len.patch
+246119a70831c0c01aabdbb31f75d0476883cfbc172e2a749655ec569569440f  keys-fixes.patch
+464fbfe582c2b841c629c78508d117108505aafdcc6fec8a2ae0b34193d04bbe  ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
 79fa593d628d740c7bc2b68398ab381ad978293102d1f282919ee69aeab6a17d  ovl-fix-permission-checking-for-setattr.patch
-464fbfe582c2b841c629c78508d117108505aafdcc6fec8a2ae0b34193d04bbe  0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
-c3a7a6d1ca5c23c98ea703c716144dc88b5bcf5052416a7ff3c766beed78d7db  keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
-653bdfac4fdac0fed19b60c8ae34afe97a699bbabe0e00888584c1ef52a626e1  keys-fixes.patch
-c11bf7442041f2ddaf6aea62b897c0753200aa64ca0e7b9f2c9700ea16326997  keys-fix-keyring-ref-leak-in-join_session_keyring.patch
+144886917b2c5ff880c4beb11ca8743b98ea5ed49bbd10a54a98e1d76cfe23b5  staging-dgnc-fix-info-leak-in-ioctl.patch
+25f174ca77217399a82e59740f60ea75db31a624578cba9ee501b5b7b7ae4cc7  via-velocity-length-check.patch
 fbc303521afbecbe2dccbe9955d108af53aaaa3388f2ca0962fc93f26a535a56  config-grsec.x86
 0d770dbef70ec200e9f0341f7840847c228ac5e5061401614aaa27db59922614  config-grsec.x86_64
 01b4f4e7eae350d40749f34e916e69c101f2fb5b3b7c2bd1917c29b8df3c2668  config-grsec.armhf
 fcfeedde29606b94f79f79ceb9351bd5d018aca6a76bba04459d85e4ad94939f  config-virtgrsec.x86
 91bb0c7e6ad7b438daba3be79117007ecd68afb89857381034467837247edd56  config-virtgrsec.x86_64"
 sha512sums="168ef84a4e67619f9f53f3574e438542a5747f9b43443363cb83597fcdac9f40d201625c66e375a23226745eaada9176eb006ca023613cec089349e91751f3c0  linux-4.1.tar.xz
-646daf16c01fb8c3013c7c9919c18c3635eb6bd37560623cb56cc7a6d0b22fb13290cee8865dfbcc435cd8544cc3ecb6f3aae538d10c9e0b1098806f233155a3  patch-4.1.15.xz
-e5bb53ac77a4b285fa4dd52cf50856669cb932669c2c8b1b9cd14d2384375d1ce9e997a760848c2c2e2c428e5d3c1c41aad890ee4009c9c4653d3a13721eab7a  pax-linux-4.1.15-test24-alpine.patch
-c737219a382206894889ddf8e807836a6fd08bb983b5e2327fae9f8427a0fa591c17f896b6e3f8dab4e356ae2d5f2aaa1cb642dea162eddc0c53c3a494928d52  grsec-4.1.15-3.1-201509112213-alpine.patch
+fa8675bac395ad7255693728ee601cd84a02aeee660ee5f2bf5684a6af053c9cf07afb0abb3324b1eb149305701a0bb9252053e840edc2aebb6499139dc12edd  patch-4.1.17.xz
+929d0e7b73c988c76b6131adf5d2ec28c95736022e3f198c7f37eb0acd18f3784bd622bc050d88bc553bf297cbed6686aca113465c6b5b2fef13867edf596369  grsecurity-4.1.17-3.1-201509201149-tld.patch
 4e3aeb70712f9838afea75fe9e6c1389414d833a89286ea55441d6a8d54ce74b0e39b565721e3153443af0a614bff57c767251b7e5b81faa5e0784eddfcd2164  fix-spi-nor-namespace-clash.patch
 87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221  imx6q-no-unclocked-sleep.patch
-2fac663732ec9f5d0089b7bfdc31e4166028b381da328aef405f4a2c9102486139bc759dccc704293d9fbc0d4a19d9682e31e62f913bfa5fd22a4ef77e4b2255  add-checks-for-allocation-failure-isdn_ppp_open.patch
-528604f2296bd1a67e32b465b4885ddba8ccf50925909e80cc523186ab03439c47eb5c016c133f3e3f27b0666f234f88a9c33399d7550867a448e12c73f878c2  validate-vj-compression-slot-parameters-completely.patch
-5d9628e59117b9b0e464bfdac4249663a8c46f8c0ac5f521e19bbb1d59ad3a0dc0d97de34a1f011033d31c792452e6b20a70081ec8cc208bf0671fb50017ab6c  kvm-svm-unconditionally-intercept-#db.patch
