authorAnthony G. Basile <blueness@gentoo.org>2013-03-12 09:24:53 -0400
committerAnthony G. Basile <blueness@gentoo.org>2013-03-12 09:24:53 -0400
commit5887bfa1ed303153a33e8909165ea760a787f68d (patch)
treee981cbe31e5f8810f857e535310f803ed0cf3bcc
parentGrsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.2}-201303082215 (diff)
downloadhardened-patchset-20130311.tar.gz
hardened-patchset-20130311.tar.bz2
hardened-patchset-20130311.zip
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.40,3.8.2}-20130311184520130311
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch)88
-rw-r--r--3.2.40/0000_README2
-rw-r--r--3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch (renamed from 3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch)136
-rw-r--r--3.8.2/0000_README2
-rw-r--r--3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch (renamed from 3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch)425
5 files changed, 508 insertions, 145 deletions
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch
index 0660165..844bced 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303082034.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201303111841.patch
@@ -22169,10 +22169,10 @@ index 3149032..14f1053 100644
return 0;
/* 64-bit mode: REX prefix */
diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
-index dee1ff7..d0e3ef7 100644
+index dee1ff7..585a36b 100644
--- a/arch/x86/kernel/sys_i386_32.c
+++ b/arch/x86/kernel/sys_i386_32.c
-@@ -24,6 +24,21 @@
+@@ -24,6 +24,22 @@
#include <asm/syscalls.h>
@@ -22185,8 +22185,9 @@ index dee1ff7..d0e3ef7 100644
+ pax_task_size = SEGMEXEC_TASK_SIZE;
+#endif
+
-+ if (len > pax_task_size || addr > pax_task_size - len)
-+ return -EINVAL;
++ if (flags & MAP_FIXED)
++ if (len > pax_task_size || addr > pax_task_size - len)
++ return -EINVAL;
+
+ return 0;
+}
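Review bot: The added `if (flags & MAP_FIXED)` wraps a second `if` without braces, and the pair reads more safely as one condition: `if ((flags & MAP_FIXED) && (len > pax_task_size || addr > pax_task_size - len))`. With this change a request without MAP_FIXED whose `len` exceeds `pax_task_size` gets 0 back from this helper, so the size limit for such mappings has to be enforced by whatever chooses the address afterwards. That code is not in the hunk, so a one-line comment naming where the limit is applied would help. The function starts outside the hunk, and the same change is repeated in the 3.2.40 and 3.8.2 patches further down.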
@@ -22194,7 +22195,7 @@ index dee1ff7..d0e3ef7 100644
/*
* Perform the select(nd, in, out, ex, tv) and mmap() system
* calls. Linux/i386 didn't use to be able to handle more than
-@@ -58,6 +73,214 @@ out:
+@@ -58,6 +74,214 @@ out:
return err;
}
@@ -22409,7 +22410,7 @@ index dee1ff7..d0e3ef7 100644
struct sel_arg_struct {
unsigned long n;
-@@ -93,7 +316,7 @@ asmlinkage int sys_ipc(uint call, int first, int second,
+@@ -93,7 +317,7 @@ asmlinkage int sys_ipc(uint call, int first, int second,
return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
case SEMTIMEDOP:
return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
@@ -22418,7 +22419,7 @@ index dee1ff7..d0e3ef7 100644
case SEMGET:
return sys_semget(first, second, third);
-@@ -140,7 +363,7 @@ asmlinkage int sys_ipc(uint call, int first, int second,
+@@ -140,7 +364,7 @@ asmlinkage int sys_ipc(uint call, int first, int second,
ret = do_shmat(first, (char __user *) ptr, second, &raddr);
if (ret)
return ret;
@@ -22427,7 +22428,7 @@ index dee1ff7..d0e3ef7 100644
}
case 1: /* iBCS2 emulator entry point */
if (!segment_eq(get_fs(), get_ds()))
-@@ -207,17 +430,3 @@ asmlinkage int sys_olduname(struct oldold_utsname __user *name)
+@@ -207,17 +431,3 @@ asmlinkage int sys_olduname(struct oldold_utsname __user *name)
return error;
}
@@ -83601,7 +83602,7 @@ index b080b79..d957e63 100644
}
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 3b7b82a..0655a0f 100644
+index 3b7b82a..43956d4 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -8,12 +8,19 @@
@@ -83624,7 +83625,7 @@ index 3b7b82a..0655a0f 100644
void task_mem(struct seq_file *m, struct mm_struct *mm)
{
unsigned long data, text, lib;
-@@ -46,15 +53,27 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
+@@ -46,15 +53,32 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
"VmStk:\t%8lu kB\n"
"VmExe:\t%8lu kB\n"
"VmLib:\t%8lu kB\n"
@@ -83647,15 +83648,20 @@ index 3b7b82a..0655a0f 100644
+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
+
+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base
+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit
++#else
++ , mm->context.user_cs_base
++ , mm->context.user_cs_limit
++#endif
+#endif
+
+ );
}
unsigned long task_vsize(struct mm_struct *mm)
-@@ -175,7 +194,8 @@ static void m_stop(struct seq_file *m, void *v)
+@@ -175,7 +199,8 @@ static void m_stop(struct seq_file *m, void *v)
struct proc_maps_private *priv = m->private;
struct vm_area_struct *vma = v;
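Review bot: In the `task_mem()` argument list the new `#else` branch passes `mm->context.user_cs_base` and `mm->context.user_cs_limit` unmasked, and nothing records that this is intended. A comment on the `#else` such as `/* without GRKERNSEC_PROC_MEMMAP the segment base/limit are reported as-is */`, plus `#endif /* CONFIG_GRKERNSEC_PROC_MEMMAP */` on the inner `#endif`, would make the two stacked `#endif` lines readable. Presumably `PAX_RAND_FLAGS` is only defined when that option is set, which would make this a build fix, but the definition is not visible here. The same lines are added to the 3.2.40 patch.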
@@ -83665,7 +83671,7 @@ index 3b7b82a..0655a0f 100644
if (priv->task)
put_task_struct(priv->task);
}
-@@ -206,7 +226,6 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -206,7 +231,6 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
int flags = vma->vm_flags;
unsigned long ino = 0;
unsigned long long pgoff = 0;
@@ -83673,7 +83679,7 @@ index 3b7b82a..0655a0f 100644
dev_t dev = 0;
int len;
-@@ -217,20 +236,23 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -217,20 +241,23 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
}
@@ -83704,7 +83710,7 @@ index 3b7b82a..0655a0f 100644
MAJOR(dev), MINOR(dev), ino, &len);
/*
-@@ -239,7 +261,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -239,7 +266,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
*/
if (file) {
pad_len_spaces(m, len);
@@ -83713,7 +83719,7 @@ index 3b7b82a..0655a0f 100644
} else {
const char *name = arch_vma_name(vma);
if (!name) {
-@@ -247,8 +269,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -247,8 +274,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
if (vma->vm_start <= mm->brk &&
vma->vm_end >= mm->start_brk) {
name = "[heap]";
@@ -83725,7 +83731,7 @@ index 3b7b82a..0655a0f 100644
name = "[stack]";
}
} else {
-@@ -269,6 +292,13 @@ static int show_map(struct seq_file *m, void *v)
+@@ -269,6 +297,13 @@ static int show_map(struct seq_file *m, void *v)
struct proc_maps_private *priv = m->private;
struct task_struct *task = priv->task;
@@ -83739,7 +83745,7 @@ index 3b7b82a..0655a0f 100644
show_map_vma(m, vma);
if (m->count < m->size) /* vma is copied successfully */
-@@ -390,10 +420,23 @@ static int show_smap(struct seq_file *m, void *v)
+@@ -390,10 +425,23 @@ static int show_smap(struct seq_file *m, void *v)
.private = &mss,
};
@@ -83766,7 +83772,7 @@ index 3b7b82a..0655a0f 100644
show_map_vma(m, vma);
-@@ -409,7 +452,11 @@ static int show_smap(struct seq_file *m, void *v)
+@@ -409,7 +457,11 @@ static int show_smap(struct seq_file *m, void *v)
"Swap: %8lu kB\n"
"KernelPageSize: %8lu kB\n"
"MMUPageSize: %8lu kB\n",
@@ -106892,7 +106898,7 @@ index 0591df8..dcf3f9f 100644
if (cpu != group_first_cpu(sd->groups))
return;
diff --git a/kernel/signal.c b/kernel/signal.c
-index 2494827..02e4288 100644
+index 2494827..3087914 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -41,12 +41,12 @@
@@ -106929,7 +106935,17 @@ index 2494827..02e4288 100644
if (override_rlimit ||
atomic_read(&user->sigpending) <=
t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
-@@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+@@ -320,6 +323,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+ if (force_default || ka->sa.sa_handler != SIG_IGN)
+ ka->sa.sa_handler = SIG_DFL;
+ ka->sa.sa_flags = 0;
++#ifdef SA_RESTORER
++ ka->sa.sa_restorer = NULL;
++#endif
+ sigemptyset(&ka->sa.sa_mask);
+ ka++;
+ }
+@@ -327,7 +333,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
int unhandled_signal(struct task_struct *tsk, int sig)
{
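Review bot: The added `ka->sa.sa_restorer = NULL;` in `flush_signal_handlers()` has no comment saying why the restorer is reset along with the handler, flags and mask. Something like `/* a restorer address from the old handlers must not outlive them */` above the `#ifdef SA_RESTORER` would record the intent. Presumably this function runs when a new program image is installed, in which case a stale pointer would otherwise carry an address from the previous image into the new one. The loop header is outside the hunk, and the 3.2.40 patch gets the same addition.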
@@ -106938,7 +106954,7 @@ index 2494827..02e4288 100644
if (is_global_init(tsk))
return 1;
if (handler != SIG_IGN && handler != SIG_DFL)
-@@ -513,23 +516,17 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
+@@ -513,23 +519,17 @@ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
* No need to set need_resched since signal event passing
* goes through ->blocked
*/
@@ -106965,7 +106981,7 @@ index 2494827..02e4288 100644
kick_process(t);
}
-@@ -627,6 +624,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
+@@ -627,6 +627,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
}
}
@@ -106979,7 +106995,7 @@ index 2494827..02e4288 100644
return security_task_kill(t, info, sig, 0);
}
-@@ -968,7 +972,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -968,7 +975,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
return send_signal(sig, info, p, 1);
}
@@ -106988,7 +107004,7 @@ index 2494827..02e4288 100644
specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
{
return send_signal(sig, info, t, 0);
-@@ -1005,6 +1009,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1005,6 +1012,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
unsigned long int flags;
int ret, blocked, ignored;
struct k_sigaction *action;
@@ -106996,7 +107012,7 @@ index 2494827..02e4288 100644
spin_lock_irqsave(&t->sighand->siglock, flags);
action = &t->sighand->action[sig-1];
-@@ -1019,9 +1024,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1019,9 +1027,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
}
if (action->sa.sa_handler == SIG_DFL)
t->signal->flags &= ~SIGNAL_UNKILLABLE;
@@ -107015,7 +107031,7 @@ index 2494827..02e4288 100644
return ret;
}
-@@ -1081,8 +1095,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1081,8 +1098,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
{
int ret = check_kill_permission(sig, info, p);
@@ -107028,7 +107044,7 @@ index 2494827..02e4288 100644
return ret;
}
-@@ -1530,6 +1547,10 @@ static inline int may_ptrace_stop(void)
+@@ -1530,6 +1550,10 @@ static inline int may_ptrace_stop(void)
* If SIGKILL was already sent before the caller unlocked
* ->siglock we must see ->core_state != NULL. Otherwise it
* is safe to enter schedule().
@@ -107039,7 +107055,7 @@ index 2494827..02e4288 100644
*/
if (unlikely(current->mm->core_state) &&
unlikely(current->mm == current->parent->mm))
-@@ -1611,6 +1632,8 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info)
+@@ -1611,6 +1635,8 @@ static void ptrace_stop(int exit_code, int clear_code, siginfo_t *info)
* By the time we got the lock, our tracer went away.
* Don't drop the lock yet, another tracer may come.
*/
@@ -107048,7 +107064,7 @@ index 2494827..02e4288 100644
__set_current_state(TASK_RUNNING);
if (clear_code)
current->exit_code = 0;
-@@ -1644,6 +1667,8 @@ void ptrace_notify(int exit_code)
+@@ -1644,6 +1670,8 @@ void ptrace_notify(int exit_code)
{
siginfo_t info;
@@ -107057,7 +107073,7 @@ index 2494827..02e4288 100644
BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
memset(&info, 0, sizeof info);
-@@ -2275,7 +2300,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -2275,7 +2303,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
int error = -ESRCH;
rcu_read_lock();
@@ -114315,6 +114331,18 @@ index 4538a34..d53ed34 100644
}
EXPORT_SYMBOL(sock_init_data);
+diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
+index ac1205d..813fe4b 100644
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -307,6 +307,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlattr **tb,
+ dcb->dcb_family = AF_UNSPEC;
+ dcb->cmd = DCB_CMD_GPERM_HWADDR;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index 34dcc79..f51ed45 100644
--- a/net/dccp/ccids/ccid3.c
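Review bot: The `memset(perm_addr, 0, sizeof(perm_addr))` added before `getpermhwaddr()` deserves a short comment, because the reason only shows two lines later, where `nla_put()` copies all `sizeof(perm_addr)` bytes into the reply. Suggested: `/* the driver may fill only part of perm_addr; do not send leftover bytes to userspace */`. The declaration of `perm_addr` is outside the hunk, so zero-initialising it there is an alternative I cannot check. The 3.2.40 patch adds the same call plus matching `memset(&ets, ...)`, `memset(&pfc, ...)` and `memset(&pg, ...)` before each `NLA_PUT`, and the same comment applies there.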
diff --git a/3.2.40/0000_README b/3.2.40/0000_README
index fd368e5..173a1e3 100644
--- a/3.2.40/0000_README
+++ b/3.2.40/0000_README
@@ -78,7 +78,7 @@ Patch: 1039_linux-3.2.40.patch
From: http://www.kernel.org
Desc: Linux 3.2.40
-Patch: 4420_grsecurity-2.9.1-3.2.40-201303082037.patch
+Patch: 4420_grsecurity-2.9.1-3.2.40-201303111844.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch
index 774963f..94cafc4 100644
--- a/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303082037.patch
+++ b/3.2.40/4420_grsecurity-2.9.1-3.2.40-201303111844.patch
@@ -20387,10 +20387,10 @@ index d4f278e..86c58c0 100644
for (i = 0; i < copied; i++) {
switch (opcode[i]) {
diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
-index 0b0cb5f..26bb1af 100644
+index 0b0cb5f..207bec6 100644
--- a/arch/x86/kernel/sys_i386_32.c
+++ b/arch/x86/kernel/sys_i386_32.c
-@@ -24,17 +24,226 @@
+@@ -24,17 +24,227 @@
#include <asm/syscalls.h>
@@ -20415,8 +20415,9 @@ index 0b0cb5f..26bb1af 100644
+ pax_task_size = SEGMEXEC_TASK_SIZE;
+#endif
+
-+ if (len > pax_task_size || addr > pax_task_size - len)
-+ return -EINVAL;
++ if (flags & MAP_FIXED)
++ if (len > pax_task_size || addr > pax_task_size - len)
++ return -EINVAL;
+
+ return 0;
+}
@@ -52514,7 +52515,7 @@ index 03102d9..4ae347e 100644
}
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index 3efa725..6d85d94 100644
+index 3efa725..27582ca 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -11,12 +11,19 @@
@@ -52553,7 +52554,7 @@ index 3efa725..6d85d94 100644
(total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
mm->locked_vm << (PAGE_SHIFT-10),
mm->pinned_vm << (PAGE_SHIFT-10),
-@@ -62,7 +74,14 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
+@@ -62,7 +74,19 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
data << (PAGE_SHIFT-10),
mm->stack_vm << (PAGE_SHIFT-10), text, lib,
(PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
@@ -52561,15 +52562,20 @@ index 3efa725..6d85d94 100644
+ swap << (PAGE_SHIFT-10)
+
+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base
+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit
++#else
++ , mm->context.user_cs_base
++ , mm->context.user_cs_limit
++#endif
+#endif
+
+ );
}
unsigned long task_vsize(struct mm_struct *mm)
-@@ -125,7 +144,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
+@@ -125,7 +149,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
if (!priv->task)
return ERR_PTR(-ESRCH);
@@ -52578,7 +52584,7 @@ index 3efa725..6d85d94 100644
if (!mm || IS_ERR(mm))
return mm;
down_read(&mm->mmap_sem);
-@@ -227,13 +246,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -227,13 +251,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
}
@@ -52597,7 +52603,7 @@ index 3efa725..6d85d94 100644
seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
start,
-@@ -242,7 +261,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -242,7 +266,11 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
flags & VM_WRITE ? 'w' : '-',
flags & VM_EXEC ? 'x' : '-',
flags & VM_MAYSHARE ? 's' : 'p',
@@ -52609,7 +52615,7 @@ index 3efa725..6d85d94 100644
MAJOR(dev), MINOR(dev), ino, &len);
/*
-@@ -251,7 +274,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -251,7 +279,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
*/
if (file) {
pad_len_spaces(m, len);
@@ -52618,7 +52624,7 @@ index 3efa725..6d85d94 100644
} else {
const char *name = arch_vma_name(vma);
if (!name) {
-@@ -259,8 +282,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
+@@ -259,8 +287,9 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
if (vma->vm_start <= mm->brk &&
vma->vm_end >= mm->start_brk) {
name = "[heap]";
@@ -52630,7 +52636,7 @@ index 3efa725..6d85d94 100644
name = "[stack]";
}
} else {
-@@ -281,6 +305,13 @@ static int show_map(struct seq_file *m, void *v)
+@@ -281,6 +310,13 @@ static int show_map(struct seq_file *m, void *v)
struct proc_maps_private *priv = m->private;
struct task_struct *task = priv->task;
@@ -52644,7 +52650,7 @@ index 3efa725..6d85d94 100644
show_map_vma(m, vma);
if (m->count < m->size) /* vma is copied successfully */
-@@ -437,12 +468,23 @@ static int show_smap(struct seq_file *m, void *v)
+@@ -437,12 +473,23 @@ static int show_smap(struct seq_file *m, void *v)
.private = &mss,
};
@@ -52673,7 +52679,7 @@ index 3efa725..6d85d94 100644
show_map_vma(m, vma);
seq_printf(m,
-@@ -460,7 +502,11 @@ static int show_smap(struct seq_file *m, void *v)
+@@ -460,7 +507,11 @@ static int show_smap(struct seq_file *m, void *v)
"KernelPageSize: %8lu kB\n"
"MMUPageSize: %8lu kB\n"
"Locked: %8lu kB\n",
@@ -52685,7 +52691,7 @@ index 3efa725..6d85d94 100644
mss.resident >> 10,
(unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
mss.shared_clean >> 10,
-@@ -798,7 +844,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
+@@ -798,7 +849,7 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
if (!pm.buffer)
goto out_task;
@@ -52694,7 +52700,7 @@ index 3efa725..6d85d94 100644
ret = PTR_ERR(mm);
if (!mm || IS_ERR(mm))
goto out_free;
-@@ -1024,6 +1070,13 @@ static int show_numa_map(struct seq_file *m, void *v)
+@@ -1024,6 +1075,13 @@ static int show_numa_map(struct seq_file *m, void *v)
int n;
char buffer[50];
@@ -52708,7 +52714,7 @@ index 3efa725..6d85d94 100644
if (!mm)
return 0;
-@@ -1041,11 +1094,15 @@ static int show_numa_map(struct seq_file *m, void *v)
+@@ -1041,11 +1099,15 @@ static int show_numa_map(struct seq_file *m, void *v)
mpol_to_str(buffer, sizeof(buffer), pol, 0);
mpol_cond_put(pol);
@@ -73568,7 +73574,7 @@ index 66e4576..d05c6d5 100644
int this_cpu = smp_processor_id();
struct rq *this_rq = cpu_rq(this_cpu);
diff --git a/kernel/signal.c b/kernel/signal.c
-index d2f55ea..4dc47a0 100644
+index d2f55ea..5725e4f 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -73605,7 +73611,17 @@ index d2f55ea..4dc47a0 100644
if (override_rlimit ||
atomic_read(&user->sigpending) <=
task_rlimit(t, RLIMIT_SIGPENDING)) {
-@@ -488,7 +491,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+@@ -481,6 +484,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+ if (force_default || ka->sa.sa_handler != SIG_IGN)
+ ka->sa.sa_handler = SIG_DFL;
+ ka->sa.sa_flags = 0;
++#ifdef SA_RESTORER
++ ka->sa.sa_restorer = NULL;
++#endif
+ sigemptyset(&ka->sa.sa_mask);
+ ka++;
+ }
+@@ -488,7 +494,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
int unhandled_signal(struct task_struct *tsk, int sig)
{
@@ -73614,7 +73630,7 @@ index d2f55ea..4dc47a0 100644
if (is_global_init(tsk))
return 1;
if (handler != SIG_IGN && handler != SIG_DFL)
-@@ -809,6 +812,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
+@@ -809,6 +815,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
}
}
@@ -73628,7 +73644,7 @@ index d2f55ea..4dc47a0 100644
return security_task_kill(t, info, sig, 0);
}
-@@ -1159,7 +1169,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1159,7 +1172,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
return send_signal(sig, info, p, 1);
}
@@ -73637,7 +73653,7 @@ index d2f55ea..4dc47a0 100644
specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
{
return send_signal(sig, info, t, 0);
-@@ -1196,6 +1206,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1196,6 +1209,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
unsigned long int flags;
int ret, blocked, ignored;
struct k_sigaction *action;
@@ -73645,7 +73661,7 @@ index d2f55ea..4dc47a0 100644
spin_lock_irqsave(&t->sighand->siglock, flags);
action = &t->sighand->action[sig-1];
-@@ -1210,9 +1221,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1210,9 +1224,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
}
if (action->sa.sa_handler == SIG_DFL)
t->signal->flags &= ~SIGNAL_UNKILLABLE;
@@ -73664,7 +73680,7 @@ index d2f55ea..4dc47a0 100644
return ret;
}
-@@ -1279,8 +1299,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1279,8 +1302,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
ret = check_kill_permission(sig, info, p);
rcu_read_unlock();
@@ -73677,7 +73693,7 @@ index d2f55ea..4dc47a0 100644
return ret;
}
-@@ -2762,7 +2785,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -2762,7 +2788,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
int error = -ESRCH;
rcu_read_lock();
@@ -81453,7 +81469,7 @@ index c40f27e..7f49254 100644
m->msg_iov = iov;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index 5229c7f..6cb13fa 100644
+index 5229c7f..d5c2289 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -57,7 +57,7 @@ struct rtnl_link {
@@ -81465,6 +81481,14 @@ index 5229c7f..6cb13fa 100644
static DEFINE_MUTEX(rtnl_mutex);
+@@ -973,6 +973,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
+ * report anything.
+ */
+ ivi.spoofchk = -1;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf =
diff --git a/net/core/scm.c b/net/core/scm.c
index ff52ad0..aff1c0f 100644
--- a/net/core/scm.c
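Review bot: Only `ivi.mac` is cleared before `ndo_get_vf_config()` in `rtnl_fill_ifinfo()`, so any other member of `ivi` that a driver leaves unset, and any padding, keeps its previous contents. The declaration of `ivi` and the code that copies it into the netlink message are outside the hunk, so whether other members reach userspace cannot be confirmed here. If they do, a whole-struct `memset(&ivi, 0, sizeof(ivi));` placed before the `ivi.spoofchk = -1;` default would cover every member at once.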
@@ -81610,6 +81634,66 @@ index 1e8a882..af175b4 100644
}
EXPORT_SYMBOL(sock_init_data);
+diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
+index d860530..2f9517d 100644
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -336,6 +336,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlattr **tb,
+ dcb->dcb_family = AF_UNSPEC;
+ dcb->cmd = DCB_CMD_GPERM_HWADDR;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
+@@ -1238,6 +1239,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets);
+@@ -1245,6 +1247,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc);
+@@ -1277,6 +1280,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* get peer info if available */
+ if (ops->ieee_peer_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_peer_getets(netdev, &ets);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets);
+@@ -1284,6 +1288,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_peer_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc);
+@@ -1463,6 +1468,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* peer info if available */
+ if (ops->cee_peer_getpg) {
+ struct cee_pg pg;
++ memset(&pg, 0, sizeof(pg));
+ err = ops->cee_peer_getpg(netdev, &pg);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg);
+@@ -1470,6 +1476,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->cee_peer_getpfc) {
+ struct cee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->cee_peer_getpfc(netdev, &pfc);
+ if (!err)
+ NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc);
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 19acd00..dcb43f2 100644
--- a/net/decnet/af_decnet.c
diff --git a/3.8.2/0000_README b/3.8.2/0000_README
index ff4a56d..3b4b3f3 100644
--- a/3.8.2/0000_README
+++ b/3.8.2/0000_README
@@ -6,7 +6,7 @@ Patch: 1001_linux-3.8.1.patch
From: http://www.kernel.org
Desc: Linux 3.8.1
-Patch: 4420_grsecurity-2.9.1-3.8.2-201303082215.patch
+Patch: 4420_grsecurity-2.9.1-3.8.2-201303111845.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch b/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch
index 6e0e897..e088f8a 100644
--- a/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303082215.patch
+++ b/3.8.2/4420_grsecurity-2.9.1-3.8.2-201303111845.patch
@@ -225,7 +225,7 @@ index b89a739..b47493f 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 986614d..0afd461 100644
+index 986614d..e8bfedc 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -922,6 +922,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
@@ -239,7 +239,7 @@ index 986614d..0afd461 100644
hashdist= [KNL,NUMA] Large hashes allocated during boot
are distributed across NUMA nodes. Defaults on
for 64-bit NUMA, off otherwise.
-@@ -2121,6 +2125,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -2121,6 +2125,18 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -250,6 +250,11 @@ index 986614d..0afd461 100644
+
+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
+
++ pax_extra_latent_entropy
++ Enable a very simple form of latent entropy extraction
++ from the first 4GB of memory as the bootmem allocator
++ passes the memory pages to the buddy allocator.
++
pcbit= [HW,ISDN]
pcd. [PARIDE]
@@ -2798,6 +2803,26 @@ index 1e9be5d..03edbc2 100644
#endif
int
+diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
+index 07314af..c46655c 100644
+--- a/arch/arm/kernel/patch.c
++++ b/arch/arm/kernel/patch.c
+@@ -18,6 +18,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn)
+ bool thumb2 = IS_ENABLED(CONFIG_THUMB2_KERNEL);
+ int size;
+
++ pax_open_kernel();
+ if (thumb2 && __opcode_is_thumb16(insn)) {
+ *(u16 *)addr = __opcode_to_mem_thumb16(insn);
+ size = sizeof(u16);
+@@ -39,6 +40,7 @@ void __kprobes __patch_text(void *addr, unsigned int insn)
+ *(u32 *)addr = insn;
+ size = sizeof(u32);
+ }
++ pax_close_kernel();
+
+ flush_icache_range((uintptr_t)(addr),
+ (uintptr_t)(addr) + size);
diff --git a/arch/arm/kernel/perf_event_cpu.c b/arch/arm/kernel/perf_event_cpu.c
index 5f66206..dce492f 100644
--- a/arch/arm/kernel/perf_event_cpu.c
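Review bot: `pax_open_kernel()` and `pax_close_kernel()` in `__patch_text()` are added in two separate hunks, and the branches between them are not shown, so it is worth confirming that every path from the open call reaches the close call. Presumably the pair lifts and restores write protection on kernel memory, in which case an early exit in the hidden stretch would leave it lifted. A comment next to the first call, for example `/* kernel text is writable only until pax_close_kernel() below */`, would make the pairing explicit for later edits to the function.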
@@ -22328,10 +22353,10 @@ index 9b4d51d..5d28b58 100644
switch (opcode[i]) {
diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
new file mode 100644
-index 0000000..26bb1af
+index 0000000..207bec6
--- /dev/null
+++ b/arch/x86/kernel/sys_i386_32.c
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,250 @@
+/*
+ * This file contains various random system calls that
+ * have a non-standard calling sequence on the Linux/i386
@@ -22367,8 +22392,9 @@ index 0000000..26bb1af
+ pax_task_size = SEGMEXEC_TASK_SIZE;
+#endif
+
-+ if (len > pax_task_size || addr > pax_task_size - len)
-+ return -EINVAL;
++ if (flags & MAP_FIXED)
++ if (len > pax_task_size || addr > pax_task_size - len)
++ return -EINVAL;
+
+ return 0;
+}
@@ -31370,9 +31396,18 @@ index be60399..778b33e8 100644
bgrt_kobj = kobject_create_and_add("bgrt", acpi_kobj);
if (!bgrt_kobj)
diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
-index cb96296..2d6082b 100644
+index cb96296..b81293b 100644
--- a/drivers/acpi/blacklist.c
+++ b/drivers/acpi/blacklist.c
+@@ -52,7 +52,7 @@ struct acpi_blacklist_item {
+ u32 is_critical_error;
+ };
+
+-static struct dmi_system_id acpi_osi_dmi_table[] __initdata;
++static const struct dmi_system_id acpi_osi_dmi_table[] __initconst;
+
+ /*
+ * POLICY: If *anything* doesn't work, put it on the blacklist.
@@ -193,7 +193,7 @@ static int __init dmi_disable_osi_win7(const struct dmi_system_id *d)
return 0;
}
@@ -43843,10 +43878,18 @@ index 4f27fdc..d3537e6 100644
}
diff --git a/drivers/video/aty/mach64_cursor.c b/drivers/video/aty/mach64_cursor.c
-index 95ec042..ae33e7a 100644
+index 95ec042..e6affdd 100644
--- a/drivers/video/aty/mach64_cursor.c
+++ b/drivers/video/aty/mach64_cursor.c
-@@ -208,7 +208,9 @@ int aty_init_cursor(struct fb_info *info)
+@@ -7,6 +7,7 @@
+ #include <linux/string.h>
+
+ #include <asm/io.h>
++#include <asm/pgtable.h>
+
+ #ifdef __sparc__
+ #include <asm/fbio.h>
+@@ -208,7 +209,9 @@ int aty_init_cursor(struct fb_info *info)
info->sprite.buf_align = 16; /* and 64 lines tall. */
info->sprite.flags = FB_PIXMAP_IO;
@@ -47369,7 +47412,7 @@ index 6043567..16a9239 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 0c42cdb..f4be023 100644
+index 0c42cdb..9551bb8 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -33,6 +33,7 @@
@@ -47866,7 +47909,7 @@ index 0c42cdb..f4be023 100644
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
if (!loc) {
-@@ -715,11 +1050,81 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -715,11 +1050,82 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
/* OK, This is the point of no return */
@@ -47887,6 +47930,7 @@ index 0c42cdb..f4be023 100644
+#ifdef CONFIG_PAX_ASLR
+ current->mm->delta_mmap = 0UL;
+ current->mm->delta_stack = 0UL;
++ current->mm->aslr_gap = 0UL;
+#endif
+
+ current->mm->def_flags = 0;
@@ -47949,7 +47993,7 @@ index 0c42cdb..f4be023 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -810,6 +1215,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -810,6 +1216,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
@@ -47970,7 +48014,7 @@ index 0c42cdb..f4be023 100644
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -842,9 +1261,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -842,9 +1262,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -47983,7 +48027,7 @@ index 0c42cdb..f4be023 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -883,17 +1302,44 @@ static int load_elf_binary(struct linux_binprm *bprm)
+@@ -883,17 +1303,44 @@ static int load_elf_binary(struct linux_binprm *bprm)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -48009,7 +48053,7 @@ index 0c42cdb..f4be023 100644
+ unsigned long prot = PROT_NONE;
+
+ up_read(&current->mm->mmap_sem);
-+ current->mm->brk_gap = PAGE_ALIGN(size) >> PAGE_SHIFT;
++ current->mm->aslr_gap += PAGE_ALIGN(size) >> PAGE_SHIFT;
+// if (current->personality & ADDR_NO_RANDOMIZE)
+// prot = PROT_READ;
+ start = vm_mmap(NULL, start, size, prot, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0);
@@ -48034,7 +48078,7 @@ index 0c42cdb..f4be023 100644
load_bias);
if (!IS_ERR((void *)elf_entry)) {
/*
-@@ -1115,7 +1561,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
+@@ -1115,7 +1562,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -48043,7 +48087,7 @@ index 0c42cdb..f4be023 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1152,7 +1598,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1152,7 +1599,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -48052,7 +48096,7 @@ index 0c42cdb..f4be023 100644
goto whole;
/*
-@@ -1374,9 +1820,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1374,9 +1821,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -48064,7 +48108,7 @@ index 0c42cdb..f4be023 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -2006,14 +2452,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -2006,14 +2453,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -48081,7 +48125,7 @@ index 0c42cdb..f4be023 100644
return size;
}
-@@ -2107,7 +2553,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2107,7 +2554,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -48090,7 +48134,7 @@ index 0c42cdb..f4be023 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -2121,10 +2567,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2121,10 +2568,12 @@ static int elf_core_dump(struct coredump_params *cprm)
offset = dataoff;
size += sizeof(*elf);
@@ -48103,7 +48147,7 @@ index 0c42cdb..f4be023 100644
if (size > cprm->limit
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
goto end_coredump;
-@@ -2138,7 +2586,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2138,7 +2587,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -48112,7 +48156,7 @@ index 0c42cdb..f4be023 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2149,6 +2597,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2149,6 +2598,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_align = ELF_EXEC_PAGESIZE;
size += sizeof(phdr);
@@ -48120,7 +48164,7 @@ index 0c42cdb..f4be023 100644
if (size > cprm->limit
|| !dump_write(cprm->file, &phdr, sizeof(phdr)))
goto end_coredump;
-@@ -2173,7 +2622,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2173,7 +2623,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -48129,7 +48173,7 @@ index 0c42cdb..f4be023 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2182,6 +2631,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2182,6 +2632,7 @@ static int elf_core_dump(struct coredump_params *cprm)
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -48137,7 +48181,7 @@ index 0c42cdb..f4be023 100644
stop = ((size += PAGE_SIZE) > cprm->limit) ||
!dump_write(cprm->file, kaddr,
PAGE_SIZE);
-@@ -2199,6 +2649,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2199,6 +2650,7 @@ static int elf_core_dump(struct coredump_params *cprm)
if (e_phnum == PN_XNUM) {
size += sizeof(*shdr4extnum);
@@ -48145,7 +48189,7 @@ index 0c42cdb..f4be023 100644
if (size > cprm->limit
|| !dump_write(cprm->file, shdr4extnum,
sizeof(*shdr4extnum)))
-@@ -2219,6 +2670,97 @@ out:
+@@ -2219,6 +2671,97 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -49502,7 +49546,7 @@ index b2a34a1..162fa69 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
-index 20df02c..9b8f78d 100644
+index 20df02c..81c9e78 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,6 +55,17 @@
@@ -49767,7 +49811,7 @@ index 20df02c..9b8f78d 100644
/* mprotect_fixup is overkill to remove the temporary stack flags */
vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
-@@ -737,6 +776,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
+@@ -737,6 +776,30 @@ int setup_arg_pages(struct linux_binprm *bprm,
#endif
current->mm->start_stack = bprm->p;
ret = expand_stack(vma, stack_base);
@@ -49784,8 +49828,11 @@ index 20df02c..9b8f78d 100644
+
+#ifdef CONFIG_X86
+ if (!ret) {
++ current->mm->aslr_gap += size >> PAGE_SHIFT;
+ size = mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
+ ret = 0 != mmap_region(NULL, 0, size, flags, vm_flags, 0);
++ if (!ret)
++ current->mm->aslr_gap += size >> PAGE_SHIFT;
+ }
+#endif
+
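Review bot: The two added `current->mm->aslr_gap += size >> PAGE_SHIFT;` lines go through `current->mm`, while the line between them already uses the local `mm` (`mm->delta_mmap ^ mm->delta_stack`). Assuming `mm` is `current->mm` in this function, `mm->aslr_gap += size >> PAGE_SHIFT;` would read consistently. The unit of the counter (pages) is only implied by the shift, so a one-line comment such as `/* aslr_gap is in pages: padding mappings not charged to the task */` would help. The first increment relies on `size` and `ret` set above this hunk, which is not visible here.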
@@ -49795,7 +49842,7 @@ index 20df02c..9b8f78d 100644
if (ret)
ret = -EFAULT;
-@@ -772,6 +832,8 @@ struct file *open_exec(const char *name)
+@@ -772,6 +835,8 @@ struct file *open_exec(const char *name)
fsnotify_open(file);
@@ -49804,7 +49851,7 @@ index 20df02c..9b8f78d 100644
err = deny_write_access(file);
if (err)
goto exit;
-@@ -795,7 +857,7 @@ int kernel_read(struct file *file, loff_t offset,
+@@ -795,7 +860,7 @@ int kernel_read(struct file *file, loff_t offset,
old_fs = get_fs();
set_fs(get_ds());
/* The cast to a user pointer is valid due to the set_fs() */
@@ -49813,7 +49860,7 @@ index 20df02c..9b8f78d 100644
set_fs(old_fs);
return result;
}
-@@ -1247,7 +1309,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1247,7 +1312,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
@@ -49822,7 +49869,7 @@ index 20df02c..9b8f78d 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1447,6 +1509,28 @@ int search_binary_handler(struct linux_binprm *bprm)
+@@ -1447,6 +1512,28 @@ int search_binary_handler(struct linux_binprm *bprm)
EXPORT_SYMBOL(search_binary_handler);
@@ -49851,7 +49898,7 @@ index 20df02c..9b8f78d 100644
/*
* sys_execve() executes a new program.
*/
-@@ -1454,6 +1538,11 @@ static int do_execve_common(const char *filename,
+@@ -1454,6 +1541,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr argv,
struct user_arg_ptr envp)
{
@@ -49863,7 +49910,7 @@ index 20df02c..9b8f78d 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1461,6 +1550,8 @@ static int do_execve_common(const char *filename,
+@@ -1461,6 +1553,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
@@ -49872,7 +49919,7 @@ index 20df02c..9b8f78d 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
-@@ -1501,12 +1592,27 @@ static int do_execve_common(const char *filename,
+@@ -1501,12 +1595,27 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
@@ -49900,7 +49947,7 @@ index 20df02c..9b8f78d 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1523,24 +1629,65 @@ static int do_execve_common(const char *filename,
+@@ -1523,24 +1632,65 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
@@ -49970,7 +50017,7 @@ index 20df02c..9b8f78d 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
-@@ -1549,6 +1696,14 @@ static int do_execve_common(const char *filename,
+@@ -1549,6 +1699,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
@@ -49985,7 +50032,7 @@ index 20df02c..9b8f78d 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1697,3 +1852,253 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1697,3 +1855,253 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return error;
}
#endif
@@ -68780,7 +68827,7 @@ index 66e2f7c..ea88001 100644
#endif /* __KERNEL__ */
#endif /* _LINUX_MM_H */
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
-index f8f5162..6276a36 100644
+index f8f5162..a039af9 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -288,6 +288,8 @@ struct vm_area_struct {
@@ -68797,7 +68844,7 @@ index f8f5162..6276a36 100644
unsigned long nr_ptes; /* Page table pages */
unsigned long start_code, end_code, start_data, end_data;
- unsigned long start_brk, brk, start_stack;
-+ unsigned long brk_gap, start_brk, brk, start_stack;
++ unsigned long aslr_gap, start_brk, brk, start_stack;
unsigned long arg_start, arg_end, env_start, env_end;
unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */
@@ -72264,7 +72311,7 @@ index 84c6bf1..8899338 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index cee4b5c..9c267d9 100644
+index cee4b5c..6a3402b 100644
--- a/init/main.c
+++ b/init/main.c
@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { }
@@ -72366,18 +72413,7 @@ index cee4b5c..9c267d9 100644
}
return ret;
-@@ -743,6 +801,10 @@ static char *initcall_level_names[] __initdata = {
- "late",
- };
-
-+#ifdef CONFIG_PAX_LATENT_ENTROPY
-+u64 latent_entropy;
-+#endif
-+
- static void __init do_initcall_level(int level)
- {
- extern const struct kernel_param __start___param[], __stop___param[];
-@@ -755,8 +817,14 @@ static void __init do_initcall_level(int level)
+@@ -755,8 +813,14 @@ static void __init do_initcall_level(int level)
level, level,
&repair_env_string);
@@ -72386,14 +72422,14 @@ index cee4b5c..9c267d9 100644
do_one_initcall(*fn);
+
+#ifdef CONFIG_PAX_LATENT_ENTROPY
-+ add_device_randomness(&latent_entropy, sizeof(latent_entropy));
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+#endif
+
+ }
}
static void __init do_initcalls(void)
-@@ -790,8 +858,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -790,8 +854,14 @@ static void __init do_pre_smp_initcalls(void)
{
initcall_t *fn;
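Review bot: The new cast in `add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));` discards the `volatile` qualifier that this patch gives `latent_entropy` in mm/page_alloc.c, so the callee reads a volatile object through a non-volatile pointer. Taking a snapshot at the top of the loop body keeps the volatile read explicit and needs no cast: `u64 snap = latent_entropy;` followed by `add_device_randomness(&snap, sizeof(snap));`. The same cast is repeated in the do_pre_smp_initcalls() hunk that follows and in __free_pages_bootmem(). The loop header of do_initcall_level() is outside this hunk.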
@@ -72402,14 +72438,14 @@ index cee4b5c..9c267d9 100644
do_one_initcall(*fn);
+
+#ifdef CONFIG_PAX_LATENT_ENTROPY
-+ add_device_randomness(&latent_entropy, sizeof(latent_entropy));
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+#endif
+
+ }
}
static int run_init_process(const char *init_filename)
-@@ -877,7 +951,7 @@ static noinline void __init kernel_init_freeable(void)
+@@ -877,7 +947,7 @@ static noinline void __init kernel_init_freeable(void)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -72418,7 +72454,7 @@ index cee4b5c..9c267d9 100644
printk(KERN_WARNING "Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -890,11 +964,13 @@ static noinline void __init kernel_init_freeable(void)
+@@ -890,11 +960,13 @@ static noinline void __init kernel_init_freeable(void)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -72508,7 +72544,7 @@ index 71a3ca1..cc330ee 100644
if (u->mq_bytes + mq_bytes < u->mq_bytes ||
u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
diff --git a/ipc/msg.c b/ipc/msg.c
-index 950572f..266c15f 100644
+index 950572f..362ea07 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -309,18 +309,19 @@ static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
@@ -72536,6 +72572,40 @@ index 950572f..266c15f 100644
msg_params.key = key;
msg_params.flg = msgflg;
+@@ -820,15 +821,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp,
+ struct msg_msg *copy = NULL;
+ unsigned long copy_number = 0;
+
++ ns = current->nsproxy->ipc_ns;
++
+ if (msqid < 0 || (long) bufsz < 0)
+ return -EINVAL;
+ if (msgflg & MSG_COPY) {
+- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, &copy_number);
++ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
++ msgflg, &msgtyp, &copy_number);
+ if (IS_ERR(copy))
+ return PTR_ERR(copy);
+ }
+ mode = convert_mode(&msgtyp, msgflg);
+- ns = current->nsproxy->ipc_ns;
+
+ msq = msg_lock_check(ns, msqid);
+ if (IS_ERR(msq)) {
+diff --git a/ipc/msgutil.c b/ipc/msgutil.c
+index ebfcbfa..5df8e4b 100644
+--- a/ipc/msgutil.c
++++ b/ipc/msgutil.c
+@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
+ if (alen > DATALEN_MSG)
+ alen = DATALEN_MSG;
+
+- dst->next = NULL;
+- dst->security = NULL;
+-
+ memcpy(dst + 1, src + 1, alen);
+
+ len -= alen;
diff --git a/ipc/sem.c b/ipc/sem.c
index 58d31f1..cce7a55 100644
--- a/ipc/sem.c
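Review bot: The clamp `min_t(size_t, bufsz, ns->msg_ctlmax)` is applied only to the `prepare_copy()` argument and nothing in do_msgrcv() says why, while `bufsz` itself stays unclamped for the rest of the function. A comment at the call would keep the bound from being dropped in a later cleanup, e.g. `/* bufsz is caller-controlled; cap what prepare_copy() is asked for at msg_ctlmax */`. In the ipc/msgutil.c part, copy_msg() no longer resets `dst->next` and `dst->security`, so it now depends on the caller passing a fully initialised destination, and that contract deserves a line in the function's header comment. Both functions continue outside the hunk.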
@@ -76688,7 +76758,7 @@ index 81fa536..6ccf96a 100644
int this_cpu = smp_processor_id();
struct rq *this_rq = cpu_rq(this_cpu);
diff --git a/kernel/signal.c b/kernel/signal.c
-index 3d09cf6..a67d2c6 100644
+index 3d09cf6..8988390 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -50,12 +50,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -76725,7 +76795,17 @@ index 3d09cf6..a67d2c6 100644
if (override_rlimit ||
atomic_read(&user->sigpending) <=
task_rlimit(t, RLIMIT_SIGPENDING)) {
-@@ -492,7 +495,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+@@ -485,6 +488,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
+ if (force_default || ka->sa.sa_handler != SIG_IGN)
+ ka->sa.sa_handler = SIG_DFL;
+ ka->sa.sa_flags = 0;
++#ifdef SA_RESTORER
++ ka->sa.sa_restorer = NULL;
++#endif
+ sigemptyset(&ka->sa.sa_mask);
+ ka++;
+ }
+@@ -492,7 +498,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
int unhandled_signal(struct task_struct *tsk, int sig)
{
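Review bot: The added `ka->sa.sa_restorer = NULL;` in flush_signal_handlers() has no comment, and the reason for it is less obvious than for the neighbouring resets. `sa_restorer` holds a userspace code address, so leaving it in place would let an address chosen by the previous program survive the reset of the handlers (presumably across exec, going by the function's use of `force_default`; the callers are not visible here). I would add `/* do not let the old restorer address outlive the handler reset */` above the `#ifdef SA_RESTORER`. The function starts above this hunk.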
@@ -76734,7 +76814,7 @@ index 3d09cf6..a67d2c6 100644
if (is_global_init(tsk))
return 1;
if (handler != SIG_IGN && handler != SIG_DFL)
-@@ -812,6 +815,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
+@@ -812,6 +818,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
}
}
@@ -76748,7 +76828,7 @@ index 3d09cf6..a67d2c6 100644
return security_task_kill(t, info, sig, 0);
}
-@@ -1194,7 +1204,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1194,7 +1207,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
return send_signal(sig, info, p, 1);
}
@@ -76757,7 +76837,7 @@ index 3d09cf6..a67d2c6 100644
specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
{
return send_signal(sig, info, t, 0);
-@@ -1231,6 +1241,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1231,6 +1244,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
unsigned long int flags;
int ret, blocked, ignored;
struct k_sigaction *action;
@@ -76765,7 +76845,7 @@ index 3d09cf6..a67d2c6 100644
spin_lock_irqsave(&t->sighand->siglock, flags);
action = &t->sighand->action[sig-1];
-@@ -1245,9 +1256,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
+@@ -1245,9 +1259,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
}
if (action->sa.sa_handler == SIG_DFL)
t->signal->flags &= ~SIGNAL_UNKILLABLE;
@@ -76784,7 +76864,7 @@ index 3d09cf6..a67d2c6 100644
return ret;
}
-@@ -1314,8 +1334,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
+@@ -1314,8 +1337,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
ret = check_kill_permission(sig, info, p);
rcu_read_unlock();
@@ -76797,7 +76877,7 @@ index 3d09cf6..a67d2c6 100644
return ret;
}
-@@ -2852,7 +2875,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -2852,7 +2878,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
int error = -ESRCH;
rcu_read_lock();
@@ -76814,7 +76894,7 @@ index 3d09cf6..a67d2c6 100644
if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
error = check_kill_permission(sig, info, p);
/*
-@@ -3135,8 +3166,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
+@@ -3135,8 +3169,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
}
seg = get_fs();
set_fs(KERNEL_DS);
@@ -80133,7 +80213,7 @@ index c9bd528..da8d069 100644
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
diff --git a/mm/mmap.c b/mm/mmap.c
-index 8832b87..7d36e4f 100644
+index 8832b87..20500c1 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -32,6 +32,7 @@
@@ -81299,7 +81379,7 @@ index 8832b87..7d36e4f 100644
+#ifdef CONFIG_PAX_RANDMMAP
+ if (mm->pax_flags & MF_PAX_RANDMMAP)
-+ cur -= mm->brk_gap;
++ cur -= mm->aslr_gap;
+#endif
+
+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
@@ -81717,10 +81797,18 @@ index 0713bfb..e3774e0 100644
.next = NULL,
};
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 6a83cd3..bc2dcb6 100644
+index 6a83cd3..3ab04ef 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
-@@ -338,7 +338,7 @@ out:
+@@ -58,6 +58,7 @@
+ #include <linux/prefetch.h>
+ #include <linux/migrate.h>
+ #include <linux/page-debug-flags.h>
++#include <linux/random.h>
+
+ #include <asm/tlbflush.h>
+ #include <asm/div64.h>
+@@ -338,7 +339,7 @@ out:
* This usage means that zero-order pages may not be compound.
*/
@@ -81729,7 +81817,7 @@ index 6a83cd3..bc2dcb6 100644
{
__free_pages_ok(page, compound_order(page));
}
-@@ -693,6 +693,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
+@@ -693,6 +694,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
int i;
int bad = 0;
@@ -81740,7 +81828,7 @@ index 6a83cd3..bc2dcb6 100644
trace_mm_page_free(page, order);
kmemcheck_free_shadow(page, order);
-@@ -708,6 +712,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
+@@ -708,6 +713,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
debug_check_no_obj_freed(page_address(page),
PAGE_SIZE << order);
}
@@ -81753,7 +81841,47 @@ index 6a83cd3..bc2dcb6 100644
arch_free_page(page, order);
kernel_map_pages(page, 1 << order, 0);
-@@ -861,8 +871,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags)
+@@ -730,6 +741,19 @@ static void __free_pages_ok(struct page *page, unsigned int order)
+ local_irq_restore(flags);
+ }
+
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++bool __meminitdata extra_latent_entropy;
++
++static int __init setup_pax_extra_latent_entropy(char *str)
++{
++ extra_latent_entropy = true;
++ return 0;
++}
++early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy);
++
++volatile u64 latent_entropy;
++#endif
++
+ /*
+ * Read access to zone->managed_pages is safe because it's unsigned long,
+ * but we still need to serialize writers. Currently all callers of
+@@ -752,6 +776,19 @@ void __meminit __free_pages_bootmem(struct page *page, unsigned int order)
+ set_page_count(p, 0);
+ }
+
++#ifdef CONFIG_PAX_LATENT_ENTROPY
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ u64 hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const u64 *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++ }
++#endif
++
+ page_zone(page)->managed_pages += 1 << order;
+ set_page_refcounted(page);
+ __free_pages(page, order);
+@@ -861,8 +898,10 @@ static int prep_new_page(struct page *page, int order, gfp_t gfp_flags)
arch_alloc_page(page, order);
kernel_map_pages(page, 1 << order, 1);
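Review bot: The bound `page_to_pfn(page) < 0x100000` in __free_pages_bootmem() is a bare page-frame number, which matches the "first 4GB of RAM" stated in the Kconfig help only when pages are 4KiB. It also tests only the first page of the block, while the loop reads `nr_pages` pages from `data`. Writing the limit in bytes, e.g. `page_to_pfn(page) < (0x100000000ULL >> PAGE_SHIFT)`, makes the intent explicit and independent of the page size. The declaration of `nr_pages` and the start of the function are outside this hunk.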
@@ -81764,7 +81892,7 @@ index 6a83cd3..bc2dcb6 100644
if (order && (gfp_flags & __GFP_COMP))
prep_compound_page(page, order);
-@@ -3752,7 +3764,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn)
+@@ -3752,7 +3791,13 @@ static int pageblock_is_reserved(unsigned long start_pfn, unsigned long end_pfn)
unsigned long pfn;
for (pfn = start_pfn; pfn < end_pfn; pfn++) {
@@ -83712,6 +83840,42 @@ index bd6fd0f..6492cba 100644
spin_unlock_irqrestore(&dev->port.lock, flags);
if (dev->tty_dev->parent)
device_move(dev->tty_dev, NULL, DPM_ORDER_DEV_LAST);
+diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
+index acc9f4c..2897e40 100644
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_buff *skb, struct netlink_callback *cb,
+ port = p->port;
+ if (port) {
+ struct br_mdb_entry e;
++ memset(&e, 0, sizeof(e));
+ e.ifindex = port->dev->ifindex;
+ e.state = p->state;
+ if (p->addr.proto == htons(ETH_P_IP))
+@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ break;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->ifindex = dev->ifindex;
+ if (br_mdb_fill_info(skb, cb, dev) < 0)
+ goto out;
+@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struct sk_buff *skb,
+ return -EMSGSIZE;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->family = AF_BRIDGE;
+ bpm->ifindex = dev->ifindex;
+ nest = nla_nest_start(skb, MDBA_MDB);
+@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *dev, struct net_bridge_port *port,
+ {
+ struct br_mdb_entry entry;
+
++ memset(&entry, 0, sizeof(entry));
+ entry.ifindex = port->dev->ifindex;
+ entry.addr.proto = group->proto;
+ entry.addr.u.ip4 = group->u.ip4;
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5fe2ff3..121d696 100644
--- a/net/bridge/netfilter/ebtables.c
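Review bot: None of the added `memset()` calls says why it is there, so a later cleanup could replace them with `= {}` or a designated initializer, which need not clear padding bytes. These structures are filled field by field and then sent to userspace as a whole (visibly so in the net/dcb/dcbnl.c hunk, `nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets)`), so unset members and padding would otherwise carry stale kernel memory to the reader. A short comment on each, e.g. `/* clear padding too: the whole struct is copied into the netlink message */`, would record that; the same applies to the dcbnl hunk. In br_mdb_fill_info() the `memset` directly follows the declaration of `e`, where kernel style expects a blank line.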
@@ -84216,7 +84380,7 @@ index 8acce01..2e306bb 100644
return error;
}
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index 1868625..b1b1284 100644
+index 1868625..e2261f5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -58,7 +58,7 @@ struct rtnl_link {
@@ -84254,6 +84418,14 @@ index 1868625..b1b1284 100644
}
EXPORT_SYMBOL_GPL(__rtnl_link_unregister);
+@@ -976,6 +979,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
+ * report anything.
+ */
+ ivi.spoofchk = -1;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf =
diff --git a/net/core/scm.c b/net/core/scm.c
index 905dcc6..14ee2d6 100644
--- a/net/core/scm.c
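Review bot: Only `ivi.mac` is cleared before `ndo_get_vf_config()` is called, so any other member of `ivi` that a driver leaves unwritten is still uninitialised when the values are copied out below. If the struct has such members (its declaration is outside the hunk), clearing all of it first and then setting the sentinel is safer: `memset(&ivi, 0, sizeof(ivi));` followed by `ivi.spoofchk = -1;`. rtnl_fill_ifinfo() starts and ends outside this hunk.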
@@ -84551,6 +84723,74 @@ index d1b0804..4aed0a5 100644
.init = sysctl_core_net_init,
.exit = sysctl_core_net_exit,
};
+diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
+index 1b588e2..21291f1 100644
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlmsghdr *nlh,
+ if (!netdev->dcbnl_ops->getpermhwaddr)
+ return -EOPNOTSUPP;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
+@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_getets(netdev, &ets);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
+@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getmaxrate) {
+ struct ieee_maxrate maxrate;
++ memset(&maxrate, 0, sizeof(maxrate));
+ err = ops->ieee_getmaxrate(netdev, &maxrate);
+ if (!err) {
+ err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
+@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
+@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* get peer info if available */
+ if (ops->ieee_peer_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_peer_getets(netdev, &ets);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
+@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->ieee_peer_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_peer_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
+@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+ /* peer info if available */
+ if (ops->cee_peer_getpg) {
+ struct cee_pg pg;
++ memset(&pg, 0, sizeof(pg));
+ err = ops->cee_peer_getpg(netdev, &pg);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
+@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff *skb, struct net_device *netdev)
+
+ if (ops->cee_peer_getpfc) {
+ struct cee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->cee_peer_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 307c322..78a4c6f 100644
--- a/net/decnet/af_decnet.c
@@ -89156,10 +89396,10 @@ index e4fd45b..2eeb5c4 100644
shdr = (Elf_Shdr *)((char *)ehdr + _r(&ehdr->e_shoff));
shstrtab_sec = shdr + r2(&ehdr->e_shstrndx);
diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..da94e8b 100644
+index e9c6ac7..952353c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,920 @@
+@@ -4,6 +4,925 @@
menu "Security options"
@@ -90060,6 +90300,11 @@ index e9c6ac7..da94e8b 100644
+ there is little 'natural' source of entropy normally. The cost
+ is some slowdown of the boot process.
+
++ When pax_extra_latent_entropy is passed on the kernel command line,
++ entropy will be extracted from up to the first 4GB of RAM while the
++ runtime memory allocator is being initialized. This costs even more
++ slowdown of the boot process.
++
+ Note that the implementation requires a gcc with plugin support,
+ i.e., gcc 4.5 or newer. You may need to install the supporting
+ headers explicitly in addition to the normal gcc package.
@@ -90080,7 +90325,7 @@ index e9c6ac7..da94e8b 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +1017,7 @@ config INTEL_TXT
+@@ -103,7 +1022,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
@@ -92708,10 +92953,10 @@ index 0000000..0408e06
+}
diff --git a/tools/gcc/latent_entropy_plugin.c b/tools/gcc/latent_entropy_plugin.c
new file mode 100644
-index 0000000..1276616
+index 0000000..b5395ba
--- /dev/null
+++ b/tools/gcc/latent_entropy_plugin.c
-@@ -0,0 +1,321 @@
+@@ -0,0 +1,327 @@
+/*
+ * Copyright 2012-2013 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -92752,6 +92997,7 @@ index 0000000..1276616
+#include "rtl.h"
+#include "emit-rtl.h"
+#include "tree-flow.h"
++#include "langhooks.h"
+
+#if BUILDING_GCC_VERSION >= 4008
+#define TODO_dump_func 0
@@ -92762,7 +93008,7 @@ index 0000000..1276616
+static tree latent_entropy_decl;
+
+static struct plugin_info latent_entropy_plugin_info = {
-+ .version = "201302112000",
++ .version = "201303102320",
+ .help = NULL
+};
+
@@ -92986,6 +93232,8 @@ index 0000000..1276616
+
+static void start_unit_callback(void *gcc_data, void *user_data)
+{
++ tree latent_entropy_type;
++
+#if BUILDING_GCC_VERSION >= 4007
+ seed = get_random_seed(false);
+#else
@@ -92996,16 +93244,19 @@ index 0000000..1276616
+ if (in_lto_p)
+ return;
+
-+ // extern u64 latent_entropy
-+ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), unsigned_intDI_type_node);
++ // extern volatile u64 latent_entropy
++ gcc_assert(TYPE_PRECISION(long_long_unsigned_type_node) == 64);
++ latent_entropy_type = build_qualified_type(long_long_unsigned_type_node, TYPE_QUALS(long_long_unsigned_type_node) | TYPE_QUAL_VOLATILE);
++ latent_entropy_decl = build_decl(UNKNOWN_LOCATION, VAR_DECL, get_identifier("latent_entropy"), latent_entropy_type);
+
+ TREE_STATIC(latent_entropy_decl) = 1;
+ TREE_PUBLIC(latent_entropy_decl) = 1;
+ TREE_USED(latent_entropy_decl) = 1;
+ TREE_THIS_VOLATILE(latent_entropy_decl) = 1;
+ DECL_EXTERNAL(latent_entropy_decl) = 1;
-+ DECL_ARTIFICIAL(latent_entropy_decl) = 0;
++ DECL_ARTIFICIAL(latent_entropy_decl) = 1;
+ DECL_INITIAL(latent_entropy_decl) = NULL;
++ lang_hooks.decls.pushdecl(latent_entropy_decl);
+// DECL_ASSEMBLER_NAME(latent_entropy_decl);
+// varpool_finalize_decl(latent_entropy_decl);
+// varpool_mark_needed_node(latent_entropy_decl);