commit: a6229b99579efd5285746356612b4c3e70b6c407
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 1 22:16:19 2015 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Jul 1 22:16:19 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=a6229b99
Grsec/PaX: 3.1-{3.2.69,3.14.46,4.0.7}-201506300712
{4.0.6 => 3.14.46}/0000_README | 6 +-
3.14.46/1045_linux-3.14.46.patch | 829 +++++++++++++++++++++
.../4420_grsecurity-3.1-3.14.46-201506300711.patch | 270 ++-----
{4.0.6 => 3.14.46}/4425_grsec_remove_EI_PAX.patch | 0
.../4427_force_XATTR_PAX_tmpfs.patch | 0
.../4430_grsec-remove-localversion-grsec.patch | 0
.../4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
.../4470_disable-compat_vdso.patch | 0
{4.0.6 => 3.14.46}/4475_emutramp_default_on.patch | 0
3.2.69/0000_README | 2 +-
... 4420_grsecurity-3.1-3.2.69-201506300708.patch} | 69 +-
{3.14.45 => 4.0.7}/0000_README | 6 +-
4.0.7/1006_linux-4.0.7.patch | 707 ++++++++++++++++++
.../4420_grsecurity-3.1-4.0.7-201506300712.patch | 235 ++----
{3.14.45 => 4.0.7}/4425_grsec_remove_EI_PAX.patch | 0
{4.0.6 => 4.0.7}/4427_force_XATTR_PAX_tmpfs.patch | 0
.../4430_grsec-remove-localversion-grsec.patch | 0
{4.0.6 => 4.0.7}/4435_grsec-mute-warnings.patch | 0
.../4440_grsec-remove-protected-paths.patch | 0
.../4450_grsec-kconfig-default-gids.patch | 0
.../4465_selinux-avc_audit-log-curr_ip.patch | 0
{4.0.6 => 4.0.7}/4470_disable-compat_vdso.patch | 0
{3.14.45 => 4.0.7}/4475_emutramp_default_on.patch | 0
26 files changed, 1725 insertions(+), 399 deletions(-)
diff --git a/4.0.6/0000_README b/3.14.46/0000_README
similarity index 92%
rename from 4.0.6/0000_README
rename to 3.14.46/0000_README
index 67f188e..de59c28 100644
--- a/4.0.6/0000_README
+++ b/3.14.46/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.0.6-201506272327.patch
+Patch: 1045_linux-3.14.46.patch
+From: http://www.kernel.org
+Desc: Linux 3.14.46
+
+Patch: 4420_grsecurity-3.1-3.14.46-201506300711.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.46/1045_linux-3.14.46.patch b/3.14.46/1045_linux-3.14.46.patch
new file mode 100644
index 0000000..12790dc
--- /dev/null
+++ b/3.14.46/1045_linux-3.14.46.patch
@@ -0,0 +1,829 @@
+diff --git a/Makefile b/Makefile
+index c92186c..def39fd 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 14
+-SUBLEVEL = 45
++SUBLEVEL = 46
+ EXTRAVERSION =
+ NAME = Remembering Coco
+
+diff --git a/arch/arm/include/asm/kvm_host.h b/arch/arm/include/asm/kvm_host.h
+index 09af149..530f56e 100644
+--- a/arch/arm/include/asm/kvm_host.h
++++ b/arch/arm/include/asm/kvm_host.h
+@@ -42,7 +42,7 @@
+
+ struct kvm_vcpu;
+ u32 *kvm_vcpu_reg(struct kvm_vcpu *vcpu, u8 reg_num, u32 mode);
+-int kvm_target_cpu(void);
++int __attribute_const__ kvm_target_cpu(void);
+ int kvm_reset_vcpu(struct kvm_vcpu *vcpu);
+ void kvm_reset_coprocs(struct kvm_vcpu *vcpu);
+
+diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h
+index 7b362bc..0cbdb8e 100644
+--- a/arch/arm/include/asm/kvm_mmu.h
++++ b/arch/arm/include/asm/kvm_mmu.h
+@@ -127,6 +127,18 @@ static inline void kvm_set_s2pmd_writable(pmd_t *pmd)
+ (__boundary - 1 < (end) - 1)? __boundary: (end); \
+ })
+
++static inline bool kvm_page_empty(void *ptr)
++{
++ struct page *ptr_page = virt_to_page(ptr);
++ return page_count(ptr_page) == 1;
++}
++
++
++#define kvm_pte_table_empty(ptep) kvm_page_empty(ptep)
++#define kvm_pmd_table_empty(pmdp) kvm_page_empty(pmdp)
++#define kvm_pud_table_empty(pudp) (0)
++
++
+ struct kvm;
+
+ #define kvm_flush_dcache_to_poc(a,l) __cpuc_flush_dcache_area((a), (l))
+diff --git a/arch/arm/kernel/hyp-stub.S b/arch/arm/kernel/hyp-stub.S
+index 797b1a6..7e666cf 100644
+--- a/arch/arm/kernel/hyp-stub.S
++++ b/arch/arm/kernel/hyp-stub.S
+@@ -134,9 +134,7 @@ ENTRY(__hyp_stub_install_secondary)
+ mcr p15, 4, r7, c1, c1, 3 @ HSTR
+
+ THUMB( orr r7, #(1 << 30) ) @ HSCTLR.TE
+-#ifdef CONFIG_CPU_BIG_ENDIAN
+- orr r7, #(1 << 9) @ HSCTLR.EE
+-#endif
++ARM_BE8(orr r7, r7, #(1 << 25)) @ HSCTLR.EE
+ mcr p15, 4, r7, c1, c0, 0 @ HSCTLR
+
+ mrc p15, 4, r7, c1, c1, 1 @ HDCR
+diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
+index bd18bb8..df6e75e 100644
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -82,7 +82,7 @@ struct kvm_vcpu *kvm_arm_get_running_vcpu(void)
+ /**
+ * kvm_arm_get_running_vcpus - get the per-CPU array of currently running
vcpus.
+ */
+-struct kvm_vcpu __percpu **kvm_get_running_vcpus(void)
++struct kvm_vcpu * __percpu *kvm_get_running_vcpus(void)
+ {
+ return &kvm_arm_running_vcpu;
+ }
+@@ -155,16 +155,6 @@ int kvm_arch_vcpu_fault(struct kvm_vcpu *vcpu, struct
vm_fault *vmf)
+ return VM_FAULT_SIGBUS;
+ }
+
+-void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,
+- struct kvm_memory_slot *dont)
+-{
+-}
+-
+-int kvm_arch_create_memslot(struct kvm *kvm, struct kvm_memory_slot *slot,
+- unsigned long npages)
+-{
+- return 0;
+-}
+
+ /**
+ * kvm_arch_destroy_vm - destroy the VM data structure
+@@ -224,33 +214,6 @@ long kvm_arch_dev_ioctl(struct file *filp,
+ return -EINVAL;
+ }
+
+-void kvm_arch_memslots_updated(struct kvm *kvm)
+-{
+-}
+-
+-int kvm_arch_prepare_memory_region(struct kvm *kvm,
+- struct kvm_memory_slot *memslot,
+- struct kvm_userspace_memory_region *mem,
+- enum kvm_mr_change change)
+-{
+- return 0;
+-}
+-
+-void kvm_arch_commit_memory_region(struct kvm *kvm,
+- struct kvm_userspace_memory_region *mem,
+- const struct kvm_memory_slot *old,
+- enum kvm_mr_change change)
+-{
+-}
+-
+-void kvm_arch_flush_shadow_all(struct kvm *kvm)
+-{
+-}
+-
+-void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
+- struct kvm_memory_slot *slot)
+-{
+-}
+
+ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
+ {
+diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c
+index c58a351..7c73290 100644
+--- a/arch/arm/kvm/coproc.c
++++ b/arch/arm/kvm/coproc.c
+@@ -742,7 +742,7 @@ static bool is_valid_cache(u32 val)
+ u32 level, ctype;
+
+ if (val >= CSSELR_MAX)
+- return -ENOENT;
++ return false;
+
+ /* Bottom bit is Instruction or Data bit. Next 3 bits are level. */
+ level = (val >> 1);
+diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
+index c93ef38..70ed2c1 100644
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -90,103 +90,115 @@ static void *mmu_memory_cache_alloc(struct
kvm_mmu_memory_cache *mc)
+ return p;
+ }
+
+-static bool page_empty(void *ptr)
++static void clear_pgd_entry(struct kvm *kvm, pgd_t *pgd, phys_addr_t addr)
+ {
+- struct page *ptr_page = virt_to_page(ptr);
+- return page_count(ptr_page) == 1;
++ pud_t *pud_table __maybe_unused = pud_offset(pgd, 0);
++ pgd_clear(pgd);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ pud_free(NULL, pud_table);
++ put_page(virt_to_page(pgd));
+ }
+
+ static void clear_pud_entry(struct kvm *kvm, pud_t *pud, phys_addr_t addr)
+ {
+- if (pud_huge(*pud)) {
+- pud_clear(pud);
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
+- } else {
+- pmd_t *pmd_table = pmd_offset(pud, 0);
+- pud_clear(pud);
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
+- pmd_free(NULL, pmd_table);
+- }
++ pmd_t *pmd_table = pmd_offset(pud, 0);
++ VM_BUG_ON(pud_huge(*pud));
++ pud_clear(pud);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ pmd_free(NULL, pmd_table);
+ put_page(virt_to_page(pud));
+ }
+
+ static void clear_pmd_entry(struct kvm *kvm, pmd_t *pmd, phys_addr_t addr)
+ {
+- if (kvm_pmd_huge(*pmd)) {
+- pmd_clear(pmd);
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
+- } else {
+- pte_t *pte_table = pte_offset_kernel(pmd, 0);
+- pmd_clear(pmd);
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
+- pte_free_kernel(NULL, pte_table);
+- }
++ pte_t *pte_table = pte_offset_kernel(pmd, 0);
++ VM_BUG_ON(kvm_pmd_huge(*pmd));
++ pmd_clear(pmd);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ pte_free_kernel(NULL, pte_table);
+ put_page(virt_to_page(pmd));
+ }
+
+-static void clear_pte_entry(struct kvm *kvm, pte_t *pte, phys_addr_t addr)
++static void unmap_ptes(struct kvm *kvm, pmd_t *pmd,
++ phys_addr_t addr, phys_addr_t end)
+ {
+- if (pte_present(*pte)) {
+- kvm_set_pte(pte, __pte(0));
+- put_page(virt_to_page(pte));
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
++ phys_addr_t start_addr = addr;
++ pte_t *pte, *start_pte;
++
++ start_pte = pte = pte_offset_kernel(pmd, addr);
++ do {
++ if (!pte_none(*pte)) {
++ kvm_set_pte(pte, __pte(0));
++ put_page(virt_to_page(pte));
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ }
++ } while (pte++, addr += PAGE_SIZE, addr != end);
++
++ if (kvm_pte_table_empty(start_pte))
++ clear_pmd_entry(kvm, pmd, start_addr);
+ }
+-}
+
+-static void unmap_range(struct kvm *kvm, pgd_t *pgdp,
+- unsigned long long start, u64 size)
++static void unmap_pmds(struct kvm *kvm, pud_t *pud,
++ phys_addr_t addr, phys_addr_t end)
+ {
+- pgd_t *pgd;
+- pud_t *pud;
+- pmd_t *pmd;
+- pte_t *pte;
+- unsigned long long addr = start, end = start + size;
+- u64 next;
+-
+- while (addr < end) {
+- pgd = pgdp + pgd_index(addr);
+- pud = pud_offset(pgd, addr);
+- if (pud_none(*pud)) {
+- addr = kvm_pud_addr_end(addr, end);
+- continue;
+- }
++ phys_addr_t next, start_addr = addr;
++ pmd_t *pmd, *start_pmd;
+
+- if (pud_huge(*pud)) {
+- /*
+- * If we are dealing with a huge pud, just clear it and
+- * move on.