-98bd4ef55ce0b7c4b4fee638ba079555a7363f1b34bc415135bd2fcbd12957ef45d569d7bf85edcbf322638f9951e01951807279279e729bbc13bee3be5d2b45  vivid-osd-fix-info-leak-in-ioctl.patch
-51bdf43837e0bc24771b6dd67e4f5f49ae77716a49155b2b04ca17aa84a7aea65f858733795a91d8c5c3221a77c576370c0ccc7e711c32edaa87210cf55974ec  staging-dgnc-fix-info-leak-in-ioctl.patch
-d41f3b7c30d59a0fb43f877fff5a311c7fad8e12dfb51c519af368e8d1511202e6cceace3e051620a90e30f3c4b170847172764db045c9a5777663e2e9f2116c  net-add-validation-socket-syscall-protocol-argument.patch
-9454738454abee92200c7025a5b19e6870056ee71faf7e78dc10c0e7317e2d27c940ab031e2e53db856e1bea3b3fe5e32ce5aaa7c29dc833aa0f75d35bbf7a79  pptp-verify-sockaddr_len.patch
+8d4646d564e6beb60925724ca4cdef06ac08a4909629330f0e3c5cf1701dc82ca4bc9b809cdbf1f2229a30cc700106733cb77fea12885a44a0c4a65a1d5656d5  keys-fixes.patch
+928492c522cc376abc244f9aec25b10abf0efc4cf19e5f3b7130ed8efed904e674975a05b70f3f46343dba5aa324c46981cb98eea7a619defbb7235742a3333e  ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
 061d58353e8d8eb83a10ae1cdfd16ff5d982ee594decd115d42f438293747b9f4ea3cb16ce242685b34d52ca57feb3b8e9f344adc425e1894f0283abe47ef355  ovl-fix-permission-checking-for-setattr.patch
-928492c522cc376abc244f9aec25b10abf0efc4cf19e5f3b7130ed8efed904e674975a05b70f3f46343dba5aa324c46981cb98eea7a619defbb7235742a3333e  0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
-d4d65eacdac1d9baed2ddf926f09a6d66b4dc42ea40ac9b118ad69dfd8dcc06052afb742aaf906fad54d70182d2243bdc1f0649eea7754a2402fc94447d568b1  keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
-2611db9cca53ac6851beb9f48e51651090e6b97a644d260671d6f4aa2b2d75ff71276b6d14d0b2e5908bc261c86fc6c2dc4bd88e093fdd74e144983c720f0a2b  keys-fixes.patch
-89ba4dd5bc12bc188a63d370f815573885e91f9e856c57eab4410d41033d443554a20e417b72a810024ff8b3195300edb35a2d1f4c5a9feec036b387ad1f8fe5  keys-fix-keyring-ref-leak-in-join_session_keyring.patch
+51bdf43837e0bc24771b6dd67e4f5f49ae77716a49155b2b04ca17aa84a7aea65f858733795a91d8c5c3221a77c576370c0ccc7e711c32edaa87210cf55974ec  staging-dgnc-fix-info-leak-in-ioctl.patch
+0be40b94b99f0fa0ab975c833e50a121e45b057c812e229a3d175a7bc8b03472eb6ab4a1273988971db89625f55b9fc4a35b7696acb21709887294fcf8a7c48d  via-velocity-length-check.patch
 819ff2d16b5c15399de9b3c254d4ed6b7ef580a5b7cdacb209d90d35d178e93e34a5d6159b0edfab4afec9decf404901a7504f7b106c62c3dba0cdb4f0951a61  config-grsec.x86
 61b2f6b1264e51548c657b337a23592d7bdf0fe730f71e9039af098dd9ebd1b2bd7dbff1811ccb36c7c50b4cfef4cf19534a1f25ef05048a404fd6a6c3120a59  config-grsec.x86_64
 3be2587ca157eff3910ad1cd4dd9013c699e08d6f8fdde22458caa423f17591a7b386aad5f592f79baac4da6b32f5965483c3080c1cf2bc906fdffbe33a16bf7  config-grsec.armhf
diff --git a/main/linux-grsec/add-checks-for-allocation-failure-isdn_ppp_open.patch b/main/linux-grsec/add-checks-for-allocation-failure-isdn_ppp_open.patch
deleted file mode 100644
index 2f700ac510..0000000000
--- a/main/linux-grsec/add-checks-for-allocation-failure-isdn_ppp_open.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:21:24 +0000
-Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
-
-Compile-tested only.
