Grsec/PaX: 2.6.32.51-201112222105 + 3.1.6-201112222105

13 files changed, 250 insertions, 306 deletions

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 60b9d80..22c2947 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -3,7 +3,7 @@ README
 
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.2.2-2.6.32.50-201112102010.patch
+Patch:	4420_grsecurity-2.2.2-2.6.32.51-201112222105.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.50-201112102010.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.51-201112222105.patch
index bb97e13..1a4e34c 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.50-201112102010.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.51-201112222105.patch
@@ -185,7 +185,7 @@ index c840e7d..f4c451c 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index f38986c..46a251b 100644
+index 1c640ea..b545bdc 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -26002,19 +26002,10 @@ index 36fe08e..b123d3a 100644
  EXPORT_SYMBOL_GPL(leave_mm);
  
 diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c
-index 044897b..a195924 100644
+index 829edf0..672adb3 100644
 --- a/arch/x86/oprofile/backtrace.c
 +++ b/arch/x86/oprofile/backtrace.c
-@@ -57,7 +57,7 @@ static struct frame_head *dump_user_backtrace(struct frame_head *head)
- 	struct frame_head bufhead[2];
- 
- 	/* Also check accessibility of one struct frame_head beyond */
--	if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
-+	if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
- 		return NULL;
- 	if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
- 		return NULL;
-@@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const regs, unsigned int depth)
+@@ -115,7 +115,7 @@ x86_backtrace(struct pt_regs * const regs, unsigned int depth)
  {
  	struct frame_head *head = (struct frame_head *)frame_pointer(regs);
  
@@ -39601,10 +39592,10 @@ index 2ecbedb..42704f0 100644
  
  	tmp = cpu_to_le32(rts_threshold);
 diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c
-index 5c4df24..3b42925 100644
+index 334ccd6..47f8944 100644
 --- a/drivers/oprofile/buffer_sync.c
 +++ b/drivers/oprofile/buffer_sync.c
-@@ -341,7 +341,7 @@ static void add_data(struct op_entry *entry, struct mm_struct *mm)
+@@ -342,7 +342,7 @@ static void add_data(struct op_entry *entry, struct mm_struct *mm)
  		if (cookie == NO_COOKIE)
  			offset = pc;
  		if (cookie == INVALID_COOKIE) {
@@ -39613,7 +39604,7 @@ index 5c4df24..3b42925 100644
  			offset = pc;
  		}
  		if (cookie != last_cookie) {
-@@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct op_sample *s, int in_kernel)
+@@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct op_sample *s, int in_kernel)
  	/* add userspace sample */
  
  	if (!mm) {
@@ -39630,7 +39621,7 @@ index 5c4df24..3b42925 100644
  		return 0;
  	}
  
-@@ -561,7 +561,7 @@ void sync_buffer(int cpu)
+@@ -562,7 +562,7 @@ void sync_buffer(int cpu)
  		/* ignore backtraces if failed to add a sample */
  		if (state == sb_bt_start) {
  			state = sb_bt_ignore;
@@ -50470,50 +50461,6 @@ index 4463297..4fed53b 100644
  	.uevent = gfs2_uevent,
  };
  
-diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
-index 052f214..2462c5b 100644
---- a/fs/hfs/btree.c
-+++ b/fs/hfs/btree.c
-@@ -45,11 +45,27 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
- 	case HFS_EXT_CNID:
- 		hfs_inode_read_fork(tree->inode, mdb->drXTExtRec, mdb->drXTFlSize,
- 				    mdb->drXTFlSize, be32_to_cpu(mdb->drXTClpSiz));
-+
-+		if (HFS_I(tree->inode)->alloc_blocks >
-+					HFS_I(tree->inode)->first_blocks) {
-+			printk(KERN_ERR "hfs: invalid btree extent records\n");
-+			unlock_new_inode(tree->inode);
-+			goto free_inode;
-+		}
-+
- 		tree->inode->i_mapping->a_ops = &hfs_btree_aops;
- 		break;
- 	case HFS_CAT_CNID:
- 		hfs_inode_read_fork(tree->inode, mdb->drCTExtRec, mdb->drCTFlSize,
- 				    mdb->drCTFlSize, be32_to_cpu(mdb->drCTClpSiz));
-+
-+		if (!HFS_I(tree->inode)->first_blocks) {
-+			printk(KERN_ERR "hfs: invalid btree extent records "
-+								"(0 size).\n");
-+			unlock_new_inode(tree->inode);
-+			goto free_inode;
-+		}
-+
- 		tree->inode->i_mapping->a_ops = &hfs_btree_aops;
- 		break;
- 	default:
-@@ -58,11 +74,6 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
- 	}
- 	unlock_new_inode(tree->inode);
- 
--	if (!HFS_I(tree->inode)->first_blocks) {
--		printk(KERN_ERR "hfs: invalid btree extent records (0 size).\n");
--		goto free_inode;
--	}
--
- 	mapping = tree->inode->i_mapping;
- 	page = read_mapping_page(mapping, 0, NULL);
- 	if (IS_ERR(page))
 diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
 index f6874ac..7cd98a8 100644
 --- a/fs/hfsplus/catalog.c
@@ -71032,7 +70979,7 @@ index 4bde56f..29a9bab 100644
  			else
  				new_fs = fs;
 diff --git a/kernel/futex.c b/kernel/futex.c
-index fb98c9f..f158c0c 100644
+index fb98c9f..333faec 100644
 --- a/kernel/futex.c
 +++ b/kernel/futex.c
 @@ -54,6 +54,7 @@
@@ -71082,34 +71029,18 @@ index fb98c9f..f158c0c 100644
  	if (!bitset)
  		return -EINVAL;
  
-@@ -2407,7 +2417,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
- {
- 	struct robust_list_head __user *head;
- 	unsigned long ret;
-+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
- 	const struct cred *cred = current_cred(), *pcred;
-+#endif
- 
- 	if (!futex_cmpxchg_enabled)
- 		return -ENOSYS;
-@@ -2423,11 +2435,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
+@@ -2423,6 +2433,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
  		if (!p)
  			goto err_unlock;
  		ret = -EPERM;
 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
 +		if (!ptrace_may_access(p, PTRACE_MODE_READ))
 +			goto err_unlock;
-+#else
++#endif
  		pcred = __task_cred(p);
  		if (cred->euid != pcred->euid &&
  		    cred->euid != pcred->uid &&
- 		    !capable(CAP_SYS_PTRACE))
- 			goto err_unlock;
-+#endif
- 		head = p->robust_list;
- 		rcu_read_unlock();
- 	}
-@@ -2489,7 +2506,7 @@ retry:
+@@ -2489,7 +2503,7 @@ retry:
   */
  static inline int fetch_robust_entry(struct robust_list __user **entry,
  				     struct robust_list __user * __user *head,
@@ -71118,7 +71049,7 @@ index fb98c9f..f158c0c 100644
  {
  	unsigned long uentry;
  