+- */
+- clear_pud_entry(kvm, pud, addr);
+- addr = kvm_pud_addr_end(addr, end);
+- continue;
++ start_pmd = pmd = pmd_offset(pud, addr);
++ do {
++ next = kvm_pmd_addr_end(addr, end);
++ if (!pmd_none(*pmd)) {
++ if (kvm_pmd_huge(*pmd)) {
++ pmd_clear(pmd);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ put_page(virt_to_page(pmd));
++ } else {
++ unmap_ptes(kvm, pmd, addr, next);
++ }
+ }
++ } while (pmd++, addr = next, addr != end);
+
+- pmd = pmd_offset(pud, addr);
+- if (pmd_none(*pmd)) {
+- addr = kvm_pmd_addr_end(addr, end);
+- continue;
+- }
++ if (kvm_pmd_table_empty(start_pmd))
++ clear_pud_entry(kvm, pud, start_addr);
++}
+
+- if (!kvm_pmd_huge(*pmd)) {
+- pte = pte_offset_kernel(pmd, addr);
+- clear_pte_entry(kvm, pte, addr);
+- next = addr + PAGE_SIZE;
+- }
++static void unmap_puds(struct kvm *kvm, pgd_t *pgd,
++ phys_addr_t addr, phys_addr_t end)
++{
++ phys_addr_t next, start_addr = addr;
++ pud_t *pud, *start_pud;
+
+- /*
+- * If the pmd entry is to be cleared, walk back up the ladder
+- */
+- if (kvm_pmd_huge(*pmd) || page_empty(pte)) {
+- clear_pmd_entry(kvm, pmd, addr);
+- next = kvm_pmd_addr_end(addr, end);
+- if (page_empty(pmd) && !page_empty(pud)) {
+- clear_pud_entry(kvm, pud, addr);
+- next = kvm_pud_addr_end(addr, end);
++ start_pud = pud = pud_offset(pgd, addr);
++ do {
++ next = kvm_pud_addr_end(addr, end);
++ if (!pud_none(*pud)) {
++ if (pud_huge(*pud)) {
++ pud_clear(pud);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ put_page(virt_to_page(pud));
++ } else {
++ unmap_pmds(kvm, pud, addr, next);
+ }
+ }
++ } while (pud++, addr = next, addr != end);
+
+- addr = next;
+- }
++ if (kvm_pud_table_empty(start_pud))
++ clear_pgd_entry(kvm, pgd, start_addr);
++}
++
++
++static void unmap_range(struct kvm *kvm, pgd_t *pgdp,
++ phys_addr_t start, u64 size)
++{
++ pgd_t *pgd;
++ phys_addr_t addr = start, end = start + size;
++ phys_addr_t next;
++
++ pgd = pgdp + pgd_index(addr);
++ do {
++ next = kvm_pgd_addr_end(addr, end);
++ unmap_puds(kvm, pgd, addr, next);
++ } while (pgd++, addr = next, addr != end);
+ }
+
+ static void stage2_flush_ptes(struct kvm *kvm, pmd_t *pmd,
+@@ -747,6 +759,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
+ struct kvm_mmu_memory_cache *memcache = &vcpu->arch.mmu_page_cache;
+ struct vm_area_struct *vma;
+ pfn_t pfn;
++ pgprot_t mem_type = PAGE_S2;
+
+ write_fault = kvm_is_write_fault(kvm_vcpu_get_hsr(vcpu));
+ if (fault_status == FSC_PERM && !write_fault) {
+@@ -797,6 +810,9 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
+ if (is_error_pfn(pfn))
+ return -EFAULT;
+
++ if (kvm_is_mmio_pfn(pfn))
++ mem_type = PAGE_S2_DEVICE;
++
+ spin_lock(&kvm->mmu_lock);
+ if (mmu_notifier_retry(kvm, mmu_seq))
+ goto out_unlock;
+@@ -804,7 +820,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
+ hugetlb = transparent_hugepage_adjust(&pfn, &fault_ipa);
+
+ if (hugetlb) {
+- pmd_t new_pmd = pfn_pmd(pfn, PAGE_S2);
++ pmd_t new_pmd = pfn_pmd(pfn, mem_type);
+ new_pmd = pmd_mkhuge(new_pmd);
+ if (writable) {
+ kvm_set_s2pmd_writable(&new_pmd);
+@@ -813,13 +829,14 @@ static int user_mem_abort(struct kvm_vcpu *vcpu,
phys_addr_t fault_ipa,
+ coherent_cache_guest_page(vcpu, hva & PMD_MASK, PMD_SIZE);
+ ret = stage2_set_pmd_huge(kvm, memcache, fault_ipa, &new_pmd);
+ } else {
+- pte_t new_pte = pfn_pte(pfn, PAGE_S2);
++ pte_t new_pte = pfn_pte(pfn, mem_type);
+ if (writable) {
+ kvm_set_s2pte_writable(&new_pte);
+ kvm_set_pfn_dirty(pfn);
+ }
+ coherent_cache_guest_page(vcpu, hva, PAGE_SIZE);
+- ret = stage2_set_pte(kvm, memcache, fault_ipa, &new_pte, false);
++ ret = stage2_set_pte(kvm, memcache, fault_ipa, &new_pte,
++ mem_type == PAGE_S2_DEVICE);
+ }
+
+
+@@ -1099,3 +1116,49 @@ out:
+ free_hyp_pgds();
+ return err;
+ }
++
++void kvm_arch_commit_memory_region(struct kvm *kvm,
++ struct kvm_userspace_memory_region *mem,
++ const struct kvm_memory_slot *old,
++ enum kvm_mr_change change)
++{
++ gpa_t gpa = old->base_gfn << PAGE_SHIFT;
++ phys_addr_t size = old->npages << PAGE_SHIFT;
++ if (change == KVM_MR_DELETE || change == KVM_MR_MOVE) {
++ spin_lock(&kvm->mmu_lock);
++ unmap_stage2_range(kvm, gpa, size);
++ spin_unlock(&kvm->mmu_lock);
++ }
++}
++
++int kvm_arch_prepare_memory_region(struct kvm *kvm,
++ struct kvm_memory_slot *memslot,
++ struct kvm_userspace_memory_region *mem,
++ enum kvm_mr_change change)
++{
++ return 0;
++}
++
++void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,
++ struct kvm_memory_slot *dont)
++{
++}
++
++int kvm_arch_create_memslot(struct kvm *kvm, struct kvm_memory_slot *slot,
++ unsigned long npages)
++{
++ return 0;
++}
++
++void kvm_arch_memslots_updated(struct kvm *kvm)
++{
++}
++
++void kvm_arch_flush_shadow_all(struct kvm *kvm)
++{
++}
++
++void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
++ struct kvm_memory_slot *slot)
++{
++}
+diff --git a/arch/arm64/include/asm/kvm_host.h
b/arch/arm64/include/asm/kvm_host.h
+index 0a1d697..3fb0946 100644
+--- a/arch/arm64/include/asm/kvm_host.h
++++ b/arch/arm64/include/asm/kvm_host.h
+@@ -42,7 +42,7 @@
+ #define KVM_VCPU_MAX_FEATURES 2
+
+ struct kvm_vcpu;
+-int kvm_target_cpu(void);
++int __attribute_const__ kvm_target_cpu(void);
+ int kvm_reset_vcpu(struct kvm_vcpu *vcpu);
+ int kvm_arch_dev_ioctl_check_extension(long ext);
+
+@@ -177,7 +177,7 @@ static inline int kvm_test_age_hva(struct kvm *kvm,
unsigned long hva)
+ }
+
+ struct kvm_vcpu *kvm_arm_get_running_vcpu(void);
+-struct kvm_vcpu __percpu **kvm_get_running_vcpus(void);
++struct kvm_vcpu * __percpu *kvm_get_running_vcpus(void);
+
+ u64 kvm_call_hyp(void *hypfn, ...);
+
+diff --git a/arch/arm64/include/asm/kvm_mmu.h
b/arch/arm64/include/asm/kvm_mmu.h
+index 7d29847..8e138c7 100644
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -125,6 +125,21 @@ static inline void kvm_set_s2pmd_writable(pmd_t *pmd)
+ #define kvm_pud_addr_end(addr, end) pud_addr_end(addr, end)
+ #define kvm_pmd_addr_end(addr, end) pmd_addr_end(addr, end)
+
++static inline bool kvm_page_empty(void *ptr)
++{
++ struct page *ptr_page = virt_to_page(ptr);
++ return page_count(ptr_page) == 1;
++}
++
++#define kvm_pte_table_empty(ptep) kvm_page_empty(ptep)
++#ifndef CONFIG_ARM64_64K_PAGES
++#define kvm_pmd_table_empty(pmdp) kvm_page_empty(pmdp)
++#else
++#define kvm_pmd_table_empty(pmdp) (0)
++#endif
++#define kvm_pud_table_empty(pudp) (0)
++
++
+ struct kvm;
+
+ #define kvm_flush_dcache_to_poc(a,l) __flush_dcache_area((a), (l))
+diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S
+index b0d1512..5dfc8331 100644
+--- a/arch/arm64/kvm/hyp.S
++++ b/arch/arm64/kvm/hyp.S
+@@ -830,7 +830,7 @@ el1_trap:
+ mrs x2, far_el2
+
+ 2: mrs x0, tpidr_el2
+- str x1, [x0, #VCPU_ESR_EL2]
++ str w1, [x0, #VCPU_ESR_EL2]
+ str x2, [x0, #VCPU_FAR_EL2]
+ str x3, [x0, #VCPU_HPFAR_EL2]
+
+diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
+index 0324458..7691b25 100644
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -836,7 +836,7 @@ static bool is_valid_cache(u32 val)
+ u32 level, ctype;
+
+ if (val >= CSSELR_MAX)
+- return -ENOENT;
++ return false;
+
+ /* Bottom bit is Instruction or Data bit. Next 3 bits are level. */
+ level = (val >> 1);
+@@ -962,7 +962,7 @@ static unsigned int num_demux_regs(void)
+
+ static int write_demux_regids(u64 __user *uindices)
+ {
+- u64 val = KVM_REG_ARM | KVM_REG_SIZE_U32 | KVM_REG_ARM_DEMUX;
++ u64 val = KVM_REG_ARM64 | KVM_REG_SIZE_U32 | KVM_REG_ARM_DEMUX;
+ unsigned int i;
+
+ val |= KVM_REG_ARM_DEMUX_ID_CCSIDR;
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index 26b03e1..8ff2b3c 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -79,6 +79,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x0489, 0xe057) },
+ { USB_DEVICE(0x0489, 0xe056) },
+ { USB_DEVICE(0x0489, 0xe05f) },
++ { USB_DEVICE(0x0489, 0xe076) },
+ { USB_DEVICE(0x0489, 0xe078) },
+ { USB_DEVICE(0x04c5, 0x1330) },
+ { USB_DEVICE(0x04CA, 0x3004) },
+@@ -109,6 +110,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x13d3, 0x3402) },
+ { USB_DEVICE(0x13d3, 0x3408) },
+ { USB_DEVICE(0x13d3, 0x3432) },
++ { USB_DEVICE(0x13d3, 0x3474) },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE02C) },
+@@ -133,6 +135,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+@@ -163,6 +166,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU22 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 9eb1669..c0e7a9aa9 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -157,6 +157,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+@@ -187,6 +188,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
+diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
+index 28486b1..ae6dae8 100644
+--- a/drivers/crypto/caam/caamrng.c
++++ b/drivers/crypto/caam/caamrng.c
+@@ -56,7 +56,7 @@
+
+ /* Buffer, its dma address and lock */
+ struct buf_data {
+- u8 buf[RN_BUF_SIZE];
++ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
+ dma_addr_t addr;
+ struct completion filled;
+ u32 hw_desc[DESC_JOB_O_LEN];
+diff --git a/drivers/gpu/drm/mgag200/mgag200_mode.c
b/drivers/gpu/drm/mgag200/mgag200_mode.c
+index 9683747..f2511a0 100644
+--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
+@@ -1529,6 +1529,11 @@ static int mga_vga_mode_valid(struct drm_connector
*connector,
+ return MODE_BANDWIDTH;
+ }
+
++ if ((mode->hdisplay % 8) != 0 || (mode->hsync_start % 8) != 0 ||
++ (mode->hsync_end % 8) != 0 || (mode->htotal % 8) != 0) {
++ return MODE_H_ILLEGAL;
++ }
++
+ if (mode->crtc_hdisplay > 2048 || mode->crtc_hsync_start > 4096 ||
+ mode->crtc_hsync_end > 4096 || mode->crtc_htotal > 4096 ||
+ mode->crtc_vdisplay > 2048 || mode->crtc_vsync_start > 4096 ||
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 8f580fd..ce21132 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -265,6 +265,16 @@ lpfc_sli4_eq_get(struct lpfc_queue *q)
+ return NULL;
+
+ q->hba_index = idx;
++
++ /*
++ * insert barrier for instruction interlock : data from the hardware
++ * must have the valid bit checked before it can be copied and acted
++ * upon. Given what was seen in lpfc_sli4_cq_get() of speculative
++ * instructions allowing action on content before valid bit checked,
++ * add barrier here as well. May not be needed as "content" is a
++ * single 32-bit entity here (vs multi word structure for cq's).
++ */
++ mb();
+ return eqe;
+ }
+
+@@ -370,6 +380,17 @@ lpfc_sli4_cq_get(struct lpfc_queue *q)
+
+ cqe = q->qe[q->hba_index].cqe;
+ q->hba_index = idx;
++
++ /*
++ * insert barrier for instruction interlock : data from the hardware
++ * must have the valid bit checked before it can be copied and acted
++ * upon. Speculative instructions were allowing a bcopy at the start
++ * of lpfc_sli4_fp_handle_wcqe(), which is called immediately
++ * after our return, to copy data before the valid bit check above
++ * was done. As such, some of the copied data was stale. The barrier
++ * ensures the check is before any data is copied.
