aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/linux-grsec/APKBUILD28
-rw-r--r--main/linux-grsec/grsecurity-3.1-3.14.37-201504051405.patch (renamed from main/linux-grsec/grsecurity-3.1-3.14.37-201503270048.patch)588
-rw-r--r--main/linux-grsec/kernelconfig.armhf27
-rw-r--r--main/linux-grsec/kernelconfig.x867
-rw-r--r--main/linux-grsec/kernelconfig.x86_647
5 files changed, 547 insertions, 110 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 3996e6ef9c..c44d3258b1 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=1
+pkgrel=2
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-3.1-3.14.37-201503270048.patch
+ grsecurity-3.1-3.14.37-201504051405.patch
fix-memory-map-for-PIE-applications.patch
imx6q-no-unclocked-sleep.patch
@@ -166,25 +166,25 @@ dev() {
md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz
cbc19671d2c8bab0eaf18bf3afa54f7b patch-3.14.37.xz
-0d1341b1b8588274baa747e40db8df57 grsecurity-3.1-3.14.37-201503270048.patch
+16c2185b59f85b66ba9679eb5f389104 grsecurity-3.1-3.14.37-201504051405.patch
c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
-509a706cb2f0d40b3fe1ceaba4c8b47c kernelconfig.x86
-e451ad5c3e590e4bd73ef45704428ee8 kernelconfig.x86_64
-e18158a62b940c4b12bafbacd1e00639 kernelconfig.armhf"
+78060d5fe4d22f3ff8ebdad76f2a99f0 kernelconfig.x86
+6af32d44523b76b23714fd8eb6d7ee27 kernelconfig.x86_64
+2088fe977722158d7989f928084d52ca kernelconfig.armhf"
sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz
ae2c25e7c53bffaf4e6f951a56eaa8ca645e7125cd28f16f870b7dc8aaa66b49 patch-3.14.37.xz
-0e533151c70a94084f6c408c3d77ed2c61e8bf96c347cc29e655a4511382dde7 grsecurity-3.1-3.14.37-201503270048.patch
+43ffb9159085c7194a6f3e767cb9fcd6b7a99ec4a79e187714a2714e5ef93970 grsecurity-3.1-3.14.37-201504051405.patch
500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
-cb737416dbd1ff03372c924e3fa52ddaba5209adb46a82dd19ce20774753f7a9 kernelconfig.x86
-61a463b7595e34728fd002589713555a7084d8595ee878e5a0e9429a5d620d3b kernelconfig.x86_64
-655e230d216896c769ec184cb7ec4f95aea3a13326251ffdf35c17426687d1b9 kernelconfig.armhf"
+66196a945d55ce0a164dc5a4303db77c1f47641ab8bf7b53e87f3f39bf23f356 kernelconfig.x86
+77ef1ce8fb80c93aaa9a1c629d5708a409184a72de480cd219f777eaec02caaf kernelconfig.x86_64
+636419c6970c24ae6e02889f641aff606eb237c0ac1796efd992c545f77bc579 kernelconfig.armhf"
sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz
40439c1262331ffd594a110bab6c2da04abd7718fb3f79661de46e0c7cd99d4d8e003bb412be2348df843d7d9abe310caf1e3cc1ec5343e4b92f0769b9cfada4 patch-3.14.37.xz
-139ed90ebf47aeb7f0bfd4c64a3e8c1b387641500f9ec4a972ec1ed2b9583b4b4e9618502b025dc83bbe08ab12735d78e1998c22c682c04b322ccd01db616bc5 grsecurity-3.1-3.14.37-201503270048.patch
+a5cd91d5aed495a34393fe0d4a944b4d8f7b7beabdf007c079711699f4d8b8dfa573827aa0358ad9efd4aef49192fa978567ec4f4de93982cf8afd63a90dec63 grsecurity-3.1-3.14.37-201504051405.patch
4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
-1aed15e4b3db162e13ed1e17f19251c995e42623590a5dd112398fe16e34d1bd0e31da212993685836891d6b0063a6fab5175f90dcefe1872462d682510e3fb2 kernelconfig.x86
-e4d84befd2af779ce94d1a4b96bd0dc154718efcf1a418fab4e2d83ff16d3fb2e44d2173a6e7d71125a4b243337ead7d582379c556561476d7724069a80b65d2 kernelconfig.x86_64
-a324821ce93d4c7a019bb0760baca2ca8a009b168acfb4d9ffcde8185411fac930327cc52d75ca4431fb65cf60ea03d4b539f7477f24b84fa8ab80d502c65f86 kernelconfig.armhf"
+63b99a936f8ca561e42590ec639b2a86face1198c6a05d3450ff275ae3651f142e1a08795064562be7ad228097687f3fd745b19c1cdb0f48dcd1eeb2634fd46c kernelconfig.x86
+d1e5c64796e29bbed2c6460e6a240cb31ec0cb6c2a6467a459efa14a620a6c0003c01cc925e3de8e272bbf8a82d6afa639d7703f895d5d3ccea069ea82db5104 kernelconfig.x86_64
+2b8d7afc769398b32eb03850069bde6ddb06ea54deea08d6c85356fb9c9d1d851ff3e72cf55d598aa2c56608efbf1b10e5051f1e07f0178dff5f1aa886fc843d kernelconfig.armhf"
diff --git a/main/linux-grsec/grsecurity-3.1-3.14.37-201503270048.patch b/main/linux-grsec/grsecurity-3.1-3.14.37-201504051405.patch
index e462e33ba7..b383085465 100644
--- a/main/linux-grsec/grsecurity-3.1-3.14.37-201503270048.patch
+++ b/main/linux-grsec/grsecurity-3.1-3.14.37-201504051405.patch
@@ -235,21 +235,24 @@ index b89a739..e289b9b 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 5d91ba1..935a4e7 100644
+index 5d91ba1..ef1d374 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
-@@ -1084,6 +1084,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -1084,6 +1084,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
Format: <unsigned int> such that (rxsize & ~0x1fffc0) == 0.
Default: 1024
+ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
+ ignore grsecurity's /proc restrictions
+
++ grsec_sysfs_restrict= Format: 0 | 1
++ Default: 1
++ Disables GRKERNSEC_SYSFS_RESTRICT if enabled in config
+
hashdist= [KNL,NUMA] Large hashes allocated during boot
are distributed across NUMA nodes. Defaults on
for 64-bit NUMA, off otherwise.
-@@ -2081,6 +2085,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -2081,6 +2088,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
noexec=on: enable non-executable mappings (default)
noexec=off: disable non-executable mappings
@@ -260,7 +263,7 @@ index 5d91ba1..935a4e7 100644
nosmap [X86]
Disable SMAP (Supervisor Mode Access Prevention)
even if it is supported by processor.