-@@ -2670,6 +2687,7 @@ static int __init futex_init(void)
+@@ -2670,6 +2684,7 @@ static int __init futex_init(void)
  {
  	u32 curval;
  	int i;
@@ -71126,7 +71057,7 @@ index fb98c9f..f158c0c 100644
  
  	/*
  	 * This will fail and we want it. Some arch implementations do
-@@ -2681,7 +2699,10 @@ static int __init futex_init(void)
+@@ -2681,7 +2696,10 @@ static int __init futex_init(void)
  	 * implementation, the non functional ones will return
  	 * -ENOSYS.
  	 */
@@ -71138,7 +71069,7 @@ index fb98c9f..f158c0c 100644
  		futex_cmpxchg_enabled = 1;
  
 diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
-index 2357165..8d70cee 100644
+index 2357165..eb25501 100644
 --- a/kernel/futex_compat.c
 +++ b/kernel/futex_compat.c
 @@ -10,6 +10,7 @@
@@ -71149,35 +71080,27 @@ index 2357165..8d70cee 100644
  
  #include <asm/uaccess.h>
  
-@@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
+@@ -135,7 +136,8 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
  {
  	struct compat_robust_list_head __user *head;
  	unsigned long ret;
 -	const struct cred *cred = current_cred(), *pcred;
-+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
 +	const struct cred *cred = current_cred();
 +	const struct cred *pcred;
-+#endif
  
  	if (!futex_cmpxchg_enabled)
  		return -ENOSYS;
-@@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
+@@ -151,6 +153,10 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
  		if (!p)
  			goto err_unlock;
  		ret = -EPERM;
 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
 +		if (!ptrace_may_access(p, PTRACE_MODE_READ))
 +			goto err_unlock;
-+#else
++#endif
  		pcred = __task_cred(p);
  		if (cred->euid != pcred->euid &&
  		    cred->euid != pcred->uid &&
- 		    !capable(CAP_SYS_PTRACE))
- 			goto err_unlock;
-+#endif
- 		head = p->compat_robust_list;
- 		read_unlock(&tasklist_lock);
- 	}
 diff --git a/kernel/gcov/base.c b/kernel/gcov/base.c
 index 9b22d03..6295b62 100644
 --- a/kernel/gcov/base.c
@@ -74411,7 +74334,7 @@ index 469193c..ea3ecb2 100644
  			    (table->proc_handler == proc_dointvec_minmax) ||
  			    (table->proc_handler == proc_dointvec_jiffies) ||
 diff --git a/kernel/taskstats.c b/kernel/taskstats.c
-index b080920..d344f89 100644
+index a4ef542..798bcd7 100644
 --- a/kernel/taskstats.c
 +++ b/kernel/taskstats.c
 @@ -26,9 +26,12 @@
@@ -78051,11 +77974,11 @@ index 3ecab7e..594a471 100644
  #endif /* CONFIG_SPARSEMEM */
  
 diff --git a/mm/percpu.c b/mm/percpu.c
-index 3bfd6e2..60404b9 100644
+index c90614a..5f7b7b8 100644
 --- a/mm/percpu.c
 +++ b/mm/percpu.c
-@@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu __read_mostly;
- static unsigned int pcpu_last_unit_cpu __read_mostly;
+@@ -115,7 +115,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly;
+ static unsigned int pcpu_high_unit_cpu __read_mostly;
  
  /* the address of the first chunk which starts with the kernel static area */
 -void *pcpu_base_addr __read_mostly;
@@ -78943,7 +78866,7 @@ index 308e57d..5de19c0 100644
  	}
  }
 diff --git a/mm/util.c b/mm/util.c
-index b377ce4..3a891af 100644
+index e48b493..24a601d 100644
 --- a/mm/util.c
 +++ b/mm/util.c
 @@ -228,6 +228,12 @@ EXPORT_SYMBOL(strndup_user);
diff --git a/3.1.5/0000_README b/3.1.6/0000_README
index 613b71d..29427c6 100644
--- a/3.1.5/0000_README
+++ b/3.1.6/0000_README
@@ -3,7 +3,7 @@ README
 
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.2.2-3.1.5-201112101853.patch
+Patch:	4420_grsecurity-2.2.2-3.1.6-201112222105.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.1.5/4420_grsecurity-2.2.2-3.1.5-201112101853.patch b/3.1.6/4420_grsecurity-2.2.2-3.1.6-201112222105.patch
index 67dea05..5c91c1a 100644
--- a/3.1.5/4420_grsecurity-2.2.2-3.1.5-201112101853.patch
+++ b/3.1.6/4420_grsecurity-2.2.2-3.1.6-201112222105.patch
@@ -186,7 +186,7 @@ index d6e6724..a024ce8 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index 94ab2ad..1e4a6e8 100644
+index 2d6e0a8..d1d2564 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -10212,7 +10212,7 @@ index cb23852..2dde194 100644
  
  asmlinkage long sys32_sched_rr_get_interval(compat_pid_t,
 diff --git a/arch/x86/include/asm/system.h b/arch/x86/include/asm/system.h
-index c2ff2a1..4349184 100644
+index 2d2f01c..f985723 100644
 --- a/arch/x86/include/asm/system.h
 +++ b/arch/x86/include/asm/system.h
 @@ -129,7 +129,7 @@ do {									\
@@ -10242,7 +10242,7 @@ index c2ff2a1..4349184 100644
  }
  
  static inline void native_clts(void)
-@@ -397,12 +397,12 @@ void enable_hlt(void);
+@@ -397,13 +397,13 @@ void enable_hlt(void);
  
  void cpu_idle_wait(void);
  
@@ -10251,6 +10251,7 @@ index c2ff2a1..4349184 100644
  extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
  
  void default_idle(void);
+ bool set_pm_idle_to_default(void);
  
 -void stop_this_cpu(void *dummy);
 +void stop_this_cpu(void *dummy) __noreturn;
@@ -16136,7 +16137,7 @@ index 35ccf75..67e7d4d 100644
  	for (p = start; p < finish; p++) {
  		q = find_dependents_of(start, finish, p);
 diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
-index e7e3b01..43c5af3 100644
+index 30eb651..0758167 100644
 --- a/arch/x86/kernel/process.c
 +++ b/arch/x86/kernel/process.c
 @@ -48,16 +48,33 @@ void free_thread_xstate(struct task_struct *tsk)
@@ -16219,16 +16220,17 @@ index e7e3b01..43c5af3 100644
  #else
  	regs.ss = __KERNEL_DS;
  #endif
-@@ -403,7 +423,7 @@ void default_idle(void)
- EXPORT_SYMBOL(default_idle);
- #endif
+@@ -411,7 +431,8 @@ bool set_pm_idle_to_default(void)
  
+ 	return ret;
+ }
 -void stop_this_cpu(void *dummy)
++
 +__noreturn void stop_this_cpu(void *dummy)
  {
  	local_irq_disable();
  	/*
-@@ -645,16 +665,37 @@ static int __init idle_setup(char *str)
+@@ -653,16 +674,37 @@ static int __init idle_setup(char *str)
  }
  early_param("idle", idle_setup);
  