++ */
++ mb();
+ return cqe;
+ }
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 78fd0d0..46f1ab2 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -117,25 +117,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
+ }
+
+ static int
+-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+- int atomic)
++pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
++ size_t *remaining, int atomic)
+ {
+ unsigned long copy;
+
+- while (len > 0) {
++ while (*remaining > 0) {
+ while (!iov->iov_len)
+ iov++;
+- copy = min_t(unsigned long, len, iov->iov_len);
++ copy = min_t(unsigned long, *remaining, iov->iov_len);
+
+ if (atomic) {
+- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
++ if (__copy_from_user_inatomic(addr + *offset,
++ iov->iov_base, copy))
+ return -EFAULT;
+ } else {
+- if (copy_from_user(to, iov->iov_base, copy))
++ if (copy_from_user(addr + *offset,
++ iov->iov_base, copy))
+ return -EFAULT;
+ }
+- to += copy;
+- len -= copy;
++ *offset += copy;
++ *remaining -= copy;
+ iov->iov_base += copy;
+ iov->iov_len -= copy;
+ }
+@@ -143,25 +145,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov,
unsigned long len,
+ }
+
+ static int
+-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+- int atomic)
++pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
++ size_t *remaining, int atomic)
+ {
+ unsigned long copy;
+
+- while (len > 0) {
++ while (*remaining > 0) {
+ while (!iov->iov_len)
+ iov++;
+- copy = min_t(unsigned long, len, iov->iov_len);
++ copy = min_t(unsigned long, *remaining, iov->iov_len);
+
+ if (atomic) {
+- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
++ if (__copy_to_user_inatomic(iov->iov_base,
++ addr + *offset, copy))
+ return -EFAULT;
+ } else {
+- if (copy_to_user(iov->iov_base, from, copy))
++ if (copy_to_user(iov->iov_base,
++ addr + *offset, copy))
+ return -EFAULT;
+ }
+- from += copy;
+- len -= copy;
++ *offset += copy;
++ *remaining -= copy;
+ iov->iov_base += copy;
+ iov->iov_len -= copy;
+ }
+@@ -395,7 +399,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ struct pipe_buffer *buf = pipe->bufs + curbuf;
+ const struct pipe_buf_operations *ops = buf->ops;
+ void *addr;
+- size_t chars = buf->len;
++ size_t chars = buf->len, remaining;
+ int error, atomic;
+
+ if (chars > total_len)
+@@ -409,9 +413,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ }
+
+ atomic = !iov_fault_in_pages_write(iov, chars);
++ remaining = chars;
+ redo:
+ addr = ops->map(pipe, buf, atomic);
+- error = pipe_iov_copy_to_user(iov, addr + buf->offset,
chars, atomic);
++ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++ &remaining, atomic);
+ ops->unmap(pipe, buf, addr);
+ if (unlikely(error)) {
+ /*
+@@ -426,7 +432,6 @@ redo:
+ break;
+ }
+ ret += chars;
+- buf->offset += chars;
+ buf->len -= chars;
+
+ /* Was it a packet buffer? Clean up and exit */
+@@ -531,6 +536,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ if (ops->can_merge && offset + chars <= PAGE_SIZE) {
+ int error, atomic = 1;
+ void *addr;
++ size_t remaining = chars;
+
+ error = ops->confirm(pipe, buf);
+ if (error)
+@@ -539,8 +545,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ iov_fault_in_pages_read(iov, chars);
+ redo1:
+ addr = ops->map(pipe, buf, atomic);
+- error = pipe_iov_copy_from_user(offset + addr, iov,
+- chars, atomic);
++ error = pipe_iov_copy_from_user(addr, &offset, iov,
++ &remaining, atomic);
+ ops->unmap(pipe, buf, addr);
+ ret = error;
+ do_wakeup = 1;
+@@ -575,6 +581,8 @@ redo1:
+ struct page *page = pipe->tmp_page;
+ char *src;
+ int error, atomic = 1;
++ int offset = 0;
++ size_t remaining;
+
+ if (!page) {
+ page = alloc_page(GFP_HIGHUSER);
+@@ -595,14 +603,15 @@ redo1:
+ chars = total_len;
+
+ iov_fault_in_pages_read(iov, chars);
++ remaining = chars;
+ redo2:
+ if (atomic)
+ src = kmap_atomic(page);
+ else
+ src = kmap(page);
+
+- error = pipe_iov_copy_from_user(src, iov, chars,
+- atomic);
++ error = pipe_iov_copy_from_user(src, &offset, iov,
++ &remaining, atomic);
+ if (atomic)
+ kunmap_atomic(src);
+ else
+diff --git a/kernel/trace/trace_events_filter.c
b/kernel/trace/trace_events_filter.c
+index 8a86319..cb347e8 100644
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1399,19 +1399,24 @@ static int check_preds(struct filter_parse_state *ps)
+ {
+ int n_normal_preds = 0, n_logical_preds = 0;
+ struct postfix_elt *elt;
++ int cnt = 0;
+
+ list_for_each_entry(elt, &ps->postfix, list) {
+- if (elt->op == OP_NONE)
++ if (elt->op == OP_NONE) {
++ cnt++;
+ continue;
++ }
+
++ cnt--;
+ if (elt->op == OP_AND || elt->op == OP_OR) {
+ n_logical_preds++;
+ continue;
+ }
+ n_normal_preds++;
++ WARN_ON_ONCE(cnt < 0);
+ }
+
+- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
++ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
+ parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
+ return -EINVAL;
+ }
+diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c
+index 4eec2d4..1316e55 100644
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -1654,7 +1654,7 @@ out:
+ return ret;
+ }
+
+-static bool vgic_ioaddr_overlap(struct kvm *kvm)
++static int vgic_ioaddr_overlap(struct kvm *kvm)
+ {
+ phys_addr_t dist = kvm->arch.vgic.vgic_dist_base;
+ phys_addr_t cpu = kvm->arch.vgic.vgic_cpu_base;
diff --git a/3.14.45/4420_grsecurity-3.1-3.14.45-201506262046.patch
b/3.14.46/4420_grsecurity-3.1-3.14.46-201506300711.patch
similarity index 99%
rename from 3.14.45/4420_grsecurity-3.1-3.14.45-201506262046.patch
rename to 3.14.46/4420_grsecurity-3.1-3.14.46-201506300711.patch
index 47c91dd..008971f 100644
--- a/3.14.45/4420_grsecurity-3.1-3.14.45-201506262046.patch
+++ b/3.14.46/4420_grsecurity-3.1-3.14.46-201506300711.patch
@@ -295,7 +295,7 @@ index 5d91ba1..ef1d374 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index c92186c..34822ca 100644
+index def39fd..4636aea 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo
$$BASH; \
@@ -3307,7 +3307,7 @@ index 7bcee5c..e2f3249 100644
__data_loc = .;
#endif
diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
-index bd18bb8..2bf342f 100644
+index df6e75e..1858aa0 100644
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
@@ -3319,7 +3319,7 @@ index bd18bb8..2bf342f 100644
static u8 kvm_next_vmid;
static DEFINE_SPINLOCK(kvm_vmid_lock);
-@@ -408,7 +408,7 @@ void force_vm_exit(const cpumask_t *mask)
+@@ -371,7 +371,7 @@ void force_vm_exit(const cpumask_t *mask)
*/
static bool need_new_vmid_gen(struct kvm *kvm)
{
@@ -3328,7 +3328,7 @@ index bd18bb8..2bf342f 100644
}
/**
-@@ -441,7 +441,7 @@ static void update_vttbr(struct kvm *kvm)
+@@ -404,7 +404,7 @@ static void update_vttbr(struct kvm *kvm)
/* First user of a new VMID generation? */
if (unlikely(kvm_next_vmid == 0)) {
@@ -3337,7 +3337,7 @@ index bd18bb8..2bf342f 100644
kvm_next_vmid = 1;
/*
-@@ -458,7 +458,7 @@ static void update_vttbr(struct kvm *kvm)
+@@ -421,7 +421,7 @@ static void update_vttbr(struct kvm *kvm)
kvm_call_hyp(__kvm_flush_vm_context);
}
@@ -3346,7 +3346,7 @@ index bd18bb8..2bf342f 100644
kvm->arch.vmid = kvm_next_vmid;
kvm_next_vmid++;
-@@ -1033,7 +1033,7 @@ static void check_kvm_target_cpu(void *ret)
+@@ -996,7 +996,7 @@ static void check_kvm_target_cpu(void *ret)
/**
* Initialize Hyp-mode and memory mappings on all CPUs.
*/
@@ -17263,7 +17263,7 @@ index 5f55e69..e20bfb1 100644
#ifdef CONFIG_SMP
diff --git a/arch/x86/include/asm/mmu_context.h
b/arch/x86/include/asm/mmu_context.h
-index be12c53..4d24039 100644
+index be12c53..e1f11c6 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -24,6 +24,20 @@ void destroy_context(struct mm_struct *mm);
@@ -17355,9 +17355,9 @@ index be12c53..4d24039 100644
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) &&
defined(CONFIG_SMP)
+ if (!(__supported_pte_mask & _PAGE_NX)) {
+ smp_mb__before_clear_bit();
-+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
++ cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask);
+ smp_mb__after_clear_bit();
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
+ }
+#endif
+
@@ -17429,7 +17429,7 @@ index be12c53..4d24039 100644
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+ if (!(__supported_pte_mask & _PAGE_NX))
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu,
&next->context.cpu_user_cs_mask);
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) ||
defined(CONFIG_PAX_SEGMEXEC))
@@ -26015,7 +26015,7 @@ index c2bedae..25e7ab60 100644
.name = "data",
.mode = S_IRUGO,
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index c37886d..d851d32 100644
+index c37886d..3f425e3 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int
reload)
@@ -26057,7 +26057,7 @@ index c37886d..d851d32 100644
+ mm->context.user_cs_limit = ~0UL;
+
+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
-+ cpus_clear(mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
+#endif
+
+#endif
@@ -31983,7 +31983,7 @@ index 903ec1e..c4166b2 100644
}
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index ebc551c..40d1269 100644
+index ebc551c..bb37882 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -14,11 +14,18 @@
@@ -32288,7 +32288,7 @@ index ebc551c..40d1269 100644
+ }
+
+#ifdef CONFIG_SMP
-+ if (likely(address > get_limit(regs->cs) &&
cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
++ if (likely(address > get_limit(regs->cs) &&
cpumask_test_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask)))
+#else
+ if (likely(address > get_limit(regs->cs)))
+#endif
@@ -40653,19 +40653,6 @@ index d97a03d..acf64bb 100644
return 0;
}
-diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
-index 28486b1..ae6dae8 100644
---- a/drivers/crypto/caam/caamrng.c
-+++ b/drivers/crypto/caam/caamrng.c
-@@ -56,7 +56,7 @@
-
- /* Buffer, its dma address and lock */
- struct buf_data {
-- u8 buf[RN_BUF_SIZE];
-+ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
- dma_addr_t addr;
- struct completion filled;
- u32 hw_desc[DESC_JOB_O_LEN];
diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c
index 12fea3e2..1e28f47 100644
--- a/drivers/crypto/hifn_795x.c
@@ -73032,7 +73019,7 @@ index 17679f2..85f4981 100644
}
putname(tmp);
diff --git a/fs/pipe.c b/fs/pipe.c
-index 78fd0d0..e829d3e 100644
+index 46f1ab2..e829d3e 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -37,7 +37,7 @@ unsigned int pipe_max_size = 1048576;
@@ -73062,109 +73049,7 @@ index 78fd0d0..e829d3e 100644
mutex_unlock(&pipe->mutex);
}
EXPORT_SYMBOL(pipe_unlock);
-@@ -117,25 +117,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
- }
-
- static int
--pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
-- int atomic)
-+pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
-+ if (__copy_from_user_inatomic(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- } else {
-- if (copy_from_user(to, iov->iov_base, copy))
-+ if (copy_from_user(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- }
-- to += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -143,25 +145,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov,
unsigned long len,
- }
-
- static int
--pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
-- int atomic)
-+pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
-+ if (__copy_to_user_inatomic(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- } else {
-- if (copy_to_user(iov->iov_base, from, copy))
-+ if (copy_to_user(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- }
-- from += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -395,7 +399,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- struct pipe_buffer *buf = pipe->bufs + curbuf;
- const struct pipe_buf_operations *ops = buf->ops;
- void *addr;
-- size_t chars = buf->len;
-+ size_t chars = buf->len, remaining;
- int error, atomic;
-
- if (chars > total_len)
-@@ -409,9 +413,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- }
-
- atomic = !iov_fault_in_pages_write(iov, chars);
-+ remaining = chars;
- redo:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_to_user(iov, addr + buf->offset,
chars, atomic);
-+ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- if (unlikely(error)) {
- /*
-@@ -426,7 +432,6 @@ redo:
- break;
- }
- ret += chars;
-- buf->offset += chars;
- buf->len -= chars;
-
- /* Was it a packet buffer? Clean up and exit */
-@@ -449,9 +454,9 @@ redo:
+@@ -454,9 +454,9 @@ redo:
}
if (bufs) /* More to do? */
continue;
@@ -73176,7 +73061,7 @@ index 78fd0d0..e829d3e 100644
/* syscall merging: Usually we must not sleep
* if O_NONBLOCK is set, or if we got some data.