-@@ -2348,6 +2356,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -2348,6 +2359,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -10165,10 +10168,18 @@ index 0167d26..767bb0c 100644
#include <asm/uaccess_64.h>
#else
diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
-index 53a28dd..50c38c3 100644
+index 53a28dd..6e11369 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
-@@ -250,27 +250,46 @@ extern unsigned long __copy_user(void __user *to, const void __user *from, unsig
+@@ -47,6 +47,7 @@
+ #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
+ #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
+ #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
+ #define access_ok(type, addr, size) \
+ ({ (void)(type); __access_ok((unsigned long)(addr), size); })
+
+@@ -250,27 +251,46 @@ extern unsigned long __copy_user(void __user *to, const void __user *from, unsig
static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
{
@@ -10220,7 +10231,7 @@ index 53a28dd..50c38c3 100644
}
diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
-index ad7e178..c9e7423 100644
+index ad7e178..26cd4a7 100644
--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -10,6 +10,7 @@
@@ -10231,7 +10242,19 @@ index ad7e178..c9e7423 100644
#include <asm/asi.h>
#include <asm/spitfire.h>
#include <asm-generic/uaccess-unaligned.h>
-@@ -214,8 +215,15 @@ extern unsigned long copy_from_user_fixup(void *to, const void __user *from,
+@@ -54,6 +55,11 @@ static inline int __access_ok(const void __user * addr, unsigned long size)
+ return 1;
+ }
+
++static inline int access_ok_noprefault(int type, const void __user * addr, unsigned long size)
++{
++ return 1;
++}
++
+ static inline int access_ok(int type, const void __user * addr, unsigned long size)
+ {
+ return 1;
+@@ -214,8 +220,15 @@ extern unsigned long copy_from_user_fixup(void *to, const void __user *from,
static inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long size)
{
@@ -10248,7 +10271,7 @@ index ad7e178..c9e7423 100644
if (unlikely(ret))
ret = copy_from_user_fixup(to, from, size);
-@@ -231,8 +239,15 @@ extern unsigned long copy_to_user_fixup(void __user *to, const void *from,
+@@ -231,8 +244,15 @@ extern unsigned long copy_to_user_fixup(void __user *to, const void *from,
static inline unsigned long __must_check
copy_to_user(void __user *to, const void *from, unsigned long size)
{
@@ -21150,7 +21173,7 @@ index c005fdd..e33da29 100644
if (c->x86_model == 3 && c->x86_mask == 0)
size = 64;
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index e6bddd5..517213d 100644
+index e6bddd5..5b0c55c 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -88,60 +88,6 @@ static const struct cpu_dev default_cpu = {
@@ -21283,10 +21306,20 @@ index e6bddd5..517213d 100644
gdt_descr.size = GDT_SIZE - 1;
load_gdt(&gdt_descr);
/* Reload the per-cpu base */
-@@ -885,6 +884,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
+@@ -885,6 +884,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
setup_smep(c);
setup_smap(c);
++#ifdef CONFIG_X86_32
++#ifdef CONFIG_PAX_PAGEEXEC
++ if (!(__supported_pte_mask & _PAGE_NX))
++ clear_cpu_cap(c, X86_FEATURE_PSE);
++#endif
++#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++ clear_cpu_cap(c, X86_FEATURE_SEP);
++#endif
++#endif
++
+#ifdef CONFIG_X86_64
+ setup_pcid(c);
+#endif
@@ -21294,18 +21327,7 @@ index e6bddd5..517213d 100644
/*
* The vendor-specific functions might have changed features.
* Now we do "generic changes."
-@@ -893,6 +896,10 @@ static void identify_cpu(struct cpuinfo_x86 *c)
- /* Filter out anything that depends on CPUID levels we don't have */
- filter_cpuid_features(c, true);
-
-+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
-+ setup_clear_cpu_cap(X86_FEATURE_SEP);
-+#endif
-+
- /* If the model name is still unset, do table lookup. */
- if (!c->x86_model_id[0]) {
- const char *p;
-@@ -1080,10 +1087,12 @@ static __init int setup_disablecpuid(char *arg)
+@@ -1080,10 +1093,12 @@ static __init int setup_disablecpuid(char *arg)
}
__setup("clearcpuid=", setup_disablecpuid);
@@ -21321,7 +21343,7 @@ index e6bddd5..517213d 100644
DEFINE_PER_CPU_FIRST(union irq_stack_union,
irq_stack_union) __aligned(PAGE_SIZE) __visible;
-@@ -1097,7 +1106,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
+@@ -1097,7 +1112,7 @@ DEFINE_PER_CPU(struct task_struct *, current_task) ____cacheline_aligned =
EXPORT_PER_CPU_SYMBOL(current_task);
DEFINE_PER_CPU(unsigned long, kernel_stack) =
@@ -21330,7 +21352,7 @@ index e6bddd5..517213d 100644
EXPORT_PER_CPU_SYMBOL(kernel_stack);
DEFINE_PER_CPU(char *, irq_stack_ptr) =
-@@ -1247,7 +1256,7 @@ void cpu_init(void)
+@@ -1247,7 +1262,7 @@ void cpu_init(void)
load_ucode_ap();
cpu = stack_smp_processor_id();
@@ -21339,7 +21361,7 @@ index e6bddd5..517213d 100644
oist = &per_cpu(orig_ist, cpu);
#ifdef CONFIG_NUMA
-@@ -1282,7 +1291,6 @@ void cpu_init(void)
+@@ -1282,7 +1297,6 @@ void cpu_init(void)
wrmsrl(MSR_KERNEL_GS_BASE, 0);
barrier();
@@ -21347,7 +21369,7 @@ index e6bddd5..517213d 100644
enable_x2apic();
/*
-@@ -1334,7 +1342,7 @@ void cpu_init(void)
+@@ -1334,7 +1348,7 @@ void cpu_init(void)
{
int cpu = smp_processor_id();
struct task_struct *curr = current;
@@ -30219,7 +30241,7 @@ index 7609e0e..b449b98 100644
}
EXPORT_SYMBOL(csum_partial_copy_to_user);
diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
-index a451235..1daa956 100644
+index a451235..a74bfa3 100644
--- a/arch/x86/lib/getuser.S
+++ b/arch/x86/lib/getuser.S
@@ -33,17 +33,40 @@
@@ -30244,8 +30266,6 @@ index a451235..1daa956 100644
GET_THREAD_INFO(%_ASM_DX)
cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
- ASM_STAC
--1: movzbl (%_ASM_AX),%edx
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_DX
@@ -30257,6 +30277,8 @@ index a451235..1daa956 100644
+
+#endif
+
+ ASM_STAC
+-1: movzbl (%_ASM_AX),%edx
+1: __copyuser_seg movzbl (%_ASM_AX),%edx
xor %eax,%eax
ASM_CLAC
@@ -30274,8 +30296,6 @@ index a451235..1daa956 100644
GET_THREAD_INFO(%_ASM_DX)
cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
- ASM_STAC
--2: movzwl -1(%_ASM_AX),%edx
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_DX
@@ -30287,6 +30307,8 @@ index a451235..1daa956 100644
+
+#endif
+
+ ASM_STAC
+-2: movzwl -1(%_ASM_AX),%edx
+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
xor %eax,%eax
ASM_CLAC
@@ -30304,8 +30326,6 @@ index a451235..1daa956 100644
GET_THREAD_INFO(%_ASM_DX)
cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
- ASM_STAC
--3: movl -3(%_ASM_AX),%edx
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_DX
@@ -30317,6 +30337,8 @@ index a451235..1daa956 100644
+
+#endif
+
+ ASM_STAC
+-3: movl -3(%_ASM_AX),%edx
+3: __copyuser_seg movl -3(%_ASM_AX),%edx
xor %eax,%eax
ASM_CLAC
@@ -30895,7 +30917,7 @@ index f6d13ee..d789440 100644
3:
CFI_RESTORE_STATE
diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S
-index fc6ba17..d4d989d 100644
+index fc6ba17..14ad9a5 100644
--- a/arch/x86/lib/putuser.S
+++ b/arch/x86/lib/putuser.S
@@ -16,7 +16,9 @@
@@ -30943,8 +30965,6 @@ index fc6ba17..d4d989d 100644
+ GET_THREAD_INFO(%_ASM_BX)
cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
jae bad_put_user
- ASM_STAC
--1: movb %al,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -30956,6 +30976,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-1: movb %al,(%_ASM_CX)
+1: __copyuser_seg movb %al,(_DEST)
xor %eax,%eax
EXIT
@@ -30970,8 +30992,6 @@ index fc6ba17..d4d989d 100644
sub $1,%_ASM_BX
cmp %_ASM_BX,%_ASM_CX
jae bad_put_user
- ASM_STAC
--2: movw %ax,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -30983,6 +31003,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-2: movw %ax,(%_ASM_CX)
+2: __copyuser_seg movw %ax,(_DEST)
xor %eax,%eax
EXIT
@@ -30997,8 +31019,6 @@ index fc6ba17..d4d989d 100644
sub $3,%_ASM_BX
cmp %_ASM_BX,%_ASM_CX
jae bad_put_user
- ASM_STAC
--3: movl %eax,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -31010,6 +31030,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-3: movl %eax,(%_ASM_CX)
+3: __copyuser_seg movl %eax,(_DEST)
xor %eax,%eax
EXIT
@@ -31024,8 +31046,6 @@ index fc6ba17..d4d989d 100644
sub $7,%_ASM_BX
cmp %_ASM_BX,%_ASM_CX
jae bad_put_user
- ASM_STAC
--4: mov %_ASM_AX,(%_ASM_CX)
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+ mov pax_user_shadow_base,%_ASM_BX
@@ -31037,6 +31057,8 @@ index fc6ba17..d4d989d 100644
+
+#endif
+
+ ASM_STAC
+-4: mov %_ASM_AX,(%_ASM_CX)
+4: __copyuser_seg mov %_ASM_AX,(_DEST)
#ifdef CONFIG_X86_32
-5: movl %edx,4(%_ASM_CX)
@@ -43391,6 +43413,20 @@ index a841123..055ebeb 100644
if (!can_do_mlock())
return ERR_PTR(-EPERM);
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index 2adc143..619e970 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -923,6 +923,9 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
+ if (copy_from_user(&cmd, buf, sizeof cmd))
+ return -EFAULT;
+
++ if (!access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length))
++ return -EFAULT;
++
+ INIT_UDATA(&udata, buf + sizeof cmd,
+ (unsigned long) cmd.response + sizeof resp,
+ in_len - sizeof cmd, out_len - sizeof resp);
diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c
index 41b1195..27971a0 100644
--- a/drivers/infiniband/hw/cxgb4/mem.c
@@ -61038,21 +61074,32 @@ index 4366127..b8c2cf9 100644
dcache_init();
inode_init();
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 1ff8fe5..5bf8b25 100644
+index 1ff8fe5..31407fe 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
-@@ -424,7 +424,11 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+@@ -422,10 +422,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+ * If debugfs is not enabled in the kernel, the value -%ENODEV will be
+ * returned.
*/
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++extern int grsec_enable_sysfs_restrict;
++#endif
++
struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
{
+- return __create_file(name, S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
+- parent, NULL, NULL);
++ umode_t mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++
+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
-+ return __create_file(name, S_IFDIR | S_IRWXU,
-+#else
- return __create_file(name, S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
++ if (grsec_enable_sysfs_restrict)
++ mode = S_IFDIR | S_IRWXU;
+#endif
- parent, NULL, NULL);
++
++ return __create_file(name, mode, parent, NULL, NULL);
}
EXPORT_SYMBOL_GPL(debugfs_create_dir);
+
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index a85ceb7..5097313b 100644
--- a/fs/ecryptfs/inode.c
@@ -68319,10 +68366,21 @@ index ae0c3ce..9ee641c 100644
generic_fillattr(inode, stat);
return 0;
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
-index ee0d761..b346c58 100644
+index ee0d761..2f33d21 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
-@@ -62,9 +62,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name)
+@@ -54,6 +54,10 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name)
+ kfree(path);
+ }
+
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++extern int grsec_enable_sysfs_restrict;
++#endif
++
+ /**
+ * sysfs_create_dir_ns - create a directory for an object with a namespace tag
+ * @kobj: object we're creating directory for
+@@ -62,9 +66,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name)
int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
{
struct kernfs_node *parent, *kn;
@@ -68339,7 +68397,7 @@ index ee0d761..b346c58 100644
if (kobj->parent)
parent = kobj->parent->sd;
else
-@@ -73,11 +80,22 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
+@@ -73,11 +84,24 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
if (!parent)
return -ENOENT;
@@ -68354,6 +68412,8 @@ index ee0d761..b346c58 100644
+ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse") || !strcmp(name, "ecryptfs"))) ||
+ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
+ mode = S_IRWXU | S_IRUGO | S_IXUGO;
++ if (!grsec_enable_sysfs_restrict)
++ mode = S_IRWXU | S_IRUGO | S_IXUGO;
+#endif
+
+ kn = kernfs_create_dir_ns(parent, name,
@@ -88618,6 +88678,26 @@ index ef6103b..d4e65dd 100644
#define ELFMAG0 0x7f /* EI_MAG */
#define ELFMAG1 'E'
#define ELFMAG2 'L'
+diff --git a/include/uapi/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h
+index f165609..d1366f0 100644
+--- a/include/uapi/linux/netfilter/xt_connlimit.h
++++ b/include/uapi/linux/netfilter/xt_connlimit.h
+@@ -22,8 +22,13 @@ struct xt_connlimit_info {
+ #endif
+ };
+ unsigned int limit;
+- /* revision 1 */
+- __u32 flags;
++ union {
++ /* revision 0 */
++ unsigned int inverse;
++
++ /* revision 1 */
++ __u32 flags;
++ };
+
+ /* Used internally by the kernel */
+ struct xt_connlimit_data *data __attribute__((aligned(8)));
diff --git a/include/uapi/linux/personality.h b/include/uapi/linux/personality.h
index aa169c4..6a2771d 100644
--- a/include/uapi/linux/personality.h
@@ -89117,7 +89197,7 @@ index 93b6139..8d628b7 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index 58c132d..ac3f3b0 100644
+index 58c132d..310b5fa 100644
--- a/init/main.c
+++ b/init/main.c
@@ -97,6 +97,8 @@ extern void radix_tree_init(void);
@@ -89129,7 +89209,7 @@ index 58c132d..ac3f3b0 100644
/*
* Debug helper: via this flag we know that we are in 'early bootup code'
* where only the boot processor is running with IRQ disabled. This means
-@@ -158,6 +160,75 @@ static int __init set_reset_devices(char *str)
+@@ -158,6 +160,85 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
@@ -89142,6 +89222,16 @@ index 58c132d..ac3f3b0 100644
+}
+__setup("grsec_proc_gid=", setup_grsec_proc_gid);
+#endif
++#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
++int grsec_enable_sysfs_restrict = 1;
++static int __init setup_grsec_sysfs_restrict(char *str)
++{
++ if (!simple_strtol(str, NULL, 0))
++ grsec_enable_sysfs_restrict = 0;
++ return 1;
++}
++__setup("grsec_sysfs_restrict", setup_grsec_sysfs_restrict);
++#endif
+
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+unsigned long pax_user_shadow_base __read_only;
@@ -89205,7 +89295,7 @@ index 58c132d..ac3f3b0 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -692,25 +763,24 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -692,25 +773,24 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -89236,7 +89326,7 @@ index 58c132d..ac3f3b0 100644
return ret;
}
-@@ -817,8 +887,8 @@ static int run_init_process(const char *init_filename)
+@@ -817,8 +897,8 @@ static int run_init_process(const char *init_filename)
{
argv_init[0] = init_filename;
return do_execve(getname_kernel(init_filename),
@@ -89247,7 +89337,7 @@ index 58c132d..ac3f3b0 100644
}
static int try_to_run_init_process(const char *init_filename)
-@@ -835,6 +905,10 @@ static int try_to_run_init_process(const char *init_filename)
+@@ -835,6 +915,10 @@ static int try_to_run_init_process(const char *init_filename)
return ret;
}
@@ -89258,7 +89348,7 @@ index 58c132d..ac3f3b0 100644
static noinline void __init kernel_init_freeable(void);
static int __ref kernel_init(void *unused)
-@@ -859,6 +933,11 @@ static int __ref kernel_init(void *unused)
+@@ -859,6 +943,11 @@ static int __ref kernel_init(void *unused)
ramdisk_execute_command, ret);
}
@@ -89270,7 +89360,7 @@ index 58c132d..ac3f3b0 100644
/*
* We try each of these until one succeeds.
*
-@@ -914,7 +993,7 @@ static noinline void __init kernel_init_freeable(void)
+@@ -914,7 +1003,7 @@ static noinline void __init kernel_init_freeable(void)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -89279,7 +89369,7 @@ index 58c132d..ac3f3b0 100644
pr_err("Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -927,11 +1006,13 @@ static noinline void __init kernel_init_freeable(void)
+@@ -927,11 +1016,13 @@ static noinline void __init kernel_init_freeable(void)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -95201,7 +95291,7 @@ index e3be87e..abc908f 100644
/* make curr_ret_stack visible before we add the ret_stack */
smp_wmb();
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
-index 774a080..7fa60b1 100644
+index 774a080..d09b170 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -352,9 +352,9 @@ struct buffer_data_page {
@@ -95216,17 +95306,22 @@ index 774a080..7fa60b1 100644
unsigned long real_end; /* real end of data */
struct buffer_data_page *page; /* Actual data page */
};
-@@ -473,8 +473,8 @@ struct ring_buffer_per_cpu {
+@@ -473,11 +473,11 @@ struct ring_buffer_per_cpu {
unsigned long last_overrun;
local_t entries_bytes;
local_t entries;
- local_t overrun;
- local_t commit_overrun;
+- local_t dropped_events;
+ local_unchecked_t overrun;
+ local_unchecked_t commit_overrun;
- local_t dropped_events;
++ local_unchecked_t dropped_events;
local_t committing;
- local_t commits;
+- local_t commits;
++ local_unchecked_t commits;
+ unsigned long read;
+ unsigned long read_bytes;
+ u64 write_stamp;
@@ -1005,8 +1005,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
*
* We add a counter to the write field to denote this.
@@ -95318,6 +95413,15 @@ index 774a080..7fa60b1 100644
goto out_reset;
}
+@@ -2330,7 +2330,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
+ * this is easy, just stop here.
+ */
+ if (!(buffer->flags & RB_FL_OVERWRITE)) {
+- local_inc(&cpu_buffer->dropped_events);
++ local_inc_unchecked(&cpu_buffer->dropped_events);
+ goto out_reset;
+ }
+
@@ -2356,7 +2356,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
cpu_buffer->tail_page) &&
(cpu_buffer->commit_page ==
@@ -95363,6 +95467,42 @@ index 774a080..7fa60b1 100644
if (index == old_index) {
/* update counters */
local_sub(event_length, &cpu_buffer->entries_bytes);
+@@ -2486,7 +2486,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
+ static void rb_start_commit(struct ring_buffer_per_cpu *cpu_buffer)
+ {
+ local_inc(&cpu_buffer->committing);
+- local_inc(&cpu_buffer->commits);
++ local_inc_unchecked(&cpu_buffer->commits);
+ }
+
+ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -2498,7 +2498,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
+ return;
+
+ again:
+- commits = local_read(&cpu_buffer->commits);
++ commits = local_read_unchecked(&cpu_buffer->commits);
+ /* synchronize with interrupts */
+ barrier();
+ if (local_read(&cpu_buffer->committing) == 1)
+@@ -2514,7 +2514,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
+ * updating of the commit page and the clearing of the
+ * committing counter.
+ */
+- if (unlikely(local_read(&cpu_buffer->commits) != commits) &&
++ if (unlikely(local_read_unchecked(&cpu_buffer->commits) != commits) &&
+ !local_read(&cpu_buffer->committing)) {
+ local_inc(&cpu_buffer->committing);
+ goto again;
+@@ -2544,7 +2544,7 @@ rb_reserve_next_event(struct ring_buffer *buffer,
+ barrier();
+ if (unlikely(ACCESS_ONCE(cpu_buffer->buffer) != buffer)) {
+ local_dec(&cpu_buffer->committing);
+- local_dec(&cpu_buffer->commits);
++ local_dec_unchecked(&cpu_buffer->commits);
+ return NULL;
+ }
+ #endif
@@ -2863,7 +2863,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
/* Do the likely case first */
@@ -95408,6 +95548,15 @@ index 774a080..7fa60b1 100644
return ret;
}
+@@ -3293,7 +3293,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer *buffer, int cpu)
+ return 0;
+
+ cpu_buffer = buffer->buffers[cpu];
+- ret = local_read(&cpu_buffer->dropped_events);
++ ret = local_read_unchecked(&cpu_buffer->dropped_events);
+
+ return ret;
+ }
@@ -3356,7 +3356,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
/* if you care about this being correct, lock the buffer */
for_each_buffer_cpu(buffer, cpu) {
@@ -95448,7 +95597,7 @@ index 774a080..7fa60b1 100644
local_set(&cpu_buffer->head_page->page->commit, 0);
cpu_buffer->head_page->read = 0;
-@@ -4145,14 +4145,14 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
+@@ -4145,18 +4145,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
INIT_LIST_HEAD(&cpu_buffer->new_pages);
@@ -95462,11 +95611,17 @@ index 774a080..7fa60b1 100644
local_set(&cpu_buffer->entries_bytes, 0);
- local_set(&cpu_buffer->overrun, 0);
- local_set(&cpu_buffer->commit_overrun, 0);
+- local_set(&cpu_buffer->dropped_events, 0);
+ local_set_unchecked(&cpu_buffer->overrun, 0);
+ local_set_unchecked(&cpu_buffer->commit_overrun, 0);
- local_set(&cpu_buffer->dropped_events, 0);
++ local_set_unchecked(&cpu_buffer->dropped_events, 0);
local_set(&cpu_buffer->entries, 0);
local_set(&cpu_buffer->committing, 0);
+- local_set(&cpu_buffer->commits, 0);
++ local_set_unchecked(&cpu_buffer->commits, 0);
+ cpu_buffer->read = 0;
+ cpu_buffer->read_bytes = 0;
+
@@ -4557,8 +4557,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
rb_init_page(bpage);
bpage = reader->page;
@@ -96410,6 +96565,22 @@ index f07a40d..0a445a7 100644
retval = 1;
}
spin_unlock(&lockref->lock);
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 10ad042d..25b47b5 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -274,7 +274,11 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
++ if (count > minlen)
++ memset(dest + minlen, 0, count - minlen);
+
+ return minlen;
+ }
diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
index 963b703..438bc51 100644
--- a/lib/percpu-refcount.c
@@ -103893,6 +104064,19 @@ index bf2cb4a..d83ba8a 100644
p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
p->rate_tokens = 0;
/* 60*HZ is arbitrary, but chosen enough high so that the first
+diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
+index ecb34b5..5c5ab40 100644
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -82,7 +82,7 @@ static int ip_forward_finish_gso(struct sk_buff *skb)
+
+ features = netif_skb_dev_features(skb, dst->dev);
+ segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
+- if (IS_ERR(segs)) {
++ if (IS_ERR_OR_NULL(segs)) {
+ kfree_skb(skb);
+ return -ENOMEM;
+ }
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 9ff497d..877a388 100644
--- a/net/ipv4/ip_fragment.c
@@ -106767,6 +106951,19 @@ index 6ff12a1..d1815b6 100644
goto nla_put_failure;
if (data_len) {
+diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
+index 108120f..5b169db 100644
+--- a/net/netfilter/nfnetlink_queue_core.c
++++ b/net/netfilter/nfnetlink_queue_core.c
+@@ -665,7 +665,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
+ * returned by nf_queue. For instance, callers rely on -ECANCELED to
+ * mean 'ignore this hook'.
+ */
+- if (IS_ERR(segs))
++ if (IS_ERR_OR_NULL(segs))
+ goto out_err;
+ queued = 0;
+ err = 0;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 7350723..c58f861 100644
--- a/net/netfilter/nft_compat.c
@@ -106789,6 +106986,60 @@ index 7350723..c58f861 100644
set_fs(old_fs);
ret = nla_put(skb, NFTA_MATCH_INFO, XT_ALIGN(m->matchsize), out);
kfree(out);
+diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
+index c40b269..b73fd7d 100644
+--- a/net/netfilter/xt_connlimit.c
++++ b/net/netfilter/xt_connlimit.c
+@@ -274,25 +274,38 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
+ kfree(info->data);
+ }
+
+-static struct xt_match connlimit_mt_reg __read_mostly = {
+- .name = "connlimit",
+- .revision = 1,
+- .family = NFPROTO_UNSPEC,
+- .checkentry = connlimit_mt_check,
+- .match = connlimit_mt,
+- .matchsize = sizeof(struct xt_connlimit_info),
+- .destroy = connlimit_mt_destroy,
+- .me = THIS_MODULE,
++static struct xt_match connlimit_mt_reg[] __read_mostly = {
++ {
++ .name = "connlimit",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = connlimit_mt_check,
++ .match = connlimit_mt,
++ .matchsize = sizeof(struct xt_connlimit_info),
++ .destroy = connlimit_mt_destroy,
++ .me = THIS_MODULE,
++ },
++ {
++ .name = "connlimit",
++ .revision = 1,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = connlimit_mt_check,
++ .match = connlimit_mt,
++ .matchsize = sizeof(struct xt_connlimit_info),
++ .destroy = connlimit_mt_destroy,
++ .me = THIS_MODULE,
++ },
+ };
+
+ static int __init connlimit_mt_init(void)
+ {
+- return xt_register_match(&connlimit_mt_reg);
++ return xt_register_matches(connlimit_mt_reg,
++ ARRAY_SIZE(connlimit_mt_reg));
+ }
+
+ static void __exit connlimit_mt_exit(void)
+ {
+- xt_unregister_match(&connlimit_mt_reg);
++ xt_unregister_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
+ }
+
+ module_init(connlimit_mt_init);
diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
new file mode 100644
index 0000000..c566332
@@ -106945,6 +107196,19 @@ index b74aa07..d41926e 100644
sax->fsa_ax25.sax25_call = nr->source_addr;
*uaddr_len = sizeof(struct sockaddr_ax25);
}
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index 270b77d..0a9d0981 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -314,6 +314,8 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb,
+ segs = __skb_gso_segment(skb, NETIF_F_SG, false);
+ if (IS_ERR(segs))
+ return PTR_ERR(segs);
++ if (segs == NULL)
++ return -EINVAL;
+
+ /* Queue all of the segments. */
+ skb = segs;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 48b1817..d2c096b 100644
--- a/net/packet/af_packet.c
@@ -108758,6 +109022,19 @@ index 0917f04..f4e3d8c 100644
return -ENOMEM;
if (!proc_create("x25/route", S_IRUGO, init_net.proc_net,
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 3bb2cdc..616d812 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -157,6 +157,8 @@ static int xfrm_output_gso(struct sk_buff *skb)
+ kfree_skb(skb);
+ if (IS_ERR(segs))
+ return PTR_ERR(segs);
++ if (segs == NULL)
++ return -EINVAL;
+
+ do {
+ struct sk_buff *nskb = segs->next;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 59cf325..e7fa6f0 100644
--- a/net/xfrm/xfrm_policy.c
@@ -112954,10 +113231,10 @@ index 0000000..3b5af59
+}
diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h
new file mode 100644
-index 0000000..cd95c07
+index 0000000..14ec226
--- /dev/null
+++ b/tools/gcc/gcc-common.h
-@@ -0,0 +1,375 @@
+@@ -0,0 +1,520 @@
+#ifndef GCC_COMMON_H_INCLUDED
+#define GCC_COMMON_H_INCLUDED
+
@@ -113038,6 +113315,10 @@ index 0000000..cd95c07
+#include "tree-cfgcleanup.h"
+#endif
+
++#if BUILDING_GCC_VERSION >= 4008
++#include "is-a.h"
++#endif
++
+#include "diagnostic.h"
+//#include "tree-diagnostic.h"
+#include "tree-dump.h"
@@ -113080,6 +113361,9 @@ index 0000000..cd95c07
+//#include "lto-streamer.h"
+#endif
+//#include "lto-compress.h"
++#if BUILDING_GCC_VERSION >= 5000
++//#include "lto-section-names.h"
++#endif
+
+//#include "expr.h" where are you...
+extern rtx emit_move_insn(rtx x, rtx y);
@@ -113108,11 +113392,11 @@ index 0000000..cd95c07
+#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
+
+#if BUILDING_GCC_VERSION == 4005
-+#define FOR_EACH_VEC_ELT_REVERSE(T,V,I,P) for (I = VEC_length(T, (V)) - 1; VEC_iterate(T, (V), (I), (P)); (I)--)
-+#define FOR_EACH_LOCAL_DECL(FUN, I, D) FOR_EACH_VEC_ELT_REVERSE(tree, (FUN)->local_decls, I, D)
++#define FOR_EACH_LOCAL_DECL(FUN, I, D) for (tree vars = (FUN)->local_decls; vars && (D = TREE_VALUE(vars)); vars = TREE_CHAIN(vars), I)
+#define DECL_CHAIN(NODE) (TREE_CHAIN(DECL_MINIMAL_CHECK(NODE)))
+#define FOR_EACH_VEC_ELT(T, V, I, P) for (I = 0; VEC_iterate(T, (V), (I), (P)); ++(I))
+#define TODO_rebuild_cgraph_edges 0
++#define SCOPE_FILE_SCOPE_P(EXP) (!(EXP))
+
+#ifndef O_BINARY
+#define O_BINARY 0
@@ -113256,6 +113540,7 @@ index 0000000..cd95c07
+#define PROP_loops 0
+#define NODE_SYMBOL(node) (node)
+#define NODE_DECL(node) (node)->decl
++#define INSN_LOCATION(INSN) RTL_LOCATION(INSN)
+
+static inline int bb_loop_depth(const_basic_block bb)
+{
@@ -113276,6 +113561,13 @@ index 0000000..cd95c07
+ cgraph_create_edge_including_clones((caller), (callee), (old_call_stmt), (call_stmt), (count), (freq), (reason))
+#endif
+
++#if BUILDING_GCC_VERSION == 4007 || BUILDING_GCC_VERSION == 4008
++static inline struct cgraph_node *cgraph_alias_target(struct cgraph_node *n)
++{
++ return cgraph_alias_aliased_node(n);
++}
++#endif
++
+#if BUILDING_GCC_VERSION <= 4008
+#define ENTRY_BLOCK_PTR_FOR_FN(FN) ENTRY_BLOCK_PTR_FOR_FUNCTION(FN)
+#define EXIT_BLOCK_PTR_FOR_FN(FN) EXIT_BLOCK_PTR_FOR_FUNCTION(FN)
@@ -113295,6 +113587,11 @@ index 0000000..cd95c07
+}
+
+#define ipa_remove_stmt_references(cnode, stmt)
++typedef union gimple_statement_d gasm;
++typedef union gimple_statement_d gassign;
++typedef union gimple_statement_d gcall;
++typedef union gimple_statement_d gphi;
++typedef union gimple_statement_d greturn;
+#endif
+
+#if BUILDING_GCC_VERSION == 4008
@@ -113312,6 +113609,29 @@ index 0000000..cd95c07
+
+#if BUILDING_GCC_VERSION <= 4009
+#define TODO_verify_il 0
++#define AVAIL_INTERPOSABLE AVAIL_OVERWRITABLE
++#endif
++
++#if BUILDING_GCC_VERSION == 4009
++typedef struct gimple_statement_base gasm;
++typedef struct gimple_statement_base gassign;
++typedef struct gimple_statement_base gcall;
++typedef struct gimple_statement_base gphi;
++typedef struct gimple_statement_base greturn;
++#endif
++
++#if BUILDING_GCC_VERSION <= 4009
++typedef struct rtx_def rtx_insn;
++
++static inline gasm *as_a_gasm(gimple stmt)
++{
++ return stmt;
++}
++
++static inline gcall *as_a_gcall(gimple stmt)
++{
++ return stmt;
++}
+#endif
+
+#if BUILDING_GCC_VERSION >= 4009
@@ -113328,8 +113648,110 @@ index 0000000..cd95c07
+#define TODO_verify_stmts TODO_verify_il
+#define TODO_verify_rtl_sharing TODO_verify_il
+
++#define TREE_INT_CST_HIGH(NODE) ({ TREE_INT_CST_EXT_NUNITS(NODE) > 1 ? (unsigned HOST_WIDE_INT)TREE_INT_CST_ELT(NODE, 1) : 0; })
++
++#define INSN_DELETED_P(insn) (insn)->deleted()
++
++extern bool is_simple_builtin(tree);
++
++// symtab/cgraph related
+#define debug_cgraph_node(node) (node)->debug()
+#define cgraph_get_node(decl) cgraph_node::get(decl)
++#define cgraph_n_nodes symtab->cgraph_count
++#define cgraph_max_uid symtab->cgraph_max_uid
++
++typedef struct cgraph_node *cgraph_node_ptr;
++typedef struct cgraph_edge *cgraph_edge_p;
++
++static inline void change_decl_assembler_name(tree decl, tree name)
++{
++ symtab->change_decl_assembler_name(decl, name);
++}
++
++static inline void varpool_finalize_decl(tree decl)
++{
++ varpool_node::finalize_decl(decl);
++}
++
++static inline cgraph_node_ptr cgraph_function_node(cgraph_node_ptr node, enum availability *availability)
++{
++ return node->function_symbol(availability);
++}
++
++static inline cgraph_node_ptr cgraph_function_or_thunk_node(cgraph_node_ptr node, enum availability *availability = NULL)
++{
++ return node->ultimate_alias_target(availability);
++}
++
++static inline bool cgraph_only_called_directly_p(cgraph_node_ptr node)
++{
++ return node->only_called_directly_p();
++}
++
++static inline enum availability cgraph_function_body_availability(cgraph_node_ptr node)
++{
++ return node->get_availability();
++}
++
++static inline cgraph_node_ptr cgraph_alias_target(cgraph_node_ptr node)
++{
++ return node->get_alias_target();
++}
++
++static inline struct cgraph_node_hook_list *cgraph_add_function_insertion_hook(cgraph_node_hook hook, void *data)
++{
++ return symtab->add_cgraph_insertion_hook(hook, data);
++}
++
++static inline void cgraph_remove_function_insertion_hook(struct cgraph_node_hook_list *entry)
++{
++ symtab->remove_cgraph_insertion_hook(entry);
++}
++
++static inline struct cgraph_node_hook_list *cgraph_add_node_removal_hook(cgraph_node_hook hook, void *data)
++{
++ return symtab->add_cgraph_removal_hook(hook, data);
++}
++
++static inline void cgraph_remove_node_removal_hook(struct cgraph_node_hook_list *entry)
++{
++ symtab->remove_cgraph_removal_hook(entry);
++}
++
++static inline struct cgraph_2node_hook_list *cgraph_add_node_duplication_hook(cgraph_2node_hook hook, void *data)
++{
++ return symtab->add_cgraph_duplication_hook(hook, data);
++}
++
++static inline void cgraph_remove_node_duplication_hook(struct cgraph_2node_hook_list *entry)
++{
++ symtab->remove_cgraph_duplication_hook(entry);
++}
++
++// gimple related
++static inline gimple gimple_build_assign_with_ops(enum tree_code subcode, tree lhs, tree op1, tree op2 MEM_STAT_DECL)
++{
++ return gimple_build_assign(lhs, subcode, op1, op2 PASS_MEM_STAT);
++}
++
++static inline gasm *as_a_gasm(gimple stmt)
++{
++ return as_a<gasm *>(stmt);
++}
++
++static inline gcall *as_a_gcall(gimple stmt)
++{
++ return as_a<gcall *>(stmt);
++}
++
++// IPA/LTO related
++#define ipa_ref_list_referring_iterate(L,I,P) (L)->referring.iterate((I), &(P))
++#define ipa_ref_list_reference_iterate(L,I,P) (L)->reference.iterate((I), &(P))
++
++static inline cgraph_node_ptr ipa_ref_referring_node(struct ipa_ref *ref)
++{
++ return dyn_cast<cgraph_node_ptr>(ref->referring);
++}
+#endif
+
+#endif
@@ -114066,10 +114488,10 @@ index 0000000..89f256d
+}
diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..e48b323
+index 0000000..2a39357
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
-@@ -0,0 +1,466 @@
+@@ -0,0 +1,467 @@
+/*
+ * Copyright 2012-2014 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -114095,7 +114517,7 @@ index 0000000..e48b323
+
+int plugin_is_GPL_compatible;
+
-+static tree latent_entropy_decl;
++static GTY(()) tree latent_entropy_decl;
+
+static struct plugin_info latent_entropy_plugin_info = {
+ .version = "201409101820",
@@ -114440,6 +114862,7 @@ index 0000000..e48b323
+ TREE_STATIC(latent_entropy_decl) = 1;
+ TREE_PUBLIC(latent_entropy_decl) = 1;
+ TREE_USED(latent_entropy_decl) = 1;
++ DECL_PRESERVE_P(latent_entropy_decl) = 1;
+ TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
+ DECL_EXTERNAL(latent_entropy_decl) = 1;
+ DECL_ARTIFICIAL(latent_entropy_decl) = 1;
@@ -119546,7 +119969,7 @@ index 0000000..7c9e6d1
+
diff --git a/tools/gcc/size_overflow_plugin/size_overflow.h b/tools/gcc/size_overflow_plugin/size_overflow.h
new file mode 100644
-index 0000000..e5b4e50
+index 0000000..37f8fc3
--- /dev/null
+++ b/tools/gcc/size_overflow_plugin/size_overflow.h
@@ -0,0 +1,127 @@
@@ -119579,11 +120002,11 @@ index 0000000..e5b4e50
+};
+
+// size_overflow_plugin.c
-+extern tree report_size_overflow_decl;
-+extern tree size_overflow_type_HI;
-+extern tree size_overflow_type_SI;
-+extern tree size_overflow_type_DI;
-+extern tree size_overflow_type_TI;
++extern GTY(()) tree report_size_overflow_decl;
++extern GTY(()) tree size_overflow_type_HI;
++extern GTY(()) tree size_overflow_type_SI;
++extern GTY(()) tree size_overflow_type_DI;
++extern GTY(()) tree size_overflow_type_TI;
+
+
+// size_overflow_plugin_hash.c
@@ -126597,10 +127020,10 @@ index 0000000..0888f6c
+
diff --git a/tools/gcc/stackleak_plugin.c b/tools/gcc/stackleak_plugin.c
new file mode 100644
-index 0000000..924652b
+index 0000000..90125d6
--- /dev/null
+++ b/tools/gcc/stackleak_plugin.c
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,396 @@
+/*
+ * Copyright 2011-2014 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -126628,7 +127051,8 @@ index 0000000..924652b
+static int track_frame_size = -1;
+static const char track_function[] = "pax_track_stack";
+static const char check_function[] = "pax_check_alloca";
-+static tree track_function_decl, check_function_decl;
++static GTY(()) tree track_function_decl;
++static GTY(()) tree check_function_decl;
+static bool init_locals;
+
+static struct plugin_info stackleak_plugin_info = {
diff --git a/main/linux-grsec/kernelconfig.armhf b/main/linux-grsec/kernelconfig.armhf
index f1815b9ea4..1824327983 100644
--- a/main/linux-grsec/kernelconfig.armhf
+++ b/main/linux-grsec/kernelconfig.armhf
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 3.14.33 Kernel Configuration
+# Linux/arm 3.14.37 Kernel Configuration
#
CONFIG_ARM=y
CONFIG_MIGHT_HAVE_PCI=y
@@ -2566,6 +2566,7 @@ CONFIG_POWER_SUPPLY=y
# CONFIG_BATTERY_MAX17040 is not set
# CONFIG_BATTERY_MAX17042 is not set
# CONFIG_CHARGER_PCF50633 is not set
+# CONFIG_CHARGER_ISP1704 is not set
# CONFIG_CHARGER_MAX8903 is not set
# CONFIG_CHARGER_LP8727 is not set
# CONFIG_CHARGER_GPIO is not set
@@ -2815,6 +2816,7 @@ CONFIG_MFD_SYSCON=y
# CONFIG_MFD_TI_AM335X_TSCADC is not set
# CONFIG_MFD_LP3943 is not set
# CONFIG_MFD_LP8788 is not set
+CONFIG_MFD_OMAP_USB_HOST=y
# CONFIG_MFD_PALMAS is not set
# CONFIG_TPS6105X is not set
CONFIG_TPS65010=m
@@ -3564,19 +3566,26 @@ CONFIG_USB_WUSB_CBAF=m
#
CONFIG_USB_C67X00_HCD=m
CONFIG_USB_XHCI_HCD=m
-# CONFIG_USB_EHCI_HCD is not set
+CONFIG_USB_EHCI_HCD=m
+CONFIG_USB_EHCI_ROOT_HUB_TT=y
+CONFIG_USB_EHCI_TT_NEWSCHED=y
+CONFIG_USB_EHCI_MXC=m
+CONFIG_USB_EHCI_HCD_OMAP=m
+CONFIG_USB_EHCI_HCD_PLATFORM=m
CONFIG_USB_OXU210HP_HCD=m
CONFIG_USB_ISP116X_HCD=m
CONFIG_USB_ISP1760_HCD=m
CONFIG_USB_ISP1362_HCD=m
# CONFIG_USB_FUSBH200_HCD is not set
# CONFIG_USB_FOTG210_HCD is not set
-# CONFIG_USB_OHCI_HCD is not set
+CONFIG_USB_OHCI_HCD=m
+# CONFIG_USB_OHCI_HCD_SSB is not set
+CONFIG_USB_OHCI_HCD_PLATFORM=m
CONFIG_USB_U132_HCD=m
CONFIG_USB_SL811_HCD=m
CONFIG_USB_SL811_HCD_ISO=y
CONFIG_USB_R8A66597_HCD=m
-# CONFIG_USB_IMX21_HCD is not set
+CONFIG_USB_IMX21_HCD=m
# CONFIG_USB_HCD_BCMA is not set
CONFIG_USB_HCD_SSB=m
# CONFIG_USB_HCD_TEST_MODE is not set
@@ -3633,6 +3642,7 @@ CONFIG_MUSB_PIO_ONLY=y
CONFIG_USB_DWC2=m
# CONFIG_USB_DWC2_DEBUG is not set
# CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set
+# CONFIG_USB_CHIPIDEA is not set
#
# USB port drivers
@@ -3728,9 +3738,9 @@ CONFIG_USB_XUSBATM=m
#
# USB Physical Layer drivers
#
-# CONFIG_USB_PHY is not set
+CONFIG_USB_PHY=y
# CONFIG_USB_OTG_FSM is not set
-# CONFIG_NOP_USB_XCEIV is not set
+CONFIG_NOP_USB_XCEIV=m
# CONFIG_OMAP_CONTROL_USB is not set
# CONFIG_OMAP_USB3 is not set
# CONFIG_AM335X_PHY_USB is not set
@@ -4085,6 +4095,7 @@ CONFIG_RESET_CONTROLLER=y
#
CONFIG_GENERIC_PHY=y
# CONFIG_PHY_EXYNOS_MIPI_VIDEO is not set
+# CONFIG_OMAP_USB2 is not set
# CONFIG_PHY_EXYNOS_DP_VIDEO is not set
# CONFIG_BCM_KONA_USB2_PHY is not set
# CONFIG_POWERCAP is not set
@@ -4566,8 +4577,8 @@ CONFIG_PAX=y
#
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
-CONFIG_PAX_PT_PAX_FLAGS=y
-# CONFIG_PAX_XATTR_PAX_FLAGS is not set
+# CONFIG_PAX_PT_PAX_FLAGS is not set
+CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86
index 08cb790567..c168a72d86 100644
--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.14.33 Kernel Configuration
+# Linux/x86 3.14.37 Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@@ -68,6 +68,7 @@ CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
# CONFIG_FHANDLE is not set
# CONFIG_AUDIT is not set
@@ -5772,8 +5773,8 @@ CONFIG_PAX=y
#
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
-CONFIG_PAX_PT_PAX_FLAGS=y
-# CONFIG_PAX_XATTR_PAX_FLAGS is not set
+# CONFIG_PAX_PT_PAX_FLAGS is not set
+CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64
index dec4d20c0c..fcad3f6a12 100644
--- a/main/linux-grsec/kernelconfig.x86_64
+++ b/main/linux-grsec/kernelconfig.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.14.33 Kernel Configuration
+# Linux/x86_64 3.14.37 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -69,6 +69,7 @@ CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
# CONFIG_FHANDLE is not set
# CONFIG_AUDIT is not set
@@ -5652,8 +5653,8 @@ CONFIG_PAX=y
#
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
-CONFIG_PAX_PT_PAX_FLAGS=y
-# CONFIG_PAX_XATTR_PAX_FLAGS is not set
+# CONFIG_PAX_PT_PAX_FLAGS is not set
+CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set