aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/linux-grsec/APKBUILD18
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.9.9-201307050017.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch)706
2 files changed, 360 insertions, 364 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 7e148c4015..832099d91f 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,12 +2,12 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.9.8
+pkgver=3.9.9
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=1
+pkgrel=0
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.9.8-201306302052.patch
+ grsecurity-2.9.1-3.9.9-201307050017.patch
0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
@@ -149,8 +149,8 @@ dev() {
}
md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
-c5f2166686a913abf550bfed8b77df27 patch-3.9.8.xz
-647f77555169969b4245c62c0fd0f1ab grsecurity-2.9.1-3.9.8-201306302052.patch
+41f350c2fd6aa14414bf39f173a8e6a3 patch-3.9.9.xz
+f3b3db991845d216a1f60921f5fd650e grsecurity-2.9.1-3.9.9-201307050017.patch
a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -160,8 +160,8 @@ aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-p
d89089b3c7eb94dd9f65cf8a357fc36d kernelconfig.x86
eb147f09fef5996a488c247790205cd6 kernelconfig.x86_64"
sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
-2eda9068e81269467e3c247f3343a146731fc45284b12b4bc546bc44dbb263e7 patch-3.9.8.xz
-b111346072b7907d3a284f12a08c490cbfe35592537bc59442014c95080c3a33 grsecurity-2.9.1-3.9.8-201306302052.patch
+4ae653db69190a10b842f05c19499a528ae29898e4f2dfbdb420ef5d26112f3b patch-3.9.9.xz
+d864bb3e745101f5a624a2b716a03ec1b5dc31e4b3ddec6c9741426bcbbd1e53 grsecurity-2.9.1-3.9.9-201307050017.patch
6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -171,8 +171,8 @@ fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use-
de3c17420664ae4e52826c6e602aade0deeae94f72253f85b3e48771491ed5d6 kernelconfig.x86
e1cce320f207cc2ba72b9d154c7060c8cbed52c664319dfd21f24e8956d0bf3e kernelconfig.x86_64"
sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
-60b7d694d39faf937e7b732eb3117b8442059c5c8857c9d439eec8a87d5bc185505e64062f5ae02c3512acf5af778caf615c35d3499cb8089a4569c05da65b9c patch-3.9.8.xz
-81912f5c19b8bc891a1ad8ed57bfe91d79c6c301410eb4ef9e58f57caefba2661d9732b306d695e712fd8e7c9b5bbb67659759fade26f4ec853d9cb96d347df9 grsecurity-2.9.1-3.9.8-201306302052.patch
+51fa4e20b23c9900078e90ace0c4cc38e419e5028a88b63443fafa66c07ad28aab77cb0f56ceb9c8416bfde848ceba64e95f608f0f64ab4634386a161cbc7994 patch-3.9.9.xz
+a16dde6d53649aecfa9eb47b969dbc5d147909c48191cc44a666c8f946181688344ac7512330e08fc47c48073010dd4154aac7b572d6301acaf39f5ad6e1b0df grsecurity-2.9.1-3.9.9-201307050017.patch
81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.9-201307050017.patch
index 9c80933310..1ae3c82aef 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.9.9-201307050017.patch
@@ -263,7 +263,7 @@ index 8ccbf27..afffeb4 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index b013cbe..4ca639b 100644
+index 9591325..1457ef3 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1475,7 +1475,7 @@ index 75fe66b..ba3dee4 100644
#endif
diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
-index e1489c5..d418304 100644
+index 738fcba..7a43500 100644
--- a/arch/arm/include/asm/cacheflush.h
+++ b/arch/arm/include/asm/cacheflush.h
@@ -116,7 +116,7 @@ struct cpu_cache_fns {
@@ -2102,7 +2102,7 @@ index cddda1f..ff357f7 100644
/*
* Change these and you break ASM code in entry-common.S
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
-index 7e1f760..752fcb7 100644
+index 7e1f760..510061e 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -18,6 +18,7 @@
@@ -2113,15 +2113,21 @@ index 7e1f760..752fcb7 100644
#define VERIFY_READ 0
#define VERIFY_WRITE 1
-@@ -60,10 +61,34 @@ extern int __put_user_bad(void);
- #define USER_DS TASK_SIZE
- #define get_fs() (current_thread_info()->addr_limit)
+@@ -63,11 +64,35 @@ extern int __put_user_bad(void);
+ static inline void set_fs(mm_segment_t fs)
+ {
+ current_thread_info()->addr_limit = fs;
+- modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
++ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER);
+ }
+
+ #define segment_eq(a,b) ((a) == (b))
+static inline void pax_open_userland(void)
+{
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if (get_fs() == USER_DS) {
++ if (segment_eq(get_fs(), USER_DS) {
+ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF));
+ modify_domain(DOMAIN_USER, DOMAIN_UDEREF);
+ }
@@ -2133,7 +2139,7 @@ index 7e1f760..752fcb7 100644
+{
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
-+ if (get_fs() == USER_DS) {
++ if (segment_eq(get_fs(), USER_DS) {
+ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS));
+ modify_domain(DOMAIN_USER, DOMAIN_NOACCESS);
+ }
@@ -2141,14 +2147,9 @@ index 7e1f760..752fcb7 100644
+
+}
+
- static inline void set_fs(mm_segment_t fs)
- {
- current_thread_info()->addr_limit = fs;
-- modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
-+ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER);
- }
-
- #define segment_eq(a,b) ((a) == (b))
+ #define __addr_ok(addr) ({ \
+ unsigned long flag; \
+ __asm__("cmp %2, %0; movlo %0, #0" \
@@ -143,8 +168,12 @@ extern int __get_user_4(void *);
#define get_user(x,p) \
@@ -2295,9 +2296,18 @@ index 96ee092..37f1844 100644
#define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */
diff --git a/arch/arm/kernel/armksyms.c b/arch/arm/kernel/armksyms.c
-index 60d3b73..d27ee09 100644
+index 60d3b73..e5a0f22 100644
--- a/arch/arm/kernel/armksyms.c
+++ b/arch/arm/kernel/armksyms.c
+@@ -53,7 +53,7 @@ EXPORT_SYMBOL(arm_delay_ops);
+
+ /* networking */
+ EXPORT_SYMBOL(csum_partial);
+-EXPORT_SYMBOL(csum_partial_copy_from_user);
++EXPORT_SYMBOL(__csum_partial_copy_from_user);
+ EXPORT_SYMBOL(csum_partial_copy_nocheck);
+ EXPORT_SYMBOL(__csum_ipv6_magic);
+
@@ -89,9 +89,9 @@ EXPORT_SYMBOL(__memzero);
#ifdef CONFIG_MMU
EXPORT_SYMBOL(copy_page);
@@ -3453,7 +3463,7 @@ index bddce2b..3eb04e2 100644
extern void ux500_cpu_die(unsigned int cpu);
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
-index 4045c49..4e26c79 100644
+index 4045c49..0263c07 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -425,7 +425,7 @@ config CPU_32v5
@@ -3461,7 +3471,7 @@ index 4045c49..4e26c79 100644
config CPU_32v6
bool
- select CPU_USE_DOMAINS if CPU_V6 && MMU
-+ select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC
++ select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
select TLS_REG_EMUL if !CPU_32v6K && !MMU
config CPU_32v6K
@@ -11545,7 +11555,7 @@ index cf1a471..3bc4cf8 100644
err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
-index 474dc1b..be7bff5 100644
+index 474dc1b..24aaa3e 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -15,8 +15,10 @@
@@ -11583,11 +11593,11 @@ index 474dc1b..be7bff5 100644
+#endif
+ .endm
+
-+.macro pax_erase_kstack
++ .macro pax_erase_kstack
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
+ call pax_erase_kstack
+#endif
-+.endm
++ .endm
+
/*
* 32bit SYSENTER instruction entry.