@@ -22066,19 +22068,10 @@ index 0d17c8c..4f4764f 100644
 +	return ret ? -EFAULT : 0;
 +}
 diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
-index ea30585..7d26398 100644
+index dd74e46..7d26398 100644
 --- a/arch/x86/mm/gup.c
 +++ b/arch/x86/mm/gup.c
-@@ -201,6 +201,8 @@ static noinline int gup_huge_pud(pud_t pud, unsigned long addr,
- 	do {
- 		VM_BUG_ON(compound_head(page) != head);
- 		pages[*nr] = page;
-+		if (PageTail(page))
-+			get_huge_page_tail(page);
- 		(*nr)++;
- 		page++;
- 		refs++;
-@@ -253,7 +255,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
+@@ -255,7 +255,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
  	addr = start;
  	len = (unsigned long) nr_pages << PAGE_SHIFT;
  	end = start + len;
@@ -28728,10 +28721,10 @@ index b51e157..8f14fb9 100644
  	return can_switch;
  }
 diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
-index 6adb3e5..b91553e2 100644
+index 07ac481..41cb437 100644
 --- a/drivers/gpu/drm/radeon/radeon_display.c
 +++ b/drivers/gpu/drm/radeon/radeon_display.c
-@@ -925,6 +925,8 @@ void radeon_compute_pll_legacy(struct radeon_pll *pll,
+@@ -926,6 +926,8 @@ void radeon_compute_pll_legacy(struct radeon_pll *pll,
  	uint32_t post_div;
  	u32 pll_out_min, pll_out_max;
  
@@ -37356,10 +37349,10 @@ index ed147c4..94fc3c6 100644
  
  /* core tmem accessor functions */
 diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
-index 26a5d8b..74434f8 100644
+index c4ac6f6..4f90f53 100644
 --- a/drivers/target/iscsi/iscsi_target.c
 +++ b/drivers/target/iscsi/iscsi_target.c
-@@ -1368,7 +1368,7 @@ static int iscsit_handle_data_out(struct iscsi_conn *conn, unsigned char *buf)
+@@ -1370,7 +1370,7 @@ static int iscsit_handle_data_out(struct iscsi_conn *conn, unsigned char *buf)
  		 * outstanding_r2ts reaches zero, go ahead and send the delayed
  		 * TASK_ABORTED status.
  		 */
@@ -37391,7 +37384,7 @@ index 8badcb4..94c9ac6 100644
  	memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
  
 diff --git a/drivers/target/target_core_cdb.c b/drivers/target/target_core_cdb.c
-index f04d4ef..7de212b 100644
+index 5f91397..dcc2d25 100644
 --- a/drivers/target/target_core_cdb.c
 +++ b/drivers/target/target_core_cdb.c
 @@ -933,6 +933,8 @@ target_emulate_modesense(struct se_cmd *cmd, int ten)
@@ -37479,7 +37472,7 @@ index 5c1b8c5..0cb7d0e 100644
  
  		core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
 diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index 013c100..8fd2e57 100644
+index e2added..ccb5251 100644
 --- a/drivers/target/target_core_transport.c
 +++ b/drivers/target/target_core_transport.c
 @@ -1445,7 +1445,7 @@ struct se_device *transport_add_device_to_core_hba(
@@ -37521,7 +37514,7 @@ index 013c100..8fd2e57 100644
  	    cmd->t_task_list_num)
  		atomic_set(&cmd->transport_sent, 1);
  
-@@ -4665,7 +4665,7 @@ static void transport_generic_wait_for_tasks(
+@@ -4682,7 +4682,7 @@ static void transport_generic_wait_for_tasks(
  		atomic_set(&cmd->transport_lun_stop, 0);
  	}
  	if (!atomic_read(&cmd->t_transport_active) ||
@@ -37530,7 +37523,7 @@ index 013c100..8fd2e57 100644
  		goto remove;
  
  	atomic_set(&cmd->t_transport_stop, 1);
-@@ -4900,7 +4900,7 @@ int transport_check_aborted_status(struct se_cmd *cmd, int send_status)
+@@ -4917,7 +4917,7 @@ int transport_check_aborted_status(struct se_cmd *cmd, int send_status)
  {
  	int ret = 0;
  
@@ -37539,7 +37532,7 @@ index 013c100..8fd2e57 100644
  		if (!send_status ||
  		     (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
  			return 1;
-@@ -4937,7 +4937,7 @@ void transport_send_task_abort(struct se_cmd *cmd)
+@@ -4954,7 +4954,7 @@ void transport_send_task_abort(struct se_cmd *cmd)
  	 */
  	if (cmd->data_direction == DMA_TO_DEVICE) {
  		if (cmd->se_tfo->write_pending_status(cmd) != 0) {
@@ -37548,7 +37541,7 @@ index 013c100..8fd2e57 100644
  			smp_mb__after_atomic_inc();
  			cmd->scsi_status = SAM_STAT_TASK_ABORTED;
  			transport_new_cmd_failure(cmd);
-@@ -5051,7 +5051,7 @@ static void transport_processing_shutdown(struct se_device *dev)
+@@ -5068,7 +5068,7 @@ static void transport_processing_shutdown(struct se_device *dev)
  			cmd->se_tfo->get_task_tag(cmd),
  			cmd->t_task_list_num,
  			atomic_read(&cmd->t_task_cdbs_left),
@@ -43434,10 +43427,10 @@ index 9a37a9b..35792b6 100644
  				/*
  				 * We'll have a dentry and an inode for
 diff --git a/fs/dcache.c b/fs/dcache.c
-index a88948b..1e32160 100644
+index 8b732a2..6db6c27 100644
 --- a/fs/dcache.c
 +++ b/fs/dcache.c
-@@ -2998,7 +2998,7 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -3015,7 +3015,7 @@ void __init vfs_caches_init(unsigned long mempages)
  	mempages -= reserve;
  