* But if a writer sleeps in kernel space, then
-@@ -513,7 +518,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+@@ -518,7 +518,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
ret = 0;
__pipe_lock(pipe);
@@ -73185,26 +73070,7 @@ index 78fd0d0..e829d3e 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
goto out;
-@@ -531,6 +536,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
- if (ops->can_merge && offset + chars <= PAGE_SIZE) {
- int error, atomic = 1;
- void *addr;
-+ size_t remaining = chars;
-
- error = ops->confirm(pipe, buf);
- if (error)
-@@ -539,8 +545,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
- iov_fault_in_pages_read(iov, chars);
- redo1:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_from_user(offset + addr, iov,
-- chars, atomic);
-+ error = pipe_iov_copy_from_user(addr, &offset, iov,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- ret = error;
- do_wakeup = 1;
-@@ -562,7 +568,7 @@ redo1:
+@@ -568,7 +568,7 @@ redo1:
for (;;) {
int bufs;
@@ -73213,34 +73079,7 @@ index 78fd0d0..e829d3e 100644
send_sig(SIGPIPE, current, 0);
if (!ret)
ret = -EPIPE;
-@@ -575,6 +581,8 @@ redo1:
- struct page *page = pipe->tmp_page;
- char *src;
- int error, atomic = 1;
-+ int offset = 0;
-+ size_t remaining;
-
- if (!page) {
- page = alloc_page(GFP_HIGHUSER);
-@@ -595,14 +603,15 @@ redo1:
- chars = total_len;
-
- iov_fault_in_pages_read(iov, chars);
-+ remaining = chars;
- redo2:
- if (atomic)
- src = kmap_atomic(page);
- else
- src = kmap(page);
-
-- error = pipe_iov_copy_from_user(src, iov, chars,
-- atomic);
-+ error = pipe_iov_copy_from_user(src, &offset, iov,
-+ &remaining, atomic);
- if (atomic)
- kunmap_atomic(src);
- else
-@@ -653,9 +662,9 @@ redo2:
+@@ -662,9 +662,9 @@ redo2:
kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
do_wakeup = 0;
}
@@ -73252,7 +73091,7 @@ index 78fd0d0..e829d3e 100644
}
out:
__pipe_unlock(pipe);
-@@ -710,7 +719,7 @@ pipe_poll(struct file *filp, poll_table *wait)
+@@ -719,7 +719,7 @@ pipe_poll(struct file *filp, poll_table *wait)
mask = 0;
if (filp->f_mode & FMODE_READ) {
mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
@@ -73261,7 +73100,7 @@ index 78fd0d0..e829d3e 100644
mask |= POLLHUP;
}
-@@ -720,7 +729,7 @@ pipe_poll(struct file *filp, poll_table *wait)
+@@ -729,7 +729,7 @@ pipe_poll(struct file *filp, poll_table *wait)
* Most Unices do not set POLLERR for FIFOs but on Linux they
* behave exactly like pipes for poll().
*/
@@ -73270,7 +73109,7 @@ index 78fd0d0..e829d3e 100644
mask |= POLLERR;
}
-@@ -732,7 +741,7 @@ static void put_pipe_info(struct inode *inode, struct
pipe_inode_info *pipe)
+@@ -741,7 +741,7 @@ static void put_pipe_info(struct inode *inode, struct
pipe_inode_info *pipe)
int kill = 0;
spin_lock(&inode->i_lock);
@@ -73279,7 +73118,7 @@ index 78fd0d0..e829d3e 100644
inode->i_pipe = NULL;
kill = 1;
}
-@@ -749,11 +758,11 @@ pipe_release(struct inode *inode, struct file *file)
+@@ -758,11 +758,11 @@ pipe_release(struct inode *inode, struct file *file)
__pipe_lock(pipe);
if (file->f_mode & FMODE_READ)
@@ -73294,7 +73133,7 @@ index 78fd0d0..e829d3e 100644
wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT |
POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
-@@ -818,7 +827,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
+@@ -827,7 +827,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
kfree(pipe);
}
@@ -73303,7 +73142,7 @@ index 78fd0d0..e829d3e 100644
/*
* pipefs_dname() is called from d_path().
-@@ -848,8 +857,9 @@ static struct inode * get_pipe_inode(void)
+@@ -857,8 +857,9 @@ static struct inode * get_pipe_inode(void)
goto fail_iput;
inode->i_pipe = pipe;
@@ -73315,7 +73154,7 @@ index 78fd0d0..e829d3e 100644
inode->i_fop = &pipefifo_fops;
/*
-@@ -1028,17 +1038,17 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -1037,17 +1038,17 @@ static int fifo_open(struct inode *inode, struct file
*filp)
spin_lock(&inode->i_lock);
if (inode->i_pipe) {
pipe = inode->i_pipe;
@@ -73336,7 +73175,7 @@ index 78fd0d0..e829d3e 100644
spin_unlock(&inode->i_lock);
free_pipe_info(pipe);
pipe = inode->i_pipe;
-@@ -1063,10 +1073,10 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -1072,10 +1073,10 @@ static int fifo_open(struct inode *inode, struct file
*filp)
* opened, even when there is no process writing the FIFO.
*/
pipe->r_counter++;
@@ -73349,7 +73188,7 @@ index 78fd0d0..e829d3e 100644
if ((filp->f_flags & O_NONBLOCK)) {
/* suppress POLLHUP until we have
* seen a writer */
-@@ -1085,14 +1095,14 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -1094,14 +1095,14 @@ static int fifo_open(struct inode *inode, struct file
*filp)
* errno=ENXIO when there is no process reading the FIFO.
*/
ret = -ENXIO;
@@ -73367,7 +73206,7 @@ index 78fd0d0..e829d3e 100644
if (wait_for_partner(pipe, &pipe->r_counter))
goto err_wr;
}
-@@ -1106,11 +1116,11 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -1115,11 +1116,11 @@ static int fifo_open(struct inode *inode, struct file
*filp)
* the process can at least talk to itself.
*/
@@ -73382,7 +73221,7 @@ index 78fd0d0..e829d3e 100644
wake_up_partner(pipe);
break;
-@@ -1124,13 +1134,13 @@ static int fifo_open(struct inode *inode, struct file
*filp)
+@@ -1133,13 +1134,13 @@ static int fifo_open(struct inode *inode, struct file
*filp)
return 0;
err_rd:
@@ -73398,7 +73237,7 @@ index 78fd0d0..e829d3e 100644
wake_up_interruptible(&pipe->wait);
ret = -ERESTARTSYS;
goto err;
-@@ -1208,7 +1218,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe,
unsigned long nr_pages)
+@@ -1217,7 +1218,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe,
unsigned long nr_pages)
* Currently we rely on the pipe array holding a power-of-2 number
* of pages.
*/
@@ -73407,7 +73246,7 @@ index 78fd0d0..e829d3e 100644
{
unsigned long nr_pages;
-@@ -1256,13 +1266,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd,
unsigned long arg)
+@@ -1265,13 +1266,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd,
unsigned long arg)
switch (cmd) {
case F_SETPIPE_SZ: {
@@ -103316,22 +103155,31 @@ index c6646a5..574b47c 100644
/* Add an additional event_call dynamically */
diff --git a/kernel/trace/trace_events_filter.c
b/kernel/trace/trace_events_filter.c
-index 8a86319..32ef21b 100644
+index cb347e8..0adf74e 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
-@@ -1399,19 +1399,27 @@ static int check_preds(struct filter_parse_state *ps)
+@@ -1086,6 +1086,9 @@ static void parse_init(struct filter_parse_state *ps,
+
+ static char infix_next(struct filter_parse_state *ps)
{
- int n_normal_preds = 0, n_logical_preds = 0;
- struct postfix_elt *elt;
-+ int cnt = 0;
++ if (!ps->infix.cnt)
++ return 0;
++
+ ps->infix.cnt--;
- list_for_each_entry(elt, &ps->postfix, list) {
-- if (elt->op == OP_NONE)
-+ if (elt->op == OP_NONE) {
-+ cnt++;
- continue;
-+ }
+ return ps->infix.string[ps->infix.tail++];
+@@ -1101,6 +1104,9 @@ static char infix_peek(struct filter_parse_state *ps)
+ static void infix_advance(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return;
++
+ ps->infix.cnt--;
+ ps->infix.tail++;
+ }
+@@ -1410,8 +1416,12 @@ static int check_preds(struct filter_parse_state *ps)
+ cnt--;
if (elt->op == OP_AND || elt->op == OP_OR) {
n_logical_preds++;
+ cnt--;
@@ -103341,13 +103189,7 @@ index 8a86319..32ef21b 100644
+ // a reject here when it's backported
+ cnt--;
n_normal_preds++;
-+ WARN_ON_ONCE(cnt < 0);
- }
-
-- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
-+ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
- parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
- return -EINVAL;
+ WARN_ON_ONCE(cnt < 0);
}
diff --git a/kernel/trace/trace_functions_graph.c
b/kernel/trace/trace_functions_graph.c
index 0b99120..881174f 100644
@@ -107266,7 +107108,7 @@ index d4c97ba..916b1d4 100644
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
diff --git a/mm/mprotect.c b/mm/mprotect.c
-index 769a67a..414d24f 100644
+index 769a67a..c99f865 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -24,10 +24,18 @@
@@ -107315,8 +107157,8 @@ index 769a67a..414d24f 100644
+
+#ifdef CONFIG_SMP
+ wmb();
-+ cpus_clear(mm->context.cpu_user_cs_mask);
-+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
++ cpumask_set_cpu(smp_processor_id(),
&mm->context.cpu_user_cs_mask);
+#endif
+
+ set_user_cs(mm->context.user_cs_base,
mm->context.user_cs_limit, smp_processor_id());
diff --git a/4.0.6/4425_grsec_remove_EI_PAX.patch
b/3.14.46/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 4.0.6/4425_grsec_remove_EI_PAX.patch
rename to 3.14.46/4425_grsec_remove_EI_PAX.patch
diff --git a/3.14.45/4427_force_XATTR_PAX_tmpfs.patch
b/3.14.46/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 3.14.45/4427_force_XATTR_PAX_tmpfs.patch
rename to 3.14.46/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.0.6/4430_grsec-remove-localversion-grsec.patch
b/3.14.46/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 4.0.6/4430_grsec-remove-localversion-grsec.patch
rename to 3.14.46/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.45/4435_grsec-mute-warnings.patch
b/3.14.46/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.14.45/4435_grsec-mute-warnings.patch
rename to 3.14.46/4435_grsec-mute-warnings.patch
diff --git a/4.0.6/4440_grsec-remove-protected-paths.patch
b/3.14.46/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 4.0.6/4440_grsec-remove-protected-paths.patch
rename to 3.14.46/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.45/4450_grsec-kconfig-default-gids.patch
b/3.14.46/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 3.14.45/4450_grsec-kconfig-default-gids.patch
rename to 3.14.46/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.45/4465_selinux-avc_audit-log-curr_ip.patch
b/3.14.46/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 3.14.45/4465_selinux-avc_audit-log-curr_ip.patch
rename to 3.14.46/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.45/4470_disable-compat_vdso.patch
b/3.14.46/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.14.45/4470_disable-compat_vdso.patch
rename to 3.14.46/4470_disable-compat_vdso.patch
diff --git a/4.0.6/4475_emutramp_default_on.patch
b/3.14.46/4475_emutramp_default_on.patch
similarity index 100%
rename from 4.0.6/4475_emutramp_default_on.patch
rename to 3.14.46/4475_emutramp_default_on.patch
diff --git a/3.2.69/0000_README b/3.2.69/0000_README
index 05b7791..d006716 100644
--- a/3.2.69/0000_README
+++ b/3.2.69/0000_README
@@ -194,7 +194,7 @@ Patch: 1068_linux-3.2.69.patch
From: http://www.kernel.org
Desc: Linux 3.2.69
-Patch: 4420_grsecurity-3.1-3.2.69-201506262041.patch
+Patch: 4420_grsecurity-3.1-3.2.69-201506300708.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201506262041.patch
b/3.2.69/4420_grsecurity-3.1-3.2.69-201506300708.patch
similarity index 99%
rename from 3.2.69/4420_grsecurity-3.1-3.2.69-201506262041.patch
rename to 3.2.69/4420_grsecurity-3.1-3.2.69-201506300708.patch
index ce279a5..e8aabfa 100644
--- a/3.2.69/4420_grsecurity-3.1-3.2.69-201506262041.patch
+++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201506300708.patch
@@ -14572,7 +14572,7 @@ index 5f55e69..e20bfb1 100644
#ifdef CONFIG_SMP
diff --git a/arch/x86/include/asm/mmu_context.h
b/arch/x86/include/asm/mmu_context.h
-index 6902152..da4283a 100644
+index 6902152..737f889 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *mm);
@@ -14634,9 +14634,9 @@ index 6902152..da4283a 100644
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) &&
defined(CONFIG_SMP)
+ if (!(__supported_pte_mask & _PAGE_NX)) {
+ smp_mb__before_clear_bit();
-+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
++ cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask);
+ smp_mb__after_clear_bit();
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
+ }
+#endif
+
@@ -14678,7 +14678,7 @@ index 6902152..da4283a 100644
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+ if (!(__supported_pte_mask & _PAGE_NX))
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu,
&next->context.cpu_user_cs_mask);
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) ||
defined(CONFIG_PAX_SEGMEXEC))
@@ -22436,7 +22436,7 @@ index 4b6701e..1a3dcdb 100644
};
#endif
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index 0a8e65e..288a4b0 100644
+index 0a8e65e..6e8de34 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int
reload)
@@ -22478,7 +22478,7 @@ index 0a8e65e..288a4b0 100644
+ mm->context.user_cs_limit = ~0UL;
+
+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
-+ cpus_clear(mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
+#endif
+
+#endif
@@ -28430,7 +28430,7 @@ index d0474ad..36e9257 100644
extern u32 pnp_bios_is_utter_crap;
pnp_bios_is_utter_crap = 1;
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index 351590e..825bba9 100644
+index 351590e..ad0d399 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -13,11 +13,18 @@
@@ -28716,7 +28716,7 @@ index 351590e..825bba9 100644
+ }
+
+#ifdef CONFIG_SMP
-+ if (likely(address > get_limit(regs->cs) &&
cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
++ if (likely(address > get_limit(regs->cs) &&
cpumask_test_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask)))
+#else
+ if (likely(address > get_limit(regs->cs)))
+#endif
@@ -29896,7 +29896,7 @@ index 29f7c6d9..5122941 100644
printk(KERN_INFO "Write protecting the kernel text: %luk\n",
size >> 10);
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 44b93da..5a0b3ee 100644
+index 44b93da..79d59f5 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -30013,6 +30013,15 @@ index 44b93da..5a0b3ee 100644
adr = (void *)(((unsigned long)adr) | left);
return adr;
+@@ -413,7 +427,7 @@ phys_pmd_init(pmd_t *pmd_page, unsigned long address,
unsigned long end,
+
+ int i = pmd_index(address);
+
+- for (; i < PTRS_PER_PMD; i++, address += PMD_SIZE) {
++ for (; i < PTRS_PER_PMD; i++, address = (address & PMD_MASK) +
PMD_SIZE) {
+ unsigned long pte_phys;
+ pmd_t *pmd = pmd_page + pmd_index(address);
+ pte_t *pte;
@@ -546,7 +560,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr,
unsigned long end,
unmap_low_page(pmd);
@@ -96101,10 +96110,30 @@ index 875fed4..7a76cbb 100644
}
diff --git a/kernel/trace/trace_events_filter.c
b/kernel/trace/trace_events_filter.c
-index b0996c1..7e5c12f 100644
+index b0996c1..9c39703 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
-@@ -1343,19 +1343,27 @@ static int check_preds(struct filter_parse_state *ps)
+@@ -1027,6 +1027,9 @@ static void parse_init(struct filter_parse_state *ps,
+
+ static char infix_next(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return 0;
++
+ ps->infix.cnt--;
+
+ return ps->infix.string[ps->infix.tail++];
+@@ -1042,6 +1045,9 @@ static char infix_peek(struct filter_parse_state *ps)
+
+ static void infix_advance(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return;
++
+ ps->infix.cnt--;
+ ps->infix.tail++;
+ }
+@@ -1343,19 +1349,27 @@ static int check_preds(struct filter_parse_state *ps)
{
int n_normal_preds = 0, n_logical_preds = 0;
struct postfix_elt *elt;
@@ -97671,6 +97700,18 @@ index 011b110..05d1b6f 100644
select PROC_PAGE_MONITOR
config NOMMU_INITIAL_TRIM_EXCESS
+diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
+index 8b1a477..f3a339f 100644
+--- a/mm/Kconfig.debug
++++ b/mm/Kconfig.debug
+@@ -1,6 +1,7 @@
+ config DEBUG_PAGEALLOC
+ bool "Debug page memory allocations"
+ depends on DEBUG_KERNEL
++ depends on !PAX_MEMORY_SANITIZE
+ depends on !HIBERNATION || ARCH_SUPPORTS_DEBUG_PAGEALLOC && !PPC &&
!SPARC
+ depends on !KMEMCHECK
+ select PAGE_POISONING if !ARCH_SUPPORTS_DEBUG_PAGEALLOC
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index 2b49dd2..0527d62 100644
--- a/mm/backing-dev.c
@@ -100638,7 +100679,7 @@ index cf332bc..add7e3a 100644
if (active_mm != mm)
diff --git a/mm/mprotect.c b/mm/mprotect.c
-index 5a688a2..fffb9f6 100644
+index 5a688a2..fa006d9 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -23,10 +23,16 @@
@@ -100685,8 +100726,8 @@ index 5a688a2..fffb9f6 100644
+
+#ifdef CONFIG_SMP
+ wmb();
-+ cpus_clear(mm->context.cpu_user_cs_mask);
-+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
++ cpumask_set_cpu(smp_processor_id(),
&mm->context.cpu_user_cs_mask);
+#endif
+
+ set_user_cs(mm->context.user_cs_base,
mm->context.user_cs_limit, smp_processor_id());
diff --git a/3.14.45/0000_README b/4.0.7/0000_README
similarity index 92%
rename from 3.14.45/0000_README
rename to 4.0.7/0000_README
index b4be2cb..1c85007 100644
--- a/3.14.45/0000_README
+++ b/4.0.7/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-3.14.45-201506262046.patch
+Patch: 1006_linux-4.0.7.patch
+From: http://www.kernel.org
+Desc: Linux 4.0.7
+
+Patch: 4420_grsecurity-3.1-4.0.7-201506300712.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.0.7/1006_linux-4.0.7.patch b/4.0.7/1006_linux-4.0.7.patch
new file mode 100644
index 0000000..0b9b646
--- /dev/null
+++ b/4.0.7/1006_linux-4.0.7.patch
@@ -0,0 +1,707 @@
+diff --git a/Makefile b/Makefile
+index af6da04..bd76a8e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 0
+-SUBLEVEL = 6
++SUBLEVEL = 7
+ EXTRAVERSION =
+ NAME = Hurr durr I'ma sheep
+
+diff --git a/arch/arm/mach-exynos/common.h b/arch/arm/mach-exynos/common.h
+index f70eca7..0ef8d4b 100644
+--- a/arch/arm/mach-exynos/common.h
++++ b/arch/arm/mach-exynos/common.h
+@@ -153,6 +153,8 @@ extern void exynos_enter_aftr(void);
+
+ extern struct cpuidle_exynos_data cpuidle_coupled_exynos_data;
+
++extern void exynos_set_delayed_reset_assertion(bool enable);
++
+ extern void s5p_init_cpu(void __iomem *cpuid_addr);
+ extern unsigned int samsung_rev(void);
+ extern void __iomem *cpu_boot_reg_base(void);
+diff --git a/arch/arm/mach-exynos/exynos.c b/arch/arm/mach-exynos/exynos.c
+index 9e9dfdf..1081ff1 100644
+--- a/arch/arm/mach-exynos/exynos.c
++++ b/arch/arm/mach-exynos/exynos.c
+@@ -166,6 +166,33 @@ static void __init exynos_init_io(void)
+ exynos_map_io();
+ }
+
++/*
++ * Set or clear the USE_DELAYED_RESET_ASSERTION option. Used by smp code
++ * and suspend.
++ *
++ * This is necessary only on Exynos4 SoCs. When system is running
++ * USE_DELAYED_RESET_ASSERTION should be set so the ARM CLK clock down
++ * feature could properly detect global idle state when secondary CPU is
++ * powered down.
++ *
++ * However this should not be set when such system is going into suspend.
++ */
++void exynos_set_delayed_reset_assertion(bool enable)
++{
++ if (soc_is_exynos4()) {
++ unsigned int tmp, core_id;
++
++ for (core_id = 0; core_id < num_possible_cpus(); core_id++) {
++ tmp = pmu_raw_readl(EXYNOS_ARM_CORE_OPTION(core_id));
++ if (enable)
++ tmp |= S5P_USE_DELAYED_RESET_ASSERTION;
++ else
++ tmp &= ~(S5P_USE_DELAYED_RESET_ASSERTION);
++ pmu_raw_writel(tmp, EXYNOS_ARM_CORE_OPTION(core_id));
++ }
++ }
++}
++
+ static const struct of_device_id exynos_dt_pmu_match[] = {
+ { .compatible = "samsung,exynos3250-pmu" },
+ { .compatible = "samsung,exynos4210-pmu" },
+diff --git a/arch/arm/mach-exynos/platsmp.c b/arch/arm/mach-exynos/platsmp.c
+index d2e9f12..d45e8cd 100644
+--- a/arch/arm/mach-exynos/platsmp.c
++++ b/arch/arm/mach-exynos/platsmp.c
+@@ -34,30 +34,6 @@
+
+ extern void exynos4_secondary_startup(void);
+
+-/*
+- * Set or clear the USE_DELAYED_RESET_ASSERTION option, set on Exynos4 SoCs
+- * during hot-(un)plugging CPUx.
+- *
+- * The feature can be cleared safely during first boot of secondary CPU.
+- *
+- * Exynos4 SoCs require setting USE_DELAYED_RESET_ASSERTION during powering
+- * down a CPU so the CPU idle clock down feature could properly detect global
+- * idle state when CPUx is off.
+- */
+-static void exynos_set_delayed_reset_assertion(u32 core_id, bool enable)
+-{
+- if (soc_is_exynos4()) {
+- unsigned int tmp;
+-
+- tmp = pmu_raw_readl(EXYNOS_ARM_CORE_OPTION(core_id));
+- if (enable)
+- tmp |= S5P_USE_DELAYED_RESET_ASSERTION;
+- else
+- tmp &= ~(S5P_USE_DELAYED_RESET_ASSERTION);
+- pmu_raw_writel(tmp, EXYNOS_ARM_CORE_OPTION(core_id));
+- }
+-}
+-
+ #ifdef CONFIG_HOTPLUG_CPU
+ static inline void cpu_leave_lowpower(u32 core_id)
+ {
+@@ -73,8 +49,6 @@ static inline void cpu_leave_lowpower(u32 core_id)
+ : "=&r" (v)
+ : "Ir" (CR_C), "Ir" (0x40)
+ : "cc");
+-
+- exynos_set_delayed_reset_assertion(core_id, false);
+ }
+
+ static inline void platform_do_lowpower(unsigned int cpu, int *spurious)
+@@ -87,14 +61,6 @@ static inline void platform_do_lowpower(unsigned int cpu,
int *spurious)
+ /* Turn the CPU off on next WFI instruction. */
+ exynos_cpu_power_down(core_id);
+
+- /*
+- * Exynos4 SoCs require setting
+- * USE_DELAYED_RESET_ASSERTION so the CPU idle
+- * clock down feature could properly detect
+- * global idle state when CPUx is off.
+- */
+- exynos_set_delayed_reset_assertion(core_id, true);
+-
+ wfi();
+
+ if (pen_release == core_id) {
+@@ -354,9 +320,6 @@ static int exynos_boot_secondary(unsigned int cpu, struct
task_struct *idle)
+ udelay(10);
+ }
+
+- /* No harm if this is called during first boot of secondary CPU */
+- exynos_set_delayed_reset_assertion(core_id, false);
+-
+ /*
+ * now the secondary core is starting up let it run its
+ * calibrations, then wait for it to finish
+@@ -403,6 +366,8 @@ static void __init exynos_smp_prepare_cpus(unsigned int
max_cpus)
+
+ exynos_sysram_init();
+
++ exynos_set_delayed_reset_assertion(true);
++
+ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9)
+ scu_enable(scu_base_addr());
+
+diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c
+index 318d127..582ef2d 100644
+--- a/arch/arm/mach-exynos/suspend.c
++++ b/arch/arm/mach-exynos/suspend.c
+@@ -235,6 +235,8 @@ static void exynos_pm_enter_sleep_mode(void)
+
+ static void exynos_pm_prepare(void)
+ {
++ exynos_set_delayed_reset_assertion(false);
++
+ /* Set wake-up mask registers */
+ exynos_pm_set_wakeup_mask();
+
+@@ -383,6 +385,7 @@ early_wakeup:
+
+ /* Clear SLEEP mode set in INFORM1 */
+ pmu_raw_writel(0x0, S5P_INFORM1);
++ exynos_set_delayed_reset_assertion(true);
+ }
+
+ static void exynos3250_pm_resume(void)
+diff --git a/arch/powerpc/kernel/idle_power7.S
b/arch/powerpc/kernel/idle_power7.S
+index 05adc8b..401d8d0 100644
+--- a/arch/powerpc/kernel/idle_power7.S
++++ b/arch/powerpc/kernel/idle_power7.S
+@@ -500,9 +500,11 @@ BEGIN_FTR_SECTION
+ CHECK_HMI_INTERRUPT
+ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
+ ld r1,PACAR1(r13)
++ ld r6,_CCR(r1)
+ ld r4,_MSR(r1)
+ ld r5,_NIP(r1)
+ addi r1,r1,INT_FRAME_SIZE
++ mtcr r6
+ mtspr SPRN_SRR1,r4
+ mtspr SPRN_SRR0,r5
+ rfid
+diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
+index 4e3d5a9..03189d8 100644
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -354,6 +354,7 @@ int __copy_instruction(u8 *dest, u8 *src)
+ {
+ struct insn insn;
+ kprobe_opcode_t buf[MAX_INSN_SIZE];
++ int length;
+ unsigned long recovered_insn =
+ recover_probed_instruction(buf, (unsigned long)src);
+
+@@ -361,16 +362,18 @@ int __copy_instruction(u8 *dest, u8 *src)
+ return 0;
+ kernel_insn_init(&insn, (void *)recovered_insn, MAX_INSN_SIZE);
+ insn_get_length(&insn);
++ length = insn.length;
++
+ /* Another subsystem puts a breakpoint, failed to recover */
+ if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
+ return 0;
+- memcpy(dest, insn.kaddr, insn.length);
++ memcpy(dest, insn.kaddr, length);
+
+ #ifdef CONFIG_X86_64
+ if (insn_rip_relative(&insn)) {
+ s64 newdisp;
+ u8 *disp;
+- kernel_insn_init(&insn, dest, insn.length);
++ kernel_insn_init(&insn, dest, length);
+ insn_get_displacement(&insn);
+ /*
+ * The copied instruction uses the %rip-relative addressing
+@@ -394,7 +397,7 @@ int __copy_instruction(u8 *dest, u8 *src)
+ *(s32 *) disp = (s32) newdisp;
+ }
+ #endif
+- return insn.length;
++ return length;
+ }
+
+ static int arch_copy_kprobe(struct kprobe *p)
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 4ee827d..3cb2b58 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1064,6 +1064,17 @@ static void update_divide_count(struct kvm_lapic *apic)
+ apic->divide_count);
+ }
+
++static void apic_update_lvtt(struct kvm_lapic *apic)
++{
++ u32 timer_mode = kvm_apic_get_reg(apic, APIC_LVTT) &
++ apic->lapic_timer.timer_mode_mask;
++
++ if (apic->lapic_timer.timer_mode != timer_mode) {
++ apic->lapic_timer.timer_mode = timer_mode;
++ hrtimer_cancel(&apic->lapic_timer.timer);
++ }
++}
++
+ static void apic_timer_expired(struct kvm_lapic *apic)
+ {
+ struct kvm_vcpu *vcpu = apic->vcpu;
+@@ -1272,6 +1283,7 @@ static int apic_reg_write(struct kvm_lapic *apic, u32
reg, u32 val)
+ apic_set_reg(apic, APIC_LVTT + 0x10 * i,
+ lvt_val | APIC_LVT_MASKED);
+ }
++ apic_update_lvtt(apic);
+ atomic_set(&apic->lapic_timer.pending, 0);
+
+ }
+@@ -1304,20 +1316,13 @@ static int apic_reg_write(struct kvm_lapic *apic, u32
reg, u32 val)
+
+ break;
+
+- case APIC_LVTT: {
+- u32 timer_mode = val & apic->lapic_timer.timer_mode_mask;
+-
+- if (apic->lapic_timer.timer_mode != timer_mode) {
+- apic->lapic_timer.timer_mode = timer_mode;
+- hrtimer_cancel(&apic->lapic_timer.timer);
+- }
+-
++ case APIC_LVTT:
+ if (!kvm_apic_sw_enabled(apic))
+ val |= APIC_LVT_MASKED;
+ val &= (apic_lvt_mask[0] | apic->lapic_timer.timer_mode_mask);
+ apic_set_reg(apic, APIC_LVTT, val);
++ apic_update_lvtt(apic);
+ break;
+- }
+
+ case APIC_TMICT:
+ if (apic_lvtt_tscdeadline(apic))
+@@ -1552,7 +1557,7 @@ void kvm_lapic_reset(struct kvm_vcpu *vcpu)
+
+ for (i = 0; i < APIC_LVT_NUM; i++)
+ apic_set_reg(apic, APIC_LVTT + 0x10 * i, APIC_LVT_MASKED);
+- apic->lapic_timer.timer_mode = 0;
++ apic_update_lvtt(apic);
+ apic_set_reg(apic, APIC_LVT0,
+ SET_APIC_DELIVERY_MODE(0, APIC_MODE_EXTINT));
+
+@@ -1778,6 +1783,7 @@ void kvm_apic_post_state_restore(struct kvm_vcpu *vcpu,
+
+ apic_update_ppr(apic);
+ hrtimer_cancel(&apic->lapic_timer.timer);
++ apic_update_lvtt(apic);
+ update_divide_count(apic);
+ start_apic_timer(apic);
+ apic->irr_pending = true;
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index 288547a..f26ebc5 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -80,6 +80,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x0489, 0xe057) },
+ { USB_DEVICE(0x0489, 0xe056) },
+ { USB_DEVICE(0x0489, 0xe05f) },
++ { USB_DEVICE(0x0489, 0xe076) },
+ { USB_DEVICE(0x0489, 0xe078) },
+ { USB_DEVICE(0x04c5, 0x1330) },
+ { USB_DEVICE(0x04CA, 0x3004) },
+@@ -111,6 +112,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x13d3, 0x3408) },
+ { USB_DEVICE(0x13d3, 0x3423) },
+ { USB_DEVICE(0x13d3, 0x3432) },
++ { USB_DEVICE(0x13d3, 0x3474) },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE02C) },
+@@ -135,6 +137,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+@@ -166,6 +169,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU22 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 2c527da..4fc4157 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -174,6 +174,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+@@ -205,6 +206,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
+diff --git a/drivers/clk/at91/clk-pll.c b/drivers/clk/at91/clk-pll.c
+index 6ec79db..cbbe403 100644
+--- a/drivers/clk/at91/clk-pll.c
++++ b/drivers/clk/at91/clk-pll.c
+@@ -173,8 +173,7 @@ static long clk_pll_get_best_div_mul(struct clk_pll *pll,
unsigned long rate,
+ int i = 0;
+
+ /* Check if parent_rate is a valid input rate */
+- if (parent_rate < characteristics->input.min ||
+- parent_rate > characteristics->input.max)
++ if (parent_rate < characteristics->input.min)
+ return -ERANGE;
+
+ /*
+@@ -187,6 +186,15 @@ static long clk_pll_get_best_div_mul(struct clk_pll *pll,
unsigned long rate,
+ if (!mindiv)
+ mindiv = 1;
+
++ if (parent_rate > characteristics->input.max) {
++ tmpdiv = DIV_ROUND_UP(parent_rate, characteristics->input.max);
++ if (tmpdiv > PLL_DIV_MAX)
++ return -ERANGE;
++
++ if (tmpdiv > mindiv)
++ mindiv = tmpdiv;
++ }
++
+ /*
+ * Calculate the maximum divider which is limited by PLL register
+ * layout (limited by the MUL or DIV field size).
+diff --git a/drivers/clk/at91/pmc.h b/drivers/clk/at91/pmc.h
+index 69abb08..eb8e5dc 100644
+--- a/drivers/clk/at91/pmc.h
++++ b/drivers/clk/at91/pmc.h
+@@ -121,7 +121,7 @@ extern void __init of_at91sam9x5_clk_smd_setup(struct
device_node *np,
+ struct at91_pmc *pmc);
+ #endif
+
+-#if defined(CONFIG_HAVE_AT91_SMD)
++#if defined(CONFIG_HAVE_AT91_H32MX)
+ extern void __init of_sama5d4_clk_h32mx_setup(struct device_node *np,
+ struct at91_pmc *pmc);
+ #endif
+diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
+index f347ab7..08b0da2 100644
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -1543,6 +1543,8 @@ static int ahash_init(struct ahash_request *req)
+
+ state->current_buf = 0;
+ state->buf_dma = 0;
++ state->buflen_0 = 0;
++ state->buflen_1 = 0;
+
+ return 0;
+ }
+diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
+index ae31e55..a48dc25 100644
+--- a/drivers/crypto/caam/caamrng.c
++++ b/drivers/crypto/caam/caamrng.c
+@@ -56,7 +56,7 @@
+
+ /* Buffer, its dma address and lock */
+ struct buf_data {
+- u8 buf[RN_BUF_SIZE];
++ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
+ dma_addr_t addr;
+ struct completion filled;
+ u32 hw_desc[DESC_JOB_O_LEN];
+diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
+index ec4d932..169123a 100644
+--- a/drivers/gpu/drm/i915/i915_drv.c
++++ b/drivers/gpu/drm/i915/i915_drv.c
+@@ -693,6 +693,16 @@ static int i915_drm_resume(struct drm_device *dev)
+ intel_init_pch_refclk(dev);
+ drm_mode_config_reset(dev);
+
++ /*
++ * Interrupts have to be enabled before any batches are run.
++ * If not the GPU will hang. i915_gem_init_hw() will initiate
++ * batches to update/restore the context.
++ *
++ * Modeset enabling in intel_modeset_init_hw() also needs
++ * working interrupts.
++ */
++ intel_runtime_pm_enable_interrupts(dev_priv);
++
+ mutex_lock(&dev->struct_mutex);
+ if (i915_gem_init_hw(dev)) {
+ DRM_ERROR("failed to re-initialize GPU, declaring
wedged!\n");
+@@ -700,9 +710,6 @@ static int i915_drm_resume(struct drm_device *dev)
+ }
+ mutex_unlock(&dev->struct_mutex);
+
+- /* We need working interrupts for modeset enabling ... */
+- intel_runtime_pm_enable_interrupts(dev_priv);
+-
+ intel_modeset_init_hw(dev);
+
+ spin_lock_irq(&dev_priv->irq_lock);
+diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
+index 7a628e4..9536ec3 100644
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -2732,6 +2732,9 @@ void i915_gem_reset(struct drm_device *dev)
+ void
+ i915_gem_retire_requests_ring(struct intel_engine_cs *ring)
+ {
++ if (list_empty(&ring->request_list))
++ return;
++
+ WARN_ON(i915_verify_lists(ring->dev));
+
+ /* Retire requests first as we use it above for the early return.
+@@ -3088,8 +3091,8 @@ int i915_vma_unbind(struct i915_vma *vma)
+ } else if (vma->ggtt_view.pages) {
+ sg_free_table(vma->ggtt_view.pages);
+ kfree(vma->ggtt_view.pages);
+- vma->ggtt_view.pages = NULL;
+ }
++ vma->ggtt_view.pages = NULL;
+ }
+
+ drm_mm_remove_node(&vma->node);
+diff --git a/drivers/gpu/drm/mgag200/mgag200_mode.c
b/drivers/gpu/drm/mgag200/mgag200_mode.c
+index 9872ba9..2ffeda3 100644
+--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
+@@ -1526,6 +1526,11 @@ static int mga_vga_mode_valid(struct drm_connector
*connector,
+ return MODE_BANDWIDTH;
+ }
+
++ if ((mode->hdisplay % 8) != 0 || (mode->hsync_start % 8) != 0 ||
++ (mode->hsync_end % 8) != 0 || (mode->htotal % 8) != 0) {
++ return MODE_H_ILLEGAL;
++ }
++
+ if (mode->crtc_hdisplay > 2048 || mode->crtc_hsync_start > 4096 ||
+ mode->crtc_hsync_end > 4096 || mode->crtc_htotal > 4096 ||
+ mode->crtc_vdisplay > 2048 || mode->crtc_vsync_start > 4096 ||
+diff --git a/drivers/gpu/drm/radeon/radeon_kms.c
b/drivers/gpu/drm/radeon/radeon_kms.c
+index 686411e..b82f2dd 100644
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -547,6 +547,9 @@ static int radeon_info_ioctl(struct drm_device *dev, void
*data, struct drm_file
+ else
+ *value = 1;
+ break;
++ case RADEON_INFO_VA_UNMAP_WORKING:
++ *value = true;
++ break;
+ default:
+ DRM_DEBUG_KMS("Invalid request %d\n", info->request);
+ return -EINVAL;
+diff --git a/drivers/infiniband/ulp/isert/ib_isert.c
b/drivers/infiniband/ulp/isert/ib_isert.c
+index 147029a..ac72ece 100644
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2316,7 +2316,6 @@ isert_build_rdma_wr(struct isert_conn *isert_conn,
struct isert_cmd *isert_cmd,
+ page_off = offset % PAGE_SIZE;
+
+ send_wr->sg_list = ib_sge;
+- send_wr->num_sge = sg_nents;
+ send_wr->wr_id = (uintptr_t)&isert_cmd->tx_desc;
+ /*
+ * Perform mapping of TCM scatterlist memory ib_sge dma_addr.
+@@ -2336,14 +2335,17 @@ isert_build_rdma_wr(struct isert_conn *isert_conn,
struct isert_cmd *isert_cmd,
+ ib_sge->addr, ib_sge->length, ib_sge->lkey);
+ page_off = 0;
+ data_left -= ib_sge->length;
++ if (!data_left)
++ break;
+ ib_sge++;
+ isert_dbg("Incrementing ib_sge pointer to %p\n", ib_sge);
+ }
+
++ send_wr->num_sge = ++i;
+ isert_dbg("Set outgoing sg_list: %p num_sg: %u from TCM SGLs\n",
+ send_wr->sg_list, send_wr->num_sge);
+
+- return sg_nents;
++ return send_wr->num_sge;
+ }
+
+ static int
+@@ -3311,6 +3313,7 @@ static void isert_free_conn(struct iscsi_conn *conn)
+ {
+ struct isert_conn *isert_conn = conn->context;
+
++ isert_wait4flush(isert_conn);
+ isert_put_conn(isert_conn);
+ }
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 9b4e30a..beda011 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1889,8 +1889,8 @@ static int map_request(struct dm_target *ti, struct
request *rq,
+ dm_kill_unmapped_request(rq, r);
+ return r;
+ }
+- if (IS_ERR(clone))
+- return DM_MAPIO_REQUEUE;
++ if (r != DM_MAPIO_REMAPPED)
++ return r;
+ if (setup_clone(clone, rq, tio, GFP_KERNEL)) {
+ /* -ENOMEM */
+ ti->type->release_clone_rq(clone);
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 75345c1..5c91df5 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -5365,6 +5365,10 @@ static void b43_supported_bands(struct b43_wldev *dev,
bool *have_2ghz_phy,
+ *have_5ghz_phy = true;
+ return;
+ case 0x4321: /* BCM4306 */
++ /* There are 14e4:4321 PCI devs with 2.4 GHz BCM4321 (N-PHY) */
++ if (dev->phy.type != B43_PHYTYPE_G)
++ break;
++ /* fall through */
+ case 0x4313: /* BCM4311 */
+ case 0x431a: /* BCM4318 */
+ case 0x432a: /* BCM4321 */
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 220c0fd..50faef4 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1468,6 +1468,11 @@ skip_countries:
+ goto alloc_fail8;
+ }
+
++ if (quirks & CLEAR_HALT_CONDITIONS) {
++ usb_clear_halt(usb_dev, usb_rcvbulkpipe(usb_dev,
epread->bEndpointAddress));
++ usb_clear_halt(usb_dev, usb_sndbulkpipe(usb_dev,
epwrite->bEndpointAddress));
++ }
++
+ return 0;
+ alloc_fail8:
+ if (acm->country_codes) {
+@@ -1747,6 +1752,10 @@ static const struct usb_device_id acm_ids[] = {
+ .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
+ },
+
++ { USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */
++ .driver_info = CLEAR_HALT_CONDITIONS,
++ },
++
+ /* Nokia S60 phones expose two ACM channels. The first is
+ * a modem and is picked up by the standard AT-command
+ * information below. The second is 'vendor-specific' but
+diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
+index ffeb3c8..b3b6c9d 100644
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -133,3 +133,4 @@ struct acm {
+ #define NO_DATA_INTERFACE BIT(4)
+ #define IGNORE_DEVICE BIT(5)
+ #define QUIRK_CONTROL_LINE_STATE BIT(6)
++#define CLEAR_HALT_CONDITIONS BIT(7)
+diff --git a/include/uapi/drm/radeon_drm.h b/include/uapi/drm/radeon_drm.h
+index 50d0fb4..76d2ede 100644
+--- a/include/uapi/drm/radeon_drm.h
++++ b/include/uapi/drm/radeon_drm.h
+@@ -1034,6 +1034,7 @@ struct drm_radeon_cs {
+ #define RADEON_INFO_VRAM_USAGE 0x1e
+ #define RADEON_INFO_GTT_USAGE 0x1f
+ #define RADEON_INFO_ACTIVE_CU_COUNT 0x20
++#define RADEON_INFO_VA_UNMAP_WORKING 0x25
+
+ struct drm_radeon_info {
+ uint32_t request;
+diff --git a/kernel/trace/trace_events_filter.c
b/kernel/trace/trace_events_filter.c
+index ced69da..7f2e97c 100644
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1369,19 +1369,26 @@ static int check_preds(struct filter_parse_state *ps)
+ {
+ int n_normal_preds = 0, n_logical_preds = 0;
+ struct postfix_elt *elt;
++ int cnt = 0;
+
+ list_for_each_entry(elt, &ps->postfix, list) {
+- if (elt->op == OP_NONE)
++ if (elt->op == OP_NONE) {
++ cnt++;
+ continue;
++ }
+
+ if (elt->op == OP_AND || elt->op == OP_OR) {
+ n_logical_preds++;
++ cnt--;
+ continue;
+ }
++ if (elt->op != OP_NOT)
++ cnt--;
+ n_normal_preds++;
++ WARN_ON_ONCE(cnt < 0);
+ }
+
+- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
++ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
+ parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
+ return -EINVAL;
+ }
+diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
+index 87eff31..60b3100 100644
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -100,6 +100,7 @@ enum {
+ STAC_HP_ENVY_BASS,
+ STAC_HP_BNB13_EQ,
+ STAC_HP_ENVY_TS_BASS,
++ STAC_HP_ENVY_TS_DAC_BIND,
+ STAC_92HD83XXX_GPIO10_EAPD,
+ STAC_92HD83XXX_MODELS
+ };
+@@ -2170,6 +2171,22 @@ static void stac92hd83xxx_fixup_gpio10_eapd(struct
hda_codec *codec,
+ spec->eapd_switch = 0;
+ }
+
++static void hp_envy_ts_fixup_dac_bind(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ struct sigmatel_spec *spec = codec->spec;
++ static hda_nid_t preferred_pairs[] = {
++ 0xd, 0x13,
++ 0
++ };
++
++ if (action != HDA_FIXUP_ACT_PRE_PROBE)
++ return;
++
++ spec->gen.preferred_dacs = preferred_pairs;
++}
++
+ static const struct hda_verb hp_bnb13_eq_verbs[] = {
+ /* 44.1KHz base */
+ { 0x22, 0x7A6, 0x3E },
+@@ -2685,6 +2702,12 @@ static const struct hda_fixup stac92hd83xxx_fixups[] = {
+ {}
+ },
+ },
++ [STAC_HP_ENVY_TS_DAC_BIND] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = hp_envy_ts_fixup_dac_bind,
++ .chained = true,
++ .chain_id = STAC_HP_ENVY_TS_BASS,
++ },
+ [STAC_92HD83XXX_GPIO10_EAPD] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = stac92hd83xxx_fixup_gpio10_eapd,
+@@ -2763,6 +2786,8 @@ static const struct snd_pci_quirk
stac92hd83xxx_fixup_tbl[] = {
+ "HP bNB13", STAC_HP_BNB13_EQ),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x190e,
+ "HP ENVY TS", STAC_HP_ENVY_TS_BASS),
++ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1967,
++ "HP ENVY TS", STAC_HP_ENVY_TS_DAC_BIND),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1940,
+ "HP bNB13", STAC_HP_BNB13_EQ),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1941,
diff --git a/4.0.6/4420_grsecurity-3.1-4.0.6-201506272327.patch
b/4.0.7/4420_grsecurity-3.1-4.0.7-201506300712.patch
similarity index 99%
rename from 4.0.6/4420_grsecurity-3.1-4.0.6-201506272327.patch
rename to 4.0.7/4420_grsecurity-3.1-4.0.7-201506300712.patch
index 01515b8..37bee2c 100644
--- a/4.0.6/4420_grsecurity-3.1-4.0.6-201506272327.patch
+++ b/4.0.7/4420_grsecurity-3.1-4.0.7-201506300712.patch
@@ -373,7 +373,7 @@ index 4d68ec8..9546b75 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index af6da04..22820aa 100644
+index bd76a8e..ed02758 100644
--- a/Makefile
+++ b/Makefile
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo
$$BASH; \
@@ -3437,7 +3437,7 @@ index 3e58d71..029817c 100644
/* See rational for this in __copy_to_user() above. */
if (n < 64)
diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c
-index 318d127..9aab0d1 100644
+index 582ef2d..d314e82 100644
--- a/arch/arm/mach-exynos/suspend.c
+++ b/arch/arm/mach-exynos/suspend.c
@@ -18,6 +18,7 @@
@@ -3448,7 +3448,7 @@ index 318d127..9aab0d1 100644
#include <linux/irqchip/arm-gic.h>
#include <linux/err.h>
#include <linux/regulator/machine.h>
-@@ -632,8 +633,10 @@ void __init exynos_pm_init(void)
+@@ -635,8 +636,10 @@ void __init exynos_pm_init(void)
tmp |= pm_data->wake_disable_mask;
pmu_raw_writel(tmp, S5P_WAKEUP_MASK);
@@ -17369,7 +17369,7 @@ index 09b9620..923aecd 100644
atomic_t perf_rdpmc_allowed; /* nonzero if rdpmc is allowed */
} mm_context_t;
diff --git a/arch/x86/include/asm/mmu_context.h
b/arch/x86/include/asm/mmu_context.h
-index 883f6b93..6869d96 100644
+index 883f6b93..bb405b5 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -42,6 +42,20 @@ void destroy_context(struct mm_struct *mm);
@@ -17461,9 +17461,9 @@ index 883f6b93..6869d96 100644
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) &&
defined(CONFIG_SMP)
+ if (!(__supported_pte_mask & _PAGE_NX)) {
+ smp_mb__before_atomic();
-+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
++ cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask);
+ smp_mb__after_atomic();
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
+ }
+#endif
+
@@ -17537,7 +17537,7 @@ index 883f6b93..6869d96 100644
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+ if (!(__supported_pte_mask & _PAGE_NX))
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu,
&next->context.cpu_user_cs_mask);
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) ||
defined(CONFIG_PAX_SEGMEXEC))
@@ -22048,7 +22048,7 @@ index cf3df1d..b637d9a 100644
if (__die(str, regs, err))
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index 5abd4cd..c65733b 100644
+index 5abd4cd..ca97162 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -61,15 +61,14 @@ void dump_trace(struct task_struct *task, struct pt_regs
*regs,
@@ -22125,7 +22125,7 @@ index 5abd4cd..c65733b 100644
}
+
+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
-+void pax_check_alloca(unsigned long size)
++void __used pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_left;
+
@@ -22136,7 +22136,7 @@ index 5abd4cd..c65733b 100644
+EXPORT_SYMBOL(pax_check_alloca);
+#endif
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index ff86f19..73eabf4 100644
+index ff86f19..a2efee8 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -153,12 +153,12 @@ void dump_trace(struct task_struct *task, struct pt_regs
*regs,
@@ -22211,7 +22211,7 @@ index ff86f19..73eabf4 100644
}
+
+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
-+void pax_check_alloca(unsigned long size)
++void __used pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
+ unsigned cpu, used;
@@ -23060,7 +23060,7 @@ index 31e2d5b..b31c76d 100644
#endif
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index f0095a7..ec77893 100644
+index f0095a7..7ece039 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -59,6 +59,8 @@
@@ -23114,7 +23114,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
-+ bts $16,%rdi
++ bts $X86_CR0_WP_BIT,%rdi
+ jnc 3f
+ mov %cs,%edi
+ cmp $__KERNEL_CS,%edi
@@ -23175,7 +23175,7 @@ index f0095a7..ec77893 100644
+ cmp $__KERNEXEC_KERNEL_CS,%edi
+ jz 2f
+ GET_CR0_INTO_RDI
-+ bts $16,%rdi
++ bts $X86_CR0_WP_BIT,%rdi
+ jnc 4f
+1:
+#endif
@@ -23213,7 +23213,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+2: GET_CR0_INTO_RDI
-+ btr $16,%rdi
++ btr $X86_CR0_WP_BIT,%rdi
+ jnc 4f
+ ljmpq __KERNEL_CS,3f
+3: SET_RDI_INTO_CR0
@@ -23301,7 +23301,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
-+ bts $16,%rdi
++ bts $X86_CR0_WP_BIT,%rdi
+ SET_RDI_INTO_CR0
+#endif
+
@@ -23346,7 +23346,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
-+ btr $16,%rdi
++ btr $X86_CR0_WP_BIT,%rdi
+ jnc 3f
+ SET_RDI_INTO_CR0
+#endif
@@ -23393,7 +23393,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
-+ bts $16,%rdi
++ bts $X86_CR0_WP_BIT,%rdi
+ jc 110f
+ SET_RDI_INTO_CR0
+ or $2,%ebx
@@ -23426,7 +23426,7 @@ index f0095a7..ec77893 100644
+ btr $1,%ebx
+ jnc 110f
+ GET_CR0_INTO_RDI
-+ btr $16,%rdi
++ btr $X86_CR0_WP_BIT,%rdi
+ SET_RDI_INTO_CR0
+110:
+#endif
@@ -25578,7 +25578,7 @@ index 25ecd56..e12482f 100644
}
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
-index 4e3d5a9..03fffd8 100644
+index 03189d8..4705700 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -120,9 +120,12 @@ __synthesize_relative_insn(void *from, void *to, u8 op)
@@ -25619,17 +25619,17 @@ index 4e3d5a9..03fffd8 100644
}
/*
-@@ -364,7 +367,9 @@ int __copy_instruction(u8 *dest, u8 *src)
+@@ -367,7 +370,9 @@ int __copy_instruction(u8 *dest, u8 *src)
/* Another subsystem puts a breakpoint, failed to recover */
if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
return 0;
+ pax_open_kernel();
- memcpy(dest, insn.kaddr, insn.length);
+ memcpy(dest, insn.kaddr, length);
+ pax_close_kernel();
#ifdef CONFIG_X86_64
if (insn_rip_relative(&insn)) {
-@@ -391,7 +396,9 @@ int __copy_instruction(u8 *dest, u8 *src)
+@@ -394,7 +399,9 @@ int __copy_instruction(u8 *dest, u8 *src)
return 0;
}
disp = (u8 *) dest + insn_offset_displacement(&insn);
@@ -25638,8 +25638,8 @@ index 4e3d5a9..03fffd8 100644
+ pax_close_kernel();
}
#endif
- return insn.length;
-@@ -533,7 +540,7 @@ static void setup_singlestep(struct kprobe *p, struct
pt_regs *regs,
+ return length;
+@@ -536,7 +543,7 @@ static void setup_singlestep(struct kprobe *p, struct
pt_regs *regs,
* nor set current_kprobe, because it doesn't use single
* stepping.
*/
@@ -25648,7 +25648,7 @@ index 4e3d5a9..03fffd8 100644
preempt_enable_no_resched();
return;
}
-@@ -550,9 +557,9 @@ static void setup_singlestep(struct kprobe *p, struct
pt_regs *regs,
+@@ -553,9 +560,9 @@ static void setup_singlestep(struct kprobe *p, struct
pt_regs *regs,
regs->flags &= ~X86_EFLAGS_IF;
/* single step inline if the instruction is an int3 */
if (p->opcode == BREAKPOINT_INSTRUCTION)
@@ -25660,7 +25660,7 @@ index 4e3d5a9..03fffd8 100644
}
NOKPROBE_SYMBOL(setup_singlestep);
-@@ -602,7 +609,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
+@@ -605,7 +612,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
struct kprobe *p;
struct kprobe_ctlblk *kcb;
@@ -25669,7 +25669,7 @@ index 4e3d5a9..03fffd8 100644
return 0;
addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
-@@ -637,7 +644,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
+@@ -640,7 +647,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
setup_singlestep(p, regs, kcb, 0);
return 1;
}
@@ -25678,7 +25678,7 @@ index 4e3d5a9..03fffd8 100644
/*
* The breakpoint instruction was removed right
* after we hit it. Another cpu has removed
-@@ -684,6 +691,9 @@ static void __used kretprobe_trampoline_holder(void)
+@@ -687,6 +694,9 @@ static void __used kretprobe_trampoline_holder(void)
" movq %rax, 152(%rsp)\n"
RESTORE_REGS_STRING
" popfq\n"
@@ -25688,7 +25688,7 @@ index 4e3d5a9..03fffd8 100644
#else
" pushf\n"
SAVE_REGS_STRING
-@@ -824,7 +834,7 @@ static void resume_execution(struct kprobe *p, struct
pt_regs *regs,
+@@ -827,7 +837,7 @@ static void resume_execution(struct kprobe *p, struct
pt_regs *regs,
struct kprobe_ctlblk *kcb)
{
unsigned long *tos = stack_addr(regs);
@@ -25697,7 +25697,7 @@ index 4e3d5a9..03fffd8 100644
unsigned long orig_ip = (unsigned long)p->addr;
kprobe_opcode_t *insn = p->ainsn.insn;
-@@ -1007,7 +1017,7 @@ int kprobe_exceptions_notify(struct notifier_block
*self, unsigned long val,
+@@ -1010,7 +1020,7 @@ int kprobe_exceptions_notify(struct notifier_block
*self, unsigned long val,
struct die_args *args = data;
int ret = NOTIFY_DONE;
@@ -25789,7 +25789,7 @@ index c2bedae..25e7ab60 100644
.name = "data",
.mode = S_IRUGO,
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index c37886d..d851d32 100644
+index c37886d..3f425e3 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int
reload)
@@ -25831,7 +25831,7 @@ index c37886d..d851d32 100644
+ mm->context.user_cs_limit = ~0UL;
+
+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
-+ cpus_clear(mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
+#endif
+
+#endif
@@ -28771,7 +28771,7 @@ index 106c015..2db7161 100644
0, 0, 0, /* CR3 checked later */
CR4_RESERVED_BITS,
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
-index 4ee827d..83c8e31 100644
+index 3cb2b58..83c8e31 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -56,7 +56,7 @@
@@ -28783,72 +28783,6 @@ index 4ee827d..83c8e31 100644
#define APIC_LVT_NUM 6
/* 14 is the version for Xeon and Pentium 8.4.8*/
-@@ -1064,6 +1064,17 @@ static void update_divide_count(struct kvm_lapic *apic)
- apic->divide_count);
- }
-
-+static void apic_update_lvtt(struct kvm_lapic *apic)
-+{
-+ u32 timer_mode = kvm_apic_get_reg(apic, APIC_LVTT) &
-+ apic->lapic_timer.timer_mode_mask;
-+
-+ if (apic->lapic_timer.timer_mode != timer_mode) {
-+ apic->lapic_timer.timer_mode = timer_mode;
-+ hrtimer_cancel(&apic->lapic_timer.timer);
-+ }
-+}
-+
- static void apic_timer_expired(struct kvm_lapic *apic)
- {
- struct kvm_vcpu *vcpu = apic->vcpu;
-@@ -1272,6 +1283,7 @@ static int apic_reg_write(struct kvm_lapic *apic, u32
reg, u32 val)
- apic_set_reg(apic, APIC_LVTT + 0x10 * i,
- lvt_val | APIC_LVT_MASKED);
- }
-+ apic_update_lvtt(apic);
- atomic_set(&apic->lapic_timer.pending, 0);
-
- }
-@@ -1304,20 +1316,13 @@ static int apic_reg_write(struct kvm_lapic *apic, u32
reg, u32 val)
-
- break;
-
-- case APIC_LVTT: {
-- u32 timer_mode = val & apic->lapic_timer.timer_mode_mask;
--
-- if (apic->lapic_timer.timer_mode != timer_mode) {
-- apic->lapic_timer.timer_mode = timer_mode;
-- hrtimer_cancel(&apic->lapic_timer.timer);
-- }
--
-+ case APIC_LVTT:
- if (!kvm_apic_sw_enabled(apic))
- val |= APIC_LVT_MASKED;
- val &= (apic_lvt_mask[0] | apic->lapic_timer.timer_mode_mask);
- apic_set_reg(apic, APIC_LVTT, val);
-+ apic_update_lvtt(apic);
- break;
-- }
-
- case APIC_TMICT:
- if (apic_lvtt_tscdeadline(apic))
-@@ -1552,7 +1557,7 @@ void kvm_lapic_reset(struct kvm_vcpu *vcpu)
-
- for (i = 0; i < APIC_LVT_NUM; i++)
- apic_set_reg(apic, APIC_LVTT + 0x10 * i, APIC_LVT_MASKED);
-- apic->lapic_timer.timer_mode = 0;
-+ apic_update_lvtt(apic);
- apic_set_reg(apic, APIC_LVT0,
- SET_APIC_DELIVERY_MODE(0, APIC_MODE_EXTINT));
-
-@@ -1778,6 +1783,7 @@ void kvm_apic_post_state_restore(struct kvm_vcpu *vcpu,
-
- apic_update_ppr(apic);
- hrtimer_cancel(&apic->lapic_timer.timer);
-+ apic_update_lvtt(apic);
- update_divide_count(apic);
- start_apic_timer(apic);
- apic->irr_pending = true;
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
index 0bc6c65..ca4f92d 100644
--- a/arch/x86/kvm/lapic.h
@@ -31924,7 +31858,7 @@ index 903ec1e..c4166b2 100644
}
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index ede025f..1ef909b 100644
+index ede025f..ecc2d96 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -13,12 +13,19 @@
@@ -32240,7 +32174,7 @@ index ede025f..1ef909b 100644
+ }
+
+#ifdef CONFIG_SMP
-+ if (likely(address > get_limit(regs->cs) &&
cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
++ if (likely(address > get_limit(regs->cs) &&
cpumask_test_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask)))
+#else
+ if (likely(address > get_limit(regs->cs)))
+#endif
@@ -34266,7 +34200,7 @@ index 3250f23..7a97ba2 100644
* functions differently. Tracing normally
diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c
new file mode 100644
-index 0000000..dace51c
+index 0000000..3fda3f3
--- /dev/null
+++ b/arch/x86/mm/uderef_64.c
@@ -0,0 +1,37 @@
@@ -34279,7 +34213,7 @@ index 0000000..dace51c
+ * - remain leaf functions under all configurations,
+ * - never be called directly, only dereferenced from the wrappers.
+ */
-+void __pax_open_userland(void)
++void __used __pax_open_userland(void)
+{
+ unsigned int cpu;
+
@@ -34288,12 +34222,12 @@ index 0000000..dace51c
+
+ cpu = raw_get_cpu();
+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL);
-+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
++ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, user)) | PCID_USER |
PCID_NOFLUSH);
+ raw_put_cpu_no_resched();
+}
+EXPORT_SYMBOL(__pax_open_userland);
+
-+void __pax_close_userland(void)
++void __used __pax_close_userland(void)
+{
+ unsigned int cpu;
+
@@ -34302,7 +34236,7 @@ index 0000000..dace51c
+
+ cpu = raw_get_cpu();
+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER);
-+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
++ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL |
PCID_NOFLUSH);
+ raw_put_cpu_no_resched();
+}
+EXPORT_SYMBOL(__pax_close_userland);
@@ -40248,32 +40182,6 @@ index 832a2c3..1794080 100644
.attrs = cpuidle_default_attrs,
.name = "cpuidle",
};
-diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
-index f347ab7..08b0da2 100644
---- a/drivers/crypto/caam/caamhash.c
-+++ b/drivers/crypto/caam/caamhash.c
-@@ -1543,6 +1543,8 @@ static int ahash_init(struct ahash_request *req)
-
- state->current_buf = 0;
- state->buf_dma = 0;
-+ state->buflen_0 = 0;
-+ state->buflen_1 = 0;
-
- return 0;
- }
-diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
-index ae31e55..a48dc25 100644
---- a/drivers/crypto/caam/caamrng.c
-+++ b/drivers/crypto/caam/caamrng.c
-@@ -56,7 +56,7 @@
-
- /* Buffer, its dma address and lock */
- struct buf_data {
-- u8 buf[RN_BUF_SIZE];
-+ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
- dma_addr_t addr;
- struct completion filled;
- u32 hw_desc[DESC_JOB_O_LEN];
diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c
index 8d2a772..33826c9 100644
--- a/drivers/crypto/hifn_795x.c
@@ -45724,7 +45632,7 @@ index 79f6941..b33b4e0 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 9b4e30a..83c927d 100644
+index beda011..de57372 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -188,9 +188,9 @@ struct mapped_device {
@@ -67579,7 +67487,7 @@ index 8c52472..c4e3a69 100644
#else
diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
-index 1e51714..411eded 100644
+index 1e51714e..411eded 100644
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -309,7 +309,7 @@ try_again:
@@ -68764,7 +68672,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index 1202445..7a6fde9 100644
+index 1202445..620c98e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,8 +56,20 @@
@@ -69568,7 +69476,7 @@ index 1202445..7a6fde9 100644
+EXPORT_SYMBOL(__check_object_size);
+
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
-+void pax_track_stack(void)
++void __used pax_track_stack(void)
+{
+ unsigned long sp = (unsigned long)&sp;
+ if (sp < current_thread_info()->lowest_stack &&
@@ -69581,7 +69489,7 @@ index 1202445..7a6fde9 100644
+#endif
+
+#ifdef CONFIG_PAX_SIZE_OVERFLOW
-+void __nocapture(1, 3, 4) report_size_overflow(const char *file, unsigned int
line, const char *func, const char *ssa_name)
++void __nocapture(1, 3, 4) __used report_size_overflow(const char *file,
unsigned int line, const char *func, const char *ssa_name)
+{
+ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u
%s", func, file, line, ssa_name);
+ dump_stack();
@@ -103116,38 +103024,29 @@ index a9c10a3..1864f6b 100644
/* Add an additional event_call dynamically */
diff --git a/kernel/trace/trace_events_filter.c
b/kernel/trace/trace_events_filter.c
-index ced69da..7f2e97c 100644
+index 7f2e97c..085a257 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
-@@ -1369,19 +1369,26 @@ static int check_preds(struct filter_parse_state *ps)
- {
- int n_normal_preds = 0, n_logical_preds = 0;
- struct postfix_elt *elt;
-+ int cnt = 0;
+@@ -1056,6 +1056,9 @@ static void parse_init(struct filter_parse_state *ps,
- list_for_each_entry(elt, &ps->postfix, list) {
-- if (elt->op == OP_NONE)
-+ if (elt->op == OP_NONE) {
-+ cnt++;
- continue;
-+ }
+ static char infix_next(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return 0;
++
+ ps->infix.cnt--;
- if (elt->op == OP_AND || elt->op == OP_OR) {
- n_logical_preds++;
-+ cnt--;
- continue;
- }
-+ if (elt->op != OP_NOT)
-+ cnt--;
- n_normal_preds++;
-+ WARN_ON_ONCE(cnt < 0);
- }
+ return ps->infix.string[ps->infix.tail++];
+@@ -1071,6 +1074,9 @@ static char infix_peek(struct filter_parse_state *ps)
-- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
-+ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
- parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
- return -EINVAL;
- }
+ static void infix_advance(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return;
++
+ ps->infix.cnt--;
+ ps->infix.tail++;
+ }
diff --git a/kernel/trace/trace_functions_graph.c
b/kernel/trace/trace_functions_graph.c
index b6fce36..d9f11a3 100644
--- a/kernel/trace/trace_functions_graph.c
@@ -107036,7 +106935,7 @@ index 9ec50a3..0476e2d 100644
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
diff --git a/mm/mprotect.c b/mm/mprotect.c
-index 8858483..8145fa5 100644
+index 8858483..72f2464 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -24,10 +24,18 @@
@@ -107085,8 +106984,8 @@ index 8858483..8145fa5 100644
+
+#ifdef CONFIG_SMP
+ wmb();
-+ cpus_clear(mm->context.cpu_user_cs_mask);
-+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
++ cpumask_set_cpu(smp_processor_id(),
&mm->context.cpu_user_cs_mask);
+#endif
+
+ set_user_cs(mm->context.user_cs_base,
mm->context.user_cs_limit, smp_processor_id());
diff --git a/3.14.45/4425_grsec_remove_EI_PAX.patch
b/4.0.7/4425_grsec_remove_EI_PAX.patch
similarity index 100%
rename from 3.14.45/4425_grsec_remove_EI_PAX.patch
rename to 4.0.7/4425_grsec_remove_EI_PAX.patch
diff --git a/4.0.6/4427_force_XATTR_PAX_tmpfs.patch
b/4.0.7/4427_force_XATTR_PAX_tmpfs.patch
similarity index 100%
rename from 4.0.6/4427_force_XATTR_PAX_tmpfs.patch
rename to 4.0.7/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.45/4430_grsec-remove-localversion-grsec.patch
b/4.0.7/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.14.45/4430_grsec-remove-localversion-grsec.patch
rename to 4.0.7/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.0.6/4435_grsec-mute-warnings.patch
b/4.0.7/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 4.0.6/4435_grsec-mute-warnings.patch
rename to 4.0.7/4435_grsec-mute-warnings.patch
diff --git a/3.14.45/4440_grsec-remove-protected-paths.patch
b/4.0.7/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 3.14.45/4440_grsec-remove-protected-paths.patch
rename to 4.0.7/4440_grsec-remove-protected-paths.patch
diff --git a/4.0.6/4450_grsec-kconfig-default-gids.patch
b/4.0.7/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 4.0.6/4450_grsec-kconfig-default-gids.patch
rename to 4.0.7/4450_grsec-kconfig-default-gids.patch
diff --git a/4.0.6/4465_selinux-avc_audit-log-curr_ip.patch
b/4.0.7/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 4.0.6/4465_selinux-avc_audit-log-curr_ip.patch
rename to 4.0.7/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.0.6/4470_disable-compat_vdso.patch
b/4.0.7/4470_disable-compat_vdso.patch
similarity index 100%
rename from 4.0.6/4470_disable-compat_vdso.patch
rename to 4.0.7/4470_disable-compat_vdso.patch
diff --git a/3.14.45/4475_emutramp_default_on.patch
b/4.0.7/4475_emutramp_default_on.patch
similarity index 100%
rename from 3.14.45/4475_emutramp_default_on.patch
rename to 4.0.7/4475_emutramp_default_on.patch