-
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
-index c4198fa..86f9abe 100644
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
- 	is->compflags = 0;
- 
- 	is->reset = isdn_ppp_ccp_reset_alloc(is);
-+	if (!is->reset)
-+		return -ENOMEM;
- 
- 	is->lp = NULL;
- 	is->mp_seqno = 0;       /* MP sequence number */
-@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
- 	 * VJ header compression init
- 	 */
- 	is->slcomp = slhc_init(16, 16);	/* not necessary for 2. link in bundle */
-+	if (!is->slcomp) {
-+		isdn_ppp_ccp_reset_free(is);
-+		return -ENOMEM;
-+	}
- #endif
- #ifdef CONFIG_IPPP_FILTER
- 	is->pass_filter = NULL;
--- 
-cgit v0.11.2
-
diff --git a/main/linux-grsec/keys-fix-keyring-ref-leak-in-join_session_keyring.patch b/main/linux-grsec/keys-fix-keyring-ref-leak-in-join_session_keyring.patch
deleted file mode 100644
index 49020d7dba..0000000000
--- a/main/linux-grsec/keys-fix-keyring-ref-leak-in-join_session_keyring.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Mon Sep 17 00:00:00 2001
-From: Yevgeny Pats <yevgeny@perception-point.io>
-Date: Tue, 19 Jan 2016 22:09:04 +0000
-Subject: KEYS: Fix keyring ref leak in join_session_keyring()
-
-This fixes CVE-2016-0728.
-
-If a thread is asked to join as a session keyring the keyring that's already
-set as its session, we leak a keyring reference.
-
-This can be tested with the following program:
-
-	#include <stddef.h>
-	#include <stdio.h>
-	#include <sys/types.h>
-	#include <keyutils.h>
-
-	int main(int argc, const char *argv[])
-	{
-		int i = 0;
-		key_serial_t serial;
-
-		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-				"leaked-keyring");
-		if (serial < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		if (keyctl(KEYCTL_SETPERM, serial,
-			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		for (i = 0; i < 100; i++) {
-			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-					"leaked-keyring");
-			if (serial < 0) {
-				perror("keyctl");
-				return -1;
-			}
-		}
-
-		return 0;
-	}
-
-If, after the program has run, there something like the following line in
-/proc/keys:
-
-3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
-
-with a usage count of 100 * the number of times the program has been run,
-then the kernel is malfunctioning.  If leaked-keyring has zero usages or
-has been garbage collected, then the problem is fixed.
-
-Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Don Zickus <dzickus@redhat.com>
-Acked-by: Prarit Bhargava <prarit@redhat.com>
-Acked-by: Jarod Wilson <jarod@redhat.com>
-Signed-off-by: James Morris <james.l.morris@oracle.com>
----
- security/keys/process_keys.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index a3f85d2..e6d50172 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
- 		ret = PTR_ERR(keyring);
- 		goto error2;
- 	} else if (keyring == new->session_keyring) {
-+		key_put(keyring);
- 		ret = 0;
- 		goto error2;
- 	}
--- 
-cgit v0.12
-
diff --git a/main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch b/main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
deleted file mode 100644
index 792296068f..0000000000
--- a/main/linux-grsec/keys-fix-race-between-destruction-and-finding-keyring-by-name.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Fri, 25 Sep 2015 16:30:08 +0100
-Subject: KEYS: Fix race between key destruction and finding a keyring by name
-
-There appears to be a race between:
-
- (1) key_gc_unused_keys() which frees key->security and then calls
-     keyring_destroy() to unlink the name from the name list
-
- (2) find_keyring_by_name() which calls key_permission(), thus accessing
-     key->security, on a key before checking to see whether the key usage is 0
-     (ie. the key is dead and might be cleaned up).
-
-Fix this by calling ->destroy() before cleaning up the core key data -
-including key->security.
-
-Reported-by: Petr Matousek <pmatouse@redhat.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- security/keys/gc.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/security/keys/gc.c b/security/keys/gc.c
-index c795237..39eac1f 100644
---- a/security/keys/gc.c
-+++ b/security/keys/gc.c
-@@ -134,6 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
- 		kdebug("- %u", key->serial);
- 		key_check(key);
- 
-+		/* Throw away the key data */
-+		if (key->type->destroy)
-+			key->type->destroy(key);
-+
- 		security_key_free(key);
- 
- 		/* deal with the user's key tracking and quota */
-@@ -148,10 +152,6 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
- 		if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
- 			atomic_dec(&key->user->nikeys);
- 
--		/* now throw away the key memory */
--		if (key->type->destroy)
--			key->type->destroy(key);
--
- 		key_user_put(key->user);
- 
- 		kfree(key->description);
--- 
-cgit v0.11.2
-
diff --git a/main/linux-grsec/keys-fixes.patch b/main/linux-grsec/keys-fixes.patch
index 8ef8a0c359..85bbda7e02 100644
--- a/main/linux-grsec/keys-fixes.patch
+++ b/main/linux-grsec/keys-fixes.patch
@@ -1,83 +1,3 @@
-From f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Thu, 15 Oct 2015 17:21:37 +0100
-Subject: KEYS: Fix crash when attempt to garbage collect an uninstantiated
- keyring
-
-The following sequence of commands:
-
-    i=`keyctl add user a a @s`
-    keyctl request2 keyring foo bar @t
-    keyctl unlink $i @s
-
-tries to invoke an upcall to instantiate a keyring if one doesn't already
-exist by that name within the user's keyring set.  However, if the upcall
-fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
-other error code.  When the key is garbage collected, the key destroy
-function is called unconditionally and keyring_destroy() uses list_empty()
-on keyring->type_data.link - which is in a union with reject_error.