  	names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
@@ -45976,7 +45969,7 @@ index b6cca47..ec782c3 100644
  	cuse_class = class_create(THIS_MODULE, "cuse");
  	if (IS_ERR(cuse_class))
 diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
-index 5cb8614..6865b11 100644
+index 2aaf3ea..8e50863 100644
 --- a/fs/fuse/dev.c
 +++ b/fs/fuse/dev.c
 @@ -1242,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
@@ -46014,50 +46007,6 @@ index 900cf98..3896726 100644
  	if (!IS_ERR(s))
  		kfree(s);
  }
-diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
-index 3ebc437..eb23952 100644
---- a/fs/hfs/btree.c
-+++ b/fs/hfs/btree.c
-@@ -46,11 +46,27 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
- 	case HFS_EXT_CNID:
- 		hfs_inode_read_fork(tree->inode, mdb->drXTExtRec, mdb->drXTFlSize,
- 				    mdb->drXTFlSize, be32_to_cpu(mdb->drXTClpSiz));
-+
-+		if (HFS_I(tree->inode)->alloc_blocks >
-+					HFS_I(tree->inode)->first_blocks) {
-+			printk(KERN_ERR "hfs: invalid btree extent records\n");
-+			unlock_new_inode(tree->inode);
-+			goto free_inode;
-+		}
-+
- 		tree->inode->i_mapping->a_ops = &hfs_btree_aops;
- 		break;
- 	case HFS_CAT_CNID:
- 		hfs_inode_read_fork(tree->inode, mdb->drCTExtRec, mdb->drCTFlSize,
- 				    mdb->drCTFlSize, be32_to_cpu(mdb->drCTClpSiz));
-+
-+		if (!HFS_I(tree->inode)->first_blocks) {
-+			printk(KERN_ERR "hfs: invalid btree extent records "
-+								"(0 size).\n");
-+			unlock_new_inode(tree->inode);
-+			goto free_inode;
-+		}
-+
- 		tree->inode->i_mapping->a_ops = &hfs_btree_aops;
- 		break;
- 	default:
-@@ -59,11 +75,6 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
- 	}
- 	unlock_new_inode(tree->inode);
- 
--	if (!HFS_I(tree->inode)->first_blocks) {
--		printk(KERN_ERR "hfs: invalid btree extent records (0 size).\n");
--		goto free_inode;
--	}
--
- 	mapping = tree->inode->i_mapping;
- 	page = read_mapping_page(mapping, 0, NULL);
- 	if (IS_ERR(page))
 diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
 index 4dfbfec..947c9c2 100644
 --- a/fs/hfsplus/catalog.c
@@ -47015,10 +46964,10 @@ index 3d15072..c1ddf9c 100644
  out:
  	return len;
 diff --git a/fs/namespace.c b/fs/namespace.c
-index e5e1c7d..019609e 100644
+index 5e7f2e9..cd13685 100644
 --- a/fs/namespace.c
 +++ b/fs/namespace.c
-@@ -1329,6 +1329,9 @@ static int do_umount(struct vfsmount *mnt, int flags)
+@@ -1326,6 +1326,9 @@ static int do_umount(struct vfsmount *mnt, int flags)
  		if (!(sb->s_flags & MS_RDONLY))
  			retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
  		up_write(&sb->s_umount);
@@ -47028,7 +46977,7 @@ index e5e1c7d..019609e 100644
  		return retval;
  	}
  
-@@ -1348,6 +1351,9 @@ static int do_umount(struct vfsmount *mnt, int flags)
+@@ -1345,6 +1348,9 @@ static int do_umount(struct vfsmount *mnt, int flags)
  	br_write_unlock(vfsmount_lock);
  	up_write(&namespace_sem);
  	release_mounts(&umount_list);
@@ -47038,7 +46987,7 @@ index e5e1c7d..019609e 100644
  	return retval;
  }
  
-@@ -2339,6 +2345,16 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
+@@ -2336,6 +2342,16 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
  		   MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
  		   MS_STRICTATIME);
  
@@ -47055,7 +47004,7 @@ index e5e1c7d..019609e 100644
  	if (flags & MS_REMOUNT)
  		retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
  				    data_page);
-@@ -2353,6 +2369,9 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
+@@ -2350,6 +2366,9 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
  				      dev_name, data_page);
  dput_out:
  	path_put(&path);
@@ -47065,7 +47014,7 @@ index e5e1c7d..019609e 100644
  	return retval;
  }
  
-@@ -2576,6 +2595,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
+@@ -2573,6 +2592,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
  	if (error)
  		goto out2;
  
@@ -48470,7 +48419,7 @@ index d245cb2..7e645bd 100644
  		return -EPERM;
  	if (kcore_need_update)
 diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
-index 5861741..32c53bc 100644
+index 80e4645..d2689e9 100644
 --- a/fs/proc/meminfo.c
 +++ b/fs/proc/meminfo.c
 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
@@ -48482,7 +48431,7 @@ index 5861741..32c53bc 100644
  /*
   * display in kilobytes.
   */
-@@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
+@@ -158,7 +160,7 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
  		vmi.used >> 10,
  		vmi.largest_chunk >> 10
  #ifdef CONFIG_MEMORY_FAILURE
@@ -49098,7 +49047,7 @@ index d33418f..f8e06bc 100644
  		return -EINVAL;
  
 diff --git a/fs/seq_file.c b/fs/seq_file.c
-index 05d6b0e..ee96362 100644
+index dba43c3..a99fb63 100644
 --- a/fs/seq_file.c
 +++ b/fs/seq_file.c
 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m, loff_t offset)
@@ -49591,10 +49540,10 @@ index 474920b..97169a9 100644
  		kfree(s);
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..9629731
+index 0000000..4639511
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1037 @@
+@@ -0,0 +1,1051 @@
 +#
 +# grecurity configuration
 +#
@@ -49729,6 +49678,7 @@ index 0000000..9629731
 +	select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
 +	select GRKERNSEC_CHROOT_NICE
++	select GRKERNSEC_SETXID
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
@@ -50394,6 +50344,19 @@ index 0000000..9629731
 +	  option is enabled, a sysctl option with name "harden_ptrace" is
 +	  created.
 +
++config GRKERNSEC_SETXID
++	bool "Enforce consistent multithreaded privileges"
++	help
++	  If you say Y here, a change from a root uid to a non-root uid
++	  in a multithreaded application will cause the resulting uids,
++	  gids, supplementary groups, and capabilities in that thread
++	  to be propagated to the other threads of the process.  In most
++	  cases this is unnecessary, as glibc will emulate this behavior
++	  on behalf of the application.  Other libcs do not act in the
++	  same way, allowing the other threads of the process to continue
++	  running with root privileges.  If the sysctl option is enabled,
++	  a sysctl option with name "consistent_setxid" is created.
++
 +config GRKERNSEC_TPE
 +	bool "Trusted Path Execution (TPE)"
 +	help
@@ -57558,10 +57521,10 @@ index 0000000..8ca18bf
 +}
 diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
 new file mode 100644
-index 0000000..356ef00
+index 0000000..cb8e5a1
 --- /dev/null
 +++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,269 @@
+@@ -0,0 +1,273 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -57571,6 +57534,7 @@ index 0000000..356ef00
 +#include <linux/percpu.h>
 +#include <linux/module.h>
 +
++int grsec_enable_setxid;
 +int grsec_enable_brute;
 +int grsec_enable_link;
 +int grsec_enable_dmesg;
@@ -57751,6 +57715,9 @@ index 0000000..356ef00
 +#ifdef CONFIG_GRKERNSEC_EXECLOG
 +	grsec_enable_execlog = 1;
 +#endif
++#ifdef CONFIG_GRKERNSEC_SETXID
++	grsec_enable_setxid = 1;
++#endif
 +#ifdef CONFIG_GRKERNSEC_SIGNAL
 +	grsec_enable_signal = 1;
 +#endif
@@ -58841,10 +58808,10 @@ index 0000000..4030d57
 +}
 diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
 new file mode 100644
-index 0000000..174668f
+index 0000000..bceef2f
 --- /dev/null
 +++ b/grsecurity/grsec_sysctl.c
-@@ -0,0 +1,433 @@
+@@ -0,0 +1,442 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/sysctl.h>
@@ -58908,6 +58875,15 @@ index 0000000..174668f
 +		.proc_handler	= &proc_dointvec,
 +	},
 +#endif
++#ifdef CONFIG_GRKERNSEC_SETXID
++	{
++		.procname	= "consistent_setxid",
++		.data		= &grsec_enable_setxid,
++		.maxlen		= sizeof(int),
++		.mode		= 0600,
++		.proc_handler	= &proc_dointvec,
++	},
++#endif
 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
 +	{
 +		.procname	= "ip_blackhole",
@@ -60533,7 +60509,7 @@ index 84ccf8e..2e9b14c 100644
  };
  
 diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 277f497..9be66a4 100644
+index cf7bc25..0d2babf 100644
 --- a/include/linux/fs.h
 +++ b/include/linux/fs.h
 @@ -1588,7 +1588,8 @@ struct file_operations {
@@ -61455,10 +61431,10 @@ index 0000000..9d5fd4a
 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..bd25f72
+index 0000000..4620f36
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,228 @@
+@@ -0,0 +1,231 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -61684,6 +61660,9 @@ index 0000000..bd25f72
 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
 +extern int grsec_enable_chroot_findtask;
 +#endif
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern int grsec_enable_setxid;
++#endif
 +#endif
 +
 +#endif
@@ -65202,7 +65181,7 @@ index 42e8fa0..9e7406b 100644
  		return -ENOMEM;
  
 diff --git a/kernel/cred.c b/kernel/cred.c
-index 8ef31f5..f63d997 100644
+index 8ef31f5..d7d50d8 100644
 --- a/kernel/cred.c
 +++ b/kernel/cred.c
 @@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head *rcu)
@@ -65241,7 +65220,15 @@ index 8ef31f5..f63d997 100644
  	new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
  	if (!new)
  		return NULL;
-@@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
+@@ -281,12 +289,14 @@ error:
+  *
+  * Call commit_creds() or abort_creds() to clean up.
+  */
+-struct cred *prepare_creds(void)
++
++static struct cred *__prepare_creds(struct task_struct *task)
+ {
+-	struct task_struct *task = current;
  	const struct cred *old;
  	struct cred *new;
  
@@ -65250,7 +65237,19 @@ index 8ef31f5..f63d997 100644
  	validate_process_creds();
  
  	new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
-@@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
+@@ -322,6 +332,11 @@ error:
+ 	abort_creds(new);
+ 	return NULL;
+ }
++
++struct cred *prepare_creds(void)
++{
++	return __prepare_creds(current);
++}
+ EXPORT_SYMBOL(prepare_creds);
+ 
+ /*
+@@ -333,6 +348,8 @@ struct cred *prepare_exec_creds(void)
  	struct thread_group_cred *tgcred = NULL;
  	struct cred *new;
  
@@ -65259,7 +65258,7 @@ index 8ef31f5..f63d997 100644
  #ifdef CONFIG_KEYS
  	tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
  	if (!tgcred)
-@@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
+@@ -385,6 +402,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
  	struct cred *new;
  	int ret;
  
@@ -65268,8 +65267,14 @@ index 8ef31f5..f63d997 100644
  	if (
  #ifdef CONFIG_KEYS
  		!p->cred->thread_keyring &&
-@@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
- 	struct task_struct *task = current;
+@@ -470,11 +489,12 @@ error_put:
+  * Always returns 0 thus allowing this function to be tail-called at the end
+  * of, say, sys_setgid().
+  */
+-int commit_creds(struct cred *new)
++static int __commit_creds(struct task_struct *task, struct cred *new)
+ {
+-	struct task_struct *task = current;
  	const struct cred *old = task->real_cred;
  
 +	pax_track_stack();
@@ -65277,7 +65282,7 @@ index 8ef31f5..f63d997 100644
  	kdebug("commit_creds(%p{%d,%d})", new,
  	       atomic_read(&new->usage),
  	       read_cred_subscribers(new));
-@@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
+@@ -489,6 +509,8 @@ int commit_creds(struct cred *new)
  
  	get_cred(new); /* we will require a ref for the subj creds too */
  
@@ -65286,7 +65291,72 @@ index 8ef31f5..f63d997 100644
  	/* dumpability changes */
  	if (old->euid != new->euid ||
  	    old->egid != new->egid ||
-@@ -549,6 +567,8 @@ EXPORT_SYMBOL(commit_creds);
+@@ -538,6 +560,64 @@ int commit_creds(struct cred *new)
+ 	put_cred(old);
+ 	return 0;
+ }
++
++int commit_creds(struct cred *new)
++{
++#ifdef CONFIG_GRKERNSEC_SETXID
++	struct task_struct *t;
++	struct cred *ncred;
++	const struct cred *old;
++
++	if (grsec_enable_setxid && !current_is_single_threaded() &&
++	    !current_uid() && new->uid) {
++		rcu_read_lock();
++		read_lock(&tasklist_lock);
++		for (t = next_thread(current); t != current;
++		     t = next_thread(t)) {
++			old = __task_cred(t);
++			if (old->uid)
++				continue;
++			ncred = __prepare_creds(t);
++			if (!ncred)
++				goto die;
++			// uids
++			ncred->uid = new->uid;
++			ncred->euid = new->euid;
++			ncred->suid = new->suid;
++			ncred->fsuid = new->fsuid;
++			// gids
++			ncred->gid = new->gid;
++			ncred->egid = new->egid;
++			ncred->sgid = new->sgid;
++			ncred->fsgid = new->fsgid;
++			// groups
++			if (set_groups(ncred, new->group_info) < 0) {
++				abort_creds(ncred);
++				goto die;
++			}
++			// caps
++			ncred->securebits = new->securebits;
++			ncred->cap_inheritable = new->cap_inheritable;
++			ncred->cap_permitted = new->cap_permitted;
++			ncred->cap_effective = new->cap_effective;
++			ncred->cap_bset = new->cap_bset;
++
++			__commit_creds(t, ncred);
++		}	
++		read_unlock(&tasklist_lock);
++		rcu_read_unlock();
++	}
++#endif
++	return __commit_creds(current, new);
++#ifdef CONFIG_GRKERNSEC_SETXID
++die:
++	read_unlock(&tasklist_lock);
++	rcu_read_unlock();
++	abort_creds(new);
++	do_group_exit(SIGKILL);
++#endif
++}
++
+ EXPORT_SYMBOL(commit_creds);
+ 
+ /**
+@@ -549,6 +629,8 @@ EXPORT_SYMBOL(commit_creds);
   */
  void abort_creds(struct cred *new)
  {
@@ -65295,7 +65365,7 @@ index 8ef31f5..f63d997 100644
  	kdebug("abort_creds(%p{%d,%d})", new,
  	       atomic_read(&new->usage),
  	       read_cred_subscribers(new));
-@@ -572,6 +592,8 @@ const struct cred *override_creds(const struct cred *new)
+@@ -572,6 +654,8 @@ const struct cred *override_creds(const struct cred *new)
  {
  	const struct cred *old = current->cred;
  
