main/linux-grsec: upgrade to grsecurity-2.2.2-3.0.3-201108251825

2 files changed, 263 insertions, 151 deletions

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 985985988d..60813e21fe 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.0.3
 _kernver=3.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2
         ftp://ftp.kernel.org/pub/linux/kernel/v3.0/patch-$pkgver.bz2
-        grsecurity-2.2.2-3.0.3-201108241901.patch
+        grsecurity-2.2.2-3.0.3-201108251825.patch
         
         0004-arp-flush-arp-cache-on-device-change.patch
 
@@ -138,7 +138,7 @@ dev() {
 
 md5sums="398e95866794def22b12dfbc15ce89c0  linux-3.0.tar.bz2
 1757786b9a9ffbd48ad9642199ff5bd7  patch-3.0.3.bz2
-9709493d471fc64e342345c1bb5b082b  grsecurity-2.2.2-3.0.3-201108241901.patch
+dbf71c02960bdb9e047ed6ccd61e108e  grsecurity-2.2.2-3.0.3-201108251825.patch
 776adeeb5272093574f8836c5037dd7d  0004-arp-flush-arp-cache-on-device-change.patch
 406e62e430cee7ba3bb37be341d9ff3e  kernelconfig.x86
 6957efc9f017c59b05aa0a2e4167255e  kernelconfig.x86_64"
diff --git a/main/linux-grsec/grsecurity-2.2.2-3.0.3-201108241901.patch b/main/linux-grsec/grsecurity-2.2.2-3.0.3-201108251825.patch
index a30bf0fd50..04ec669e61 100644
--- a/main/linux-grsec/grsecurity-2.2.2-3.0.3-201108241901.patch
+++ b/main/linux-grsec/grsecurity-2.2.2-3.0.3-201108251825.patch
@@ -5603,7 +5603,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32_aout.c linux-3.0.3/arch/x86/ia32/ia32_
         has_dumped = 1;
 diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32entry.S
 --- linux-3.0.3/arch/x86/ia32/ia32entry.S       2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/arch/x86/ia32/ia32entry.S       2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/arch/x86/ia32/ia32entry.S       2011-08-25 17:36:37.000000000 -0400
 @@ -13,6 +13,7 @@
  #include <asm/thread_info.h>   
  #include <asm/segment.h>
@@ -5612,7 +5612,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
  #include <linux/linkage.h>
  
  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
-@@ -95,6 +96,32 @@ ENTRY(native_irq_enable_sysexit)
+@@ -95,6 +96,29 @@ ENTRY(native_irq_enable_sysexit)
  ENDPROC(native_irq_enable_sysexit)
  #endif
  
@@ -5631,9 +5631,6 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
 +       call pax_randomize_kstack
 +       popq %rax
 +#endif
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
-+       call pax_erase_kstack
-+#endif
 +       .endm
 +
 +       .macro pax_erase_kstack
@@ -5645,7 +5642,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
  /*
   * 32bit SYSENTER instruction entry.
   *
-@@ -121,7 +148,7 @@ ENTRY(ia32_sysenter_target)
+@@ -121,7 +145,7 @@ ENTRY(ia32_sysenter_target)
         CFI_REGISTER    rsp,rbp
         SWAPGS_UNSAFE_STACK
         movq    PER_CPU_VAR(kernel_stack), %rsp
@@ -5654,7 +5651,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
         /*
          * No need to follow this irqs on/off section: the syscall
          * disabled irqs, here we enable it straight after entry:
-@@ -134,7 +161,8 @@ ENTRY(ia32_sysenter_target)
+@@ -134,7 +158,8 @@ ENTRY(ia32_sysenter_target)
         CFI_REL_OFFSET rsp,0
         pushfq_cfi
         /*CFI_REL_OFFSET rflags,0*/
@@ -5664,7 +5661,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
         CFI_REGISTER rip,r10
         pushq_cfi $__USER32_CS
         /*CFI_REL_OFFSET cs,0*/
-@@ -146,6 +174,12 @@ ENTRY(ia32_sysenter_target)
+@@ -146,6 +171,12 @@ ENTRY(ia32_sysenter_target)
         SAVE_ARGS 0,0,1
         /* no need to do an access_ok check here because rbp has been
            32bit zero extended */ 
@@ -5677,15 +5674,16 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
  1:     movl    (%rbp),%ebp
         .section __ex_table,"a"
         .quad 1b,ia32_badarg
-@@ -168,6 +202,7 @@ sysenter_dispatch:
+@@ -168,6 +199,8 @@ sysenter_dispatch:
         testl   $_TIF_ALLWORK_MASK,TI_flags(%r10)
         jnz     sysexit_audit
  sysexit_from_sys_call:
 +       pax_exit_kernel_user
++       pax_erase_kstack
         andl    $~TS_COMPAT,TI_status(%r10)
         /* clear IF, that popfq doesn't enable interrupts early */
         andl  $~0x200,EFLAGS-R11(%rsp) 
-@@ -194,6 +229,9 @@ sysexit_from_sys_call:
+@@ -194,6 +227,9 @@ sysexit_from_sys_call:
         movl %eax,%esi                  /* 2nd arg: syscall number */
         movl $AUDIT_ARCH_I386,%edi      /* 1st arg: audit arch */
         call audit_syscall_entry
@@ -5695,7 +5693,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
         movl RAX-ARGOFFSET(%rsp),%eax   /* reload syscall number */
         cmpq $(IA32_NR_syscalls-1),%rax
         ja ia32_badsys
-@@ -246,6 +284,9 @@ sysenter_tracesys:
+@@ -246,6 +282,9 @@ sysenter_tracesys:
         movq    $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
         movq    %rsp,%rdi        /* &pt_regs -> arg1 */
         call    syscall_trace_enter
@@ -5705,7 +5703,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
         LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
         RESTORE_REST
         cmpq    $(IA32_NR_syscalls-1),%rax
-@@ -277,19 +318,24 @@ ENDPROC(ia32_sysenter_target)
+@@ -277,19 +316,24 @@ ENDPROC(ia32_sysenter_target)
  ENTRY(ia32_cstar_target)
         CFI_STARTPROC32 simple
         CFI_SIGNAL_FRAME
@@ -5732,7 +5730,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
         movl    %eax,%eax       /* zero extension */
         movq    %rax,ORIG_RAX-ARGOFFSET(%rsp)
         movq    %rcx,RIP-ARGOFFSET(%rsp)
-@@ -305,6 +351,12 @@ ENTRY(ia32_cstar_target)
+@@ -305,6 +349,12 @@ ENTRY(ia32_cstar_target)
         /* no need to do an access_ok check here because r8 has been
            32bit zero extended */ 
         /* hardware stack frame is complete now */      
@@ -5745,15 +5743,16 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
  1:     movl    (%r8),%r9d
         .section __ex_table,"a"
         .quad 1b,ia32_badarg
-@@ -327,6 +379,7 @@ cstar_dispatch:
+@@ -327,6 +377,8 @@ cstar_dispatch:
         testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
         jnz sysretl_audit
  sysretl_from_sys_call:
 +       pax_exit_kernel_user
++       pax_erase_kstack
         andl $~TS_COMPAT,TI_status(%r10)
         RESTORE_ARGS 1,-ARG_SKIP,1,1,1
         movl RIP-ARGOFFSET(%rsp),%ecx
-@@ -364,6 +417,9 @@ cstar_tracesys:
+@@ -364,6 +416,9 @@ cstar_tracesys:
         movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
         movq %rsp,%rdi        /* &pt_regs -> arg1 */
         call syscall_trace_enter
@@ -5763,7 +5762,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
         LOAD_ARGS32 ARGOFFSET, 1  /* reload args from stack in case ptrace changed it */
         RESTORE_REST
         xchgl %ebp,%r9d
-@@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
+@@ -409,6 +464,7 @@ ENTRY(ia32_syscall)
         CFI_REL_OFFSET  rip,RIP-RIP
         PARAVIRT_ADJUST_EXCEPTION_FRAME
         SWAPGS
@@ -5771,7 +5770,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
         /*
          * No need to follow this irqs on/off section: the syscall
          * disabled irqs and here we enable it straight after entry:
-@@ -441,6 +498,9 @@ ia32_tracesys:                       
+@@ -441,6 +497,9 @@ ia32_tracesys:                       
         movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
         movq %rsp,%rdi        /* &pt_regs -> arg1 */
         call syscall_trace_enter
@@ -11740,7 +11739,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_32.S linux-3.0.3/arch/x86/kernel/en
         CFI_ADJUST_CFA_OFFSET -24
 diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/entry_64.S
 --- linux-3.0.3/arch/x86/kernel/entry_64.S      2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/arch/x86/kernel/entry_64.S      2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/arch/x86/kernel/entry_64.S      2011-08-25 17:38:59.000000000 -0400
 @@ -53,6 +53,7 @@
  #include <asm/paravirt.h>
  #include <asm/ftrace.h>
@@ -11749,7 +11748,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
  