-Subsequently, the kernel tries to unlink the keyring from the keyring names
-list - which oopses like this:
-
-	BUG: unable to handle kernel paging request at 00000000ffffff8a
-	IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
-	...
-	Workqueue: events key_garbage_collector
-	...
-	RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
-	RSP: 0018:ffff88003e2f3d30  EFLAGS: 00010203
-	RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
-	RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
-	RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
-	R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
-	R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
-	...
-	CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
-	...
-	Call Trace:
-	 [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
-	 [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
-	 [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
-	 [<ffffffff8105fd17>] worker_thread+0x26e/0x361
-	 [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
-	 [<ffffffff810648ad>] kthread+0xf3/0xfb
-	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
-	 [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
-	 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
-
-Note the value in RAX.  This is a 32-bit representation of -ENOKEY.
-
-The solution is to only call ->destroy() if the key was successfully
-instantiated.
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Tested-by: Dmitry Vyukov <dvyukov@google.com>
----
- security/keys/gc.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/security/keys/gc.c b/security/keys/gc.c
-index 39eac1f..addf060 100644
---- a/security/keys/gc.c
-+++ b/security/keys/gc.c
-@@ -134,8 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
- 		kdebug("- %u", key->serial);
- 		key_check(key);
- 
--		/* Throw away the key data */
--		if (key->type->destroy)
-+		/* Throw away the key data if the key is instantiated */
-+		if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) &&
-+		    !test_bit(KEY_FLAG_NEGATIVE, &key->flags) &&
-+		    key->type->destroy)
- 			key->type->destroy(key);
- 
- 		security_key_free(key);
--- 
-cgit v0.11.2
-
-
 From 911b79cde95c7da0ec02f48105358a36636b7a71 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 19 Oct 2015 11:20:28 +0100
diff --git a/main/linux-grsec/kvm-svm-unconditionally-intercept-#db.patch b/main/linux-grsec/kvm-svm-unconditionally-intercept-#db.patch
deleted file mode 100644
index 938219ea1a..0000000000
--- a/main/linux-grsec/kvm-svm-unconditionally-intercept-#db.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From cbdb967af3d54993f5814f1cee0ed311a055377d Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 10 Nov 2015 09:14:39 +0100
-Subject: KVM: svm: unconditionally intercept #DB
-
-This is needed to avoid the possibility that the guest triggers
-an infinite stream of #DB exceptions (CVE-2015-8104).
-
-VMX is not affected: because it does not save DR6 in the VMCS,
-it already intercepts #DB unconditionally.
-
-Reported-by: Jan Beulich <jbeulich@suse.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- arch/x86/kvm/svm.c | 14 +++-----------
- 1 file changed, 3 insertions(+), 11 deletions(-)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 1839264..1cc1ffc 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1020,6 +1020,7 @@ static void init_vmcb(struct vcpu_svm *svm)
- 	set_exception_intercept(svm, UD_VECTOR);
- 	set_exception_intercept(svm, MC_VECTOR);
- 	set_exception_intercept(svm, AC_VECTOR);
-+	set_exception_intercept(svm, DB_VECTOR);
- 
- 	set_intercept(svm, INTERCEPT_INTR);
- 	set_intercept(svm, INTERCEPT_NMI);
-@@ -1554,20 +1555,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
- 	mark_dirty(svm->vmcb, VMCB_SEG);
- }
- 
--static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
-+static void update_bp_intercept(struct kvm_vcpu *vcpu)
- {
- 	struct vcpu_svm *svm = to_svm(vcpu);
- 
--	clr_exception_intercept(svm, DB_VECTOR);
- 	clr_exception_intercept(svm, BP_VECTOR);
- 
--	if (svm->nmi_singlestep)
--		set_exception_intercept(svm, DB_VECTOR);
--
- 	if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
--		if (vcpu->guest_debug &
--		    (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
--			set_exception_intercept(svm, DB_VECTOR);
- 		if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
- 			set_exception_intercept(svm, BP_VECTOR);
- 	} else
-@@ -1673,7 +1667,6 @@ static int db_interception(struct vcpu_svm *svm)
- 		if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
- 			svm->vmcb->save.rflags &=
- 				~(X86_EFLAGS_TF | X86_EFLAGS_RF);
--		update_db_bp_intercept(&svm->vcpu);
- 	}
- 
- 	if (svm->vcpu.guest_debug &
-@@ -3661,7 +3654,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
- 	 */
- 	svm->nmi_singlestep = true;
- 	svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