@@ -65304,7 +65374,7 @@ index 8ef31f5..f63d997 100644
  	kdebug("override_creds(%p{%d,%d})", new,
  	       atomic_read(&new->usage),
  	       read_cred_subscribers(new));
-@@ -601,6 +623,8 @@ void revert_creds(const struct cred *old)
+@@ -601,6 +685,8 @@ void revert_creds(const struct cred *old)
  {
  	const struct cred *override = current->cred;
  
@@ -65313,7 +65383,7 @@ index 8ef31f5..f63d997 100644
  	kdebug("revert_creds(%p{%d,%d})", old,
  	       atomic_read(&old->usage),
  	       read_cred_subscribers(old));
-@@ -647,6 +671,8 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
+@@ -647,6 +733,8 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
  	const struct cred *old;
  	struct cred *new;
  
@@ -65322,7 +65392,7 @@ index 8ef31f5..f63d997 100644
  	new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
  	if (!new)
  		return NULL;
-@@ -701,6 +727,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
+@@ -701,6 +789,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
   */
  int set_security_override(struct cred *new, u32 secid)
  {
@@ -65331,7 +65401,7 @@ index 8ef31f5..f63d997 100644
  	return security_kernel_act_as(new, secid);
  }
  EXPORT_SYMBOL(set_security_override);
-@@ -720,6 +748,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx)
+@@ -720,6 +810,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx)
  	u32 secid;
  	int ret;
  
@@ -65896,7 +65966,7 @@ index 8e6b6f4..9dccf00 100644
  			else
  				new_fs = fs;
 diff --git a/kernel/futex.c b/kernel/futex.c
-index 11cbe05..9ff191b 100644
+index 11cbe05..c5dab58 100644
 --- a/kernel/futex.c
 +++ b/kernel/futex.c
 @@ -54,6 +54,7 @@
@@ -65937,36 +66007,18 @@ index 11cbe05..9ff191b 100644
  	if (!bitset)
  		return -EINVAL;
  
-@@ -2431,7 +2441,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
- {
- 	struct robust_list_head __user *head;
- 	unsigned long ret;
-+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
- 	const struct cred *cred = current_cred(), *pcred;
-+#endif
- 
- 	if (!futex_cmpxchg_enabled)
- 		return -ENOSYS;
-@@ -2447,6 +2459,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
+@@ -2447,6 +2457,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
  		if (!p)
  			goto err_unlock;
  		ret = -EPERM;
 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
 +		if (!ptrace_may_access(p, PTRACE_MODE_READ))
 +			goto err_unlock;
-+#else
++#endif
  		pcred = __task_cred(p);
  		/* If victim is in different user_ns, then uids are not
  		   comparable, so we must have CAP_SYS_PTRACE */
-@@ -2461,6 +2477,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
- 		    !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
- 			goto err_unlock;
- ok:
-+#endif
- 		head = p->robust_list;
- 		rcu_read_unlock();
- 	}
-@@ -2712,6 +2729,7 @@ static int __init futex_init(void)
+@@ -2712,6 +2726,7 @@ static int __init futex_init(void)
  {
  	u32 curval;
  	int i;
@@ -65974,7 +66026,7 @@ index 11cbe05..9ff191b 100644
  
  	/*
  	 * This will fail and we want it. Some arch implementations do
-@@ -2723,8 +2741,11 @@ static int __init futex_init(void)
+@@ -2723,8 +2738,11 @@ static int __init futex_init(void)
  	 * implementation, the non-functional ones will return
  	 * -ENOSYS.
  	 */
@@ -65987,7 +66039,7 @@ index 11cbe05..9ff191b 100644
  	for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
  		plist_head_init(&futex_queues[i].chain);
 diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
-index 5f9e689..03afa21 100644
+index 5f9e689..582d46d 100644
 --- a/kernel/futex_compat.c
 +++ b/kernel/futex_compat.c
 @@ -10,6 +10,7 @@
@@ -65998,37 +66050,27 @@ index 5f9e689..03afa21 100644
  
  #include <asm/uaccess.h>
  
-@@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
+@@ -136,7 +137,8 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
  {
  	struct compat_robust_list_head __user *head;
  	unsigned long ret;
 -	const struct cred *cred = current_cred(), *pcred;
-+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
 +	const struct cred *cred = current_cred();
 +	const struct cred *pcred;
-+#endif
  
  	if (!futex_cmpxchg_enabled)
  		return -ENOSYS;
-@@ -152,6 +156,10 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
+@@ -152,6 +154,10 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
  		if (!p)
  			goto err_unlock;
  		ret = -EPERM;
 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
 +		if (!ptrace_may_access(p, PTRACE_MODE_READ))
 +			goto err_unlock;
-+#else
++#endif
  		pcred = __task_cred(p);
  		/* If victim is in different user_ns, then uids are not
  		   comparable, so we must have CAP_SYS_PTRACE */
-@@ -166,6 +174,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
- 		    !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
- 			goto err_unlock;
- ok:
-+#endif
- 		head = p->compat_robust_list;
- 		rcu_read_unlock();
- 	}
 diff --git a/kernel/gcov/base.c b/kernel/gcov/base.c
 index 9b22d03..6295b62 100644
 --- a/kernel/gcov/base.c
@@ -66364,10 +66406,10 @@ index b30fd54..11821ec 100644
  	head = &kprobe_table[i];
  	preempt_disable();
 diff --git a/kernel/lockdep.c b/kernel/lockdep.c
-index 91d67ce..ac259df 100644
+index 4479606..4036bea 100644
 --- a/kernel/lockdep.c
 +++ b/kernel/lockdep.c
-@@ -583,6 +583,10 @@ static int static_obj(void *obj)
+@@ -584,6 +584,10 @@ static int static_obj(void *obj)
  		      end   = (unsigned long) &_end,
  		      addr  = (unsigned long) obj;
  