  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
  #include <linux/elf-em.h>
-@@ -176,6 +177,259 @@ ENTRY(native_usergs_sysret64)
+@@ -176,6 +177,262 @@ ENTRY(native_usergs_sysret64)
  ENDPROC(native_usergs_sysret64)
  #endif /* CONFIG_PARAVIRT */
  
@@ -11846,9 +11845,6 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
 +       call pax_randomize_kstack
 +       pop %rax
 +#endif
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
-+       call pax_erase_kstack
-+#endif
 +       .endm
 +
 +#ifdef CONFIG_PAX_MEMORY_UDEREF
@@ -11994,6 +11990,12 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
 +2:     cld
 +       mov %esp, %ecx
 +       sub %edi, %ecx
++
++       cmp $THREAD_SIZE_asm, %rcx
++       jb 3f
++       ud2
++3:
++
 +       shr $3, %ecx
 +       rep stosq
 +
@@ -12009,7 +12011,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
  
  .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
  #ifdef CONFIG_TRACE_IRQFLAGS
-@@ -318,7 +572,7 @@ ENTRY(save_args)
+@@ -318,7 +575,7 @@ ENTRY(save_args)
         leaq -RBP+8(%rsp),%rdi  /* arg1 for handler */
         movq_cfi rbp, 8         /* push %rbp */
         leaq 8(%rsp), %rbp              /* mov %rsp, %ebp */
@@ -12018,7 +12020,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         je 1f
         SWAPGS
         /*
-@@ -409,7 +663,7 @@ ENTRY(ret_from_fork)
+@@ -409,7 +666,7 @@ ENTRY(ret_from_fork)
  
         RESTORE_REST
  
@@ -12027,7 +12029,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         je   int_ret_from_sys_call
  
         testl $_TIF_IA32, TI_flags(%rcx)        # 32-bit compat task needs IRET
-@@ -455,7 +709,7 @@ END(ret_from_fork)
+@@ -455,7 +712,7 @@ END(ret_from_fork)
  ENTRY(system_call)
         CFI_STARTPROC   simple
         CFI_SIGNAL_FRAME
@@ -12036,7 +12038,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         CFI_REGISTER    rip,rcx
         /*CFI_REGISTER  rflags,r11*/
         SWAPGS_UNSAFE_STACK
-@@ -468,12 +722,13 @@ ENTRY(system_call_after_swapgs)
+@@ -468,12 +725,13 @@ ENTRY(system_call_after_swapgs)
  
         movq    %rsp,PER_CPU_VAR(old_rsp)
         movq    PER_CPU_VAR(kernel_stack),%rsp
@@ -12051,15 +12053,16 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         movq  %rax,ORIG_RAX-ARGOFFSET(%rsp)
         movq  %rcx,RIP-ARGOFFSET(%rsp)
         CFI_REL_OFFSET rip,RIP-ARGOFFSET
-@@ -502,6 +757,7 @@ sysret_check:
+@@ -502,6 +760,8 @@ sysret_check:
         andl %edi,%edx
         jnz  sysret_careful
         CFI_REMEMBER_STATE
 +       pax_exit_kernel_user
++       pax_erase_kstack
         /*
          * sysretq will re-enable interrupts:
          */
-@@ -560,6 +816,9 @@ auditsys:
+@@ -560,6 +820,9 @@ auditsys:
         movq %rax,%rsi                  /* 2nd arg: syscall number */
         movl $AUDIT_ARCH_X86_64,%edi    /* 1st arg: audit arch */
         call audit_syscall_entry
@@ -12069,7 +12072,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         LOAD_ARGS 0             /* reload call-clobbered registers */
         jmp system_call_fastpath
  
