authorAnthony G. Basile <basile@opensource.dyc.edu>2010-12-06 16:38:40 -0500
committerAnthony G. Basile <basile@opensource.dyc.edu>2010-12-06 16:38:40 -0500
commit0b1485dae5c19fb86c11b2669f1e80858bf18708 (patch)
tree2cd43e497b43ef82040a70d99290f3d53f588205 /2.6.32
parentUpdate Grsec/PaX (diff)
Update Grsec/PaX20101204
2.2.1-2.6.32.26-201012040057 against 2.6.32.26 2.2.1-2.6.36.1-201012040057 against 2.6.36.1
Diffstat (limited to '2.6.32')
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201012040057.patch (renamed from 2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201011280939.patch)390
-rw-r--r--2.6.32/4425_grsec-pax-without-grsec.patch8
3 files changed, 298 insertions, 102 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index e3e4d2b..4fd61af 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.1-2.6.32.26-201011280939.patch
+Patch: 4420_grsecurity-2.2.1-2.6.32.26-201012040057.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201011280939.patch b/2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201012040057.patch
index 32c1449..fa46077 100644
--- a/2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201011280939.patch
+++ b/2.6.32/4420_grsecurity-2.2.1-2.6.32.26-201012040057.patch
@@ -20899,7 +20899,7 @@ diff -urNp linux-2.6.32.26/block/blk-iopoll.c linux-2.6.32.26/block/blk-iopoll.c
int rearm = 0, budget = blk_iopoll_budget;
diff -urNp linux-2.6.32.26/block/blk-map.c linux-2.6.32.26/block/blk-map.c
--- linux-2.6.32.26/block/blk-map.c 2010-08-13 16:24:37.000000000 -0400
-+++ linux-2.6.32.26/block/blk-map.c 2010-11-11 18:23:36.000000000 -0500
++++ linux-2.6.32.26/block/blk-map.c 2010-12-04 00:12:35.000000000 -0500
@@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
* direct dma. else, set up kernel bounce buffers
*/
@@ -20909,16 +20909,17 @@ diff -urNp linux-2.6.32.26/block/blk-map.c linux-2.6.32.26/block/blk-map.c
bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
else
bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
-@@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_q
- unaligned = 1;
- break;
- }
+@@ -201,6 +201,9 @@ int blk_rq_map_user_iov(struct request_q
+ for (i = 0; i < iov_count; i++) {
+ unsigned long uaddr = (unsigned long)iov[i].iov_base;
+
+ if (!iov[i].iov_len)
+ return -EINVAL;
- }
-
- if (unaligned || (q->dma_pad_mask & len) || map_data)
-@@ -297,7 +299,7 @@ int blk_rq_map_kern(struct request_queue
++
+ if (uaddr & queue_dma_alignment(q)) {
+ unaligned = 1;
+ break;
+@@ -297,7 +300,7 @@ int blk_rq_map_kern(struct request_queue
if (!len || !kbuf)
return -EINVAL;
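Review bot: In the reworked loop of blk_rq_map_user_iov() the `break` on the first unaligned segment still ends the scan, so a later entry with `iov[i].iov_len == 0` is never rejected. Moving the length check to the top of the loop body only covers segments up to and including the first unaligned one. Dropping the `break` and keeping just `unaligned = 1;` would let every segment's length be validated before the mapping or bounce-copy path runs. The rest of the loop and the function lie outside the hunk.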
@@ -26430,6 +26431,39 @@ diff -urNp linux-2.6.32.26/drivers/infiniband/core/sysfs.c linux-2.6.32.26/drive
.show = port_attr_show
};
+diff -urNp linux-2.6.32.26/drivers/infiniband/core/uverbs_marshall.c linux-2.6.32.26/drivers/infiniband/core/uverbs_marshall.c
+--- linux-2.6.32.26/drivers/infiniband/core/uverbs_marshall.c 2010-08-13 16:24:37.000000000 -0400
++++ linux-2.6.32.26/drivers/infiniband/core/uverbs_marshall.c 2010-12-04 00:09:12.000000000 -0500
+@@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u
+ dst->grh.sgid_index = src->grh.sgid_index;
+ dst->grh.hop_limit = src->grh.hop_limit;
+ dst->grh.traffic_class = src->grh.traffic_class;
++ memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
+ dst->dlid = src->dlid;
+ dst->sl = src->sl;
+ dst->src_path_bits = src->src_path_bits;
+ dst->static_rate = src->static_rate;
+ dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0;
+ dst->port_num = src->port_num;
++ dst->reserved = 0;
+ }
+ EXPORT_SYMBOL(ib_copy_ah_attr_to_user);
+
+ void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst,
+ struct ib_qp_attr *src)
+ {
++ dst->qp_state = src->qp_state;
+ dst->cur_qp_state = src->cur_qp_state;
+ dst->path_mtu = src->path_mtu;
+ dst->path_mig_state = src->path_mig_state;
+@@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u
+ dst->rnr_retry = src->rnr_retry;
+ dst->alt_port_num = src->alt_port_num;
+ dst->alt_timeout = src->alt_timeout;
++ memset(dst->reserved, 0, sizeof(dst->reserved));
+ }
+ EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
+
diff -urNp linux-2.6.32.26/drivers/input/keyboard/atkbd.c linux-2.6.32.26/drivers/input/keyboard/atkbd.c
--- linux-2.6.32.26/drivers/input/keyboard/atkbd.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.26/drivers/input/keyboard/atkbd.c 2010-10-23 19:59:20.000000000 -0400
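Review bot: Zeroing the `reserved` members one by one in ib_copy_ah_attr_to_user() and ib_copy_qp_attr_to_user() leaves any compiler padding in the destination structs untouched, and a member added later can be missed the same way `qp_state` was. If these structs are copied out to user space, as the function names suggest (the callers are not visible here), a single `memset(dst, 0, sizeof(*dst));` at the top of each function would cover reserved fields, padding and future members at once. Failing that, a comment such as `/* dst is handed to user space: clear everything not explicitly assigned */` next to the memsets would record why they exist. The middle of ib_copy_qp_attr_to_user() is outside the hunk.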
@@ -31934,7 +31968,7 @@ diff -urNp linux-2.6.32.26/fs/compat_binfmt_elf.c linux-2.6.32.26/fs/compat_binf
/*
diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c
--- linux-2.6.32.26/fs/compat.c 2010-08-13 16:24:37.000000000 -0400
-+++ linux-2.6.32.26/fs/compat.c 2010-11-06 18:27:12.000000000 -0400
++++ linux-2.6.32.26/fs/compat.c 2010-12-04 00:28:11.000000000 -0500
@@ -1098,7 +1098,7 @@ static ssize_t compat_do_readv_writev(in
* verify all the pointers
*/
@@ -31944,22 +31978,51 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c
goto out;
if (!file->f_op)
goto out;
-@@ -1410,14 +1410,12 @@ static int compat_copy_strings(int argc,
+@@ -1353,6 +1353,10 @@ static int compat_count(compat_uptr_t __
+ argv++;
+ if (i++ >= max)
+ return -E2BIG;
++
++ if (fatal_signal_pending(current))
++ return -ERESTARTNOHAND;
++ cond_resched();
+ }
+ }
+ return i;
+@@ -1394,6 +1398,12 @@ static int compat_copy_strings(int argc,
+ while (len > 0) {
+ int offset, bytes_to_copy;
+
++ if (fatal_signal_pending(current)) {
++ ret = -ERESTARTNOHAND;
++ goto out;
++ }
++ cond_resched();
++
+ offset = pos % PAGE_SIZE;
+ if (offset == 0)
+ offset = PAGE_SIZE;
+@@ -1410,17 +1420,8 @@ static int compat_copy_strings(int argc,
if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
struct page *page;
-#ifdef CONFIG_STACK_GROWSUP
- ret = expand_stack_downwards(bprm->vma, pos);
- if (ret < 0) {
+- ret = expand_stack_downwards(bprm->vma, pos);
+- if (ret < 0) {
+- /* We've exceed the stack rlimit. */
+- ret = -E2BIG;
+- goto out;
+- }
+-#endif
+- ret = get_user_pages(current, bprm->mm, pos,
+- 1, 1, 1, &page, NULL);
+- if (ret <= 0) {
++ page = get_arg_page(bprm, pos, 1);
++ if (!page) {
/* We've exceed the stack rlimit. */
ret = -E2BIG;
goto out;
- }
--#endif
- ret = get_user_pages(current, bprm->mm, pos,
- 1, 1, 1, &page, NULL);
- if (ret <= 0) {
-@@ -1463,6 +1461,11 @@ int compat_do_execve(char * filename,
+@@ -1463,6 +1464,11 @@ int compat_do_execve(char * filename,
compat_uptr_t __user *envp,
struct pt_regs * regs)
{
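Review bot: The `fatal_signal_pending()` / `cond_resched()` pairs added to the loops in compat_count() and compat_copy_strings() carry no comment saying why an argument-copy loop needs them. Something like `/* argv/envp can be very large: stay killable and yield while walking them */` above each pair would document the intent. Separately, the retained comment "We've exceed the stack rlimit" now sits on the `!page` branch of `get_arg_page()`, which may fail for reasons other than the rlimit (its body is only partly visible on this page), so that comment is worth softening. Both functions start and end outside the hunk.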
@@ -31971,7 +32034,7 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1499,6 +1502,14 @@ int compat_do_execve(char * filename,
+@@ -1499,6 +1505,14 @@ int compat_do_execve(char * filename,
bprm->filename = filename;
bprm->interp = filename;
@@ -31986,7 +32049,7 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1528,9 +1539,40 @@ int compat_do_execve(char * filename,
+@@ -1528,9 +1542,40 @@ int compat_do_execve(char * filename,
if (retval < 0)
goto out;
@@ -32028,7 +32091,7 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c
/* execve succeeded */
current->fs->in_exec = 0;
-@@ -1541,6 +1583,14 @@ int compat_do_execve(char * filename,
+@@ -1541,9 +1586,19 @@ int compat_do_execve(char * filename,
put_files_struct(displaced);
return retval;
@@ -32041,8 +32104,14 @@ diff -urNp linux-2.6.32.26/fs/compat.c linux-2.6.32.26/fs/compat.c
+#endif
+
out:
- if (bprm->mm)
+- if (bprm->mm)
++ if (bprm->mm) {
++ acct_arg_size(bprm, 0);
mmput(bprm->mm);
++ }
+
+ out_file:
+ if (bprm->file) {
diff -urNp linux-2.6.32.26/fs/compat_ioctl.c linux-2.6.32.26/fs/compat_ioctl.c
--- linux-2.6.32.26/fs/compat_ioctl.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.26/fs/compat_ioctl.c 2010-10-23 19:59:24.000000000 -0400
@@ -32121,7 +32190,7 @@ diff -urNp linux-2.6.32.26/fs/ecryptfs/inode.c linux-2.6.32.26/fs/ecryptfs/inode
goto out_free;
diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
--- linux-2.6.32.26/fs/exec.c 2010-10-31 16:44:11.000000000 -0400
-+++ linux-2.6.32.26/fs/exec.c 2010-10-23 19:59:20.000000000 -0400
++++ linux-2.6.32.26/fs/exec.c 2010-12-04 00:51:17.000000000 -0500
@@ -56,12 +56,24 @@
#include <linux/fsnotify.h>
#include <linux/fs_struct.h>
@@ -32156,7 +32225,25 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
MAY_READ | MAY_EXEC | MAY_OPEN);
putname(tmp);
error = PTR_ERR(file);
-@@ -163,18 +175,10 @@ static struct page *get_arg_page(struct
+@@ -159,28 +171,35 @@ out:
+
+ #ifdef CONFIG_MMU
+
+-static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
++void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++{
++ struct mm_struct *mm = current->mm;
++ long diff = (long)(pages - bprm->vma_pages);
++
++ if (!mm || !diff)
++ return;
++
++ bprm->vma_pages = pages;
++
++ add_mm_counter(mm, anon_rss, diff);
++}
++
++struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
int write)
{
struct page *page;
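Review bot: acct_arg_size() charges the argument pages to `current->mm` rather than `bprm->mm`, and nothing in the new code says why. From the call sites added in this update, it looks as if the pages of the not-yet-installed mm are temporarily accounted to the calling task and released again with `acct_arg_size(bprm, 0)` on the `out:` path and before `exec_mmap()`. A header comment stating that, and that `bprm->vma_pages` records the amount currently charged, would stop a later reader from "correcting" it to `bprm->mm`. Both this function and get_arg_page() also lose `static` here, so the same explanation belongs beside the new `extern` declarations and the `vma_pages` field in binfmts.h.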
@@ -32178,7 +32265,15 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
return NULL;
if (write) {
-@@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
+ unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
+ struct rlimit *rlim;
+
++ acct_arg_size(bprm, size / PAGE_SIZE);
++
+ /*
+ * We've historically supported up to 32 pages (ARG_MAX)
+ * of argument strings even with small stacks
+@@ -246,6 +265,11 @@ static int __bprm_mm_init(struct linux_b
vma->vm_end = STACK_TOP_MAX;
vma->vm_start = vma->vm_end - PAGE_SIZE;
vma->vm_flags = VM_STACK_FLAGS;
@@ -32190,7 +32285,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
err = insert_vm_struct(mm, vma);
if (err)
-@@ -254,6 +263,12 @@ static int __bprm_mm_init(struct linux_b
+@@ -254,6 +278,12 @@ static int __bprm_mm_init(struct linux_b
mm->stack_vm = mm->total_vm = 1;
up_write(&mm->mmap_sem);
bprm->p = vma->vm_end - sizeof(void *);
@@ -32203,7 +32298,20 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
return 0;
err:
up_write(&mm->mmap_sem);
-@@ -484,7 +499,7 @@ int copy_strings_kernel(int argc,char **
+@@ -269,7 +299,11 @@ static bool valid_arg_len(struct linux_b
+
+ #else
+
+-static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
++void acct_arg_size(struct linux_binprm *bprm, unsigned long pages)
++{
++}
++
++struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
+ int write)
+ {
+ struct page *page;
+@@ -484,7 +518,7 @@ int copy_strings_kernel(int argc,char **
int r;
mm_segment_t oldfs = get_fs();
set_fs(KERNEL_DS);
@@ -32212,7 +32320,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
set_fs(oldfs);
return r;
}
-@@ -514,7 +529,8 @@ static int shift_arg_pages(struct vm_are
+@@ -514,7 +548,8 @@ static int shift_arg_pages(struct vm_are
unsigned long new_end = old_end - shift;
struct mmu_gather *tlb;
@@ -32222,7 +32330,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
/*
* ensure there are no vmas between where we want to go
-@@ -523,6 +539,10 @@ static int shift_arg_pages(struct vm_are
+@@ -523,6 +558,10 @@ static int shift_arg_pages(struct vm_are
if (vma != find_vma(mm, new_start))
return -EFAULT;
@@ -32233,7 +32341,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
/*
* cover the whole range: [new_start, old_end)
*/
-@@ -603,11 +623,6 @@ int setup_arg_pages(struct linux_binprm
+@@ -603,11 +642,6 @@ int setup_arg_pages(struct linux_binprm
#else
stack_top = arch_align_stack(stack_top);
stack_top = PAGE_ALIGN(stack_top);
@@ -32245,7 +32353,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
stack_shift = vma->vm_end - stack_top;
bprm->p -= stack_shift;
-@@ -619,6 +634,14 @@ int setup_arg_pages(struct linux_binprm
+@@ -619,6 +653,14 @@ int setup_arg_pages(struct linux_binprm
bprm->exec -= stack_shift;
down_write(&mm->mmap_sem);
@@ -32260,7 +32368,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
vm_flags = VM_STACK_FLAGS;
/*
-@@ -632,19 +655,24 @@ int setup_arg_pages(struct linux_binprm
+@@ -632,19 +674,24 @@ int setup_arg_pages(struct linux_binprm
vm_flags &= ~VM_EXEC;
vm_flags |= mm->def_flags;
@@ -32292,7 +32400,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
stack_size = vma->vm_end - vma->vm_start;
/*
-@@ -681,7 +709,7 @@ struct file *open_exec(const char *name)
+@@ -681,7 +728,7 @@ struct file *open_exec(const char *name)
int err;
file = do_filp_open(AT_FDCWD, name,
@@ -32301,7 +32409,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
MAY_EXEC | MAY_OPEN);
if (IS_ERR(file))
goto out;
-@@ -718,7 +746,7 @@ int kernel_read(struct file *file, loff_
+@@ -718,7 +765,7 @@ int kernel_read(struct file *file, loff_
old_fs = get_fs();
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
@@ -32310,7 +32418,15 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
set_fs(old_fs);
return result;
}
-@@ -1124,7 +1152,7 @@ int check_unsafe_exec(struct linux_binpr
+@@ -976,6 +1023,7 @@ int flush_old_exec(struct linux_binprm *
+ /*
+ * Release all of the old mmap stuff
+ */
++ acct_arg_size(bprm, 0);
+ retval = exec_mmap(bprm->mm);
+ if (retval)
+ goto out;
+@@ -1124,7 +1172,7 @@ int check_unsafe_exec(struct linux_binpr
}
rcu_read_unlock();
@@ -32319,7 +32435,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1323,6 +1351,11 @@ int do_execve(char * filename,
+@@ -1323,6 +1371,11 @@ int do_execve(char * filename,
char __user *__user *envp,
struct pt_regs * regs)
{
@@ -32331,7 +32447,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1359,6 +1392,18 @@ int do_execve(char * filename,
+@@ -1359,6 +1412,18 @@ int do_execve(char * filename,
bprm->filename = filename;
bprm->interp = filename;
@@ -32350,7 +32466,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1388,10 +1433,41 @@ int do_execve(char * filename,
+@@ -1388,10 +1453,41 @@ int do_execve(char * filename,
if (retval < 0)
goto out;
@@ -32393,7 +32509,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
/* execve succeeded */
current->fs->in_exec = 0;
-@@ -1402,6 +1478,14 @@ int do_execve(char * filename,
+@@ -1402,9 +1498,19 @@ int do_execve(char * filename,
put_files_struct(displaced);
return retval;
@@ -32406,9 +32522,15 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
+#endif
+
out:
- if (bprm->mm)
+- if (bprm->mm)
++ if (bprm->mm) {
++ acct_arg_size(bprm, 0);
mmput (bprm->mm);
-@@ -1565,6 +1649,217 @@ out:
++ }
+
+ out_file:
+ if (bprm->file) {
+@@ -1565,6 +1671,217 @@ out:
return ispipe;
}
@@ -32626,7 +32748,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
static int zap_process(struct task_struct *start)
{
struct task_struct *t;
-@@ -1767,17 +2062,17 @@ static void wait_for_dump_helpers(struct
+@@ -1767,17 +2084,17 @@ static void wait_for_dump_helpers(struct
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -32649,7 +32771,7 @@ diff -urNp linux-2.6.32.26/fs/exec.c linux-2.6.32.26/fs/exec.c
pipe_unlock(pipe);
}
-@@ -1848,6 +2143,10 @@ void do_coredump(long signr, int exit_co
+@@ -1848,6 +2165,10 @@ void do_coredump(long signr, int exit_co
*/
clear_thread_flag(TIF_SIGPENDING);
@@ -33495,7 +33617,7 @@ diff -urNp linux-2.6.32.26/fs/locks.c linux-2.6.32.26/fs/locks.c
lock_kernel();
diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
--- linux-2.6.32.26/fs/namei.c 2010-08-13 16:24:37.000000000 -0400
-+++ linux-2.6.32.26/fs/namei.c 2010-11-20 13:52:05.000000000 -0500
++++ linux-2.6.32.26/fs/namei.c 2010-12-04 00:54:11.000000000 -0500
@@ -224,14 +224,6 @@ int generic_permission(struct inode *ino
return ret;
@@ -33578,7 +33700,28 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
path_put(&nd->path);
return_err:
return err;
-@@ -1621,12 +1636,19 @@ static int __open_namei_create(struct na
+@@ -1576,6 +1591,20 @@ int may_open(struct path *path, int acc_
+ if (error)
+ goto err_out;
+
++
++ if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
++ error = -EPERM;
++ goto err_out;
++ }
++ if (gr_handle_rawio(inode)) {
++ error = -EPERM;
++ goto err_out;
++ }
++ if (!gr_acl_handle_open(dentry, path->mnt, flag)) {
++ error = -EACCES;
++ goto err_out;
++ }
++
+ if (flag & O_TRUNC) {
+ error = get_write_access(inode);
+ if (error)
+@@ -1621,12 +1650,19 @@ static int __open_namei_create(struct na
int error;
struct dentry *dir = nd->path.dentry;
@@ -33598,7 +33741,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
out_unlock:
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
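Review bot: The three gr_* checks added to may_open() have no comment, while the companion change in do_last explains that only the FIFO check stays on the O_CREAT path. A one-line comment here, e.g. `/* grsec open checks live in may_open() so they apply to opens that do not go through the O_CREAT path */`, would make the placement self-explanatory (confirm the wording against the actual callers). The block also opens with two consecutive blank added lines where one is enough. `dentry` and `inode` are declared outside the hunk.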
-@@ -1709,6 +1731,22 @@ struct file *do_filp_open(int dfd, const
+@@ -1709,6 +1745,22 @@ struct file *do_filp_open(int dfd, const
&nd, flag);
if (error)
return ERR_PTR(error);
@@ -33621,24 +33764,14 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
goto ok;
}
-@@ -1795,6 +1833,24 @@ do_last:
+@@ -1795,6 +1847,14 @@ do_last:
/*
* It already exists.
*/
+
-+ if (gr_handle_rofs_blockwrite(path.dentry, nd.path.mnt, acc_mode)) {
-+ error = -EPERM;
-+ goto exit_mutex_unlock;
-+ }
-+ if (gr_handle_rawio(path.dentry->d_inode)) {
-+ error = -EPERM;
-+ goto exit_mutex_unlock;
-+ }
-+ if (!gr_acl_handle_open(path.dentry, nd.path.mnt, flag)) {
-+ error = -EACCES;
-+ goto exit_mutex_unlock;
-+ }
-+ if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
++ /* only check if O_CREAT is specified, all other checks need
++ to go into may_open */
++ if (gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)) {
+ error = -EACCES;
+ goto exit_mutex_unlock;
+ }
@@ -33646,7 +33779,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path.dentry);
-@@ -1887,6 +1943,13 @@ do_link:
+@@ -1887,6 +1947,13 @@ do_link:
error = security_inode_follow_link(path.dentry, &nd);
if (error)
goto exit_dput;
@@ -33660,7 +33793,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
error = __do_follow_link(&path, &nd);
if (error) {
/* Does someone understand code flow here? Or it is only
-@@ -2061,6 +2124,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
+@@ -2061,6 +2128,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
error = may_mknod(mode);
if (error)
goto out_dput;
@@ -33678,7 +33811,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2081,6 +2155,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
+@@ -2081,6 +2159,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
}
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -33688,7 +33821,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
out_dput:
dput(dentry);
out_unlock:
-@@ -2134,6 +2211,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
+@@ -2134,6 +2215,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
if (IS_ERR(dentry))
goto out_unlock;
@@ -33700,7 +33833,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
if (!IS_POSIXACL(nd.path.dentry->d_inode))
mode &= ~current_umask();
error = mnt_want_write(nd.path.mnt);
-@@ -2145,6 +2227,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
+@@ -2145,6 +2231,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
out_drop_write:
mnt_drop_write(nd.path.mnt);
@@ -33711,7 +33844,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
out_dput:
dput(dentry);
out_unlock:
-@@ -2226,6 +2312,8 @@ static long do_rmdir(int dfd, const char
+@@ -2226,6 +2316,8 @@ static long do_rmdir(int dfd, const char
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -33720,7 +33853,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2250,6 +2338,19 @@ static long do_rmdir(int dfd, const char
+@@ -2250,6 +2342,19 @@ static long do_rmdir(int dfd, const char
error = PTR_ERR(dentry);
if (IS_ERR(dentry))
goto exit2;
@@ -33740,7 +33873,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2257,6 +2358,8 @@ static long do_rmdir(int dfd, const char
+@@ -2257,6 +2362,8 @@ static long do_rmdir(int dfd, const char
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -33749,7 +33882,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2318,6 +2421,8 @@ static long do_unlinkat(int dfd, const c
+@@ -2318,6 +2425,8 @@ static long do_unlinkat(int dfd, const c
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -33758,7 +33891,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2337,8 +2442,19 @@ static long do_unlinkat(int dfd, const c
+@@ -2337,8 +2446,19 @@ static long do_unlinkat(int dfd, const c
if (nd.last.name[nd.last.len])
goto slashes;
inode = dentry->d_inode;
@@ -33779,7 +33912,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2346,6 +2462,8 @@ static long do_unlinkat(int dfd, const c
+@@ -2346,6 +2466,8 @@ static long do_unlinkat(int dfd, const c
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -33788,7 +33921,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2424,6 +2542,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
+@@ -2424,6 +2546,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
if (IS_ERR(dentry))
goto out_unlock;
@@ -33800,7 +33933,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2431,6 +2554,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
+@@ -2431,6 +2558,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
if (error)
goto out_drop_write;
error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
@@ -33809,7 +33942,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2524,6 +2649,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
+@@ -2524,6 +2653,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out_unlock;
@@ -33830,7 +33963,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
error = mnt_want_write(nd.path.mnt);
if (error)
goto out_dput;
-@@ -2531,6 +2670,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
+@@ -2531,6 +2674,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
if (error)
goto out_drop_write;
error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
@@ -33839,7 +33972,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
out_drop_write:
mnt_drop_write(nd.path.mnt);
out_dput:
-@@ -2764,6 +2905,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -2764,6 +2909,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
if (new_dentry == trap)
goto exit5;
@@ -33852,7 +33985,7 @@ diff -urNp linux-2.6.32.26/fs/namei.c linux-2.6.32.26/fs/namei.c
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -2773,6 +2920,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
+@@ -2773,6 +2924,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -36137,7 +36270,7 @@ diff -urNp linux-2.6.32.26/fs/utimes.c linux-2.6.32.26/fs/utimes.c
mutex_unlock(&inode->i_mutex);
diff -urNp linux-2.6.32.26/fs/xattr.c linux-2.6.32.26/fs/xattr.c
--- linux-2.6.32.26/fs/xattr.c 2010-08-13 16:24:37.000000000 -0400
-+++ linux-2.6.32.26/fs/xattr.c 2010-11-28 09:38:51.000000000 -0500
++++ linux-2.6.32.26/fs/xattr.c 2010-12-02 18:29:05.000000000 -0500
@@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
* Extended attribute SET operations
*/
@@ -36147,21 +36280,22 @@ diff -urNp linux-2.6.32.26/fs/xattr.c linux-2.6.32.26/fs/xattr.c
size_t size, int flags)
{
int error;
-@@ -271,7 +271,12 @@ setxattr(struct dentry *d, const char __
+@@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
return PTR_ERR(kvalue);
}
- error = vfs_setxattr(d, kname, kvalue, size, flags);
-+ error = 0;
-+ if (!gr_acl_handle_setxattr(path->dentry, path->mnt))
++ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
+ error = -EACCES;
++ goto out;
++ }
+
-+ if (!error)
-+ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
++ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
++out:
kfree(kvalue);
return error;
}
-@@ -288,7 +293,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
+@@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
return error;
error = mnt_want_write(path.mnt);
if (!error) {
@@ -36170,7 +36304,7 @@ diff -urNp linux-2.6.32.26/fs/xattr.c linux-2.6.32.26/fs/xattr.c
mnt_drop_write(path.mnt);
}
path_put(&path);
-@@ -307,7 +312,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
+@@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
return error;
error = mnt_want_write(path.mnt);
if (!error) {
@@ -36179,7 +36313,7 @@ diff -urNp linux-2.6.32.26/fs/xattr.c linux-2.6.32.26/fs/xattr.c
mnt_drop_write(path.mnt);
}
path_put(&path);
-@@ -318,17 +323,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
+@@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
const void __user *,value, size_t, size, int, flags)
{
struct file *f;
@@ -46585,8 +46719,27 @@ diff -urNp linux-2.6.32.26/include/linux/backlight.h linux-2.6.32.26/include/lin
enum backlight_update_reason reason);
diff -urNp linux-2.6.32.26/include/linux/binfmts.h linux-2.6.32.26/include/linux/binfmts.h
--- linux-2.6.32.26/include/linux/binfmts.h 2010-08-13 16:24:37.000000000 -0400
-+++ linux-2.6.32.26/include/linux/binfmts.h 2010-10-23 19:59:20.000000000 -0400
-@@ -78,6 +78,7 @@ struct linux_binfmt {
++++ linux-2.6.32.26/include/linux/binfmts.h 2010-12-04 00:29:58.000000000 -0500
+@@ -29,6 +29,7 @@ struct linux_binprm{
+ char buf[BINPRM_BUF_SIZE];
+ #ifdef CONFIG_MMU
+ struct vm_area_struct *vma;
++ unsigned long vma_pages;
+ #else
+ # define MAX_ARG_PAGES 32
+ struct page *page[MAX_ARG_PAGES];
+@@ -59,6 +60,10 @@ struct linux_binprm{
+ unsigned long loader, exec;
+ };
+
++extern void acct_arg_size(struct linux_binprm *bprm, unsigned long pages);
++extern struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
++ int write);
++
+ #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
+ #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)
+
+@@ -78,6 +83,7 @@ struct linux_binfmt {
int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
int (*load_shlib)(struct file *);
int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
@@ -50545,7 +50698,7 @@ diff -urNp linux-2.6.32.26/kernel/cred.c linux-2.6.32.26/kernel/cred.c
old->egid != new->egid ||
diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c
--- linux-2.6.32.26/kernel/exit.c 2010-09-26 17:26:05.000000000 -0400
-+++ linux-2.6.32.26/kernel/exit.c 2010-10-23 19:59:20.000000000 -0400
++++ linux-2.6.32.26/kernel/exit.c 2010-12-04 00:19:54.000000000 -0500
@@ -56,6 +56,10 @@
#include <asm/mmu_context.h>
#include "cred-internals.h"
@@ -50557,7 +50710,22 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c
static void exit_mm(struct task_struct * tsk);
static void __unhash_process(struct task_struct *p)
-@@ -167,6 +171,8 @@ void release_task(struct task_struct * p
+@@ -92,6 +96,14 @@ static void __exit_signal(struct task_st
+ posix_cpu_timers_exit_group(tsk);
+ else {
+ /*
++ * This can only happen if the caller is de_thread().
++ * FIXME: this is the temporary hack, we should teach
++ * posix-cpu-timers to handle this case correctly.
++ */
++ if (unlikely(has_group_leader_pid(tsk)))
++ posix_cpu_timers_exit_group(tsk);
++
++ /*
+ * If there is any task waiting for the group exit
+ * then notify it:
+ */
+@@ -167,6 +179,8 @@ void release_task(struct task_struct * p
struct task_struct *leader;
int zap_leader;
repeat:
@@ -50566,7 +50734,7 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c
tracehook_prepare_release_task(p);
/* don't need to get the RCU readlock here - the process is dead and
* can't be modifying its own credentials */
-@@ -334,11 +340,22 @@ static void reparent_to_kthreadd(void)
+@@ -334,11 +348,22 @@ static void reparent_to_kthreadd(void)
{
write_lock_irq(&tasklist_lock);
@@ -50589,7 +50757,7 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c
/* Set the exit signal to SIGCHLD so we signal init on exit */
current->exit_signal = SIGCHLD;
-@@ -390,7 +407,7 @@ int allow_signal(int sig)
+@@ -390,7 +415,7 @@ int allow_signal(int sig)
* know it'll be handled, so that they don't get converted to
* SIGKILL or just silently dropped.
*/
@@ -50598,7 +50766,7 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c
recalc_sigpending();
spin_unlock_irq(&current->sighand->siglock);
return 0;
-@@ -426,6 +443,17 @@ void daemonize(const char *name, ...)
+@@ -426,6 +451,17 @@ void daemonize(const char *name, ...)
vsnprintf(current->comm, sizeof(current->comm), name, args);
va_end(args);
@@ -50616,7 +50784,23 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c
/*
* If we were started as result of loading a module, close all of the
* user space pages. We don't need them, and if we didn't close them
-@@ -957,6 +985,9 @@ NORET_TYPE void do_exit(long code)
+@@ -899,6 +935,15 @@ NORET_TYPE void do_exit(long code)
+ if (unlikely(!tsk->pid))
+ panic("Attempted to kill the idle task!");
+
++ /*
++ * If do_exit is called because this processes oopsed, it's possible
++ * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
++ * continuing. Amongst other possible reasons, this is to prevent
++ * mm_release()->clear_child_tid() from writing to a user-controlled
++ * kernel address.
++ */
++ set_fs(USER_DS);
++
+ tracehook_report_exit(&code);
+
+ validate_creds_for_do_exit(tsk);
+@@ -957,6 +1002,9 @@ NORET_TYPE void do_exit(long code)
tsk->exit_code = code;
taskstats_exit(tsk, group_dead);
@@ -50626,7 +50810,7 @@ diff -urNp linux-2.6.32.26/kernel/exit.c linux-2.6.32.26/kernel/exit.c
exit_mm(tsk);
if (group_dead)
-@@ -1172,7 +1203,7 @@ static int wait_task_zombie(struct wait_
+@@ -1172,7 +1220,7 @@ static int wait_task_zombie(struct wait_
if (unlikely(wo->wo_flags & WNOWAIT)) {
int exit_code = p->exit_code;
@@ -57051,6 +57235,18 @@ diff -urNp linux-2.6.32.26/net/decnet/sysctl_net_decnet.c linux-2.6.32.26/net/de
return -EFAULT;
*lenp = len;
+diff -urNp linux-2.6.32.26/net/econet/Kconfig linux-2.6.32.26/net/econet/Kconfig
+--- linux-2.6.32.26/net/econet/Kconfig 2010-08-13 16:24:37.000000000 -0400
++++ linux-2.6.32.26/net/econet/Kconfig 2010-12-04 00:12:01.000000000 -0500
+@@ -4,7 +4,7 @@
+
+ config ECONET
+ tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
+- depends on EXPERIMENTAL && INET
++ depends on EXPERIMENTAL && INET && BROKEN
+ ---help---
+ Econet is a fairly old and slow networking protocol mainly used by
+ Acorn computers to access file and print servers. It uses native
diff -urNp linux-2.6.32.26/net/ipv4/inet_diag.c linux-2.6.32.26/net/ipv4/inet_diag.c
--- linux-2.6.32.26/net/ipv4/inet_diag.c 2010-08-13 16:24:37.000000000 -0400
+++ linux-2.6.32.26/net/ipv4/inet_diag.c 2010-11-13 14:53:02.000000000 -0500
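Review bot: Adding `&& BROKEN` to the ECONET `depends on` line hides the option without telling anyone why, and the help text is left unchanged. Someone who later finds the protocol missing has no pointer to the reason or to the condition under which the dependency can be lifted. A Kconfig comment above the entry, e.g. `# marked BROKEN by the hardened patchset: <reason / upstream reference>`, would record that.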
@@ -58475,7 +58671,7 @@ diff -urNp linux-2.6.32.26/net/tipc/socket.c linux-2.6.32.26/net/tipc/socket.c
diff -urNp linux-2.6.32.26/net/unix/af_unix.c linux-2.6.32.26/net/unix/af_unix.c
--- linux-2.6.32.26/net/unix/af_unix.c 2010-09-26 17:26:06.000000000 -0400
-+++ linux-2.6.32.26/net/unix/af_unix.c 2010-10-23 19:59:20.000000000 -0400
++++ linux-2.6.32.26/net/unix/af_unix.c 2010-12-04 00:41:07.000000000 -0500
@@ -743,6 +743,12 @@ static struct sock *unix_find_other(stru
err = -ECONNREFUSED;
if (!S_ISSOCK(inode->i_mode))
diff --git a/2.6.32/4425_grsec-pax-without-grsec.patch b/2.6.32/4425_grsec-pax-without-grsec.patch
index 438148a..8bf0dc4 100644
--- a/2.6.32/4425_grsec-pax-without-grsec.patch
+++ b/2.6.32/4425_grsec-pax-without-grsec.patch
@@ -28,7 +28,7 @@ The original version of this patch contained no credits/description.
}
--- a/fs/exec.c
+++ b/fs/exec.c
-@@ -1759,9 +1759,11 @@
+@@ -1781,9 +1781,11 @@
}
up_read(&mm->mmap_sem);
}
@@ -40,7 +40,7 @@ The original version of this patch contained no credits/description.
printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
"PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
-@@ -1776,10 +1778,12 @@
+@@ -1798,10 +1800,12 @@
#ifdef CONFIG_PAX_REFCOUNT
void pax_report_refcount_overflow(struct pt_regs *regs)
{
@@ -53,7 +53,7 @@ The original version of this patch contained no credits/description.
printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
current->comm, task_pid_nr(current), current_uid(), current_euid());
print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
-@@ -1839,10 +1843,12 @@
+@@ -1861,10 +1865,12 @@
void pax_report_leak_to_user(const void *ptr, unsigned long len)
{
@@ -66,7 +66,7 @@ The original version of this patch contained no credits/description.
printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
dump_stack();
do_group_exit(SIGKILL);
-@@ -1850,10 +1856,12 @@
+@@ -1872,10 +1878,12 @@
void pax_report_overflow_from_user(const void *ptr, unsigned long len)
{