@@ -66378,7 +66420,7 @@ index 91d67ce..ac259df 100644
  	/*
  	 * static variable?
  	 */
-@@ -718,6 +722,7 @@ register_lock_class(struct lockdep_map *lock, unsigned int subclass, int force)
+@@ -719,6 +723,7 @@ register_lock_class(struct lockdep_map *lock, unsigned int subclass, int force)
  	if (!static_obj(lock->key)) {
  		debug_locks_off();
  		printk("INFO: trying to register non-static key.\n");
@@ -66386,7 +66428,7 @@ index 91d67ce..ac259df 100644
  		printk("the code is fine but needs lockdep annotation.\n");
  		printk("turning off the locking correctness validator.\n");
  		dump_stack();
-@@ -2948,7 +2953,7 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
+@@ -2954,7 +2959,7 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
  		if (!class)
  			return 0;
  	}
@@ -69057,7 +69099,7 @@ index d776062..fa8d186 100644
  		sys_tz = *tz;
  		update_vsyscall_tz();
 diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
-index ea5e1a9..8b8df07 100644
+index 8b70c76..923e9f5 100644
 --- a/kernel/time/alarmtimer.c
 +++ b/kernel/time/alarmtimer.c
 @@ -693,7 +693,7 @@ static int __init alarmtimer_init(void)
@@ -69679,6 +69721,20 @@ index 013a761..c28f3fc 100644
  #define free(a) kfree(a)
  #endif
  
+diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c
+index bd2bea9..6b3c95e 100644
+--- a/lib/is_single_threaded.c
++++ b/lib/is_single_threaded.c
+@@ -22,6 +22,9 @@ bool current_is_single_threaded(void)
+ 	struct task_struct *p, *t;
+ 	bool ret;
+ 
++	if (!mm)
++		return true;
++
+ 	if (atomic_read(&task->signal->live) != 1)
+ 		return false;
+ 
 diff --git a/lib/kref.c b/lib/kref.c
 index 3efb882..8492f4c 100644
 --- a/lib/kref.c
@@ -69916,18 +69972,10 @@ index d819d93..468e18f 100644
  		cond_resched();
  	}
 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index bb28a5f..fef0140 100644
+index 73f17c0..fef0140 100644
 --- a/mm/hugetlb.c
 +++ b/mm/hugetlb.c
-@@ -576,6 +576,7 @@ static void prep_compound_gigantic_page(struct page *page, unsigned long order)
- 	__SetPageHead(page);
- 	for (i = 1; i < nr_pages; i++, p = mem_map_next(p, page, i)) {
- 		__SetPageTail(p);
-+		set_page_count(p, 0);
- 		p->first_page = page;
- 	}
- }
-@@ -2346,6 +2347,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2347,6 +2347,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
  	return 1;
  }
  
@@ -69955,7 +70003,7 @@ index bb28a5f..fef0140 100644
  /*
   * Hugetlb_cow() should be called with page lock of the original hugepage held.
   */
-@@ -2449,6 +2471,11 @@ retry_avoidcopy:
+@@ -2450,6 +2471,11 @@ retry_avoidcopy:
  				make_huge_pte(vma, new_page, 1));
  		page_remove_rmap(old_page);
  		hugepage_add_new_anon_rmap(new_page, vma, address);
@@ -69967,7 +70015,7 @@ index bb28a5f..fef0140 100644
  		/* Make the old page be freed below */
  		new_page = old_page;
  		mmu_notifier_invalidate_range_end(mm,
-@@ -2600,6 +2627,10 @@ retry:
+@@ -2601,6 +2627,10 @@ retry:
  				&& (vma->vm_flags & VM_SHARED)));
  	set_huge_pte_at(mm, address, ptep, new_pte);
  
@@ -69978,7 +70026,7 @@ index bb28a5f..fef0140 100644
  	if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
  		/* Optimization, do the COW without a second fault */
  		ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
-@@ -2629,6 +2660,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2630,6 +2660,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	static DEFINE_MUTEX(hugetlb_instantiation_mutex);
  	struct hstate *h = hstate_vma(vma);
  
@@ -69989,7 +70037,7 @@ index bb28a5f..fef0140 100644
  	ptep = huge_pte_offset(mm, address);
  	if (ptep) {
  		entry = huge_ptep_get(ptep);
-@@ -2640,6 +2675,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2641,6 +2675,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  			       VM_FAULT_SET_HINDEX(h - hstates);
  	}
  
@@ -72683,7 +72731,7 @@ index 626303b..e9a1785 100644
  	if (oom_unkillable_task(p, mem, nodemask))
  		return 0;
 diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 6e8ecb6..d9e3d7a 100644
+index e8fae15..18c0442 100644
 --- a/mm/page_alloc.c
 +++ b/mm/page_alloc.c
 @@ -340,7 +340,7 @@ out:
@@ -72695,16 +72743,6 @@ index 6e8ecb6..d9e3d7a 100644
  {
  	__free_pages_ok(page, compound_order(page));
  }
-@@ -355,8 +355,8 @@ void prep_compound_page(struct page *page, unsigned long order)
- 	__SetPageHead(page);
- 	for (i = 1; i < nr_pages; i++) {
- 		struct page *p = page + i;
--
- 		__SetPageTail(p);
-+		set_page_count(p, 0);
- 		p->first_page = page;
- 	}
- }
 @@ -653,6 +653,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
  	int i;
  	int bad = 0;
@@ -72763,20 +72801,12 @@ index 6e8ecb6..d9e3d7a 100644
  			return 1;
  	}
  	return 0;
-@@ -3373,6 +3393,7 @@ static void setup_zone_migrate_reserve(struct zone *zone)
- 	/* Get the start pfn, end pfn and the number of blocks to reserve */
- 	start_pfn = zone->zone_start_pfn;
- 	end_pfn = start_pfn + zone->spanned_pages;
-+	start_pfn = roundup(start_pfn, pageblock_nr_pages);
- 	reserve = roundup(min_wmark_pages(zone), pageblock_nr_pages) >>
- 							pageblock_order;
- 
 diff --git a/mm/percpu.c b/mm/percpu.c
-index bf80e55..c7c3f9a 100644
+index 93b5a7c..28d642c 100644
 --- a/mm/percpu.c
 +++ b/mm/percpu.c
-@@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu __read_mostly;
- static unsigned int pcpu_last_unit_cpu __read_mostly;
+@@ -121,7 +121,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly;
+ static unsigned int pcpu_high_unit_cpu __read_mostly;
  
  /* the address of the first chunk which starts with the kernel static area */
 -void *pcpu_base_addr __read_mostly;
@@ -73806,7 +73836,7 @@ index 88ea1bd..0f1dfdb 100644
  	mm->unmap_area = arch_unmap_area;
  }
 diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index 56faf31..862c072 100644
+index 3a65d6f7..862c072 100644
 --- a/mm/vmalloc.c
 +++ b/mm/vmalloc.c
 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
@@ -73955,16 +73985,7 @@ index 56faf31..862c072 100644
  	area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST,
  				  start, end, node, gfp_mask, caller);
  
-@@ -1634,6 +1696,8 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
- 		return NULL;
- 
- 	addr = __vmalloc_area_node(area, gfp_mask, prot, node, caller);
-+	if (!addr)
-+		return NULL;
- 
- 	/*
- 	 * In this function, newly allocated vm_struct is not added
-@@ -1672,6 +1736,7 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
+@@ -1674,6 +1736,7 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
  				gfp_mask, prot, node, caller);
  }
  