-@@ -590,6 +849,9 @@ tracesys:
+@@ -590,6 +853,9 @@ tracesys:
         FIXUP_TOP_OF_STACK %rdi
         movq %rsp,%rdi
         call syscall_trace_enter
@@ -12079,7 +12082,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         /*
          * Reload arg registers from stack in case ptrace changed them.
          * We don't reload %rax because syscall_trace_enter() returned
-@@ -611,7 +873,7 @@ tracesys:
+@@ -611,7 +877,7 @@ tracesys:
  GLOBAL(int_ret_from_sys_call)
         DISABLE_INTERRUPTS(CLBR_NONE)
         TRACE_IRQS_OFF
@@ -12088,7 +12091,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         je retint_restore_args
         movl $_TIF_ALLWORK_MASK,%edi
         /* edi: mask to check */
-@@ -793,6 +1055,16 @@ END(interrupt)
+@@ -793,6 +1059,16 @@ END(interrupt)
         CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
         call save_args
         PARTIAL_FRAME 0
@@ -12105,7 +12108,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         call \func
         .endm
  
-@@ -825,7 +1097,7 @@ ret_from_intr:
+@@ -825,7 +1101,7 @@ ret_from_intr:
         CFI_ADJUST_CFA_OFFSET   -8
  exit_intr:
         GET_THREAD_INFO(%rcx)
@@ -12114,11 +12117,12 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         je retint_kernel
  
         /* Interrupt came from user space */
-@@ -847,12 +1119,14 @@ retint_swapgs:           /* return to user-space 
+@@ -847,12 +1123,15 @@ retint_swapgs:           /* return to user-space 
          * The iretq could re-enable interrupts:
          */
         DISABLE_INTERRUPTS(CLBR_ANY)
 +       pax_exit_kernel_user
++       pax_erase_kstack
         TRACE_IRQS_IRETQ
         SWAPGS
         jmp restore_args
@@ -12129,7 +12133,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         /*
          * The iretq could re-enable interrupts:
          */
-@@ -1027,6 +1301,16 @@ ENTRY(\sym)
+@@ -1027,6 +1306,16 @@ ENTRY(\sym)
         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
         call error_entry
         DEFAULT_FRAME 0
@@ -12146,7 +12150,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         movq %rsp,%rdi          /* pt_regs pointer */
         xorl %esi,%esi          /* no error code */
         call \do_sym
-@@ -1044,6 +1328,16 @@ ENTRY(\sym)
+@@ -1044,6 +1333,16 @@ ENTRY(\sym)
         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
         call save_paranoid
         TRACE_IRQS_OFF
@@ -12163,7 +12167,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         movq %rsp,%rdi          /* pt_regs pointer */
         xorl %esi,%esi          /* no error code */
         call \do_sym
-@@ -1052,7 +1346,7 @@ ENTRY(\sym)
+@@ -1052,7 +1351,7 @@ ENTRY(\sym)
  END(\sym)
  .endm
  
@@ -12172,7 +12176,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
  .macro paranoidzeroentry_ist sym do_sym ist
  ENTRY(\sym)
         INTR_FRAME
-@@ -1062,8 +1356,24 @@ ENTRY(\sym)
+@@ -1062,8 +1361,24 @@ ENTRY(\sym)
         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
         call save_paranoid
         TRACE_IRQS_OFF
@@ -12197,7 +12201,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
         call \do_sym
         addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
-@@ -1080,6 +1390,16 @@ ENTRY(\sym)
+@@ -1080,6 +1395,16 @@ ENTRY(\sym)
         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
         call error_entry
         DEFAULT_FRAME 0
@@ -12214,7 +12218,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         movq %rsp,%rdi                  /* pt_regs pointer */
         movq ORIG_RAX(%rsp),%rsi        /* get error code */
         movq $-1,ORIG_RAX(%rsp)         /* no syscall to restart */
-@@ -1099,6 +1419,16 @@ ENTRY(\sym)
+@@ -1099,6 +1424,16 @@ ENTRY(\sym)
         call save_paranoid
         DEFAULT_FRAME 0
         TRACE_IRQS_OFF
@@ -12231,7 +12235,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         movq %rsp,%rdi                  /* pt_regs pointer */
         movq ORIG_RAX(%rsp),%rsi        /* get error code */
         movq $-1,ORIG_RAX(%rsp)         /* no syscall to restart */
-@@ -1361,14 +1691,27 @@ ENTRY(paranoid_exit)
+@@ -1361,14 +1696,27 @@ ENTRY(paranoid_exit)
         TRACE_IRQS_OFF
         testl %ebx,%ebx                         /* swapgs needed? */
         jnz paranoid_restore
@@ -12260,7 +12264,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         TRACE_IRQS_IRETQ 0
         RESTORE_ALL 8
         jmp irq_return
-@@ -1426,7 +1769,7 @@ ENTRY(error_entry)
+@@ -1426,7 +1774,7 @@ ENTRY(error_entry)
         movq_cfi r14, R14+8
         movq_cfi r15, R15+8
         xorl %ebx,%ebx
@@ -12269,7 +12273,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         je error_kernelspace
  error_swapgs:
         SWAPGS
-@@ -1490,6 +1833,16 @@ ENTRY(nmi)
+@@ -1490,6 +1838,16 @@ ENTRY(nmi)
         CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
         call save_paranoid
         DEFAULT_FRAME 0
@@ -12286,7 +12290,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
         /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
         movq %rsp,%rdi
         movq $-1,%rsi
-@@ -1500,11 +1853,25 @@ ENTRY(nmi)
+@@ -1500,11 +1858,25 @@ ENTRY(nmi)
         DISABLE_INTERRUPTS(CLBR_NONE)
         testl %ebx,%ebx                         /* swapgs needed? */
         jnz nmi_restore
@@ -35002,7 +35006,18 @@ diff -urNp linux-3.0.3/fs/ceph/dir.c linux-3.0.3/fs/ceph/dir.c
         struct ceph_mds_reply_info_parsed *rinfo;
 diff -urNp linux-3.0.3/fs/cifs/cifs_debug.c linux-3.0.3/fs/cifs/cifs_debug.c
 --- linux-3.0.3/fs/cifs/cifs_debug.c    2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/fs/cifs/cifs_debug.c    2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.3/fs/cifs/cifs_debug.c    2011-08-25 17:18:05.000000000 -0400
+@@ -265,8 +265,8 @@ static ssize_t cifs_stats_proc_write(str
+ 
+        if (c == '1' || c == 'y' || c == 'Y' || c == '0') {
+ #ifdef CONFIG_CIFS_STATS2
+-               atomic_set(&totBufAllocCount, 0);
+-               atomic_set(&totSmBufAllocCount, 0);
++               atomic_set_unchecked(&totBufAllocCount, 0);
++               atomic_set_unchecked(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
+                spin_lock(&cifs_tcp_ses_lock);
+                list_for_each(tmp1, &cifs_tcp_ses_list) {
 @@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
                                         tcon = list_entry(tmp3,
                                                           struct cifs_tcon,
@@ -35048,6 +35063,17 @@ diff -urNp linux-3.0.3/fs/cifs/cifs_debug.c linux-3.0.3/fs/cifs/cifs_debug.c
                                 }
                         }
                 }
+@@ -327,8 +327,8 @@ static int cifs_stats_proc_show(struct s
+                        smBufAllocCount.counter, cifs_min_small);
+ #ifdef CONFIG_CIFS_STATS2
+        seq_printf(m, "Total Large %d Small %d Allocations\n",
+-                               atomic_read(&totBufAllocCount),
+-                               atomic_read(&totSmBufAllocCount));
++                               atomic_read_unchecked(&totBufAllocCount),
++                               atomic_read_unchecked(&totSmBufAllocCount));
+ #endif /* CONFIG_CIFS_STATS2 */
+ 
+        seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
 @@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
                                 if (tcon->need_reconnect)
                                         seq_puts(m, "\tDISCONNECTED ");
@@ -35110,9 +35136,41 @@ diff -urNp linux-3.0.3/fs/cifs/cifs_debug.c linux-3.0.3/fs/cifs/cifs_debug.c
                         }
                 }
         }
+diff -urNp linux-3.0.3/fs/cifs/cifsfs.c linux-3.0.3/fs/cifs/cifsfs.c
+--- linux-3.0.3/fs/cifs/cifsfs.c        2011-08-23 21:44:40.000000000 -0400
++++ linux-3.0.3/fs/cifs/cifsfs.c        2011-08-25 17:18:05.000000000 -0400
+@@ -994,7 +994,7 @@ cifs_init_request_bufs(void)
+        cifs_req_cachep = kmem_cache_create("cifs_request",
+                                            CIFSMaxBufSize +
+                                            MAX_CIFS_HDR_SIZE, 0,
+-                                           SLAB_HWCACHE_ALIGN, NULL);
++                                           SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
+        if (cifs_req_cachep == NULL)
+                return -ENOMEM;
+ 
+@@ -1021,7 +1021,7 @@ cifs_init_request_bufs(void)
+        efficient to alloc 1 per page off the slab compared to 17K (5page)
+        alloc of large cifs buffers even when page debugging is on */
+        cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
+-                       MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
++                       MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
+                        NULL);
+        if (cifs_sm_req_cachep == NULL) {
+                mempool_destroy(cifs_req_poolp);
+@@ -1106,8 +1106,8 @@ init_cifs(void)
+        atomic_set(&bufAllocCount, 0);
+        atomic_set(&smBufAllocCount, 0);
+ #ifdef CONFIG_CIFS_STATS2
+-       atomic_set(&totBufAllocCount, 0);
+-       atomic_set(&totSmBufAllocCount, 0);
++       atomic_set_unchecked(&totBufAllocCount, 0);
++       atomic_set_unchecked(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
+ 
+        atomic_set(&midCount, 0);
 diff -urNp linux-3.0.3/fs/cifs/cifsglob.h linux-3.0.3/fs/cifs/cifsglob.h
 --- linux-3.0.3/fs/cifs/cifsglob.h      2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/fs/cifs/cifsglob.h      2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.3/fs/cifs/cifsglob.h      2011-08-25 17:18:05.000000000 -0400
 @@ -381,28 +381,28 @@ struct cifs_tcon {
         __u16 Flags;            /* optional support bits */
         enum statusEnum tidStatus;
@@ -35173,6 +35231,17 @@ diff -urNp linux-3.0.3/fs/cifs/cifsglob.h linux-3.0.3/fs/cifs/cifsglob.h
  
