authorAnthony G. Basile <blueness@gentoo.org>2015-05-19 18:32:57 -0400
committerAnthony G. Basile <blueness@gentoo.org>2015-05-19 18:32:57 -0400
commit12a8a929cf98bbbf36cb9288eb3e03583ebc83e2 (patch)
treef239b9d543005b1181ca009f4a564b62d6e9c7b1
parentGrsec/PaX: 3.1-{3.2.69,3.14.43,4.0.4}-201505171737 (diff)
downloadhardened-patchset-12a8a929cf98bbbf36cb9288eb3e03583ebc83e2.tar.gz
hardened-patchset-12a8a929cf98bbbf36cb9288eb3e03583ebc83e2.tar.bz2
hardened-patchset-12a8a929cf98bbbf36cb9288eb3e03583ebc83e2.zip
Grsec/PaX: 3.1-{3.2.69,3.14.43,4.0.4}-20150519173720150519
-rw-r--r--3.14.43/0000_README2
-rw-r--r--3.14.43/4420_grsecurity-3.1-3.14.43-201505191737.patch (renamed from 3.14.43/4420_grsecurity-3.1-3.14.43-201505171736.patch)69
-rw-r--r--3.2.69/0000_README2
-rw-r--r--3.2.69/4420_grsecurity-3.1-3.2.69-201505181926.patch (renamed from 3.2.69/4420_grsecurity-3.1-3.2.69-201505171733.patch)45
-rw-r--r--4.0.4/0000_README2
-rw-r--r--4.0.4/4420_grsecurity-3.1-4.0.4-201505182014.patch (renamed from 4.0.4/4420_grsecurity-3.1-4.0.4-201505171737.patch)67
6 files changed, 105 insertions, 82 deletions
diff --git a/3.14.43/0000_README b/3.14.43/0000_README
index 4d622d2..7c172ce 100644
--- a/3.14.43/0000_README
+++ b/3.14.43/0000_README
@@ -10,7 +10,7 @@ Patch: 1042_linux-3.14.43.patch
From: http://www.kernel.org
Desc: Linux 3.14.43
-Patch: 4420_grsecurity-3.1-3.14.43-201505171736.patch
+Patch: 4420_grsecurity-3.1-3.14.43-201505191737.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.43/4420_grsecurity-3.1-3.14.43-201505171736.patch b/3.14.43/4420_grsecurity-3.1-3.14.43-201505191737.patch
index ed7265a..b7de7fd 100644
--- a/3.14.43/4420_grsecurity-3.1-3.14.43-201505171736.patch
+++ b/3.14.43/4420_grsecurity-3.1-3.14.43-201505191737.patch
@@ -18148,7 +18148,7 @@ index ed5903b..c7fe163 100644
#define MODULES_END VMALLOC_END
#define MODULES_LEN (MODULES_VADDR - MODULES_END)
diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
-index d869931..aeba032 100644
+index d869931..9aff880 100644
--- a/arch/x86/include/asm/pgtable_64.h
+++ b/arch/x86/include/asm/pgtable_64.h
@@ -16,11 +16,16 @@
@@ -18162,9 +18162,10 @@ index d869931..aeba032 100644
extern pmd_t level2_kernel_pgt[512];
extern pmd_t level2_fixmap_pgt[512];
-extern pmd_t level2_ident_pgt[512];
-+extern pmd_t level2_ident_pgt[512*2];
- extern pte_t level1_fixmap_pgt[512];
+-extern pte_t level1_fixmap_pgt[512];
-extern pgd_t init_level4_pgt[];
++extern pmd_t level2_ident_pgt[2][512];
++extern pte_t level1_fixmap_pgt[3][512];
+extern pte_t level1_vsyscall_pgt[512];
+extern pgd_t init_level4_pgt[512];
@@ -36361,7 +36362,7 @@ index 201d09a..2302db1 100644
#ifdef CONFIG_ACPI_NUMA
diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
-index c83da6f..9d019b4 100644
+index c83da6f..7dd4fbc 100644
--- a/arch/x86/xen/mmu.c
+++ b/arch/x86/xen/mmu.c
@@ -379,7 +379,7 @@ static pteval_t pte_mfn_to_pfn(pteval_t val)
@@ -36386,7 +36387,7 @@ index c83da6f..9d019b4 100644
convert_pfn_mfn(level2_fixmap_pgt);
}
/* We get [511][511] and have Xen's version of level2_kernel_pgt */
-@@ -1929,11 +1933,16 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
+@@ -1929,11 +1933,18 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
@@ -36398,12 +36399,15 @@ index c83da6f..9d019b4 100644
+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO);
+- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO);
++ set_page_prot(level1_fixmap_pgt[0], PAGE_KERNEL_RO);
++ set_page_prot(level1_fixmap_pgt[1], PAGE_KERNEL_RO);
++ set_page_prot(level1_fixmap_pgt[2], PAGE_KERNEL_RO);
+ set_page_prot(level1_vsyscall_pgt, PAGE_KERNEL_RO);
/* Pin down new L4 */
pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,
-@@ -2120,6 +2129,7 @@ static void __init xen_post_allocator_init(void)
+@@ -2120,6 +2131,7 @@ static void __init xen_post_allocator_init(void)
pv_mmu_ops.set_pud = xen_set_pud;
#if PAGETABLE_LEVELS == 4
pv_mmu_ops.set_pgd = xen_set_pgd;
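Review bot: The three explicit calls `set_page_prot(level1_fixmap_pgt[0..2], PAGE_KERNEL_RO)` in xen_setup_kernel_pagetable hard-code the first dimension that the pgtable_64.h hunk of this same patch declares as `level1_fixmap_pgt[3][512]`. If that count changes again, a fixmap page table page would be left writable ahead of the "Pin down new L4" step that follows. Tying the calls to the declaration avoids that: `for (i = 0; i < ARRAY_SIZE(level1_fixmap_pgt); i++) set_page_prot(level1_fixmap_pgt[i], PAGE_KERNEL_RO);`, with `i` declared at the top of the function, which starts outside this hunk. Whether both pages of `level2_ident_pgt[2][512]` are also made read-only is not visible in these lines and is worth confirming. The 4.0.4 patch carries the same arch/x86/xen/mmu.c change.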
@@ -36411,7 +36415,7 @@ index c83da6f..9d019b4 100644
#endif
/* This will work as long as patching hasn't happened yet
-@@ -2198,6 +2208,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
+@@ -2198,6 +2210,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
.pud_val = PV_CALLEE_SAVE(xen_pud_val),
.make_pud = PV_CALLEE_SAVE(xen_make_pud),
.set_pgd = xen_set_pgd_hyper,
@@ -71412,7 +71416,7 @@ index 0000000..30ababb
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..6d31b72
+index 0000000..d03be1d
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,2725 @@
@@ -71566,7 +71570,7 @@ index 0000000..6d31b72
+ return gr_task_roletype_to_char(current);
+}
+
-+__inline__ int
++int
+gr_acl_tpe_check(void)
+{
+ if (unlikely(!(gr_status & GR_READY)))
@@ -71797,7 +71801,7 @@ index 0000000..6d31b72
+ PAGE_SIZE);
+}
+
-+__inline__ __u32
++__u32
+to_gr_audit(const __u32 reqmode)
+{
+ /* masks off auditable permission flags, then shifts them to create
@@ -72272,7 +72276,7 @@ index 0000000..6d31b72
+ return retval;
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
+ struct dentry *curr_dentry,
+ const struct acl_subject_label *subj, char **path, const int checkglob)
@@ -72377,7 +72381,7 @@ index 0000000..6d31b72
+ return retval;
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+ const struct acl_subject_label *subj)
+{
@@ -72385,7 +72389,7 @@ index 0000000..6d31b72
+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+ const struct acl_subject_label *subj)
+{
@@ -72393,7 +72397,7 @@ index 0000000..6d31b72
+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+ const struct acl_subject_label *subj, char *path)
+{
@@ -74143,7 +74147,7 @@ index 0000000..6d31b72
+
diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c
new file mode 100644
-index 0000000..18ffbbd
+index 0000000..9adc75c
--- /dev/null
+++ b/grsecurity/gracl_alloc.c
@@ -0,0 +1,105 @@
@@ -74157,7 +74161,7 @@ index 0000000..18ffbbd
+static struct gr_alloc_state __current_alloc_state = { 1, 1, NULL };
+struct gr_alloc_state *current_alloc_state = &__current_alloc_state;
+
-+static __inline__ int
++static int
+alloc_pop(void)
+{
+ if (current_alloc_state->alloc_stack_next == 1)
@@ -74170,7 +74174,7 @@ index 0000000..18ffbbd
+ return 1;
+}
+
-+static __inline__ int
++static int
+alloc_push(void *buf)
+{
+ if (current_alloc_state->alloc_stack_next >= current_alloc_state->alloc_stack_size)
@@ -77573,7 +77577,7 @@ index 0000000..39645c9
+}
diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
new file mode 100644
-index 0000000..218b66b
+index 0000000..35d9e65
--- /dev/null
+++ b/grsecurity/gracl_segv.c
@@ -0,0 +1,324 @@
@@ -77678,7 +77682,7 @@ index 0000000..218b66b
+ return -1;
+}
+
-+static __inline__ void
++static void
+gr_insertsort(void)
+{
+ unsigned short i, j;
@@ -77697,7 +77701,7 @@ index 0000000..218b66b
+ return;
+}
+
-+static __inline__ void
++static void
+gr_insert_uid(const kuid_t kuid, const unsigned long expires)
+{
+ int loc;
@@ -77763,7 +77767,7 @@ index 0000000..218b66b
+ return ret;
+}
+
-+static __inline__ int
++static int
+proc_is_setxid(const struct cred *cred)
+{
+ if (!uid_eq(cred->uid, cred->euid) || !uid_eq(cred->uid, cred->suid) ||
@@ -80393,7 +80397,7 @@ index 0000000..3860c7e
+}
diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c
new file mode 100644
-index 0000000..e3650b6
+index 0000000..a523bd2
--- /dev/null
+++ b/grsecurity/grsec_sock.c
@@ -0,0 +1,244 @@
@@ -80437,13 +80441,13 @@ index 0000000..e3650b6
+extern const char * gr_proto_to_name(unsigned char proto);
+extern const char * gr_sockfamily_to_name(unsigned char family);
+
-+static __inline__ int
++static int
+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
+{
+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
+}
+
-+static __inline__ int
++static int
+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
+ __u16 sport, __u16 dport)
+{
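Review bot: In `conn_hash`, `sport` and `dport` are `__u16` and are promoted to signed `int` before the shifts, so `dport << 16` overflows `int` for any port of 32768 or above, which is undefined behaviour in ISO C (the kernel's build flags may make it wrap in practice, but that is not visible here). Casting first keeps the arithmetic unsigned: `return ((daddr + saddr + ((__u32)sport << 8) + ((__u32)dport << 16)) % size);`. `size` is also used as a divisor with no check, so the callers, which are outside this hunk, must guarantee it is non-zero. The same function appears in the grsec_sock.c hunks of the 3.2.69 and 4.0.4 patches; the body of `conn_match` continues outside the hunk.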
@@ -82462,10 +82466,10 @@ index 2507fd2..55203f8 100644
* Mark a position in code as unreachable. This can be used to
* suppress control flow warnings after asm blocks that transfer
diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h
-index cdd1cc2..2401b2e 100644
+index cdd1cc2..9c1ee22 100644
--- a/include/linux/compiler-gcc5.h
+++ b/include/linux/compiler-gcc5.h
-@@ -28,6 +28,26 @@
+@@ -28,6 +28,31 @@
# define __compiletime_error(message) __attribute__((error(message)))
#endif /* __CHECKER__ */
@@ -82474,6 +82478,11 @@ index cdd1cc2..2401b2e 100644
+#define __bos0(ptr) __bos((ptr), 0)
+#define __bos1(ptr) __bos((ptr), 1)
+
++#ifdef RANDSTRUCT_PLUGIN
++#define __randomize_layout __attribute__((randomize_layout))
++#define __no_randomize_layout __attribute__((no_randomize_layout))
++#endif
++
+#ifdef CONSTIFY_PLUGIN
+#define __no_const __attribute__((no_const))
+#define __do_const __attribute__((do_const))
@@ -82492,7 +82501,7 @@ index cdd1cc2..2401b2e 100644
/*
* Mark a position in code as unreachable. This can be used to
* suppress control flow warnings after asm blocks that transfer
-@@ -53,7 +73,6 @@
+@@ -53,7 +78,6 @@
* http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
*
* Work it around via a compiler barrier quirk suggested by Jakub Jelinek.
@@ -128553,7 +128562,7 @@ index 0000000..1d296ce
+}
diff --git a/tools/gcc/structleak_plugin.c b/tools/gcc/structleak_plugin.c
new file mode 100644
-index 0000000..4436cbe
+index 0000000..e9dbd4b
--- /dev/null
+++ b/tools/gcc/structleak_plugin.c
@@ -0,0 +1,287 @@
@@ -128822,7 +128831,7 @@ index 0000000..4436cbe
+ return 1;
+ }
+
-+ if (strncmp(lang_hooks.name, "GNU C", 5) || !strncmp(lang_hooks.name, "GNU C+", 6)) {
++ if (strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)) {
+ inform(UNKNOWN_LOCATION, G_("%s supports C only"), plugin_name);
+ enable = false;
+ }
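Review bot: The rewritten condition `strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)` can never be true. Its first operand is non-zero only when the name does not begin with "GNU C", and its second only when the name begins with "GNU C+", which already implies the "GNU C" prefix. As written the "supports C only" branch is dead and `enable` is never cleared for a non-C front end, so the structleak pass would stay active there. The previous `||` form rejected both a non-"GNU C" name and a "GNU C+" name while still accepting any other name starting with "GNU C"; unless there is a reason not shown here, keep `if (strncmp(lang_hooks.name, "GNU C", 5) || !strncmp(lang_hooks.name, "GNU C+", 6)) {`. The 4.0.4 patch's tools/gcc/structleak_plugin.c hunk makes the same change; the enclosing function starts outside the hunk.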
diff --git a/3.2.69/0000_README b/3.2.69/0000_README
index f609422..8bf4976 100644
--- a/3.2.69/0000_README
+++ b/3.2.69/0000_README
@@ -194,7 +194,7 @@ Patch: 1068_linux-3.2.69.patch
From: http://www.kernel.org
Desc: Linux 3.2.69
-Patch: 4420_grsecurity-3.1-3.2.69-201505171733.patch
+Patch: 4420_grsecurity-3.1-3.2.69-201505181926.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201505171733.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201505181926.patch
index 93f7def..b43610c 100644
--- a/3.2.69/4420_grsecurity-3.1-3.2.69-201505171733.patch
+++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201505181926.patch
@@ -69240,7 +69240,7 @@ index 0000000..30ababb
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..1b75b8a
+index 0000000..18911e9
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,2873 @@
@@ -69398,7 +69398,7 @@ index 0000000..1b75b8a
+ return gr_task_roletype_to_char(current);
+}
+
-+__inline__ int
++int
+gr_acl_tpe_check(void)
+{
+ if (unlikely(!(gr_status & GR_READY)))
@@ -69627,7 +69627,7 @@ index 0000000..1b75b8a
+ PAGE_SIZE);
+}
+
-+__inline__ __u32
++__u32
+to_gr_audit(const __u32 reqmode)
+{
+ /* masks off auditable permission flags, then shifts them to create
@@ -70102,7 +70102,7 @@ index 0000000..1b75b8a
+ return retval;
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
+ struct dentry *curr_dentry,
+ const struct acl_subject_label *subj, char **path, const int checkglob)
@@ -70191,7 +70191,7 @@ index 0000000..1b75b8a
+ return retval;
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+ const struct acl_subject_label *subj)
+{
@@ -70199,7 +70199,7 @@ index 0000000..1b75b8a
+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+ const struct acl_subject_label *subj)
+{
@@ -70207,7 +70207,7 @@ index 0000000..1b75b8a
+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+ const struct acl_subject_label *subj, char *path)
+{
@@ -72119,7 +72119,7 @@ index 0000000..1b75b8a
+
diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c
new file mode 100644
-index 0000000..18ffbbd
+index 0000000..9adc75c
--- /dev/null
+++ b/grsecurity/gracl_alloc.c
@@ -0,0 +1,105 @@
@@ -72133,7 +72133,7 @@ index 0000000..18ffbbd
+static struct gr_alloc_state __current_alloc_state = { 1, 1, NULL };
+struct gr_alloc_state *current_alloc_state = &__current_alloc_state;
+
-+static __inline__ int
++static int
+alloc_pop(void)
+{
+ if (current_alloc_state->alloc_stack_next == 1)
@@ -72146,7 +72146,7 @@ index 0000000..18ffbbd
+ return 1;
+}
+
-+static __inline__ int
++static int
+alloc_push(void *buf)
+{
+ if (current_alloc_state->alloc_stack_next >= current_alloc_state->alloc_stack_size)
@@ -75539,7 +75539,7 @@ index 0000000..39645c9
+}
diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
new file mode 100644
-index 0000000..275df2d
+index 0000000..8769655
--- /dev/null
+++ b/grsecurity/gracl_segv.c
@@ -0,0 +1,320 @@
@@ -75644,7 +75644,7 @@ index 0000000..275df2d
+ return -1;
+}
+
-+static __inline__ void
++static void
+gr_insertsort(void)
+{
+ unsigned short i, j;
@@ -75663,7 +75663,7 @@ index 0000000..275df2d
+ return;
+}
+
-+static __inline__ void
++static void
+gr_insert_uid(const uid_t uid, const unsigned long expires)
+{
+ int loc;
@@ -75725,7 +75725,7 @@ index 0000000..275df2d
+ return ret;
+}
+
-+static __inline__ int
++static int
+proc_is_setxid(const struct cred *cred)
+{
+ if (cred->uid != cred->euid || cred->uid != cred->suid ||
@@ -78325,7 +78325,7 @@ index 0000000..c6a07aa
+}
diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c
new file mode 100644
-index 0000000..e3650b6
+index 0000000..a523bd2
--- /dev/null
+++ b/grsecurity/grsec_sock.c
@@ -0,0 +1,244 @@
@@ -78369,13 +78369,13 @@ index 0000000..e3650b6
+extern const char * gr_proto_to_name(unsigned char proto);
+extern const char * gr_sockfamily_to_name(unsigned char family);
+
-+static __inline__ int
++static int
+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
+{
+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
+}
+
-+static __inline__ int
++static int
+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
+ __u16 sport, __u16 dport)
+{
@@ -80559,10 +80559,10 @@ index 59a7e4c..8feb590 100644
#if __GNUC_MINOR__ > 0
diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h
-index cdd1cc2..2401b2e 100644
+index cdd1cc2..9c1ee22 100644
--- a/include/linux/compiler-gcc5.h
+++ b/include/linux/compiler-gcc5.h
-@@ -28,6 +28,26 @@
+@@ -28,6 +28,31 @@
# define __compiletime_error(message) __attribute__((error(message)))
#endif /* __CHECKER__ */
@@ -80571,6 +80571,11 @@ index cdd1cc2..2401b2e 100644
+#define __bos0(ptr) __bos((ptr), 0)
+#define __bos1(ptr) __bos((ptr), 1)
+
++#ifdef RANDSTRUCT_PLUGIN
++#define __randomize_layout __attribute__((randomize_layout))
++#define __no_randomize_layout __attribute__((no_randomize_layout))
++#endif
++
+#ifdef CONSTIFY_PLUGIN
+#define __no_const __attribute__((no_const))
+#define __do_const __attribute__((do_const))
@@ -80589,7 +80594,7 @@ index cdd1cc2..2401b2e 100644
/*
* Mark a position in code as unreachable. This can be used to
* suppress control flow warnings after asm blocks that transfer
-@@ -53,7 +73,6 @@
+@@ -53,7 +78,6 @@
* http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
*
* Work it around via a compiler barrier quirk suggested by Jakub Jelinek.
diff --git a/4.0.4/0000_README b/4.0.4/0000_README
index a4f7b92..cb9fc17 100644
--- a/4.0.4/0000_README
+++ b/4.0.4/0000_README
@@ -6,7 +6,7 @@ Patch: 1003_linux-4.0.4.patch
From: http://www.kernel.org
Desc: Linux 4.0.4
-Patch: 4420_grsecurity-3.1-4.0.4-201505171737.patch
+Patch: 4420_grsecurity-3.1-4.0.4-201505182014.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.0.4/4420_grsecurity-3.1-4.0.4-201505171737.patch b/4.0.4/4420_grsecurity-3.1-4.0.4-201505182014.patch
index 6314571..55969fb 100644
--- a/4.0.4/4420_grsecurity-3.1-4.0.4-201505171737.patch
+++ b/4.0.4/4420_grsecurity-3.1-4.0.4-201505182014.patch
@@ -18252,7 +18252,7 @@ index 9fb2f2b..b04b4bf 100644
#define MODULES_END VMALLOC_END
#define MODULES_LEN (MODULES_VADDR - MODULES_END)
diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
-index 2ee7811..db41d8c 100644
+index 2ee7811..55aca24 100644
--- a/arch/x86/include/asm/pgtable_64.h
+++ b/arch/x86/include/asm/pgtable_64.h
@@ -16,11 +16,16 @@
@@ -18266,9 +18266,10 @@ index 2ee7811..db41d8c 100644
extern pmd_t level2_kernel_pgt[512];
extern pmd_t level2_fixmap_pgt[512];
-extern pmd_t level2_ident_pgt[512];
-+extern pmd_t level2_ident_pgt[512*2];
- extern pte_t level1_fixmap_pgt[512];
+-extern pte_t level1_fixmap_pgt[512];
-extern pgd_t init_level4_pgt[];
++extern pmd_t level2_ident_pgt[2][512];
++extern pte_t level1_fixmap_pgt[3][512];
+extern pte_t level1_vsyscall_pgt[512];
+extern pgd_t init_level4_pgt[512];
@@ -35907,7 +35908,7 @@ index 5240f56..0c12163 100644
#ifdef CONFIG_ACPI_NUMA
diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
-index adca9e2..35d6a98 100644
+index adca9e2..cdba9d1 100644
--- a/arch/x86/xen/mmu.c
+++ b/arch/x86/xen/mmu.c
@@ -379,7 +379,7 @@ static pteval_t pte_mfn_to_pfn(pteval_t val)
@@ -35931,7 +35932,7 @@ index adca9e2..35d6a98 100644
convert_pfn_mfn(level2_fixmap_pgt);
}
/* We get [511][511] and have Xen's version of level2_kernel_pgt */
-@@ -1860,11 +1864,16 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
+@@ -1860,11 +1864,18 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
@@ -35943,12 +35944,15 @@ index adca9e2..35d6a98 100644
+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO);
+- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO);
++ set_page_prot(level1_fixmap_pgt[0], PAGE_KERNEL_RO);
++ set_page_prot(level1_fixmap_pgt[1], PAGE_KERNEL_RO);
++ set_page_prot(level1_fixmap_pgt[2], PAGE_KERNEL_RO);
+ set_page_prot(level1_vsyscall_pgt, PAGE_KERNEL_RO);
/* Pin down new L4 */
pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,
-@@ -2048,6 +2057,7 @@ static void __init xen_post_allocator_init(void)
+@@ -2048,6 +2059,7 @@ static void __init xen_post_allocator_init(void)
pv_mmu_ops.set_pud = xen_set_pud;
#if PAGETABLE_LEVELS == 4
pv_mmu_ops.set_pgd = xen_set_pgd;
@@ -35956,7 +35960,7 @@ index adca9e2..35d6a98 100644
#endif
/* This will work as long as patching hasn't happened yet
-@@ -2126,6 +2136,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
+@@ -2126,6 +2138,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
.pud_val = PV_CALLEE_SAVE(xen_pud_val),
.make_pud = PV_CALLEE_SAVE(xen_make_pud),
.set_pgd = xen_set_pgd_hyper,
@@ -70792,7 +70796,7 @@ index 0000000..30ababb
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..f83bf15
+index 0000000..811af1f
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,2749 @@
@@ -70946,7 +70950,7 @@ index 0000000..f83bf15
+ return gr_task_roletype_to_char(current);
+}
+
-+__inline__ int
++int
+gr_acl_tpe_check(void)
+{
+ if (unlikely(!(gr_status & GR_READY)))
@@ -71177,7 +71181,7 @@ index 0000000..f83bf15
+ PAGE_SIZE);
+}
+
-+__inline__ __u32
++__u32
+to_gr_audit(const __u32 reqmode)
+{
+ /* masks off auditable permission flags, then shifts them to create
@@ -71652,7 +71656,7 @@ index 0000000..f83bf15
+ return retval;
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
+ struct dentry *curr_dentry,
+ const struct acl_subject_label *subj, char **path, const int checkglob)
@@ -71757,7 +71761,7 @@ index 0000000..f83bf15
+ return retval;
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+ const struct acl_subject_label *subj)
+{
@@ -71765,7 +71769,7 @@ index 0000000..f83bf15
+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+ const struct acl_subject_label *subj)
+{
@@ -71773,7 +71777,7 @@ index 0000000..f83bf15
+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
+}
+
-+static __inline__ struct acl_object_label *
++static struct acl_object_label *
+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
+ const struct acl_subject_label *subj, char *path)
+{
@@ -73547,7 +73551,7 @@ index 0000000..f83bf15
+
diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c
new file mode 100644
-index 0000000..18ffbbd
+index 0000000..9adc75c
--- /dev/null
+++ b/grsecurity/gracl_alloc.c
@@ -0,0 +1,105 @@
@@ -73561,7 +73565,7 @@ index 0000000..18ffbbd
+static struct gr_alloc_state __current_alloc_state = { 1, 1, NULL };
+struct gr_alloc_state *current_alloc_state = &__current_alloc_state;
+
-+static __inline__ int
++static int
+alloc_pop(void)
+{
+ if (current_alloc_state->alloc_stack_next == 1)
@@ -73574,7 +73578,7 @@ index 0000000..18ffbbd
+ return 1;
+}
+
-+static __inline__ int
++static int
+alloc_push(void *buf)
+{
+ if (current_alloc_state->alloc_stack_next >= current_alloc_state->alloc_stack_size)
@@ -76985,7 +76989,7 @@ index 0000000..39645c9
+}
diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
new file mode 100644
-index 0000000..218b66b
+index 0000000..35d9e65
--- /dev/null
+++ b/grsecurity/gracl_segv.c
@@ -0,0 +1,324 @@
@@ -77090,7 +77094,7 @@ index 0000000..218b66b
+ return -1;
+}
+
-+static __inline__ void
++static void
+gr_insertsort(void)
+{
+ unsigned short i, j;
@@ -77109,7 +77113,7 @@ index 0000000..218b66b
+ return;
+}
+
-+static __inline__ void
++static void
+gr_insert_uid(const kuid_t kuid, const unsigned long expires)
+{
+ int loc;
@@ -77175,7 +77179,7 @@ index 0000000..218b66b
+ return ret;
+}
+
-+static __inline__ int
++static int
+proc_is_setxid(const struct cred *cred)
+{
+ if (!uid_eq(cred->uid, cred->euid) || !uid_eq(cred->uid, cred->suid) ||
@@ -79805,7 +79809,7 @@ index 0000000..3860c7e
+}
diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c
new file mode 100644
-index 0000000..e3650b6
+index 0000000..a523bd2
--- /dev/null
+++ b/grsecurity/grsec_sock.c
@@ -0,0 +1,244 @@
@@ -79849,13 +79853,13 @@ index 0000000..e3650b6
+extern const char * gr_proto_to_name(unsigned char proto);
+extern const char * gr_sockfamily_to_name(unsigned char family);
+
-+static __inline__ int
++static int
+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
+{
+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
+}
+
-+static __inline__ int
++static int
+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
+ __u16 sport, __u16 dport)
+{
@@ -81918,10 +81922,10 @@ index 769e198..f670585 100644
* Mark a position in code as unreachable. This can be used to
* suppress control flow warnings after asm blocks that transfer
diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h
-index efee493..c388661 100644
+index efee493..06f9f63 100644
--- a/include/linux/compiler-gcc5.h
+++ b/include/linux/compiler-gcc5.h
-@@ -28,6 +28,25 @@
+@@ -28,6 +28,30 @@
# define __compiletime_error(message) __attribute__((error(message)))
#endif /* __CHECKER__ */
@@ -81930,6 +81934,11 @@ index efee493..c388661 100644
+#define __bos0(ptr) __bos((ptr), 0)
+#define __bos1(ptr) __bos((ptr), 1)
+
++#ifdef RANDSTRUCT_PLUGIN
++#define __randomize_layout __attribute__((randomize_layout))
++#define __no_randomize_layout __attribute__((no_randomize_layout))
++#endif
++
+#ifdef CONSTIFY_PLUGIN
+#define __no_const __attribute__((no_const))
+#define __do_const __attribute__((do_const))
@@ -150212,7 +150221,7 @@ index 0000000..1d296ce
+}
diff --git a/tools/gcc/structleak_plugin.c b/tools/gcc/structleak_plugin.c
new file mode 100644
-index 0000000..4436cbe
+index 0000000..e9dbd4b
--- /dev/null
+++ b/tools/gcc/structleak_plugin.c
@@ -0,0 +1,287 @@
@@ -150481,7 +150490,7 @@ index 0000000..4436cbe
+ return 1;
+ }
+
-+ if (strncmp(lang_hooks.name, "GNU C", 5) || !strncmp(lang_hooks.name, "GNU C+", 6)) {
++ if (strncmp(lang_hooks.name, "GNU C", 5) && !strncmp(lang_hooks.name, "GNU C+", 6)) {
+ inform(UNKNOWN_LOCATION, G_("%s supports C only"), plugin_name);
+ enable = false;
+ }