@@ -73972,7 +73993,7 @@ index 56faf31..862c072 100644
  void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
  {
  	return __vmalloc_node(size, 1, gfp_mask, prot, -1,
-@@ -1695,6 +1760,7 @@ static inline void *__vmalloc_node_flags(unsigned long size,
+@@ -1697,6 +1760,7 @@ static inline void *__vmalloc_node_flags(unsigned long size,
   *	For tight control over page level allocator and protection flags
   *	use __vmalloc() instead.
   */
@@ -73980,7 +74001,7 @@ index 56faf31..862c072 100644
  void *vmalloc(unsigned long size)
  {
  	return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
-@@ -1711,6 +1777,7 @@ EXPORT_SYMBOL(vmalloc);
+@@ -1713,6 +1777,7 @@ EXPORT_SYMBOL(vmalloc);
   *	For tight control over page level allocator and protection flags
   *	use __vmalloc() instead.
   */
@@ -73988,7 +74009,7 @@ index 56faf31..862c072 100644
  void *vzalloc(unsigned long size)
  {
  	return __vmalloc_node_flags(size, -1,
-@@ -1725,6 +1792,7 @@ EXPORT_SYMBOL(vzalloc);
+@@ -1727,6 +1792,7 @@ EXPORT_SYMBOL(vzalloc);
   * The resulting memory area is zeroed so it can be mapped to userspace
   * without leaking data.
   */
@@ -73996,7 +74017,7 @@ index 56faf31..862c072 100644
  void *vmalloc_user(unsigned long size)
  {
  	struct vm_struct *area;
-@@ -1752,6 +1820,7 @@ EXPORT_SYMBOL(vmalloc_user);
+@@ -1754,6 +1820,7 @@ EXPORT_SYMBOL(vmalloc_user);
   *	For tight control over page level allocator and protection flags
   *	use __vmalloc() instead.
   */
@@ -74004,7 +74025,7 @@ index 56faf31..862c072 100644
  void *vmalloc_node(unsigned long size, int node)
  {
  	return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
-@@ -1771,6 +1840,7 @@ EXPORT_SYMBOL(vmalloc_node);
+@@ -1773,6 +1840,7 @@ EXPORT_SYMBOL(vmalloc_node);
   * For tight control over page level allocator and protection flags
   * use __vmalloc_node() instead.
   */
@@ -74012,7 +74033,7 @@ index 56faf31..862c072 100644
  void *vzalloc_node(unsigned long size, int node)
  {
  	return __vmalloc_node_flags(size, node,
-@@ -1793,10 +1863,10 @@ EXPORT_SYMBOL(vzalloc_node);
+@@ -1795,10 +1863,10 @@ EXPORT_SYMBOL(vzalloc_node);
   *	For tight control over page level allocator and protection flags
   *	use __vmalloc() instead.
   */
@@ -74025,7 +74046,7 @@ index 56faf31..862c072 100644
  			      -1, __builtin_return_address(0));
  }
  
-@@ -1815,6 +1885,7 @@ void *vmalloc_exec(unsigned long size)
+@@ -1817,6 +1885,7 @@ void *vmalloc_exec(unsigned long size)
   *	Allocate enough 32bit PA addressable pages to cover @size from the
   *	page level allocator and map them into contiguous kernel virtual space.
   */
@@ -74033,7 +74054,7 @@ index 56faf31..862c072 100644
  void *vmalloc_32(unsigned long size)
  {
  	return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
-@@ -1829,6 +1900,7 @@ EXPORT_SYMBOL(vmalloc_32);
+@@ -1831,6 +1900,7 @@ EXPORT_SYMBOL(vmalloc_32);
   * The resulting memory area is 32bit addressable and zeroed so it can be
   * mapped to userspace without leaking data.
   */
@@ -74041,7 +74062,7 @@ index 56faf31..862c072 100644
  void *vmalloc_32_user(unsigned long size)
  {
  	struct vm_struct *area;
-@@ -2091,6 +2163,8 @@ int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
+@@ -2093,6 +2163,8 @@ int remap_vmalloc_range(struct vm_area_struct *vma, void *addr,
  	unsigned long uaddr = vma->vm_start;
  	unsigned long usize = vma->vm_end - vma->vm_start;
  
diff --git a/3.1.5/4421_grsec-remove-localversion-grsec.patch b/3.1.6/4421_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.1.5/4421_grsec-remove-localversion-grsec.patch
+++ b/3.1.6/4421_grsec-remove-localversion-grsec.patch
diff --git a/3.1.5/4422_grsec-mute-warnings.patch b/3.1.6/4422_grsec-mute-warnings.patch
index e85abd6..e85abd6 100644
--- a/3.1.5/4422_grsec-mute-warnings.patch
+++ b/3.1.6/4422_grsec-mute-warnings.patch
diff --git a/3.1.5/4423_grsec-remove-protected-paths.patch b/3.1.6/4423_grsec-remove-protected-paths.patch
index 4afb3e2..4afb3e2 100644
--- a/3.1.5/4423_grsec-remove-protected-paths.patch
+++ b/3.1.6/4423_grsec-remove-protected-paths.patch
diff --git a/3.1.5/4425_grsec-pax-without-grsec.patch b/3.1.6/4425_grsec-pax-without-grsec.patch
index 97e8837..97e8837 100644
--- a/3.1.5/4425_grsec-pax-without-grsec.patch
+++ b/3.1.6/4425_grsec-pax-without-grsec.patch
diff --git a/3.1.5/4430_grsec-kconfig-default-gids.patch b/3.1.6/4430_grsec-kconfig-default-gids.patch
index 453cb8d..453cb8d 100644
--- a/3.1.5/4430_grsec-kconfig-default-gids.patch
+++ b/3.1.6/4430_grsec-kconfig-default-gids.patch
diff --git a/3.1.5/4435_grsec-kconfig-gentoo.patch b/3.1.6/4435_grsec-kconfig-gentoo.patch
index d9083f4..d9083f4 100644
--- a/3.1.5/4435_grsec-kconfig-gentoo.patch
+++ b/3.1.6/4435_grsec-kconfig-gentoo.patch
diff --git a/3.1.5/4437-grsec-kconfig-proc-user.patch b/3.1.6/4437-grsec-kconfig-proc-user.patch
index fb20d59..fb20d59 100644
--- a/3.1.5/4437-grsec-kconfig-proc-user.patch
+++ b/3.1.6/4437-grsec-kconfig-proc-user.patch
diff --git a/3.1.5/4440_selinux-avc_audit-log-curr_ip.patch b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
index 56c8ef1..56c8ef1 100644
--- a/3.1.5/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/3.1.6/4440_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.1.5/4445_disable-compat_vdso.patch b/3.1.6/4445_disable-compat_vdso.patch
index 737dcca..737dcca 100644
--- a/3.1.5/4445_disable-compat_vdso.patch
+++ b/3.1.6/4445_disable-compat_vdso.patch