  static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
                                             unsigned int bytes)
+@@ -911,8 +911,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
+ /* Various Debug counters */
+ GLOBAL_EXTERN atomic_t bufAllocCount;    /* current number allocated  */
+ #ifdef CONFIG_CIFS_STATS2
+-GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
+-GLOBAL_EXTERN atomic_t totSmBufAllocCount;
++GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
++GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
+ #endif
+ GLOBAL_EXTERN atomic_t smBufAllocCount;
+ GLOBAL_EXTERN atomic_t midCount;
 diff -urNp linux-3.0.3/fs/cifs/link.c linux-3.0.3/fs/cifs/link.c
 --- linux-3.0.3/fs/cifs/link.c  2011-07-21 22:17:23.000000000 -0400
 +++ linux-3.0.3/fs/cifs/link.c  2011-08-23 21:47:56.000000000 -0400
@@ -35185,6 +35254,27 @@ diff -urNp linux-3.0.3/fs/cifs/link.c linux-3.0.3/fs/cifs/link.c
         if (!IS_ERR(p))
                 kfree(p);
  }
+diff -urNp linux-3.0.3/fs/cifs/misc.c linux-3.0.3/fs/cifs/misc.c
+--- linux-3.0.3/fs/cifs/misc.c  2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.3/fs/cifs/misc.c  2011-08-25 17:18:05.000000000 -0400
+@@ -156,7 +156,7 @@ cifs_buf_get(void)
+                memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
+                atomic_inc(&bufAllocCount);
+ #ifdef CONFIG_CIFS_STATS2
+-               atomic_inc(&totBufAllocCount);
++               atomic_inc_unchecked(&totBufAllocCount);
+ #endif /* CONFIG_CIFS_STATS2 */
+        }
+ 
+@@ -191,7 +191,7 @@ cifs_small_buf_get(void)
+        /*      memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
+                atomic_inc(&smBufAllocCount);
+ #ifdef CONFIG_CIFS_STATS2
+-               atomic_inc(&totSmBufAllocCount);
++               atomic_inc_unchecked(&totSmBufAllocCount);
+ #endif /* CONFIG_CIFS_STATS2 */
+ 
+        }
 diff -urNp linux-3.0.3/fs/coda/cache.c linux-3.0.3/fs/coda/cache.c
 --- linux-3.0.3/fs/coda/cache.c 2011-07-21 22:17:23.000000000 -0400
 +++ linux-3.0.3/fs/coda/cache.c 2011-08-23 21:47:56.000000000 -0400
@@ -35457,7 +35547,7 @@ diff -urNp linux-3.0.3/fs/ecryptfs/miscdev.c linux-3.0.3/fs/ecryptfs/miscdev.c
                 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
 diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
 --- linux-3.0.3/fs/exec.c       2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/fs/exec.c       2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/fs/exec.c       2011-08-25 17:26:58.000000000 -0400
 @@ -55,12 +55,24 @@
  #include <linux/pipe_fs_i.h>
  #include <linux/oom.h>
@@ -35680,7 +35770,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
                 bprm->unsafe |= LSM_UNSAFE_SHARE;
         } else {
                 res = -EAGAIN;
-@@ -1428,6 +1445,11 @@ static int do_execve_common(const char *
+@@ -1428,11 +1445,35 @@ static int do_execve_common(const char *
                                 struct user_arg_ptr envp,
                                 struct pt_regs *regs)
  {
@@ -35692,7 +35782,31 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
         struct linux_binprm *bprm;
         struct file *file;
         struct files_struct *displaced;
-@@ -1464,6 +1486,23 @@ static int do_execve_common(const char *
+        bool clear_in_exec;
+        int retval;
++       const struct cred *cred = current_cred();
++
++       gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
++
++       /*
++        * We move the actual failure in case of RLIMIT_NPROC excess from
++        * set*uid() to execve() because too many poorly written programs
++        * don't check setuid() return code.  Here we additionally recheck
++        * whether NPROC limit is still exceeded.
++        */
++       if ((current->flags & PF_NPROC_EXCEEDED) &&
++           atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) {
++               retval = -EAGAIN;
++               goto out_ret;
++       }
++
++       /* We're below the limit (still or again), so we don't want to make
++        * further execve() calls fail. */
++       current->flags &= ~PF_NPROC_EXCEEDED;
+ 
+        retval = unshare_files(&displaced);
+        if (retval)
+@@ -1464,6 +1505,16 @@ static int do_execve_common(const char *
         bprm->filename = filename;
         bprm->interp = filename;
  