@@ -14091,6 +14101,18 @@ index c0fa356..07a498a 100644
void unregister_nmi_handler(unsigned int, const char *);
+diff --git a/arch/x86/include/asm/page.h b/arch/x86/include/asm/page.h
+index c878924..21f4889 100644
+--- a/arch/x86/include/asm/page.h
++++ b/arch/x86/include/asm/page.h
+@@ -52,6 +52,7 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr,
+ __phys_addr_symbol(__phys_reloc_hide((unsigned long)(x)))
+
+ #define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET))
++#define __early_va(x) ((void *)((unsigned long)(x)+__START_KERNEL_map - phys_base))
+
+ #define __boot_va(x) __va(x)
+ #define __boot_pa(x) __pa(x)
diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
index 0f1ddee..e2fc3d1 100644
--- a/arch/x86/include/asm/page_64.h
@@ -18228,7 +18250,7 @@ index 9b9f18b..9fcaa04 100644
#include <asm/processor.h>
#include <asm/fcntl.h>
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index 8f3e2de..934870f 100644
+index 8f3e2de..caecc4e 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -177,13 +177,153 @@
@@ -18326,11 +18348,11 @@ index 8f3e2de..934870f 100644
+ENDPROC(pax_exit_kernel)
+#endif
+
-+.macro pax_erase_kstack
++ .macro pax_erase_kstack
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
+ call pax_erase_kstack
+#endif
-+.endm
++ .endm
+
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
+/*
@@ -18988,7 +19010,7 @@ index 8f3e2de..934870f 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index c1d01e6..7f633850 100644
+index c1d01e6..a88cf02 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -59,6 +59,8 @@
@@ -19326,11 +19348,11 @@ index c1d01e6..7f633850 100644
+#endif
+ .endm
+
-+.macro pax_erase_kstack
++ .macro pax_erase_kstack
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
+ call pax_erase_kstack
+#endif
-+.endm
++ .endm
+
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
+ENTRY(pax_erase_kstack)
@@ -19900,9 +19922,12 @@ index c1d01e6..7f633850 100644
apicinterrupt HYPERVISOR_CALLBACK_VECTOR \
xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1498,16 +1907,31 @@ ENTRY(paranoid_exit)
+@@ -1496,18 +1905,33 @@ ENTRY(paranoid_exit)
+ DEFAULT_FRAME
+ DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF_DEBUG
- testl %ebx,%ebx /* swapgs needed? */
+- testl %ebx,%ebx /* swapgs needed? */
++ testl $1,%ebx /* swapgs needed? */
jnz paranoid_restore
- testl $3,CS(%rsp)
+ testb $3,CS(%rsp)
@@ -19966,6 +19991,15 @@ index c1d01e6..7f633850 100644
/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
+@@ -1606,7 +2031,7 @@ ENTRY(error_exit)
+ DISABLE_INTERRUPTS(CLBR_NONE)
+ TRACE_IRQS_OFF
+ GET_THREAD_INFO(%rcx)
+- testl %eax,%eax
++ testl $1,%eax
+ jne retint_kernel
+ LOCKDEP_SYS_EXIT_IRQ
+ movl TI_flags(%rcx),%edx
@@ -1615,7 +2040,7 @@ ENTRY(error_exit)
jnz retint_careful
jmp retint_swapgs
@@ -20118,9 +20152,50 @@ index 42a392a..fbbd930 100644
return -EFAULT;
diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
-index 8f3201d..aa860bf 100644
+index 8f3201d..6898c0c 100644
--- a/arch/x86/kernel/head64.c
+++ b/arch/x86/kernel/head64.c
+@@ -67,12 +67,12 @@ again:
+ pgd = *pgd_p;
+
+ /*
+- * The use of __START_KERNEL_map rather than __PAGE_OFFSET here is
+- * critical -- __PAGE_OFFSET would point us back into the dynamic
++ * The use of __early_va rather than __va here is critical:
++ * __va would point us back into the dynamic
+ * range and we might end up looping forever...
+ */
+ if (pgd)
+- pud_p = (pudval_t *)((pgd & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
++ pud_p = (pudval_t *)(__early_va(pgd & PTE_PFN_MASK));
+ else {
+ if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
+ reset_early_page_tables();
+@@ -82,13 +82,13 @@ again:
+ pud_p = (pudval_t *)early_dynamic_pgts[next_early_pgt++];
+ for (i = 0; i < PTRS_PER_PUD; i++)
+ pud_p[i] = 0;
+- *pgd_p = (pgdval_t)pud_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
++ *pgd_p = (pgdval_t)__pa(pud_p) + _KERNPG_TABLE;
+ }
+ pud_p += pud_index(address);
+ pud = *pud_p;
+
+ if (pud)
+- pmd_p = (pmdval_t *)((pud & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
++ pmd_p = (pmdval_t *)(__early_va(pud & PTE_PFN_MASK));
+ else {
+ if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
+ reset_early_page_tables();
+@@ -98,7 +98,7 @@ again:
+ pmd_p = (pmdval_t *)early_dynamic_pgts[next_early_pgt++];
+ for (i = 0; i < PTRS_PER_PMD; i++)
+ pmd_p[i] = 0;
+- *pud_p = (pudval_t)pmd_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
++ *pud_p = (pudval_t)__pa(pmd_p) + _KERNPG_TABLE;
+ }
+ pmd = (physaddr & PMD_MASK) + early_pmd_flags;
+ pmd_p[pmd_index(address)] = pmd;
@@ -175,7 +175,6 @@ void __init x86_64_start_kernel(char * real_mode_data)
if (console_loglevel == 10)
early_printk("Kernel alive\n");
@@ -20562,7 +20637,7 @@ index 73afd11..d1670f5 100644
+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
+ .endr
diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index 321d65e..7830f05 100644
+index 321d65e..ad8817d 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -20,6 +20,8 @@
@@ -20587,23 +20662,34 @@ index 321d65e..7830f05 100644
.text
__HEAD
-@@ -89,11 +97,15 @@ startup_64:
+@@ -89,11 +97,23 @@ startup_64:
* Fixup the physical addresses in the page table
*/
addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip)
++ addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
+ addq %rbp, init_level4_pgt + (L4_VMALLOC_END*8)(%rip)
+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
++ addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
+- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
+- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
++ addq %rbp, level3_ident_pgt + (0*8)(%rip)
++#ifndef CONFIG_XEN
++ addq %rbp, level3_ident_pgt + (1*8)(%rip)
++#endif
- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
+- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
++ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
++
++ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
++ addq %rbp, level3_kernel_pgt + ((L3_START_KERNEL+1)*8)(%rip)
++
+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
/*
* Set up the identity mapping for the switchover. These
-@@ -177,8 +189,8 @@ ENTRY(secondary_startup_64)
+@@ -177,8 +197,8 @@ ENTRY(secondary_startup_64)
movq $(init_level4_pgt - __START_KERNEL_map), %rax
1:
@@ -20614,7 +20700,7 @@ index 321d65e..7830f05 100644
movq %rcx, %cr4
/* Setup early boot stage 4 level pagetables. */
-@@ -199,10 +211,18 @@ ENTRY(secondary_startup_64)
+@@ -199,10 +219,18 @@ ENTRY(secondary_startup_64)
movl $MSR_EFER, %ecx
rdmsr
btsl $_EFER_SCE, %eax /* Enable System Call */
@@ -20634,7 +20720,7 @@ index 321d65e..7830f05 100644
1: wrmsr /* Make changes effective */
/* Setup cr0 */
-@@ -282,6 +302,7 @@ ENTRY(secondary_startup_64)
+@@ -282,6 +310,7 @@ ENTRY(secondary_startup_64)
* REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
* address given in m16:64.