--	update_db_bp_intercept(vcpu);
- }
- 
- static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
-@@ -4287,7 +4279,7 @@ static struct kvm_x86_ops svm_x86_ops = {
- 	.vcpu_load = svm_vcpu_load,
- 	.vcpu_put = svm_vcpu_put,
- 
--	.update_db_bp_intercept = update_db_bp_intercept,
-+	.update_db_bp_intercept = update_bp_intercept,
- 	.get_msr = svm_get_msr,
- 	.set_msr = svm_set_msr,
- 	.get_segment_base = svm_get_segment_base,
--- 
-cgit v0.11.2
-
diff --git a/main/linux-grsec/net-add-validation-socket-syscall-protocol-argument.patch b/main/linux-grsec/net-add-validation-socket-syscall-protocol-argument.patch
deleted file mode 100644
index 910ac7ccea..0000000000
--- a/main/linux-grsec/net-add-validation-socket-syscall-protocol-argument.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From 79462ad02e861803b3840cc782248c7359451cd9 Mon Sep 17 00:00:00 2001
-From: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date: Mon, 14 Dec 2015 22:03:39 +0100
-Subject: net: add validation for the socket syscall protocol argument
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-郭永刚 reported that one could simply crash the kernel as root by
-using a simple program:
-
-	int socket_fd;
-	struct sockaddr_in addr;
-	addr.sin_port = 0;
-	addr.sin_addr.s_addr = INADDR_ANY;
-	addr.sin_family = 10;
-
-	socket_fd = socket(10,3,0x40000000);
-	connect(socket_fd , &addr,16);
-
-AF_INET, AF_INET6 sockets actually only support 8-bit protocol
-identifiers. inet_sock's skc_protocol field thus is sized accordingly,
-thus larger protocol identifiers simply cut off the higher bits and
-store a zero in the protocol fields.
-
-This could lead to e.g. NULL function pointer because as a result of
-the cut off inet_num is zero and we call down to inet_autobind, which
-is NULL for raw sockets.
-
-kernel: Call Trace:
-kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
-kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
-kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
-kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
-kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
-kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
-kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
-
-I found no particular commit which introduced this problem.
-
-CVE: CVE-2015-8543
-Cc: Cong Wang <cwang@twopensource.com>
-Reported-by: 郭永刚 <guoyonggang@360.cn>
-Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- include/net/sock.h     | 1 +
- net/ax25/af_ax25.c     | 3 +++
- net/decnet/af_decnet.c | 3 +++
- net/ipv4/af_inet.c     | 3 +++
- net/ipv6/af_inet6.c    | 3 +++
- net/irda/af_irda.c     | 3 +++
- 6 files changed, 16 insertions(+)
-
-diff --git a/include/net/sock.h b/include/net/sock.h
-index eaef414..c4205e0 100644
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -403,6 +403,7 @@ struct sock {
- 				sk_no_check_rx : 1,
- 				sk_userlocks : 4,
- 				sk_protocol  : 8,
-+#define SK_PROTOCOL_MAX U8_MAX
- 				sk_type      : 16;
- 	kmemcheck_bitfield_end(flags);
- 	int			sk_wmem_queued;
-diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
-index ae3a47f..fbd0acf 100644
---- a/net/ax25/af_ax25.c
-+++ b/net/ax25/af_ax25.c
-@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
- 	struct sock *sk;
- 	ax25_cb *ax25;
- 
-+	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+		return -EINVAL;
-+
- 	if (!net_eq(net, &init_net))
- 		return -EAFNOSUPPORT;
- 
-diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
-index eebf5ac..13d6b1a 100644
---- a/net/decnet/af_decnet.c
-+++ b/net/decnet/af_decnet.c
-@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
- {
- 	struct sock *sk;
- 
-+	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+		return -EINVAL;
-+
- 	if (!net_eq(net, &init_net))
- 		return -EAFNOSUPPORT;
- 
-diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
-index 11c4ca1..5c5db66 100644
---- a/net/ipv4/af_inet.c
-+++ b/net/ipv4/af_inet.c
-@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
- 	int try_loading_module = 0;
- 	int err;
- 
-+	if (protocol < 0 || protocol >= IPPROTO_MAX)
-+		return -EINVAL;
-+
- 	sock->state = SS_UNCONNECTED;
- 
- 	/* Look for the requested type/protocol pair. */
-diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
-index 8ec0df7..9f5137c 100644
---- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
- 	int try_loading_module = 0;
- 	int err;
- 
-+	if (protocol < 0 || protocol >= IPPROTO_MAX)
-+		return -EINVAL;
-+
- 	/* Look for the requested type/protocol pair. */
- lookup_protocol:
- 	err = -ESOCKTNOSUPPORT;
-diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
-index e6aa48b..923abd6 100644
---- a/net/irda/af_irda.c
-+++ b/net/irda/af_irda.c
-@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
- 	struct sock *sk;
- 	struct irda_sock *self;
- 
-+	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
-+		return -EINVAL;
-+
- 	if (net != &init_net)
- 		return -EAFNOSUPPORT;
- 
--- 
-cgit v0.11.2
-
diff --git a/main/linux-grsec/0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch b/main/linux-grsec/ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
index b3efdfd46d..b3efdfd46d 100644
--- a/main/linux-grsec/0001-ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
+++ b/main/linux-grsec/ovl-fix-getcwd-failure-after-unsuccessful-rmdir.patch
diff --git a/main/linux-grsec/pptp-verify-sockaddr_len.patch b/main/linux-grsec/pptp-verify-sockaddr_len.patch
deleted file mode 100644
index 0f9c1ec3b3..0000000000
--- a/main/linux-grsec/pptp-verify-sockaddr_len.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 Mon Sep 17 00:00:00 2001
-From: WANG Cong <xiyou.wangcong@gmail.com>
-Date: Mon, 14 Dec 2015 13:48:36 -0800
-Subject: pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
-
-Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
-Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- drivers/net/ppp/pptp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
-index fc69e41..597c53e 100644
---- a/drivers/net/ppp/pptp.c
-+++ b/drivers/net/ppp/pptp.c
-@@ -419,6 +419,9 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
- 	struct pptp_opt *opt = &po->proto.pptp;
- 	int error = 0;
- 
-+	if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+		return -EINVAL;
-+
- 	lock_sock(sk);
- 
- 	opt->src_addr = sp->sa_addr.pptp;
-@@ -440,6 +443,9 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
- 	struct flowi4 fl4;
- 	int error = 0;
- 
-+	if (sockaddr_len < sizeof(struct sockaddr_pppox))
-+		return -EINVAL;
-+
- 	if (sp->sa_protocol != PX_PROTO_PPTP)
- 		return -EINVAL;
- 
--- 
-cgit v0.11.2
-
diff --git a/main/linux-grsec/validate-vj-compression-slot-parameters-completely.patch b/main/linux-grsec/validate-vj-compression-slot-parameters-completely.patch
deleted file mode 100644
index 009ff86169..0000000000
--- a/main/linux-grsec/validate-vj-compression-slot-parameters-completely.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From 4ab42d78e37a294ac7bc56901d563c642e03c4ae Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:22:53 +0000
-Subject: ppp, slip: Validate VJ compression slot parameters completely
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently slhc_init() treats out-of-range values of rslots and tslots
-as equivalent to 0, except that if tslots is too large it will
-dereference a null pointer (CVE-2015-7799).
-
-Add a range-check at the top of the function and make it return an
-ERR_PTR() on error instead of NULL.  Change the callers accordingly.
-
-Compile-tested only.
-
-Reported-by: 郭永刚 <guoyonggang@360.cn>
-References: http://article.gmane.org/gmane.comp.security.oss.general/17908
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- drivers/isdn/i4l/isdn_ppp.c   | 10 ++++------
- drivers/net/ppp/ppp_generic.c |  6 ++----
- drivers/net/slip/slhc.c       | 12 ++++++++----
- drivers/net/slip/slip.c       |  2 +-
- 4 files changed, 15 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
-index 86f9abe..9c1e8ad 100644
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file)
- 	 * VJ header compression init
- 	 */
- 	is->slcomp = slhc_init(16, 16);	/* not necessary for 2. link in bundle */
--	if (!is->slcomp) {
-+	if (IS_ERR(is->slcomp)) {
- 		isdn_ppp_ccp_reset_free(is);
--		return -ENOMEM;
-+		return PTR_ERR(is->slcomp);
- 	}
- #endif
- #ifdef CONFIG_IPPP_FILTER
-@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
- 			is->maxcid = val;
- #ifdef CONFIG_ISDN_PPP_VJ
- 			sltmp = slhc_init(16, val);
--			if (!sltmp) {
--				printk(KERN_ERR "ippp, can't realloc slhc struct\n");
--				return -ENOMEM;
--			}
-+			if (IS_ERR(sltmp))
-+				return PTR_ERR(sltmp);
- 			if (is->slcomp)
- 				slhc_free(is->slcomp);
- 			is->slcomp = sltmp;
-diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
-index ed00446..9a863c6 100644
---- a/drivers/net/ppp/ppp_generic.c
-+++ b/drivers/net/ppp/ppp_generic.c
-@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- 			val &= 0xffff;
- 		}
- 		vj = slhc_init(val2+1, val+1);
--		if (!vj) {
--			netdev_err(ppp->dev,
--				   "PPP: no memory (VJ compressor)\n");
--			err = -ENOMEM;
-+		if (IS_ERR(vj)) {
-+			err = PTR_ERR(vj);
- 			break;
- 		}
- 		ppp_lock(ppp);
-diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
-index 079f7ad..27ed252 100644
---- a/drivers/net/slip/slhc.c
-+++ b/drivers/net/slip/slhc.c
-@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
- static unsigned char * put16(unsigned char *cp, unsigned short x);
- static unsigned short pull16(unsigned char **cpp);
- 
--/* Initialize compression data structure
-+/* Allocate compression data structure
-  *	slots must be in range 0 to 255 (zero meaning no compression)
-+ * Returns pointer to structure or ERR_PTR() on error.