@@ -35701,13 +35815,6 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
 +               goto out_file;
 +       }
 +
-+       gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
-+
-+       if (gr_handle_nproc()) {
-+               retval = -EAGAIN;
-+               goto out_file;
-+       }
-+
 +       if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
 +               retval = -EACCES;
 +               goto out_file;
@@ -35716,7 +35823,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
         retval = bprm_mm_init(bprm);
         if (retval)
                 goto out_file;
-@@ -1493,9 +1532,40 @@ static int do_execve_common(const char *
+@@ -1493,9 +1544,40 @@ static int do_execve_common(const char *
         if (retval < 0)
                 goto out;
  
@@ -35758,7 +35865,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
  
         /* execve succeeded */
         current->fs->in_exec = 0;
-@@ -1506,6 +1576,14 @@ static int do_execve_common(const char *
+@@ -1506,6 +1588,14 @@ static int do_execve_common(const char *
                 put_files_struct(displaced);
         return retval;
  
@@ -35773,7 +35880,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
  out:
         if (bprm->mm) {
                 acct_arg_size(bprm, 0);
-@@ -1579,7 +1657,7 @@ static int expand_corename(struct core_n
+@@ -1579,7 +1669,7 @@ static int expand_corename(struct core_n
  {
         char *old_corename = cn->corename;
  
@@ -35782,7 +35889,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
         cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
  
         if (!cn->corename) {
-@@ -1667,7 +1745,7 @@ static int format_corename(struct core_n
+@@ -1667,7 +1757,7 @@ static int format_corename(struct core_n
         int pid_in_pattern = 0;
         int err = 0;
  
@@ -35791,7 +35898,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
         cn->corename = kmalloc(cn->size, GFP_KERNEL);
         cn->used = 0;
  
-@@ -1758,6 +1836,219 @@ out:
+@@ -1758,6 +1848,219 @@ out:
         return ispipe;
  }
  
@@ -36011,7 +36118,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
  static int zap_process(struct task_struct *start, int exit_code)
  {
         struct task_struct *t;
-@@ -1969,17 +2260,17 @@ static void wait_for_dump_helpers(struct
+@@ -1969,17 +2272,17 @@ static void wait_for_dump_helpers(struct
         pipe = file->f_path.dentry->d_inode->i_pipe;
  
         pipe_lock(pipe);
@@ -36034,7 +36141,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
         pipe_unlock(pipe);
  
  }
-@@ -2040,7 +2331,7 @@ void do_coredump(long signr, int exit_co
+@@ -2040,7 +2343,7 @@ void do_coredump(long signr, int exit_co
         int retval = 0;
         int flag = 0;
         int ispipe;
@@ -36043,7 +36150,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
         struct coredump_params cprm = {
                 .signr = signr,
                 .regs = regs,
-@@ -2055,6 +2346,9 @@ void do_coredump(long signr, int exit_co
+@@ -2055,6 +2358,9 @@ void do_coredump(long signr, int exit_co
  
         audit_core_dumps(signr);
  
@@ -36053,7 +36160,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
         binfmt = mm->binfmt;
         if (!binfmt || !binfmt->core_dump)
                 goto fail;
-@@ -2095,6 +2389,8 @@ void do_coredump(long signr, int exit_co
+@@ -2095,6 +2401,8 @@ void do_coredump(long signr, int exit_co
                 goto fail_corename;
         }
  
@@ -36062,7 +36169,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
         if (ispipe) {
                 int dump_count;
                 char **helper_argv;
-@@ -2122,7 +2418,7 @@ void do_coredump(long signr, int exit_co
+@@ -2122,7 +2430,7 @@ void do_coredump(long signr, int exit_co
                 }
                 cprm.limit = RLIM_INFINITY;
  
