authorAnthony G. Basile <blueness@gentoo.org>2014-09-09 21:02:06 -0400
committerAnthony G. Basile <blueness@gentoo.org>2014-09-09 21:02:06 -0400
commit5c8fe786238039dc02cd80652dbe1265adbf1f6d (patch)
tree0bbf78a93a977c717091b382ecce0776001cb769
parentGrsec/PaX: 3.0-{3.14.18,3.16.2}-201409060014 (diff)
Grsec/PaX: 3.0-{3.2.62,3.14.18,3.16.2}-20140908212920140908
-rw-r--r--3.14.18/0000_README2
-rw-r--r--3.14.18/4420_grsecurity-3.0-3.14.18-201409082127.patch (renamed from 3.14.18/4420_grsecurity-3.0-3.14.18-201409060013.patch)498
-rw-r--r--3.16.2/0000_README2
-rw-r--r--3.16.2/4420_grsecurity-3.0-3.16.2-201409082129.patch (renamed from 3.16.2/4420_grsecurity-3.0-3.16.2-201409060014.patch)549
-rw-r--r--3.16.2/4427_force_XATTR_PAX_tmpfs.patch4
-rw-r--r--3.16.2/4435_grsec-mute-warnings.patch2
-rw-r--r--3.16.2/4465_selinux-avc_audit-log-curr_ip.patch2
-rw-r--r--3.16.2/4470_disable-compat_vdso.patch2
-rw-r--r--3.2.62/0000_README2
-rw-r--r--3.2.62/4420_grsecurity-3.0-3.2.62-201409082124.patch (renamed from 3.2.62/4420_grsecurity-3.0-3.2.62-201408312002.patch)478
10 files changed, 1458 insertions, 83 deletions
diff --git a/3.14.18/0000_README b/3.14.18/0000_README
index e496f22..58616e9 100644
--- a/3.14.18/0000_README
+++ b/3.14.18/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.18-201409060013.patch
+Patch: 4420_grsecurity-3.0-3.14.18-201409082127.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.18/4420_grsecurity-3.0-3.14.18-201409060013.patch b/3.14.18/4420_grsecurity-3.0-3.14.18-201409082127.patch
index 2207958..2a00986 100644
--- a/3.14.18/4420_grsecurity-3.0-3.14.18-201409060013.patch
+++ b/3.14.18/4420_grsecurity-3.0-3.14.18-201409082127.patch
@@ -22894,7 +22894,7 @@ index c5a9cb9..228d280 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 03cd2a8..05a9aed 100644
+index 03cd2a8..d236ccb 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -60,6 +60,8 @@
@@ -23815,7 +23815,7 @@ index 03cd2a8..05a9aed 100644
je retint_kernel
/* Interrupt came from user space */
-@@ -1027,12 +1500,16 @@ retint_swapgs: /* return to user-space */
+@@ -1027,12 +1500,35 @@ retint_swapgs: /* return to user-space */
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
@@ -23828,11 +23828,30 @@ index 03cd2a8..05a9aed 100644
retint_restore_args: /* return to kernel space */
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel
++
++#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
++ /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
++ * namely calling EFI runtime services with a phys mapping. We're
++ * starting off with NOPs and patch in the real instrumentation
++ * (BTS/OR) before starting any userland process; even before starting
++ * up the APs.
++ */
++ .pushsection .altinstr_replacement, "a"
++ 601: pax_force_retaddr (RIP-ARGOFFSET)
++ 602:
++ .popsection
++ 603: .fill 602b-601b, 1, 0x90
++ .pushsection .altinstructions, "a"
++ altinstruction_entry 603b, 601b, X86_FEATURE_ALWAYS, 602b-601b, 602b-601b
++ .popsection
++#else
+ pax_force_retaddr (RIP-ARGOFFSET)
++#endif
++
/*
* The iretq could re-enable interrupts:
*/
-@@ -1145,7 +1622,7 @@ ENTRY(retint_kernel)
+@@ -1145,7 +1641,7 @@ ENTRY(retint_kernel)
jmp exit_intr
#endif
CFI_ENDPROC
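Review bot: The comment added above the `.altinstr_replacement` block at retint_restore_args explains why the site starts as NOPs, but not what is missing in the meantime: with CONFIG_EFI and CONFIG_PAX_KERNEXEC both set, this kernel-return path runs without `pax_force_retaddr` until the alternative is patched in. I would state that explicitly and name the point in boot where the patching happens, so a later reordering of early init cannot silently widen the uninstrumented window, e.g. `/* 603: NOP padding, replaced by 601..602 (pax_force_retaddr) when alternatives are applied; until then this return path is uninstrumented */`. The local labels 601/602/603 are otherwise undocumented. The same block is added in the 3.16.2 patch further down, and the surrounding retint code continues outside the hunk.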
@@ -23841,7 +23860,7 @@ index 03cd2a8..05a9aed 100644
/*
* If IRET takes a fault on the espfix stack, then we
-@@ -1167,13 +1644,13 @@ __do_double_fault:
+@@ -1167,13 +1663,13 @@ __do_double_fault:
cmpq $native_irq_return_iret,%rax
jne do_double_fault /* This shouldn't happen... */
movq PER_CPU_VAR(kernel_stack),%rax
@@ -23857,7 +23876,7 @@ index 03cd2a8..05a9aed 100644
#else
# define __do_double_fault do_double_fault
#endif
-@@ -1195,7 +1672,7 @@ ENTRY(\sym)
+@@ -1195,7 +1691,7 @@ ENTRY(\sym)
interrupt \do_sym
jmp ret_from_intr
CFI_ENDPROC
@@ -23866,7 +23885,7 @@ index 03cd2a8..05a9aed 100644
.endm
#ifdef CONFIG_TRACING
-@@ -1283,7 +1760,7 @@ ENTRY(\sym)
+@@ -1283,7 +1779,7 @@ ENTRY(\sym)
call \do_sym
jmp error_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -23875,7 +23894,7 @@ index 03cd2a8..05a9aed 100644
.endm
.macro paranoidzeroentry sym do_sym
-@@ -1301,10 +1778,10 @@ ENTRY(\sym)
+@@ -1301,10 +1797,10 @@ ENTRY(\sym)
call \do_sym
jmp paranoid_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -23888,7 +23907,7 @@ index 03cd2a8..05a9aed 100644
.macro paranoidzeroentry_ist sym do_sym ist
ENTRY(\sym)
INTR_FRAME
-@@ -1317,12 +1794,18 @@ ENTRY(\sym)
+@@ -1317,12 +1813,18 @@ ENTRY(\sym)
TRACE_IRQS_OFF_DEBUG
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
@@ -23908,7 +23927,7 @@ index 03cd2a8..05a9aed 100644
.endm
.macro errorentry sym do_sym
-@@ -1340,7 +1823,7 @@ ENTRY(\sym)
+@@ -1340,7 +1842,7 @@ ENTRY(\sym)
call \do_sym
jmp error_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -23917,7 +23936,7 @@ index 03cd2a8..05a9aed 100644
.endm
#ifdef CONFIG_TRACING
-@@ -1371,7 +1854,7 @@ ENTRY(\sym)
+@@ -1371,7 +1873,7 @@ ENTRY(\sym)
call \do_sym
jmp paranoid_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -23926,7 +23945,7 @@ index 03cd2a8..05a9aed 100644
.endm
zeroentry divide_error do_divide_error
-@@ -1401,9 +1884,10 @@ gs_change:
+@@ -1401,9 +1903,10 @@ gs_change:
2: mfence /* workaround */
SWAPGS
popfq_cfi
@@ -23938,7 +23957,7 @@ index 03cd2a8..05a9aed 100644
_ASM_EXTABLE(gs_change,bad_gs)
.section .fixup,"ax"
-@@ -1431,9 +1915,10 @@ ENTRY(do_softirq_own_stack)
+@@ -1431,9 +1934,10 @@ ENTRY(do_softirq_own_stack)
CFI_DEF_CFA_REGISTER rsp
CFI_ADJUST_CFA_OFFSET -8
decl PER_CPU_VAR(irq_count)
@@ -23950,7 +23969,7 @@ index 03cd2a8..05a9aed 100644
#ifdef CONFIG_XEN
zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1471,7 +1956,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
+@@ -1471,7 +1975,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
decl PER_CPU_VAR(irq_count)
jmp error_exit
CFI_ENDPROC
@@ -23959,7 +23978,7 @@ index 03cd2a8..05a9aed 100644
/*
* Hypervisor uses this for application faults while it executes.
-@@ -1530,7 +2015,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1530,7 +2034,7 @@ ENTRY(xen_failsafe_callback)
SAVE_ALL
jmp error_exit
CFI_ENDPROC
@@ -23968,7 +23987,7 @@ index 03cd2a8..05a9aed 100644
apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1582,18 +2067,33 @@ ENTRY(paranoid_exit)
+@@ -1582,18 +2086,33 @@ ENTRY(paranoid_exit)
DEFAULT_FRAME
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF_DEBUG
@@ -24004,7 +24023,7 @@ index 03cd2a8..05a9aed 100644
jmp irq_return
paranoid_userspace:
GET_THREAD_INFO(%rcx)
-@@ -1622,7 +2122,7 @@ paranoid_schedule:
+@@ -1622,7 +2141,7 @@ paranoid_schedule:
TRACE_IRQS_OFF
jmp paranoid_userspace
CFI_ENDPROC
@@ -24013,7 +24032,7 @@ index 03cd2a8..05a9aed 100644
/*
* Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1649,12 +2149,23 @@ ENTRY(error_entry)
+@@ -1649,12 +2168,23 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -24038,7 +24057,7 @@ index 03cd2a8..05a9aed 100644
ret
/*
-@@ -1681,7 +2192,7 @@ bstep_iret:
+@@ -1681,7 +2211,7 @@ bstep_iret:
movq %rcx,RIP+8(%rsp)
jmp error_swapgs
CFI_ENDPROC
@@ -24047,7 +24066,7 @@ index 03cd2a8..05a9aed 100644
/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1692,7 +2203,7 @@ ENTRY(error_exit)
+@@ -1692,7 +2222,7 @@ ENTRY(error_exit)
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
GET_THREAD_INFO(%rcx)
@@ -24056,7 +24075,7 @@ index 03cd2a8..05a9aed 100644
jne retint_kernel
LOCKDEP_SYS_EXIT_IRQ
movl TI_flags(%rcx),%edx
-@@ -1701,7 +2212,7 @@ ENTRY(error_exit)
+@@ -1701,7 +2231,7 @@ ENTRY(error_exit)
jnz retint_careful
jmp retint_swapgs
CFI_ENDPROC
@@ -24065,7 +24084,7 @@ index 03cd2a8..05a9aed 100644
/*
* Test if a given stack is an NMI stack or not.
-@@ -1759,9 +2270,11 @@ ENTRY(nmi)
+@@ -1759,9 +2289,11 @@ ENTRY(nmi)
* If %cs was not the kernel segment, then the NMI triggered in user
* space, which means it is definitely not nested.
*/
@@ -24078,7 +24097,7 @@ index 03cd2a8..05a9aed 100644
/*
* Check the special variable on the stack to see if NMIs are
* executing.
-@@ -1795,8 +2308,7 @@ nested_nmi:
+@@ -1795,8 +2327,7 @@ nested_nmi:
1:
/* Set up the interrupted NMIs stack to jump to repeat_nmi */
@@ -24088,7 +24107,7 @@ index 03cd2a8..05a9aed 100644
CFI_ADJUST_CFA_OFFSET 1*8
leaq -10*8(%rsp), %rdx
pushq_cfi $__KERNEL_DS
-@@ -1814,6 +2326,7 @@ nested_nmi_out:
+@@ -1814,6 +2345,7 @@ nested_nmi_out:
CFI_RESTORE rdx
/* No need to check faults here */
@@ -24096,7 +24115,7 @@ index 03cd2a8..05a9aed 100644
INTERRUPT_RETURN
CFI_RESTORE_STATE
-@@ -1910,13 +2423,13 @@ end_repeat_nmi:
+@@ -1910,13 +2442,13 @@ end_repeat_nmi:
subq $ORIG_RAX-R15, %rsp
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
/*
@@ -24112,7 +24131,7 @@ index 03cd2a8..05a9aed 100644
DEFAULT_FRAME 0
/*
-@@ -1926,9 +2439,9 @@ end_repeat_nmi:
+@@ -1926,9 +2458,9 @@ end_repeat_nmi:
* NMI itself takes a page fault, the page fault that was preempted
* will read the information from the NMI page fault and not the
* origin fault. Save it off and restore it if it changes.
@@ -24124,7 +24143,7 @@ index 03cd2a8..05a9aed 100644
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
-@@ -1937,31 +2450,36 @@ end_repeat_nmi:
+@@ -1937,31 +2469,36 @@ end_repeat_nmi:
/* Did the NMI take a page fault? Restore cr2 if it did */
movq %cr2, %rcx
@@ -44946,6 +44965,433 @@ index 2fd9009..278cc1e 100644
radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
if (!radio)
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+index 9fd1527..8927230 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties cinergyt2_properties;
+
+ static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
+ {
+- char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
+- char result[64];
+- return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
+- sizeof(result), 0);
++ char *buf;
++ char *result;
++ int retval;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
++ result = kmalloc(64, GFP_KERNEL);
++ if (result == NULL) {
++ kfree(buf);
++ return -ENOMEM;
++ }
++
++ buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
++ buf[1] = enable ? 1 : 0;
++
++ retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
++
++ kfree(buf);
++ kfree(result);
++ return retval;
+ }
+
+ static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
+ {
+- char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
+- char state[3];
+- return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
++ char *buf;
++ char *state;
++ int retval;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
++ state = kmalloc(3, GFP_KERNEL);
++ if (state == NULL) {
++ kfree(buf);
++ return -ENOMEM;
++ }
++
++ buf[0] = CINERGYT2_EP1_SLEEP_MODE;
++ buf[1] = enable ? 1 : 0;
++
++ retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
++
++ kfree(buf);
++ kfree(state);
++ return retval;
+ }
+
+ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+- char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
+- char state[3];
++ char *query;
++ char *state;
+ int ret;
++ query = kmalloc(1, GFP_KERNEL);
++ if (query == NULL)
++ return -ENOMEM;
++ state = kmalloc(3, GFP_KERNEL);
++ if (state == NULL) {
++ kfree(query);
++ return -ENOMEM;
++ }
++
++ query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
+
+ adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
+
+- ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
+- sizeof(state), 0);
++ ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
+ if (ret < 0) {
+ deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
+ "state info\n");
+@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+
+ /* Copy this pointer as we are gonna need it in the release phase */
+ cinergyt2_usb_device = adap->dev;
+-
++ kfree(query);
++ kfree(state);
+ return 0;
+ }
+
+@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
+ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
+ struct cinergyt2_state *st = d->priv;
+- u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
++ u8 *key, *cmd;
+ int i;
+
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -EINVAL;
++ key = kzalloc(5, GFP_KERNEL);
++ if (key == NULL) {
++ kfree(cmd);
++ return -EINVAL;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
++
+ *state = REMOTE_NO_KEY_PRESSED;
+
+- dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
++ dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
+ if (key[4] == 0xff) {
+ /* key repeat */
+ st->rc_counter++;
+@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ *event = d->last_event;
+ deb_rc("repeat key, event %x\n",
+ *event);
+- return 0;
++ goto out;
+ }
+ }
+ deb_rc("repeated key (non repeatable)\n");
+ }
+- return 0;
++ goto out;
+ }
+
+ /* hack to pass checksum on the custom field */
+@@ -174,6 +230,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+
+ deb_rc("key: %*ph\n", 5, key);
+ }
++out:
++ kfree(cmd);
++ kfree(key);
+ return 0;
+ }
+
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-fe.c b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+index c890fe4..f9b2ae6 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-fe.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+@@ -145,103 +145,176 @@ static int cinergyt2_fe_read_status(struct dvb_frontend *fe,
+ fe_status_t *status)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg result;
+- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *result;
++ u8 *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
+- sizeof(result), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ result = kmalloc(sizeof(*result), GFP_KERNEL);
++ if (result == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
++ sizeof(*result), 0);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ *status = 0;
+
+- if (0xffff - le16_to_cpu(result.gain) > 30)
++ if (0xffff - le16_to_cpu(result->gain) > 30)
+ *status |= FE_HAS_SIGNAL;
+- if (result.lock_bits & (1 << 6))
++ if (result->lock_bits & (1 << 6))
+ *status |= FE_HAS_LOCK;
+- if (result.lock_bits & (1 << 5))
++ if (result->lock_bits & (1 << 5))
+ *status |= FE_HAS_SYNC;
+- if (result.lock_bits & (1 << 4))
++ if (result->lock_bits & (1 << 4))
+ *status |= FE_HAS_CARRIER;
+- if (result.lock_bits & (1 << 1))
++ if (result->lock_bits & (1 << 1))
+ *status |= FE_HAS_VITERBI;
+
+ if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
+ (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
+ *status &= ~FE_HAS_LOCK;
+
+- return 0;
++out:
++ kfree(cmd);
++ kfree(result);
++ return ret;
+ }
+
+ static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+- *ber = le32_to_cpu(status.viterbi_error_rate);
++ *ber = le32_to_cpu(status->viterbi_error_rate);
++out:
++ kfree(cmd);
++ kfree(status);
+ return 0;
+ }
+
+ static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ u8 *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
+ ret);
+- return ret;
++ goto out;
+ }
+- *unc = le32_to_cpu(status.uncorrected_block_count);
+- return 0;
++ *unc = le32_to_cpu(status->uncorrected_block_count);
++
++out:
++ kfree(cmd);
++ kfree(status);
++ return ret;
+ }
+
+ static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
+ u16 *strength)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_signal_strength() Failed!"
+ " (Error=%d)\n", ret);
+- return ret;
++ goto out;
+ }
+- *strength = (0xffff - le16_to_cpu(status.gain));
++ *strength = (0xffff - le16_to_cpu(status->gain));
++
++out:
++ kfree(cmd);
++ kfree(status);
+ return 0;
+ }
+
+ static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
+- return ret;
++ goto out;
+ }
+- *snr = (status.snr << 8) | status.snr;
+- return 0;
++ *snr = (status->snr << 8) | status->snr;
++
++out:
++ kfree(cmd);
++ kfree(status);
++ return ret;
+ }
+
+ static int cinergyt2_fe_init(struct dvb_frontend *fe)
+@@ -266,35 +339,46 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend *fe)
+ {
+ struct dtv_frontend_properties *fep = &fe->dtv_property_cache;
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_set_parameters_msg param;
+- char result[2];
++ struct dvbt_set_parameters_msg *param;
++ char *result;
+ int err;
+
+- param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
+- param.tps = cpu_to_le16(compute_tps(fep));
+- param.freq = cpu_to_le32(fep->frequency / 1000);
+- param.flags = 0;
++ result = kmalloc(2, GFP_KERNEL);
++ if (result == NULL)
++ return -ENOMEM;
++ param = kmalloc(sizeof(*param), GFP_KERNEL);
++ if (param == NULL) {
++ kfree(result);
++ return -ENOMEM;
++ }
++
++ param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
++ param->tps = cpu_to_le16(compute_tps(fep));
++ param->freq = cpu_to_le32(fep->frequency / 1000);
++ param->flags = 0;
+
+ switch (fep->bandwidth_hz) {
+ default:
+ case 8000000:
+- param.bandwidth = 8;
++ param->bandwidth = 8;
+ break;
+ case 7000000:
+- param.bandwidth = 7;
++ param->bandwidth = 7;
+ break;
+ case 6000000:
+- param.bandwidth = 6;
++ param->bandwidth = 6;
+ break;
+ }
+
+ err = dvb_usb_generic_rw(state->d,
+- (char *)&param, sizeof(param),
+- result, sizeof(result), 0);
++ (char *)param, sizeof(*param),
++ result, 2, 0);
+ if (err < 0)
+ err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
+
+- return (err < 0) ? err : 0;
++ kfree(result);
++ kfree(param);
++ return err;
+ }
+
+ static void cinergyt2_fe_release(struct dvb_frontend *fe)
diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
index a1c641e..3007da9 100644
--- a/drivers/media/usb/dvb-usb/cxusb.c
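Review bot: In the new cinergyt2_power_ctrl() the second command byte is set with `buf[1] = enable ? 1 : 0;`, while the stack-array version it replaces used `enable ? 0 : 1`, so the sleep-mode value sent to the device is inverted; unless that is intended it should read `buf[1] = enable ? 0 : 1;`. Separately, cinergyt2_fe_read_ber() and cinergyt2_fe_read_signal_strength() now jump to `out:` on a failed dvb_usb_generic_rw() and then `return 0;`, so the caller sees success with `*ber` / `*strength` never written; the removed code returned `ret`, and the sibling readers in this hunk end with `return ret;`. cinergyt2_rc_query() also reports allocation failure as `-EINVAL` where every other function here uses `-ENOMEM`. The 3.16.2 copy of this patch repeats the same power_ctrl line.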
diff --git a/3.16.2/0000_README b/3.16.2/0000_README
index 7c596e8..d3923e5 100644
--- a/3.16.2/0000_README
+++ b/3.16.2/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.16.2-201409060014.patch
+Patch: 4420_grsecurity-3.0-3.16.2-201409082129.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.16.2/4420_grsecurity-3.0-3.16.2-201409060014.patch b/3.16.2/4420_grsecurity-3.0-3.16.2-201409082129.patch
index 83965d3..809c459 100644
--- a/3.16.2/4420_grsecurity-3.0-3.16.2-201409060014.patch
+++ b/3.16.2/4420_grsecurity-3.0-3.16.2-201409082129.patch
@@ -23283,7 +23283,7 @@ index 0d0c9d4..f65b4f6 100644
#endif
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index c844f08..b07ea0e 100644
+index c844f08..966a50e 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -59,6 +59,8 @@
@@ -24129,7 +24129,7 @@ index c844f08..b07ea0e 100644
je retint_kernel
/* Interrupt came from user space */
-@@ -816,12 +1282,16 @@ retint_swapgs: /* return to user-space */
+@@ -816,12 +1282,35 @@ retint_swapgs: /* return to user-space */
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
@@ -24142,11 +24142,30 @@ index c844f08..b07ea0e 100644
retint_restore_args: /* return to kernel space */
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel
++
++#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
++ /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
++ * namely calling EFI runtime services with a phys mapping. We're
++ * starting off with NOPs and patch in the real instrumentation
++ * (BTS/OR) before starting any userland process; even before starting
++ * up the APs.
++ */
++ .pushsection .altinstr_replacement, "a"
++ 601: pax_force_retaddr (RIP-ARGOFFSET)
++ 602:
++ .popsection
++ 603: .fill 602b-601b, 1, 0x90
++ .pushsection .altinstructions, "a"
++ altinstruction_entry 603b, 601b, X86_FEATURE_ALWAYS, 602b-601b, 602b-601b
++ .popsection
++#else
+ pax_force_retaddr (RIP-ARGOFFSET)
++#endif
++
/*
* The iretq could re-enable interrupts:
*/
-@@ -934,7 +1404,7 @@ ENTRY(retint_kernel)
+@@ -934,7 +1423,7 @@ ENTRY(retint_kernel)
jmp exit_intr
#endif
CFI_ENDPROC
@@ -24155,7 +24174,7 @@ index c844f08..b07ea0e 100644
/*
* If IRET takes a fault on the espfix stack, then we
-@@ -956,13 +1426,13 @@ __do_double_fault:
+@@ -956,13 +1445,13 @@ __do_double_fault:
cmpq $native_irq_return_iret,%rax
jne do_double_fault /* This shouldn't happen... */
movq PER_CPU_VAR(kernel_stack),%rax
@@ -24171,7 +24190,7 @@ index c844f08..b07ea0e 100644
#else
# define __do_double_fault do_double_fault
#endif
-@@ -979,7 +1449,7 @@ ENTRY(\sym)
+@@ -979,7 +1468,7 @@ ENTRY(\sym)
interrupt \do_sym
jmp ret_from_intr
CFI_ENDPROC
@@ -24180,7 +24199,7 @@ index c844f08..b07ea0e 100644
.endm
#ifdef CONFIG_TRACING
-@@ -1052,7 +1522,7 @@ apicinterrupt IRQ_WORK_VECTOR \
+@@ -1052,7 +1541,7 @@ apicinterrupt IRQ_WORK_VECTOR \
/*
* Exception entry points.
*/
@@ -24189,7 +24208,7 @@ index c844f08..b07ea0e 100644
.macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
ENTRY(\sym)
-@@ -1103,6 +1573,12 @@ ENTRY(\sym)
+@@ -1103,6 +1592,12 @@ ENTRY(\sym)
.endif
.if \shift_ist != -1
@@ -24202,7 +24221,7 @@ index c844f08..b07ea0e 100644
subq $EXCEPTION_STKSZ, INIT_TSS_IST(\shift_ist)
.endif
-@@ -1119,7 +1595,7 @@ ENTRY(\sym)
+@@ -1119,7 +1614,7 @@ ENTRY(\sym)
.endif
CFI_ENDPROC
@@ -24211,7 +24230,7 @@ index c844f08..b07ea0e 100644
.endm
#ifdef CONFIG_TRACING
-@@ -1160,9 +1636,10 @@ gs_change:
+@@ -1160,9 +1655,10 @@ gs_change:
2: mfence /* workaround */
SWAPGS
popfq_cfi
@@ -24223,7 +24242,7 @@ index c844f08..b07ea0e 100644
_ASM_EXTABLE(gs_change,bad_gs)
.section .fixup,"ax"
-@@ -1190,9 +1667,10 @@ ENTRY(do_softirq_own_stack)
+@@ -1190,9 +1686,10 @@ ENTRY(do_softirq_own_stack)
CFI_DEF_CFA_REGISTER rsp
CFI_ADJUST_CFA_OFFSET -8
decl PER_CPU_VAR(irq_count)
@@ -24235,7 +24254,7 @@ index c844f08..b07ea0e 100644
#ifdef CONFIG_XEN
idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0
-@@ -1230,7 +1708,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
+@@ -1230,7 +1727,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
decl PER_CPU_VAR(irq_count)
jmp error_exit
CFI_ENDPROC
@@ -24244,7 +24263,7 @@ index c844f08..b07ea0e 100644
/*
* Hypervisor uses this for application faults while it executes.
-@@ -1289,7 +1767,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1289,7 +1786,7 @@ ENTRY(xen_failsafe_callback)
SAVE_ALL
jmp error_exit
CFI_ENDPROC
@@ -24253,7 +24272,7 @@ index c844f08..b07ea0e 100644
apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1336,18 +1814,33 @@ ENTRY(paranoid_exit)
+@@ -1336,18 +1833,33 @@ ENTRY(paranoid_exit)
DEFAULT_FRAME
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF_DEBUG
@@ -24289,7 +24308,7 @@ index c844f08..b07ea0e 100644
jmp irq_return
paranoid_userspace:
GET_THREAD_INFO(%rcx)
-@@ -1376,7 +1869,7 @@ paranoid_schedule:
+@@ -1376,7 +1888,7 @@ paranoid_schedule:
TRACE_IRQS_OFF
jmp paranoid_userspace
CFI_ENDPROC
@@ -24298,7 +24317,7 @@ index c844f08..b07ea0e 100644
/*
* Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1403,12 +1896,23 @@ ENTRY(error_entry)
+@@ -1403,12 +1915,23 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -24323,7 +24342,7 @@ index c844f08..b07ea0e 100644
ret
/*
-@@ -1435,7 +1939,7 @@ bstep_iret:
+@@ -1435,7 +1958,7 @@ bstep_iret:
movq %rcx,RIP+8(%rsp)
jmp error_swapgs
CFI_ENDPROC
@@ -24332,7 +24351,7 @@ index c844f08..b07ea0e 100644
/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1446,7 +1950,7 @@ ENTRY(error_exit)
+@@ -1446,7 +1969,7 @@ ENTRY(error_exit)
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
GET_THREAD_INFO(%rcx)
@@ -24341,7 +24360,7 @@ index c844f08..b07ea0e 100644
jne retint_kernel
LOCKDEP_SYS_EXIT_IRQ
movl TI_flags(%rcx),%edx
-@@ -1455,7 +1959,7 @@ ENTRY(error_exit)
+@@ -1455,7 +1978,7 @@ ENTRY(error_exit)
jnz retint_careful
jmp retint_swapgs
CFI_ENDPROC
@@ -24350,7 +24369,7 @@ index c844f08..b07ea0e 100644
/*
* Test if a given stack is an NMI stack or not.
-@@ -1513,9 +2017,11 @@ ENTRY(nmi)
+@@ -1513,9 +2036,11 @@ ENTRY(nmi)
* If %cs was not the kernel segment, then the NMI triggered in user
* space, which means it is definitely not nested.
*/
@@ -24363,7 +24382,7 @@ index c844f08..b07ea0e 100644
/*
* Check the special variable on the stack to see if NMIs are
* executing.
-@@ -1549,8 +2055,7 @@ nested_nmi:
+@@ -1549,8 +2074,7 @@ nested_nmi:
1:
/* Set up the interrupted NMIs stack to jump to repeat_nmi */
@@ -24373,7 +24392,7 @@ index c844f08..b07ea0e 100644
CFI_ADJUST_CFA_OFFSET 1*8
leaq -10*8(%rsp), %rdx
pushq_cfi $__KERNEL_DS
-@@ -1568,6 +2073,7 @@ nested_nmi_out:
+@@ -1568,6 +2092,7 @@ nested_nmi_out:
CFI_RESTORE rdx
/* No need to check faults here */
@@ -24381,7 +24400,7 @@ index c844f08..b07ea0e 100644
INTERRUPT_RETURN
CFI_RESTORE_STATE
-@@ -1664,13 +2170,13 @@ end_repeat_nmi:
+@@ -1664,13 +2189,13 @@ end_repeat_nmi:
subq $ORIG_RAX-R15, %rsp
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
/*
@@ -24397,7 +24416,7 @@ index c844f08..b07ea0e 100644
DEFAULT_FRAME 0
/*
-@@ -1680,9 +2186,9 @@ end_repeat_nmi:
+@@ -1680,9 +2205,9 @@ end_repeat_nmi:
* NMI itself takes a page fault, the page fault that was preempted
* will read the information from the NMI page fault and not the
* origin fault. Save it off and restore it if it changes.
@@ -24409,7 +24428,7 @@ index c844f08..b07ea0e 100644
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
-@@ -1691,29 +2197,34 @@ end_repeat_nmi:
+@@ -1691,29 +2216,34 @@ end_repeat_nmi:
/* Did the NMI take a page fault? Restore cr2 if it did */
movq %cr2, %rcx
@@ -46710,6 +46729,433 @@ index 2fd9009..278cc1e 100644
radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
if (!radio)
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+index 9fd1527..8927230 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties cinergyt2_properties;
+
+ static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
+ {
+- char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
+- char result[64];
+- return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
+- sizeof(result), 0);
++ char *buf;
++ char *result;
++ int retval;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
++ result = kmalloc(64, GFP_KERNEL);
++ if (result == NULL) {
++ kfree(buf);
++ return -ENOMEM;
++ }
++
++ buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
++ buf[1] = enable ? 1 : 0;
++
++ retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
++
++ kfree(buf);
++ kfree(result);
++ return retval;
+ }
+
+ static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
+ {
+- char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
+- char state[3];
+- return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
++ char *buf;
++ char *state;
++ int retval;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
++ state = kmalloc(3, GFP_KERNEL);
++ if (state == NULL) {
++ kfree(buf);
++ return -ENOMEM;
++ }
++
++ buf[0] = CINERGYT2_EP1_SLEEP_MODE;
++ buf[1] = enable ? 1 : 0;
++
++ retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
++
++ kfree(buf);
++ kfree(state);
++ return retval;
+ }
+
+ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+- char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
+- char state[3];
++ char *query;
++ char *state;
+ int ret;
++ query = kmalloc(1, GFP_KERNEL);
++ if (query == NULL)
++ return -ENOMEM;
++ state = kmalloc(3, GFP_KERNEL);
++ if (state == NULL) {
++ kfree(query);
++ return -ENOMEM;
++ }
++
++ query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
+
+ adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
+
+- ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
+- sizeof(state), 0);
++ ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
+ if (ret < 0) {
+ deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
+ "state info\n");
+@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+
+ /* Copy this pointer as we are gonna need it in the release phase */
+ cinergyt2_usb_device = adap->dev;
+-
++ kfree(query);
++ kfree(state);
+ return 0;
+ }
+
+@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
+ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
+ struct cinergyt2_state *st = d->priv;
+- u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
++ u8 *key, *cmd;
+ int i;
+
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -EINVAL;
++ key = kzalloc(5, GFP_KERNEL);
++ if (key == NULL) {
++ kfree(cmd);
++ return -EINVAL;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
++
+ *state = REMOTE_NO_KEY_PRESSED;
+
+- dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
++ dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
+ if (key[4] == 0xff) {
+ /* key repeat */
+ st->rc_counter++;
+@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ *event = d->last_event;
+ deb_rc("repeat key, event %x\n",
+ *event);
+- return 0;
++ goto out;
+ }
+ }
+ deb_rc("repeated key (non repeatable)\n");
+ }
+- return 0;
++ goto out;
+ }
+
+ /* hack to pass checksum on the custom field */
+@@ -174,6 +230,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+
+ deb_rc("key: %*ph\n", 5, key);
+ }
++out:
++ kfree(cmd);
++ kfree(key);
+ return 0;
+ }
+
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-fe.c b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+index c890fe4..f9b2ae6 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-fe.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+@@ -145,103 +145,176 @@ static int cinergyt2_fe_read_status(struct dvb_frontend *fe,
+ fe_status_t *status)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg result;
+- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *result;
++ u8 *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
+- sizeof(result), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ result = kmalloc(sizeof(*result), GFP_KERNEL);
++ if (result == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
++ sizeof(*result), 0);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ *status = 0;
+
+- if (0xffff - le16_to_cpu(result.gain) > 30)
++ if (0xffff - le16_to_cpu(result->gain) > 30)
+ *status |= FE_HAS_SIGNAL;
+- if (result.lock_bits & (1 << 6))
++ if (result->lock_bits & (1 << 6))
+ *status |= FE_HAS_LOCK;
+- if (result.lock_bits & (1 << 5))
++ if (result->lock_bits & (1 << 5))
+ *status |= FE_HAS_SYNC;
+- if (result.lock_bits & (1 << 4))
++ if (result->lock_bits & (1 << 4))
+ *status |= FE_HAS_CARRIER;
+- if (result.lock_bits & (1 << 1))
++ if (result->lock_bits & (1 << 1))
+ *status |= FE_HAS_VITERBI;
+
+ if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
+ (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
+ *status &= ~FE_HAS_LOCK;
+
+- return 0;
++out:
++ kfree(cmd);
++ kfree(result);
++ return ret;
+ }
+
+ static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+- *ber = le32_to_cpu(status.viterbi_error_rate);
++ *ber = le32_to_cpu(status->viterbi_error_rate);
++out:
++ kfree(cmd);
++ kfree(status);
+ return 0;
+ }
+
+ static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ u8 *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
+ ret);
+- return ret;
++ goto out;
+ }
+- *unc = le32_to_cpu(status.uncorrected_block_count);
+- return 0;
++ *unc = le32_to_cpu(status->uncorrected_block_count);
++
++out:
++ kfree(cmd);
++ kfree(status);
++ return ret;
+ }
+
+ static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
+ u16 *strength)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_signal_strength() Failed!"
+ " (Error=%d)\n", ret);
+- return ret;
++ goto out;
+ }
+- *strength = (0xffff - le16_to_cpu(status.gain));
++ *strength = (0xffff - le16_to_cpu(status->gain));
++
++out:
++ kfree(cmd);
++ kfree(status);
+ return 0;
+ }
+
+ static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
+- return ret;
++ goto out;
+ }
+- *snr = (status.snr << 8) | status.snr;
+- return 0;
++ *snr = (status->snr << 8) | status->snr;
++
++out:
++ kfree(cmd);
++ kfree(status);
++ return ret;
+ }
+
+ static int cinergyt2_fe_init(struct dvb_frontend *fe)
+@@ -266,35 +339,46 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend *fe)
+ {
+ struct dtv_frontend_properties *fep = &fe->dtv_property_cache;
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_set_parameters_msg param;
+- char result[2];
++ struct dvbt_set_parameters_msg *param;
++ char *result;
+ int err;
+
+- param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
+- param.tps = cpu_to_le16(compute_tps(fep));
+- param.freq = cpu_to_le32(fep->frequency / 1000);
+- param.flags = 0;
++ result = kmalloc(2, GFP_KERNEL);
++ if (result == NULL)
++ return -ENOMEM;
++ param = kmalloc(sizeof(*param), GFP_KERNEL);
++ if (param == NULL) {
++ kfree(result);
++ return -ENOMEM;
++ }
++
++ param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
++ param->tps = cpu_to_le16(compute_tps(fep));
++ param->freq = cpu_to_le32(fep->frequency / 1000);
++ param->flags = 0;
+
+ switch (fep->bandwidth_hz) {
+ default:
+ case 8000000:
+- param.bandwidth = 8;
++ param->bandwidth = 8;
+ break;
+ case 7000000:
+- param.bandwidth = 7;
++ param->bandwidth = 7;
+ break;
+ case 6000000:
+- param.bandwidth = 6;
++ param->bandwidth = 6;
+ break;
+ }
+
+ err = dvb_usb_generic_rw(state->d,
+- (char *)&param, sizeof(param),
+- result, sizeof(result), 0);
++ (char *)param, sizeof(*param),
++ result, 2, 0);
+ if (err < 0)
+ err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
+
+- return (err < 0) ? err : 0;
++ kfree(result);
++ kfree(param);
++ return err;
+ }
+
+ static void cinergyt2_fe_release(struct dvb_frontend *fe)
diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
index a1c641e..3007da9 100644
--- a/drivers/media/usb/dvb-usb/cxusb.c
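Review bot: In the new `cinergyt2_power_ctrl()` the sleep-mode byte is written as `buf[1] = enable ? 1 : 0;`, while the stack-buffer code it replaces used `enable ? 0 : 1`, so the move to heap buffers silently inverts the command; it should stay `buf[1] = enable ? 0 : 1;`. Separately, `cinergyt2_fe_read_ber()` and `cinergyt2_fe_read_signal_strength()` now `goto out` when `dvb_usb_generic_rw()` fails, but their exit path ends in `return 0;`, so the error is dropped and `*ber` / `*strength` are left unwritten while the caller sees success; ending both with `return ret;`, as `cinergyt2_fe_read_status()`, `cinergyt2_fe_read_unc_blocks()` and `cinergyt2_fe_read_snr()` already do, keeps the previous behaviour. `cinergyt2_rc_query()` also reports a failed allocation as `-EINVAL` where every other converted function uses `-ENOMEM`. The same code is added to the 3.2.62 patch later in this commit and needs the same three changes.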
@@ -61596,7 +62042,7 @@ index a93f7e6..d58bcbe 100644
return 0;
while (nr) {
diff --git a/fs/dcache.c b/fs/dcache.c
-index 06f6585..f95a6d1 100644
+index 06f6585..65499d1 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1445,7 +1445,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
@@ -61608,7 +62054,58 @@ index 06f6585..f95a6d1 100644
if (!dname) {
kmem_cache_free(dentry_cache, dentry);
return NULL;
-@@ -3413,7 +3413,8 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -2402,7 +2402,7 @@ void dentry_update_name_case(struct dentry *dentry, struct qstr *name)
+ }
+ EXPORT_SYMBOL(dentry_update_name_case);
+
+-static void switch_names(struct dentry *dentry, struct dentry *target)
++static void switch_names(struct dentry *dentry, struct dentry *target, bool exchange)
+ {
+ if (dname_external(target)) {
+ if (dname_external(dentry)) {
+@@ -2430,7 +2430,7 @@ static void switch_names(struct dentry *dentry, struct dentry *target)
+ target->d_name.len + 1);
+ target->d_name.name = dentry->d_name.name;
+ dentry->d_name.name = dentry->d_iname;
+- } else {
++ } else if (exchange) {
+ /*
+ * Both are internal.
+ */
+@@ -2440,6 +2440,14 @@ static void switch_names(struct dentry *dentry, struct dentry *target)
+ swap(((long *) &dentry->d_iname)[i],
+ ((long *) &target->d_iname)[i]);
+ }
++ } else {
++ /*
++ * Both are internal. Just copy target to dentry
++ */
++ memcpy(dentry->d_iname, target->d_name.name,
++ target->d_name.len + 1);
++ dentry->d_name.len = target->d_name.len;
++ return;
+ }
+ }
+ swap(dentry->d_name.len, target->d_name.len);
+@@ -2540,7 +2548,7 @@ static void __d_move(struct dentry *dentry, struct dentry *target,
+ list_del(&target->d_u.d_child);
+
+ /* Switch the names.. */
+- switch_names(dentry, target);
++ switch_names(dentry, target, exchange);
+ swap(dentry->d_name.hash, target->d_name.hash);
+
+ /* ... and switch the parents */
+@@ -2679,7 +2687,7 @@ static void __d_materialise_dentry(struct dentry *dentry, struct dentry *anon)
+
+ dparent = dentry->d_parent;
+
+- switch_names(dentry, anon);
++ switch_names(dentry, anon, false);
+ swap(dentry->d_name.hash, anon->d_name.hash);
+
+ dentry->d_parent = dentry;
+@@ -3413,7 +3421,8 @@ void __init vfs_caches_init(unsigned long mempages)
mempages -= reserve;
names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
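Review bot: The new `exchange` argument of `switch_names()` is undocumented, and its effect is narrower than the name suggests: it is tested only on the "both are internal" path, where the non-exchange case copies `target`'s name into `dentry->d_iname`, sets `dentry->d_name.len` and returns before the trailing `swap(dentry->d_name.len, target->d_name.len)`, leaving `target` untouched. The branch visible just above the `else if (exchange)` still reassigns the name pointers without consulting the flag, which looks intentional but is worth stating. A comment above the function would make the contract explicit, e.g. `/* @exchange: false means only dentry must end up with target's name; target's own name is then unspecified */`. Only part of `switch_names()` appears in these hunks, so the external-name behaviour should be confirmed against the full function before wording the comment.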
diff --git a/3.16.2/4427_force_XATTR_PAX_tmpfs.patch b/3.16.2/4427_force_XATTR_PAX_tmpfs.patch
index bbcef41..2f1d3b4 100644
--- a/3.16.2/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.16.2/4427_force_XATTR_PAX_tmpfs.patch
@@ -6,7 +6,7 @@ namespace supported on tmpfs so that the PaX markings survive emerge.
diff -Naur a/mm/shmem.c b/mm/shmem.c
--- a/mm/shmem.c 2013-06-11 21:00:18.000000000 -0400
+++ b/mm/shmem.c 2013-06-11 21:08:18.000000000 -0400
-@@ -2218,11 +2218,7 @@
+@@ -2219,11 +2219,7 @@
static int shmem_xattr_validate(const char *name)
{
struct { const char *prefix; size_t len; } arr[] = {
@@ -18,7 +18,7 @@ diff -Naur a/mm/shmem.c b/mm/shmem.c
{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
};
-@@ -2278,14 +2274,12 @@
+@@ -2279,14 +2275,12 @@
if (err)
return err;
diff --git a/3.16.2/4435_grsec-mute-warnings.patch b/3.16.2/4435_grsec-mute-warnings.patch
index 41d43d5..4a959cc 100644
--- a/3.16.2/4435_grsec-mute-warnings.patch
+++ b/3.16.2/4435_grsec-mute-warnings.patch
@@ -31,7 +31,7 @@ Acked-by: Christian Heim <phreak@gentoo.org>
--- a/Makefile 2014-07-25 11:37:45.206051736 -0400
+++ b/Makefile 2014-07-25 11:38:13.786050367 -0400
-@@ -245,7 +245,7 @@
+@@ -303,7 +303,7 @@
HOSTCC = gcc
HOSTCXX = g++
diff --git a/3.16.2/4465_selinux-avc_audit-log-curr_ip.patch b/3.16.2/4465_selinux-avc_audit-log-curr_ip.patch
index fb528d0..747ac53 100644
--- a/3.16.2/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.16.2/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1147,6 +1147,27 @@
+@@ -1137,6 +1137,27 @@
menu "Logging Options"
depends on GRKERNSEC
diff --git a/3.16.2/4470_disable-compat_vdso.patch b/3.16.2/4470_disable-compat_vdso.patch
index 0215f1e..fd9ab60 100644
--- a/3.16.2/4470_disable-compat_vdso.patch
+++ b/3.16.2/4470_disable-compat_vdso.patch
@@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
--- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
+++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
-@@ -1811,29 +1811,8 @@
+@@ -1814,29 +1814,8 @@
config COMPAT_VDSO
def_bool n
diff --git a/3.2.62/0000_README b/3.2.62/0000_README
index 6c4c3cc..5f9fd24 100644
--- a/3.2.62/0000_README
+++ b/3.2.62/0000_README
@@ -166,7 +166,7 @@ Patch: 1061_linux-3.2.62.patch
From: http://www.kernel.org
Desc: Linux 3.2.62
-Patch: 4420_grsecurity-3.0-3.2.62-201408312002.patch
+Patch: 4420_grsecurity-3.0-3.2.62-201409082124.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.62/4420_grsecurity-3.0-3.2.62-201408312002.patch b/3.2.62/4420_grsecurity-3.0-3.2.62-201409082124.patch
index ad26b87..fda4aaa 100644
--- a/3.2.62/4420_grsecurity-3.0-3.2.62-201408312002.patch
+++ b/3.2.62/4420_grsecurity-3.0-3.2.62-201409082124.patch
@@ -19231,7 +19231,7 @@ index dd52355..371d3b9 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 6274f5f..7b23dca 100644
+index 6274f5f..60c83a1 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -55,6 +55,8 @@
@@ -19917,7 +19917,7 @@ index 6274f5f..7b23dca 100644
je retint_kernel
/* Interrupt came from user space */
-@@ -846,12 +1179,16 @@ retint_swapgs: /* return to user-space */
+@@ -846,12 +1179,35 @@ retint_swapgs: /* return to user-space */
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
@@ -19930,11 +19930,30 @@ index 6274f5f..7b23dca 100644
retint_restore_args: /* return to kernel space */
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel
++
++#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
++ /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
++ * namely calling EFI runtime services with a phys mapping. We're
++ * starting off with NOPs and patch in the real instrumentation
++ * (BTS/OR) before starting any userland process; even before starting
++ * up the APs.
++ */
++ .pushsection .altinstr_replacement, "a"
++ 601: pax_force_retaddr (RIP-ARGOFFSET)
++ 602:
++ .popsection
++ 603: .fill 602b-601b, 1, 0x90
++ .pushsection .altinstructions, "a"
++ altinstruction_entry 603b, 601b, X86_FEATURE_ALWAYS, 602b-601b, 602b-601b
++ .popsection
++#else
+ pax_force_retaddr (RIP-ARGOFFSET)
++#endif
++
/*
* The iretq could re-enable interrupts:
*/
-@@ -940,7 +1277,7 @@ ENTRY(retint_kernel)
+@@ -940,7 +1296,7 @@ ENTRY(retint_kernel)
#endif
CFI_ENDPROC
@@ -19943,7 +19962,7 @@ index 6274f5f..7b23dca 100644
/*
* End of kprobes section
*/
-@@ -956,7 +1293,7 @@ ENTRY(\sym)
+@@ -956,7 +1312,7 @@ ENTRY(\sym)
interrupt \do_sym
jmp ret_from_intr
CFI_ENDPROC
@@ -19952,7 +19971,7 @@ index 6274f5f..7b23dca 100644
.endm
#ifdef CONFIG_SMP
-@@ -1026,7 +1363,7 @@ ENTRY(\sym)
+@@ -1026,7 +1382,7 @@ ENTRY(\sym)
call \do_sym
jmp error_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -19961,7 +19980,7 @@ index 6274f5f..7b23dca 100644
.endm
.macro paranoidzeroentry sym do_sym
-@@ -1043,10 +1380,10 @@ ENTRY(\sym)
+@@ -1043,10 +1399,10 @@ ENTRY(\sym)
call \do_sym
jmp paranoid_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -19974,7 +19993,7 @@ index 6274f5f..7b23dca 100644
.macro paranoidzeroentry_ist sym do_sym ist
ENTRY(\sym)
INTR_FRAME
-@@ -1058,12 +1395,18 @@ ENTRY(\sym)
+@@ -1058,12 +1414,18 @@ ENTRY(\sym)
TRACE_IRQS_OFF
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
@@ -19994,7 +20013,7 @@ index 6274f5f..7b23dca 100644
.endm
.macro errorentry sym do_sym
-@@ -1080,7 +1423,7 @@ ENTRY(\sym)
+@@ -1080,7 +1442,7 @@ ENTRY(\sym)
call \do_sym
jmp error_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -20003,7 +20022,7 @@ index 6274f5f..7b23dca 100644
.endm
/* error code is on the stack already */
-@@ -1099,7 +1442,7 @@ ENTRY(\sym)
+@@ -1099,7 +1461,7 @@ ENTRY(\sym)
call \do_sym
jmp paranoid_exit /* %ebx: no swapgs flag */
CFI_ENDPROC
@@ -20012,7 +20031,7 @@ index 6274f5f..7b23dca 100644
.endm
zeroentry divide_error do_divide_error
-@@ -1129,9 +1472,10 @@ gs_change:
+@@ -1129,9 +1491,10 @@ gs_change:
2: mfence /* workaround */
SWAPGS
popfq_cfi
@@ -20024,7 +20043,7 @@ index 6274f5f..7b23dca 100644
.section __ex_table,"a"
.align 8
-@@ -1153,13 +1497,14 @@ ENTRY(kernel_thread_helper)
+@@ -1153,13 +1516,14 @@ ENTRY(kernel_thread_helper)
* Here we are in the child and the registers are set as they were
* at kernel_thread() invocation in the parent.
*/
@@ -20040,7 +20059,7 @@ index 6274f5f..7b23dca 100644
/*
* execve(). This function needs to use IRET, not SYSRET, to set up all state properly.
-@@ -1186,11 +1531,11 @@ ENTRY(kernel_execve)
+@@ -1186,11 +1550,11 @@ ENTRY(kernel_execve)
RESTORE_REST
testq %rax,%rax
je int_ret_from_sys_call
@@ -20054,7 +20073,7 @@ index 6274f5f..7b23dca 100644
/* Call softirq on interrupt stack. Interrupts are off. */
ENTRY(call_softirq)
-@@ -1208,9 +1553,10 @@ ENTRY(call_softirq)
+@@ -1208,9 +1572,10 @@ ENTRY(call_softirq)
CFI_DEF_CFA_REGISTER rsp
CFI_ADJUST_CFA_OFFSET -8
decl PER_CPU_VAR(irq_count)
@@ -20066,7 +20085,7 @@ index 6274f5f..7b23dca 100644
#ifdef CONFIG_XEN
zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1248,7 +1594,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
+@@ -1248,7 +1613,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
decl PER_CPU_VAR(irq_count)
jmp error_exit
CFI_ENDPROC
@@ -20075,7 +20094,7 @@ index 6274f5f..7b23dca 100644
/*
* Hypervisor uses this for application faults while it executes.
-@@ -1307,7 +1653,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1307,7 +1672,7 @@ ENTRY(xen_failsafe_callback)
SAVE_ALL
jmp error_exit
CFI_ENDPROC
@@ -20084,7 +20103,7 @@ index 6274f5f..7b23dca 100644
apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1356,16 +1702,31 @@ ENTRY(paranoid_exit)
+@@ -1356,16 +1721,31 @@ ENTRY(paranoid_exit)
TRACE_IRQS_OFF
testl %ebx,%ebx /* swapgs needed? */
jnz paranoid_restore
@@ -20117,7 +20136,7 @@ index 6274f5f..7b23dca 100644
jmp irq_return
paranoid_userspace:
GET_THREAD_INFO(%rcx)
-@@ -1394,7 +1755,7 @@ paranoid_schedule:
+@@ -1394,7 +1774,7 @@ paranoid_schedule:
TRACE_IRQS_OFF
jmp paranoid_userspace
CFI_ENDPROC
@@ -20126,7 +20145,7 @@ index 6274f5f..7b23dca 100644
/*
* Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1421,12 +1782,23 @@ ENTRY(error_entry)
+@@ -1421,12 +1801,23 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -20151,7 +20170,7 @@ index 6274f5f..7b23dca 100644
ret
/*
-@@ -1453,7 +1825,7 @@ bstep_iret:
+@@ -1453,7 +1844,7 @@ bstep_iret:
movq %rcx,RIP+8(%rsp)
jmp error_swapgs
CFI_ENDPROC
@@ -20160,7 +20179,7 @@ index 6274f5f..7b23dca 100644
/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1473,7 +1845,7 @@ ENTRY(error_exit)
+@@ -1473,7 +1864,7 @@ ENTRY(error_exit)
jnz retint_careful
jmp retint_swapgs
CFI_ENDPROC
@@ -20169,7 +20188,7 @@ index 6274f5f..7b23dca 100644
/* runs on exception stack */
-@@ -1485,6 +1857,7 @@ ENTRY(nmi)
+@@ -1485,6 +1876,7 @@ ENTRY(nmi)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
DEFAULT_FRAME 0
@@ -20177,7 +20196,7 @@ index 6274f5f..7b23dca 100644
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
movq $-1,%rsi
-@@ -1495,12 +1868,28 @@ ENTRY(nmi)
+@@ -1495,12 +1887,28 @@ ENTRY(nmi)
DISABLE_INTERRUPTS(CLBR_NONE)
testl %ebx,%ebx /* swapgs needed? */
jnz nmi_restore
@@ -20207,7 +20226,7 @@ index 6274f5f..7b23dca 100644
jmp irq_return
nmi_userspace:
GET_THREAD_INFO(%rcx)
-@@ -1529,14 +1918,14 @@ nmi_schedule:
+@@ -1529,14 +1937,14 @@ nmi_schedule:
jmp paranoid_exit
CFI_ENDPROC
#endif
@@ -42469,6 +42488,419 @@ index d5cda35..017af46 100644
struct device *clsdev;
int minor;
int id;
+diff --git a/drivers/media/dvb/dvb-usb/cinergyT2-core.c b/drivers/media/dvb/dvb-usb/cinergyT2-core.c
+index f9d9050..d7a9d4e 100644
+--- a/drivers/media/dvb/dvb-usb/cinergyT2-core.c
++++ b/drivers/media/dvb/dvb-usb/cinergyT2-core.c
+@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties cinergyt2_properties;
+
+ static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
+ {
+- char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
+- char result[64];
+- return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
+- sizeof(result), 0);
++ char *buf;
++ char *result;
++ int retval;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
++ result = kmalloc(64, GFP_KERNEL);
++ if (result == NULL) {
++ kfree(buf);
++ return -ENOMEM;
++ }
++
++ buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
++ buf[1] = enable ? 1 : 0;
++
++ retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
++
++ kfree(buf);
++ kfree(result);
++ return retval;
+ }
+
+ static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
+ {
+- char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
+- char state[3];
+- return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
++ char *buf;
++ char *state;
++ int retval;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (buf == NULL)
++ return -ENOMEM;
++ state = kmalloc(3, GFP_KERNEL);
++ if (state == NULL) {
++ kfree(buf);
++ return -ENOMEM;
++ }
++
++ buf[0] = CINERGYT2_EP1_SLEEP_MODE;
++ buf[1] = enable ? 1 : 0;
++
++ retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
++
++ kfree(buf);
++ kfree(state);
++ return retval;
+ }
+
+ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+- char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
+- char state[3];
++ char *query;
++ char *state;
+ int ret;
++ query = kmalloc(1, GFP_KERNEL);
++ if (query == NULL)
++ return -ENOMEM;
++ state = kmalloc(3, GFP_KERNEL);
++ if (state == NULL) {
++ kfree(query);
++ return -ENOMEM;
++ }
++
++ query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
+
+ adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
+
+- ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
+- sizeof(state), 0);
++ ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
+ if (ret < 0) {
+ deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
+ "state info\n");
+@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+
+ /* Copy this pointer as we are gonna need it in the release phase */
+ cinergyt2_usb_device = adap->dev;
+-
++ kfree(query);
++ kfree(state);
+ return 0;
+ }
+
+@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
+ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
+ struct cinergyt2_state *st = d->priv;
+- u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
++ u8 *key, *cmd;
+ int i;
+
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -EINVAL;
++ key = kzalloc(5, GFP_KERNEL);
++ if (key == NULL) {
++ kfree(cmd);
++ return -EINVAL;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
++
+ *state = REMOTE_NO_KEY_PRESSED;
+
+- dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
++ dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
+ if (key[4] == 0xff) {
+ /* key repeat */
+ st->rc_counter++;
+@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ *event = d->last_event;
+ deb_rc("repeat key, event %x\n",
+ *event);
+- return 0;
++ goto out;
+ }
+ }
+ deb_rc("repeated key (non repeatable)\n");
+ }
+- return 0;
++ goto out;
+ }
+
+ /* hack to pass checksum on the custom field */
+@@ -175,6 +231,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ deb_rc("key: %x %x %x %x %x\n",
+ key[0], key[1], key[2], key[3], key[4]);
+ }
++out:
++ kfree(cmd);
++ kfree(key);
+ return 0;
+ }
+
+diff --git a/drivers/media/dvb/dvb-usb/cinergyT2-fe.c b/drivers/media/dvb/dvb-usb/cinergyT2-fe.c
+index 9cd51ac..0967e20 100644
+--- a/drivers/media/dvb/dvb-usb/cinergyT2-fe.c
++++ b/drivers/media/dvb/dvb-usb/cinergyT2-fe.c
+@@ -146,103 +146,176 @@ static int cinergyt2_fe_read_status(struct dvb_frontend *fe,
+ fe_status_t *status)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg result;
+- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *result;
++ u8 *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
+- sizeof(result), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ result = kmalloc(sizeof(*result), GFP_KERNEL);
++ if (result == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
++ sizeof(*result), 0);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ *status = 0;
+
+- if (0xffff - le16_to_cpu(result.gain) > 30)
++ if (0xffff - le16_to_cpu(result->gain) > 30)
+ *status |= FE_HAS_SIGNAL;
+- if (result.lock_bits & (1 << 6))
++ if (result->lock_bits & (1 << 6))
+ *status |= FE_HAS_LOCK;
+- if (result.lock_bits & (1 << 5))
++ if (result->lock_bits & (1 << 5))
+ *status |= FE_HAS_SYNC;
+- if (result.lock_bits & (1 << 4))
++ if (result->lock_bits & (1 << 4))
+ *status |= FE_HAS_CARRIER;
+- if (result.lock_bits & (1 << 1))
++ if (result->lock_bits & (1 << 1))
+ *status |= FE_HAS_VITERBI;
+
+ if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
+ (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
+ *status &= ~FE_HAS_LOCK;
+
+- return 0;
++out:
++ kfree(cmd);
++ kfree(result);
++ return ret;
+ }
+
+ static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+- *ber = le32_to_cpu(status.viterbi_error_rate);
++ *ber = le32_to_cpu(status->viterbi_error_rate);
++out:
++ kfree(cmd);
++ kfree(status);
+ return 0;
+ }
+
+ static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ u8 *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
+ ret);
+- return ret;
++ goto out;
+ }
+- *unc = le32_to_cpu(status.uncorrected_block_count);
+- return 0;
++ *unc = le32_to_cpu(status->uncorrected_block_count);
++
++out:
++ kfree(cmd);
++ kfree(status);
++ return ret;
+ }
+
+ static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
+ u16 *strength)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_signal_strength() Failed!"
+ " (Error=%d)\n", ret);
+- return ret;
++ goto out;
+ }
+- *strength = (0xffff - le16_to_cpu(status.gain));
++ *strength = (0xffff - le16_to_cpu(status->gain));
++
++out:
++ kfree(cmd);
++ kfree(status);
+ return 0;
+ }
+
+ static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_get_status_msg status;
+- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++ struct dvbt_get_status_msg *status;
++ char *cmd;
+ int ret;
+
+- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+- sizeof(status), 0);
++ cmd = kmalloc(1, GFP_KERNEL);
++ if (cmd == NULL)
++ return -ENOMEM;
++ status = kmalloc(sizeof(*status), GFP_KERNEL);
++ if (status == NULL) {
++ kfree(cmd);
++ return -ENOMEM;
++ }
++
++ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++ sizeof(*status), 0);
+ if (ret < 0) {
+ err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
+- return ret;
++ goto out;
+ }
+- *snr = (status.snr << 8) | status.snr;
+- return 0;
++ *snr = (status->snr << 8) | status->snr;
++
++out:
++ kfree(cmd);
++ kfree(status);
++ return ret;
+ }
+
+ static int cinergyt2_fe_init(struct dvb_frontend *fe)
+@@ -267,23 +340,34 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend *fe,
+ struct dvb_frontend_parameters *fep)
+ {
+ struct cinergyt2_fe_state *state = fe->demodulator_priv;
+- struct dvbt_set_parameters_msg param;
+- char result[2];
++ struct dvbt_set_parameters_msg *param;
++ char *result;
+ int err;
+
+- param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
+- param.tps = cpu_to_le16(compute_tps(fep));
+- param.freq = cpu_to_le32(fep->frequency / 1000);
+- param.bandwidth = 8 - fep->u.ofdm.bandwidth - BANDWIDTH_8_MHZ;
+- param.flags = 0;
++ result = kmalloc(2, GFP_KERNEL);
++ if (result == NULL)
++ return -ENOMEM;
++ param = kmalloc(sizeof(*param), GFP_KERNEL);
++ if (param == NULL) {
++ kfree(result);
++ return -ENOMEM;
++ }
++
++ param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
++ param->tps = cpu_to_le16(compute_tps(fep));
++ param->freq = cpu_to_le32(fep->frequency / 1000);
++ param->bandwidth = 8 - fep->u.ofdm.bandwidth - BANDWIDTH_8_MHZ;
++ param->flags = 0;
+
+ err = dvb_usb_generic_rw(state->d,
+- (char *)&param, sizeof(param),
+- result, sizeof(result), 0);
++ (char *)param, sizeof(*param),
++ result, 2, 0);
+ if (err < 0)
+ err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
+
+- return (err < 0) ? err : 0;
++ kfree(result);
++ kfree(param);
++ return err;
+ }
+
+ static int cinergyt2_fe_get_frontend(struct dvb_frontend *fe,
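Review bot: In cinergyt2_fe_set_frontend the reply length is now the bare literal `2` in two unrelated places, `kmalloc(2, GFP_KERNEL)` and the `result, 2, 0` arguments to dvb_usb_generic_rw(), where the old code tied the length to the buffer with `sizeof(result)`. If one of the two is later edited without the other, the receive length can exceed the heap allocation, and the bytes written there come from the USB device. A single local such as `const size_t result_len = 2;`, used as `kmalloc(result_len, GFP_KERNEL)` and `result, result_len, 0`, would keep them coupled. The error path here is sound, since `return err;` propagates the failure after both kfree() calls. By contrast, cinergyt2_fe_read_ber and cinergyt2_fe_read_signal_strength earlier in this file's diff still reach `return 0;` through `out:`, so a failed transfer there is reported as success with the output value unset; `return ret;` as in cinergyt2_fe_read_snr would fix it.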
diff --git a/drivers/media/dvb/dvb-usb/cxusb.c b/drivers/media/dvb/dvb-usb/cxusb.c
index 9f2a02c..5920f88 100644
--- a/drivers/media/dvb/dvb-usb/cxusb.c