*/
@@ -20642,7 +20728,7 @@ index 321d65e..7830f05 100644
movq initial_code(%rip),%rax
pushq $0 # fake return address to stop unwinder
pushq $__KERNEL_CS # set correct cs
-@@ -388,7 +409,7 @@ ENTRY(early_idt_handler)
+@@ -388,7 +417,7 @@ ENTRY(early_idt_handler)
call dump_stack
#ifdef CONFIG_KALLSYMS
leaq early_idt_ripmsg(%rip),%rdi
@@ -20651,7 +20737,7 @@ index 321d65e..7830f05 100644
call __print_symbol
#endif
#endif /* EARLY_PRINTK */
-@@ -416,6 +437,7 @@ ENDPROC(early_idt_handler)
+@@ -416,6 +445,7 @@ ENDPROC(early_idt_handler)
early_recursion_flag:
.long 0
@@ -20659,9 +20745,12 @@ index 321d65e..7830f05 100644
#ifdef CONFIG_EARLY_PRINTK
early_idt_msg:
.asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
-@@ -445,27 +467,50 @@ NEXT_PAGE(early_dynamic_pgts)
+@@ -443,29 +473,52 @@ NEXT_PAGE(early_level4_pgt)
+ NEXT_PAGE(early_dynamic_pgts)
+ .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
- .data
+- .data
++ .section .rodata,"a",@progbits
-#ifndef CONFIG_XEN
NEXT_PAGE(init_level4_pgt)
@@ -20718,7 +20807,7 @@ index 321d65e..7830f05 100644
NEXT_PAGE(level3_kernel_pgt)
.fill L3_START_KERNEL,8,0
-@@ -473,6 +518,9 @@ NEXT_PAGE(level3_kernel_pgt)
+@@ -473,6 +526,9 @@ NEXT_PAGE(level3_kernel_pgt)
.quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
.quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
@@ -20728,7 +20817,7 @@ index 321d65e..7830f05 100644
NEXT_PAGE(level2_kernel_pgt)
/*
* 512 MB kernel mapping. We spend a full page on this pagetable
-@@ -488,39 +536,64 @@ NEXT_PAGE(level2_kernel_pgt)
+@@ -488,39 +544,64 @@ NEXT_PAGE(level2_kernel_pgt)
KERNEL_IMAGE_SIZE/PMD_SIZE)
NEXT_PAGE(level2_fixmap_pgt)
@@ -28081,7 +28170,7 @@ index ae1aa71..d9bea75 100644
#endif /*HAVE_ARCH_HUGETLB_UNMAPPED_AREA*/
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index 0c13708..689fe7f 100644
+index 0c13708..ca05f23 100644
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -4,6 +4,7 @@
@@ -28101,7 +28190,23 @@ index 0c13708..689fe7f 100644
#include "mm_internal.h"
-@@ -464,10 +467,40 @@ void __init init_mem_mapping(void)
+@@ -448,7 +451,15 @@ void __init init_mem_mapping(void)
+ early_ioremap_page_table_range_init();
+ #endif
+
++#ifdef CONFIG_PAX_PER_CPU_PGD
++ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ KERNEL_PGD_PTRS);
++ load_cr3(get_cpu_pgd(0));
++#else
+ load_cr3(swapper_pg_dir);
++#endif
++
+ __flush_tlb_all();
+
+ early_memtest(0, max_pfn_mapped << PAGE_SHIFT);
+@@ -464,10 +475,40 @@ void __init init_mem_mapping(void)
* Access has to be given to non-kernel-ram areas as well, these contain the PCI
* mmio resources as well as potential bios/acpi data regions.
*/
@@ -28143,7 +28248,7 @@ index 0c13708..689fe7f 100644
if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
return 0;
if (!page_is_ram(pagenr))
-@@ -524,8 +557,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
+@@ -524,8 +565,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
#endif
}
@@ -28262,7 +28367,7 @@ index 0c13708..689fe7f 100644
(unsigned long)(&__init_begin),
(unsigned long)(&__init_end));
diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
-index 2d19001..6a1046c 100644
+index 2d19001..e549d98 100644
--- a/arch/x86/mm/init_32.c
+++ b/arch/x86/mm/init_32.c
@@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void);
@@ -28476,20 +28581,7 @@ index 2d19001..6a1046c 100644
EXPORT_SYMBOL_GPL(__supported_pte_mask);
/* user-defined highmem size */
-@@ -752,6 +754,12 @@ void __init mem_init(void)
-
- pci_iommu_alloc();
-
-+#ifdef CONFIG_PAX_PER_CPU_PGD
-+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
-+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
-+ KERNEL_PGD_PTRS);
-+#endif
-+
- #ifdef CONFIG_FLATMEM
- BUG_ON(!mem_map);
- #endif
-@@ -780,7 +788,7 @@ void __init mem_init(void)
+@@ -780,7 +782,7 @@ void __init mem_init(void)
after_bootmem = 1;
codesize = (unsigned long) &_etext - (unsigned long) &_text;
@@ -28498,7 +28590,7 @@ index 2d19001..6a1046c 100644
initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
-@@ -821,10 +829,10 @@ void __init mem_init(void)
+@@ -821,10 +823,10 @@ void __init mem_init(void)
((unsigned long)&__init_end -
(unsigned long)&__init_begin) >> 10,
@@ -28512,7 +28604,7 @@ index 2d19001..6a1046c 100644
((unsigned long)&_etext - (unsigned long)&_text) >> 10);
/*
-@@ -914,6 +922,7 @@ void set_kernel_text_rw(void)
+@@ -914,6 +916,7 @@ void set_kernel_text_rw(void)
if (!kernel_set_to_readonly)
return;
@@ -28520,7 +28612,7 @@ index 2d19001..6a1046c 100644
pr_debug("Set kernel text: %lx - %lx for read write\n",
start, start+size);
-@@ -928,6 +937,7 @@ void set_kernel_text_ro(void)
+@@ -928,6 +931,7 @@ void set_kernel_text_ro(void)
if (!kernel_set_to_readonly)
return;
@@ -28528,7 +28620,7 @@ index 2d19001..6a1046c 100644
pr_debug("Set kernel text: %lx - %lx for read only\n",
start, start+size);
-@@ -956,6 +966,7 @@ void mark_rodata_ro(void)
+@@ -956,6 +960,7 @@ void mark_rodata_ro(void)
unsigned long start = PFN_ALIGN(_text);
unsigned long size = PFN_ALIGN(_etext) - start;
@@ -28537,7 +28629,7 @@ index 2d19001..6a1046c 100644
printk(KERN_INFO "Write protecting the kernel text: %luk\n",
size >> 10);
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 474e28f..647dd12 100644
+index 474e28f..f016b6e 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -150,7 +150,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -28654,20 +28746,7 @@ index 474e28f..647dd12 100644
spin_unlock(&init_mm.page_table_lock);
pgd_changed = true;
}
-@@ -1065,6 +1079,12 @@ void __init mem_init(void)
-
- pci_iommu_alloc();
-
-+#ifdef CONFIG_PAX_PER_CPU_PGD
-+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
-+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
-+ KERNEL_PGD_PTRS);
-+#endif
-+
- /* clear_bss() already clear the empty_zero_page */
-
- reservedpages = 0;
-@@ -1224,8 +1244,8 @@ int kern_addr_valid(unsigned long addr)
+@@ -1224,8 +1238,8 @@ int kern_addr_valid(unsigned long addr)
static struct vm_area_struct gate_vma = {
.vm_start = VSYSCALL_START,
.vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
@@ -28678,7 +28757,7 @@ index 474e28f..647dd12 100644
};
struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
-@@ -1259,7 +1279,7 @@ int in_gate_area_no_mm(unsigned long addr)
+@@ -1259,7 +1273,7 @@ int in_gate_area_no_mm(unsigned long addr)
const char *arch_vma_name(struct vm_area_struct *vma)
{
@@ -30390,7 +30469,7 @@ index c77b24a..c979855 100644
}
EXPORT_SYMBOL(pcibios_set_irq_routing);
diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
-index 40e4469..1ab536e 100644
+index 40e4469..0592924 100644
--- a/arch/x86/platform/efi/efi_32.c
+++ b/arch/x86/platform/efi/efi_32.c
@@ -44,11 +44,22 @@ void efi_call_phys_prelog(void)
@@ -30416,7 +30495,7 @@ index 40e4469..1ab536e 100644
gdt_descr.address = __pa(get_cpu_gdt_table(0));
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
-@@ -58,6 +69,14 @@ void efi_call_phys_epilog(void)
+@@ -58,11 +69,24 @@ void efi_call_phys_epilog(void)
{
struct desc_ptr gdt_descr;
@@ -30431,6 +30510,44 @@ index 40e4469..1ab536e 100644
gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
+
++#ifdef CONFIG_PAX_PER_CPU_PGD
++ load_cr3(get_cpu_pgd(smp_processor_id()));
++#else
+ load_cr3(swapper_pg_dir);
++#endif
++
+ __flush_tlb_all();
+
+ local_irq_restore(efi_rt_eflags);
+diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
+index 2b20038..eaf558f 100644
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -75,6 +75,11 @@ void __init efi_call_phys_prelog(void)
+ vaddress = (unsigned long)__va(pgd * PGDIR_SIZE);
+ set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress));
+ }
++
++#ifdef CONFIG_PAX_PER_CPU_PGD
++ load_cr3(swapper_pg_dir);
++#endif
++
+ __flush_tlb_all();
+ }
+
+@@ -88,6 +93,11 @@ void __init efi_call_phys_epilog(void)
+ for (pgd = 0; pgd < n_pgds; pgd++)
+ set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), save_pgd[pgd]);
+ kfree(save_pgd);
++
++#ifdef CONFIG_PAX_PER_CPU_PGD
++ load_cr3(get_cpu_pgd(smp_processor_id()));
++#endif
++
+ __flush_tlb_all();
+ local_irq_restore(efi_flags);
+ early_code_mapping_set_exec(0);
diff --git a/arch/x86/platform/efi/efi_stub_32.S b/arch/x86/platform/efi/efi_stub_32.S
index fbe66e6..eae5e38 100644
--- a/arch/x86/platform/efi/efi_stub_32.S
@@ -31988,7 +32105,7 @@ index 34c8216..f56c828 100644
unsigned long timeout_msec)
{
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index cf15aee..e0b7078 100644
+index 8038ee3..a19a6e6 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4792,7 +4792,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
@@ -37624,10 +37741,10 @@ index b972d43..8943713 100644
/**
diff --git a/drivers/iommu/irq_remapping.c b/drivers/iommu/irq_remapping.c
-index 7c11ff3..a2a0457 100644
+index dcfea4e..f4226b2 100644
--- a/drivers/iommu/irq_remapping.c
+++ b/drivers/iommu/irq_remapping.c
-@@ -348,7 +348,7 @@ int setup_hpet_msi_remapped(unsigned int irq, unsigned int id)
+@@ -354,7 +354,7 @@ int setup_hpet_msi_remapped(unsigned int irq, unsigned int id)
void panic_if_irq_remap(const char *msg)
{
if (irq_remapping_enabled)
@@ -37636,7 +37753,7 @@ index 7c11ff3..a2a0457 100644
}
static void ir_ack_apic_edge(struct irq_data *data)
-@@ -369,10 +369,12 @@ static void ir_print_prefix(struct irq_data *data, struct seq_file *p)
+@@ -375,10 +375,12 @@ static void ir_print_prefix(struct irq_data *data, struct seq_file *p)
void irq_remap_modify_chip_defaults(struct irq_chip *chip)
{
@@ -40388,62 +40505,6 @@ index a4fe5f1..6c9e77f 100644
.kind = "vxlan",
.maxtype = IFLA_VXLAN_MAX,
.policy = vxlan_policy,
-diff --git a/drivers/net/wan/dlci.c b/drivers/net/wan/dlci.c
-index 147614e..6a8a382 100644
---- a/drivers/net/wan/dlci.c
-+++ b/drivers/net/wan/dlci.c
-@@ -384,21 +384,37 @@ static int dlci_del(struct dlci_add *dlci)
- struct frad_local *flp;
- struct net_device *master, *slave;
- int err;
-+ bool found = false;
-+
-+ rtnl_lock();
-
- /* validate slave device */
- master = __dev_get_by_name(&init_net, dlci->devname);
-- if (!master)
-- return -ENODEV;
-+ if (!master) {
-+ err = -ENODEV;
-+ goto out;
-+ }
-+
-+ list_for_each_entry(dlp, &dlci_devs, list) {
-+ if (dlp->master == master) {
-+ found = true;
-+ break;
-+ }
-+ }
-+ if (!found) {
-+ err = -ENODEV;
-+ goto out;
-+ }
-
- if (netif_running(master)) {
-- return -EBUSY;
-+ err = -EBUSY;
-+ goto out;
- }
-
- dlp = netdev_priv(master);
- slave = dlp->slave;
- flp = netdev_priv(slave);
-
-- rtnl_lock();
- err = (*flp->deassoc)(slave, master);
- if (!err) {
- list_del(&dlp->list);
-@@ -407,8 +423,8 @@ static int dlci_del(struct dlci_add *dlci)
-
- dev_put(slave);
- }
-+out:
- rtnl_unlock();
--
- return err;
- }
-
diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
index 5ac5f7a..5f82012 100644
--- a/drivers/net/wireless/at76c50x-usb.c
@@ -50560,7 +50621,7 @@ index 6a16053..2155147 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
-index 6d56ff2..f65b4ca 100644
+index 0d5c76f..3d4585e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,8 +55,20 @@
@@ -50584,7 +50645,7 @@ index 6d56ff2..f65b4ca 100644
#include <asm/mmu_context.h>
#include <asm/tlb.h>
-@@ -66,6 +78,18 @@
+@@ -66,17 +78,32 @@
#include <trace/events/sched.h>
@@ -50603,7 +50664,12 @@ index 6d56ff2..f65b4ca 100644
int suid_dumpable = 0;
static LIST_HEAD(formats);
-@@ -75,8 +99,8 @@ void __register_binfmt(struct linux_binfmt * fmt, int insert)
+ static DEFINE_RWLOCK(binfmt_lock);
+
++extern int gr_process_kernel_exec_ban(void);
++extern int gr_process_suid_exec_ban(const struct linux_binprm *bprm);
++
+ void __register_binfmt(struct linux_binfmt * fmt, int insert)
{
BUG_ON(!fmt);
write_lock(&binfmt_lock);
@@ -50614,7 +50680,7 @@ index 6d56ff2..f65b4ca 100644
write_unlock(&binfmt_lock);
}
-@@ -85,7 +109,7 @@ EXPORT_SYMBOL(__register_binfmt);
+@@ -85,7 +112,7 @@ EXPORT_SYMBOL(__register_binfmt);
void unregister_binfmt(struct linux_binfmt * fmt)
{
write_lock(&binfmt_lock);
@@ -50623,7 +50689,7 @@ index 6d56ff2..f65b4ca 100644
write_unlock(&binfmt_lock);
}
-@@ -180,18 +204,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+@@ -180,18 +207,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
int write)
{
struct page *page;
@@ -50645,7 +50711,7 @@ index 6d56ff2..f65b4ca 100644
return NULL;
if (write) {
-@@ -207,6 +223,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+@@ -207,6 +226,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
if (size <= ARG_MAX)
return page;
@@ -50663,7 +50729,7 @@ index 6d56ff2..f65b4ca 100644
/*
* Limit to 1/4-th the stack size for the argv+env strings.
* This ensures that:
-@@ -266,6 +293,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+@@ -266,6 +296,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
vma->vm_end = STACK_TOP_MAX;
vma->vm_start = vma->vm_end - PAGE_SIZE;
vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
@@ -50675,7 +50741,7 @@ index 6d56ff2..f65b4ca 100644
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
INIT_LIST_HEAD(&vma->anon_vma_chain);
-@@ -276,6 +308,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+@@ -276,6 +311,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
mm->stack_vm = mm->total_vm = 1;
up_write(&mm->mmap_sem);
bprm->p = vma->vm_end - sizeof(void *);
@@ -50688,7 +50754,7 @@ index 6d56ff2..f65b4ca 100644
return 0;
err:
up_write(&mm->mmap_sem);
-@@ -396,7 +434,7 @@ struct user_arg_ptr {
+@@ -396,7 +437,7 @@ struct user_arg_ptr {
} ptr;
};
@@ -50697,7 +50763,7 @@ index 6d56ff2..f65b4ca 100644
{
const char __user *native;
-@@ -405,14 +443,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
+@@ -405,14 +446,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
compat_uptr_t compat;
if (get_user(compat, argv.ptr.compat + nr))
@@ -50714,7 +50780,7 @@ index 6d56ff2..f65b4ca 100644
return native;
}
-@@ -431,7 +469,7 @@ static int count(struct user_arg_ptr argv, int max)
+@@ -431,7 +472,7 @@ static int count(struct user_arg_ptr argv, int max)
if (!p)
break;
@@ -50723,7 +50789,7 @@ index 6d56ff2..f65b4ca 100644
return -EFAULT;
if (i >= max)
-@@ -466,7 +504,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
+@@ -466,7 +507,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
ret = -EFAULT;
str = get_user_arg_ptr(argv, argc);
@@ -50732,7 +50798,7 @@ index 6d56ff2..f65b4ca 100644
goto out;
len = strnlen_user(str, MAX_ARG_STRLEN);
-@@ -548,7 +586,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
+@@ -548,7 +589,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
int r;
mm_segment_t oldfs = get_fs();
struct user_arg_ptr argv = {
@@ -50741,7 +50807,7 @@ index 6d56ff2..f65b4ca 100644
};
set_fs(KERNEL_DS);
-@@ -583,7 +621,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
+@@ -583,7 +624,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
unsigned long new_end = old_end - shift;
struct mmu_gather tlb;
@@ -50751,7 +50817,7 @@ index 6d56ff2..f65b4ca 100644
/*
* ensure there are no vmas between where we want to go
-@@ -592,6 +631,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
+@@ -592,6 +634,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
if (vma != find_vma(mm, new_start))
return -EFAULT;
@@ -50762,7 +50828,7 @@ index 6d56ff2..f65b4ca 100644
/*
* cover the whole range: [new_start, old_end)
*/
-@@ -672,10 +715,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -672,10 +718,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
stack_top = arch_align_stack(stack_top);
stack_top = PAGE_ALIGN(stack_top);
@@ -50773,7 +50839,7 @@ index 6d56ff2..f65b4ca 100644
stack_shift = vma->vm_end - stack_top;
bprm->p -= stack_shift;
-@@ -687,8 +726,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -687,8 +729,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
bprm->exec -= stack_shift;
down_write(&mm->mmap_sem);
@@ -50802,7 +50868,7 @@ index 6d56ff2..f65b4ca 100644
/*
* Adjust stack execute permissions; explicitly enable for
* EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
-@@ -707,13 +766,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -707,13 +769,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
goto out_unlock;
BUG_ON(prev != vma);
@@ -50816,7 +50882,7 @@ index 6d56ff2..f65b4ca 100644
/* mprotect_fixup is overkill to remove the temporary stack flags */
vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
-@@ -737,6 +789,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -737,6 +792,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
#endif
current->mm->start_stack = bprm->p;
ret = expand_stack(vma, stack_base);
@@ -50844,7 +50910,7 @@ index 6d56ff2..f65b4ca 100644
if (ret)
ret = -EFAULT;
-@@ -772,6 +845,8 @@ struct file *open_exec(const char *name)
+@@ -772,6 +848,8 @@ struct file *open_exec(const char *name)
fsnotify_open(file);
@@ -50853,7 +50919,7 @@ index 6d56ff2..f65b4ca 100644
err = deny_write_access(file);
if (err)
goto exit;
-@@ -795,7 +870,7 @@ int kernel_read(struct file *file, loff_t offset,
+@@ -795,7 +873,7 @@ int kernel_read(struct file *file, loff_t offset,
old_fs = get_fs();
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
@@ -50862,37 +50928,7 @@ index 6d56ff2..f65b4ca 100644
set_fs(old_fs);
return result;
}
-@@ -1136,13 +1211,6 @@ void setup_new_exec(struct linux_binprm * bprm)
- set_dumpable(current->mm, suid_dumpable);
- }
-
-- /*
-- * Flush performance counters when crossing a
-- * security domain:
-- */
-- if (!get_dumpable(current->mm))
-- perf_event_exit_task(current);
--
- /* An exec changes our domain. We are no longer part of the thread
- group */
-
-@@ -1206,6 +1274,15 @@ void install_exec_creds(struct linux_binprm *bprm)
-
- commit_creds(bprm->cred);
- bprm->cred = NULL;
-+
-+ /*
-+ * Disable monitoring for regular users
-+ * when executing setuid binaries. Must
-+ * wait until new credentials are committed
-+ * by commit_creds() above
-+ */
-+ if (get_dumpable(current->mm) != SUID_DUMP_USER)
-+ perf_event_exit_task(current);
- /*
- * cred_guard_mutex must be held at least to this point to prevent
- * ptrace_attach() from altering our determination of the task's
-@@ -1250,7 +1327,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1252,7 +1330,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -50901,7 +50937,7 @@ index 6d56ff2..f65b4ca 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1450,6 +1527,31 @@ int search_binary_handler(struct linux_binprm *bprm)
+@@ -1452,6 +1530,31 @@ int search_binary_handler(struct linux_binprm *bprm)
EXPORT_SYMBOL(search_binary_handler);
@@ -50933,7 +50969,7 @@ index 6d56ff2..f65b4ca 100644
/*
* sys_execve() executes a new program.
*/
-@@ -1457,6 +1559,11 @@ static int do_execve_common(const char *filename,
+@@ -1459,6 +1562,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr argv,
struct user_arg_ptr envp)
{
@@ -50945,7 +50981,7 @@ index 6d56ff2..f65b4ca 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1464,6 +1571,8 @@ static int do_execve_common(const char *filename,
+@@ -1466,6 +1574,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
@@ -50954,7 +50990,7 @@ index 6d56ff2..f65b4ca 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
-@@ -1504,12 +1613,27 @@ static int do_execve_common(const char *filename,
+@@ -1506,12 +1616,22 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
@@ -50969,11 +51005,6 @@ index 6d56ff2..f65b4ca 100644
bprm->filename = filename;
bprm->interp = filename;
-+ if (gr_process_user_ban()) {
-+ retval = -EPERM;
-+ goto out_file;
-+ }
-+
+ if (!gr_acl_handle_execve(file->f_path.dentry, file->f_path.mnt)) {
+ retval = -EACCES;
+ goto out_file;
@@ -50982,7 +51013,7 @@ index 6d56ff2..f65b4ca 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1526,24 +1650,65 @@ static int do_execve_common(const char *filename,
+@@ -1528,24 +1648,70 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
@@ -51002,6 +51033,11 @@ index 6d56ff2..f65b4ca 100644
+ current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024;
+#endif
+
++ if (gr_process_kernel_exec_ban() || gr_process_suid_exec_ban(bprm)) {
++ retval = -EPERM;
++ goto out_fail;
++ }
++
+ if (!gr_tpe_allow(file)) {
+ retval = -EACCES;
+ goto out_fail;
@@ -51052,7 +51088,7 @@ index 6d56ff2..f65b4ca 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1552,6 +1717,14 @@ static int do_execve_common(const char *filename,
+@@ -1554,6 +1720,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
@@ -51067,7 +51103,7 @@ index 6d56ff2..f65b4ca 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1700,3 +1873,283 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1702,3 +1876,283 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return error;
}
#endif
@@ -56788,67 +56824,6 @@ index 69d4889..a810bd4 100644
{
if (sbi->s_bytesex == BYTESEX_PDP)
return PDP_swab((__force __u32)n);
-diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
-index de08c92f..732cd63 100644
---- a/fs/ubifs/dir.c
-+++ b/fs/ubifs/dir.c
-@@ -364,6 +364,24 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
- */
- return 0;
-
-+ if (file->f_version == 0) {
-+ /*
-+ * The file was seek'ed, which means that @file->private_data
-+ * is now invalid. This may also be just the first
-+ * 'ubifs_readdir()' invocation, in which case
-+ * @file->private_data is NULL, and the below code is
-+ * basically a no-op.
-+ */
-+ kfree(file->private_data);
-+ file->private_data = NULL;
-+ }
-+
-+ /*
-+ * 'generic_file_llseek()' unconditionally sets @file->f_version to
-+ * zero, and we use this for detecting whether the file was seek'ed.
-+ */
-+ file->f_version = 1;
-+
- /* File positions 0 and 1 correspond to "." and ".." */
- if (file->f_pos == 0) {
- ubifs_assert(!file->private_data);
-@@ -438,6 +456,14 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
- file->f_pos = key_hash_flash(c, &dent->key);
- file->private_data = dent;
- cond_resched();
-+
-+ if (file->f_version == 0)
-+ /*
-+ * The file was seek'ed meanwhile, lets return and start
-+ * reading direntries from the new position on the next
-+ * invocation.
-+ */
-+ return 0;
- }
-
- out:
-@@ -448,15 +474,13 @@ out:
-
- kfree(file->private_data);
- file->private_data = NULL;
-+ /* 2 is a special value indicating that there are no more direntries */
- file->f_pos = 2;
- return 0;
- }
-
--/* If a directory is seeked, we have to free saved readdir() state */
- static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int whence)
- {
-- kfree(file->private_data);
-- file->private_data = NULL;
- return generic_file_llseek(file, offset, whence);
- }
-
diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
index e18b988..f1d4ad0f 100644
--- a/fs/ubifs/io.c
@@ -57091,10 +57066,10 @@ index ca9ecaa..60100c7 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..4fb1dde
+index 0000000..c9c4ac3
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,1053 @@
+@@ -0,0 +1,1054 @@
+#
+# grecurity configuration
+#
@@ -57251,8 +57226,9 @@ index 0000000..4fb1dde
+ fork until the administrator is able to assess the situation and
+ restart the daemon.
+ In the suid/sgid case, the attempt is logged, the user has all their
-+ processes terminated, and they are prevented from executing any further
-+ processes for 15 minutes.
++ existing instances of the suid/sgid binary terminated and will
++ be unable to execute any suid/sgid binaries for 15 minutes.
++
+ It is recommended that you also enable signal logging in the auditing
+ section so that logs are generated when a process triggers a suspicious
+ signal.
@@ -58194,7 +58170,7 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..1248ee0
+index 0000000..0d5c602
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,4073 @@
@@ -60545,7 +60521,7 @@ index 0000000..1248ee0
+ return;
+}
+
-+extern int __gr_process_user_ban(struct user_struct *user);
++extern int gr_process_kernel_setuid_ban(struct user_struct *user);
+
+int
+gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs)
@@ -60559,7 +60535,7 @@ index 0000000..1248ee0
+ int fsok = 0;
+ uid_t globalreal, globaleffective, globalfs;
+
-+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
++#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT)
+ struct user_struct *user;
+
+ if (!uid_valid(real))
@@ -60573,7 +60549,7 @@ index 0000000..1248ee0
+ if (user == NULL)
+ goto skipit;
+
-+ if (__gr_process_user_ban(user)) {
++ if (gr_process_kernel_setuid_ban(user)) {
+ /* for find_user */
+ free_uid(user);
+ return 1;
@@ -63617,7 +63593,7 @@ index 0000000..39645c9
+}
diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
new file mode 100644
-index 0000000..4dcc92a
+index 0000000..3c38bfe
--- /dev/null
+++ b/grsecurity/gracl_segv.c
@@ -0,0 +1,305 @@
@@ -63859,7 +63835,7 @@ index 0000000..4dcc92a
+ if (likely(tsk != task)) {
+ // if this thread has the same subject as the one that triggered
+ // RES_CRASH and it's the same binary, kill it
-+ if (tsk->acl == task->acl && tsk->exec_file == task->exec_file)
++ if (tsk->acl == task->acl && gr_is_same_file(tsk->exec_file, task->exec_file))
+ gr_fake_force_sig(SIGKILL, tsk);
+ }
+ } while_each_thread(tsk2, tsk);
@@ -65944,12 +65920,13 @@ index 0000000..f7f29aa
+}
diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
new file mode 100644
-index 0000000..e09715a
+index 0000000..4e29cc7
--- /dev/null
+++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,222 @@
+@@ -0,0 +1,246 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
++#include <linux/fs.h>
+#include <linux/delay.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
@@ -66049,7 +66026,7 @@ index 0000000..e09715a
+ rcu_read_lock();
+ read_lock(&tasklist_lock);
+ read_lock(&grsec_exec_file_lock);
-+ if (p->real_parent && p->real_parent->exec_file == p->exec_file) {
++ if (p->real_parent && gr_is_same_file(p->real_parent->exec_file, p->exec_file)) {
+ p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
+ p->real_parent->brute = 1;
+ daemon = 1;
@@ -66066,14 +66043,15 @@ index 0000000..e09715a
+ user = find_user(uid);
+ if (user == NULL)
+ goto unlock;
-+ user->banned = 1;
-+ user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
-+ if (user->ban_expires == ~0UL)
-+ user->ban_expires--;
++ user->suid_banned = 1;
++ user->suid_ban_expires = get_seconds() + GR_USER_BAN_TIME;
++ if (user->suid_ban_expires == ~0UL)
++ user->suid_ban_expires--;
+
++ /* only kill other threads of the same binary, from the same user */
+ do_each_thread(tsk2, tsk) {
+ cred2 = __task_cred(tsk);
-+ if (tsk != p && uid_eq(cred2->uid, uid))
++ if (tsk != p && uid_eq(cred2->uid, uid) && gr_is_same_file(tsk->exec_file, p->exec_file))
+ gr_fake_force_sig(SIGKILL, tsk);
+ } while_each_thread(tsk2, tsk);
+ }
@@ -66084,8 +66062,7 @@ index 0000000..e09715a
+ rcu_read_unlock();
+
+ if (gr_is_global_nonroot(uid))
-+ printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n",
-+ GR_GLOBAL_UID(uid), GR_USER_BAN_TIME / 60);
++ gr_log_fs_int2(GR_DONT_AUDIT, GR_BRUTE_SUID_MSG, p->exec_file->f_path.dentry, p->exec_file->f_path.mnt, GR_GLOBAL_UID(uid), GR_USER_BAN_TIME / 60);
+ else if (daemon)
+ gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
+
@@ -66132,11 +66109,10 @@ index 0000000..e09715a
+ GR_GLOBAL_UID(uid));
+ /* we intentionally leak this ref */
+ user = get_uid(current->cred->user);
-+ if (user) {
-+ user->banned = 1;
-+ user->ban_expires = ~0UL;
-+ }
++ if (user)
++ user->kernel_banned = 1;
+
++ /* kill all processes of this user */
+ read_lock(&tasklist_lock);
+ do_each_thread(tsk2, tsk) {
+ cred = __task_cred(tsk);
@@ -66148,25 +66124,49 @@ index 0000000..e09715a
+#endif
+}
+
-+int __gr_process_user_ban(struct user_struct *user)
++#ifdef CONFIG_GRKERNSEC_BRUTE
++static bool suid_ban_expired(struct user_struct *user)
+{
-+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
-+ if (unlikely(user->banned)) {
-+ if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
-+ user->banned = 0;
-+ user->ban_expires = 0;
-+ free_uid(user);
-+ } else
-+ return -EPERM;
++ if (user->suid_ban_expires != ~0UL && time_after_eq(get_seconds(), user->suid_ban_expires)) {
++ user->suid_banned = 0;
++ user->suid_ban_expires = 0;
++ free_uid(user);
++ return true;
+ }
++
++ return false;
++}
++#endif
++
++int gr_process_kernel_exec_ban(void)
++{
++#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
++ if (unlikely(current->cred->user->kernel_banned))
++ return -EPERM;
++#endif
++ return 0;
++}
++
++int gr_process_kernel_setuid_ban(struct user_struct *user)
++{
++#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
++ if (unlikely(user->kernel_banned))
++ gr_fake_force_sig(SIGKILL, current);
+#endif
+ return 0;
+}
+
-+int gr_process_user_ban(void)
++int gr_process_suid_exec_ban(const struct linux_binprm *bprm)
+{
-+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
-+ return __gr_process_user_ban(current->cred->user);
++#ifdef CONFIG_GRKERNSEC_BRUTE
++ struct user_struct *user = current->cred->user;
++ if (unlikely(user->suid_banned)) {
++ if (suid_ban_expired(user))
++ return 0;
++ /* disallow execution of suid binaries only */
++ else if (!uid_eq(bprm->cred->euid, current->cred->uid))
++ return -EPERM;
++ }
+#endif
+ return 0;
+}
@@ -69201,10 +69201,10 @@ index 0000000..be66033
+#endif
diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
new file mode 100644
-index 0000000..5402bce
+index 0000000..12994b5
--- /dev/null
+++ b/include/linux/grinternal.h
-@@ -0,0 +1,215 @@
+@@ -0,0 +1,227 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
@@ -69318,6 +69318,18 @@ index 0000000..5402bce
+
+#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
+
++static inline bool gr_is_same_file(const struct file *file1, const struct file *file2)
++{
++ if (file1 && file2) {
++ const struct inode *inode1 = file1->f_path.dentry->d_inode;
++ const struct inode *inode2 = file2->f_path.dentry->d_inode;
++ if (inode1->i_ino == inode2->i_ino && inode1->i_sb->s_dev == inode2->i_sb->s_dev)
++ return true;
++ }
++
++ return false;
++}
++
+#define GR_CHROOT_CAPS {{ \
+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
@@ -69422,10 +69434,10 @@ index 0000000..5402bce
+#endif
diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
new file mode 100644
-index 0000000..2bd4c8d
+index 0000000..2f159b5
--- /dev/null
+++ b/include/linux/grmsg.h
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,112 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -69537,12 +69549,13 @@ index 0000000..2bd4c8d
+#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
++#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..d7ef0ac