@@ -36071,7 +36178,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
                 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
                         printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
                                task_tgid_vnr(current), current->comm);
-@@ -2192,7 +2488,7 @@ close_fail:
+@@ -2192,7 +2500,7 @@ close_fail:
                 filp_close(cprm.file, NULL);
  fail_dropcount:
         if (ispipe)
@@ -47792,8 +47899,8 @@ diff -urNp linux-3.0.3/grsecurity/grsec_disabled.c linux-3.0.3/grsecurity/grsec_
 +#endif
 diff -urNp linux-3.0.3/grsecurity/grsec_exec.c linux-3.0.3/grsecurity/grsec_exec.c
 --- linux-3.0.3/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/grsecurity/grsec_exec.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,87 @@
++++ linux-3.0.3/grsecurity/grsec_exec.c 2011-08-25 17:25:59.000000000 -0400
+@@ -0,0 +1,72 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/file.h>
@@ -47812,21 +47919,6 @@ diff -urNp linux-3.0.3/grsecurity/grsec_exec.c linux-3.0.3/grsecurity/grsec_exec
 +static DEFINE_MUTEX(gr_exec_arg_mutex);
 +#endif
 +
-+int
-+gr_handle_nproc(void)
-+{
-+#ifdef CONFIG_GRKERNSEC_EXECVE
-+       const struct cred *cred = current_cred();
-+       if (grsec_enable_execve && cred->user &&
-+           (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
-+           !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
-+               gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
-+               return -EAGAIN;
-+       }
-+#endif
-+       return 0;
-+}
-+
 +extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
 +
 +void
@@ -47938,8 +48030,8 @@ diff -urNp linux-3.0.3/grsecurity/grsec_fork.c linux-3.0.3/grsecurity/grsec_fork
 +}
 diff -urNp linux-3.0.3/grsecurity/grsec_init.c linux-3.0.3/grsecurity/grsec_init.c
 --- linux-3.0.3/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/grsecurity/grsec_init.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,273 @@
++++ linux-3.0.3/grsecurity/grsec_init.c 2011-08-25 17:25:12.000000000 -0400
+@@ -0,0 +1,269 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -47954,7 +48046,6 @@ diff -urNp linux-3.0.3/grsecurity/grsec_init.c linux-3.0.3/grsecurity/grsec_init
 +int grsec_enable_dmesg;
 +int grsec_enable_harden_ptrace;
 +int grsec_enable_fifo;
-+int grsec_enable_execve;
 +int grsec_enable_execlog;
 +int grsec_enable_signal;
 +int grsec_enable_forkfail;
@@ -48127,9 +48218,6 @@ diff -urNp linux-3.0.3/grsecurity/grsec_init.c linux-3.0.3/grsecurity/grsec_init
 +#ifdef CONFIG_GRKERNSEC_FIFO
 +       grsec_enable_fifo = 1;
 +#endif
-+#ifdef CONFIG_GRKERNSEC_EXECVE
-+       grsec_enable_execve = 1;
-+#endif
 +#ifdef CONFIG_GRKERNSEC_EXECLOG
 +       grsec_enable_execlog = 1;
 +#endif
@@ -49195,8 +49283,8 @@ diff -urNp linux-3.0.3/grsecurity/grsec_sock.c linux-3.0.3/grsecurity/grsec_sock
 +}
 diff -urNp linux-3.0.3/grsecurity/grsec_sysctl.c linux-3.0.3/grsecurity/grsec_sysctl.c
 --- linux-3.0.3/grsecurity/grsec_sysctl.c       1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/grsecurity/grsec_sysctl.c       2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,442 @@
++++ linux-3.0.3/grsecurity/grsec_sysctl.c       2011-08-25 17:26:15.000000000 -0400
+@@ -0,0 +1,433 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/sysctl.h>
@@ -49260,15 +49348,6 @@ diff -urNp linux-3.0.3/grsecurity/grsec_sysctl.c linux-3.0.3/grsecurity/grsec_sy
 +               .proc_handler   = &proc_dointvec,
 +       },
 +#endif
-+#ifdef CONFIG_GRKERNSEC_EXECVE
-+       {
-+               .procname       = "execve_limiting",
-+               .data           = &grsec_enable_execve,
-+               .maxlen         = sizeof(int),
-+               .mode           = 0600,
-+               .proc_handler   = &proc_dointvec,
-+       },
-+#endif
 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
 +       {
 +               .procname       = "ip_blackhole",
@@ -49769,8 +49848,8 @@ diff -urNp linux-3.0.3/grsecurity/grsum.c linux-3.0.3/grsecurity/grsum.c
 +}
 diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
 --- linux-3.0.3/grsecurity/Kconfig      1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/grsecurity/Kconfig      2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,1050 @@
++++ linux-3.0.3/grsecurity/Kconfig      2011-08-25 17:25:34.000000000 -0400
+@@ -0,0 +1,1038 @@
 +#
 +# grecurity configuration
 +#
@@ -49797,7 +49876,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
 +       bool "Low"
 +       select GRKERNSEC_LINK
 +       select GRKERNSEC_FIFO
-+       select GRKERNSEC_EXECVE
 +       select GRKERNSEC_RANDNET
 +       select GRKERNSEC_DMESG
 +       select GRKERNSEC_CHROOT
@@ -49814,7 +49892,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
 +
 +         - Linking restrictions
 +         - FIFO restrictions
-+         - Enforcing RLIMIT_NPROC on execve
 +         - Restricted dmesg
 +         - Enforced chdir("/") on chroot
 +         - Runtime module disabling
@@ -49830,7 +49907,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
 +       select GRKERNSEC_CHROOT_SYSCTL
 +       select GRKERNSEC_LINK
 +       select GRKERNSEC_FIFO
-+       select GRKERNSEC_EXECVE
 +       select GRKERNSEC_DMESG
 +       select GRKERNSEC_RANDNET
 +       select GRKERNSEC_FORKFAIL
@@ -49880,7 +49956,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
 +       bool "High"
 +       select GRKERNSEC_LINK
 +       select GRKERNSEC_FIFO
-+       select GRKERNSEC_EXECVE
 +       select GRKERNSEC_DMESG
 +       select GRKERNSEC_FORKFAIL
 +       select GRKERNSEC_TIME
@@ -50548,14 +50623,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
 +menu "Executable Protections"
 +depends on GRKERNSEC
 +
-+config GRKERNSEC_EXECVE
-+       bool "Enforce RLIMIT_NPROC on execs"
-+       help
-+         If you say Y here, users with a resource limit on processes will
-+         have the value checked during execve() calls.  The current system
-+         only checks the system limit during fork() calls.  If the sysctl option
-+         is enabled, a sysctl option with name "execve_limiting" is created.
-+
 +config GRKERNSEC_DMESG
 +       bool "Dmesg(8) restriction"
 +       help
@@ -52631,8 +52698,8 @@ diff -urNp linux-3.0.3/include/linux/grinternal.h linux-3.0.3/include/linux/grin
 +#endif
 diff -urNp linux-3.0.3/include/linux/grmsg.h linux-3.0.3/include/linux/grmsg.h
 --- linux-3.0.3/include/linux/grmsg.h   1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/include/linux/grmsg.h   2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,108 @@
++++ linux-3.0.3/include/linux/grmsg.h   2011-08-25 17:27:26.000000000 -0400
+@@ -0,0 +1,107 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -52666,7 +52733,6 @@ diff -urNp linux-3.0.3/include/linux/grmsg.h linux-3.0.3/include/linux/grmsg.h
 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
-+#define GR_NPROC_MSG "denied overstep of process limit by "
 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
@@ -52743,8 +52809,8 @@ diff -urNp linux-3.0.3/include/linux/grmsg.h linux-3.0.3/include/linux/grmsg.h
 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
 diff -urNp linux-3.0.3/include/linux/grsecurity.h linux-3.0.3/include/linux/grsecurity.h
 --- linux-3.0.3/include/linux/grsecurity.h      1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/include/linux/grsecurity.h      2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,228 @@
++++ linux-3.0.3/include/linux/grsecurity.h      2011-08-25 17:27:36.000000000 -0400
+@@ -0,0 +1,227 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -52822,7 +52888,6 @@ diff -urNp linux-3.0.3/include/linux/grsecurity.h linux-3.0.3/include/linux/grse
 +int gr_handle_chroot_unix(const pid_t pid);
 +
 +int gr_handle_rawio(const struct inode *inode);
-+int gr_handle_nproc(void);
 +
 +void gr_handle_ioperm(void);
 +void gr_handle_iopl(void);
@@ -53970,7 +54035,7 @@ diff -urNp linux-3.0.3/include/linux/rmap.h linux-3.0.3/include/linux/rmap.h
  static inline void anon_vma_merge(struct vm_area_struct *vma,
 diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
 --- linux-3.0.3/include/linux/sched.h   2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/include/linux/sched.h   2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/include/linux/sched.h   2011-08-25 17:22:27.000000000 -0400
 @@ -100,6 +100,7 @@ struct bio_list;
  struct fs_struct;
  struct perf_event_context;
@@ -54157,7 +54222,15 @@ diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
  /* Future-safe accessor for struct task_struct's cpus_allowed. */
  #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
  