-  */
- struct slcompress *
- slhc_init(int rslots, int tslots)
-@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
- 	register struct cstate *ts;
- 	struct slcompress *comp;
- 
-+	if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
-+		return ERR_PTR(-EINVAL);
-+
- 	comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
- 	if (! comp)
- 		goto out_fail;
- 
--	if ( rslots > 0  &&  rslots < 256 ) {
-+	if (rslots > 0) {
- 		size_t rsize = rslots * sizeof(struct cstate);
- 		comp->rstate = kzalloc(rsize, GFP_KERNEL);
- 		if (! comp->rstate)
-@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
- 		comp->rslot_limit = rslots - 1;
- 	}
- 
--	if ( tslots > 0  &&  tslots < 256 ) {
-+	if (tslots > 0) {
- 		size_t tsize = tslots * sizeof(struct cstate);
- 		comp->tstate = kzalloc(tsize, GFP_KERNEL);
- 		if (! comp->tstate)
-@@ -141,7 +145,7 @@ out_free2:
- out_free:
- 	kfree(comp);
- out_fail:
--	return NULL;
-+	return ERR_PTR(-ENOMEM);
- }
- 
- 
-diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
-index 05387b1..a17d86a 100644
---- a/drivers/net/slip/slip.c
-+++ b/drivers/net/slip/slip.c
-@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu)
- 	if (cbuff == NULL)
- 		goto err_exit;
- 	slcomp = slhc_init(16, 16);
--	if (slcomp == NULL)
-+	if (IS_ERR(slcomp))
- 		goto err_exit;
- #endif
- 	spin_lock_bh(&sl->lock);
--- 
-cgit v0.11.2
-
diff --git a/main/linux-grsec/via-velocity-length-check.patch b/main/linux-grsec/via-velocity-length-check.patch
new file mode 100644
index 0000000000..163bf54494
--- /dev/null
+++ b/main/linux-grsec/via-velocity-length-check.patch
@@ -0,0 +1,86 @@
+From patchwork Mon Nov 16 12:36:32 2015
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: via-velocity: unconditionally drop frames with bad l2 length
+From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi>
+X-Patchwork-Id: 544990
+Message-Id: <1447677392-17400-1-git-send-email-timo.teras@iki.fi>
+To: Francois Romieu <romieu@fr.zoreil.com>, netdev@vger.kernel.org
+Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 16 Nov 2015 14:36:32 +0200
+
+By default the driver allowed incorrect frames to be received. What is
+worse the code does not handle very short frames correctly. The FCS
+length is unconditionally subtracted, and the underflow can cause
+skb_put to be called with large number after implicit cast to unsigned.
+And indeed, an skb_over_panic() was observed with via-velocity.
+
+This removes the module parameter as it does not work in it's
+current state, and should be implemented via NETIF_F_RXALL if needed.
+
+Suggested-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+Francois, is this something like you had in mind? I can try give this
+a test spin in the known bad location, if this looks otherwise ok.
+
+ drivers/net/ethernet/via/via-velocity.c | 24 +++---------------------
+ 1 file changed, 3 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/ethernet/via/via-velocity.c b/drivers/net/ethernet/via/via-velocity.c
+index a43e849..03ce386 100644
+--- a/drivers/net/ethernet/via/via-velocity.c
++++ b/drivers/net/ethernet/via/via-velocity.c
+@@ -345,13 +345,6 @@ VELOCITY_PARAM(flow_control, "Enable flow control ability");
+ */
+ VELOCITY_PARAM(speed_duplex, "Setting the speed and duplex mode");
+ 
+-#define VAL_PKT_LEN_DEF     0
+-/* ValPktLen[] is used for setting the checksum offload ability of NIC.
+-   0: Receive frame with invalid layer 2 length (Default)
+-   1: Drop frame with invalid layer 2 length
+-*/
+-VELOCITY_PARAM(ValPktLen, "Receiving or Drop invalid 802.3 frame");
+-
+ #define WOL_OPT_DEF     0
+ #define WOL_OPT_MIN     0
+ #define WOL_OPT_MAX     7
+@@ -494,7 +487,6 @@ static void velocity_get_options(struct velocity_opt *opts, int index,
+ 
+ 	velocity_set_int_opt(&opts->flow_cntl, flow_control[index], FLOW_CNTL_MIN, FLOW_CNTL_MAX, FLOW_CNTL_DEF, "flow_control", devname);
+ 	velocity_set_bool_opt(&opts->flags, IP_byte_align[index], IP_ALIG_DEF, VELOCITY_FLAGS_IP_ALIGN, "IP_byte_align", devname);
+-	velocity_set_bool_opt(&opts->flags, ValPktLen[index], VAL_PKT_LEN_DEF, VELOCITY_FLAGS_VAL_PKT_LEN, "ValPktLen", devname);
+ 	velocity_set_int_opt((int *) &opts->spd_dpx, speed_duplex[index], MED_LNK_MIN, MED_LNK_MAX, MED_LNK_DEF, "Media link mode", devname);
+ 	velocity_set_int_opt(&opts->wol_opts, wol_opts[index], WOL_OPT_MIN, WOL_OPT_MAX, WOL_OPT_DEF, "Wake On Lan options", devname);
+ 	opts->numrx = (opts->numrx & ~3);
+@@ -2055,8 +2047,9 @@ static int velocity_receive_frame(struct velocity_info *vptr, int idx)
+ 	int pkt_len = le16_to_cpu(rd->rdesc0.len) & 0x3fff;
+ 	struct sk_buff *skb;
+ 
+-	if (rd->rdesc0.RSR & (RSR_STP | RSR_EDP)) {
+-		VELOCITY_PRT(MSG_LEVEL_VERBOSE, KERN_ERR " %s : the received frame spans multiple RDs.\n", vptr->netdev->name);
++	if (unlikely(rd->rdesc0.RSR & (RSR_STP | RSR_EDP | RSR_RL))) {
++		if (rd->rdesc0.RSR & (RSR_STP | RSR_EDP))
++			VELOCITY_PRT(MSG_LEVEL_VERBOSE, KERN_ERR " %s : the received frame spans multiple RDs.\n", vptr->netdev->name);
+ 		stats->rx_length_errors++;
+ 		return -EINVAL;
+ 	}
+@@ -2069,17 +2062,6 @@ static int velocity_receive_frame(struct velocity_info *vptr, int idx)
+ 	dma_sync_single_for_cpu(vptr->dev, rd_info->skb_dma,
+ 				    vptr->rx.buf_sz, DMA_FROM_DEVICE);
+ 
+-	/*
+-	 *	Drop frame not meeting IEEE 802.3
+-	 */
+-
+-	if (vptr->flags & VELOCITY_FLAGS_VAL_PKT_LEN) {
+-		if (rd->rdesc0.RSR & RSR_RL) {
+-			stats->rx_length_errors++;
+-			return -EINVAL;
+-		}
+-	}
+-
+ 	velocity_rx_csum(rd, skb);
+ 
+ 	if (velocity_rx_copy(&skb, pkt_len, vptr) < 0) {
diff --git a/main/linux-grsec/vivid-osd-fix-info-leak-in-ioctl.patch b/main/linux-grsec/vivid-osd-fix-info-leak-in-ioctl.patch
deleted file mode 100644
index 1ca7a993f2..0000000000
--- a/main/linux-grsec/vivid-osd-fix-info-leak-in-ioctl.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From eda98796aff0d9bf41094b06811f5def3b4c333c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
-Date: Wed, 7 Oct 2015 07:09:26 -0300
-Subject: [media] media/vivid-osd: fix info leak in ioctl
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
-struct fb_vblank after the ->hcount member. Add an explicit
-memset(0) before filling the structure to avoid the info leak.
-
-Signed-off-by: Salva Peiró <speirofr@gmail.com>
-Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
----
- drivers/media/platform/vivid/vivid-osd.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
-index 084d346..e15eef6 100644
---- a/drivers/media/platform/vivid/vivid-osd.c
-+++ b/drivers/media/platform/vivid/vivid-osd.c
-@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
- 	case FBIOGET_VBLANK: {
- 		struct fb_vblank vblank;
- 
-+		memset(&vblank, 0, sizeof(vblank));
- 		vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
- 			FB_VBLANK_HAVE_VSYNC;
- 		vblank.count = 0;
--- 
-cgit v0.11.2
-