author | Anthony G. Basile <blueness@gentoo.org> | 2014-07-08 16:15:22 -0400 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-07-08 16:15:22 -0400 |
commit | 94139e45a98575a57447fac3045d8f74b6108422 (patch) | |
tree | c20526949202fed2d4cfd530a4ededad94927417 | |
parent | Grsec/PaX: 3.0-3.15.3-201407060933 (diff) | |
download | hardened-patchset-20140707.tar.gz hardened-patchset-20140707.tar.bz2 hardened-patchset-20140707.zip |
Grsec/PaX: 3.0-{3.2.60,3.14.11,3.15.4}-20140707204620140707
-rw-r--r-- | 3.14.11/0000_README (renamed from 3.14.10/0000_README) | 2 | ||||
-rw-r--r-- | 3.14.11/4420_grsecurity-3.0-3.14.11-201407072045.patch (renamed from 3.14.10/4420_grsecurity-3.0-3.14.10-201407052031.patch) | 178 | ||||
-rw-r--r-- | 3.14.11/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.10/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.14.11/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.10/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.14.11/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.10/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.14.11/4435_grsec-mute-warnings.patch (renamed from 3.14.10/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.14.11/4440_grsec-remove-protected-paths.patch (renamed from 3.14.10/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.14.11/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.10/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.14.11/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.10/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.14.11/4470_disable-compat_vdso.patch (renamed from 3.14.10/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.14.11/4475_emutramp_default_on.patch (renamed from 3.14.10/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.15.4/0000_README (renamed from 3.15.3/0000_README) | 0 | ||||
-rw-r--r-- | 3.15.4/4420_grsecurity-3.0-3.15.4-201407072046.patch (renamed from 3.15.3/4420_grsecurity-3.0-3.15.3-201407060933.patch) | 207 | ||||
-rw-r--r-- | 3.15.4/4425_grsec_remove_EI_PAX.patch (renamed from 3.15.3/4425_grsec_remove_EI_PAX.patch) | 0 | ||||
-rw-r--r-- | 3.15.4/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.15.3/4427_force_XATTR_PAX_tmpfs.patch) | 0 | ||||
-rw-r--r-- | 3.15.4/4430_grsec-remove-localversion-grsec.patch (renamed from 3.15.3/4430_grsec-remove-localversion-grsec.patch) | 0 | ||||
-rw-r--r-- | 3.15.4/4435_grsec-mute-warnings.patch (renamed from 3.15.3/4435_grsec-mute-warnings.patch) | 0 | ||||
-rw-r--r-- | 3.15.4/4440_grsec-remove-protected-paths.patch (renamed from 3.15.3/4440_grsec-remove-protected-paths.patch) | 0 | ||||
-rw-r--r-- | 3.15.4/4450_grsec-kconfig-default-gids.patch (renamed from 3.15.3/4450_grsec-kconfig-default-gids.patch) | 0 | ||||
-rw-r--r-- | 3.15.4/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.15.3/4465_selinux-avc_audit-log-curr_ip.patch) | 0 | ||||
-rw-r--r-- | 3.15.4/4470_disable-compat_vdso.patch (renamed from 3.15.3/4470_disable-compat_vdso.patch) | 0 | ||||
-rw-r--r-- | 3.15.4/4475_emutramp_default_on.patch (renamed from 3.15.3/4475_emutramp_default_on.patch) | 0 | ||||
-rw-r--r-- | 3.2.60/0000_README | 2 | ||||
-rw-r--r-- | 3.2.60/4420_grsecurity-3.0-3.2.60-201407072042.patch (renamed from 3.2.60/4420_grsecurity-3.0-3.2.60-201407052028.patch) | 51 |
24 files changed, 197 insertions, 243 deletions
diff --git a/3.14.10/0000_README b/3.14.11/0000_README index 7edf2bb..4a9468b 100644 --- a/3.14.10/0000_README +++ b/3.14.11/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.10-201407052031.patch +Patch: 4420_grsecurity-3.0-3.14.11-201407072045.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.10/4420_grsecurity-3.0-3.14.10-201407052031.patch b/3.14.11/4420_grsecurity-3.0-3.14.11-201407072045.patch index 5cd674b..a883f75 100644 --- a/3.14.10/4420_grsecurity-3.0-3.14.10-201407052031.patch +++ b/3.14.11/4420_grsecurity-3.0-3.14.11-201407072045.patch @@ -287,7 +287,7 @@ index 7116fda..d8ed6e8 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index bd5d673..00eaa40 100644 +index f1bbec5..d78810b 100644 --- a/Makefile +++ b/Makefile @@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -16136,7 +16136,7 @@ index 69bbb48..32517fe 100644 #define smp_load_acquire(p) \ diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h -index 9fc1af7..fc71228 100644 +index 9fc1af7..776d75a 100644 --- a/arch/x86/include/asm/bitops.h +++ b/arch/x86/include/asm/bitops.h @@ -49,7 +49,7 @@ @@ -16216,7 +16216,7 @@ index 9fc1af7..fc71228 100644 */ #ifdef CONFIG_X86_64 -static __always_inline int fls64(__u64 x) -+static __always_inline long fls64(__u64 x) ++static __always_inline __intentional_overflow(-1) int fls64(__u64 x) { int bitpos = -1; /* @@ -18734,7 +18734,7 @@ index fdedd38..95c02c2 100644 void df_debug(struct pt_regs *regs, long error_code); #endif /* _ASM_X86_PROCESSOR_H */ diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h -index 14fd6fd..b31a4a4 100644 +index 6205f0c..b31a4a4 100644 --- a/arch/x86/include/asm/ptrace.h 
+++ b/arch/x86/include/asm/ptrace.h @@ -84,28 +84,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs) @@ -18807,29 +18807,6 @@ index 14fd6fd..b31a4a4 100644 #endif return *(unsigned long *)((unsigned long)regs + offset); } -@@ -231,6 +235,22 @@ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs, - - #define ARCH_HAS_USER_SINGLE_STEP_INFO - -+/* -+ * When hitting ptrace_stop(), we cannot return using SYSRET because -+ * that does not restore the full CPU state, only a minimal set. The -+ * ptracer can change arbitrary register values, which is usually okay -+ * because the usual ptrace stops run off the signal delivery path which -+ * forces IRET; however, ptrace_event() stops happen in arbitrary places -+ * in the kernel and don't force IRET path. -+ * -+ * So force IRET path after a ptrace stop. -+ */ -+#define arch_ptrace_stop_needed(code, info) \ -+({ \ -+ set_thread_flag(TIF_NOTIFY_RESUME); \ -+ false; \ -+}) -+ - struct user_desc; - extern int do_get_thread_area(struct task_struct *p, int idx, - struct user_desc __user *info); diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h index 9c6b890..5305f53 100644 --- a/arch/x86/include/asm/realmode.h @@ -26887,7 +26864,7 @@ index 9c0280f..5bbb1c0 100644 ip = *(u64 *)(fp+8); if (!in_sched_functions(ip)) diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c -index 7461f50..1334029 100644 +index 7461f50..01d0b9c 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -184,14 +184,13 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs) 
@@ -26909,7 +26886,28 @@ index 7461f50..1334029 100644 return (unsigned long)regs; } -@@ -588,7 +587,7 @@ static void ptrace_triggered(struct perf_event *bp, +@@ -452,6 +451,20 @@ static int putreg(struct task_struct *child, + if (child->thread.gs != value) + return do_arch_prctl(child, ARCH_SET_GS, value); + return 0; ++ ++ case offsetof(struct user_regs_struct,ip): ++ /* ++ * Protect against any attempt to set ip to an ++ * impossible address. There are dragons lurking if the ++ * address is noncanonical. (This explicitly allows ++ * setting ip to TASK_SIZE_MAX, because user code can do ++ * that all by itself by running off the end of its ++ * address space. ++ */ ++ if (value > TASK_SIZE_MAX) ++ return -EIO; ++ break; ++ + #endif + } + +@@ -588,7 +601,7 @@ static void ptrace_triggered(struct perf_event *bp, static unsigned long ptrace_get_dr7(struct perf_event *bp[]) { int i; @@ -26918,7 +26916,7 @@ index 7461f50..1334029 100644 struct arch_hw_breakpoint *info; for (i = 0; i < HBP_NUM; i++) { -@@ -822,7 +821,7 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -822,7 +835,7 @@ long arch_ptrace(struct task_struct *child, long request, unsigned long addr, unsigned long data) { int ret; @@ -26927,7 +26925,7 @@ index 7461f50..1334029 100644 switch (request) { /* read the word at location addr in the USER area. */ -@@ -907,14 +906,14 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -907,14 +920,14 @@ long arch_ptrace(struct task_struct *child, long request, if ((int) addr < 0) return -EIO; ret = do_get_thread_area(child, addr, @@ -26944,7 +26942,7 @@ index 7461f50..1334029 100644 break; #endif -@@ -1292,7 +1291,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, +@@ -1292,7 +1305,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, #ifdef CONFIG_X86_64 
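Review bot: The comment added above the `value > TASK_SIZE_MAX` check in putreg() opens a parenthesis at "(This explicitly allows" and never closes it, and "There are dragons lurking" does not tell the next maintainer what the check protects. I would close the parenthesis with `address space.)` and name the hazard in place of the dragons sentence, for example `A noncanonical ip must never be handed to the return-to-user path.`, with the wording to be confirmed by the author. The new `case` sits directly before an `#endif` whose opening `#ifdef` is outside the hunk, so it cannot be seen from here which builds get the check; it is worth saying that in the comment too. The identical hunk is added to the 3.15.4 patch further down, and the same comment fix applies there.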
@@ -26953,7 +26951,7 @@ index 7461f50..1334029 100644 [REGSET_GENERAL] = { .core_note_type = NT_PRSTATUS, .n = sizeof(struct user_regs_struct) / sizeof(long), -@@ -1333,7 +1332,7 @@ static const struct user_regset_view user_x86_64_view = { +@@ -1333,7 +1346,7 @@ static const struct user_regset_view user_x86_64_view = { #endif /* CONFIG_X86_64 */ #if defined CONFIG_X86_32 || defined CONFIG_IA32_EMULATION @@ -26962,7 +26960,7 @@ index 7461f50..1334029 100644 [REGSET_GENERAL] = { .core_note_type = NT_PRSTATUS, .n = sizeof(struct user_regs_struct32) / sizeof(u32), -@@ -1386,7 +1385,7 @@ static const struct user_regset_view user_x86_32_view = { +@@ -1386,7 +1399,7 @@ static const struct user_regset_view user_x86_32_view = { */ u64 xstate_fx_sw_bytes[USER_XSTATE_FX_SW_WORDS]; @@ -26971,7 +26969,7 @@ index 7461f50..1334029 100644 { #ifdef CONFIG_X86_64 x86_64_regsets[REGSET_XSTATE].n = size / sizeof(u64); -@@ -1421,7 +1420,7 @@ static void fill_sigtrap_info(struct task_struct *tsk, +@@ -1421,7 +1434,7 @@ static void fill_sigtrap_info(struct task_struct *tsk, memset(info, 0, sizeof(*info)); info->si_signo = SIGTRAP; info->si_code = si_code; @@ -26980,7 +26978,7 @@ index 7461f50..1334029 100644 } void user_single_step_siginfo(struct task_struct *tsk, -@@ -1450,6 +1449,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, +@@ -1450,6 +1463,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, # define IS_IA32 0 #endif @@ -26991,7 +26989,7 @@ index 7461f50..1334029 100644 /* * We must return the syscall number to actually look up in the table. * This can be -1L to skip running any syscall at all. -@@ -1460,6 +1463,11 @@ long syscall_trace_enter(struct pt_regs *regs) +@@ -1460,6 +1477,11 @@ long syscall_trace_enter(struct pt_regs *regs) user_exit(); 
@@ -27003,7 +27001,7 @@ index 7461f50..1334029 100644 /* * If we stepped into a sysenter/syscall insn, it trapped in * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP. -@@ -1515,6 +1523,11 @@ void syscall_trace_leave(struct pt_regs *regs) +@@ -1515,6 +1537,11 @@ void syscall_trace_leave(struct pt_regs *regs) */ user_exit(); @@ -47099,6 +47097,19 @@ index a2515887..6d13233 100644 dev->net->dev_addr[ETH_ALEN-1] = ifacenum; /* we will have to manufacture ethernet headers, prepare template */ +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 841b608..198a8b7 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -47,7 +47,7 @@ module_param(gso, bool, 0444); + #define RECEIVE_AVG_WEIGHT 64 + + /* Minimum alignment for mergeable packet buffers. */ +-#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256) ++#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256UL) + + #define VIRTNET_DRIVER_VERSION "1.0.0" + diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index 40ad25d..8703023 100644 --- a/drivers/net/vxlan.c @@ -50909,10 +50920,10 @@ index 24884ca..26c8220 100644 login->tgt_agt = sbp_target_agent_register(login); if (IS_ERR(login->tgt_agt)) { diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c -index 26416c1..e796a3d 100644 +index 6ea95d2..88607b4 100644 --- a/drivers/target/target_core_device.c +++ b/drivers/target/target_core_device.c -@@ -1524,7 +1524,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) +@@ -1525,7 +1525,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) spin_lock_init(&dev->se_tmr_lock); spin_lock_init(&dev->qf_cmd_lock); sema_init(&dev->caw_sem, 1); @@ -62806,7 +62817,7 @@ index f4ccfe6..a5cf064 100644 static struct callback_op callback_ops[]; diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c -index 360114a..ac6e265 100644 +index 15f9d98..082c625 100644 --- a/fs/nfs/inode.c +++ b/fs/nfs/inode.c 
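Review bot: In the added drivers/net/virtio_net.c section, `max(L1_CACHE_BYTES, 256UL)` only passes the type check in `max()` while L1_CACHE_BYTES is an `unsigned long`, which is presumably arranged elsewhere in this patch and is not visible in the hunk. Writing it as `#define MERGEABLE_BUFFER_ALIGN max_t(unsigned long, L1_CACHE_BYTES, 256)` states the intended type once and does not depend on how each architecture defines the constant. The same section is added to the 3.15.4 patch below, so the suggestion applies there as well.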
@@ -1189,16 +1189,16 @@ static int nfs_size_need_update(const struct inode *inode, const struct nfs_fatt @@ -62843,7 +62854,7 @@ index 9a914e8..e89c0ea 100644 static struct nfsd4_operation nfsd4_ops[]; diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 16e8fa7..b0803f6 100644 +index bc11bf6..324b058 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -1531,7 +1531,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) @@ -82100,20 +82111,6 @@ index 34a1e10..70f6bde 100644 struct proc_ns { void *ns; -diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h -index 077904c..cc79eff 100644 ---- a/include/linux/ptrace.h -+++ b/include/linux/ptrace.h -@@ -334,6 +334,9 @@ static inline void user_single_step_siginfo(struct task_struct *tsk, - * calling arch_ptrace_stop() when it would be superfluous. For example, - * if the thread has not been back to user mode since the last stop, the - * thread state might indicate that nothing needs to be done. -+ * -+ * This is guaranteed to be invoked once before a task stops for ptrace and -+ * may include arch-specific operations necessary prior to a ptrace stop. - */ - #define arch_ptrace_stop_needed(code, info) (0) - #endif diff --git a/include/linux/quota.h b/include/linux/quota.h index cc7494a..1e27036 100644 --- a/include/linux/quota.h @@ -86755,7 +86752,7 @@ index 81b3d67..ef189a4 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index 45da005c..6581b2b 100644 +index c44bff8..a3c5876 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -180,6 +180,48 @@ void thread_info_cache_init(void) @@ -87137,7 +87134,7 @@ index 45da005c..6581b2b 100644 if (likely(p->pid)) { ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); -@@ -1537,6 +1647,8 @@ bad_fork_cleanup_count: +@@ -1539,6 +1649,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: 
@@ -87146,7 +87143,7 @@ index 45da005c..6581b2b 100644 return ERR_PTR(retval); } -@@ -1598,6 +1710,7 @@ long do_fork(unsigned long clone_flags, +@@ -1600,6 +1712,7 @@ long do_fork(unsigned long clone_flags, p = copy_process(clone_flags, stack_start, stack_size, child_tidptr, NULL, trace); @@ -87154,7 +87151,7 @@ index 45da005c..6581b2b 100644 /* * Do this prior waking up the new thread - the thread pointer * might get invalid after that point, if the thread exits quickly. -@@ -1614,6 +1727,8 @@ long do_fork(unsigned long clone_flags, +@@ -1616,6 +1729,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -87163,7 +87160,7 @@ index 45da005c..6581b2b 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1732,7 +1847,7 @@ void __init proc_caches_init(void) +@@ -1734,7 +1849,7 @@ void __init proc_caches_init(void) mm_cachep = kmem_cache_create("mm_struct", sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN, SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL); @@ -87172,7 +87169,7 @@ index 45da005c..6581b2b 100644 mmap_init(); nsproxy_cache_init(); } -@@ -1772,7 +1887,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1774,7 +1889,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -87181,7 +87178,7 @@ index 45da005c..6581b2b 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1879,7 +1994,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1881,7 +1996,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -91701,10 +91698,10 @@ index fc4da2d..f3e800b 100644 *data_page = bpage; diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 24c1f23..781fd73f 100644 +index f0831c22..4b19cb3 100644 --- a/kernel/trace/trace.c 
+++ b/kernel/trace/trace.c -@@ -3399,7 +3399,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) +@@ -3400,7 +3400,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) return 0; } @@ -91894,7 +91891,7 @@ index 4f69f9a..7c6f8f8 100644 memcpy(&uts_table, table, sizeof(uts_table)); uts_table.data = get_uts(table, write); diff --git a/kernel/watchdog.c b/kernel/watchdog.c -index 4431610..4265616 100644 +index c9b6f01..37781d9 100644 --- a/kernel/watchdog.c +++ b/kernel/watchdog.c @@ -475,7 +475,7 @@ static int watchdog_nmi_enable(unsigned int cpu) { return 0; } @@ -92442,37 +92439,6 @@ index c24c2f7..f0296f4 100644 + pax_close_kernel(); +} +EXPORT_SYMBOL(pax_list_del_rcu); -diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c -index b74da44..7a85967 100644 ---- a/lib/lz4/lz4_decompress.c -+++ b/lib/lz4/lz4_decompress.c -@@ -192,6 +192,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest, - int s = 255; - while ((ip < iend) && (s == 255)) { - s = *ip++; -+ if (unlikely(length > (size_t)(length + s))) -+ goto _output_error; - length += s; - } - } -@@ -232,6 +234,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest, - if (length == ML_MASK) { - while (ip < iend) { - int s = *ip++; -+ if (unlikely(length > (size_t)(length + s))) -+ goto _output_error; - length += s; - if (s == 255) - continue; -@@ -284,7 +288,7 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest, - - /* write overflow error detected */ - _output_error: -- return (int) (-(((char *) ip) - source)); -+ return -1; - } - - int lz4_decompress(const unsigned char *src, size_t *src_len, diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c index 963b703..438bc51 100644 --- a/lib/percpu-refcount.c @@ -101804,7 +101770,7 @@ index a8eb0a8..86f2de4 100644 if (!todrop_rate[i]) return 0; 
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c -index 4f26ee4..6a9d7c3 100644 +index 3d2d2c8..c87e4d3 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -567,7 +567,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, @@ -101816,7 +101782,7 @@ index 4f26ee4..6a9d7c3 100644 ip_vs_conn_put(cp); return ret; } -@@ -1706,7 +1706,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) +@@ -1711,7 +1711,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) if (cp->flags & IP_VS_CONN_F_ONE_PACKET) pkts = sysctl_sync_threshold(ipvs); else @@ -101994,7 +101960,7 @@ index a4b5e2a..13b1de3 100644 table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table), GFP_KERNEL); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c -index 356bef5..99932cb 100644 +index 356bef5..163b56a 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1627,6 +1627,10 @@ void nf_conntrack_init_end(void) @@ -102013,7 +101979,7 @@ index 356bef5..99932cb 100644 } +#ifdef CONFIG_GRKERNSEC_HIDESYM -+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return_unchecked(&conntrack_cache_id)); ++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08x", atomic_inc_return_unchecked(&conntrack_cache_id)); +#else net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net); +#endif @@ -114733,7 +114699,7 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..8972f81 +index 0000000..4077712 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data @@ -0,0 +1,5988 @@ 
@@ -116547,8 +116513,8 @@ index 0000000..8972f81 +attach_hdlc_protocol_19986 attach_hdlc_protocol 3 19986 NULL +rtw_set_wps_probe_resp_19989 rtw_set_wps_probe_resp 3 19989 NULL +diva_um_idi_read_20003 diva_um_idi_read 0 20003 NULL -+lov_stripe_md_size_20009 lov_stripe_md_size 0-1 20009 NULL nohasharray -+event_trigger_write_20009 event_trigger_write 3 20009 &lov_stripe_md_size_20009 ++event_trigger_write_20009 event_trigger_write 3 20009 NULL nohasharray ++lov_stripe_md_size_20009 lov_stripe_md_size 0-1 20009 &event_trigger_write_20009 +tree_mod_log_eb_move_20011 tree_mod_log_eb_move 5 20011 NULL +SYSC_fgetxattr_20027 SYSC_fgetxattr 4 20027 NULL +split_scan_timeout_read_20029 split_scan_timeout_read 3 20029 NULL @@ -116915,8 +116881,8 @@ index 0000000..8972f81 +bin_to_hex_dup_23853 bin_to_hex_dup 2 23853 NULL +ocfs2_xattr_get_clusters_23857 ocfs2_xattr_get_clusters 0 23857 NULL +ieee80211_if_read_dot11MeshMaxPeerLinks_23878 ieee80211_if_read_dot11MeshMaxPeerLinks 3 23878 NULL -+nouveau_clock_create__23881 nouveau_clock_create_ 5 23881 NULL nohasharray -+writeback_single_inode_23881 writeback_single_inode 0 23881 &nouveau_clock_create__23881 ++writeback_single_inode_23881 writeback_single_inode 0 23881 NULL nohasharray ++nouveau_clock_create__23881 nouveau_clock_create_ 5 23881 &writeback_single_inode_23881 +tipc_snprintf_23893 tipc_snprintf 2-0 23893 NULL +add_new_gdb_meta_bg_23911 add_new_gdb_meta_bg 3 23911 NULL nohasharray +ieee80211_if_read_hw_queues_23911 ieee80211_if_read_hw_queues 3 23911 &add_new_gdb_meta_bg_23911 diff --git a/3.14.10/4425_grsec_remove_EI_PAX.patch b/3.14.11/4425_grsec_remove_EI_PAX.patch index fc51f79..fc51f79 100644 --- a/3.14.10/4425_grsec_remove_EI_PAX.patch +++ b/3.14.11/4425_grsec_remove_EI_PAX.patch diff --git a/3.14.10/4427_force_XATTR_PAX_tmpfs.patch b/3.14.11/4427_force_XATTR_PAX_tmpfs.patch index 3db2112..3db2112 100644 --- a/3.14.10/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.11/4427_force_XATTR_PAX_tmpfs.patch 
diff --git a/3.14.10/4430_grsec-remove-localversion-grsec.patch b/3.14.11/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.14.10/4430_grsec-remove-localversion-grsec.patch
+++ b/3.14.11/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.10/4435_grsec-mute-warnings.patch b/3.14.11/4435_grsec-mute-warnings.patch
index 392cefb..392cefb 100644
--- a/3.14.10/4435_grsec-mute-warnings.patch
+++ b/3.14.11/4435_grsec-mute-warnings.patch
diff --git a/3.14.10/4440_grsec-remove-protected-paths.patch b/3.14.11/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.14.10/4440_grsec-remove-protected-paths.patch
+++ b/3.14.11/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.10/4450_grsec-kconfig-default-gids.patch b/3.14.11/4450_grsec-kconfig-default-gids.patch
index af218a8..af218a8 100644
--- a/3.14.10/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.11/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.10/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.11/4465_selinux-avc_audit-log-curr_ip.patch
index fb528d0..fb528d0 100644
--- a/3.14.10/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.11/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.10/4470_disable-compat_vdso.patch b/3.14.11/4470_disable-compat_vdso.patch
index 677174c..677174c 100644
--- a/3.14.10/4470_disable-compat_vdso.patch
+++ b/3.14.11/4470_disable-compat_vdso.patch
diff --git a/3.14.10/4475_emutramp_default_on.patch b/3.14.11/4475_emutramp_default_on.patch
index 015c7c1..015c7c1 100644
--- a/3.14.10/4475_emutramp_default_on.patch
+++ b/3.14.11/4475_emutramp_default_on.patch
diff --git a/3.15.3/0000_README b/3.15.4/0000_README
index a26acbb..a26acbb 100644
--- a/3.15.3/0000_README
+++ b/3.15.4/0000_README
diff --git a/3.15.3/4420_grsecurity-3.0-3.15.3-201407060933.patch b/3.15.4/4420_grsecurity-3.0-3.15.4-201407072046.patch
index 8f5bdcd..0dbb183 100644
--- a/3.15.3/4420_grsecurity-3.0-3.15.3-201407060933.patch
+++ b/3.15.4/4420_grsecurity-3.0-3.15.4-201407072046.patch @@ -287,7 +287,7 @@ index 30a8ad0d..2ed9efd 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 2e37d8b..3904d75 100644 +index 25ecc1d..184bee9 100644 --- a/Makefile +++ b/Makefile @@ -246,7 +246,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -15755,7 +15755,7 @@ index 69bbb48..32517fe 100644 #define smp_load_acquire(p) \ diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h -index 9fc1af7..fc71228 100644 +index 9fc1af7..776d75a 100644 --- a/arch/x86/include/asm/bitops.h +++ b/arch/x86/include/asm/bitops.h @@ -49,7 +49,7 @@ @@ -15835,7 +15835,7 @@ index 9fc1af7..fc71228 100644 */ #ifdef CONFIG_X86_64 -static __always_inline int fls64(__u64 x) -+static __always_inline long fls64(__u64 x) ++static __always_inline __intentional_overflow(-1) int fls64(__u64 x) { int bitpos = -1; /* @@ -18365,7 +18365,7 @@ index a4ea023..33aa874 100644 void df_debug(struct pt_regs *regs, long error_code); #endif /* _ASM_X86_PROCESSOR_H */ diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h -index 14fd6fd..b31a4a4 100644 +index 6205f0c..b31a4a4 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -84,28 +84,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs) 
@@ -18438,29 +18438,6 @@ index 14fd6fd..b31a4a4 100644 #endif return *(unsigned long *)((unsigned long)regs + offset); } -@@ -231,6 +235,22 @@ static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs, - - #define ARCH_HAS_USER_SINGLE_STEP_INFO - -+/* -+ * When hitting ptrace_stop(), we cannot return using SYSRET because -+ * that does not restore the full CPU state, only a minimal set. The -+ * ptracer can change arbitrary register values, which is usually okay -+ * because the usual ptrace stops run off the signal delivery path which -+ * forces IRET; however, ptrace_event() stops happen in arbitrary places -+ * in the kernel and don't force IRET path. -+ * -+ * So force IRET path after a ptrace stop. -+ */ -+#define arch_ptrace_stop_needed(code, info) \ -+({ \ -+ set_thread_flag(TIF_NOTIFY_RESUME); \ -+ false; \ -+}) -+ - struct user_desc; - extern int do_get_thread_area(struct task_struct *p, int idx, - struct user_desc __user *info); diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h index 9c6b890..5305f53 100644 --- a/arch/x86/include/asm/realmode.h @@ -26431,7 +26408,7 @@ index 898d077..4c458ff 100644 ip = *(u64 *)(fp+8); if (!in_sched_functions(ip)) diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c -index 678c0ad..d309ccb 100644 +index 678c0ad..2fc2a7b 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -186,10 +186,10 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs) 
@@ -26447,7 +26424,28 @@ index 678c0ad..d309ccb 100644 if (prev_esp) return (unsigned long)prev_esp; -@@ -588,7 +588,7 @@ static void ptrace_triggered(struct perf_event *bp, +@@ -452,6 +452,20 @@ static int putreg(struct task_struct *child, + if (child->thread.gs != value) + return do_arch_prctl(child, ARCH_SET_GS, value); + return 0; ++ ++ case offsetof(struct user_regs_struct,ip): ++ /* ++ * Protect against any attempt to set ip to an ++ * impossible address. There are dragons lurking if the ++ * address is noncanonical. (This explicitly allows ++ * setting ip to TASK_SIZE_MAX, because user code can do ++ * that all by itself by running off the end of its ++ * address space. ++ */ ++ if (value > TASK_SIZE_MAX) ++ return -EIO; ++ break; ++ + #endif + } + +@@ -588,7 +602,7 @@ static void ptrace_triggered(struct perf_event *bp, static unsigned long ptrace_get_dr7(struct perf_event *bp[]) { int i; @@ -26456,7 +26454,7 @@ index 678c0ad..d309ccb 100644 struct arch_hw_breakpoint *info; for (i = 0; i < HBP_NUM; i++) { -@@ -822,7 +822,7 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -822,7 +836,7 @@ long arch_ptrace(struct task_struct *child, long request, unsigned long addr, unsigned long data) { int ret; @@ -26465,7 +26463,7 @@ index 678c0ad..d309ccb 100644 switch (request) { /* read the word at location addr in the USER area. */ -@@ -907,14 +907,14 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -907,14 +921,14 @@ long arch_ptrace(struct task_struct *child, long request, if ((int) addr < 0) return -EIO; ret = do_get_thread_area(child, addr, @@ -26482,7 +26480,7 @@ index 678c0ad..d309ccb 100644 break; #endif -@@ -1292,7 +1292,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, +@@ -1292,7 +1306,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, #ifdef CONFIG_X86_64 
@@ -26491,7 +26489,7 @@ index 678c0ad..d309ccb 100644 [REGSET_GENERAL] = { .core_note_type = NT_PRSTATUS, .n = sizeof(struct user_regs_struct) / sizeof(long), -@@ -1333,7 +1333,7 @@ static const struct user_regset_view user_x86_64_view = { +@@ -1333,7 +1347,7 @@ static const struct user_regset_view user_x86_64_view = { #endif /* CONFIG_X86_64 */ #if defined CONFIG_X86_32 || defined CONFIG_IA32_EMULATION @@ -26500,7 +26498,7 @@ index 678c0ad..d309ccb 100644 [REGSET_GENERAL] = { .core_note_type = NT_PRSTATUS, .n = sizeof(struct user_regs_struct32) / sizeof(u32), -@@ -1386,7 +1386,7 @@ static const struct user_regset_view user_x86_32_view = { +@@ -1386,7 +1400,7 @@ static const struct user_regset_view user_x86_32_view = { */ u64 xstate_fx_sw_bytes[USER_XSTATE_FX_SW_WORDS]; @@ -26509,7 +26507,7 @@ index 678c0ad..d309ccb 100644 { #ifdef CONFIG_X86_64 x86_64_regsets[REGSET_XSTATE].n = size / sizeof(u64); -@@ -1421,7 +1421,7 @@ static void fill_sigtrap_info(struct task_struct *tsk, +@@ -1421,7 +1435,7 @@ static void fill_sigtrap_info(struct task_struct *tsk, memset(info, 0, sizeof(*info)); info->si_signo = SIGTRAP; info->si_code = si_code; @@ -26518,7 +26516,7 @@ index 678c0ad..d309ccb 100644 } void user_single_step_siginfo(struct task_struct *tsk, -@@ -1450,6 +1450,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, +@@ -1450,6 +1464,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, # define IS_IA32 0 #endif @@ -26529,7 +26527,7 @@ index 678c0ad..d309ccb 100644 /* * We must return the syscall number to actually look up in the table. * This can be -1L to skip running any syscall at all. -@@ -1460,6 +1464,11 @@ long syscall_trace_enter(struct pt_regs *regs) +@@ -1460,6 +1478,11 @@ long syscall_trace_enter(struct pt_regs *regs) user_exit(); 
@@ -26541,7 +26539,7 @@ index 678c0ad..d309ccb 100644 /* * If we stepped into a sysenter/syscall insn, it trapped in * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP. -@@ -1515,6 +1524,11 @@ void syscall_trace_leave(struct pt_regs *regs) +@@ -1515,6 +1538,11 @@ void syscall_trace_leave(struct pt_regs *regs) */ user_exit(); @@ -39039,7 +39037,7 @@ index 000e4e0..4770351 100644 cpu_notifier_register_begin(); diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c -index abda660..f1d1de0 100644 +index 558224c..55e3b57 100644 --- a/drivers/cpufreq/cpufreq.c +++ b/drivers/cpufreq/cpufreq.c @@ -2022,7 +2022,7 @@ void cpufreq_unregister_governor(struct cpufreq_governor *governor) @@ -39051,7 +39049,7 @@ index abda660..f1d1de0 100644 mutex_unlock(&cpufreq_governor_mutex); return; } -@@ -2240,7 +2240,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb, +@@ -2238,7 +2238,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb, return NOTIFY_OK; } @@ -39060,7 +39058,7 @@ index abda660..f1d1de0 100644 .notifier_call = cpufreq_cpu_callback, }; -@@ -2280,13 +2280,17 @@ int cpufreq_boost_trigger_state(int state) +@@ -2278,13 +2278,17 @@ int cpufreq_boost_trigger_state(int state) return 0; write_lock_irqsave(&cpufreq_driver_lock, flags); @@ -39080,7 +39078,7 @@ index abda660..f1d1de0 100644 write_unlock_irqrestore(&cpufreq_driver_lock, flags); pr_err("%s: Cannot %s BOOST\n", -@@ -2342,8 +2346,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) +@@ -2340,8 +2344,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) pr_debug("trying to register driver %s\n", driver_data->name); 
@@ -39094,7 +39092,7 @@ index abda660..f1d1de0 100644 write_lock_irqsave(&cpufreq_driver_lock, flags); if (cpufreq_driver) { -@@ -2358,8 +2365,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) +@@ -2356,8 +2363,11 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data) * Check if driver provides function to enable boost - * if not, use cpufreq_boost_set_sw as default */ @@ -46464,6 +46462,19 @@ index a2515887..6d13233 100644 dev->net->dev_addr[ETH_ALEN-1] = ifacenum; /* we will have to manufacture ethernet headers, prepare template */ +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 8a852b5..668a4b6 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -47,7 +47,7 @@ module_param(gso, bool, 0444); + #define RECEIVE_AVG_WEIGHT 64 + + /* Minimum alignment for mergeable packet buffers. */ +-#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256) ++#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256UL) + + #define VIRTNET_DRIVER_VERSION "1.0.0" + diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index 77dcf92..549924a 100644 --- a/drivers/net/vxlan.c @@ -48745,10 +48756,10 @@ index 3cbb57a..95e47a3 100644 /* These three are default values which can be overridden */ diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c -index 9a6e4a2..27843b6 100644 +index fda6cf1..7a6b5d8 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c -@@ -687,10 +687,10 @@ static inline u32 next_command(struct ctlr_info *h, u8 q) +@@ -699,10 +699,10 @@ static inline u32 next_command(struct ctlr_info *h, u8 q) unsigned long flags; if (h->transMethod & CFGTBL_Trans_io_accel1) 
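Review bot: In the added drivers/net/virtio_net.c hunk, `MERGEABLE_BUFFER_ALIGN` now passes `256UL` to `max()`, which only type-checks while `L1_CACHE_BYTES` is `unsigned long`. That definition is not visible here, so the suffix presumably follows how this patch set defines the constant. Naming the width once keeps the macro valid under either definition: `#define MERGEABLE_BUFFER_ALIGN max_t(unsigned long, L1_CACHE_BYTES, 256)`. If the suffix is kept instead, a short comment such as `/* 256UL: must match the type of L1_CACHE_BYTES for max() */` would stop it from being tidied away later.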
@@ -48761,7 +48772,7 @@ index 9a6e4a2..27843b6 100644 if ((rq->head[rq->current_entry] & 1) == rq->wraparound) { a = rq->head[rq->current_entry]; -@@ -5448,7 +5448,7 @@ static void start_io(struct ctlr_info *h) +@@ -5460,7 +5460,7 @@ static void start_io(struct ctlr_info *h) while (!list_empty(&h->reqQ)) { c = list_entry(h->reqQ.next, struct CommandList, list); /* can't do anything if fifo is full */ @@ -48770,7 +48781,7 @@ index 9a6e4a2..27843b6 100644 h->fifo_recently_full = 1; dev_warn(&h->pdev->dev, "fifo full\n"); break; -@@ -5472,7 +5472,7 @@ static void start_io(struct ctlr_info *h) +@@ -5484,7 +5484,7 @@ static void start_io(struct ctlr_info *h) /* Tell the controller execute command */ spin_unlock_irqrestore(&h->lock, flags); @@ -48779,7 +48790,7 @@ index 9a6e4a2..27843b6 100644 spin_lock_irqsave(&h->lock, flags); } spin_unlock_irqrestore(&h->lock, flags); -@@ -5480,17 +5480,17 @@ static void start_io(struct ctlr_info *h) +@@ -5492,17 +5492,17 @@ static void start_io(struct ctlr_info *h) static inline unsigned long get_next_completion(struct ctlr_info *h, u8 q) { @@ -48800,7 +48811,7 @@ index 9a6e4a2..27843b6 100644 (h->interrupts_enabled == 0); } -@@ -6444,7 +6444,7 @@ static int hpsa_pci_init(struct ctlr_info *h) +@@ -6456,7 +6456,7 @@ static int hpsa_pci_init(struct ctlr_info *h) if (prod_index < 0) return -ENODEV; h->product_name = products[prod_index].product_name; @@ -48809,7 +48820,7 @@ index 9a6e4a2..27843b6 100644 pci_disable_link_state(h->pdev, PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM); -@@ -6723,7 +6723,7 @@ static void controller_lockup_detected(struct ctlr_info *h) +@@ -6735,7 +6735,7 @@ static void controller_lockup_detected(struct ctlr_info *h) { unsigned long flags; 
@@ -48818,7 +48829,7 @@ index 9a6e4a2..27843b6 100644 spin_lock_irqsave(&h->lock, flags); h->lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET); spin_unlock_irqrestore(&h->lock, flags); -@@ -6951,7 +6951,7 @@ reinit_after_soft_reset: +@@ -6963,7 +6963,7 @@ reinit_after_soft_reset: } /* make sure the board interrupts are off */ @@ -48827,7 +48838,7 @@ index 9a6e4a2..27843b6 100644 if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx)) goto clean2; -@@ -6986,7 +6986,7 @@ reinit_after_soft_reset: +@@ -6998,7 +6998,7 @@ reinit_after_soft_reset: * fake ones to scoop up any residual completions. */ spin_lock_irqsave(&h->lock, flags); @@ -48836,7 +48847,7 @@ index 9a6e4a2..27843b6 100644 spin_unlock_irqrestore(&h->lock, flags); free_irqs(h); rc = hpsa_request_irq(h, hpsa_msix_discard_completions, -@@ -7005,9 +7005,9 @@ reinit_after_soft_reset: +@@ -7017,9 +7017,9 @@ reinit_after_soft_reset: dev_info(&h->pdev->dev, "Board READY.\n"); dev_info(&h->pdev->dev, "Waiting for stale completions to drain.\n"); @@ -48848,7 +48859,7 @@ index 9a6e4a2..27843b6 100644 rc = controller_reset_failed(h->cfgtable); if (rc) -@@ -7033,7 +7033,7 @@ reinit_after_soft_reset: +@@ -7045,7 +7045,7 @@ reinit_after_soft_reset: h->drv_req_rescan = 0; /* Turn the interrupts on so we can service requests */ @@ -48857,7 +48868,7 @@ index 9a6e4a2..27843b6 100644 hpsa_hba_inquiry(h); hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */ -@@ -7102,7 +7102,7 @@ static void hpsa_shutdown(struct pci_dev *pdev) +@@ -7114,7 +7114,7 @@ static void hpsa_shutdown(struct pci_dev *pdev) * To write all data in the battery backed cache to disks */ hpsa_flush_cache(h); 
@@ -48866,7 +48877,7 @@ index 9a6e4a2..27843b6 100644 hpsa_free_irqs_and_disable_msix(h); } -@@ -7220,7 +7220,7 @@ static void hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support) +@@ -7232,7 +7232,7 @@ static void hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support) CFGTBL_Trans_enable_directed_msix | (trans_support & (CFGTBL_Trans_io_accel1 | CFGTBL_Trans_io_accel2)); @@ -48875,7 +48886,7 @@ index 9a6e4a2..27843b6 100644 /* This is a bit complicated. There are 8 registers on * the controller which we write to to tell it 8 different -@@ -7285,12 +7285,12 @@ static void hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support) +@@ -7297,12 +7297,12 @@ static void hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support) * enable outbound interrupt coalescing in accelerator mode; */ if (trans_support & CFGTBL_Trans_io_accel1) { @@ -50293,10 +50304,10 @@ index e7e9372..161f530 100644 login->tgt_agt = sbp_target_agent_register(login); if (IS_ERR(login->tgt_agt)) { diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c -index 26416c1..e796a3d 100644 +index 6ea95d2..88607b4 100644 --- a/drivers/target/target_core_device.c +++ b/drivers/target/target_core_device.c -@@ -1524,7 +1524,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) +@@ -1525,7 +1525,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) spin_lock_init(&dev->se_tmr_lock); spin_lock_init(&dev->qf_cmd_lock); sema_init(&dev->caw_sem, 1); @@ -62226,7 +62237,7 @@ index f4ccfe6..a5cf064 100644 static struct callback_op callback_ops[]; diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c -index 0c43897..0949f08 100644 +index c79f3e7..d61d671 100644 --- a/fs/nfs/inode.c +++ b/fs/nfs/inode.c @@ -1209,16 +1209,16 @@ static int nfs_size_need_update(const struct inode *inode, const struct nfs_fatt @@ -62263,7 +62274,7 @@ index d543222..2cfa2a2 100644 static struct nfsd4_operation nfsd4_ops[]; 
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c -index 18881f3..40e5bef 100644 +index b4c4958..04687ad 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -1530,7 +1530,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p) @@ -81571,20 +81582,6 @@ index 34a1e10..70f6bde 100644 struct proc_ns { void *ns; -diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h -index 077904c..cc79eff 100644 ---- a/include/linux/ptrace.h -+++ b/include/linux/ptrace.h -@@ -334,6 +334,9 @@ static inline void user_single_step_siginfo(struct task_struct *tsk, - * calling arch_ptrace_stop() when it would be superfluous. For example, - * if the thread has not been back to user mode since the last stop, the - * thread state might indicate that nothing needs to be done. -+ * -+ * This is guaranteed to be invoked once before a task stops for ptrace and -+ * may include arch-specific operations necessary prior to a ptrace stop. - */ - #define arch_ptrace_stop_needed(code, info) (0) - #endif diff --git a/include/linux/quota.h b/include/linux/quota.h index cc7494a..1e27036 100644 --- a/include/linux/quota.h @@ -86219,7 +86216,7 @@ index 6ed6a1d..edecb0e 100644 { struct signal_struct *sig = current->signal; diff --git a/kernel/fork.c b/kernel/fork.c -index 1429043..9d95f16 100644 +index 68b9226..0700bf6 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -183,6 +183,48 @@ void thread_info_cache_init(void) @@ -86601,7 +86598,7 @@ index 1429043..9d95f16 100644 if (likely(p->pid)) { ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace); -@@ -1539,6 +1649,8 @@ bad_fork_cleanup_count: +@@ -1541,6 +1651,8 @@ bad_fork_cleanup_count: bad_fork_free: free_task(p); fork_out: @@ -86610,7 +86607,7 @@ index 1429043..9d95f16 100644 return ERR_PTR(retval); } -@@ -1600,6 +1712,7 @@ long do_fork(unsigned long clone_flags, +@@ -1602,6 +1714,7 @@ long do_fork(unsigned long clone_flags, p = copy_process(clone_flags, stack_start, stack_size, child_tidptr, NULL, trace); 
@@ -86618,7 +86615,7 @@ index 1429043..9d95f16 100644 /* * Do this prior waking up the new thread - the thread pointer * might get invalid after that point, if the thread exits quickly. -@@ -1616,6 +1729,8 @@ long do_fork(unsigned long clone_flags, +@@ -1618,6 +1731,8 @@ long do_fork(unsigned long clone_flags, if (clone_flags & CLONE_PARENT_SETTID) put_user(nr, parent_tidptr); @@ -86627,7 +86624,7 @@ index 1429043..9d95f16 100644 if (clone_flags & CLONE_VFORK) { p->vfork_done = &vfork; init_completion(&vfork); -@@ -1734,7 +1849,7 @@ void __init proc_caches_init(void) +@@ -1736,7 +1851,7 @@ void __init proc_caches_init(void) mm_cachep = kmem_cache_create("mm_struct", sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN, SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL); @@ -86636,7 +86633,7 @@ index 1429043..9d95f16 100644 mmap_init(); nsproxy_cache_init(); } -@@ -1774,7 +1889,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) +@@ -1776,7 +1891,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp) return 0; /* don't need lock here; in the worst case we'll do useless copy */ @@ -86645,7 +86642,7 @@ index 1429043..9d95f16 100644 return 0; *new_fsp = copy_fs_struct(fs); -@@ -1881,7 +1996,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -1883,7 +1998,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) fs = current->fs; spin_lock(&fs->lock); current->fs = new_fs; @@ -91252,10 +91249,10 @@ index c634868..00d0d19 100644 *data_page = bpage; diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c -index 737b0ef..bd21ea6 100644 +index e916972..e87f285 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c -@@ -3448,7 +3448,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) +@@ -3449,7 +3449,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set) return 0; } 
@@ -91445,7 +91442,7 @@ index 4f69f9a..7c6f8f8 100644 memcpy(&uts_table, table, sizeof(uts_table)); uts_table.data = get_uts(table, write); diff --git a/kernel/watchdog.c b/kernel/watchdog.c -index 516203e..ecc58d1 100644 +index 30e4822..dd2b854 100644 --- a/kernel/watchdog.c +++ b/kernel/watchdog.c @@ -479,7 +479,7 @@ static int watchdog_nmi_enable(unsigned int cpu) { return 0; } @@ -91971,37 +91968,6 @@ index c24c2f7..f0296f4 100644 + pax_close_kernel(); +} +EXPORT_SYMBOL(pax_list_del_rcu); -diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c -index b74da44..7a85967 100644 ---- a/lib/lz4/lz4_decompress.c -+++ b/lib/lz4/lz4_decompress.c -@@ -192,6 +192,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest, - int s = 255; - while ((ip < iend) && (s == 255)) { - s = *ip++; -+ if (unlikely(length > (size_t)(length + s))) -+ goto _output_error; - length += s; - } - } -@@ -232,6 +234,8 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest, - if (length == ML_MASK) { - while (ip < iend) { - int s = *ip++; -+ if (unlikely(length > (size_t)(length + s))) -+ goto _output_error; - length += s; - if (s == 255) - continue; -@@ -284,7 +288,7 @@ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest, - - /* write overflow error detected */ - _output_error: -- return (int) (-(((char *) ip) - source)); -+ return -1; - } - - int lz4_decompress(const unsigned char *src, size_t *src_len, diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c index 963b703..438bc51 100644 --- a/lib/percpu-refcount.c @@ -101773,7 +101739,7 @@ index a4b5e2a..13b1de3 100644 table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table), GFP_KERNEL); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c -index 75421f2..054c1fc 100644 +index 75421f2..0e69621 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c 
@@ -1789,6 +1789,10 @@ void nf_conntrack_init_end(void) @@ -101792,7 +101758,7 @@ index 75421f2..054c1fc 100644 goto err_pcpu_lists; +#ifdef CONFIG_GRKERNSEC_HIDESYM -+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return_unchecked(&conntrack_cache_id)); ++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08x", atomic_inc_return_unchecked(&conntrack_cache_id)); +#else net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net); +#endif @@ -114525,10 +114491,10 @@ index 0000000..4378111 +} diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data new file mode 100644 -index 0000000..2393acc +index 0000000..386f2d1 --- /dev/null +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data -@@ -0,0 +1,5800 @@ +@@ -0,0 +1,5801 @@ +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL +compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL @@ -119795,6 +119761,7 @@ index 0000000..2393acc +btrfs_insert_dir_item_59304 btrfs_insert_dir_item 4 59304 NULL +fd_copyout_59323 fd_copyout 3 59323 NULL +read_9287_modal_eeprom_59327 read_9287_modal_eeprom 3 59327 NULL ++set_state_private_59336 set_state_private 0 59336 NULL +rx_defrag_in_process_called_read_59338 rx_defrag_in_process_called_read 3 59338 NULL +xfs_attrmulti_attr_set_59346 xfs_attrmulti_attr_set 4 59346 NULL +f2fs_fallocate_59377 f2fs_fallocate 4-3 59377 NULL diff --git a/3.15.3/4425_grsec_remove_EI_PAX.patch b/3.15.4/4425_grsec_remove_EI_PAX.patch index fc51f79..fc51f79 100644 --- a/3.15.3/4425_grsec_remove_EI_PAX.patch +++ b/3.15.4/4425_grsec_remove_EI_PAX.patch diff --git a/3.15.3/4427_force_XATTR_PAX_tmpfs.patch b/3.15.4/4427_force_XATTR_PAX_tmpfs.patch index 85766c5..85766c5 100644 --- a/3.15.3/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.15.4/4427_force_XATTR_PAX_tmpfs.patch 
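Review bot: The `CONFIG_GRKERNSEC_HIDESYM` branch in the net/netfilter/nf_conntrack_core.c hunk has no comment saying why the slab name is built from a counter while the `#else` branch formats `net` with `%p`. The corrected `%08x` specifier also relies on `atomic_inc_return_unchecked()` returning an int-sized value, and its declaration is outside this hunk, so that should be confirmed there. A one-line comment above the `#ifdef` would record the presumed intent, for example `/* HIDESYM: name the cache by a counter so the address of net never ends up in a slab name */`. The 3.2.60 patch's copy of this hunk further down changes the same line and would take the same comment. The enclosing function starts and ends outside the hunk.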
diff --git a/3.15.3/4430_grsec-remove-localversion-grsec.patch b/3.15.4/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.15.3/4430_grsec-remove-localversion-grsec.patch
+++ b/3.15.4/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.15.3/4435_grsec-mute-warnings.patch b/3.15.4/4435_grsec-mute-warnings.patch
index a685858..a685858 100644
--- a/3.15.3/4435_grsec-mute-warnings.patch
+++ b/3.15.4/4435_grsec-mute-warnings.patch
diff --git a/3.15.3/4440_grsec-remove-protected-paths.patch b/3.15.4/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.15.3/4440_grsec-remove-protected-paths.patch
+++ b/3.15.4/4440_grsec-remove-protected-paths.patch
diff --git a/3.15.3/4450_grsec-kconfig-default-gids.patch b/3.15.4/4450_grsec-kconfig-default-gids.patch
index af218a8..af218a8 100644
--- a/3.15.3/4450_grsec-kconfig-default-gids.patch
+++ b/3.15.4/4450_grsec-kconfig-default-gids.patch
diff --git a/3.15.3/4465_selinux-avc_audit-log-curr_ip.patch b/3.15.4/4465_selinux-avc_audit-log-curr_ip.patch
index fb528d0..fb528d0 100644
--- a/3.15.3/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.15.4/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.15.3/4470_disable-compat_vdso.patch b/3.15.4/4470_disable-compat_vdso.patch
index 7852848..7852848 100644
--- a/3.15.3/4470_disable-compat_vdso.patch
+++ b/3.15.4/4470_disable-compat_vdso.patch
diff --git a/3.15.3/4475_emutramp_default_on.patch b/3.15.4/4475_emutramp_default_on.patch
index cf88fd9..cf88fd9 100644
--- a/3.15.3/4475_emutramp_default_on.patch
+++ b/3.15.4/4475_emutramp_default_on.patch
diff --git a/3.2.60/0000_README b/3.2.60/0000_README
index ee22cb5..f6a6bee 100644
--- a/3.2.60/0000_README
+++ b/3.2.60/0000_README
@@ -158,7 +158,7 @@ Patch: 1059_linux-3.2.60.patch
 From: http://www.kernel.org
 Desc: Linux 3.2.60
-Patch: 4420_grsecurity-3.0-3.2.60-201407052028.patch
+Patch: 4420_grsecurity-3.0-3.2.60-201407072042.patch
From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.60/4420_grsecurity-3.0-3.2.60-201407052028.patch b/3.2.60/4420_grsecurity-3.0-3.2.60-201407072042.patch index 2ddb90d..b3267bc 100644 --- a/3.2.60/4420_grsecurity-3.0-3.2.60-201407052028.patch +++ b/3.2.60/4420_grsecurity-3.0-3.2.60-201407072042.patch @@ -22643,7 +22643,7 @@ index 6a364a6..b147d11 100644 ip = *(u64 *)(fp+8); if (!in_sched_functions(ip)) diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c -index 2dc4121..60e1086 100644 +index 2dc4121..c7c8aac 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -181,14 +181,13 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs) @@ -22665,7 +22665,28 @@ index 2dc4121..60e1086 100644 return (unsigned long)regs; } -@@ -585,7 +584,7 @@ static void ptrace_triggered(struct perf_event *bp, +@@ -449,6 +448,20 @@ static int putreg(struct task_struct *child, + if (child->thread.gs != value) + return do_arch_prctl(child, ARCH_SET_GS, value); + return 0; ++ ++ case offsetof(struct user_regs_struct,ip): ++ /* ++ * Protect against any attempt to set ip to an ++ * impossible address. There are dragons lurking if the ++ * address is noncanonical. (This explicitly allows ++ * setting ip to TASK_SIZE_MAX, because user code can do ++ * that all by itself by running off the end of its ++ * address space. ++ */ ++ if (value > TASK_SIZE_MAX) ++ return -EIO; ++ break; ++ + #endif + } + +@@ -585,7 +598,7 @@ static void ptrace_triggered(struct perf_event *bp, static unsigned long ptrace_get_dr7(struct perf_event *bp[]) { int i; @@ -22674,7 +22695,7 @@ index 2dc4121..60e1086 100644 struct arch_hw_breakpoint *info; for (i = 0; i < HBP_NUM; i++) { -@@ -852,7 +851,7 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -852,7 +865,7 @@ long arch_ptrace(struct task_struct *child, long request, unsigned long addr, unsigned long data) { int ret; 
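Review bot: The comment in the new `ip` case of `putreg()` (the arch/x86/kernel/ptrace.c hunk of the 3.2.60 patch) opens a parenthesis at "(This explicitly allows" and never closes it, and "dragons" does not tell a maintainer what the bound protects. I would close the parenthesis after "address space." and replace the dragons sentence with a concrete one, for example `* A noncanonical ip must never reach the return-to-user path.`, worded to whatever hazard the author has in mind. The case sits just before the `#endif` visible in the hunk, so the check appears to be compiled only for the 64-bit build, and it bounds only writes that go through `putreg()`. Whether other writers of the saved ip are bounded cannot be seen from here, and `putreg()` itself starts and ends outside the hunk.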
@@ -22683,7 +22704,7 @@ index 2dc4121..60e1086 100644 switch (request) { /* read the word at location addr in the USER area. */ -@@ -937,14 +936,14 @@ long arch_ptrace(struct task_struct *child, long request, +@@ -937,14 +950,14 @@ long arch_ptrace(struct task_struct *child, long request, if ((int) addr < 0) return -EIO; ret = do_get_thread_area(child, addr, @@ -22700,7 +22721,7 @@ index 2dc4121..60e1086 100644 break; #endif -@@ -1229,7 +1228,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, +@@ -1229,7 +1242,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request, #ifdef CONFIG_X86_64 @@ -22709,7 +22730,7 @@ index 2dc4121..60e1086 100644 [REGSET_GENERAL] = { .core_note_type = NT_PRSTATUS, .n = sizeof(struct user_regs_struct) / sizeof(long), -@@ -1273,7 +1272,7 @@ static const struct user_regset_view user_x86_64_view = { +@@ -1273,7 +1286,7 @@ static const struct user_regset_view user_x86_64_view = { #endif /* CONFIG_X86_64 */ #if defined CONFIG_X86_32 || defined CONFIG_IA32_EMULATION @@ -22718,7 +22739,7 @@ index 2dc4121..60e1086 100644 [REGSET_GENERAL] = { .core_note_type = NT_PRSTATUS, .n = sizeof(struct user_regs_struct32) / sizeof(u32), -@@ -1326,7 +1325,7 @@ static const struct user_regset_view user_x86_32_view = { +@@ -1326,7 +1339,7 @@ static const struct user_regset_view user_x86_32_view = { */ u64 xstate_fx_sw_bytes[USER_XSTATE_FX_SW_WORDS]; @@ -22727,7 +22748,7 @@ index 2dc4121..60e1086 100644 { #ifdef CONFIG_X86_64 x86_64_regsets[REGSET_XSTATE].n = size / sizeof(u64); -@@ -1361,7 +1360,7 @@ static void fill_sigtrap_info(struct task_struct *tsk, +@@ -1361,7 +1374,7 @@ static void fill_sigtrap_info(struct task_struct *tsk, memset(info, 0, sizeof(*info)); info->si_signo = SIGTRAP; info->si_code = si_code; 
@@ -22736,7 +22757,7 @@ index 2dc4121..60e1086 100644 } void user_single_step_siginfo(struct task_struct *tsk, -@@ -1390,6 +1389,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, +@@ -1390,6 +1403,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, # define IS_IA32 0 #endif @@ -22747,7 +22768,7 @@ index 2dc4121..60e1086 100644 /* * We must return the syscall number to actually look up in the table. * This can be -1L to skip running any syscall at all. -@@ -1398,6 +1401,11 @@ long syscall_trace_enter(struct pt_regs *regs) +@@ -1398,6 +1415,11 @@ long syscall_trace_enter(struct pt_regs *regs) { long ret = 0; @@ -22759,7 +22780,7 @@ index 2dc4121..60e1086 100644 /* * If we stepped into a sysenter/syscall insn, it trapped in * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP. -@@ -1409,7 +1417,11 @@ long syscall_trace_enter(struct pt_regs *regs) +@@ -1409,7 +1431,11 @@ long syscall_trace_enter(struct pt_regs *regs) regs->flags |= X86_EFLAGS_TF; /* do the secure computing check first */ @@ -22772,7 +22793,7 @@ index 2dc4121..60e1086 100644 if (unlikely(test_thread_flag(TIF_SYSCALL_EMU))) ret = -1L; -@@ -1436,6 +1448,7 @@ long syscall_trace_enter(struct pt_regs *regs) +@@ -1436,6 +1462,7 @@ long syscall_trace_enter(struct pt_regs *regs) #endif } @@ -22780,7 +22801,7 @@ index 2dc4121..60e1086 100644 return ret ?: regs->orig_ax; } -@@ -1443,6 +1456,11 @@ void syscall_trace_leave(struct pt_regs *regs) +@@ -1443,6 +1470,11 @@ void syscall_trace_leave(struct pt_regs *regs) { bool step; @@ -104860,7 +104881,7 @@ index 369df3f..b660190 100644 table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table), GFP_KERNEL); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c -index 7489bd3..5f4df88 100644 +index 7489bd3..b7a282c 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1491,6 +1491,10 @@ err_proto: 
@@ -104879,7 +104900,7 @@ index 7489bd3..5f4df88 100644 } +#ifdef CONFIG_GRKERNSEC_HIDESYM -+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08lx", atomic_inc_return_unchecked(&conntrack_cache_id)); ++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08x", atomic_inc_return_unchecked(&conntrack_cache_id)); +#else net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net); +#endif |