author | Anthony G. Basile <blueness@gentoo.org> | 2013-06-27 06:45:14 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-06-27 06:45:14 -0400 |
commit | 609976f90826e1e43cbd4cd2df5733e292135947 (patch) | |
tree | e23ebfa2f9ff8eb2ac676d8f2057359db134c091 | |
parent | Grsec/PaX: 2.9.1-{3.2.47,3.9.7}-201306231443 (diff) | |
Grsec/PaX: 2.9.1-{2.6.32.61,3.2.47,3.9.7}-20130626190120130626
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306261859.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch) | 45 | ||||
-rw-r--r-- | 3.2.47/0000_README | 2 | ||||
-rw-r--r-- | 3.2.47/4420_grsecurity-2.9.1-3.2.47-201306261900.patch (renamed from 3.2.47/4420_grsecurity-2.9.1-3.2.47-201306231441.patch) | 219 | ||||
-rw-r--r-- | 3.9.7/0000_README | 2 | ||||
-rw-r--r-- | 3.9.7/4420_grsecurity-2.9.1-3.9.7-201306261901.patch (renamed from 3.9.7/4420_grsecurity-2.9.1-3.9.7-201306231443.patch) | 513 |
6 files changed, 415 insertions, 368 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 82857df..7236f6e 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -38,7 +38,7 @@ Patch: 1060_linux-2.6.32.61.patch From: http://www.kernel.org Desc: Linux 2.6.32.61 -Patch: 4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.61-201306261859.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306261859.patch index 2aa8c14..2d540c4 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306261859.patch @@ -14012,10 +14012,27 @@ index 621f56d..f1094fd 100644 - #endif /* _ASM_X86_PROTO_H */ diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h -index e668d72..5792fad 100644 +index e668d72..c4dd168 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h -@@ -152,28 +152,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs) +@@ -2,7 +2,6 @@ + #define _ASM_X86_PTRACE_H + + #include <linux/compiler.h> /* For __user */ +-#include <linux/linkage.h> /* For asmregparm */ + #include <asm/ptrace-abi.h> + #include <asm/processor-flags.h> + +@@ -143,37 +142,35 @@ extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, + int error_code, int si_code); + void signal_fault(struct pt_regs *regs, void __user *frame, char *where); + +-extern asmregparm long syscall_trace_enter(struct pt_regs *); +-extern asmregparm void syscall_trace_leave(struct pt_regs *); +- + static inline unsigned long regs_return_value(struct pt_regs *regs) + { + return regs->ax; } /* @@ -81972,7 +81989,7 @@ index cf98da1..da890a9 100644 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL); if (!server) diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c -index bfaef7b..e9d03ca 100644 +index bfaef7b..e9d03ca0 100644 
--- a/fs/nfs/inode.c +++ b/fs/nfs/inode.c @@ -156,7 +156,7 @@ static void nfs_zap_caches_locked(struct inode *inode) @@ -116407,10 +116424,18 @@ index f605b23..9e339dc 100644 write_unlock_bh(&iucv_sk_list.lock); diff --git a/net/key/af_key.c b/net/key/af_key.c -index 4e98193..439b449 100644 +index 4e98193..37072bd 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c -@@ -2489,6 +2489,8 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb, +@@ -1726,6 +1726,7 @@ static int key_notify_sa_flush(struct km_event *c) + hdr->sadb_msg_version = PF_KEY_V2; + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + + pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + +@@ -2489,6 +2490,8 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb, struct xfrm_migrate m[XFRM_MAX_DEPTH]; struct xfrm_kmaddress k; @@ -116419,7 +116444,15 @@ index 4e98193..439b449 100644 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1], ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) || !ext_hdrs[SADB_X_EXT_POLICY - 1]) { -@@ -3660,7 +3662,11 @@ static int pfkey_seq_show(struct seq_file *f, void *v) +@@ -2694,6 +2697,7 @@ static int key_notify_policy_flush(struct km_event *c) + hdr->sadb_msg_version = PF_KEY_V2; + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + return 0; + +@@ -3660,7 +3664,11 @@ static int pfkey_seq_show(struct seq_file *f, void *v) seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n"); else seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n", diff --git a/3.2.47/0000_README b/3.2.47/0000_README index b9aefff..749c390 100644 --- a/3.2.47/0000_README +++ b/3.2.47/0000_README @@ -106,7 +106,7 @@ Patch: 1046_linux-3.2.47.patch 
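Review bot: The two new inner hunks in key_notify_sa_flush and key_notify_policy_flush zero `hdr->sadb_msg_reserved` right after the version/errno/len assignments, but nothing at the site says why, and the reason is not obvious from the assignments alone: as far as this hunk shows, the skb payload that pfkey_broadcast hands to user space is not cleared beforehand, so an unset reserved field would presumably carry stale kernel memory to the receiver. A one-line comment above the new assignment in both functions, e.g. `/* skb data is not pre-zeroed; an unset reserved field would reach user space */`, would record that. The same two inner hunks are added to the 3.2.47 patch's af_key.c hunk (@@ -89914) and should carry the same comment. Both functions continue outside the hunk.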
From: http://www.kernel.org Desc: Linux 3.2.47 -Patch: 4420_grsecurity-2.9.1-3.2.47-201306231441.patch +Patch: 4420_grsecurity-2.9.1-3.2.47-201306261900.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306231441.patch b/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306261900.patch index 548030a..445d69c 100644 --- a/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306231441.patch +++ b/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306261900.patch @@ -17156,7 +17156,7 @@ index d2d488b8..a4f589f 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index 6274f5f..7157a62 100644 +index 6274f5f..9337430 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -55,6 +55,8 @@ @@ -17232,7 +17232,7 @@ index 6274f5f..7157a62 100644 jmp *%rdi #endif -@@ -178,6 +186,311 @@ ENTRY(native_usergs_sysret64) +@@ -178,6 +186,285 @@ ENTRY(native_usergs_sysret64) ENDPROC(native_usergs_sysret64) #endif /* CONFIG_PARAVIRT */ @@ -17362,9 +17362,9 @@ index 6274f5f..7157a62 100644 + sub phys_base(%rip),%rbx + +#ifdef CONFIG_PARAVIRT -+ pushq %rdi + cmpl $0, pv_info+PARAVIRT_enabled + jz 1f ++ pushq %rdi + i = 0 + .rept USER_PGD_PTRS + mov i*8(%rbx),%rsi @@ -17373,6 +17373,7 @@ index 6274f5f..7157a62 100644 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) + i = i + 1 + .endr ++ popq %rdi + jmp 2f +1: +#endif @@ -17384,7 +17385,7 @@ index 6274f5f..7157a62 100644 + .endr + +#ifdef CONFIG_PARAVIRT -+2: popq %rdi ++2: +#endif + SET_RDI_INTO_CR3 + @@ -17425,7 +17426,6 @@ index 6274f5f..7157a62 100644 + sub phys_base(%rip),%rbx + +#ifdef CONFIG_PARAVIRT -+ pushq %rdi + cmpl $0, pv_info+PARAVIRT_enabled + jz 1f + i = 0 @@ -17436,8 +17436,6 @@ index 6274f5f..7157a62 100644 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) + i = i + 1 + .endr -+ popq %rdi -+ PV_RESTORE_REGS(CLBR_RDI) + jmp 2f +1: +#endif 
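Review bot: With `pushq %rdi`/`popq %rdi` dropped from the paravirt branch of pax_exit_kernel_user (hunks @@ -17425 and @@ -17436) and `PV_RESTORE_REGS(CLBR_RDI)` moved to label `2:` in the following hunk (@@ -17449), the register restore now runs on both the pv-enabled path and the `1:` fallthrough, where it previously ran only on the pv-enabled path; that is only balanced if the matching PV_SAVE_REGS is likewise reached on both paths, which is outside the hunk, so please confirm. A short comment at the label, `2: PV_RESTORE_REGS(CLBR_RDI) /* pairs with PV_SAVE_REGS above; both pv paths reach here */`, would make the pairing checkable without reading the whole macro. The symmetric change to pax_enter_kernel_user (@@ -17362, @@ -17373, @@ -17384) keeps push and pop both inside the `jz 1f` branch and looks balanced as shown. The identical rework is applied to the 3.9.7 patch's entry_64.S hunks (@@ -19245 through @@ -19332); both macro bodies start and end outside the hunk.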
@@ -17449,7 +17447,7 @@ index 6274f5f..7157a62 100644 + .endr + +#ifdef CONFIG_PARAVIRT -+2: ++2: PV_RESTORE_REGS(CLBR_RDI) +#endif + + popq %rbx @@ -17461,30 +17459,6 @@ index 6274f5f..7157a62 100644 +ENDPROC(pax_exit_kernel_user) +#endif + -+ .macro pax_enter_kernel_nmi -+ pax_set_fptr_mask -+ -+#ifdef CONFIG_PAX_KERNEXEC -+ GET_CR0_INTO_RDI -+ bts $16,%rdi -+ SET_RDI_INTO_CR0 -+ jc 110f -+ or $2,%ebx -+110: -+#endif -+ .endm -+ -+ .macro pax_exit_kernel_nmi -+#ifdef CONFIG_PAX_KERNEXEC -+ test $2,%ebx -+ jz 110f -+ GET_CR0_INTO_RDI -+ btr $16,%rdi -+ SET_RDI_INTO_CR0 -+110: -+#endif -+ .endm -+ +.macro pax_erase_kstack +#ifdef CONFIG_PAX_MEMORY_STACKLEAK + call pax_erase_kstack @@ -17544,7 +17518,7 @@ index 6274f5f..7157a62 100644 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET #ifdef CONFIG_TRACE_IRQFLAGS -@@ -231,8 +544,8 @@ ENDPROC(native_usergs_sysret64) +@@ -231,8 +518,8 @@ ENDPROC(native_usergs_sysret64) .endm .macro UNFAKE_STACK_FRAME @@ -17555,7 +17529,7 @@ index 6274f5f..7157a62 100644 .endm /* -@@ -319,7 +632,7 @@ ENDPROC(native_usergs_sysret64) +@@ -319,7 +606,7 @@ ENDPROC(native_usergs_sysret64) movq %rsp, %rsi leaq -RBP(%rsp),%rdi /* arg1 for handler */ @@ -17564,7 +17538,7 @@ index 6274f5f..7157a62 100644 je 1f SWAPGS /* -@@ -355,9 +668,10 @@ ENTRY(save_rest) +@@ -355,9 +642,10 @@ ENTRY(save_rest) movq_cfi r15, R15+16 movq %r11, 8(%rsp) /* return address */ FIXUP_TOP_OF_STACK %r11, 16 @@ -17576,7 +17550,7 @@ index 6274f5f..7157a62 100644 /* save complete stack frame */ .pushsection .kprobes.text, "ax" -@@ -386,9 +700,10 @@ ENTRY(save_paranoid) +@@ -386,9 +674,10 @@ ENTRY(save_paranoid) js 1f /* negative -> in kernel */ SWAPGS xorl %ebx,%ebx @@ -17589,7 +17563,7 @@ index 6274f5f..7157a62 100644 .popsection /* -@@ -410,7 +725,7 @@ ENTRY(ret_from_fork) +@@ -410,7 +699,7 @@ ENTRY(ret_from_fork) RESTORE_REST 
@@ -17598,7 +17572,7 @@ index 6274f5f..7157a62 100644 je int_ret_from_sys_call testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -@@ -420,7 +735,7 @@ ENTRY(ret_from_fork) +@@ -420,7 +709,7 @@ ENTRY(ret_from_fork) jmp ret_from_sys_call # go to the SYSRET fastpath CFI_ENDPROC @@ -17607,7 +17581,7 @@ index 6274f5f..7157a62 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -456,7 +771,7 @@ END(ret_from_fork) +@@ -456,7 +745,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -17616,7 +17590,7 @@ index 6274f5f..7157a62 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -469,12 +784,18 @@ ENTRY(system_call_after_swapgs) +@@ -469,12 +758,18 @@ ENTRY(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp @@ -17636,7 +17610,7 @@ index 6274f5f..7157a62 100644 movq %rax,ORIG_RAX-ARGOFFSET(%rsp) movq %rcx,RIP-ARGOFFSET(%rsp) CFI_REL_OFFSET rip,RIP-ARGOFFSET -@@ -484,7 +805,7 @@ ENTRY(system_call_after_swapgs) +@@ -484,7 +779,7 @@ ENTRY(system_call_after_swapgs) system_call_fastpath: cmpq $__NR_syscall_max,%rax ja badsys @@ -17645,7 +17619,7 @@ index 6274f5f..7157a62 100644 call *sys_call_table(,%rax,8) # XXX: rip relative movq %rax,RAX-ARGOFFSET(%rsp) /* -@@ -503,6 +824,8 @@ sysret_check: +@@ -503,6 +798,8 @@ sysret_check: andl %edi,%edx jnz sysret_careful CFI_REMEMBER_STATE @@ -17654,7 +17628,7 @@ index 6274f5f..7157a62 100644 /* * sysretq will re-enable interrupts: */ -@@ -554,14 +877,18 @@ badsys: +@@ -554,14 +851,18 @@ badsys: * jump back to the normal fast path. */ auditsys: @@ -17674,7 +17648,7 @@ index 6274f5f..7157a62 100644 jmp system_call_fastpath /* -@@ -591,16 +918,20 @@ tracesys: +@@ -591,16 +892,20 @@ tracesys: FIXUP_TOP_OF_STACK %rdi movq %rsp,%rdi call syscall_trace_enter 
@@ -17696,7 +17670,7 @@ index 6274f5f..7157a62 100644 call *sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) /* Use IRET because user could have changed frame */ -@@ -612,7 +943,7 @@ tracesys: +@@ -612,7 +917,7 @@ tracesys: GLOBAL(int_ret_from_sys_call) DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -17705,7 +17679,7 @@ index 6274f5f..7157a62 100644 je retint_restore_args movl $_TIF_ALLWORK_MASK,%edi /* edi: mask to check */ -@@ -623,7 +954,9 @@ GLOBAL(int_with_check) +@@ -623,7 +928,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -17716,7 +17690,7 @@ index 6274f5f..7157a62 100644 /* Either reschedule or signal or syscall exit tracking needed. */ /* First do a reschedule test. */ -@@ -669,7 +1002,7 @@ int_restore_rest: +@@ -669,7 +976,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -17725,7 +17699,7 @@ index 6274f5f..7157a62 100644 /* * Certain special system calls that need to save a complete full stack frame. -@@ -685,7 +1018,7 @@ ENTRY(\label) +@@ -685,7 +992,7 @@ ENTRY(\label) call \func jmp ptregscall_common CFI_ENDPROC @@ -17734,7 +17708,7 @@ index 6274f5f..7157a62 100644 .endm PTREGSCALL stub_clone, sys_clone, %r8 -@@ -703,9 +1036,10 @@ ENTRY(ptregscall_common) +@@ -703,9 +1010,10 @@ ENTRY(ptregscall_common) movq_cfi_restore R12+8, r12 movq_cfi_restore RBP+8, rbp movq_cfi_restore RBX+8, rbx @@ -17746,7 +17720,7 @@ index 6274f5f..7157a62 100644 ENTRY(stub_execve) CFI_STARTPROC -@@ -720,7 +1054,7 @@ ENTRY(stub_execve) +@@ -720,7 +1028,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -17755,7 +17729,7 @@ index 6274f5f..7157a62 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -738,7 +1072,7 @@ ENTRY(stub_rt_sigreturn) +@@ -738,7 +1046,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC 
@@ -17764,7 +17738,7 @@ index 6274f5f..7157a62 100644 /* * Build the entry stubs and pointer table with some assembler magic. -@@ -773,7 +1107,7 @@ vector=vector+1 +@@ -773,7 +1081,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -17773,7 +17747,7 @@ index 6274f5f..7157a62 100644 .previous END(interrupt) -@@ -793,6 +1127,16 @@ END(interrupt) +@@ -793,6 +1101,16 @@ END(interrupt) subq $ORIG_RAX-RBP, %rsp CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP SAVE_ARGS_IRQ @@ -17790,7 +17764,7 @@ index 6274f5f..7157a62 100644 call \func .endm -@@ -824,7 +1168,7 @@ ret_from_intr: +@@ -824,7 +1142,7 @@ ret_from_intr: exit_intr: GET_THREAD_INFO(%rcx) @@ -17799,7 +17773,7 @@ index 6274f5f..7157a62 100644 je retint_kernel /* Interrupt came from user space */ -@@ -846,12 +1190,16 @@ retint_swapgs: /* return to user-space */ +@@ -846,12 +1164,16 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -17816,7 +17790,7 @@ index 6274f5f..7157a62 100644 /* * The iretq could re-enable interrupts: */ -@@ -940,7 +1288,7 @@ ENTRY(retint_kernel) +@@ -940,7 +1262,7 @@ ENTRY(retint_kernel) #endif CFI_ENDPROC @@ -17825,7 +17799,7 @@ index 6274f5f..7157a62 100644 /* * End of kprobes section */ -@@ -956,7 +1304,7 @@ ENTRY(\sym) +@@ -956,7 +1278,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -17834,7 +17808,7 @@ index 6274f5f..7157a62 100644 .endm #ifdef CONFIG_SMP -@@ -1021,12 +1369,22 @@ ENTRY(\sym) +@@ -1021,12 +1343,22 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -17858,7 +17832,7 @@ index 6274f5f..7157a62 100644 .endm .macro paranoidzeroentry sym do_sym -@@ -1038,15 +1396,25 @@ ENTRY(\sym) +@@ -1038,15 +1370,25 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF 
@@ -17886,7 +17860,7 @@ index 6274f5f..7157a62 100644 .macro paranoidzeroentry_ist sym do_sym ist ENTRY(\sym) INTR_FRAME -@@ -1056,14 +1424,30 @@ ENTRY(\sym) +@@ -1056,14 +1398,30 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF @@ -17918,7 +17892,7 @@ index 6274f5f..7157a62 100644 .endm .macro errorentry sym do_sym -@@ -1074,13 +1458,23 @@ ENTRY(\sym) +@@ -1074,13 +1432,23 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -17943,7 +17917,7 @@ index 6274f5f..7157a62 100644 .endm /* error code is on the stack already */ -@@ -1093,13 +1487,23 @@ ENTRY(\sym) +@@ -1093,13 +1461,23 @@ ENTRY(\sym) call save_paranoid DEFAULT_FRAME 0 TRACE_IRQS_OFF @@ -17968,7 +17942,7 @@ index 6274f5f..7157a62 100644 .endm zeroentry divide_error do_divide_error -@@ -1129,9 +1533,10 @@ gs_change: +@@ -1129,9 +1507,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -17980,7 +17954,7 @@ index 6274f5f..7157a62 100644 .section __ex_table,"a" .align 8 -@@ -1153,13 +1558,14 @@ ENTRY(kernel_thread_helper) +@@ -1153,13 +1532,14 @@ ENTRY(kernel_thread_helper) * Here we are in the child and the registers are set as they were * at kernel_thread() invocation in the parent. */ @@ -17996,7 +17970,7 @@ index 6274f5f..7157a62 100644 /* * execve(). This function needs to use IRET, not SYSRET, to set up all state properly. -@@ -1186,11 +1592,11 @@ ENTRY(kernel_execve) +@@ -1186,11 +1566,11 @@ ENTRY(kernel_execve) RESTORE_REST testq %rax,%rax je int_ret_from_sys_call @@ -18010,7 +17984,7 @@ index 6274f5f..7157a62 100644 /* Call softirq on interrupt stack. Interrupts are off. */ ENTRY(call_softirq) -@@ -1208,9 +1614,10 @@ ENTRY(call_softirq) +@@ -1208,9 +1588,10 @@ ENTRY(call_softirq) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) 
@@ -18022,7 +17996,7 @@ index 6274f5f..7157a62 100644 #ifdef CONFIG_XEN zeroentry xen_hypervisor_callback xen_do_hypervisor_callback -@@ -1248,7 +1655,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1248,7 +1629,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -18031,7 +18005,7 @@ index 6274f5f..7157a62 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1307,7 +1714,7 @@ ENTRY(xen_failsafe_callback) +@@ -1307,7 +1688,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -18040,7 +18014,7 @@ index 6274f5f..7157a62 100644 apicinterrupt XEN_HVM_EVTCHN_CALLBACK \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1356,16 +1763,31 @@ ENTRY(paranoid_exit) +@@ -1356,16 +1737,31 @@ ENTRY(paranoid_exit) TRACE_IRQS_OFF testl %ebx,%ebx /* swapgs needed? */ jnz paranoid_restore @@ -18073,7 +18047,7 @@ index 6274f5f..7157a62 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1394,7 +1816,7 @@ paranoid_schedule: +@@ -1394,7 +1790,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -18082,7 +18056,7 @@ index 6274f5f..7157a62 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1421,12 +1843,13 @@ ENTRY(error_entry) +@@ -1421,12 +1817,13 @@ ENTRY(error_entry) movq_cfi r14, R14+8 movq_cfi r15, R15+8 xorl %ebx,%ebx @@ -18097,7 +18071,7 @@ index 6274f5f..7157a62 100644 ret /* -@@ -1453,7 +1876,7 @@ bstep_iret: +@@ -1453,7 +1850,7 @@ bstep_iret: movq %rcx,RIP+8(%rsp) jmp error_swapgs CFI_ENDPROC @@ -18106,7 +18080,7 @@ index 6274f5f..7157a62 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1473,7 +1896,7 @@ ENTRY(error_exit) +@@ -1473,7 +1870,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC 
@@ -18115,38 +18089,55 @@ index 6274f5f..7157a62 100644 /* runs on exception stack */ -@@ -1485,6 +1908,8 @@ ENTRY(nmi) +@@ -1485,6 +1882,17 @@ ENTRY(nmi) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid DEFAULT_FRAME 0 -+ pax_enter_kernel_nmi ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ testb $3, CS(%rsp) ++ jnz 1f ++ pax_enter_kernel ++ jmp 2f ++1: pax_enter_kernel_user ++2: ++#else ++ pax_enter_kernel ++#endif + /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi movq $-1,%rsi -@@ -1493,15 +1918,19 @@ ENTRY(nmi) - /* paranoidexit; without TRACE_IRQS_OFF */ - /* ebx: no swapgs flag */ +@@ -1495,12 +1903,28 @@ ENTRY(nmi) DISABLE_INTERRUPTS(CLBR_NONE) -- testl %ebx,%ebx /* swapgs needed? */ -+ testl $1,%ebx /* swapgs needed? */ + testl %ebx,%ebx /* swapgs needed? */ jnz nmi_restore - testl $3,CS(%rsp) +- testl $3,CS(%rsp) ++ testb $3,CS(%rsp) jnz nmi_userspace ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pax_exit_kernel ++ SWAPGS_UNSAFE_STACK ++ RESTORE_ALL 8 ++ pax_force_retaddr_bts ++ jmp irq_return ++#endif nmi_swapgs: ++#ifdef CONFIG_PAX_MEMORY_UDEREF ++ pax_exit_kernel_user ++#else ++ pax_exit_kernel ++#endif SWAPGS_UNSAFE_STACK ++ RESTORE_ALL 8 ++ jmp irq_return nmi_restore: -+ pax_exit_kernel_nmi ++ pax_exit_kernel RESTORE_ALL 8 -- jmp irq_return -+ testb $3, 8(%rsp) -+ jnz 1f + pax_force_retaddr_bts -+1: jmp irq_return + jmp irq_return nmi_userspace: GET_THREAD_INFO(%rcx) - movl TI_flags(%rcx),%ebx -@@ -1529,14 +1958,14 @@ nmi_schedule: +@@ -1529,14 +1953,14 @@ nmi_schedule: jmp paranoid_exit CFI_ENDPROC #endif @@ -18164,7 +18155,7 @@ index 6274f5f..7157a62 100644 /* * End of kprobes section diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c -index c9a281f..3658fbe 100644 +index c9a281f..7316164 100644 --- a/arch/x86/kernel/ftrace.c +++ b/arch/x86/kernel/ftrace.c @@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the IP to write to */ 
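Review bot: The CONFIG_PAX_MEMORY_UDEREF block inserted after `jnz nmi_userspace` (inner hunk @@ -1495) duplicates the `SWAPGS_UNSAFE_STACK` / `RESTORE_ALL 8` / `jmp irq_return` tail of nmi_swapgs, differing only in pax_exit_kernel versus pax_exit_kernel_user and the extra pax_force_retaddr_bts, and no comment says which case it handles; from the two preceding tests it is an NMI that arrived with kernel CS but with swapgs still needed (ebx == 0), presumably the window around SWAPGS on syscall entry/exit. Suggest a comment above that `#ifdef`, e.g. `/* kernel CS but user GS: leave as kernel, swap GS, harden the return address */`. nmi_restore now applies pax_force_retaddr_bts unconditionally where the previous patch guarded it with `testb $3, 8(%rsp)`; in the visible flow nmi_restore is only reached when ebx is non-zero, which is why the guard can go, but that deserves a one-line comment at the label since the path is also a jump target from code outside the hunk. ENTRY(nmi) starts and ends outside the hunk.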
@@ -18197,15 +18188,6 @@ index c9a281f..3658fbe 100644 } /* Must have previous changes seen before executions */ smp_mb(); -@@ -236,7 +238,7 @@ do_ftrace_mod_code(unsigned long ip, const void *new_code) - * kernel identity mapping to modify code. - */ - if (within(ip, (unsigned long)_text, (unsigned long)_etext)) -- ip = (unsigned long)__va(__pa(ip)); -+ ip = (unsigned long)__va(__pa(ktla_ktva(ip))); - - mod_code_ip = (void *)ip; - mod_code_newcode = new_code; @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, unsigned const char *old_code, { unsigned char replaced[MCOUNT_INSN_SIZE]; @@ -18215,15 +18197,6 @@ index c9a281f..3658fbe 100644 /* * Note: Due to modules and __init, code can * disappear and change, we need to protect against faulting -@@ -282,7 +286,7 @@ ftrace_modify_code(unsigned long ip, unsigned const char *old_code, - */ - - /* read the text we want to modify */ -- if (probe_kernel_read(replaced, (void *)ip, MCOUNT_INSN_SIZE)) -+ if (probe_kernel_read(replaced, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE)) - return -EFAULT; - - /* Make sure it is what we expect it to be */ @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_func_t func) unsigned char old[MCOUNT_INSN_SIZE], *new; int ret; @@ -18704,7 +18677,7 @@ index ce0be7c..1252d68 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index e11e394..9aebc5d 100644 +index e11e394..b1c65cc 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -19,6 +19,8 @@ @@ -18930,7 +18903,7 @@ index e11e394..9aebc5d 100644 NEXT_PAGE(level2_kernel_pgt) /* -@@ -389,33 +429,55 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -389,35 +429,56 @@ NEXT_PAGE(level2_kernel_pgt) * If you want to increase this then increase MODULES_VADDR * too.) */ @@ -18994,8 +18967,10 @@ index e11e394..9aebc5d 100644 - .skip IDT_ENTRIES * 16 + .fill 512,8,0 - __PAGE_ALIGNED_BSS +- __PAGE_ALIGNED_BSS .align PAGE_SIZE + ENTRY(empty_zero_page) + .skip PAGE_SIZE 
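Review bot: The 3.2.47 patch no longer wraps `ip` in `ktla_ktva()` in do_ftrace_mod_code (`__va(__pa(ip))`) or in the probe_kernel_read of ftrace_modify_code, so on this branch the code-patching path reads and patches the untranslated address; nothing in the hunk or the commit title says whether that is because the translation is already applied by the caller on this kernel or because it was wrong here. If the former, a comment at the remaining ftrace_modify_code inner hunk (@@ -271), `/* ip is already a linear address here; no ktla_ktva() translation needed */`, would stop it being re-added on the next rebase. Both functions continue outside the hunk.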
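Review bot: Deleting `__PAGE_ALIGNED_BSS` in the head_64.S inner hunk (@@ -389) leaves `ENTRY(empty_zero_page)` in whichever section the preceding idt_table `.fill 512,8,0` lives in; that section directive is outside the hunk, so if it is a read-only data section the zero page becomes non-writable, which is reasonable for a page that must stay zero but is now entirely implicit. A one-line comment above `ENTRY(empty_zero_page)` naming the intended section, e.g. `/* deliberately kept in the same section as idt_table (not BSS) so the page is never written */`, would document the intent. The surrounding page-table definitions extend outside the hunk.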
diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c index 9c3bd4a..e1d9b35 100644 --- a/arch/x86/kernel/i386_ksyms_32.c @@ -37514,7 +37489,7 @@ index 614ebeb..ce439fd 100644 .callback = ss4200_led_dmi_callback, .ident = "Intel SS4200-E", diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c -index b5fdcb7..5b6c59f 100644 +index b5fdcb7..8ed3519 100644 --- a/drivers/lguest/core.c +++ b/drivers/lguest/core.c @@ -92,9 +92,17 @@ static __init int map_switcher(void) @@ -37522,7 +37497,7 @@ index b5fdcb7..5b6c59f 100644 * allocates an extra guard page, so we need space for that. */ + -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE, + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE); @@ -89914,10 +89889,26 @@ index 403be43..87f09da 100644 }; diff --git a/net/key/af_key.c b/net/key/af_key.c -index 1e733e9..3d73c9f 100644 +index 1e733e9..b603137 100644 --- a/net/key/af_key.c 
+++ b/net/key/af_key.c -@@ -3016,10 +3016,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc +@@ -1705,6 +1705,7 @@ static int key_notify_sa_flush(const struct km_event *c) + hdr->sadb_msg_version = PF_KEY_V2; + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + + pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + +@@ -2686,6 +2687,7 @@ static int key_notify_policy_flush(const struct km_event *c) + hdr->sadb_msg_version = PF_KEY_V2; + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + return 0; + +@@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc static u32 get_acqseq(void) { u32 res; diff --git a/3.9.7/0000_README b/3.9.7/0000_README index ad315b8..14536fc 100644 --- a/3.9.7/0000_README +++ b/3.9.7/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.9.7-201306231443.patch +Patch: 4420_grsecurity-2.9.1-3.9.7-201306261901.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.9.7/4420_grsecurity-2.9.1-3.9.7-201306231443.patch b/3.9.7/4420_grsecurity-2.9.1-3.9.7-201306261901.patch index 5af3232..45e175d 100644 --- a/3.9.7/4420_grsecurity-2.9.1-3.9.7-201306231443.patch +++ b/3.9.7/4420_grsecurity-2.9.1-3.9.7-201306261901.patch @@ -3799,7 +3799,7 @@ index 04d9006..c547d85 100644 return __arm_ioremap_caller(phys_addr, size, mtype, __builtin_return_address(0)); diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c -index 10062ce..cd34fb9 100644 +index 10062ce..8695745 100644 
--- a/arch/arm/mm/mmap.c +++ b/arch/arm/mm/mmap.c @@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, @@ -3876,20 +3876,7 @@ index 10062ce..cd34fb9 100644 addr = vm_unmapped_area(&info); /* -@@ -162,6 +172,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - VM_BUG_ON(addr != -ENOMEM); - info.flags = 0; - info.low_limit = mm->mmap_base; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ info.low_limit += mm->delta_mmap; -+#endif -+ - info.high_limit = TASK_SIZE; - addr = vm_unmapped_area(&info); - } -@@ -173,6 +189,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -173,6 +183,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm) { unsigned long random_factor = 0UL; @@ -3900,7 +3887,7 @@ index 10062ce..cd34fb9 100644 /* 8 bits of randomness in 20 address space bits */ if ((current->flags & PF_RANDOMIZE) && !(current->personality & ADDR_NO_RANDOMIZE)) -@@ -180,10 +200,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) +@@ -180,10 +194,22 @@ void arch_pick_mmap_layout(struct mm_struct *mm) if (mmap_is_legacy()) { mm->mmap_base = TASK_UNMAPPED_BASE + random_factor; @@ -19028,7 +19015,7 @@ index 8f3e2de..934870f 100644 /* diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S -index c1d01e6..1bef85a 100644 +index c1d01e6..7f633850 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -59,6 +59,8 @@ @@ -19115,7 +19102,7 @@ index c1d01e6..1bef85a 100644 #endif -@@ -284,6 +293,311 @@ ENTRY(native_usergs_sysret64) +@@ -284,6 +293,309 @@ ENTRY(native_usergs_sysret64) ENDPROC(native_usergs_sysret64) #endif /* CONFIG_PARAVIRT */ @@ -19245,9 +19232,9 @@ index c1d01e6..1bef85a 100644 + sub phys_base(%rip),%rbx + +#ifdef CONFIG_PARAVIRT -+ pushq %rdi + cmpl $0, pv_info+PARAVIRT_enabled + jz 1f ++ pushq %rdi + i = 0 + .rept USER_PGD_PTRS + mov i*8(%rbx),%rsi 
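Review bot: The 3.9.7 patch drops the inner hunk that added `mm->delta_mmap` to `info.low_limit` in the bottom-up fallback of arch_get_unmapped_area_topdown, so under CONFIG_PAX_RANDMMAP that fallback search now starts exactly at `mm->mmap_base`; whether that base already carries the randomization delta (it is set in arch_pick_mmap_layout, whose hunk follows) is not visible here, so please confirm the fallback range is still randomized rather than fixed. If mmap_base already includes the delta, a comment at the fallback, `/* mmap_base already includes delta_mmap under RANDMMAP; do not add it again */`, would prevent the offset being reintroduced on a later rebase. The function continues outside the hunk.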
@@ -19256,6 +19243,7 @@ index c1d01e6..1bef85a 100644 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) + i = i + 1 + .endr ++ popq %rdi + jmp 2f +1: +#endif @@ -19267,7 +19255,7 @@ index c1d01e6..1bef85a 100644 + .endr + +#ifdef CONFIG_PARAVIRT -+2: popq %rdi ++2: +#endif + SET_RDI_INTO_CR3 + @@ -19308,7 +19296,6 @@ index c1d01e6..1bef85a 100644 + sub phys_base(%rip),%rbx + +#ifdef CONFIG_PARAVIRT -+ pushq %rdi + cmpl $0, pv_info+PARAVIRT_enabled + jz 1f + i = 0 @@ -19319,8 +19306,6 @@ index c1d01e6..1bef85a 100644 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched) + i = i + 1 + .endr -+ popq %rdi -+ PV_RESTORE_REGS(CLBR_RDI) + jmp 2f +1: +#endif @@ -19332,7 +19317,7 @@ index c1d01e6..1bef85a 100644 + .endr + +#ifdef CONFIG_PARAVIRT -+2: ++2: PV_RESTORE_REGS(CLBR_RDI) +#endif + + popq %rbx @@ -19350,8 +19335,8 @@ index c1d01e6..1bef85a 100644 +#ifdef CONFIG_PAX_KERNEXEC + GET_CR0_INTO_RDI + bts $16,%rdi -+ SET_RDI_INTO_CR0 + jc 110f ++ SET_RDI_INTO_CR0 + or $2,%ebx +110: +#endif @@ -19359,8 +19344,8 @@ index c1d01e6..1bef85a 100644 + + .macro pax_exit_kernel_nmi +#ifdef CONFIG_PAX_KERNEXEC -+ test $2,%ebx -+ jz 110f ++ btr $1,%ebx ++ jnc 110f + GET_CR0_INTO_RDI + btr $16,%rdi + SET_RDI_INTO_CR0 @@ -19427,7 +19412,7 @@ index c1d01e6..1bef85a 100644 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET #ifdef CONFIG_TRACE_IRQFLAGS -@@ -375,8 +689,8 @@ ENDPROC(native_usergs_sysret64) +@@ -375,8 +687,8 @@ ENDPROC(native_usergs_sysret64) .endm .macro UNFAKE_STACK_FRAME @@ -19438,7 +19423,7 @@ index c1d01e6..1bef85a 100644 .endm /* -@@ -463,7 +777,7 @@ ENDPROC(native_usergs_sysret64) +@@ -463,7 +775,7 @@ ENDPROC(native_usergs_sysret64) movq %rsp, %rsi leaq -RBP(%rsp),%rdi /* arg1 for handler */ @@ -19447,7 +19432,7 @@ index c1d01e6..1bef85a 100644 je 1f SWAPGS /* -@@ -498,9 +812,10 @@ ENTRY(save_rest) +@@ -498,9 +810,10 @@ ENTRY(save_rest) movq_cfi r15, R15+16 movq %r11, 8(%rsp) /* return address */ FIXUP_TOP_OF_STACK %r11, 16 
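Review bot: In the reworked pax_enter_kernel_nmi (inner hunk around @@ -19350) `jc 110f` now precedes `SET_RDI_INTO_CR0`, so CR0 is written and the ebx flag set only when WP was clear, and pax_exit_kernel_nmi consumes the flag with `btr $1,%ebx` / `jnc 110f` instead of `test $2,%ebx` / `jz 110f`; neither macro says what ebx bit 1 means or that the carry test must come before a CR0 write that may clobber flags, so a comment at each would help: `/* ebx bit 1: we cleared WP for this NMI and must restore it on exit */` above the `or $2,%ebx`, and `/* consume our flag so ebx is back to its entry value */` above the `btr`, assuming ebx is tested later as the swapgs flag (outside the hunk). Note that the 3.2.47 patch in this same commit instead removes these two macros (hunk @@ -17461) and enters NMIs through pax_enter_kernel/pax_enter_kernel_user; if the two branches are meant to diverge that should be recorded somewhere, otherwise one of them is likely stale. Both macro bodies start outside the hunk.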
@@ -19459,7 +19444,7 @@ index c1d01e6..1bef85a 100644 /* save complete stack frame */ .pushsection .kprobes.text, "ax" -@@ -529,9 +844,10 @@ ENTRY(save_paranoid) +@@ -529,9 +842,10 @@ ENTRY(save_paranoid) js 1f /* negative -> in kernel */ SWAPGS xorl %ebx,%ebx @@ -19472,7 +19457,7 @@ index c1d01e6..1bef85a 100644 .popsection /* -@@ -553,7 +869,7 @@ ENTRY(ret_from_fork) +@@ -553,7 +867,7 @@ ENTRY(ret_from_fork) RESTORE_REST @@ -19481,7 +19466,7 @@ index c1d01e6..1bef85a 100644 jz 1f testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET -@@ -571,7 +887,7 @@ ENTRY(ret_from_fork) +@@ -571,7 +885,7 @@ ENTRY(ret_from_fork) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19490,7 +19475,7 @@ index c1d01e6..1bef85a 100644 /* * System call entry. Up to 6 arguments in registers are supported. -@@ -608,7 +924,7 @@ END(ret_from_fork) +@@ -608,7 +922,7 @@ END(ret_from_fork) ENTRY(system_call) CFI_STARTPROC simple CFI_SIGNAL_FRAME @@ -19499,7 +19484,7 @@ index c1d01e6..1bef85a 100644 CFI_REGISTER rip,rcx /*CFI_REGISTER rflags,r11*/ SWAPGS_UNSAFE_STACK -@@ -621,16 +937,23 @@ GLOBAL(system_call_after_swapgs) +@@ -621,16 +935,23 @@ GLOBAL(system_call_after_swapgs) movq %rsp,PER_CPU_VAR(old_rsp) movq PER_CPU_VAR(kernel_stack),%rsp @@ -19525,7 +19510,7 @@ index c1d01e6..1bef85a 100644 jnz tracesys system_call_fastpath: #if __SYSCALL_MASK == ~0 -@@ -640,7 +963,7 @@ system_call_fastpath: +@@ -640,7 +961,7 @@ system_call_fastpath: cmpl $__NR_syscall_max,%eax #endif ja badsys @@ -19534,7 +19519,7 @@ index c1d01e6..1bef85a 100644 call *sys_call_table(,%rax,8) # XXX: rip relative movq %rax,RAX-ARGOFFSET(%rsp) /* -@@ -654,10 +977,13 @@ sysret_check: +@@ -654,10 +975,13 @@ sysret_check: LOCKDEP_SYS_EXIT DISABLE_INTERRUPTS(CLBR_NONE) TRACE_IRQS_OFF @@ -19549,7 +19534,7 @@ index c1d01e6..1bef85a 100644 /* * sysretq will re-enable interrupts: */ -@@ -709,14 +1035,18 @@ badsys: +@@ -709,14 +1033,18 @@ badsys: * jump back to the normal fast path. */ auditsys: 
@@ -19569,7 +19554,7 @@ index c1d01e6..1bef85a 100644 jmp system_call_fastpath /* -@@ -737,7 +1067,7 @@ sysret_audit: +@@ -737,7 +1065,7 @@ sysret_audit: /* Do syscall tracing */ tracesys: #ifdef CONFIG_AUDITSYSCALL @@ -19578,7 +19563,7 @@ index c1d01e6..1bef85a 100644 jz auditsys #endif SAVE_REST -@@ -745,12 +1075,16 @@ tracesys: +@@ -745,12 +1073,16 @@ tracesys: FIXUP_TOP_OF_STACK %rdi movq %rsp,%rdi call syscall_trace_enter @@ -19595,7 +19580,7 @@ index c1d01e6..1bef85a 100644 RESTORE_REST #if __SYSCALL_MASK == ~0 cmpq $__NR_syscall_max,%rax -@@ -759,7 +1093,7 @@ tracesys: +@@ -759,7 +1091,7 @@ tracesys: cmpl $__NR_syscall_max,%eax #endif ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */ @@ -19604,7 +19589,7 @@ index c1d01e6..1bef85a 100644 call *sys_call_table(,%rax,8) movq %rax,RAX-ARGOFFSET(%rsp) /* Use IRET because user could have changed frame */ -@@ -780,7 +1114,9 @@ GLOBAL(int_with_check) +@@ -780,7 +1112,9 @@ GLOBAL(int_with_check) andl %edi,%edx jnz int_careful andl $~TS_COMPAT,TI_status(%rcx) @@ -19615,7 +19600,7 @@ index c1d01e6..1bef85a 100644 /* Either reschedule or signal or syscall exit tracking needed. */ /* First do a reschedule test. */ -@@ -826,7 +1162,7 @@ int_restore_rest: +@@ -826,7 +1160,7 @@ int_restore_rest: TRACE_IRQS_OFF jmp int_with_check CFI_ENDPROC @@ -19624,7 +19609,7 @@ index c1d01e6..1bef85a 100644 .macro FORK_LIKE func ENTRY(stub_\func) -@@ -839,9 +1175,10 @@ ENTRY(stub_\func) +@@ -839,9 +1173,10 @@ ENTRY(stub_\func) DEFAULT_FRAME 0 8 /* offset 8: return address */ call sys_\func RESTORE_TOP_OF_STACK %r11, 8 @@ -19636,7 +19621,7 @@ index c1d01e6..1bef85a 100644 .endm .macro FIXED_FRAME label,func -@@ -851,9 +1188,10 @@ ENTRY(\label) +@@ -851,9 +1186,10 @@ ENTRY(\label) FIXUP_TOP_OF_STACK %r11, 8-ARGOFFSET call \func RESTORE_TOP_OF_STACK %r11, 8-ARGOFFSET 
@@ -19648,7 +19633,7 @@ index c1d01e6..1bef85a 100644 .endm FORK_LIKE clone -@@ -870,9 +1208,10 @@ ENTRY(ptregscall_common) +@@ -870,9 +1206,10 @@ ENTRY(ptregscall_common) movq_cfi_restore R12+8, r12 movq_cfi_restore RBP+8, rbp movq_cfi_restore RBX+8, rbx @@ -19660,7 +19645,7 @@ index c1d01e6..1bef85a 100644 ENTRY(stub_execve) CFI_STARTPROC -@@ -885,7 +1224,7 @@ ENTRY(stub_execve) +@@ -885,7 +1222,7 @@ ENTRY(stub_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19669,7 +19654,7 @@ index c1d01e6..1bef85a 100644 /* * sigreturn is special because it needs to restore all registers on return. -@@ -902,7 +1241,7 @@ ENTRY(stub_rt_sigreturn) +@@ -902,7 +1239,7 @@ ENTRY(stub_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19678,7 +19663,7 @@ index c1d01e6..1bef85a 100644 #ifdef CONFIG_X86_X32_ABI ENTRY(stub_x32_rt_sigreturn) -@@ -916,7 +1255,7 @@ ENTRY(stub_x32_rt_sigreturn) +@@ -916,7 +1253,7 @@ ENTRY(stub_x32_rt_sigreturn) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19687,7 +19672,7 @@ index c1d01e6..1bef85a 100644 ENTRY(stub_x32_execve) CFI_STARTPROC -@@ -930,7 +1269,7 @@ ENTRY(stub_x32_execve) +@@ -930,7 +1267,7 @@ ENTRY(stub_x32_execve) RESTORE_REST jmp int_ret_from_sys_call CFI_ENDPROC @@ -19696,7 +19681,7 @@ index c1d01e6..1bef85a 100644 #endif -@@ -967,7 +1306,7 @@ vector=vector+1 +@@ -967,7 +1304,7 @@ vector=vector+1 2: jmp common_interrupt .endr CFI_ENDPROC @@ -19705,7 +19690,7 @@ index c1d01e6..1bef85a 100644 .previous END(interrupt) -@@ -987,6 +1326,16 @@ END(interrupt) +@@ -987,6 +1324,16 @@ END(interrupt) subq $ORIG_RAX-RBP, %rsp CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP SAVE_ARGS_IRQ @@ -19722,7 +19707,7 @@ index c1d01e6..1bef85a 100644 call \func .endm -@@ -1019,7 +1368,7 @@ ret_from_intr: +@@ -1019,7 +1366,7 @@ ret_from_intr: exit_intr: GET_THREAD_INFO(%rcx) 
@@ -19731,7 +19716,7 @@ index c1d01e6..1bef85a 100644 je retint_kernel /* Interrupt came from user space */ -@@ -1041,12 +1390,16 @@ retint_swapgs: /* return to user-space */ +@@ -1041,12 +1388,16 @@ retint_swapgs: /* return to user-space */ * The iretq could re-enable interrupts: */ DISABLE_INTERRUPTS(CLBR_ANY) @@ -19748,7 +19733,7 @@ index c1d01e6..1bef85a 100644 /* * The iretq could re-enable interrupts: */ -@@ -1129,7 +1482,7 @@ ENTRY(retint_kernel) +@@ -1129,7 +1480,7 @@ ENTRY(retint_kernel) #endif CFI_ENDPROC @@ -19757,7 +19742,7 @@ index c1d01e6..1bef85a 100644 /* * End of kprobes section */ -@@ -1147,7 +1500,7 @@ ENTRY(\sym) +@@ -1147,7 +1498,7 @@ ENTRY(\sym) interrupt \do_sym jmp ret_from_intr CFI_ENDPROC @@ -19766,7 +19751,7 @@ index c1d01e6..1bef85a 100644 .endm #ifdef CONFIG_SMP -@@ -1203,12 +1556,22 @@ ENTRY(\sym) +@@ -1203,12 +1554,22 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -19790,7 +19775,7 @@ index c1d01e6..1bef85a 100644 .endm .macro paranoidzeroentry sym do_sym -@@ -1221,15 +1584,25 @@ ENTRY(\sym) +@@ -1221,15 +1582,25 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF @@ -19818,7 +19803,7 @@ index c1d01e6..1bef85a 100644 .macro paranoidzeroentry_ist sym do_sym ist ENTRY(\sym) INTR_FRAME -@@ -1240,14 +1613,30 @@ ENTRY(\sym) +@@ -1240,14 +1611,30 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call save_paranoid TRACE_IRQS_OFF_DEBUG @@ -19850,7 +19835,7 @@ index c1d01e6..1bef85a 100644 .endm .macro errorentry sym do_sym -@@ -1259,13 +1648,23 @@ ENTRY(\sym) +@@ -1259,13 +1646,23 @@ ENTRY(\sym) CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15 call error_entry DEFAULT_FRAME 0 @@ -19875,7 +19860,7 @@ index c1d01e6..1bef85a 100644 .endm /* error code is on the stack already */ -@@ -1279,13 +1678,23 @@ ENTRY(\sym) +@@ -1279,13 +1676,23 @@ ENTRY(\sym) call save_paranoid DEFAULT_FRAME 0 TRACE_IRQS_OFF 
@@ -19900,7 +19885,7 @@ index c1d01e6..1bef85a 100644 .endm zeroentry divide_error do_divide_error -@@ -1315,9 +1724,10 @@ gs_change: +@@ -1315,9 +1722,10 @@ gs_change: 2: mfence /* workaround */ SWAPGS popfq_cfi @@ -19912,7 +19897,7 @@ index c1d01e6..1bef85a 100644 _ASM_EXTABLE(gs_change,bad_gs) .section .fixup,"ax" -@@ -1345,9 +1755,10 @@ ENTRY(call_softirq) +@@ -1345,9 +1753,10 @@ ENTRY(call_softirq) CFI_DEF_CFA_REGISTER rsp CFI_ADJUST_CFA_OFFSET -8 decl PER_CPU_VAR(irq_count) @@ -19924,7 +19909,7 @@ index c1d01e6..1bef85a 100644 #ifdef CONFIG_XEN zeroentry xen_hypervisor_callback xen_do_hypervisor_callback -@@ -1385,7 +1796,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) +@@ -1385,7 +1794,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs) decl PER_CPU_VAR(irq_count) jmp error_exit CFI_ENDPROC @@ -19933,7 +19918,7 @@ index c1d01e6..1bef85a 100644 /* * Hypervisor uses this for application faults while it executes. -@@ -1444,7 +1855,7 @@ ENTRY(xen_failsafe_callback) +@@ -1444,7 +1853,7 @@ ENTRY(xen_failsafe_callback) SAVE_ALL jmp error_exit CFI_ENDPROC @@ -19942,7 +19927,7 @@ index c1d01e6..1bef85a 100644 apicinterrupt HYPERVISOR_CALLBACK_VECTOR \ xen_hvm_callback_vector xen_evtchn_do_upcall -@@ -1498,16 +1909,31 @@ ENTRY(paranoid_exit) +@@ -1498,16 +1907,31 @@ ENTRY(paranoid_exit) TRACE_IRQS_OFF_DEBUG testl %ebx,%ebx /* swapgs needed? */ jnz paranoid_restore @@ -19975,7 +19960,7 @@ index c1d01e6..1bef85a 100644 jmp irq_return paranoid_userspace: GET_THREAD_INFO(%rcx) -@@ -1536,7 +1962,7 @@ paranoid_schedule: +@@ -1536,7 +1960,7 @@ paranoid_schedule: TRACE_IRQS_OFF jmp paranoid_userspace CFI_ENDPROC @@ -19984,7 +19969,7 @@ index c1d01e6..1bef85a 100644 /* * Exception entry point. This expects an error code/orig_rax on the stack. -@@ -1563,12 +1989,13 @@ ENTRY(error_entry) +@@ -1563,12 +1987,13 @@ ENTRY(error_entry) movq_cfi r14, R14+8 movq_cfi r15, R15+8 xorl %ebx,%ebx 
@@ -19999,7 +19984,7 @@ index c1d01e6..1bef85a 100644 ret /* -@@ -1595,7 +2022,7 @@ bstep_iret: +@@ -1595,7 +2020,7 @@ bstep_iret: movq %rcx,RIP+8(%rsp) jmp error_swapgs CFI_ENDPROC @@ -20008,7 +19993,7 @@ index c1d01e6..1bef85a 100644 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */ -@@ -1615,7 +2042,7 @@ ENTRY(error_exit) +@@ -1615,7 +2040,7 @@ ENTRY(error_exit) jnz retint_careful jmp retint_swapgs CFI_ENDPROC @@ -20017,7 +20002,7 @@ index c1d01e6..1bef85a 100644 /* * Test if a given stack is an NMI stack or not. -@@ -1673,9 +2100,11 @@ ENTRY(nmi) +@@ -1673,9 +2098,11 @@ ENTRY(nmi) * If %cs was not the kernel segment, then the NMI triggered in user * space, which means it is definitely not nested. */ @@ -20030,7 +20015,7 @@ index c1d01e6..1bef85a 100644 /* * Check the special variable on the stack to see if NMIs are * executing. -@@ -1709,8 +2138,7 @@ nested_nmi: +@@ -1709,8 +2136,7 @@ nested_nmi: 1: /* Set up the interrupted NMIs stack to jump to repeat_nmi */ @@ -20040,7 +20025,7 @@ index c1d01e6..1bef85a 100644 CFI_ADJUST_CFA_OFFSET 1*8 leaq -10*8(%rsp), %rdx pushq_cfi $__KERNEL_DS -@@ -1728,6 +2156,7 @@ nested_nmi_out: +@@ -1728,6 +2154,7 @@ nested_nmi_out: CFI_RESTORE rdx /* No need to check faults here */ @@ -20048,7 +20033,7 @@ index c1d01e6..1bef85a 100644 INTERRUPT_RETURN CFI_RESTORE_STATE -@@ -1844,6 +2273,8 @@ end_repeat_nmi: +@@ -1844,6 +2271,8 @@ end_repeat_nmi: */ movq %cr2, %r12 @@ -20057,7 +20042,7 @@ index c1d01e6..1bef85a 100644 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp,%rdi movq $-1,%rsi -@@ -1856,26 +2287,31 @@ end_repeat_nmi: +@@ -1856,26 +2285,31 @@ end_repeat_nmi: movq %r12, %cr2 1: @@ -20604,7 +20589,7 @@ index 73afd11..d1670f5 100644 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S -index 321d65e..e9437f7 100644 +index 321d65e..7830f05 100644 --- a/arch/x86/kernel/head_64.S +++ b/arch/x86/kernel/head_64.S @@ -20,6 +20,8 @@ 
@@ -20770,7 +20755,7 @@ index 321d65e..e9437f7 100644 NEXT_PAGE(level2_kernel_pgt) /* * 512 MB kernel mapping. We spend a full page on this pagetable -@@ -488,38 +536,64 @@ NEXT_PAGE(level2_kernel_pgt) +@@ -488,39 +536,64 @@ NEXT_PAGE(level2_kernel_pgt) KERNEL_IMAGE_SIZE/PMD_SIZE) NEXT_PAGE(level2_fixmap_pgt) @@ -20844,8 +20829,9 @@ index 321d65e..e9437f7 100644 - .skip IDT_ENTRIES * 16 + .fill 512,8,0 - __PAGE_ALIGNED_BSS +- __PAGE_ALIGNED_BSS NEXT_PAGE(empty_zero_page) + .skip PAGE_SIZE diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c index 0fa6912..37fce70 100644 --- a/arch/x86/kernel/i386_ksyms_32.c @@ -22601,7 +22587,7 @@ index f2bb9c9..bed145d7 100644 1: diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index fae9134..f8e4a47 100644 +index fae9134..8fcd87c 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -111,6 +111,7 @@ @@ -22644,7 +22630,7 @@ index fae9134..f8e4a47 100644 void __init setup_arch(char **cmdline_p) { +#ifdef CONFIG_X86_32 -+ memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - ____LOAD_PHYSICAL_ADDR); ++ memblock_reserve(LOAD_PHYSICAL_ADDR, __pa_symbol(__bss_stop) - LOAD_PHYSICAL_ADDR); +#else memblock_reserve(__pa_symbol(_text), (unsigned long)__bss_stop - (unsigned long)_text); @@ -22923,10 +22909,10 @@ index 9b4d51d..5d28b58 100644 switch (opcode[i]) { diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c new file mode 100644 -index 0000000..207bec6 +index 0000000..5877189 --- /dev/null +++ b/arch/x86/kernel/sys_i386_32.c -@@ -0,0 +1,250 @@ +@@ -0,0 +1,189 @@ +/* + * This file contains various random system calls that + * have a non-standard calling sequence on the Linux/i386 @@ -22947,6 +22933,7 @@ index 0000000..207bec6 +#include <linux/file.h> +#include <linux/utsname.h> +#include <linux/ipc.h> ++#include <linux/elf.h> + +#include <linux/uaccess.h> +#include <linux/unistd.h> 
@@ -22969,13 +22956,28 @@ index 0000000..207bec6 + return 0; +} + ++/* ++ * Align a virtual address to avoid aliasing in the I$ on AMD F15h. ++ */ ++static unsigned long get_align_mask(void) ++{ ++ if (va_align.flags < 0 || !(va_align.flags & ALIGN_VA_32)) ++ return 0; ++ ++ if (!(current->flags & PF_RANDOMIZE)) ++ return 0; ++ ++ return va_align.mask; ++} ++ +unsigned long +arch_get_unmapped_area(struct file *filp, unsigned long addr, + unsigned long len, unsigned long pgoff, unsigned long flags) +{ + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; -+ unsigned long start_addr, pax_task_size = TASK_SIZE; ++ unsigned long pax_task_size = TASK_SIZE; ++ struct vm_unmapped_area_info info; + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC 
@@ -23003,61 +23005,35 @@ index 0000000..207bec6 + return addr; + } + } -+ if (len > mm->cached_hole_size) { -+ start_addr = addr = mm->free_area_cache; -+ } else { -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; -+ } ++ ++ info.flags = 0; ++ info.length = len; ++ info.align_mask = filp ? get_align_mask() : 0; ++ info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + +#ifdef CONFIG_PAX_PAGEEXEC -+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) { -+ start_addr = 0x00110000UL; ++ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) { ++ info.low_limit = 0x00110000UL; ++ info.high_limit = mm->start_code; + +#ifdef CONFIG_PAX_RANDMMAP + if (mm->pax_flags & MF_PAX_RANDMMAP) -+ start_addr += mm->delta_mmap & 0x03FFF000UL; ++ info.low_limit += mm->delta_mmap & 0x03FFF000UL; +#endif + -+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base) -+ start_addr = addr = mm->mmap_base; -+ else -+ addr = start_addr; -+ } ++ if (info.low_limit < info.high_limit) { ++ addr = vm_unmapped_area(&info); ++ if (!IS_ERR_VALUE(addr)) ++ return addr; ++ } ++ } else +#endif + -+full_search: -+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) { -+ /* At this point: (!vma || addr < vma->vm_end). */ -+ if (pax_task_size - len < addr) { -+ /* -+ * Start a new search - just in case we missed -+ * some holes. 
-+ */ -+ if (start_addr != mm->mmap_base) { -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; -+ goto full_search; -+ } -+ return -ENOMEM; -+ } -+ if (check_heap_stack_gap(vma, addr, len, offset)) -+ break; -+ if (addr + mm->cached_hole_size < vma->vm_start) -+ mm->cached_hole_size = vma->vm_start - addr; -+ addr = vma->vm_end; -+ if (mm->start_brk <= addr && addr < mm->mmap_base) { -+ start_addr = addr = mm->mmap_base; -+ mm->cached_hole_size = 0; -+ goto full_search; -+ } -+ } ++ info.low_limit = mm->mmap_base; ++ info.high_limit = pax_task_size; + -+ /* -+ * Remember the place where we stopped the search: -+ */ -+ mm->free_area_cache = addr + len; -+ return addr; ++ return vm_unmapped_area(&info); +} + +unsigned long @@ -23067,7 +23043,8 @@ index 0000000..207bec6 +{ + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; -+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE; ++ unsigned long addr = addr0, pax_task_size = TASK_SIZE; ++ struct vm_unmapped_area_info info; + unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags); + +#ifdef CONFIG_PAX_SEGMEXEC 
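Review bot: In the CONFIG_PAX_PAGEEXEC block of `arch_get_unmapped_area()` the `} else` that immediately precedes `#endif` binds only to `info.low_limit = mm->mmap_base;`; `info.high_limit = pax_task_size;` and the final `return vm_unmapped_area(&info);` run on both paths, so when the executable window (`0x00110000UL` up to `mm->start_code`) yields nothing, the second search runs from that low limit all the way up to `pax_task_size`. That looks like the intended replacement for the removed `start_addr` fallback, but an else split by a preprocessor conditional is easy to misread as "exec window or mmap_base, never both". A comment before the `#endif`, e.g. `/* exec window exhausted: fall through and search from its low limit up to pax_task_size */`, or an explicitly braced else, would make the control flow obvious. The function's signature lives in the preceding hunk; this hunk starts mid-body.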
@@ -23103,46 +23080,18 @@ index 0000000..207bec6 + } + } + -+ /* check if free_area_cache is useful for us */ -+ if (len <= mm->cached_hole_size) { -+ mm->cached_hole_size = 0; -+ mm->free_area_cache = mm->mmap_base; -+ } -+ -+ /* either no address requested or can't fit in requested address hole */ -+ addr = mm->free_area_cache; -+ -+ /* make sure it can fit in the remaining address space */ -+ if (addr > len) { -+ vma = find_vma(mm, addr-len); -+ if (check_heap_stack_gap(vma, addr - len, len, offset)) -+ /* remember the address as a hint for next time */ -+ return (mm->free_area_cache = addr-len); -+ } -+ -+ if (mm->mmap_base < len) -+ goto bottomup; -+ -+ addr = mm->mmap_base-len; -+ -+ do { -+ /* -+ * Lookup failure means no vma is above this address, -+ * else if new region fits below vma->vm_start, -+ * return with success: -+ */ -+ vma = find_vma(mm, addr); -+ if (check_heap_stack_gap(vma, addr, len, offset)) -+ /* remember the address as a hint for next time */ -+ return (mm->free_area_cache = addr); -+ -+ /* remember the largest hole we saw so far */ -+ if (addr + mm->cached_hole_size < vma->vm_start) -+ mm->cached_hole_size = vma->vm_start - addr; ++ info.flags = VM_UNMAPPED_AREA_TOPDOWN; ++ info.length = len; ++ info.low_limit = PAGE_SIZE; ++ info.high_limit = mm->mmap_base; ++ info.align_mask = filp ? get_align_mask() : 0; ++ info.align_offset = pgoff << PAGE_SHIFT; ++ info.threadstack_offset = offset; + -+ /* try just below the current vma->vm_start */ -+ addr = skip_heap_stack_gap(vma, len, offset); -+ } while (!IS_ERR_VALUE(addr)); ++ addr = vm_unmapped_area(&info); ++ if (!(addr & ~PAGE_MASK)) ++ return addr; ++ VM_BUG_ON(addr != -ENOMEM); + +bottomup: + /* 
@@ -23151,31 +23100,7 @@ index 0000000..207bec6 + * can happen with large stack limits and large mmap() + * allocations. + */ -+ -+#ifdef CONFIG_PAX_SEGMEXEC -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE; -+ else -+#endif -+ -+ mm->mmap_base = TASK_UNMAPPED_BASE; -+ -+#ifdef CONFIG_PAX_RANDMMAP -+ if (mm->pax_flags & MF_PAX_RANDMMAP) -+ mm->mmap_base += mm->delta_mmap; -+#endif -+ -+ mm->free_area_cache = mm->mmap_base; -+ mm->cached_hole_size = ~0UL; -+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags); -+ /* -+ * Restore the topdown base: -+ */ -+ mm->mmap_base = base; -+ mm->free_area_cache = base; -+ mm->cached_hole_size = ~0UL; -+ -+ return addr; ++ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags); +} diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c index dbded5a..ace2781 100644 @@ -38029,7 +37954,7 @@ index 64e204e..c6bf189 100644 .callback = ss4200_led_dmi_callback, .ident = "Intel SS4200-E", diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c -index a5ebc00..982886f 100644 +index a5ebc00..3de3364 100644 --- a/drivers/lguest/core.c +++ b/drivers/lguest/core.c @@ -92,9 +92,17 @@ static __init int map_switcher(void) @@ -38037,7 +37962,7 @@ index a5ebc00..982886f 100644 * allocates an extra guard page, so we need space for that. */ + -+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) ++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC) + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE, + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE); @@ -57045,7 +56970,7 @@ index ca9ecaa..60100c7 100644 kfree(s); diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig new file mode 100644 -index 0000000..ba9c5e3 +index 0000000..4fb1dde --- /dev/null +++ b/grsecurity/Kconfig @@ -0,0 +1,1053 @@ 
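Review bot: The `bottomup:` fallback now simply delegates to `arch_get_unmapped_area()`, whose rewritten body (previous hunks) searches from `info.low_limit = mm->mmap_base`; with a top-down layout that base sits near the top of the address space, so the retry only covers [mmap_base, pax_task_size), whereas the removed lines deliberately reset the base to `TASK_UNMAPPED_BASE` (plus the RANDMMAP delta) before retrying, and upstream's own fallback in mm/mmap.c later in this diff uses `info.low_limit = TASK_UNMAPPED_BASE`. Unless the narrower range is intended, build the fallback search here with the legacy low limit as sketched below; if it is intended, a comment saying so would spare the next reader the same detour. Note that the CONFIG_PAX_PAGEEXEC exec-window handling inside `arch_get_unmapped_area()` would no longer run on this path with the sketch, so confirm that is acceptable before switching.
```c
bottomup:
	/* … unchanged: comment on why the bottom-up retry exists … */
	info.flags = 0;
	info.length = len;
#ifdef CONFIG_PAX_SEGMEXEC
	if (mm->pax_flags & MF_PAX_SEGMEXEC)
		info.low_limit = SEGMEXEC_TASK_UNMAPPED_BASE;
	else
#endif
	info.low_limit = TASK_UNMAPPED_BASE;
#ifdef CONFIG_PAX_RANDMMAP
	if (mm->pax_flags & MF_PAX_RANDMMAP)
		info.low_limit += mm->delta_mmap;
#endif
	info.high_limit = pax_task_size;
	info.align_mask = filp ? get_align_mask() : 0;
	info.align_offset = pgoff << PAGE_SHIFT;
	info.threadstack_offset = offset;
	return vm_unmapped_area(&info);
```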
@@ -57156,7 +57081,7 @@ index 0000000..ba9c5e3 +config GRKERNSEC_RAND_THREADSTACK + bool "Insert random gaps between thread stacks" + default y if GRKERNSEC_CONFIG_AUTO -+ depends on PAX_RANDMMAP && !PPC && BROKEN ++ depends on PAX_RANDMMAP && !PPC + help + If you say Y here, a random-sized gap will be enforced between allocated + thread stacks. Glibc's NPTL and other threading libraries that @@ -70255,7 +70180,7 @@ index b8ba855..0148090 100644 u32 remainder; return div_u64_rem(dividend, divisor, &remainder); diff --git a/include/linux/mm.h b/include/linux/mm.h -index e2091b8..821db54 100644 +index e2091b8..3c7b38c 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -101,6 +101,11 @@ extern unsigned int kobjsize(const void *objp); @@ -70428,14 +70353,29 @@ index e2091b8..821db54 100644 #ifdef CONFIG_MMU extern int __mm_populate(unsigned long addr, unsigned long len, -@@ -1483,6 +1497,7 @@ struct vm_unmapped_area_info { +@@ -1483,10 +1497,11 @@ struct vm_unmapped_area_info { unsigned long high_limit; unsigned long align_mask; unsigned long align_offset; + unsigned long threadstack_offset; }; - extern unsigned long unmapped_area(struct vm_unmapped_area_info *info); +-extern unsigned long unmapped_area(struct vm_unmapped_area_info *info); +-extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info); ++extern unsigned long unmapped_area(const struct vm_unmapped_area_info *info); ++extern unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info); + + /* + * Search for an unmapped address range. +@@ -1498,7 +1513,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info); + * - satisfies (begin_addr & align_mask) == (align_offset & align_mask) + */ + static inline unsigned long +-vm_unmapped_area(struct vm_unmapped_area_info *info) ++vm_unmapped_area(const struct vm_unmapped_area_info *info) + { + if (!(info->flags & VM_UNMAPPED_AREA_TOPDOWN)) + return unmapped_area(info); 
@@ -1561,6 +1576,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr, struct vm_area_struct **pprev); @@ -82244,7 +82184,7 @@ index 79b7cf7..9944291 100644 capable(CAP_IPC_LOCK)) ret = do_mlockall(flags); diff --git a/mm/mmap.c b/mm/mmap.c -index 0dceed8..e7cfc40 100644 +index 0dceed8..bfcaf45 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -33,6 +33,7 @@ @@ -82645,10 +82585,11 @@ index 0dceed8..e7cfc40 100644 kmem_cache_free(vm_area_cachep, vma); unacct_error: if (charged) -@@ -1584,6 +1744,62 @@ unacct_error: +@@ -1584,7 +1744,63 @@ unacct_error: return error; } +-unsigned long unmapped_area(struct vm_unmapped_area_info *info) +#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK +unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags) +{ 
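Review bot: `struct vm_unmapped_area_info` gains `threadstack_offset`, but callers fill this struct member by member on the stack (`struct vm_unmapped_area_info info;` followed by `info.flags = ...` in both mm/mmap.c and sys_i386_32.c in this diff), so any `vm_unmapped_area()` caller that is not updated alongside — other architectures' `arch_get_unmapped_area*` and the hugetlb callers are not visible in this chunk — now feeds an uninitialized value into the new gap arithmetic in `unmapped_area()`. Either audit every caller for an `info.threadstack_offset = ...` assignment or have them zero-initialize the struct (`struct vm_unmapped_area_info info = {};`) so the field is harmless when unset. The field itself is undocumented; a comment along the lines of `/* extra distance, in bytes, kept between the returned range and the neighbouring vma (GRKERNSEC_RAND_THREADSTACK) */` would help, and the comment block over `vm_unmapped_area()` that lists what the returned range satisfies should gain a matching bullet. The `const` qualification of the three prototypes is a welcome tightening.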
@@ -82705,10 +82646,76 @@ index 0dceed8..e7cfc40 100644 + return -ENOMEM; +} + - unsigned long unmapped_area(struct vm_unmapped_area_info *info) ++unsigned long unmapped_area(const struct vm_unmapped_area_info *info) { /* -@@ -1803,6 +2019,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + * We implement the search by looking for an rbtree node that +@@ -1632,11 +1848,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) + } + } + +- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0; ++ gap_start = vma->vm_prev ? vma->vm_prev->vm_end: 0; + check_current: + /* Check if current node has a suitable gap */ + if (gap_start > high_limit) + return -ENOMEM; ++ ++ if (gap_end - gap_start > info->threadstack_offset) ++ gap_start += info->threadstack_offset; ++ else ++ gap_start = gap_end; ++ ++ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) { ++ if (gap_end - gap_start > sysctl_heap_stack_gap) ++ gap_start += sysctl_heap_stack_gap; ++ else ++ gap_start = gap_end; ++ } ++ if (vma->vm_flags & VM_GROWSDOWN) { ++ if (gap_end - gap_start > sysctl_heap_stack_gap) ++ gap_end -= sysctl_heap_stack_gap; ++ else ++ gap_end = gap_start; ++ } + if (gap_end >= low_limit && gap_end - gap_start >= length) + goto found; + +@@ -1686,7 +1920,7 @@ found: + return gap_start; + } + +-unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info) ++unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info) + { + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; +@@ -1740,6 +1974,24 @@ check_current: + gap_end = vma->vm_start; + if (gap_end < low_limit) + return -ENOMEM; ++ ++ if (gap_end - gap_start > info->threadstack_offset) ++ gap_end -= info->threadstack_offset; ++ else ++ gap_end = gap_start; ++ ++ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) { ++ if (gap_end - gap_start > sysctl_heap_stack_gap) ++ gap_start += sysctl_heap_stack_gap; ++ else ++ gap_start = gap_end; ++ } ++ if 
(vma->vm_flags & VM_GROWSDOWN) { ++ if (gap_end - gap_start > sysctl_heap_stack_gap) ++ gap_end -= sysctl_heap_stack_gap; ++ else ++ gap_end = gap_start; ++ } + if (gap_start <= high_limit && gap_end - gap_start >= length) + goto found; + +@@ -1803,6 +2055,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, struct mm_struct *mm = current->mm; struct vm_area_struct *vma; struct vm_unmapped_area_info info; @@ -82716,7 +82723,7 @@ index 0dceed8..e7cfc40 100644 if (len > TASK_SIZE) return -ENOMEM; -@@ -1810,29 +2027,45 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, +@@ -1810,29 +2063,45 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, if (flags & MAP_FIXED) return addr; @@ -82765,7 +82772,7 @@ index 0dceed8..e7cfc40 100644 mm->free_area_cache = addr; } -@@ -1850,6 +2083,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1850,6 +2119,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, struct mm_struct *mm = current->mm; unsigned long addr = addr0; struct vm_unmapped_area_info info; @@ -82773,7 +82780,7 @@ index 0dceed8..e7cfc40 100644 /* requested length too big for entire address space */ if (len > TASK_SIZE) -@@ -1858,12 +2092,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1858,12 +2128,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, if (flags & MAP_FIXED) return addr; @@ -82791,7 +82798,7 @@ index 0dceed8..e7cfc40 100644 return addr; } -@@ -1872,6 +2109,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1872,6 +2145,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, info.low_limit = PAGE_SIZE; info.high_limit = mm->mmap_base; info.align_mask = 0; 
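Review bot: In `unmapped_area()` the new `gap_start += info->threadstack_offset` and the VM_GROWSUP bump run after the `if (gap_start > high_limit) return -ENOMEM;` test and nothing re-checks the shifted value, so a gap whose bounding vma starts above `info->high_limit` can still pass `gap_end - gap_start >= length` and the function returns a start beyond the caller's high limit (the `found:` path outside this hunk asserts `gap_start + info->length <= info->high_limit` upstream, so with CONFIG_DEBUG_VM this becomes a VM_BUG_ON). `unmapped_area_topdown()` has the mirror image: `gap_end -= info->threadstack_offset` and the VM_GROWSDOWN trim follow the `if (gap_end < low_limit) return -ENOMEM;` test, so a low gap can be reported below `info->low_limit`. Because both searches visit gaps in limit order, repeating the test after the adjustments is sufficient: add `if (gap_start > high_limit) return -ENOMEM;` just before the `goto found` test in unmapped_area, and `if (gap_end < low_limit) return -ENOMEM;` just before it in unmapped_area_topdown. Separately, the context line `vm_end: 0` drops the space that the original `vm_end : 0` had; the hunk would be cleaner without that whitespace-only edit.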
@@ -82799,7 +82806,7 @@ index 0dceed8..e7cfc40 100644 addr = vm_unmapped_area(&info); /* -@@ -1884,6 +2122,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1884,6 +2158,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, VM_BUG_ON(addr != -ENOMEM); info.flags = 0; info.low_limit = TASK_UNMAPPED_BASE; @@ -82812,7 +82819,7 @@ index 0dceed8..e7cfc40 100644 info.high_limit = TASK_SIZE; addr = vm_unmapped_area(&info); } -@@ -1894,6 +2138,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, +@@ -1894,6 +2174,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) { @@ -82825,7 +82832,7 @@ index 0dceed8..e7cfc40 100644 /* * Is this a new hole at the highest possible address? */ -@@ -1901,8 +2151,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) +@@ -1901,8 +2187,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr) mm->free_area_cache = addr; /* dont allow allocations above current base */ @@ -82837,7 +82844,7 @@ index 0dceed8..e7cfc40 100644 } unsigned long -@@ -2001,6 +2253,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, +@@ -2001,6 +2289,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr, return vma; } @@ -82866,7 +82873,7 @@ index 0dceed8..e7cfc40 100644 /* * Verify that the stack growth is acceptable and * update accounting. This is shared with both the -@@ -2017,6 +2291,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2017,6 +2327,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns return -ENOMEM; /* Stack limit test */ 
@@ -82874,7 +82881,7 @@ index 0dceed8..e7cfc40 100644 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; -@@ -2027,6 +2302,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2027,6 +2338,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns locked = mm->locked_vm + grow; limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur); limit >>= PAGE_SHIFT; @@ -82882,7 +82889,7 @@ index 0dceed8..e7cfc40 100644 if (locked > limit && !capable(CAP_IPC_LOCK)) return -ENOMEM; } -@@ -2056,37 +2332,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns +@@ -2056,37 +2368,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns * PA-RISC uses this for its stack; IA64 for its Register Backing Store. * vma is the last one with address > vma->vm_end. Have to extend vma. */ @@ -82940,7 +82947,7 @@ index 0dceed8..e7cfc40 100644 unsigned long size, grow; size = address - vma->vm_start; -@@ -2121,6 +2408,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) +@@ -2121,6 +2444,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) } } } @@ -82949,7 +82956,7 @@ index 0dceed8..e7cfc40 100644 vma_unlock_anon_vma(vma); khugepaged_enter_vma_merge(vma); validate_mm(vma->vm_mm); -@@ -2135,6 +2424,8 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2135,6 +2460,8 @@ int expand_downwards(struct vm_area_struct *vma, unsigned long address) { int error; @@ -82958,7 +82965,7 @@ index 0dceed8..e7cfc40 100644 /* * We must make sure the anon_vma is allocated -@@ -2148,6 +2439,15 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2148,6 +2475,15 @@ int expand_downwards(struct vm_area_struct *vma, if (error) return error; 
@@ -82974,7 +82981,7 @@ index 0dceed8..e7cfc40 100644 vma_lock_anon_vma(vma); /* -@@ -2157,9 +2457,17 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2157,9 +2493,17 @@ int expand_downwards(struct vm_area_struct *vma, */ /* Somebody else might have raced and expanded it already */ @@ -82993,7 +83000,7 @@ index 0dceed8..e7cfc40 100644 size = vma->vm_end - address; grow = (vma->vm_start - address) >> PAGE_SHIFT; -@@ -2184,13 +2492,27 @@ int expand_downwards(struct vm_area_struct *vma, +@@ -2184,13 +2528,27 @@ int expand_downwards(struct vm_area_struct *vma, vma->vm_pgoff -= grow; anon_vma_interval_tree_post_update_vma(vma); vma_gap_update(vma); @@ -83021,7 +83028,7 @@ index 0dceed8..e7cfc40 100644 khugepaged_enter_vma_merge(vma); validate_mm(vma->vm_mm); return error; -@@ -2288,6 +2610,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2288,6 +2646,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma) do { long nrpages = vma_pages(vma); @@ -83035,7 +83042,7 @@ index 0dceed8..e7cfc40 100644 if (vma->vm_flags & VM_ACCOUNT) nr_accounted += nrpages; vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages); -@@ -2333,6 +2662,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2333,6 +2698,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, insertion_point = (prev ? &prev->vm_next : &mm->mmap); vma->vm_prev = NULL; do { @@ -83052,7 +83059,7 @@ index 0dceed8..e7cfc40 100644 vma_rb_erase(vma, &mm->mm_rb); mm->map_count--; tail_vma = vma; -@@ -2364,14 +2703,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2364,14 +2739,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, struct vm_area_struct *new; int err = -ENOMEM; 
@@ -83086,7 +83093,7 @@ index 0dceed8..e7cfc40 100644 /* most fields are the same, copy all, and then fixup */ *new = *vma; -@@ -2384,6 +2742,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2384,6 +2778,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } @@ -83109,7 +83116,7 @@ index 0dceed8..e7cfc40 100644 pol = mpol_dup(vma_policy(vma)); if (IS_ERR(pol)) { err = PTR_ERR(pol); -@@ -2406,6 +2780,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2406,6 +2816,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, else err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new); @@ -83146,7 +83153,7 @@ index 0dceed8..e7cfc40 100644 /* Success. */ if (!err) return 0; -@@ -2415,10 +2819,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2415,10 +2855,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, new->vm_ops->close(new); if (new->vm_file) fput(new->vm_file); @@ -83166,7 +83173,7 @@ index 0dceed8..e7cfc40 100644 kmem_cache_free(vm_area_cachep, new); out_err: return err; -@@ -2431,6 +2843,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, +@@ -2431,6 +2879,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma, int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, int new_below) { @@ -83182,7 +83189,7 @@ index 0dceed8..e7cfc40 100644 if (mm->map_count >= sysctl_max_map_count) return -ENOMEM; -@@ -2442,11 +2863,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -2442,11 +2899,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, * work. This now handles partial unmappings. * Jeremy Fitzhardinge <jeremy@goop.org> */ 
@@ -83213,7 +83220,7 @@ index 0dceed8..e7cfc40 100644 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start) return -EINVAL; -@@ -2521,6 +2961,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) +@@ -2521,6 +2997,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) /* Fix up all other VM information */ remove_vma_list(mm, vma); @@ -83222,7 +83229,7 @@ index 0dceed8..e7cfc40 100644 return 0; } -@@ -2529,6 +2971,13 @@ int vm_munmap(unsigned long start, size_t len) +@@ -2529,6 +3007,13 @@ int vm_munmap(unsigned long start, size_t len) int ret; struct mm_struct *mm = current->mm; @@ -83236,7 +83243,7 @@ index 0dceed8..e7cfc40 100644 down_write(&mm->mmap_sem); ret = do_munmap(mm, start, len); up_write(&mm->mmap_sem); -@@ -2542,16 +2991,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) +@@ -2542,16 +3027,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len) return vm_munmap(addr, len); } @@ -83253,7 +83260,7 @@ index 0dceed8..e7cfc40 100644 /* * this is really a simplified "do_mmap". it only handles * anonymous maps. eventually we may be able to do some -@@ -2565,6 +3004,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2565,6 +3040,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) struct rb_node ** rb_link, * rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; @@ -83261,7 +83268,7 @@ index 0dceed8..e7cfc40 100644 len = PAGE_ALIGN(len); if (!len) -@@ -2572,16 +3012,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2572,16 +3048,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; 
@@ -83293,7 +83300,7 @@ index 0dceed8..e7cfc40 100644 locked += mm->locked_vm; lock_limit = rlimit(RLIMIT_MEMLOCK); lock_limit >>= PAGE_SHIFT; -@@ -2598,21 +3052,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2598,21 +3088,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) /* * Clear old maps. this also does some error checking for us */ @@ -83318,7 +83325,7 @@ index 0dceed8..e7cfc40 100644 return -ENOMEM; /* Can we just expand an old private anonymous mapping? */ -@@ -2626,7 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2626,7 +3115,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) */ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL); if (!vma) { @@ -83327,7 +83334,7 @@ index 0dceed8..e7cfc40 100644 return -ENOMEM; } -@@ -2640,9 +3093,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) +@@ -2640,9 +3129,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len) vma_link(mm, vma, prev, rb_link, rb_parent); out: perf_event_mmap(vma); @@ -83340,7 +83347,7 @@ index 0dceed8..e7cfc40 100644 return addr; } -@@ -2704,6 +3158,7 @@ void exit_mmap(struct mm_struct *mm) +@@ -2704,6 +3194,7 @@ void exit_mmap(struct mm_struct *mm) while (vma) { if (vma->vm_flags & VM_ACCOUNT) nr_accounted += vma_pages(vma); @@ -83348,7 +83355,7 @@ index 0dceed8..e7cfc40 100644 vma = remove_vma(vma); } vm_unacct_memory(nr_accounted); -@@ -2720,6 +3175,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2720,6 +3211,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) struct vm_area_struct *prev; struct rb_node **rb_link, *rb_parent; 
@@ -83362,7 +83369,7 @@ index 0dceed8..e7cfc40 100644 /* * The vm_pgoff of a purely anonymous vma should be irrelevant * until its first write fault, when page's anon_vma and index -@@ -2743,7 +3205,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) +@@ -2743,7 +3241,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) security_vm_enough_memory_mm(mm, vma_pages(vma))) return -ENOMEM; @@ -83384,7 +83391,7 @@ index 0dceed8..e7cfc40 100644 return 0; } -@@ -2763,6 +3239,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2763,6 +3275,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, struct mempolicy *pol; bool faulted_in_anon_vma = true; @@ -83393,7 +83400,7 @@ index 0dceed8..e7cfc40 100644 /* * If anonymous vma has not yet been faulted, update new pgoff * to match new location, to increase its chance of merging. -@@ -2829,6 +3307,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, +@@ -2829,6 +3343,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, return NULL; } @@ -83433,7 +83440,7 @@ index 0dceed8..e7cfc40 100644 /* * Return true if the calling process may expand its vm space by the passed * number of pages -@@ -2840,6 +3351,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) +@@ -2840,6 +3387,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages) lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT; @@ -83441,7 +83448,7 @@ index 0dceed8..e7cfc40 100644 if (cur + npages > lim) return 0; return 1; -@@ -2910,6 +3422,22 @@ int install_special_mapping(struct mm_struct *mm, +@@ -2910,6 +3458,22 @@ int install_special_mapping(struct mm_struct *mm, vma->vm_start = addr; vma->vm_end = addr + len; @@ -88697,10 +88704,26 @@ index 4fe76ff..426a904 100644 }; diff --git a/net/key/af_key.c b/net/key/af_key.c -index 5b1e5af..2358147 100644 +index 5b1e5af..1b929e7 100644 --- a/net/key/af_key.c 
+++ b/net/key/af_key.c -@@ -3041,10 +3041,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc +@@ -1710,6 +1710,7 @@ static int key_notify_sa_flush(const struct km_event *c) + hdr->sadb_msg_version = PF_KEY_V2; + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + + pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + +@@ -2695,6 +2696,7 @@ static int key_notify_policy_flush(const struct km_event *c) + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + return 0; + +@@ -3041,10 +3043,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc static u32 get_acqseq(void) { u32 res; |