-@@ -2056,7 +2148,9 @@ void yield(void);
+@@ -1768,6 +1860,7 @@ extern void thread_group_times(struct ta
+ #define PF_DUMPCORE    0x00000200      /* dumped core */
+ #define PF_SIGNALED    0x00000400      /* killed by a signal */
+ #define PF_MEMALLOC    0x00000800      /* Allocating memory */
++#define PF_NPROC_EXCEEDED 0x00001000   /* set_user noticed that RLIMIT_NPROC was exceeded */
+ #define PF_USED_MATH   0x00002000      /* if unset the fpu must be initialized before use */
+ #define PF_FREEZING    0x00004000      /* freeze in progress. do not account to load */
+ #define PF_NOFREEZE    0x00008000      /* this thread should not be frozen */
+@@ -2056,7 +2149,9 @@ void yield(void);
  extern struct exec_domain      default_exec_domain;
  
  union thread_union {
@@ -54167,7 +54240,7 @@ diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
         unsigned long stack[THREAD_SIZE/sizeof(long)];
  };
  
-@@ -2089,6 +2183,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2089,6 +2184,7 @@ extern struct pid_namespace init_pid_ns;
   */
  
  extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -54175,7 +54248,7 @@ diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
  extern struct task_struct *find_task_by_pid_ns(pid_t nr,
                 struct pid_namespace *ns);
  
-@@ -2225,7 +2320,7 @@ extern void __cleanup_sighand(struct sig
+@@ -2225,7 +2321,7 @@ extern void __cleanup_sighand(struct sig
  extern void exit_itimers(struct signal_struct *);
  extern void flush_itimer_signals(void);
  
@@ -54184,7 +54257,7 @@ diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
  
  extern void daemonize(const char *, ...);
  extern int allow_signal(int);
-@@ -2393,13 +2488,17 @@ static inline unsigned long *end_of_stac
+@@ -2393,13 +2489,17 @@ static inline unsigned long *end_of_stac
  
  #endif
  
@@ -56173,7 +56246,7 @@ diff -urNp linux-3.0.3/kernel/configs.c linux-3.0.3/kernel/configs.c
  
 diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
 --- linux-3.0.3/kernel/cred.c   2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/kernel/cred.c   2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/kernel/cred.c   2011-08-25 17:23:03.000000000 -0400
 @@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
   */
  void __put_cred(struct cred *cred)
@@ -56255,7 +56328,20 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
         /* dumpability changes */
         if (old->euid != new->euid ||
             old->egid != new->egid ||
-@@ -551,6 +569,8 @@ EXPORT_SYMBOL(commit_creds);
+@@ -508,10 +526,8 @@ int commit_creds(struct cred *new)
+                key_fsgid_changed(task);
+ 
+        /* do it
+-        * - What if a process setreuid()'s and this brings the
+-        *   new uid over his NPROC rlimit?  We can check this now
+-        *   cheaply with the new uid cache, so if it matters
+-        *   we should be checking for it.  -DaveM
++        * RLIMIT_NPROC limits on user->processes have already been checked
++        * in set_user().
+         */
+        alter_cred_subscribers(new, 2);
+        if (new->user != old->user)
+@@ -551,6 +567,8 @@ EXPORT_SYMBOL(commit_creds);
   */
  void abort_creds(struct cred *new)
  {
@@ -56264,7 +56350,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
         kdebug("abort_creds(%p{%d,%d})", new,
                atomic_read(&new->usage),
                read_cred_subscribers(new));
-@@ -574,6 +594,8 @@ const struct cred *override_creds(const 
+@@ -574,6 +592,8 @@ const struct cred *override_creds(const 
  {
         const struct cred *old = current->cred;
  
@@ -56273,7 +56359,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
         kdebug("override_creds(%p{%d,%d})", new,
                atomic_read(&new->usage),
                read_cred_subscribers(new));
-@@ -603,6 +625,8 @@ void revert_creds(const struct cred *old
+@@ -603,6 +623,8 @@ void revert_creds(const struct cred *old
  {
         const struct cred *override = current->cred;
  
@@ -56282,7 +56368,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
         kdebug("revert_creds(%p{%d,%d})", old,
                atomic_read(&old->usage),
                read_cred_subscribers(old));
-@@ -649,6 +673,8 @@ struct cred *prepare_kernel_cred(struct 
+@@ -649,6 +671,8 @@ struct cred *prepare_kernel_cred(struct 
         const struct cred *old;
         struct cred *new;
  
@@ -56291,7 +56377,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
         if (!new)
                 return NULL;
-@@ -703,6 +729,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
+@@ -703,6 +727,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
   */
  int set_security_override(struct cred *new, u32 secid)
  {
@@ -56300,7 +56386,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
         return security_kernel_act_as(new, secid);
  }
  EXPORT_SYMBOL(set_security_override);
-@@ -722,6 +750,8 @@ int set_security_override_from_ctx(struc
+@@ -722,6 +748,8 @@ int set_security_override_from_ctx(struc
         u32 secid;
         int ret;
  