+index 0000000..d957f6d
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,242 @@
+@@ -0,0 +1,241 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -69567,7 +69580,6 @@ index 0000000..d7ef0ac
+void gr_handle_brute_attach(unsigned long mm_flags);
+void gr_handle_brute_check(void);
+void gr_handle_kernel_exploit(void);
-+int gr_process_user_ban(void);
+
+char gr_roletype_to_char(void);
+
@@ -71444,7 +71456,7 @@ index 6dacb93..6174423 100644
static inline void anon_vma_merge(struct vm_area_struct *vma,
struct vm_area_struct *next)
diff --git a/include/linux/sched.h b/include/linux/sched.h
-index be4e742..7f9d593 100644
+index be4e742..01f1387 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -62,6 +62,7 @@ struct bio_list;
@@ -71501,19 +71513,22 @@ index be4e742..7f9d593 100644
#ifdef CONFIG_AUDIT
unsigned audit_tty;
struct tty_audit_buf *tty_audit_buf;
-@@ -683,6 +707,11 @@ struct user_struct {
+@@ -683,6 +707,14 @@ struct user_struct {
struct key *session_keyring; /* UID's default session keyring */
#endif
-+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
-+ unsigned int banned;
-+ unsigned long ban_expires;
++#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
++ unsigned char kernel_banned;
++#endif
++#ifdef CONFIG_GRKERNSEC_BRUTE
++ unsigned char suid_banned;
++ unsigned long suid_ban_expires;
+#endif
+
/* Hash table maintenance information */
struct hlist_node uidhash_node;
kuid_t uid;
-@@ -1082,7 +1111,7 @@ struct sched_class {
+@@ -1082,7 +1114,7 @@ struct sched_class {
#ifdef CONFIG_FAIR_GROUP_SCHED
void (*task_move_group) (struct task_struct *p, int on_rq);
#endif
@@ -71522,7 +71537,7 @@ index be4e742..7f9d593 100644
struct load_weight {
unsigned long weight, inv_weight;
-@@ -1323,8 +1352,8 @@ struct task_struct {
+@@ -1323,8 +1355,8 @@ struct task_struct {
struct list_head thread_group;
struct completion *vfork_done; /* for vfork() */
@@ -71533,7 +71548,7 @@ index be4e742..7f9d593 100644
cputime_t utime, stime, utimescaled, stimescaled;
cputime_t gtime;
-@@ -1349,11 +1378,6 @@ struct task_struct {
+@@ -1349,11 +1381,6 @@ struct task_struct {
struct task_cputime cputime_expires;
struct list_head cpu_timers[3];
@@ -71545,7 +71560,7 @@ index be4e742..7f9d593 100644
char comm[TASK_COMM_LEN]; /* executable name excluding path
- access with [gs]et_task_comm (which lock
it with task_lock())
-@@ -1370,6 +1394,10 @@ struct task_struct {
+@@ -1370,6 +1397,10 @@ struct task_struct {
#endif
/* CPU-specific state of this task */
struct thread_struct thread;
@@ -71556,7 +71571,7 @@ index be4e742..7f9d593 100644
/* filesystem information */
struct fs_struct *fs;
/* open file information */
-@@ -1443,6 +1471,10 @@ struct task_struct {
+@@ -1443,6 +1474,10 @@ struct task_struct {
gfp_t lockdep_reclaim_gfp;
#endif
@@ -71567,7 +71582,7 @@ index be4e742..7f9d593 100644
/* journalling filesystem info */
void *journal_info;
-@@ -1481,6 +1513,10 @@ struct task_struct {
+@@ -1481,6 +1516,10 @@ struct task_struct {
/* cg_list protected by css_set_lock and tsk->alloc_lock */
struct list_head cg_list;
#endif
@@ -71578,7 +71593,7 @@ index be4e742..7f9d593 100644
#ifdef CONFIG_FUTEX
struct robust_list_head __user *robust_list;
#ifdef CONFIG_COMPAT
-@@ -1577,8 +1613,74 @@ struct task_struct {
+@@ -1577,8 +1616,74 @@ struct task_struct {
#ifdef CONFIG_UPROBES
struct uprobe_task *utask;
#endif
@@ -71653,7 +71668,7 @@ index be4e742..7f9d593 100644
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
-@@ -1637,7 +1739,7 @@ struct pid_namespace;
+@@ -1637,7 +1742,7 @@ struct pid_namespace;
pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
struct pid_namespace *ns);
@@ -71662,7 +71677,7 @@ index be4e742..7f9d593 100644
{
return tsk->pid;
}
-@@ -2073,7 +2175,9 @@ void yield(void);
+@@ -2073,7 +2178,9 @@ void yield(void);
extern struct exec_domain default_exec_domain;
union thread_union {
@@ -71672,7 +71687,7 @@ index be4e742..7f9d593 100644
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2106,6 +2210,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2106,6 +2213,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -71680,7 +71695,7 @@ index be4e742..7f9d593 100644
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2272,7 +2377,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2272,7 +2380,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -71689,7 +71704,7 @@ index be4e742..7f9d593 100644
extern int allow_signal(int);
extern int disallow_signal(int);
-@@ -2463,9 +2568,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2463,9 +2571,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
#endif
@@ -82291,7 +82306,7 @@ index 79b7cf7..9944291 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 0dceed8..bfcaf45 100644
+index 0dceed8..a559c2e 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -33,6 +33,7 @@
@@ -82701,7 +82716,7 @@ index 0dceed8..bfcaf45 100644
+unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
+{
+ if ((mm->pax_flags & MF_PAX_RANDMMAP) && !filp && (flags & MAP_STACK))
-+ return (random32() & 0xFF) << PAGE_SHIFT;
++ return ((random32() & 0xFF) + 1) << PAGE_SHIFT;
+
+ return 0;
+}
@@ -85978,20 +85993,10 @@ index 6a93614..1415549 100644
err = -EFAULT;
break;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
-index c5f9cd6..dfc8ec1 100644
+index 04b32e1..dfc8ec1 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
-@@ -2743,6 +2743,9 @@ static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn, u8 code,
- BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %u",
- conn, code, ident, dlen);
-
-+ if (conn->mtu < L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE)
-+ return NULL;
-+
- len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
- count = min_t(unsigned int, conn->mtu, len);
-
-@@ -3395,8 +3398,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+@@ -3398,8 +3398,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
break;
case L2CAP_CONF_RFC:
@@ -86004,15 +86009,6 @@ index c5f9cd6..dfc8ec1 100644
if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
rfc.mode != chan->mode)
-@@ -4221,7 +4226,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn,
- struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
- u16 type, result;
-
-- if (cmd_len != sizeof(*rsp))
-+ if (cmd_len < sizeof(*rsp))
- return -EPROTO;
-
- type = __le16_to_cpu(rsp->type);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 1bcfb84..dad9f98 100644
--- a/net/bluetooth/l2cap_sock.c
@@ -88850,7 +88846,7 @@ index 843d8c4..cb04fa1 100644
if (local->use_chanctx)
*chandef = local->monitor_chandef;
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 5672533..6738c93 100644
+index 4e74cd6..963b8a1 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -28,6 +28,7 @@
@@ -89008,7 +89004,7 @@ index c97a065..ff61928 100644
return p;
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index 0f38f43..e53d4a8 100644
+index 1f4b908..c4def45 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1388,7 +1388,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)