
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.54/, 3.13.1/, 3.13.2/
Date: Sat, 08 Feb 2014 17:38:12
Message-Id: 1391881111.f31dc62ba3b58489d68b09632c7f5c9272bf9d78.blueness@gentoo
1 commit: f31dc62ba3b58489d68b09632c7f5c9272bf9d78
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Sat Feb 8 17:38:31 2014 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 8 17:38:31 2014 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=f31dc62b
7
8 Grsec/PaX: 3.0-{3.2.54,3.13.2}-201402062224
9
10 ---
11 {3.13.1 => 3.13.2}/0000_README | 2 +-
12 .../4420_grsecurity-3.0-3.13.2-201402062224.patch | 382 +++++++++++++--------
13 {3.13.1 => 3.13.2}/4425_grsec_remove_EI_PAX.patch | 2 +-
14 .../4427_force_XATTR_PAX_tmpfs.patch | 0
15 .../4430_grsec-remove-localversion-grsec.patch | 0
16 {3.13.1 => 3.13.2}/4435_grsec-mute-warnings.patch | 0
17 .../4440_grsec-remove-protected-paths.patch | 7 +-
18 .../4450_grsec-kconfig-default-gids.patch | 20 +-
19 .../4465_selinux-avc_audit-log-curr_ip.patch | 2 +-
20 {3.13.1 => 3.13.2}/4470_disable-compat_vdso.patch | 0
21 {3.13.1 => 3.13.2}/4475_emutramp_default_on.patch | 2 +-
22 3.2.54/0000_README | 2 +-
23 ... 4420_grsecurity-3.0-3.2.54-201402062221.patch} | 41 ++-
24 3.2.54/4425_grsec_remove_EI_PAX.patch | 2 +-
25 3.2.54/4440_grsec-remove-protected-paths.patch | 7 +-
26 3.2.54/4450_grsec-kconfig-default-gids.patch | 8 +-
27 3.2.54/4475_emutramp_default_on.patch | 2 +-
28 17 files changed, 313 insertions(+), 166 deletions(-)
29
30 diff --git a/3.13.1/0000_README b/3.13.2/0000_README
31 similarity index 96%
32 rename from 3.13.1/0000_README
33 rename to 3.13.2/0000_README
34 index 6b35ea7..850ef1e 100644
35 --- a/3.13.1/0000_README
36 +++ b/3.13.2/0000_README
37 @@ -2,7 +2,7 @@ README
38 -----------------------------------------------------------------------------
39 Individual Patch Descriptions:
40 -----------------------------------------------------------------------------
41 -Patch: 4420_grsecurity-3.0-3.13.1-201402052349.patch
42 +Patch: 4420_grsecurity-3.0-3.13.2-201402062224.patch
43 From: http://www.grsecurity.net
44 Desc: hardened-sources base patch from upstream grsecurity
45
46
47 diff --git a/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch b/3.13.2/4420_grsecurity-3.0-3.13.2-201402062224.patch
48 similarity index 99%
49 rename from 3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch
50 rename to 3.13.2/4420_grsecurity-3.0-3.13.2-201402062224.patch
51 index ee1465f..824a474 100644
52 --- a/3.13.1/4420_grsecurity-3.0-3.13.1-201402052349.patch
53 +++ b/3.13.2/4420_grsecurity-3.0-3.13.2-201402062224.patch
54 @@ -287,7 +287,7 @@ index b9e9bd8..bf49b92 100644
55
56 pcd. [PARIDE]
57 diff --git a/Makefile b/Makefile
58 -index de4cda9..e5ec62c 100644
59 +index a7fd5d9..84ed0df 100644
60 --- a/Makefile
61 +++ b/Makefile
62 @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
63 @@ -302,7 +302,23 @@ index de4cda9..e5ec62c 100644
64
65 # Decide whether to build built-in, modular, or both.
66 # Normally, just do built-in.
67 -@@ -417,8 +418,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \
68 +@@ -311,9 +312,15 @@ endif
69 + # If the user is running make -s (silent mode), suppress echoing of
70 + # commands
71 +
72 ++ifneq ($(filter 4.%,$(MAKE_VERSION)),) # make-4
73 ++ifneq ($(filter %s ,$(firstword x$(MAKEFLAGS))),)
74 ++ quiet=silent_
75 ++endif
76 ++else # make-3.8x
77 + ifneq ($(filter s% -s%,$(MAKEFLAGS)),)
78 + quiet=silent_
79 + endif
80 ++endif
81 +
82 + export quiet Q KBUILD_VERBOSE
83 +
84 +@@ -417,8 +424,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \
85 # Rules shared between *config targets and build targets
86
87 # Basic helpers built in scripts/
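Review bot: The added `ifneq ($(filter 4.%,$(MAKE_VERSION)),)` test matches only GNU make 4.x, so any other major version silently takes the `else` branch and its `s% -s%` pattern, which is the matching the new branch was added to replace. The two branches also carry no explanation of why they differ. A comment above the block would make the intent checkable, for example `# make 4 groups the single-letter flags in the first word of MAKEFLAGS; older versions are matched with s% / -s%`. The surrounding conditional structure of the Makefile lies outside this hunk.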
88 @@ -313,7 +329,7 @@ index de4cda9..e5ec62c 100644
89 $(Q)$(MAKE) $(build)=scripts/basic
90 $(Q)rm -f .tmp_quiet_recordmcount
91
92 -@@ -579,6 +580,76 @@ else
93 +@@ -579,6 +586,74 @@ else
94 KBUILD_CFLAGS += -O2
95 endif
96
97 @@ -340,10 +356,8 @@ index de4cda9..e5ec62c 100644
98 +KERNEXEC_PLUGIN_AFLAGS := -DKERNEXEC_PLUGIN
99 +endif
100 +ifdef CONFIG_GRKERNSEC_RANDSTRUCT
101 -+GRKERNSEC_RANDSTRUCT_SEED := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gen-random-seed.sh)
102 +RANDSTRUCT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/randomize_layout_plugin.so -DRANDSTRUCT_PLUGIN
103 -+RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-seed=$(GRKERNSEC_RANDSTRUCT_SEED)
104 -+RANDSTRUCT_HASHED_SEED := $(shell cat "$(srctree)/tools/gcc/randstruct.hashed_seed")
105 ++RANDSTRUCT_HASHED_SEED := $(shell cat "$(objtree)/tools/gcc/randomize_layout_hash.data")
106 +RANDSTRUCT_PLUGIN_CFLAGS += -DRANDSTRUCT_HASHED_SEED="\"$(RANDSTRUCT_HASHED_SEED)\""
107 +ifdef CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE
108 +RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-performance-mode
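Review bot: The new `RANDSTRUCT_HASHED_SEED := $(shell cat "$(objtree)/tools/gcc/randomize_layout_hash.data")` runs when the Makefile is parsed, so if that file does not exist yet the variable is empty and the next line passes `-DRANDSTRUCT_HASHED_SEED="\"\""` with nothing but a stray `cat` error on stderr. The rule that generates the file is not visible in this hunk, so whether it always exists at parse time needs confirming. At minimum, a comment should name the producer and the empty case, for example `# randomize_layout_hash.data is written by <generating rule>; empty until that has run`. A `$(warning ...)` when the value is empty under CONFIG_GRKERNSEC_RANDSTRUCT would make a build without a hashed seed noticeable. The enclosing `ifdef CONFIG_GRKERNSEC_RANDSTRUCT` block continues past the end of the hunk.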
109 @@ -390,7 +404,16 @@ index de4cda9..e5ec62c 100644
110 include $(srctree)/arch/$(SRCARCH)/Makefile
111
112 ifdef CONFIG_READABLE_ASM
113 -@@ -754,7 +825,7 @@ export mod_sign_cmd
114 +@@ -619,7 +694,7 @@ endif
115 +
116 + ifdef CONFIG_DEBUG_INFO
117 + KBUILD_CFLAGS += -g
118 +-KBUILD_AFLAGS += -gdwarf-2
119 ++KBUILD_AFLAGS += -Wa,--gdwarf-2
120 + endif
121 +
122 + ifdef CONFIG_DEBUG_INFO_REDUCED
123 +@@ -754,7 +829,7 @@ export mod_sign_cmd
124
125
126 ifeq ($(KBUILD_EXTMOD),)
127 @@ -399,7 +422,7 @@ index de4cda9..e5ec62c 100644
128
129 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
130 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
131 -@@ -803,6 +874,8 @@ endif
132 +@@ -803,6 +878,8 @@ endif
133
134 # The actual objects are generated when descending,
135 # make sure no implicit rule kicks in
136 @@ -408,7 +431,7 @@ index de4cda9..e5ec62c 100644
137 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
138
139 # Handle descending into subdirectories listed in $(vmlinux-dirs)
140 -@@ -812,7 +885,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
141 +@@ -812,7 +889,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
142 # Error messages still appears in the original language
143
144 PHONY += $(vmlinux-dirs)
145 @@ -417,7 +440,7 @@ index de4cda9..e5ec62c 100644
146 $(Q)$(MAKE) $(build)=$@
147
148 define filechk_kernel.release
149 -@@ -855,10 +928,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
150 +@@ -855,10 +932,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
151
152 archprepare: archheaders archscripts prepare1 scripts_basic
153
154 @@ -431,7 +454,7 @@ index de4cda9..e5ec62c 100644
155 prepare: prepare0
156
157 # Generate some files
158 -@@ -966,6 +1042,8 @@ all: modules
159 +@@ -966,6 +1046,8 @@ all: modules
160 # using awk while concatenating to the final file.
161
162 PHONY += modules
163 @@ -440,7 +463,7 @@ index de4cda9..e5ec62c 100644
164 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
165 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
166 @$(kecho) ' Building modules, stage 2.';
167 -@@ -981,7 +1059,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
168 +@@ -981,7 +1063,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
169
170 # Target to prepare building external modules
171 PHONY += modules_prepare
172 @@ -449,17 +472,17 @@ index de4cda9..e5ec62c 100644
173
174 # Target to install modules
175 PHONY += modules_install
176 -@@ -1047,7 +1125,8 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
177 +@@ -1047,7 +1129,8 @@ MRPROPER_FILES += .config .config.old .version .old_version $(version_h) \
178 Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
179 signing_key.priv signing_key.x509 x509.genkey \
180 extra_certificates signing_key.x509.keyid \
181 - signing_key.x509.signer
182 + signing_key.x509.signer tools/gcc/size_overflow_hash.h \
183 -+ tools/gcc/randstruct.seed tools/gcc/randstruct.hashed_seed
184 ++ tools/gcc/randomize_layout_seed.h tools/gcc/randomize_layout_hash.data
185
186 # clean - Delete most, but leave enough to build external modules
187 #
188 -@@ -1087,6 +1166,7 @@ distclean: mrproper
189 +@@ -1087,6 +1170,7 @@ distclean: mrproper
190 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
191 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
192 -o -name '.*.rej' \
193 @@ -467,7 +490,7 @@ index de4cda9..e5ec62c 100644
194 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
195 -type f -print | xargs rm -f
196
197 -@@ -1248,6 +1328,8 @@ PHONY += $(module-dirs) modules
198 +@@ -1248,6 +1332,8 @@ PHONY += $(module-dirs) modules
199 $(module-dirs): crmodverdir $(objtree)/Module.symvers
200 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
201
202 @@ -476,7 +499,7 @@ index de4cda9..e5ec62c 100644
203 modules: $(module-dirs)
204 @$(kecho) ' Building modules, stage 2.';
205 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
206 -@@ -1387,17 +1469,21 @@ else
207 +@@ -1387,17 +1473,21 @@ else
208 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
209 endif
210
211 @@ -502,7 +525,7 @@ index de4cda9..e5ec62c 100644
212 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
213 %.symtypes: %.c prepare scripts FORCE
214 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
215 -@@ -1407,11 +1493,15 @@ endif
216 +@@ -1407,11 +1497,15 @@ endif
217 $(cmd_crmodverdir)
218 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
219 $(build)=$(build-dir)
220 @@ -3596,6 +3619,29 @@ index 8a1b5e0..5f30074 100644
221
222 /* omap_hwmod_list contains all registered struct omap_hwmods */
223 static LIST_HEAD(omap_hwmod_list);
224 +diff --git a/arch/arm/mach-omap2/powerdomains43xx_data.c b/arch/arm/mach-omap2/powerdomains43xx_data.c
225 +index 95fee54..cfa9cf1 100644
226 +--- a/arch/arm/mach-omap2/powerdomains43xx_data.c
227 ++++ b/arch/arm/mach-omap2/powerdomains43xx_data.c
228 +@@ -10,6 +10,7 @@
229 +
230 + #include <linux/kernel.h>
231 + #include <linux/init.h>
232 ++#include <asm/pgtable.h>
233 +
234 + #include "powerdomain.h"
235 +
236 +@@ -129,7 +130,9 @@ static int am43xx_check_vcvp(void)
237 +
238 + void __init am43xx_powerdomains_init(void)
239 + {
240 +- omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;
241 ++ pax_open_kernel();
242 ++ *(void **)&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;
243 ++ pax_close_kernel();
244 + pwrdm_register_platform_funcs(&omap4_pwrdm_operations);
245 + pwrdm_register_pwrdms(powerdomains_am43xx);
246 + pwrdm_complete_init();
247 diff --git a/arch/arm/mach-omap2/wd_timer.c b/arch/arm/mach-omap2/wd_timer.c
248 index d15c7bb..b2d1f0c 100644
249 --- a/arch/arm/mach-omap2/wd_timer.c
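Review bot: The store `*(void **)&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;` casts away the member's function-pointer type, so the compiler no longer checks the assigned function against the expected signature, and nothing explains why the write needs the pax_open_kernel()/pax_close_kernel() bracket. A one-line comment would document the intent and keep the window minimal, for example `/* ops table is read-only at runtime (presumably constified); open a write window for this single store */`. The same undocumented pattern is added in the sunxi_sid_probe and sdhci_esdhc_imx_probe hunks further down. Those run from probe paths rather than an `__init` function, so the write window may be opened on each device bind. The comment there should state that only the one assignment may sit between open and close.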
250 @@ -18643,7 +18689,7 @@ index 3ba3de4..6c113b2 100644
251 #endif
252 #endif /* _ASM_X86_THREAD_INFO_H */
253 diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
254 -index e6d90ba..0897f44 100644
255 +index e6d90ba..f81f114 100644
256 --- a/arch/x86/include/asm/tlbflush.h
257 +++ b/arch/x86/include/asm/tlbflush.h
258 @@ -17,18 +17,44 @@
259 @@ -18697,11 +18743,10 @@ index e6d90ba..0897f44 100644
260 }
261
262 static inline void __native_flush_tlb_global(void)
263 -@@ -49,6 +75,42 @@ static inline void __native_flush_tlb_global(void)
264 +@@ -49,6 +75,41 @@ static inline void __native_flush_tlb_global(void)
265
266 static inline void __native_flush_tlb_single(unsigned long addr)
267 {
268 -+
269 + if (static_cpu_has(X86_FEATURE_INVPCID)) {
270 + u64 descriptor[2];
271 +
272 @@ -20255,10 +20300,10 @@ index 47b56a7..efc2bc6 100644
273 obj-y += proc.o capflags.o powerflags.o common.o
274 obj-y += rdrand.o
275 diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
276 -index bca023b..c544908 100644
277 +index 59bfebc..d8f27bd 100644
278 --- a/arch/x86/kernel/cpu/amd.c
279 +++ b/arch/x86/kernel/cpu/amd.c
280 -@@ -743,7 +743,7 @@ static void init_amd(struct cpuinfo_x86 *c)
281 +@@ -753,7 +753,7 @@ static void init_amd(struct cpuinfo_x86 *c)
282 static unsigned int amd_size_cache(struct cpuinfo_x86 *c, unsigned int size)
283 {
284 /* AMD errata T13 (order #21922) */
285 @@ -27510,7 +27555,7 @@ index c697625..a032162 100644
286
287 out:
288 diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
289 -index 775702f..737d4a9 100644
290 +index d86ff15..e77b023 100644
291 --- a/arch/x86/kvm/lapic.c
292 +++ b/arch/x86/kvm/lapic.c
293 @@ -55,7 +55,7 @@
294 @@ -27723,10 +27768,10 @@ index da7837e..86c6ebf 100644
295
296 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
297 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
298 -index 5d004da..0802480 100644
299 +index d89d51b..f3c612a 100644
300 --- a/arch/x86/kvm/x86.c
301 +++ b/arch/x86/kvm/x86.c
302 -@@ -1788,8 +1788,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
303 +@@ -1791,8 +1791,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
304 {
305 struct kvm *kvm = vcpu->kvm;
306 int lm = is_long_mode(vcpu);
307 @@ -27737,7 +27782,7 @@ index 5d004da..0802480 100644
308 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
309 : kvm->arch.xen_hvm_config.blob_size_32;
310 u32 page_num = data & ~PAGE_MASK;
311 -@@ -2673,6 +2673,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
312 +@@ -2676,6 +2676,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
313 if (n < msr_list.nmsrs)
314 goto out;
315 r = -EFAULT;
316 @@ -27746,7 +27791,7 @@ index 5d004da..0802480 100644
317 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
318 num_msrs_to_save * sizeof(u32)))
319 goto out;
320 -@@ -5482,7 +5484,7 @@ static struct notifier_block pvclock_gtod_notifier = {
321 +@@ -5485,7 +5487,7 @@ static struct notifier_block pvclock_gtod_notifier = {
322 };
323 #endif
324
325 @@ -35509,7 +35554,7 @@ index c482f8c..c832240 100644
326 unsigned long timeout_msec)
327 {
328 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
329 -index 1393a58..3bf8cbe 100644
330 +index 1a3dbd1..dfc6e5c 100644
331 --- a/drivers/ata/libata-core.c
332 +++ b/drivers/ata/libata-core.c
333 @@ -98,7 +98,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev);
334 @@ -35521,7 +35566,7 @@ index 1393a58..3bf8cbe 100644
335
336 struct ata_force_param {
337 const char *name;
338 -@@ -4823,7 +4823,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
339 +@@ -4850,7 +4850,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
340 struct ata_port *ap;
341 unsigned int tag;
342
343 @@ -35530,7 +35575,7 @@ index 1393a58..3bf8cbe 100644
344 ap = qc->ap;
345
346 qc->flags = 0;
347 -@@ -4839,7 +4839,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
348 +@@ -4866,7 +4866,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
349 struct ata_port *ap;
350 struct ata_link *link;
351
352 @@ -35539,7 +35584,7 @@ index 1393a58..3bf8cbe 100644
353 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
354 ap = qc->ap;
355 link = qc->dev->link;
356 -@@ -5958,6 +5958,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
357 +@@ -5985,6 +5985,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
358 return;
359
360 spin_lock(&lock);
361 @@ -35547,7 +35592,7 @@ index 1393a58..3bf8cbe 100644
362
363 for (cur = ops->inherits; cur; cur = cur->inherits) {
364 void **inherit = (void **)cur;
365 -@@ -5971,8 +5972,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
366 +@@ -5998,8 +5999,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
367 if (IS_ERR(*pp))
368 *pp = NULL;
369
370 @@ -35558,7 +35603,7 @@ index 1393a58..3bf8cbe 100644
371 spin_unlock(&lock);
372 }
373
374 -@@ -6165,7 +6167,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
375 +@@ -6192,7 +6194,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
376
377 /* give ports names and add SCSI hosts */
378 for (i = 0; i < host->n_ports; i++) {
379 @@ -35568,10 +35613,10 @@ index 1393a58..3bf8cbe 100644
380 }
381
382 diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
383 -index 377eb88..8591b44 100644
384 +index ef8567d..8bdbd03 100644
385 --- a/drivers/ata/libata-scsi.c
386 +++ b/drivers/ata/libata-scsi.c
387 -@@ -4135,7 +4135,7 @@ int ata_sas_port_init(struct ata_port *ap)
388 +@@ -4147,7 +4147,7 @@ int ata_sas_port_init(struct ata_port *ap)
389
390 if (rc)
391 return rc;
392 @@ -39035,6 +39080,27 @@ index 9902732..64b62dd 100644
393
394 return -EINVAL;
395 }
396 +diff --git a/drivers/gpu/drm/armada/armada_drv.c b/drivers/gpu/drm/armada/armada_drv.c
397 +index 62d0ff3..073dbf3 100644
398 +--- a/drivers/gpu/drm/armada/armada_drv.c
399 ++++ b/drivers/gpu/drm/armada/armada_drv.c
400 +@@ -68,15 +68,7 @@ void __armada_drm_queue_unref_work(struct drm_device *dev,
401 + {
402 + struct armada_private *priv = dev->dev_private;
403 +
404 +- /*
405 +- * Yes, we really must jump through these hoops just to store a
406 +- * _pointer_ to something into the kfifo. This is utterly insane
407 +- * and idiotic, because it kfifo requires the _data_ pointed to by
408 +- * the pointer const, not the pointer itself. Not only that, but
409 +- * you have to pass a pointer _to_ the pointer you want stored.
410 +- */
411 +- const struct drm_framebuffer *silly_api_alert = fb;
412 +- WARN_ON(!kfifo_put(&priv->fb_unref, &silly_api_alert));
413 ++ WARN_ON(!kfifo_put(&priv->fb_unref, fb));
414 + schedule_work(&priv->fb_unref_work);
415 + }
416 +
417 diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
418 index d6cf77c..2842146 100644
419 --- a/drivers/gpu/drm/drm_crtc.c
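Review bot: `kfifo_put(&priv->fb_unref, fb)` now passes the framebuffer pointer itself where the removed code passed the address of a pointer variable, which is only correct if kfifo_put() in this tree takes the element by value. The kfifo definition is not visible in this hunk, so check it against the kfifo.h this patch set builds with. With a by-reference kfifo_put() the fifo would copy bytes out of the drm_framebuffer object instead of storing the pointer. Since the explanatory comment is removed, a short replacement such as `/* kfifo_put() takes the element by value here */` would record the assumption.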
420 @@ -40354,6 +40420,19 @@ index ae1cb31..5b5b6b7c 100644
421
422 err = drm_debugfs_create_files(dc->debugfs_files,
423 ARRAY_SIZE(debugfs_files),
424 +diff --git a/drivers/gpu/drm/tegra/hdmi.c b/drivers/gpu/drm/tegra/hdmi.c
425 +index 0cd9bc2..9759be4 100644
426 +--- a/drivers/gpu/drm/tegra/hdmi.c
427 ++++ b/drivers/gpu/drm/tegra/hdmi.c
428 +@@ -57,7 +57,7 @@ struct tegra_hdmi {
429 + bool stereo;
430 + bool dvi;
431 +
432 +- struct drm_info_list *debugfs_files;
433 ++ drm_info_list_no_const *debugfs_files;
434 + struct drm_minor *minor;
435 + struct dentry *debugfs;
436 + };
437 diff --git a/drivers/gpu/drm/ttm/ttm_bo_manager.c b/drivers/gpu/drm/ttm/ttm_bo_manager.c
438 index c58eba33..83c2728 100644
439 --- a/drivers/gpu/drm/ttm/ttm_bo_manager.c
440 @@ -44379,6 +44458,21 @@ index 464419b..64bae8d 100644
441
442 c2dev->dev = device_create(c2port_class, NULL, 0, c2dev,
443 "c2port%d", c2dev->id);
444 +diff --git a/drivers/misc/eeprom/sunxi_sid.c b/drivers/misc/eeprom/sunxi_sid.c
445 +index 9c34e57..b981cda 100644
446 +--- a/drivers/misc/eeprom/sunxi_sid.c
447 ++++ b/drivers/misc/eeprom/sunxi_sid.c
448 +@@ -127,7 +127,9 @@ static int sunxi_sid_probe(struct platform_device *pdev)
449 +
450 + platform_set_drvdata(pdev, sid_data);
451 +
452 +- sid_bin_attr.size = sid_data->keysize;
453 ++ pax_open_kernel();
454 ++ *(size_t *)&sid_bin_attr.size = sid_data->keysize;
455 ++ pax_close_kernel();
456 + if (device_create_bin_file(&pdev->dev, &sid_bin_attr))
457 + return -ENODEV;
458 +
459 diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
460 index 36f5d52..32311c3 100644
461 --- a/drivers/misc/kgdbts.c
462 @@ -44809,6 +44903,25 @@ index f320579..7b7ebac 100644
463 mmci_write_datactrlreg(host, MCI_ST_DPSM_BUSYMODE);
464 }
465
466 +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
467 +index 1dcaf8a..025af25 100644
468 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c
469 ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
470 +@@ -1009,9 +1009,12 @@ static int sdhci_esdhc_imx_probe(struct platform_device *pdev)
471 + host->quirks2 |= SDHCI_QUIRK2_PRESET_VALUE_BROKEN;
472 + }
473 +
474 +- if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING)
475 +- sdhci_esdhc_ops.platform_execute_tuning =
476 ++ if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) {
477 ++ pax_open_kernel();
478 ++ *(void **)&sdhci_esdhc_ops.platform_execute_tuning =
479 + esdhc_executing_tuning;
480 ++ pax_close_kernel();
481 ++ }
482 + boarddata = &imx_data->boarddata;
483 + if (sdhci_esdhc_imx_probe_dt(pdev, boarddata) < 0) {
484 + if (!host->mmc->parent->platform_data) {
485 diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c
486 index 6debda9..2ba7427 100644
487 --- a/drivers/mmc/host/sdhci-s3c.c
488 @@ -45549,10 +45662,10 @@ index a79e9d3..78cd4fa 100644
489
490 /* we will have to manufacture ethernet headers, prepare template */
491 diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
492 -index ed384fe..9e3f4f4 100644
493 +index 0247973..088193a 100644
494 --- a/drivers/net/vxlan.c
495 +++ b/drivers/net/vxlan.c
496 -@@ -2617,7 +2617,7 @@ nla_put_failure:
497 +@@ -2615,7 +2615,7 @@ nla_put_failure:
498 return -EMSGSIZE;
499 }
500
501 @@ -46226,10 +46339,10 @@ index 7aad766..06addb4 100644
502 data->sku_cap_band_24GHz_enable ? "" : "NOT", "enabled",
503 data->sku_cap_band_52GHz_enable ? "" : "NOT", "enabled",
504 diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
505 -index cde9c16..e485cfe 100644
506 +index f53ef83..5e34bcb 100644
507 --- a/drivers/net/wireless/iwlwifi/pcie/trans.c
508 +++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
509 -@@ -1368,7 +1368,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
510 +@@ -1390,7 +1390,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
511 struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
512
513 char buf[8];
514 @@ -46238,7 +46351,7 @@ index cde9c16..e485cfe 100644
515 u32 reset_flag;
516
517 memset(buf, 0, sizeof(buf));
518 -@@ -1389,7 +1389,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
519 +@@ -1411,7 +1411,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
520 {
521 struct iwl_trans *trans = file->private_data;
522 char buf[8];
523 @@ -48544,10 +48657,10 @@ index 084d1fd..9f939eb 100644
524 uint32_t default_time2wait; /* Default Min time between
525 * relogins (+aens) */
526 diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
527 -index a28d5e6..000a8af 100644
528 +index cf174a4..128a420 100644
529 --- a/drivers/scsi/qla4xxx/ql4_os.c
530 +++ b/drivers/scsi/qla4xxx/ql4_os.c
531 -@@ -3308,12 +3308,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess)
532 +@@ -3311,12 +3311,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess)
533 */
534 if (!iscsi_is_session_online(cls_sess)) {
535 /* Reset retry relogin timer */
536 @@ -48562,7 +48675,7 @@ index a28d5e6..000a8af 100644
537 ddb_entry->default_time2wait + 4));
538 set_bit(DPC_RELOGIN_DEVICE, &ha->dpc_flags);
539 atomic_set(&ddb_entry->retry_relogin_timer,
540 -@@ -5455,7 +5455,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha,
541 +@@ -5458,7 +5458,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha,
542
543 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
544 atomic_set(&ddb_entry->relogin_timer, 0);
545 @@ -50607,7 +50720,7 @@ index d0e3a44..5f8b754 100644
546 ret = -EPERM;
547 goto reterr;
548 diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
549 -index f7beb6e..8c0bbd0 100644
550 +index a673e5b..36e5d32 100644
551 --- a/drivers/uio/uio.c
552 +++ b/drivers/uio/uio.c
553 @@ -25,6 +25,7 @@
554 @@ -50886,7 +50999,7 @@ index 6bffb8c..b404e8b 100644
555 wake_up(&usb_kill_urb_queue);
556 usb_put_urb(urb);
557 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
558 -index bd9dc35..c04ae2f 100644
559 +index 07e6654..6420edf 100644
560 --- a/drivers/usb/core/hub.c
561 +++ b/drivers/usb/core/hub.c
562 @@ -27,6 +27,7 @@
563 @@ -50897,7 +51010,7 @@ index bd9dc35..c04ae2f 100644
564
565 #include <asm/uaccess.h>
566 #include <asm/byteorder.h>
567 -@@ -4463,6 +4464,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
568 +@@ -4442,6 +4443,10 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
569 goto done;
570 return;
571 }
572 @@ -56118,10 +56231,10 @@ index a4b38f9..f86a509 100644
573 spin_lock_init(&delayed_root->lock);
574 init_waitqueue_head(&delayed_root->wait);
575 diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
576 -index 21da576..3551e09 100644
577 +index 9f831bb..14afde5 100644
578 --- a/fs/btrfs/ioctl.c
579 +++ b/fs/btrfs/ioctl.c
580 -@@ -3451,9 +3451,12 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
581 +@@ -3457,9 +3457,12 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
582 for (i = 0; i < num_types; i++) {
583 struct btrfs_space_info *tmp;
584
585 @@ -56134,7 +56247,7 @@ index 21da576..3551e09 100644
586 info = NULL;
587 rcu_read_lock();
588 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
589 -@@ -3475,10 +3478,7 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
590 +@@ -3481,10 +3484,7 @@ static long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
591 memcpy(dest, &space, sizeof(space));
592 dest++;
593 space_args.total_spaces++;
594 @@ -57166,7 +57279,7 @@ index bc3fbcd..6031650 100644
595 return 0;
596 while (nr) {
597 diff --git a/fs/dcache.c b/fs/dcache.c
598 -index cb4a106..b75581f 100644
599 +index fdbe230..ba17c1f 100644
600 --- a/fs/dcache.c
601 +++ b/fs/dcache.c
602 @@ -1495,7 +1495,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
603 @@ -57178,7 +57291,7 @@ index cb4a106..b75581f 100644
604 if (!dname) {
605 kmem_cache_free(dentry_cache, dentry);
606 return NULL;
607 -@@ -3429,7 +3429,8 @@ void __init vfs_caches_init(unsigned long mempages)
608 +@@ -3428,7 +3428,8 @@ void __init vfs_caches_init(unsigned long mempages)
609 mempages -= reserve;
610
611 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
612 @@ -60150,7 +60263,7 @@ index 92a0f0a..45a48f0 100644
613
614 spin_lock(&inode->i_lock);
615 diff --git a/fs/mount.h b/fs/mount.h
616 -index d64c594..6c283db 100644
617 +index a17458c..e69fb5b 100644
618 --- a/fs/mount.h
619 +++ b/fs/mount.h
620 @@ -11,7 +11,7 @@ struct mnt_namespace {
621 @@ -64110,7 +64223,7 @@ index 104455b..764c512 100644
622 kfree(s);
623 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
624 new file mode 100644
625 -index 0000000..01d5523
626 +index 0000000..e98584b
627 --- /dev/null
628 +++ b/grsecurity/Kconfig
629 @@ -0,0 +1,1147 @@
630 @@ -64343,7 +64456,7 @@ index 0000000..01d5523
631 + Volatility against the system (unless the kernel source tree isn't
632 + cleaned after kernel installation).
633 +
634 -+ The seed used for compilation is located at tools/gcc/randstruct.seed.
635 ++ The seed used for compilation is located at tools/gcc/randomize_layout_seed.h.
636 + It remains after a make clean to allow for external modules to be compiled
637 + with the existing seed and will be removed by a make mrproper or
638 + make distclean.
639 @@ -65263,10 +65376,10 @@ index 0000000..01d5523
640 +endmenu
641 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
642 new file mode 100644
643 -index 0000000..8a0354c
644 +index 0000000..5307c8a
645 --- /dev/null
646 +++ b/grsecurity/Makefile
647 -@@ -0,0 +1,53 @@
648 +@@ -0,0 +1,54 @@
649 +# grsecurity – access control and security hardening for Linux
650 +# All code in this directory and various hooks located throughout the Linux kernel are
651 +# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
652 @@ -65318,6 +65431,7 @@ index 0000000..8a0354c
653 + @-chmod -f 500 /lib64/modules
654 + @-chmod -f 500 /lib32/modules
655 + @-chmod -f 700 .
656 ++ @-chmod -f 700 $(objtree)
657 + @echo ' grsec: protected kernel image paths'
658 +endif
659 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
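Review bot: The added `@-chmod -f 700 $(objtree)` suppresses every failure through the `-` prefix and `-f`, so the `echo ' grsec: protected kernel image paths'` that follows prints even when the object tree's permissions were not changed. `$(objtree)` is also unquoted, so a build directory containing spaces would be split into several operands. Suggest `@-chmod -f 700 "$(objtree)"`, with a comment on why errors are ignored for the paths that may legitimately be absent. The object tree itself should always exist, so that line could drop the `-` and let a failure be visible. The rule header and the start of the recipe are outside this hunk.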
660 @@ -75711,7 +75825,7 @@ index e73c19e..5b89e00 100644
661 struct crypto_instance {
662 struct crypto_alg alg;
663 diff --git a/include/drm/drmP.h b/include/drm/drmP.h
664 -index 1d4a920..53a3229 100644
665 +index 1d4a920..da65658 100644
666 --- a/include/drm/drmP.h
667 +++ b/include/drm/drmP.h
668 @@ -66,6 +66,7 @@
669 @@ -75750,16 +75864,17 @@ index 1d4a920..53a3229 100644
670
671 /**
672 * Creates a driver or general drm_ioctl_desc array entry for the given
673 -@@ -1013,7 +1016,7 @@ struct drm_info_list {
674 +@@ -1013,7 +1016,8 @@ struct drm_info_list {
675 int (*show)(struct seq_file*, void*); /** show callback */
676 u32 driver_features; /**< Required driver features for this entry */
677 void *data;
678 -};
679 +} __do_const;
680 ++typedef struct drm_info_list __no_const drm_info_list_no_const;
681
682 /**
683 * debugfs node structure. This structure represents a debugfs file.
684 -@@ -1097,7 +1100,7 @@ struct drm_device {
685 +@@ -1097,7 +1101,7 @@ struct drm_device {
686
687 /** \name Usage Counters */
688 /*@{ */
689 @@ -75807,6 +75922,18 @@ index 72dcbe8..8db58d7 100644
690
691 /**
692 * struct ttm_mem_global - Global memory accounting structure.
693 +diff --git a/include/drm/ttm/ttm_page_alloc.h b/include/drm/ttm/ttm_page_alloc.h
694 +index d1f61bf..2239439 100644
695 +--- a/include/drm/ttm/ttm_page_alloc.h
696 ++++ b/include/drm/ttm/ttm_page_alloc.h
697 +@@ -78,6 +78,7 @@ void ttm_dma_page_alloc_fini(void);
698 + */
699 + extern int ttm_dma_page_alloc_debugfs(struct seq_file *m, void *data);
700 +
701 ++struct device;
702 + extern int ttm_dma_populate(struct ttm_dma_tt *ttm_dma, struct device *dev);
703 + extern void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev);
704 +
705 diff --git a/include/keys/asymmetric-subtype.h b/include/keys/asymmetric-subtype.h
706 index 4b840e8..155d235 100644
707 --- a/include/keys/asymmetric-subtype.h
708 @@ -78620,10 +78747,10 @@ index 9523d2a..16c0424 100644
709
710 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
711 diff --git a/include/linux/libata.h b/include/linux/libata.h
712 -index 9b50337..712d748 100644
713 +index bec6dbe..2873d64 100644
714 --- a/include/linux/libata.h
715 +++ b/include/linux/libata.h
716 -@@ -973,7 +973,7 @@ struct ata_port_operations {
717 +@@ -975,7 +975,7 @@ struct ata_port_operations {
718 * fields must be pointers.
719 */
720 const struct ata_port_operations *inherits;
721 @@ -91285,7 +91412,7 @@ index 6768ce9..4c41d69 100644
722 mm = get_task_mm(tsk);
723 if (!mm)
724 diff --git a/mm/mempolicy.c b/mm/mempolicy.c
725 -index 0cd2c4d..9558c83 100644
726 +index e1bd997..055f496 100644
727 --- a/mm/mempolicy.c
728 +++ b/mm/mempolicy.c
729 @@ -747,6 +747,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
730 @@ -95513,7 +95640,7 @@ index 4a5df7b..9ad1f1d 100644
731
732 switch (ss->ss_family) {
733 diff --git a/net/compat.c b/net/compat.c
734 -index dd32e34..94fa415 100644
735 +index f50161f..94fa415 100644
736 --- a/net/compat.c
737 +++ b/net/compat.c
738 @@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
739 @@ -95643,31 +95770,7 @@ index dd32e34..94fa415 100644
740 struct group_filter __user *kgf;
741 int __user *koptlen;
742 u32 interface, fmode, numsrc;
743 -@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
744 - if (flags & MSG_CMSG_COMPAT)
745 - return -EINVAL;
746 -
747 -- if (COMPAT_USE_64BIT_TIME)
748 -- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
749 -- flags | MSG_CMSG_COMPAT,
750 -- (struct timespec *) timeout);
751 --
752 - if (timeout == NULL)
753 - return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
754 - flags | MSG_CMSG_COMPAT, NULL);
755 -
756 -- if (get_compat_timespec(&ktspec, timeout))
757 -+ if (compat_get_timespec(&ktspec, timeout))
758 - return -EFAULT;
759 -
760 - datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
761 - flags | MSG_CMSG_COMPAT, &ktspec);
762 -- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout))
763 -+ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout))
764 - datagrams = -EFAULT;
765 -
766 - return datagrams;
767 -@@ -808,7 +803,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
768 +@@ -803,7 +803,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
769
770 if (call < SYS_SOCKET || call > SYS_SENDMMSG)
771 return -EINVAL;
772 @@ -96481,7 +96584,7 @@ index a1b5bcb..62ec5c6 100644
773 #endif
774 if (dflt != &ipv4_devconf_dflt)
775 diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
776 -index d846304..d0622bb 100644
777 +index c7539e2..b455e51 100644
778 --- a/net/ipv4/fib_frontend.c
779 +++ b/net/ipv4/fib_frontend.c
780 @@ -1015,12 +1015,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
781 @@ -96499,7 +96602,7 @@ index d846304..d0622bb 100644
782 if (ifa->ifa_dev->ifa_list == NULL) {
783 /* Last address was deleted from this interface.
784 * Disable IP.
785 -@@ -1056,7 +1056,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
786 +@@ -1058,7 +1058,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
787 #ifdef CONFIG_IP_ROUTE_MULTIPATH
788 fib_sync_up(dev);
789 #endif
790 @@ -96631,7 +96734,7 @@ index 2481993..2d9a7a7 100644
791 return -ENOMEM;
792 }
793 diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
794 -index e560ef3..218c5c5 100644
795 +index d306360..1c1a1f1 100644
796 --- a/net/ipv4/ip_gre.c
797 +++ b/net/ipv4/ip_gre.c
798 @@ -115,7 +115,7 @@ static bool log_ecn_error = true;
799 @@ -101278,20 +101381,6 @@ index 0000000..5e0222d
800 + [[ "$plugincc" =~ "$1" ]] && echo "$1"
801 + [[ "$plugincc" =~ "$2" ]] && echo "$2"
802 +fi
803 -diff --git a/scripts/gen-random-seed.sh b/scripts/gen-random-seed.sh
804 -new file mode 100644
805 -index 0000000..27e0f4a
806 ---- /dev/null
807 -+++ b/scripts/gen-random-seed.sh
808 -@@ -0,0 +1,8 @@
809 -+#!/bin/sh
810 -+
811 -+if [ ! -f 'tools/gcc/randstruct.seed' ]; then
812 -+ SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
813 -+ echo "$SEED" > tools/gcc/randstruct.seed
814 -+ cat tools/gcc/randstruct.seed | sha256sum | cut -d" " -f1 | tr -d "\n" > tools/gcc/randstruct.hashed_seed
815 -+fi
816 -+cat tools/gcc/randstruct.seed
817 diff --git a/scripts/headers_install.sh b/scripts/headers_install.sh
818 index 5de5660..d3deb89 100644
819 --- a/scripts/headers_install.sh
820 @@ -102924,6 +103013,21 @@ index 48c3cc9..8022cf7 100644
821 rtnl_lock();
822 for_each_net(net)
823 rt_genid_bump_all(net);
824 +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
825 +index d106733..539aadd 100644
826 +--- a/security/selinux/ss/services.c
827 ++++ b/security/selinux/ss/services.c
828 +@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
829 + struct context context;
830 + int rc = 0;
831 +
832 ++ /* An empty security context is never valid. */
833 ++ if (!scontext_len)
834 ++ return -EINVAL;
835 ++
836 + if (!ss_initialized) {
837 + int i;
838 +
839 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
840 index b0be893..646bd94 100644
841 --- a/security/smack/smack_lsm.c
842 @@ -103730,10 +103834,10 @@ index 0000000..8eb55ca
843 +randstruct.hashed_seed
844 diff --git a/tools/gcc/Makefile b/tools/gcc/Makefile
845 new file mode 100644
846 -index 0000000..f8ef8a3
847 +index 0000000..51a2ba2
848 --- /dev/null
849 +++ b/tools/gcc/Makefile
850 -@@ -0,0 +1,47 @@
851 +@@ -0,0 +1,55 @@
852 +#CC := gcc
853 +#PLUGIN_SOURCE_FILES := pax_plugin.c
854 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
855 @@ -103773,6 +103877,8 @@ index 0000000..f8ef8a3
856 +randomize_layout_plugin-objs := randomize_layout_plugin.o
857 +
858 +$(obj)/size_overflow_plugin.o: $(objtree)/$(obj)/size_overflow_hash.h
859 ++$(obj)/randomize_layout_plugin.o: $(objtree)/$(obj)/randomize_layout_seed.h \
860 ++ $(objtree)/$(obj)/randomize_layout_hash.data
861 +
862 +quiet_cmd_build_size_overflow_hash = GENHASH $@
863 + cmd_build_size_overflow_hash = \
864 @@ -103780,7 +103886,13 @@ index 0000000..f8ef8a3
865 +$(objtree)/$(obj)/size_overflow_hash.h: $(src)/size_overflow_hash.data FORCE
866 + $(call if_changed,build_size_overflow_hash)
867 +
868 -+targets += size_overflow_hash.h
869 ++quiet_cmd_create_randomize_layout_seed = GENSEED $@
870 ++ cmd_create_randomize_layout_seed = \
871 ++ $(CONFIG_SHELL) $(srctree)/$(src)/gen-random-seed.sh $@ $(objtree)/$(obj)/randomize_layout_hash.data
872 ++$(objtree)/$(obj)/randomize_layout_seed.h $(objtree)/$(obj)/randomize_layout_hash.data: FORCE
873 ++ $(call if_changed,create_randomize_layout_seed)
874 ++
875 ++targets += size_overflow_hash.h randomize_layout_seed.h randomize_layout_hash.data
876 diff --git a/tools/gcc/checker_plugin.c b/tools/gcc/checker_plugin.c
877 new file mode 100644
878 index 0000000..5452feea
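Review bot: The new rule names `randomize_layout_seed.h` and `randomize_layout_hash.data` as two targets of one rule header, which make treats as two independent rules, while the recipe passes `$@` as the seed-header argument to gen-random-seed.sh. When the rule runs for the hash target, the script receives the hash path as both arguments. Because both files are prerequisites of `randomize_layout_plugin.o`, a `make -j` build can run the two instances at once, and each may draw its own seed, leaving a hash that does not match the header. Make the header the only target, spell its path out in `cmd_create_randomize_layout_seed` instead of `$@`, and hang the hash file off it with `$(objtree)/$(obj)/randomize_layout_hash.data: $(objtree)/$(obj)/randomize_layout_seed.h ;`. The start of this Makefile is outside the hunk.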
879 @@ -104672,10 +104784,10 @@ index 0000000..4f67ac1
880 +}
881 diff --git a/tools/gcc/gcc-common.h b/tools/gcc/gcc-common.h
882 new file mode 100644
883 -index 0000000..986f39b
884 +index 0000000..312d3b6
885 --- /dev/null
886 +++ b/tools/gcc/gcc-common.h
887 -@@ -0,0 +1,267 @@
888 +@@ -0,0 +1,268 @@
889 +#ifndef GCC_COMMON_H_INCLUDED
890 +#define GCC_COMMON_H_INCLUDED
891 +
892 @@ -104766,6 +104878,7 @@ index 0000000..986f39b
893 +#if BUILDING_GCC_VERSION >= 4009
894 +#include "tree-ssa-operands.h"
895 +#include "tree-phinodes.h"
896 ++#include "tree-cfg.h"
897 +#include "gimple-iterator.h"
898 +#include "gimple-ssa.h"
899 +#include "ssa-iterators.h"
900 @@ -104943,6 +105056,19 @@ index 0000000..986f39b
901 +#endif
902 +
903 +#endif
904 +diff --git a/tools/gcc/gen-random-seed.sh b/tools/gcc/gen-random-seed.sh
905 +new file mode 100644
906 +index 0000000..8030e6e
907 +--- /dev/null
908 ++++ b/tools/gcc/gen-random-seed.sh
909 +@@ -0,0 +1,7 @@
910 ++#!/bin/sh
911 ++
912 ++if [ ! -f "$1" ]; then
913 ++ SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
914 ++ echo "const char *randstruct_seed = \"$SEED\";" > "$1"
915 ++ echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d "\n" > "$2"
916 ++fi
917 diff --git a/tools/gcc/generate_size_overflow_hash.sh b/tools/gcc/generate_size_overflow_hash.sh
918 new file mode 100644
919 index 0000000..e518932
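Review bot: The script writes whatever `od` returned into `$1` without checking it, so a failed or short read from /dev/urandom leaves a header with a truncated seed that the `[ ! -f "$1" ]` guard never regenerates. Every later build then fails the plugin's length check until the file is removed by hand. Validate that `SEED` is 64 characters before writing anything, and write the header last so a failure in between leaves nothing behind. `echo -n` is not portable under `#!/bin/sh`; `printf '%s'` avoids hashing a literal `-n` on shells that do not treat it as an option. Both outputs hold the layout seed or a value derived from it, so a restrictive umask may be worthwhile, though whether another user needs to read them during the build is not visible here.

```shell
# … unchanged: shebang and the [ ! -f "$1" ] guard …
	umask 077
	SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
	if [ "${#SEED}" -ne 64 ]; then
		echo "gen-random-seed.sh: could not read 32 bytes from /dev/urandom" >&2
		exit 1
	fi
	printf '%s' "$SEED" | sha256sum | cut -d" " -f1 | tr -d "\n" > "$2"
	echo "const char *randstruct_seed = \"$SEED\";" > "$1"
# … unchanged: closing fi …
```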
920 @@ -106089,10 +106215,10 @@ index 0000000..592b923
921 +}
922 diff --git a/tools/gcc/randomize_layout_plugin.c b/tools/gcc/randomize_layout_plugin.c
923 new file mode 100644
924 -index 0000000..8ed761c6
925 +index 0000000..fed12bf
926 --- /dev/null
927 +++ b/tools/gcc/randomize_layout_plugin.c
928 -@@ -0,0 +1,914 @@
929 +@@ -0,0 +1,902 @@
930 +/*
931 + * Copyright 2014 by Open Source Security, Inc., Brad Spengler <spender@××××××××××.net>
932 + * and PaX Team <pageexec@××××××××.hu>
933 @@ -106107,6 +106233,7 @@ index 0000000..8ed761c6
934 + */
935 +
936 +#include "gcc-common.h"
937 ++#include "randomize_layout_seed.h"
938 +
939 +#define ORIG_TYPE_NAME(node) \
940 + (TYPE_NAME(TYPE_MAIN_VARIANT(node)) != NULL_TREE ? ((const unsigned char *)IDENTIFIER_POINTER(TYPE_NAME(TYPE_MAIN_VARIANT(node)))) : (const unsigned char *)"anonymous")
941 @@ -106116,9 +106243,8 @@ index 0000000..8ed761c6
942 +static int performance_mode;
943 +
944 +static struct plugin_info randomize_layout_plugin_info = {
945 -+ .version = "201402011940",
946 ++ .version = "201402061950",
947 + .help = "disable\t\t\tdo not activate plugin\n"
948 -+ "seed\t\t\tprovide a required 64-byte seed in hex format\n"
949 + "performance-mode\tenable cacheline-aware layout randomization\n"
950 +};
951 +
952 @@ -106685,13 +106811,8 @@ index 0000000..8ed761c6
953 + struct varpool_node *node;
954 + tree init;
955 +
956 -+#if BUILDING_GCC_VERSION <= 4007
957 -+ for (node = varpool_nodes; node; node = node->next) {
958 -+ tree var = node->decl;
959 -+#else
960 + FOR_EACH_VARIABLE(node) {
961 -+ tree var = node->symbol.decl;
962 -+#endif
963 ++ tree var = NODE_DECL(node);
964 + init = DECL_INITIAL(var);
965 + if (init == NULL_TREE)
966 + continue;
967 @@ -106975,22 +107096,15 @@ index 0000000..8ed761c6
968 + performance_mode = 1;
969 + continue;
970 + }
971 -+ if (!strcmp(argv[i].key, "seed")) {
972 -+ if (!argv[i].value) {
973 -+ error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
974 -+ continue;
975 -+ }
976 -+ if (strlen(argv[i].value) != 64) {
977 -+ error(G_("invalid value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
978 -+ continue;
979 -+ }
980 -+ obtained_seed = sscanf(argv[i].value, "%016llx%016llx%016llx%016llx",
981 -+ &shuffle_seed[0], &shuffle_seed[1], &shuffle_seed[2], &shuffle_seed[3]);
982 -+ continue;
983 -+ }
984 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
985 + }
986 +
987 ++ if (strlen(randstruct_seed) != 64) {
988 ++ error(G_("invalid seed value supplied for %s plugin"), plugin_name);
989 ++ return 1;
990 ++ }
991 ++ obtained_seed = sscanf(randstruct_seed, "%016llx%016llx%016llx%016llx",
992 ++ &shuffle_seed[0], &shuffle_seed[1], &shuffle_seed[2], &shuffle_seed[3]);
993 + if (obtained_seed != 4) {
994 + error(G_("Invalid seed supplied for %s plugin"), plugin_name);
995 + return 1;
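Review bot: The new `strlen(randstruct_seed) != 64` test proves only that the generated string is 64 bytes long, not that it is 64 hex digits. Each `%016llx` stops at the first non-hex character and also accepts a sign or `0x` prefix, so a malformed header can still produce four conversions while carrying fewer random bits than intended. Checking the character set up front closes that gap: `if (strlen(randstruct_seed) != 64 || strspn(randstruct_seed, "0123456789abcdefABCDEF") != 64) {`. The two messages `invalid seed value supplied for %s plugin` and `Invalid seed supplied for %s plugin` differ only in wording and could share one string. The enclosing function starts and ends outside the hunk.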
996
997 diff --git a/3.13.1/4425_grsec_remove_EI_PAX.patch b/3.13.2/4425_grsec_remove_EI_PAX.patch
998 similarity index 96%
999 rename from 3.13.1/4425_grsec_remove_EI_PAX.patch
1000 rename to 3.13.2/4425_grsec_remove_EI_PAX.patch
1001 index cf65d90..fc51f79 100644
1002 --- a/3.13.1/4425_grsec_remove_EI_PAX.patch
1003 +++ b/3.13.2/4425_grsec_remove_EI_PAX.patch
1004 @@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
1005 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
1006 --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
1007 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
1008 -@@ -267,7 +267,7 @@
1009 +@@ -268,7 +268,7 @@
1010
1011 config PAX_EI_PAX
1012 bool 'Use legacy ELF header marking'
1013
1014 diff --git a/3.13.1/4427_force_XATTR_PAX_tmpfs.patch b/3.13.2/4427_force_XATTR_PAX_tmpfs.patch
1015 similarity index 100%
1016 rename from 3.13.1/4427_force_XATTR_PAX_tmpfs.patch
1017 rename to 3.13.2/4427_force_XATTR_PAX_tmpfs.patch
1018
1019 diff --git a/3.13.1/4430_grsec-remove-localversion-grsec.patch b/3.13.2/4430_grsec-remove-localversion-grsec.patch
1020 similarity index 100%
1021 rename from 3.13.1/4430_grsec-remove-localversion-grsec.patch
1022 rename to 3.13.2/4430_grsec-remove-localversion-grsec.patch
1023
1024 diff --git a/3.13.1/4435_grsec-mute-warnings.patch b/3.13.2/4435_grsec-mute-warnings.patch
1025 similarity index 100%
1026 rename from 3.13.1/4435_grsec-mute-warnings.patch
1027 rename to 3.13.2/4435_grsec-mute-warnings.patch
1028
1029 diff --git a/3.13.1/4440_grsec-remove-protected-paths.patch b/3.13.2/4440_grsec-remove-protected-paths.patch
1030 similarity index 71%
1031 rename from 3.13.1/4440_grsec-remove-protected-paths.patch
1032 rename to 3.13.2/4440_grsec-remove-protected-paths.patch
1033 index 05710b1..741546d 100644
1034 --- a/3.13.1/4440_grsec-remove-protected-paths.patch
1035 +++ b/3.13.2/4440_grsec-remove-protected-paths.patch
1036 @@ -4,9 +4,9 @@ We don't want GRSEC's Makefile to change permissions on paths in
1037 the filesystem.
1038
1039 diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
1040 ---- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400
1041 -+++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400
1042 -@@ -34,10 +34,4 @@
1043 +--- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400
1044 ++++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400
1045 +@@ -44,11 +44,4 @@
1046 ifdef CONFIG_GRKERNSEC_HIDESYM
1047 extra-y := grsec_hidesym.o
1048 $(obj)/grsec_hidesym.o:
1049 @@ -15,5 +15,6 @@ diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
1050 - @-chmod -f 500 /lib64/modules
1051 - @-chmod -f 500 /lib32/modules
1052 - @-chmod -f 700 .
1053 +- @-chmod -f 700 $(objtree)
1054 - @echo ' grsec: protected kernel image paths'
1055 endif
1056
1057 diff --git a/3.13.1/4450_grsec-kconfig-default-gids.patch b/3.13.2/4450_grsec-kconfig-default-gids.patch
1058 similarity index 95%
1059 rename from 3.13.1/4450_grsec-kconfig-default-gids.patch
1060 rename to 3.13.2/4450_grsec-kconfig-default-gids.patch
1061 index 207c450..88f1f9b 100644
1062 --- a/3.13.1/4450_grsec-kconfig-default-gids.patch
1063 +++ b/3.13.2/4450_grsec-kconfig-default-gids.patch
1064 @@ -16,7 +16,7 @@ from shooting themselves in the foot.
1065 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1066 --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
1067 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
1068 -@@ -656,7 +656,7 @@
1069 +@@ -657,7 +657,7 @@
1070 config GRKERNSEC_AUDIT_GID
1071 int "GID for auditing"
1072 depends on GRKERNSEC_AUDIT_GROUP
1073 @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1074
1075 config GRKERNSEC_EXECLOG
1076 bool "Exec logging"
1077 -@@ -887,7 +887,7 @@
1078 +@@ -888,7 +888,7 @@
1079 config GRKERNSEC_TPE_UNTRUSTED_GID
1080 int "GID for TPE-untrusted users"
1081 depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
1082 @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1083 help
1084 Setting this GID determines what group TPE restrictions will be
1085 *enabled* for. If the sysctl option is enabled, a sysctl option
1086 -@@ -896,7 +896,7 @@
1087 +@@ -897,7 +897,7 @@
1088 config GRKERNSEC_TPE_TRUSTED_GID
1089 int "GID for TPE-trusted users"
1090 depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
1091 @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1092 help
1093 Setting this GID determines what group TPE restrictions will be
1094 *disabled* for. If the sysctl option is enabled, a sysctl option
1095 -@@ -989,7 +989,7 @@
1096 +@@ -990,7 +990,7 @@
1097 config GRKERNSEC_SOCKET_ALL_GID
1098 int "GID to deny all sockets for"
1099 depends on GRKERNSEC_SOCKET_ALL
1100 @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1101 help
1102 Here you can choose the GID to disable socket access for. Remember to
1103 add the users you want socket access disabled for to the GID
1104 -@@ -1010,7 +1010,7 @@
1105 +@@ -1011,7 +1011,7 @@
1106 config GRKERNSEC_SOCKET_CLIENT_GID
1107 int "GID to deny client sockets for"
1108 depends on GRKERNSEC_SOCKET_CLIENT
1109 @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1110 help
1111 Here you can choose the GID to disable client socket access for.
1112 Remember to add the users you want client socket access disabled for to
1113 -@@ -1028,7 +1028,7 @@
1114 +@@ -1029,7 +1029,7 @@
1115 config GRKERNSEC_SOCKET_SERVER_GID
1116 int "GID to deny server sockets for"
1117 depends on GRKERNSEC_SOCKET_SERVER
1118 @@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1119 diff -Nuar a/security/Kconfig b/security/Kconfig
1120 --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
1121 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
1122 -@@ -195,7 +195,7 @@
1123 +@@ -196,7 +196,7 @@
1124
1125 config GRKERNSEC_PROC_GID
1126 int "GID exempted from /proc restrictions"
1127 @@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
1128 help
1129 Setting this GID determines which group will be exempted from
1130 grsecurity's /proc restrictions, allowing users of the specified
1131 -@@ -206,7 +206,7 @@
1132 +@@ -207,7 +207,7 @@
1133 config GRKERNSEC_TPE_UNTRUSTED_GID
1134 int "GID for TPE-untrusted users"
1135 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
1136 @@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
1137 help
1138 Setting this GID determines which group untrusted users should
1139 be added to. These users will be placed under grsecurity's Trusted Path
1140 -@@ -218,7 +218,7 @@
1141 +@@ -219,7 +219,7 @@
1142 config GRKERNSEC_TPE_TRUSTED_GID
1143 int "GID for TPE-trusted users"
1144 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
1145 @@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
1146 help
1147 Setting this GID determines what group TPE restrictions will be
1148 *disabled* for. If the sysctl option is enabled, a sysctl option
1149 -@@ -227,7 +227,7 @@
1150 +@@ -228,7 +228,7 @@
1151 config GRKERNSEC_SYMLINKOWN_GID
1152 int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
1153 depends on GRKERNSEC_CONFIG_SERVER
1154
1155 diff --git a/3.13.1/4465_selinux-avc_audit-log-curr_ip.patch b/3.13.2/4465_selinux-avc_audit-log-curr_ip.patch
1156 similarity index 99%
1157 rename from 3.13.1/4465_selinux-avc_audit-log-curr_ip.patch
1158 rename to 3.13.2/4465_selinux-avc_audit-log-curr_ip.patch
1159 index ddabda7..0648169 100644
1160 --- a/3.13.1/4465_selinux-avc_audit-log-curr_ip.patch
1161 +++ b/3.13.2/4465_selinux-avc_audit-log-curr_ip.patch
1162 @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
1163 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1164 --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
1165 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
1166 -@@ -1123,6 +1123,27 @@
1167 +@@ -1124,6 +1124,27 @@
1168 menu "Logging Options"
1169 depends on GRKERNSEC
1170
1171
1172 diff --git a/3.13.1/4470_disable-compat_vdso.patch b/3.13.2/4470_disable-compat_vdso.patch
1173 similarity index 100%
1174 rename from 3.13.1/4470_disable-compat_vdso.patch
1175 rename to 3.13.2/4470_disable-compat_vdso.patch
1176
1177 diff --git a/3.13.1/4475_emutramp_default_on.patch b/3.13.2/4475_emutramp_default_on.patch
1178 similarity index 97%
1179 rename from 3.13.1/4475_emutramp_default_on.patch
1180 rename to 3.13.2/4475_emutramp_default_on.patch
1181 index cfde6f8..30f6978 100644
1182 --- a/3.13.1/4475_emutramp_default_on.patch
1183 +++ b/3.13.2/4475_emutramp_default_on.patch
1184 @@ -10,7 +10,7 @@ See bug:
1185 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
1186 --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
1187 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
1188 -@@ -427,7 +427,7 @@
1189 +@@ -428,7 +428,7 @@
1190
1191 config PAX_EMUTRAMP
1192 bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
1193
1194 diff --git a/3.2.54/0000_README b/3.2.54/0000_README
1195 index 18647c3..61f72a8 100644
1196 --- a/3.2.54/0000_README
1197 +++ b/3.2.54/0000_README
1198 @@ -134,7 +134,7 @@ Patch: 1053_linux-3.2.54.patch
1199 From: http://www.kernel.org
1200 Desc: Linux 3.2.54
1201
1202 -Patch: 4420_grsecurity-3.0-3.2.54-201402052347.patch
1203 +Patch: 4420_grsecurity-3.0-3.2.54-201402062221.patch
1204 From: http://www.grsecurity.net
1205 Desc: hardened-sources base patch from upstream grsecurity
1206
1207
1208 diff --git a/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch b/3.2.54/4420_grsecurity-3.0-3.2.54-201402062221.patch
1209 similarity index 99%
1210 rename from 3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch
1211 rename to 3.2.54/4420_grsecurity-3.0-3.2.54-201402062221.patch
1212 index fa55d46..88feed1 100644
1213 --- a/3.2.54/4420_grsecurity-3.0-3.2.54-201402052347.patch
1214 +++ b/3.2.54/4420_grsecurity-3.0-3.2.54-201402062221.patch
1215 @@ -52869,10 +52869,25 @@ index 49eefdb..547693e 100644
1216 do_chunk_alloc(trans, root->fs_info->extent_root,
1217 num_bytes, data, CHUNK_ALLOC_FORCE);
1218 diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
1219 -index 618ae6f..118fe0c 100644
1220 +index 618ae6f..82d0bc6 100644
1221 --- a/fs/btrfs/ioctl.c
1222 +++ b/fs/btrfs/ioctl.c
1223 -@@ -2733,9 +2733,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
1224 +@@ -1329,6 +1329,14 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file,
1225 + ret = -EINVAL;
1226 + fput(src_file);
1227 + goto out;
1228 ++ } else if (!inode_owner_or_capable(src_inode)) {
1229 ++ /*
1230 ++ * Subvolume creation is not restricted, but snapshots
1231 ++ * are limited to own subvolumes only
1232 ++ */
1233 ++ ret = -EPERM;
1234 ++ fput(src_file);
1235 ++ goto out;
1236 + }
1237 + ret = btrfs_mksubvol(&file->f_path, name, namelen,
1238 + BTRFS_I(src_inode)->root,
1239 +@@ -2733,9 +2741,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
1240 for (i = 0; i < num_types; i++) {
1241 struct btrfs_space_info *tmp;
1242
1243 @@ -52885,7 +52900,7 @@ index 618ae6f..118fe0c 100644
1244 info = NULL;
1245 rcu_read_lock();
1246 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
1247 -@@ -2757,15 +2760,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
1248 +@@ -2757,15 +2768,12 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
1249 memcpy(dest, &space, sizeof(space));
1250 dest++;
1251 space_args.total_spaces++;
1252 @@ -62842,10 +62857,10 @@ index 0000000..c4717f9
1253 +endmenu
1254 diff --git a/grsecurity/Makefile b/grsecurity/Makefile
1255 new file mode 100644
1256 -index 0000000..5cb186f
1257 +index 0000000..f96524e
1258 --- /dev/null
1259 +++ b/grsecurity/Makefile
1260 -@@ -0,0 +1,53 @@
1261 +@@ -0,0 +1,54 @@
1262 +# grsecurity – access control and security hardening for Linux
1263 +# All code in this directory and various hooks located throughout the Linux kernel are
1264 +# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
1265 @@ -62897,6 +62912,7 @@ index 0000000..5cb186f
1266 + @-chmod -f 500 /lib64/modules
1267 + @-chmod -f 500 /lib32/modules
1268 + @-chmod -f 700 .
1269 ++ @-chmod -f 700 $(objtree)
1270 + @echo ' grsec: protected kernel image paths'
1271 +endif
1272 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
1273 @@ -104658,6 +104674,21 @@ index b43813c..74be837 100644
1274 }
1275 #else
1276 static inline int selinux_xfrm_enabled(void)
1277 +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
1278 +index 185f849..72b20b1 100644
1279 +--- a/security/selinux/ss/services.c
1280 ++++ b/security/selinux/ss/services.c
1281 +@@ -1229,6 +1229,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1282 + struct context context;
1283 + int rc = 0;
1284 +
1285 ++ /* An empty security context is never valid. */
1286 ++ if (!scontext_len)
1287 ++ return -EINVAL;
1288 ++
1289 + if (!ss_initialized) {
1290 + int i;
1291 +
1292 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
1293 index 7db62b4..ee4d949 100644
1294 --- a/security/smack/smack_lsm.c
1295
1296 diff --git a/3.2.54/4425_grsec_remove_EI_PAX.patch b/3.2.54/4425_grsec_remove_EI_PAX.patch
1297 index 415fda5..cf65d90 100644
1298 --- a/3.2.54/4425_grsec_remove_EI_PAX.patch
1299 +++ b/3.2.54/4425_grsec_remove_EI_PAX.patch
1300 @@ -8,7 +8,7 @@ X-Gentoo-Bug-URL: https://bugs.gentoo.org/445600
1301 diff -Nuar linux-3.7.1-hardened.orig/security/Kconfig linux-3.7.1-hardened/security/Kconfig
1302 --- linux-3.7.1-hardened.orig/security/Kconfig 2012-12-26 08:39:29.000000000 -0500
1303 +++ linux-3.7.1-hardened/security/Kconfig 2012-12-26 09:05:44.000000000 -0500
1304 -@@ -266,7 +266,7 @@
1305 +@@ -267,7 +267,7 @@
1306
1307 config PAX_EI_PAX
1308 bool 'Use legacy ELF header marking'
1309
1310 diff --git a/3.2.54/4440_grsec-remove-protected-paths.patch b/3.2.54/4440_grsec-remove-protected-paths.patch
1311 index 05710b1..741546d 100644
1312 --- a/3.2.54/4440_grsec-remove-protected-paths.patch
1313 +++ b/3.2.54/4440_grsec-remove-protected-paths.patch
1314 @@ -4,9 +4,9 @@ We don't want GRSEC's Makefile to change permissions on paths in
1315 the filesystem.
1316
1317 diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
1318 ---- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400
1319 -+++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400
1320 -@@ -34,10 +34,4 @@
1321 +--- a/grsecurity/Makefile 2011-10-19 20:42:50.000000000 -0400
1322 ++++ b/grsecurity/Makefile 2011-10-19 20:45:08.000000000 -0400
1323 +@@ -44,11 +44,4 @@
1324 ifdef CONFIG_GRKERNSEC_HIDESYM
1325 extra-y := grsec_hidesym.o
1326 $(obj)/grsec_hidesym.o:
1327 @@ -15,5 +15,6 @@ diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
1328 - @-chmod -f 500 /lib64/modules
1329 - @-chmod -f 500 /lib32/modules
1330 - @-chmod -f 700 .
1331 +- @-chmod -f 700 $(objtree)
1332 - @echo ' grsec: protected kernel image paths'
1333 endif
1334
1335 diff --git a/3.2.54/4450_grsec-kconfig-default-gids.patch b/3.2.54/4450_grsec-kconfig-default-gids.patch
1336 index 55a02aa..71f6231 100644
1337 --- a/3.2.54/4450_grsec-kconfig-default-gids.patch
1338 +++ b/3.2.54/4450_grsec-kconfig-default-gids.patch
1339 @@ -73,7 +73,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
1340 diff -Nuar a/security/Kconfig b/security/Kconfig
1341 --- a/security/Kconfig 2012-10-13 09:51:35.000000000 -0400
1342 +++ b/security/Kconfig 2012-10-13 09:52:59.000000000 -0400
1343 -@@ -194,7 +194,7 @@
1344 +@@ -195,7 +195,7 @@
1345
1346 config GRKERNSEC_PROC_GID
1347 int "GID exempted from /proc restrictions"
1348 @@ -82,7 +82,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
1349 help
1350 Setting this GID determines which group will be exempted from
1351 grsecurity's /proc restrictions, allowing users of the specified
1352 -@@ -205,7 +205,7 @@
1353 +@@ -206,7 +206,7 @@
1354 config GRKERNSEC_TPE_UNTRUSTED_GID
1355 int "GID for TPE-untrusted users"
1356 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
1357 @@ -91,7 +91,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
1358 help
1359 Setting this GID determines which group untrusted users should
1360 be added to. These users will be placed under grsecurity's Trusted Path
1361 -@@ -217,7 +217,7 @@
1362 +@@ -218,7 +218,7 @@
1363 config GRKERNSEC_TPE_TRUSTED_GID
1364 int "GID for TPE-trusted users"
1365 depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
1366 @@ -100,7 +100,7 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
1367 help
1368 Setting this GID determines what group TPE restrictions will be
1369 *disabled* for. If the sysctl option is enabled, a sysctl option
1370 -@@ -226,7 +226,7 @@
1371 +@@ -227,7 +227,7 @@
1372 config GRKERNSEC_SYMLINKOWN_GID
1373 int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
1374 depends on GRKERNSEC_CONFIG_SERVER
1375
1376 diff --git a/3.2.54/4475_emutramp_default_on.patch b/3.2.54/4475_emutramp_default_on.patch
1377 index df700e6..cfde6f8 100644
1378 --- a/3.2.54/4475_emutramp_default_on.patch
1379 +++ b/3.2.54/4475_emutramp_default_on.patch
1380 @@ -10,7 +10,7 @@ See bug:
1381 diff -Naur linux-3.9.2-hardened.orig/security/Kconfig linux-3.9.2-hardened/security/Kconfig
1382 --- linux-3.9.2-hardened.orig/security/Kconfig 2013-05-18 08:53:41.000000000 -0400
1383 +++ linux-3.9.2-hardened/security/Kconfig 2013-05-18 09:17:57.000000000 -0400
1384 -@@ -426,7 +426,7 @@
1385 +@@ -427,7 +427,7 @@
1386
1387 config PAX_EMUTRAMP
1388 bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)