@@ -56594,7 +56680,7 @@ diff -urNp linux-3.0.3/kernel/exit.c linux-3.0.3/kernel/exit.c
         if (group_dead)
 diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
 --- linux-3.0.3/kernel/fork.c   2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/kernel/fork.c   2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/kernel/fork.c   2011-08-25 17:23:36.000000000 -0400
 @@ -286,7 +286,7 @@ static struct task_struct *dup_task_stru
         *stackend = STACK_END_MAGIC;    /* for overflow detection */
  
@@ -56827,7 +56913,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
         return 0;
  }
  
-@@ -1104,10 +1142,13 @@ static struct task_struct *copy_process(
+@@ -1104,12 +1142,16 @@ static struct task_struct *copy_process(
         DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
  #endif
         retval = -EAGAIN;
@@ -56842,8 +56928,11 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
 +                   !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
                         goto bad_fork_free;
         }
++       current->flags &= ~PF_NPROC_EXCEEDED;
  
-@@ -1250,6 +1291,8 @@ static struct task_struct *copy_process(
+        retval = copy_creds(p, clone_flags);
+        if (retval < 0)
+@@ -1250,6 +1292,8 @@ static struct task_struct *copy_process(
         if (clone_flags & CLONE_THREAD)
                 p->tgid = current->tgid;
  
@@ -56852,7 +56941,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
         p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
         /*
          * Clear TID on mm_release()?
-@@ -1414,6 +1457,8 @@ bad_fork_cleanup_count:
+@@ -1414,6 +1458,8 @@ bad_fork_cleanup_count:
  bad_fork_free:
         free_task(p);
  fork_out:
@@ -56861,7 +56950,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
         return ERR_PTR(retval);
  }
  
-@@ -1502,6 +1547,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1502,6 +1548,8 @@ long do_fork(unsigned long clone_flags,
                 if (clone_flags & CLONE_PARENT_SETTID)
                         put_user(nr, parent_tidptr);
  
@@ -56870,7 +56959,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
                 if (clone_flags & CLONE_VFORK) {
                         p->vfork_done = &vfork;
                         init_completion(&vfork);
-@@ -1610,7 +1657,7 @@ static int unshare_fs(unsigned long unsh
+@@ -1610,7 +1658,7 @@ static int unshare_fs(unsigned long unsh
                 return 0;
  
         /* don't need lock here; in the worst case we'll do useless copy */
@@ -56879,7 +56968,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
                 return 0;
  
         *new_fsp = copy_fs_struct(fs);
-@@ -1697,7 +1744,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, 
+@@ -1697,7 +1745,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, 
                         fs = current->fs;
                         spin_lock(&fs->lock);
                         current->fs = new_fs;
@@ -59381,7 +59470,7 @@ diff -urNp linux-3.0.3/kernel/softirq.c linux-3.0.3/kernel/softirq.c
  
 diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
 --- linux-3.0.3/kernel/sys.c    2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/kernel/sys.c    2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/kernel/sys.c    2011-08-25 17:24:58.000000000 -0400
 @@ -154,6 +154,12 @@ static int set_one_prio(struct task_stru
                 error = -EACCES;
                 goto out;
@@ -59416,7 +59505,30 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
         if (nsown_capable(CAP_SETGID))
                 new->gid = new->egid = new->sgid = new->fsgid = gid;
         else if (gid == old->gid || gid == old->sgid)
-@@ -646,6 +659,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
+@@ -591,11 +604,18 @@ static int set_user(struct cred *new)
+        if (!new_user)
+                return -EAGAIN;
+ 
++       /*
++        * We don't fail in case of NPROC limit excess here because too many
++        * poorly written programs don't check set*uid() return code, assuming
++        * it never fails if called by root.  We may still enforce NPROC limit
++        * for programs doing set*uid()+execve() by harmlessly deferring the
++        * failure to the execve() stage.
++        */
+        if (atomic_read(&new_user->processes) >= rlimit(RLIMIT_NPROC) &&
+-                       new_user != INIT_USER) {
+-               free_uid(new_user);
+-               return -EAGAIN;
+-       }
++                       new_user != INIT_USER)
++               current->flags |= PF_NPROC_EXCEEDED;
++       else
++               current->flags &= ~PF_NPROC_EXCEEDED;
+ 
+        free_uid(new->user);
+        new->user = new_user;
+@@ -646,6 +666,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
                         goto error;
         }
  
@@ -59426,7 +59538,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
         if (new->uid != old->uid) {
                 retval = set_user(new);
                 if (retval < 0)
-@@ -690,6 +706,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
+@@ -690,6 +713,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
         old = current_cred();
  
         retval = -EPERM;
@@ -59439,7 +59551,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
         if (nsown_capable(CAP_SETUID)) {
                 new->suid = new->uid = uid;
                 if (uid != old->uid) {
-@@ -744,6 +766,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, 
+@@ -744,6 +773,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, 
                         goto error;
         }
  
@@ -59449,7 +59561,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
         if (ruid != (uid_t) -1) {
                 new->uid = ruid;
                 if (ruid != old->uid) {
-@@ -808,6 +833,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, 
+@@ -808,6 +840,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, 
                         goto error;
         }
  
@@ -59459,7 +59571,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
         if (rgid != (gid_t) -1)
                 new->gid = rgid;
         if (egid != (gid_t) -1)
-@@ -854,6 +882,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
+@@ -854,6 +889,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
         old = current_cred();
         old_fsuid = old->fsuid;
  
@@ -59469,7 +59581,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
         if (uid == old->uid  || uid == old->euid  ||
             uid == old->suid || uid == old->fsuid ||
             nsown_capable(CAP_SETUID)) {
-@@ -864,6 +895,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
+@@ -864,6 +902,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
                 }
         }
  
@@ -59477,7 +59589,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
         abort_creds(new);
         return old_fsuid;
  
-@@ -890,12 +922,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
+@@ -890,12 +929,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
         if (gid == old->gid  || gid == old->egid  ||
             gid == old->sgid || gid == old->fsgid ||
             nsown_capable(CAP_SETGID)) {
@@ -59494,7 +59606,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
         abort_creds(new);
         return old_fsgid;
  
-@@ -1642,7 +1678,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
+@@ -1642,7 +1685,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
                         error = get_dumpable(me->mm);
                         break;
                 case PR_SET_DUMPABLE: