Merge remote branch 'alpine/master'; fixes for build problems.

Conflicts:
	main/abuild/APKBUILD

41 files changed, 745 insertions, 402 deletions

diff --git a/main/abuild/APKBUILD b/main/abuild/APKBUILD
index 8c684d6b93..4ad26188c4 100644
--- a/main/abuild/APKBUILD
+++ b/main/abuild/APKBUILD
@@ -2,13 +2,27 @@
 pkgdesc="Script to build Alpine Packages"
 pkgname=abuild
 pkgver=2.3
-pkgrel=0
+pkgrel=1
 url=http://git.alpinelinux.org/cgit/abuild/
-source="http://git.alpinelinux.org/cgit/abuild/snapshot/abuild-$pkgver.tar.bz2"
-depends="fakeroot file sudo pax-utils apk-tools"
+source="http://git.alpinelinux.org/cgit/abuild/snapshot/abuild-$pkgver.tar.bz2
+        abuild-conflict-message.patch
+        "
+depends="fakeroot file sudo pax-utils openssl apk-tools"
 makedepends="openssl-dev pkgconfig"
 license=GPL-2
 
+prepare() {
+        cd "$srcdir/$pkgname-$pkgver"
+        for i in $source; do
+                case $i in
+                *.patch)
+                        msg "Applying $i"
+                        patch -p1 -i "$srcdir"/$i || return 1
+                        ;;
+                esac
+        done
+}
+
 build() {
         cd "$srcdir/$pkgname-$pkgver"
         make
@@ -19,4 +33,6 @@ package() {
         make install DESTDIR="$pkgdir"
         install -m 644 abuild.conf "$pkgdir"/etc/abuild.conf
 }
-md5sums="7c738e0018202160366b8329ec693502  abuild-2.3.tar.bz2"
+
+md5sums="7c738e0018202160366b8329ec693502  abuild-2.3.tar.bz2
+45ee7aa6e00732a8c36d7740fb8d2aeb  abuild-conflict-message.patch"
diff --git a/main/abuild/abuild-conflict-message.patch b/main/abuild/abuild-conflict-message.patch
new file mode 100644
index 0000000000..b560634adb
--- /dev/null
+++ b/main/abuild/abuild-conflict-message.patch
@@ -0,0 +1,30 @@
+commit c30c346362223658980275d54d5b7911a3a7486c
+Author: Natanael Copa <ncopa@alpinelinux.org>
+Date:   Wed Jun 30 14:59:07 2010 +0000
+
+    abuild: detect and report conflicting dependencies properly
+
+diff --git a/abuild.in b/abuild.in
+index 0c94653..4034a86 100755
+--- a/abuild.in
++++ b/abuild.in
+@@ -841,15 +841,16 @@ builddeps() {
+        # find which deps are missing
+        for i in $deps; do
+                if [ "${i#\!}" != "$i" ]; then
+-                       list_has ${i#\!} $installed_deps \
++                       $APK info -q -e "${i#\!}" \
+                                && conflicts="$conflicts ${i#\!}"
+                elif ! deplist_has $i $installed_deps || [ -n "$upgrade" ]; then
+                        missing="$missing $i"
+                fi
+        done
+-
++       
+        if [ -n "$conflicts" ]; then
+-               die "Conflicting package(s) installed:$conflics"
++               error "Conflicting package(s) installed:$conflicts"
++               return 1
+        fi
+        
+        if [ -z "$install_deps" ] && [ -z "$recursive" ]; then
diff --git a/main/apk-tools/APKBUILD b/main/apk-tools/APKBUILD
index 2c96805b48..90cff68dc2 100644
--- a/main/apk-tools/APKBUILD
+++ b/main/apk-tools/APKBUILD
@@ -1,13 +1,14 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=apk-tools
 pkgver=2.0.5
-pkgrel=0
+pkgrel=1
 pkgdesc="Alpine Package Keeper - package manager for alpine"
 subpackages="$pkgname-static"
 depends=
 makedepends="zlib-dev openssl-dev pkgconfig"
 source="http://git.alpinelinux.org/cgit/$pkgname/snapshot/$pkgname-$pkgver.tar.bz2
         0001-Makefile-do-not-require-lua-pkgconfig-unless-you-int.patch
+        apk-tools-static.patch
         "
 
 url="http://git.alpinelinux.org/cgit/apk-tools/"
@@ -21,6 +22,9 @@ prepare() {
                 *.patch) patch -p1 -i "$srcdir"/$i || return 1
                 esac
         done
+        # the patch includes a symlink
+        rm -f src/apk-static.c
+        ln -s apk.c src/apk-static.c
 }
 
 build() {
@@ -49,4 +53,5 @@ static() {
 }
 
 md5sums="7f9234ab210557b064d7bd9b42833f0a  apk-tools-2.0.5.tar.bz2
-f63d483b724e8e9344ce8cb965d5ed22  0001-Makefile-do-not-require-lua-pkgconfig-unless-you-int.patch"
+f63d483b724e8e9344ce8cb965d5ed22  0001-Makefile-do-not-require-lua-pkgconfig-unless-you-int.patch
+3c1f21719a6c4aba51333cf0d88c5600  apk-tools-static.patch"
diff --git a/main/apk-tools/apk-tools-static.patch b/main/apk-tools/apk-tools-static.patch
new file mode 100644
index 0000000000..c122964b45
--- /dev/null
+++ b/main/apk-tools/apk-tools-static.patch
@@ -0,0 +1,65 @@
+commit dd6008995a8e8509d71ffa906c837e7a320e8a15
+Author: Timo Teräs <timo.teras@iki.fi>
+Date:   Wed Jun 30 16:53:56 2010 +0300
+
+    static build: do not use openssl engines
+    
+    We want minimal static build. And this now also breaks with our openssl
+    since it tries to automatically dlopen some of the engine modules.
+
+diff --git a/.gitignore b/.gitignore
+index f6f9cf6..2b22f52 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,4 +1,5 @@
+ apk
++apk.static
+ *.o
+ *.d
+ *.cmd
+diff --git a/src/Makefile b/src/Makefile
+index bea288e..c9cda6a 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -41,9 +41,10 @@ endif
+ 
+ CFLAGS_ALL             += -D_ATFILE_SOURCE
+ CFLAGS_apk.o           := -DAPK_VERSION=\"$(FULL_VERSION)\"
++CFLAGS_apk-static.o    := -DAPK_VERSION=\"$(FULL_VERSION)\" -DOPENSSL_NO_ENGINE
+ 
+ progs-$(STATIC)                += apk.static
+-apk.static-objs                := $(apk-objs)
++apk.static-objs                := $(filter-out apk.o,$(apk-objs)) apk-static.o
+ LDFLAGS_apk.static     := -static
+ LDFLAGS_apk            += -nopie -L$(obj)
+ 
+diff --git a/src/apk-static.c b/src/apk-static.c
+new file mode 120000
+index 0000000..bf745af
+--- /dev/null
++++ b/src/apk-static.c
+@@ -0,0 +1 @@
++apk.c
+\ No newline at end of file
+diff --git a/src/apk.c b/src/apk.c
+index 81bb950..4196f74 100644
+--- a/src/apk.c
++++ b/src/apk.c
+@@ -12,13 +12,17 @@
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <ctype.h>
++#include <errno.h>
+ #include <stdarg.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <getopt.h>
+ #include <sys/stat.h>
+ 
++#include <openssl/crypto.h>
++#ifndef OPENSSL_NO_ENGINE
+ #include <openssl/engine.h>
++#endif
+ 
+ #include "apk_defines.h"
+ #include "apk_database.h"
diff --git a/main/apr-util/APKBUILD b/main/apr-util/APKBUILD
index 45133a2c29..8730607a5c 100644
--- a/main/apr-util/APKBUILD
+++ b/main/apr-util/APKBUILD
@@ -7,7 +7,7 @@ url="http://apr.apache.org/"
 license="APACHE"
 depends=
 subpackages="$pkgname-dev"
-makedepends="apr-dev expat-dev e2fsprogs-dev"
+makedepends="apr-dev expat-dev e2fsprogs-dev bash"
 source="http://www.apache.org/dist/apr/$pkgname-$pkgver.tar.bz2"
 
 build() {
diff --git a/main/cmake/APKBUILD b/main/cmake/APKBUILD
index bbd1b5885d..64faab3cf5 100644
--- a/main/cmake/APKBUILD
+++ b/main/cmake/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=cmake
-pkgver=2.8.1
-pkgrel=1
+pkgver=2.8.2
+pkgrel=0
 pkgdesc="CMake is a cross-platform open-source make system"
 url="http://www.cmake.org"
 license="CMake"
@@ -42,4 +42,4 @@ package() {
         make DESTDIR="$pkgdir" install
 }
 
-md5sums="a92ad653f9ccc1595d16cd9707f49acc  cmake-2.8.1.tar.gz"
+md5sums="8c967d5264657a798f22ee23976ff0d9  cmake-2.8.2.tar.gz"
diff --git a/main/cracklib/APKBUILD b/main/cracklib/APKBUILD
index f7fda7960c..c82e9038f3 100644
--- a/main/cracklib/APKBUILD
+++ b/main/cracklib/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Michael Mason <ms13sp@gmail.com>
 # Maintainer: Michael Mason <ms13sp@gmail.com>
 pkgname=cracklib
-pkgver=2.8.13
-pkgrel=1
+pkgver=2.8.16
+pkgrel=0
 pkgdesc="A library used to enforce strong passwords"
 url="http://sourceforge.net/projects/cracklib"
 license="GPL"
@@ -11,7 +11,14 @@ makedepends=""
 install=
 subpackages="$pkgname-dev"
 source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
+        cracklib-nls.patch
         "
+
+prepare() {
+        cd "$srcdir"/$pkgname-$pkgver
+        patch -p1 -i "$srcdir"/cracklib-nls.patch
+}
+
 build() {
 
         cd "$srcdir/$pkgname-$pkgver"
@@ -24,8 +31,13 @@ build() {
                 --disable-nls \
                 --with-default-dict
         make -j1 all || return 1
+}
+
+package() {
+        cd "$srcdir/$pkgname-$pkgver"
         make -j1 DESTDIR="$pkgdir" install
 
 }
 
-md5sums="5beb4c6b3c31c83fc98c4c225b25cd94  cracklib-2.8.13.tar.gz"
+md5sums="3bfb22db8fcffd019463ee415a1b25b7  cracklib-2.8.16.tar.gz
+239b1b7b59bee4dee7577aa9df18ba46  cracklib-nls.patch"
diff --git a/main/cracklib/cracklib-nls.patch b/main/cracklib/cracklib-nls.patch
new file mode 100644
index 0000000000..3792b741c4
--- /dev/null
+++ b/main/cracklib/cracklib-nls.patch
@@ -0,0 +1,12 @@
+--- ./util/check.c.orig
++++ ./util/check.c
+@@ -22,7 +22,9 @@
+        int i;
+ 
+        setlocale(LC_ALL, "");
++#if defined(ENABLE_NLS)        
+        textdomain(PACKAGE);
++#endif
+ 
+        while (fgets(buf, sizeof(buf), stdin) != NULL) {
+                while (((i = strlen(buf)) > 0) && (i > 0)) {
diff --git a/main/dialog/APKBUILD b/main/dialog/APKBUILD
index b17527f69a..1035f0d442 100644
--- a/main/dialog/APKBUILD
+++ b/main/dialog/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Michael Mason <ms13sp@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=dialog
-pkgver=1.1.20100119
-_ver=${pkgver%.*}-${pkgver##*.}
+pkgver=1.1.20100428
+_pkgver=1.1-20100428
 pkgrel=1
 pkgdesc="A script-interpreter which provides a set of curses"
 url="http://invisible-island.net/dialog/dialog.html"
@@ -11,10 +11,10 @@ depends=
 makedepends="ncurses-dev"
 install=
 subpackages="$pkgname-doc"
-source="ftp://invisible-island.net/dialog/$pkgname.tar.gz"
+source="ftp://ftp.us.debian.org/debian/pool/main/d/$pkgname/dialog_$_pkgver.orig.tar.gz"
 
 build() {
-        cd "$srcdir/$pkgname-$_ver"
+        cd "$srcdir/$pkgname-$_pkgver"
         ./configure --prefix=/usr \
                 --sysconfdir=/etc \
                 --mandir=/usr/share/man \
@@ -23,8 +23,8 @@ build() {
 }
 
 package() {
-        cd "$srcdir/$pkgname-$_ver"
+        cd "$srcdir/$pkgname-$_pkgver"
         make DESTDIR="$pkgdir" install
 }
 
-md5sums="3d62219658fdddf3c6247fb45831a5d0  dialog.tar.gz"
+md5sums="519c0a0cbac28ddb992111ec2c3f82aa  dialog_1.1-20100428.orig.tar.gz"
diff --git a/main/gcc/APKBUILD b/main/gcc/APKBUILD
index a5fb49a921..da7f662485 100644
--- a/main/gcc/APKBUILD
+++ b/main/gcc/APKBUILD
@@ -6,12 +6,12 @@ _specsver=0.1.7
 _espfver=0.3.6
 _uclibc_abiver=0.9.32
 
-pkgrel=2
+pkgrel=3
 pkgdesc="The GNU Compiler Collection"
 url="http://gcc.gnu.org"
 license="GPL LGPL"
 depends="binutils libgcc libgomp"
-makedepends="bison flex gmp5-dev mpfr-dev texinfo"
+makedepends="bison flex gmp-dev mpfr-dev texinfo"
 subpackages="$pkgname-doc libstdc++:libcxx g++:gpp libgcc libgomp"
 source="ftp://gcc.gnu.org/pub/gcc/releases/gcc-$pkgver/gcc-core-$pkgver.tar.bz2
         ftp://gcc.gnu.org/pub/gcc/releases/gcc-$pkgver/gcc-g++-$pkgver.tar.bz2
@@ -21,6 +21,7 @@ source="ftp://gcc.gnu.org/pub/gcc/releases/gcc-$pkgver/gcc-core-$pkgver.tar.bz2
         pt_gnu_eh_frame.patch
         uclibc-getipinfo.patch
         gcc-dynamic-linker.patch
+        PR32219.patch
         "
 #       ftp://gcc.gnu.org/pub/gcc/releases/gcc-$pkgver/gcc-objc-$pkgver.tar.bz2
 build ()
@@ -133,4 +134,5 @@ d51a6ec3eac1a90e7fc280d976ce7f80  gcc-g++-4.4.4.tar.bz2
 c4045bfa85d8be780affd465be9d8ca8  gcc-spec-env.patch
 2db1e3482c5dd59dab70f701afa2ca80  pt_gnu_eh_frame.patch
 6cc2385c5bbd6d0da6eaedd53c8bf547  uclibc-getipinfo.patch
-6db5c87887beee75cde3cce86625b9ed  gcc-dynamic-linker.patch"
+6db5c87887beee75cde3cce86625b9ed  gcc-dynamic-linker.patch
+6c866c7fb8d56deb8f6d652bee64e228  PR32219.patch"
diff --git a/main/gcc/PR32219.patch b/main/gcc/PR32219.patch
new file mode 100644
index 0000000000..b926e941fc
--- /dev/null
+++ b/main/gcc/PR32219.patch
@@ -0,0 +1,101 @@
+From gcc-patches-return-258497-listarch-gcc-patches=gcc dot gnu dot org at gcc dot gnu dot org Tue Mar 16 13:32:55 2010
+Return-Path: <gcc-patches-return-258497-listarch-gcc-patches=gcc dot gnu dot org at gcc dot gnu dot org>
+Delivered-To: listarch-gcc-patches at gcc dot gnu dot org
+Received: (qmail 25550 invoked by alias); 16 Mar 2010 13:32:54 -0000
+Received: (qmail 25534 invoked by uid 22791); 16 Mar 2010 13:32:53 -0000
+X-SWARE-Spam-Status: No, hits=-1.1 required=5.0         tests=AWL,BAYES_00,SUBJ_ALL_CAPS
+X-Spam-Check-By: sourceware.org
+Received: from mail-bw0-f210.google.com (HELO mail-bw0-f210.google.com) (209.85.218.210)     by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Tue, 16 Mar 2010 13:32:48 +0000
+Received: by bwz2 with SMTP id 2so4002140bwz.30         for <multiple recipients>; Tue, 16 Mar 2010 06:32:45 -0700 (PDT)
+Received: by 10.204.14.84 with SMTP id f20mr2900449bka.209.1268746365293;         Tue, 16 Mar 2010 06:32:45 -0700 (PDT)
+Received: from s42.loc (85-127-85-230.dynamic.xdsl-line.inode.at [85.127.85.230])         by mx.google.com with ESMTPS id 14sm3626793bwz.14.2010.03.16.06.32.43         (version=TLSv1/SSLv3 cipher=RC4-MD5);         Tue, 16 Mar 2010 06:32:44 -0700 (PDT)
+Received: from cow by s42.loc with local (Exim 4.71)    (envelope-from <rep.dot.nop@gmail.com>)         id 1NrX2W-0008Nj-5o; Tue, 16 Mar 2010 14:42:32 +0100
+From: Bernhard Reutner-Fischer <rep dot dot dot nop at gmail dot com>
+To: gcc-patches at gcc dot gnu dot org
+Cc: rguenth at gcc dot gnu dot org,     Bernhard Reutner-Fischer <rep dot dot dot nop at gmail dot com>
+Subject: [PATCH] PR32219
+Date: Tue, 16 Mar 2010 14:42:27 +0100
+Message-Id: <1268746947-32108-1-git-send-email-rep.dot.nop@gmail.com>
+Mailing-List: contact gcc-patches-help at gcc dot gnu dot org; run by ezmlm
+Precedence: bulk
+List-Id: <gcc-patches.gcc.gnu.org>
+List-Archive: <http://gcc.gnu.org/ml/gcc-patches/>
+List-Post: <mailto:gcc-patches at gcc dot gnu dot org>
+List-Help: <mailto:gcc-patches-help at gcc dot gnu dot org>
+Sender: gcc-patches-owner at gcc dot gnu dot org
+Delivered-To: mailing list gcc-patches at gcc dot gnu dot org
+
+Hi,
+
+As suggested by richi.
+regtested on i686-linux-gnu with all default languages and no regressions.
+Ok for trunk?
+
+gcc/ChangeLog
+2010-03-15  Bernhard Reutner-Fischer  <aldot@gcc.gnu.org>
+
+        PR target/32219
+        * varasm.c (default_binds_local_p_1): Weak data is not local.
+
+gcc/testsuite/ChangeLog
+2010-03-15  Bernhard Reutner-Fischer  <aldot@gcc.gnu.org>
+
+        PR target/32219
+        * gcc.dg/visibility-21.c: New test.
+
+Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
+---
+ gcc/testsuite/gcc.dg/visibility-21.c |   14 ++++++++++++++
+ gcc/varasm.c                         |    8 ++++----
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.dg/visibility-21.c
+
+diff --git a/gcc/testsuite/gcc.dg/visibility-21.c b/gcc/testsuite/gcc.dg/visibility-21.c
+new file mode 100644
+index 0000000..be7deda
+--- /dev/null
++++ b/gcc/testsuite/gcc.dg/visibility-21.c
+@@ -0,0 +1,14 @@
++/* PR target/32219 */
++/* { dg-do run } */
++/* { dg-require-visibility "" } */
++/* { dg-options "-fPIC" { target fpic } } */
++
++extern void f() __attribute__((weak,visibility("hidden")));
++extern int puts( char const* );
++int main()
++{
++       if (f)
++               f();
++       return 0;
++}
++
+diff --git a/gcc/varasm.c b/gcc/varasm.c
+index 6b8222f..6b9269a 100644
+--- a/gcc/varasm.c
++++ b/gcc/varasm.c
+@@ -6613,6 +6613,10 @@ default_binds_local_p_1 (const_tree exp, int shlib)
+   /* Static variables are always local.  */
+   else if (! TREE_PUBLIC (exp))
+     local_p = true;
++  /* Weak data can be overridden by a strong symbol
++     in another module and so are not local.  */
++  else if (DECL_WEAK (exp))
++    local_p = false;
+   /* A variable is local if the user has said explicitly that it will
+      be.  */
+   else if (DECL_VISIBILITY_SPECIFIED (exp)
+@@ -6625,10 +6629,6 @@ default_binds_local_p_1 (const_tree exp, int shlib)
+      local.  */
+   else if (DECL_VISIBILITY (exp) != VISIBILITY_DEFAULT)
+     local_p = true;
+-  /* Default visibility weak data can be overridden by a strong symbol
+-     in another module and so are not local.  */
+-  else if (DECL_WEAK (exp))
+-    local_p = false;
+   /* If PIC, then assume that any global name can be overridden by
+      symbols resolved from other modules, unless we are compiling with
+      -fwhole-program, which assumes that names are local.  */
+-- 
+1.7.0
+
diff --git a/main/git/APKBUILD b/main/git/APKBUILD
index f8d9e8bb0d..0e2b7e1ef9 100644
--- a/main/git/APKBUILD
+++ b/main/git/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=git
-pkgver=1.7.1
-pkgrel=2
+pkgver=1.7.1.1
+pkgrel=0
 pkgdesc="GIT - the stupid content tracker"
 url="http://git.or.cz/"
 license="GPL2"
@@ -10,7 +10,6 @@ subpackages="$pkgname-doc $pkgname-perl"
 makedepends="zlib-dev openssl-dev curl-dev expat-dev perl-dev python-dev"
 source="http://kernel.org/pub/software/scm/git/git-$pkgver.tar.bz2
         bb-tar.patch
-        git-do-not-dump-core-when-iconv-fails.patch
         "
 
 _makeopts="NO_ICONV=YesPlease
@@ -21,8 +20,6 @@ _makeopts="NO_ICONV=YesPlease
 build() {
         cd "$srcdir"/$pkgname-$pkgver
         patch -p1 -i "$srcdir"/bb-tar.patch || return 1
-        patch -p1 -i "$srcdir"/git-do-not-dump-core-when-iconv-fails.patch  \
-                || return 1
         make prefix=/usr DESTDIR="$pkgdir" $_makeopts || return 1
 }
 
@@ -45,6 +42,5 @@ perl() {
 }
 
 
-md5sums="3da231dbe82ad103373cb530ae7475d5  git-1.7.1.tar.bz2
-e63a201556c4f089de790805c09a2e5b  bb-tar.patch
-7c660517316261b383a094ef03aad0aa  git-do-not-dump-core-when-iconv-fails.patch"
+md5sums="1b116a3e2ecce46a89e4272abf0de955  git-1.7.1.1.tar.bz2
+e63a201556c4f089de790805c09a2e5b  bb-tar.patch"
diff --git a/main/git/git-do-not-dump-core-when-iconv-fails.patch b/main/git/git-do-not-dump-core-when-iconv-fails.patch
deleted file mode 100644
index b338ee4809..0000000000
--- a/main/git/git-do-not-dump-core-when-iconv-fails.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-commit 43acff34b902c38808ac0f326090f2516250e1f0
-Author: Jonathan Nieder <jrnieder@gmail.com>
-Date:   Sat May 8 18:17:29 2010 -0500
-
-    cherry-pick: do not dump core when iconv fails
-    
-    When cherry-picking, usually the new and old commit encodings are both
-    UTF-8.  Most old iconv implementations do not support this trivial
-    conversion, so on old platforms, out->message remains NULL, and later
-    attempts to read it segfault.
-    
-    Fix this by noticing the input and output encodings match and skipping
-    the iconv step, like the other reencode_string() call sites already do.
-    Also stop segfaulting on other iconv failures: if iconv fails for some
-    other reason, the best we can do is to pass the old message through.
-    
-    This fixes a regression introduced in v1.7.1-rc0~15^2~2 (revert:
-    clarify label on conflict hunks, 2010-03-20).
-    
-    Reported-by: Andreas Krey <a.krey@gmx.de>
-    Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
-    Signed-off-by: Junio C Hamano <gitster@pobox.com>
-
-diff --git a/builtin/revert.c b/builtin/revert.c
-index 778a56e..7d68ef7 100644
---- a/builtin/revert.c
-+++ b/builtin/revert.c
-@@ -109,8 +109,13 @@ static int get_message(const char *raw_message, struct commit_message *out)
-                encoding = "UTF-8";
-        if (!git_commit_encoding)
-                git_commit_encoding = "UTF-8";
--       if ((out->reencoded_message = reencode_string(raw_message,
--                                       git_commit_encoding, encoding)))
-+
-+       out->reencoded_message = NULL;
-+       out->message = raw_message;
-+       if (strcmp(encoding, git_commit_encoding))
-+               out->reencoded_message = reencode_string(raw_message,
-+                                       git_commit_encoding, encoding);
-+       if (out->reencoded_message)
-                out->message = out->reencoded_message;
- 
-        abbrev = find_unique_abbrev(commit->object.sha1, DEFAULT_ABBREV);
diff --git a/main/gmp/APKBUILD b/main/gmp/APKBUILD
deleted file mode 100644
index 36ad708d4b..0000000000
--- a/main/gmp/APKBUILD
+++ /dev/null
@@ -1,39 +0,0 @@
-# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
-pkgname=gmp
-pkgver=4.3.2
-pkgrel=1
-pkgdesc="A free library for arbitrary precision arithmetic"
-url="http://gmplib.org/"
-license="LGPL3"
-makedepends="m4 texinfo"
-depends=
-subpackages="$pkgname-doc $pkgname-dev"
-source="ftp://ftp.gnu.org/gnu/gmp/gmp-$pkgver.tar.bz2
-        gmp-4.1.4-noexecstack.patch
-        "
-
-_builddir="$srcdir"/$pkgname-$pkgver
-build() {
-        cd "$_builddir"
-        patch -p1 < ../gmp-4.1.4-noexecstack.patch || return 1 
-
-        ABI="32" ./configure --prefix=/usr \
-                --build=${CHOST} \
-                --infodir=/usr/share/info \
-                --mandir=/usr/share/man \
-                --localstatedir=/var/state/gmp \
-                --disable-mpfr \
-                --disable-mpbsd \
-                --disable-cxx  \
-                --with-pic \
-                || return 1
-
-        make || return 1
-}
-
-package() {
-        cd "$_builddir"
-        make -j1 DESTDIR="${pkgdir}" install || return 1
-}
-md5sums="dd60683d7057917e34630b4a787932e8  gmp-4.3.2.tar.bz2
-13c34f00e77ded6673270cfea06c35c3  gmp-4.1.4-noexecstack.patch"
diff --git a/main/gmp/gmp-4.1.4-noexecstack.patch b/main/gmp/gmp-4.1.4-noexecstack.patch
deleted file mode 100644
index 093bec1a5d..0000000000
--- a/main/gmp/gmp-4.1.4-noexecstack.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-fixed executable stack
-
-http://bugs.gentoo.org/115038
-
---- gmp-4.1.4/configure
-+++ gmp-4.1.4/configure
-@@ -21689,6 +21689,13 @@
- fi
- echo "')" >> $gmp_configm4
- echo "define(\`__CONFIG_M4_INCLUDED__')" >> $gmp_configm4
-+# Gentoo hack
-+case $host_os in
-+       *linux*)
-+               echo '.section .note.GNU-stack,"",%progbits' >> $gmp_configm4
-+               echo '.previous' >> $gmp_configm4
-+               ;;
-+esac
- 
- # Create Makefiles
- # FIXME: Upcoming version of autoconf/automake may not like broken lines.
diff --git a/main/gmp5/APKBUILD b/main/gmp5/APKBUILD
index c2a4ad6f45..e07bff62c7 100644
--- a/main/gmp5/APKBUILD
+++ b/main/gmp5/APKBUILD
@@ -3,13 +3,13 @@ _name=gmp
 pkgname=${_name}5
 
 pkgver=5.0.1
-pkgrel=0
+pkgrel=1
 pkgdesc="A free library for arbitrary precision arithmetic"
 url="http://gmplib.org/"
 license="LGPL3"
 makedepends="m4 texinfo"
 depends=
-subpackages="$pkgname-doc $pkgname-dev"
+subpackages="$pkgname-doc gmp-dev:dev"
 source="ftp://ftp.gnu.org/gnu/gmp/gmp-$pkgver.tar.bz2
         gmp-4.1.4-noexecstack.patch
         "
@@ -39,7 +39,7 @@ package() {
 }
 
 dev() {
-        replaces="gmp"
+        replaces="gmp gmp5-dev"
         default_dev
 }
 
diff --git a/main/guile/APKBUILD b/main/guile/APKBUILD
index 8850b0f1fa..6283d7e341 100644
--- a/main/guile/APKBUILD
+++ b/main/guile/APKBUILD
@@ -1,12 +1,12 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=guile
 pkgver=1.8.7
-pkgrel=2
+pkgrel=3
 pkgdesc="Guile is a portable, embeddable Scheme implementation written in C"
 url="http://www.gnu.org/software/guile/"
 license="GPL"
 subpackages="$pkgname-dev $pkgname-doc"
-makedepends="gmp5-dev libtool ncurses-dev texinfo"
+makedepends="gmp-dev libtool ncurses-dev texinfo"
 depends=
 install=
 source="ftp://ftp.gnu.org/pub/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
diff --git a/main/iscsitarget-grsec/APKBUILD b/main/iscsitarget-grsec/APKBUILD
index b593044200..184f8701bb 100644
--- a/main/iscsitarget-grsec/APKBUILD
+++ b/main/iscsitarget-grsec/APKBUILD
@@ -27,6 +27,7 @@ subpackages=
 source="http://downloads.sourceforge.net/$_realname/$_realname-$_iscsiver.tar.gz
         iscsitarget-1.4.18+linux-2.6.32.patch
         "
+_ksrc=/usr/src/linux-headers-${_abi_release}
 
 prepare() {
         cd "$srcdir"/$_realname-$_iscsiver
@@ -39,14 +40,12 @@ prepare() {
 build() {
         cd "$srcdir"/$_realname-$_iscsiver
         unset ARCH
-        local ksrc=/usr/src/linux-headers-${_abi_release}
-        make KSRC="$ksrc" kernel || return 1
+        make KSRC="$_ksrc" kernel || return 1
 }
 
 package() {
         cd "$srcdir"/$_realname-$_iscsiver
-        local ksrc=/usr/src/linux-headers-${_abi_release}
-        make KSRC="$ksrc" DISTDIR="$pkgdir" install-kernel || return 1
+        make KSRC="$_ksrc" DISTDIR="$pkgdir" install-kernel || return 1
 }
 
 md5sums="9beca214c28949cce1716b49fec57de4  iscsitarget-1.4.19.tar.gz
diff --git a/main/libc0.9.32/APKBUILD b/main/libc0.9.32/APKBUILD
index accdcaf3af..328368895b 100644
--- a/main/libc0.9.32/APKBUILD
+++ b/main/libc0.9.32/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 _abiver=0.9.32
 pkgname=libc$_abiver
-_gitver=1006041126
+_gitver=1006300816
 pkgver=${_abiver}_alpha0_git$_gitver
 pkgrel=1
 pkgdesc="C library for developing embedded Linux systems"
@@ -20,6 +20,7 @@ source="http://build.alpinelinux.org:8010/distfiles/$_snapfile
         uclibc-libm-pic.patch
         uclibc-lutimes.patch
         uclibc-resolv-tls.patch
+        uclibc-gcc-workaround.patch
         uclibcconfig.x86
         uclibcconfig.i486
         "
@@ -96,10 +97,11 @@ utils() {
         mv "$pkgdir"/usr/bin/* "$subpkgdir"/usr/bin/
 }
 
-md5sums="048f92606460621d9402c43417392992  libc0.9.32-0.9.32_alpha0_git1006041126.tar.bz2
+md5sums="b7af86c013378888fbd345c47ad21c3a  libc0.9.32-0.9.32_alpha0_git1006300816.tar.bz2
 4d408f72142ce55a0754948cc9cfe447  compat-stack-guard.patch
 2f9739a980be24a842c57516155c7885  uclibc-libm-pic.patch
 4d0b8170e6580b47bf5775e65a6f081e  uclibc-lutimes.patch
 d08831b452acdeaa3037525ee617edab  uclibc-resolv-tls.patch
+a88b7f394c86dc7aa606c9e338e35515  uclibc-gcc-workaround.patch
 e2eb3bb00a0fe4d6f3d5b5c56b027bab  uclibcconfig.x86
 e2eb3bb00a0fe4d6f3d5b5c56b027bab  uclibcconfig.i486"
diff --git a/main/libc0.9.32/uclibc-gcc-workaround.patch b/main/libc0.9.32/uclibc-gcc-workaround.patch
new file mode 100644
index 0000000000..f698ecb79e
--- /dev/null
+++ b/main/libc0.9.32/uclibc-gcc-workaround.patch
@@ -0,0 +1,58 @@
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+To: uclibc@uclibc.org
+Subject: [PATCH] more workarounds for GCC PR32219
+Date: Wed, 30 Jun 2010 14:46:37 +0300
+Message-Id: <1277898397-10643-1-git-send-email-timo.teras@iki.fi>
+X-Mailer: git-send-email 1.7.0.4
+MIME-Version: 1.0
+X-BeenThere: uclibc@uclibc.org
+X-Mailman-Version: 2.1.12
+Precedence: list
+List-Id: "Discussion and development of uClibc \(the embedded C library\)"
+        <uclibc.uclibc.org>
+List-Unsubscribe: <http://lists.busybox.net/mailman/options/uclibc>,
+        <mailto:uclibc-request@uclibc.org?subject=unsubscribe>
+List-Archive: <http://lists.busybox.net/pipermail/uclibc>
+List-Post: <mailto:uclibc@uclibc.org>
+List-Help: <mailto:uclibc-request@uclibc.org?subject=help>
+List-Subscribe: <http://lists.busybox.net/mailman/listinfo/uclibc>,
+        <mailto:uclibc-request@uclibc.org?subject=subscribe>
+Content-Type: text/plain; charset="utf-8"
+Sender: uclibc-bounces@uclibc.org
+Errors-To: uclibc-bounces@uclibc.org
+
+Commit 2e53dd645d5348f207cec7f8595969dc566c5a55 workarounds GCC
+bug when accessing _locale_init and _stdio_init. We need the same
+fix for __errno_location and __h_errno_location otherwise we crash
+calling null with static and non-threaded builds.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ libc/misc/internals/__uClibc_main.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libc/misc/internals/__uClibc_main.c b/libc/misc/internals/__uClibc_main.c
+index 44d1620..e8c470b 100644
+--- a/libc/misc/internals/__uClibc_main.c
++++ b/libc/misc/internals/__uClibc_main.c
+@@ -447,11 +447,11 @@ void __uClibc_main(int (*main)(int, char **, char **), int argc,
+      * have resulted in errno being set nonzero, so set it to 0 before
+      * we call main.
+      */
+-    if (likely(__errno_location!=NULL))
++    if (likely(not_null_ptr(__errno_location)))
+        *(__errno_location()) = 0;
+ 
+     /* Set h_errno to 0 as well */
+-    if (likely(__h_errno_location!=NULL))
++    if (likely(not_null_ptr(__h_errno_location)))
+        *(__h_errno_location()) = 0;
+ 
+ #if defined HAVE_CLEANUP_JMP_BUF && defined __UCLIBC_HAS_THREADS_NATIVE__
+-- 
+1.7.0.4
+
+_______________________________________________
+uClibc mailing list
+uClibc@uclibc.org
+http://lists.busybox.net/mailman/listinfo/uclibc
diff --git a/main/libconfig/APKBUILD b/main/libconfig/APKBUILD
index e4bf50072a..db88ca1ca7 100644
--- a/main/libconfig/APKBUILD
+++ b/main/libconfig/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libconfig
-pkgver=1.4.3
+pkgver=1.4.5
 pkgrel=0
 pkgdesc="a simple library for manipulating structured configuration files"
 url="http://www.hyperrealm.com/libconfig/"
@@ -24,4 +24,4 @@ package() {
         make -j1 DESTDIR="$pkgdir/" install
 }
 
-md5sums="295f580a7bc3a03a44d520d6ace55ee6  libconfig-1.4.3.tar.gz"
+md5sums="f2219e1b2501e7296a7d3e971c63666a  libconfig-1.4.5.tar.gz"
diff --git a/main/libevent/APKBUILD b/main/libevent/APKBUILD
index f744779856..4a627408f6 100644
--- a/main/libevent/APKBUILD
+++ b/main/libevent/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libevent
-pkgver=1.4.13
-pkgrel=1
+pkgver=1.4.14b
+pkgrel=0
 pkgdesc="An event notification library"
 url="http://www.monkey.org/~provos/libevent/"
 license="GPL-2"
@@ -20,4 +20,4 @@ package() {
         cd $srcdir/$pkgname-$pkgver-stable
         make -j1 DESTDIR=$pkgdir install || return 1
 }
-md5sums="0b3ea18c634072d12b3c1ee734263664  libevent-1.4.13-stable.tar.gz"
+md5sums="a00e037e4d3f9e4fe9893e8a2d27918c  libevent-1.4.14b-stable.tar.gz"
diff --git a/testing/libowfat/APKBUILD b/main/libowfat/APKBUILD
index 8e3ee0eca0..8e3ee0eca0 100644
--- a/testing/libowfat/APKBUILD
+++ b/main/libowfat/APKBUILD
diff --git a/main/libpng/APKBUILD b/main/libpng/APKBUILD
index 39a12f7cdf..db52574fbc 100644
--- a/main/libpng/APKBUILD
+++ b/main/libpng/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Carlo Landmeter <clandmeter at gmail>
 # Maintainer: Carlo Landmeter <clandmeter at gmail>
 pkgname=libpng
-pkgver=1.4.2
+pkgver=1.4.3
 pkgrel=0
 pkgdesc="Portable Network Graphics library"
 url="http://www.libpng.org/"
@@ -27,4 +27,4 @@ package() {
         install -Dm644 LICENSE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE || return 1
 }
 
-md5sums="89fd334dc5fc84ff146b9269c4fa452f  libpng-1.4.2.tar.gz"
+md5sums="df3521f61a1b8b69489d297c0ca8c1f8  libpng-1.4.3.tar.gz"
diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD
index 5c03ed55a0..f229887b25 100644
--- a/main/lighttpd/APKBUILD
+++ b/main/lighttpd/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=lighttpd
 pkgver=1.4.26
 _streamver=2.2.0
-pkgrel=4
+pkgrel=5
 pkgdesc="a secure, fast, compliant and very flexible web-server"
 url="http://www.lighttpd.net/"
 license="custom"
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index cb94b01364..ef73e4958c 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=2.6.32.15
 _kernver=2.6.32
-pkgrel=8
+pkgrel=9
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH:-x86}}
 install=
 source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
         ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
-        grsecurity-2.1.14-2.6.32.15-201006011506.patch
+        grsecurity-2.2.0-2.6.32.15-201006271253.patch
         0001-grsec-revert-conflicting-flow-cache-changes.patch
         0002-gre-fix-hard-header-destination-address-checking.patch
         0003-ip_gre-include-route-header_len-in-max_headroom-calc.patch
@@ -148,7 +148,7 @@ firmware() {
 
 md5sums="260551284ac224c3a43c4adac7df4879  linux-2.6.32.tar.bz2
 5c9251844c2819eddee4dba1293bd46d  patch-2.6.32.15.bz2
-7f61d0de3d703c465bff03a20b2dbd30  grsecurity-2.1.14-2.6.32.15-201006011506.patch
+98a8ab1e328d67e40657ef5e4b9d1b37  grsecurity-2.2.0-2.6.32.15-201006271253.patch
 1d247140abec49b96250aec9aa59b324  0001-grsec-revert-conflicting-flow-cache-changes.patch
 437317f88ec13ace8d39c31983a41696  0002-gre-fix-hard-header-destination-address-checking.patch
 151b29a161178ed39d62a08f21f3484d  0003-ip_gre-include-route-header_len-in-max_headroom-calc.patch
diff --git a/main/linux-grsec/grsecurity-2.1.14-2.6.32.15-201006011506.patch b/main/linux-grsec/grsecurity-2.2.0-2.6.32.15-201006271253.patch
index 215c62b4e2..722e01f379 100644
--- a/main/linux-grsec/grsecurity-2.1.14-2.6.32.15-201006011506.patch
+++ b/main/linux-grsec/grsecurity-2.2.0-2.6.32.15-201006271253.patch
@@ -7562,7 +7562,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/page_64_types.h linux-2.6.32.15/
  #define __VIRTUAL_MASK_SHIFT   47
 diff -urNp linux-2.6.32.15/arch/x86/include/asm/paravirt.h linux-2.6.32.15/arch/x86/include/asm/paravirt.h
 --- linux-2.6.32.15/arch/x86/include/asm/paravirt.h     2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/include/asm/paravirt.h     2010-05-28 21:27:14.915041226 -0400
++++ linux-2.6.32.15/arch/x86/include/asm/paravirt.h     2010-06-19 10:03:50.008525890 -0400
 @@ -729,6 +729,21 @@ static inline void __set_fixmap(unsigned
         pv_mmu_ops.set_fixmap(idx, phys, flags);
  }
@@ -7765,7 +7765,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32.
  #define MODULES_LEN    (MODULES_VADDR - MODULES_END)
 diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h
 --- linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h       2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h       2010-05-28 21:27:14.915041226 -0400
++++ linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h       2010-06-19 10:03:50.008525890 -0400
 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
  
  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
@@ -7785,7 +7785,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.15
  /*
 diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h
 --- linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h   2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h   2010-05-28 21:27:14.915041226 -0400
++++ linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h   2010-06-19 10:03:50.008525890 -0400
 @@ -16,10 +16,13 @@
  
  extern pud_t level3_kernel_pgt[512];
@@ -7812,7 +7812,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h linux-2.6.32.15/arc
  }
  
  static inline void native_pmd_clear(pmd_t *pmd)
-@@ -94,12 +99,18 @@ static inline void native_pud_clear(pud_
+@@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
  
  static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
  {
@@ -7822,15 +7822,6 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h linux-2.6.32.15/arc
  }
  
  static inline void native_pgd_clear(pgd_t *pgd)
- {
-+
-+#ifndef CONFIG_PAX_PER_CPU_PGD
-        native_set_pgd(pgd, native_make_pgd(0));
-+#endif
-+
- }
- 
- /*
 diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h
 --- linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h     2010-03-15 11:52:04.000000000 -0400
 +++ linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h     2010-05-28 21:27:14.915041226 -0400
@@ -7844,7 +7835,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.
  #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
 diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable.h linux-2.6.32.15/arch/x86/include/asm/pgtable.h
 --- linux-2.6.32.15/arch/x86/include/asm/pgtable.h      2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/include/asm/pgtable.h      2010-05-28 21:27:14.918896182 -0400
++++ linux-2.6.32.15/arch/x86/include/asm/pgtable.h      2010-06-19 10:03:50.008525890 -0400
 @@ -74,12 +74,51 @@ extern struct list_head pgd_list;
  
  #define arch_end_context_switch(prev)  do {} while(0)
@@ -7988,7 +7979,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable.h linux-2.6.32.15/arch/x
  #ifndef __ASSEMBLY__
  
  extern int direct_gbpages;
-@@ -611,11 +698,18 @@ static inline void ptep_set_wrprotect(st
+@@ -611,11 +698,23 @@ static inline void ptep_set_wrprotect(st
   * dst and src can be on the same page, but the range must not overlap,
   * and must not cross a page boundary.
   */
@@ -8004,7 +7995,12 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable.h linux-2.6.32.15/arch/x
  
 +#ifdef CONFIG_PAX_PER_CPU_PGD
 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
++#endif
++
++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
++#else
++static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
 +#endif
  
  #include <asm-generic/pgtable.h>
@@ -9301,16 +9297,8 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/xsave.h linux-2.6.32.15/arch/x86
                              ".section .fixup,\"ax\"\n"
 diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig
 --- linux-2.6.32.15/arch/x86/Kconfig    2010-05-15 13:20:18.407099662 -0400
-+++ linux-2.6.32.15/arch/x86/Kconfig    2010-05-28 21:27:14.922894828 -0400
-@@ -531,6 +531,7 @@ source "arch/x86/lguest/Kconfig"
- 
- config PARAVIRT
-        bool "Enable paravirtualization code"
-+       depends on !PAX_PER_CPU_PGD
-        ---help---
-          This changes the kernel so it can modify itself when it is run
-          under a hypervisor, potentially improving performance significantly
-@@ -1083,7 +1084,7 @@ config PAGE_OFFSET
++++ linux-2.6.32.15/arch/x86/Kconfig    2010-06-19 11:15:06.486972627 -0400
+@@ -1083,7 +1083,7 @@ config PAGE_OFFSET
         hex
         default 0xB0000000 if VMSPLIT_3G_OPT
         default 0x80000000 if VMSPLIT_2G
@@ -9319,7 +9307,7 @@ diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig
         default 0x40000000 if VMSPLIT_1G
         default 0xC0000000
         depends on X86_32
-@@ -1414,7 +1415,7 @@ config ARCH_USES_PG_UNCACHED
+@@ -1414,7 +1414,7 @@ config ARCH_USES_PG_UNCACHED
  
  config EFI
         bool "EFI runtime service support"
@@ -9328,7 +9316,7 @@ diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig
         ---help---
           This enables the kernel to use EFI runtime services that are
           available (such as the EFI variable services).
-@@ -1501,6 +1502,7 @@ config KEXEC_JUMP
+@@ -1501,6 +1501,7 @@ config KEXEC_JUMP
  config PHYSICAL_START
         hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
         default "0x1000000"
@@ -9336,7 +9324,7 @@ diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig
         ---help---
           This gives the physical address where the kernel is loaded.
  
-@@ -1565,6 +1567,7 @@ config PHYSICAL_ALIGN
+@@ -1565,6 +1566,7 @@ config PHYSICAL_ALIGN
         hex
         prompt "Alignment value to which kernel should be aligned" if X86_32
         default "0x1000000"
@@ -9344,7 +9332,7 @@ diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig
         range 0x2000 0x1000000
         ---help---
           This value puts the alignment restrictions on physical address
-@@ -1596,9 +1599,10 @@ config HOTPLUG_CPU
+@@ -1596,9 +1598,10 @@ config HOTPLUG_CPU
           Say N if you want to disable CPU hotplug.
  
  config COMPAT_VDSO
@@ -10503,7 +10491,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/efi_stub_32.S linux-2.6.32.15/arch/x8
  efi_rt_function_ptr:
 diff -urNp linux-2.6.32.15/arch/x86/kernel/entry_32.S linux-2.6.32.15/arch/x86/kernel/entry_32.S
 --- linux-2.6.32.15/arch/x86/kernel/entry_32.S  2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/kernel/entry_32.S  2010-05-28 21:27:15.031137412 -0400
++++ linux-2.6.32.15/arch/x86/kernel/entry_32.S  2010-06-19 10:03:50.008525890 -0400
 @@ -191,7 +191,67 @@
  
  #endif /* CONFIG_X86_32_LAZY_GS */
@@ -10780,15 +10768,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/entry_32.S linux-2.6.32.15/arch/x86/k
  #include "syscall_table_32.S"
  
  syscall_table_size=(.-sys_call_table)
-@@ -1250,12 +1366,15 @@ error_code:
-        movl %ecx, %fs
-        UNWIND_ESPFIX_STACK
-        GS_TO_REG %ecx
-+
-+       PAX_ENTER_KERNEL
-+
-        movl PT_GS(%esp), %edi          # get the function address
-        movl PT_ORIG_EAX(%esp), %edx    # get the error code
+@@ -1255,9 +1371,12 @@ error_code:
         movl $-1, PT_ORIG_EAX(%esp)     # no syscall to restart
         REG_TO_PTGS %ecx
         SET_KERNEL_GS %ecx
@@ -10796,7 +10776,12 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/entry_32.S linux-2.6.32.15/arch/x86/k
 +       movl $(__KERNEL_DS), %ecx
         movl %ecx, %ds
         movl %ecx, %es
++
++       PAX_ENTER_KERNEL
++
         TRACE_IRQS_OFF
+        movl %esp,%eax                  # pt_regs pointer
+        call *%edi
 @@ -1351,6 +1470,9 @@ nmi_stack_correct:
         xorl %edx,%edx          # zero error code
         movl %esp,%eax          # pt_regs pointer
@@ -11367,7 +11352,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head32.c linux-2.6.32.15/arch/x86/ker
         /* Reserve INITRD */
 diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/kernel/head_32.S
 --- linux-2.6.32.15/arch/x86/kernel/head_32.S   2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/kernel/head_32.S   2010-05-28 21:27:15.039159907 -0400
++++ linux-2.6.32.15/arch/x86/kernel/head_32.S   2010-06-19 10:03:50.008525890 -0400
 @@ -19,10 +19,17 @@
  #include <asm/setup.h>
  #include <asm/processor-flags.h>
@@ -11658,7 +11643,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke
         pushl 16(%esp)
         pushl 24(%esp)
         pushl 32(%esp)
-@@ -608,27 +679,45 @@ ENTRY(initial_code)
+@@ -608,27 +679,38 @@ ENTRY(initial_code)
  /*
   * BSS section
   */
@@ -11699,17 +11684,22 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke
 -       .align PAGE_SIZE_asm
 +.section .swapper_pg_dir,"a",@progbits
 +
+ ENTRY(swapper_pg_dir)
+        .long   pa(swapper_pg_pmd+PGD_IDENT_ATTR),0     /* low identity map */
+ # if KPMDS == 3
+@@ -647,15 +729,24 @@ ENTRY(swapper_pg_dir)
+ #  error "Kernel PMDs should be 1, 2 or 3"
+ # endif
+        .align PAGE_SIZE_asm            /* needs to be page-sized too */
++
 +#ifdef CONFIG_PAX_PER_CPU_PGD
 +ENTRY(cpu_pgd)
 +       .rept NR_CPUS
-+       .fill   512,8,0
++       .fill   4,8,0
 +       .endr
 +#endif
 +
- ENTRY(swapper_pg_dir)
-        .long   pa(swapper_pg_pmd+PGD_IDENT_ATTR),0     /* low identity map */
- # if KPMDS == 3
-@@ -651,11 +740,12 @@ ENTRY(swapper_pg_dir)
+ #endif
  
  .data
  ENTRY(stack_start)
@@ -11723,7 +11713,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke
  early_recursion_flag:
         .long 0
  
-@@ -691,7 +781,7 @@ fault_msg:
+@@ -691,7 +782,7 @@ fault_msg:
         .word 0                         # 32 bit align gdt_desc.address
  boot_gdt_descr:
         .word __BOOT_DS+7
@@ -11732,7 +11722,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke
  
         .word 0                         # 32-bit align idt_desc.address
  idt_descr:
-@@ -702,7 +792,7 @@ idt_descr:
+@@ -702,7 +793,7 @@ idt_descr:
         .word 0                         # 32 bit align gdt_desc.address
  ENTRY(early_gdt_descr)
         .word GDT_ENTRIES*8-1
@@ -11741,7 +11731,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke
  
  /*
   * The boot_gdt must mirror the equivalent in setup.S and is
-@@ -711,5 +801,65 @@ ENTRY(early_gdt_descr)
+@@ -711,5 +802,65 @@ ENTRY(early_gdt_descr)
         .align L1_CACHE_BYTES
  ENTRY(boot_gdt)
         .fill GDT_ENTRY_BOOT_CS,8,0
@@ -11809,23 +11799,6 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke
 +       /* Be sure this is zeroed to avoid false validations in Xen */
 +       .fill PAGE_SIZE_asm - GDT_SIZE,1,0
 +       .endr
-diff -urNp linux-2.6.32.15/arch/x86/kernel/head64.c linux-2.6.32.15/arch/x86/kernel/head64.c
---- linux-2.6.32.15/arch/x86/kernel/head64.c    2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/kernel/head64.c    2010-05-28 21:27:15.039159907 -0400
-@@ -29,7 +29,13 @@
- static void __init zap_identity_mappings(void)
- {
-        pgd_t *pgd = pgd_offset_k(0UL);
-+
-+#ifdef CONFIG_PAX_PER_CPU_PGD
-+       set_pgd(pgd, native_make_pgd(0));
-+#else
-        pgd_clear(pgd);
-+#endif
-+
-        __flush_tlb_all();
- }
- 
 diff -urNp linux-2.6.32.15/arch/x86/kernel/head_64.S linux-2.6.32.15/arch/x86/kernel/head_64.S
 --- linux-2.6.32.15/arch/x86/kernel/head_64.S   2010-03-15 11:52:04.000000000 -0400
 +++ linux-2.6.32.15/arch/x86/kernel/head_64.S   2010-05-28 21:27:15.039159907 -0400
@@ -12136,7 +12109,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/init_task.c linux-2.6.32.15/arch/x86/
 +EXPORT_SYMBOL(init_tss);
 diff -urNp linux-2.6.32.15/arch/x86/kernel/ioport.c linux-2.6.32.15/arch/x86/kernel/ioport.c
 --- linux-2.6.32.15/arch/x86/kernel/ioport.c    2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/kernel/ioport.c    2010-05-28 21:27:15.039159907 -0400
++++ linux-2.6.32.15/arch/x86/kernel/ioport.c    2010-06-19 21:48:03.327550760 -0400
 @@ -6,6 +6,7 @@
  #include <linux/sched.h>
  #include <linux/kernel.h>
@@ -12150,7 +12123,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/ioport.c linux-2.6.32.15/arch/x86/ker
         if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
                 return -EINVAL;
 +#ifdef CONFIG_GRKERNSEC_IO
-+       if (turn_on) {
++       if (turn_on && grsec_disable_privio) {
 +               gr_handle_ioperm();
 +               return -EPERM;
 +       }
@@ -12167,20 +12140,19 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/ioport.c linux-2.6.32.15/arch/x86/ker
  
         set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
  
-@@ -111,8 +118,13 @@ static int do_iopl(unsigned int level, s
+@@ -111,6 +118,12 @@ static int do_iopl(unsigned int level, s
                 return -EINVAL;
         /* Trying to gain more privileges? */
         if (level > old) {
 +#ifdef CONFIG_GRKERNSEC_IO
-+               gr_handle_iopl();
-+               return -EPERM;
-+#else
++               if (grsec_disable_privio) {
++                       gr_handle_iopl();
++                       return -EPERM;
++               }
++#endif
                 if (!capable(CAP_SYS_RAWIO))
                         return -EPERM;
-+#endif
         }
-        regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
- 
 diff -urNp linux-2.6.32.15/arch/x86/kernel/irq_32.c linux-2.6.32.15/arch/x86/kernel/irq_32.c
 --- linux-2.6.32.15/arch/x86/kernel/irq_32.c    2010-03-15 11:52:04.000000000 -0400
 +++ linux-2.6.32.15/arch/x86/kernel/irq_32.c    2010-05-28 21:27:15.039159907 -0400
@@ -12406,23 +12378,6 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.15/ar
  
         relocate_kernel_ptr = control_page;
         page_list[PA_CONTROL_PAGE] = __pa(control_page);
-diff -urNp linux-2.6.32.15/arch/x86/kernel/machine_kexec_64.c linux-2.6.32.15/arch/x86/kernel/machine_kexec_64.c
---- linux-2.6.32.15/arch/x86/kernel/machine_kexec_64.c  2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/kernel/machine_kexec_64.c  2010-05-28 21:27:15.043064911 -0400
-@@ -126,7 +126,13 @@ static int init_level4_page(struct kimag
-        }
-        /* clear the unused entries */
-        while (addr < end_addr) {
-+
-+#ifdef CONFIG_PAX_PER_CPU_PGD
-+               set_pgd(level4p++, native_make_pgd(0));
-+#else
-                pgd_clear(level4p++);
-+#endif
-+
-                addr += PGDIR_SIZE;
-        }
- out:
 diff -urNp linux-2.6.32.15/arch/x86/kernel/microcode_amd.c linux-2.6.32.15/arch/x86/kernel/microcode_amd.c
 --- linux-2.6.32.15/arch/x86/kernel/microcode_amd.c     2010-03-15 11:52:04.000000000 -0400
 +++ linux-2.6.32.15/arch/x86/kernel/microcode_amd.c     2010-05-28 21:27:15.043064911 -0400
@@ -16982,7 +16937,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/extable.c linux-2.6.32.15/arch/x86/mm/ext
                 pnp_bios_is_utter_crap = 1;
 diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault.c
 --- linux-2.6.32.15/arch/x86/mm/fault.c 2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/mm/fault.c 2010-05-28 21:27:15.107152206 -0400
++++ linux-2.6.32.15/arch/x86/mm/fault.c 2010-06-19 10:03:50.012498759 -0400
 @@ -11,10 +11,19 @@
  #include <linux/kprobes.h>             /* __kprobes, ...               */
  #include <linux/mmiotrace.h>           /* kmmio_handler, ...           */
@@ -17069,17 +17024,19 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
                                 break;
                 }
                 spin_unlock_irqrestore(&pgd_lock, flags);
-@@ -257,6 +303,9 @@ static noinline int vmalloc_fault(unsign
-         * Do _not_ use "current" here. We might be inside
+@@ -258,6 +304,11 @@ static noinline int vmalloc_fault(unsign
          * an interrupt in the middle of a task switch..
          */
+        pgd_paddr = read_cr3();
++
 +#ifdef CONFIG_PAX_PER_CPU_PGD
-+       BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
++       BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
 +#endif
-        pgd_paddr = read_cr3();
++
         pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
         if (!pmd_k)
-@@ -332,15 +381,27 @@ void vmalloc_sync_all(void)
+                return -1;
+@@ -332,15 +383,27 @@ void vmalloc_sync_all(void)
  
                 const pgd_t *pgd_ref = pgd_offset_k(address);
                 unsigned long flags;
@@ -17107,7 +17064,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
                         if (pgd_none(*pgd))
                                 set_pgd(pgd, *pgd_ref);
                         else
-@@ -373,7 +434,14 @@ static noinline int vmalloc_fault(unsign
+@@ -373,7 +436,14 @@ static noinline int vmalloc_fault(unsign
          * happen within a race in page table update. In the later
          * case just flush:
          */
@@ -17122,7 +17079,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
         pgd_ref = pgd_offset_k(address);
         if (pgd_none(*pgd_ref))
                 return -1;
-@@ -535,7 +603,7 @@ static int is_errata93(struct pt_regs *r
+@@ -535,7 +605,7 @@ static int is_errata93(struct pt_regs *r
  static int is_errata100(struct pt_regs *regs, unsigned long address)
  {
  #ifdef CONFIG_X86_64
@@ -17131,7 +17088,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
                 return 1;
  #endif
         return 0;
-@@ -562,7 +630,7 @@ static int is_f00f_bug(struct pt_regs *r
+@@ -562,7 +632,7 @@ static int is_f00f_bug(struct pt_regs *r
  }
  
  static const char nx_warning[] = KERN_CRIT
@@ -17140,7 +17097,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
  
  static void
  show_fault_oops(struct pt_regs *regs, unsigned long error_code,
-@@ -571,15 +639,26 @@ show_fault_oops(struct pt_regs *regs, un
+@@ -571,15 +641,26 @@ show_fault_oops(struct pt_regs *regs, un
         if (!oops_may_print())
                 return;
  
@@ -17169,7 +17126,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
         printk(KERN_ALERT "BUG: unable to handle kernel ");
         if (address < PAGE_SIZE)
                 printk(KERN_CONT "NULL pointer dereference");
-@@ -704,6 +783,68 @@ __bad_area_nosemaphore(struct pt_regs *r
+@@ -704,6 +785,68 @@ __bad_area_nosemaphore(struct pt_regs *r
                        unsigned long address, int si_code)
  {
         struct task_struct *tsk = current;
@@ -17238,7 +17195,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
  
         /* User mode accesses just cause a SIGSEGV */
         if (error_code & PF_USER) {
-@@ -848,6 +989,106 @@ static int spurious_fault_check(unsigned
+@@ -848,6 +991,106 @@ static int spurious_fault_check(unsigned
         return 1;
  }
  
@@ -17345,7 +17302,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
  /*
   * Handle a spurious fault caused by a stale TLB entry.
   *
-@@ -914,6 +1155,9 @@ int show_unhandled_signals = 1;
+@@ -914,6 +1157,9 @@ int show_unhandled_signals = 1;
  static inline int
  access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
  {
@@ -17355,7 +17312,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
         if (write) {
                 /* write, present and write, not present: */
                 if (unlikely(!(vma->vm_flags & VM_WRITE)))
-@@ -947,17 +1191,31 @@ do_page_fault(struct pt_regs *regs, unsi
+@@ -947,17 +1193,31 @@ do_page_fault(struct pt_regs *regs, unsi
  {
         struct vm_area_struct *vma;
         struct task_struct *tsk;
@@ -17391,7 +17348,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
         /*
          * Detect and handle instructions that would cause a page fault for
          * both a tracked kernel page and a userspace page.
-@@ -1017,7 +1275,7 @@ do_page_fault(struct pt_regs *regs, unsi
+@@ -1017,7 +1277,7 @@ do_page_fault(struct pt_regs *regs, unsi
          * User-mode registers count as a user access even for any
          * potential system fault or CPU buglet:
          */
@@ -17400,7 +17357,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
                 local_irq_enable();
                 error_code |= PF_USER;
         } else {
-@@ -1071,6 +1329,11 @@ do_page_fault(struct pt_regs *regs, unsi
+@@ -1071,6 +1331,11 @@ do_page_fault(struct pt_regs *regs, unsi
                 might_sleep();
         }
  
@@ -17412,7 +17369,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
         vma = find_vma(mm, address);
         if (unlikely(!vma)) {
                 bad_area(regs, error_code, address);
-@@ -1082,18 +1345,24 @@ do_page_fault(struct pt_regs *regs, unsi
+@@ -1082,18 +1347,24 @@ do_page_fault(struct pt_regs *regs, unsi
                 bad_area(regs, error_code, address);
                 return;
         }
@@ -17436,19 +17393,19 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault
 +       if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
 +               bad_area(regs, error_code, address);
 +               return;
-+       }
+        }
 +
 +#ifdef CONFIG_PAX_SEGMEXEC
 +       if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
 +               bad_area(regs, error_code, address);
 +               return;
-        }
++       }
 +#endif
 +
         if (unlikely(expand_stack(vma, address))) {
                 bad_area(regs, error_code, address);
                 return;
-@@ -1137,3 +1406,199 @@ good_area:
+@@ -1137,3 +1408,199 @@ good_area:
  
         up_read(&mm->mmap_sem);
  }
@@ -18182,7 +18139,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/init_64.c linux-2.6.32.15/arch/x86/mm/ini
                 return "[vsyscall]";
 diff -urNp linux-2.6.32.15/arch/x86/mm/init.c linux-2.6.32.15/arch/x86/mm/init.c
 --- linux-2.6.32.15/arch/x86/mm/init.c  2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/mm/init.c  2010-05-28 21:27:15.114903294 -0400
++++ linux-2.6.32.15/arch/x86/mm/init.c  2010-06-19 10:03:50.012498759 -0400
 @@ -69,11 +69,7 @@ static void __init find_early_table_spac
          * cause a hotspot and fill up ZONE_DMA. The page tables
          * need roughly 0.5KB per GB.
@@ -18211,7 +18168,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/init.c linux-2.6.32.15/arch/x86/mm/init.c
                 return 1;
         if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
                 return 0;
-@@ -379,6 +381,87 @@ void free_init_pages(char *what, unsigne
+@@ -379,6 +381,89 @@ void free_init_pages(char *what, unsigne
  
  void free_initmem(void)
  {
@@ -18250,12 +18207,14 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/init.c linux-2.6.32.15/arch/x86/mm/init.c
 +*/
 +#ifdef CONFIG_X86_PAE
 +       set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
++/*
 +       for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
 +               pgd = pgd_offset_k(addr);
 +               pud = pud_offset(pgd, addr);
 +               pmd = pmd_offset(pud, addr);
 +               set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
 +       }
++*/
 +#endif
 +
 +#ifdef CONFIG_MODULES
@@ -18475,38 +18434,83 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/numa_32.c linux-2.6.32.15/arch/x86/mm/num
  #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
 diff -urNp linux-2.6.32.15/arch/x86/mm/pageattr.c linux-2.6.32.15/arch/x86/mm/pageattr.c
 --- linux-2.6.32.15/arch/x86/mm/pageattr.c      2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/mm/pageattr.c      2010-05-28 21:27:15.118897735 -0400
-@@ -268,9 +268,10 @@ static inline pgprot_t static_protection
++++ linux-2.6.32.15/arch/x86/mm/pageattr.c      2010-06-19 10:03:50.012498759 -0400
+@@ -261,16 +261,17 @@ static inline pgprot_t static_protection
+         * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
+         */
+        if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
+-               pgprot_val(forbidden) |= _PAGE_NX;
++               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
+ 
+        /*
+         * The kernel text needs to be executable for obvious reasons
          * Does not cover __inittext since that is gone later on. On
          * 64bit we do not enforce !NX on the low mapping
          */
 -       if (within(address, (unsigned long)_text, (unsigned long)_etext))
+-               pgprot_val(forbidden) |= _PAGE_NX;
 +       if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
-                pgprot_val(forbidden) |= _PAGE_NX;
++               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
  
 +#ifdef CONFIG_DEBUG_RODATA
         /*
          * The .rodata section needs to be read-only. Using the pfn
          * catches all aliases.
-@@ -278,6 +279,7 @@ static inline pgprot_t static_protection
+@@ -278,6 +279,14 @@ static inline pgprot_t static_protection
         if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
                    __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
                 pgprot_val(forbidden) |= _PAGE_RW;
 +#endif
++
++#ifdef CONFIG_PAX_KERNEXEC
++       if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
++               pgprot_val(forbidden) |= _PAGE_RW;
++               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
++       }
++#endif
  
         prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
  
-@@ -331,7 +333,10 @@ EXPORT_SYMBOL_GPL(lookup_address);
+@@ -331,23 +340,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
  static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
  {
         /* change init_mm */
 +       pax_open_kernel();
         set_pte_atomic(kpte, pte);
-+       pax_close_kernel();
 +
  #ifdef CONFIG_X86_32
         if (!SHARED_KERNEL_PMD) {
++
++#ifdef CONFIG_PAX_PER_CPU_PGD
++               unsigned long cpu;
++#else
                 struct page *page;
++#endif
+ 
++#ifdef CONFIG_PAX_PER_CPU_PGD
++               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
++                       pgd_t *pgd = get_cpu_pgd(cpu);
++#else
+                list_for_each_entry(page, &pgd_list, lru) {
+-                       pgd_t *pgd;
++                       pgd_t *pgd = (pgd_t *)page_address(page);;
++#endif
++
+                        pud_t *pud;
+                        pmd_t *pmd;
+ 
+-                       pgd = (pgd_t *)page_address(page) + pgd_index(address);
++                       pgd += pgd_index(address);
+                        pud = pud_offset(pgd, address);
+                        pmd = pmd_offset(pud, address);
+                        set_pte_atomic((pte_t *)pmd, pte);
+                }
+        }
+ #endif
++       pax_close_kernel();
+ }
+ 
+ static int
 diff -urNp linux-2.6.32.15/arch/x86/mm/pageattr-test.c linux-2.6.32.15/arch/x86/mm/pageattr-test.c
 --- linux-2.6.32.15/arch/x86/mm/pageattr-test.c 2010-03-15 11:52:04.000000000 -0400
 +++ linux-2.6.32.15/arch/x86/mm/pageattr-test.c 2010-05-28 21:27:15.118897735 -0400
@@ -18577,28 +18581,22 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable_32.c linux-2.6.32.15/arch/x86/mm/
          * It's enough to flush this one mapping.
 diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgtable.c
 --- linux-2.6.32.15/arch/x86/mm/pgtable.c       2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/arch/x86/mm/pgtable.c       2010-05-28 21:27:15.118897735 -0400
-@@ -63,8 +63,12 @@ void ___pmd_free_tlb(struct mmu_gather *
- #if PAGETABLE_LEVELS > 3
- void ___pud_free_tlb(struct mmu_gather *tlb, pud_t *pud)
- {
-+
-+#ifndef CONFIG_PAX_PER_CPU_PGD
-        paravirt_release_pud(__pa(pud) >> PAGE_SHIFT);
-        tlb_remove_page(tlb, virt_to_page(pud));
-+#endif
-+
- }
- #endif /* PAGETABLE_LEVELS > 3 */
- #endif /* PAGETABLE_LEVELS > 2 */
-@@ -83,8 +87,62 @@ static inline void pgd_list_del(pgd_t *p
++++ linux-2.6.32.15/arch/x86/mm/pgtable.c       2010-06-19 10:03:50.012498759 -0400
+@@ -83,8 +83,59 @@ static inline void pgd_list_del(pgd_t *p
         list_del(&page->lru);
  }
  
 -#define UNSHARED_PTRS_PER_PGD                          \
 -       (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+pteval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
++pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
++
++void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
++{
++       while (count--)
++               *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER);
++
++}
 +#endif
 +
 +#ifdef CONFIG_PAX_PER_CPU_PGD
@@ -18613,16 +18611,6 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt
 +#endif
 +
 +}
-+
-+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
-+{
-+
-+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
-+       while (count--)
-+               *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER);
-+#endif
-+
-+}
 +#endif
 +
 +#ifdef CONFIG_PAX_PER_CPU_PGD
@@ -18656,7 +18644,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt
  
  static void pgd_ctor(pgd_t *pgd)
  {
-@@ -119,6 +177,7 @@ static void pgd_dtor(pgd_t *pgd)
+@@ -119,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
         pgd_list_del(pgd);
         spin_unlock_irqrestore(&pgd_lock, flags);
  }
@@ -18664,7 +18652,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt
  
  /*
   * List of all pgd's needed for non-PAE so it can invalidate entries
-@@ -131,7 +190,7 @@ static void pgd_dtor(pgd_t *pgd)
+@@ -131,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
   * -- wli
   */
  
@@ -18673,7 +18661,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt
  /*
   * In PAE mode, we need to do a cr3 reload (=tlb flush) when
   * updating the top-level pagetable entries to guarantee the
-@@ -143,7 +202,7 @@ static void pgd_dtor(pgd_t *pgd)
+@@ -143,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
   * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
   * and initialize the kernel pmds here.
   */
@@ -18682,7 +18670,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt
  
  void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
  {
-@@ -162,36 +221,38 @@ void pud_populate(struct mm_struct *mm, 
+@@ -162,36 +214,38 @@ void pud_populate(struct mm_struct *mm, 
         if (mm == current->active_mm)
                 write_cr3(read_cr3());
  }
@@ -18732,7 +18720,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt
                 return -ENOMEM;
         }
  
-@@ -204,51 +265,56 @@ static int preallocate_pmds(pmd_t *pmds[
+@@ -204,51 +258,56 @@ static int preallocate_pmds(pmd_t *pmds[
   * preallocate which never got a corresponding vma will need to be
   * freed manually.
   */
@@ -18806,7 +18794,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt
         unsigned long flags;
  
         pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
-@@ -258,11 +324,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+@@ -258,11 +317,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
  
         mm->pgd = pgd;
  
@@ -18820,7 +18808,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt
  
         /*
          * Make sure that pre-populating the pmds is atomic with
-@@ -272,14 +338,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+@@ -272,14 +331,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
         spin_lock_irqsave(&pgd_lock, flags);
  
         pgd_ctor(pgd);
@@ -18838,7 +18826,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt
  out_free_pgd:
         free_page((unsigned long)pgd);
  out:
-@@ -288,7 +354,7 @@ out:
+@@ -288,7 +347,7 @@ out:
  
  void pgd_free(struct mm_struct *mm, pgd_t *pgd)
  {
@@ -20109,6 +20097,18 @@ diff -urNp linux-2.6.32.15/Documentation/kernel-parameters.txt linux-2.6.32.15/D
         pcbit=          [HW,ISDN]
  
         pcd.            [PARIDE]
+diff -urNp linux-2.6.32.15/drivers/acpi/acpi_pad.c linux-2.6.32.15/drivers/acpi/acpi_pad.c
+--- linux-2.6.32.15/drivers/acpi/acpi_pad.c     2010-03-15 11:52:04.000000000 -0400
++++ linux-2.6.32.15/drivers/acpi/acpi_pad.c     2010-06-19 10:03:45.704801524 -0400
+@@ -30,7 +30,7 @@
+ #include <acpi/acpi_bus.h>
+ #include <acpi/acpi_drivers.h>
+ 
+-#define ACPI_PROCESSOR_AGGREGATOR_CLASS        "processor_aggregator"
++#define ACPI_PROCESSOR_AGGREGATOR_CLASS        "acpi_pad"
+ #define ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME "Processor Aggregator"
+ #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80
+ static DEFINE_MUTEX(isolated_cpus_lock);
 diff -urNp linux-2.6.32.15/drivers/acpi/battery.c linux-2.6.32.15/drivers/acpi/battery.c
 --- linux-2.6.32.15/drivers/acpi/battery.c      2010-03-15 11:52:04.000000000 -0400
 +++ linux-2.6.32.15/drivers/acpi/battery.c      2010-05-28 21:27:15.179152446 -0400
@@ -27801,6 +27801,18 @@ diff -urNp linux-2.6.32.15/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.15/drive
         .owner = THIS_MODULE,
         .open = blkvsc_open,
         .release = blkvsc_release,
+diff -urNp linux-2.6.32.15/drivers/staging/hv/Hv.c linux-2.6.32.15/drivers/staging/hv/Hv.c
+--- linux-2.6.32.15/drivers/staging/hv/Hv.c     2010-05-15 13:20:18.963900073 -0400
++++ linux-2.6.32.15/drivers/staging/hv/Hv.c     2010-06-19 10:03:50.012498759 -0400
+@@ -161,7 +161,7 @@ static u64 HvDoHypercall(u64 Control, vo
+        u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
+        u32 outputAddressHi = outputAddress >> 32;
+        u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
+-       volatile void *hypercallPage = gHvContext.HypercallPage;
++       volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
+ 
+        DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
+                   Control, Input, Output);
 diff -urNp linux-2.6.32.15/drivers/staging/panel/panel.c linux-2.6.32.15/drivers/staging/panel/panel.c
 --- linux-2.6.32.15/drivers/staging/panel/panel.c       2010-03-15 11:52:04.000000000 -0400
 +++ linux-2.6.32.15/drivers/staging/panel/panel.c       2010-05-28 21:27:15.842942312 -0400
@@ -34413,8 +34425,8 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_alloc.c linux-2.6.32.15/grsecurity/g
 +}
 diff -urNp linux-2.6.32.15/grsecurity/gracl.c linux-2.6.32.15/grsecurity/gracl.c
 --- linux-2.6.32.15/grsecurity/gracl.c  1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/grsecurity/gracl.c  2010-05-28 21:27:16.327077893 -0400
-@@ -0,0 +1,3897 @@
++++ linux-2.6.32.15/grsecurity/gracl.c  2010-06-26 14:00:02.982610280 -0400
+@@ -0,0 +1,3899 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -38202,6 +38214,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl.c linux-2.6.32.15/grsecurity/gracl.c
 +          who have the 'view' subject flag if the RBAC system is enabled
 +       */
 +
++       rcu_read_lock();
 +       read_lock(&tasklist_lock);
 +       task = find_task_by_vpid(pid);
 +       if (task) {
@@ -38230,6 +38243,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl.c linux-2.6.32.15/grsecurity/gracl.c
 +               ret = -ENOENT;
 +
 +       read_unlock(&tasklist_lock);
++       rcu_read_unlock();
 +
 +       return ret;
 +}
@@ -38314,8 +38328,8 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl.c linux-2.6.32.15/grsecurity/gracl.c
 +
 diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gracl_cap.c
 --- linux-2.6.32.15/grsecurity/gracl_cap.c      1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/grsecurity/gracl_cap.c      2010-05-28 21:27:16.327077893 -0400
-@@ -0,0 +1,131 @@
++++ linux-2.6.32.15/grsecurity/gracl_cap.c      2010-06-19 21:06:17.097881201 -0400
+@@ -0,0 +1,138 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -38370,6 +38384,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gra
 +       const struct cred *cred = current_cred();
 +       struct acl_subject_label *curracl;
 +       kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
++       kernel_cap_t cap_audit = __cap_empty_set;
 +
 +       if (!gr_acl_is_enabled())
 +               return 1;
@@ -38378,6 +38393,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gra
 +
 +       cap_drop = curracl->cap_lower;
 +       cap_mask = curracl->cap_mask;
++       cap_audit = curracl->cap_invert_audit;
 +
 +       while ((curracl = curracl->parent_subject)) {
 +               /* if the cap isn't specified in the current computed mask but is specified in the
@@ -38389,11 +38405,16 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gra
 +                       cap_raise(cap_mask, cap);
 +                       if (cap_raised(curracl->cap_lower, cap))
 +                               cap_raise(cap_drop, cap);
++                       if (cap_raised(curracl->cap_invert_audit, cap))
++                               cap_raise(cap_audit, cap);
 +               }
 +       }
 +
-+       if (!cap_raised(cap_drop, cap))
++       if (!cap_raised(cap_drop, cap)) {
++               if (cap_raised(cap_audit, cap))
++                       gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
 +               return 1;
++       }
 +
 +       curracl = task->acl;
 +
@@ -38409,7 +38430,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gra
 +               return 1;
 +       }
 +
-+       if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap))
++       if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
 +               gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
 +       return 0;
 +}
@@ -39818,8 +39839,8 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_segv.c linux-2.6.32.15/grsecurity/gr
 +}
 diff -urNp linux-2.6.32.15/grsecurity/gracl_shm.c linux-2.6.32.15/grsecurity/gracl_shm.c
 --- linux-2.6.32.15/grsecurity/gracl_shm.c      1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/grsecurity/gracl_shm.c      2010-05-28 21:27:16.331240103 -0400
-@@ -0,0 +1,37 @@
++++ linux-2.6.32.15/grsecurity/gracl_shm.c      2010-06-26 14:01:55.746591444 -0400
+@@ -0,0 +1,40 @@
 +#include <linux/kernel.h>
 +#include <linux/mm.h>
 +#include <linux/sched.h>
@@ -39838,6 +39859,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_shm.c linux-2.6.32.15/grsecurity/gra
 +       if (!gr_acl_is_enabled())
 +               return 1;
 +
++       rcu_read_lock();
 +       read_lock(&tasklist_lock);
 +
 +       task = find_task_by_vpid(shm_cprid);
@@ -39850,10 +39872,12 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_shm.c linux-2.6.32.15/grsecurity/gra
 +                    (task->acl->mode & GR_PROTSHM) &&
 +                    (task->acl != current->acl))) {
 +               read_unlock(&tasklist_lock);
++               rcu_read_unlock();
 +               gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
 +               return 0;
 +       }
 +       read_unlock(&tasklist_lock);
++       rcu_read_unlock();
 +
 +       return 1;
 +}
@@ -39882,8 +39906,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chdir.c linux-2.6.32.15/grsecurity/g
 +}
 diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/grsec_chroot.c
 --- linux-2.6.32.15/grsecurity/grsec_chroot.c   1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/grsecurity/grsec_chroot.c   2010-05-28 21:27:16.331240103 -0400
-@@ -0,0 +1,348 @@
++++ linux-2.6.32.15/grsecurity/grsec_chroot.c   2010-06-26 14:05:26.054819575 -0400
+@@ -0,0 +1,355 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -39907,6 +39931,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/
 +       if (likely(!proc_is_chrooted(current)))
 +               return 1;
 +
++       rcu_read_lock();
 +       read_lock(&tasklist_lock);
 +
 +       spid = find_vpid(pid);
@@ -39917,12 +39942,14 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/
 +               if (unlikely(!have_same_root(current, p))) {
 +                       gr_fs_read_unlock(p);
 +                       read_unlock(&tasklist_lock);
++                       rcu_read_unlock();
 +                       gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
 +                       return 0;
 +               }
 +               gr_fs_read_unlock(p);
 +       }
 +       read_unlock(&tasklist_lock);
++       rcu_read_unlock();
 +#endif
 +       return 1;
 +}
@@ -40065,6 +40092,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/
 +       if (likely(!proc_is_chrooted(current)))
 +               return 1;
 +
++       rcu_read_lock();
 +       read_lock(&tasklist_lock);
 +
 +       pid = find_vpid(shm_cprid);
@@ -40077,6 +40105,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/
 +                            time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
 +                       gr_fs_read_unlock(p);
 +                       read_unlock(&tasklist_lock);
++                       rcu_read_unlock();
 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
 +                       return 0;
 +               }
@@ -40090,6 +40119,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/
 +                       if (unlikely(!have_same_root(current, p))) {
 +                               gr_fs_read_unlock(p);
 +                               read_unlock(&tasklist_lock);
++                               rcu_read_unlock();
 +                               gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
 +                               return 0;
 +                       }
@@ -40098,6 +40128,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/
 +       }
 +
 +       read_unlock(&tasklist_lock);
++       rcu_read_unlock();
 +#endif
 +       return 1;
 +}
@@ -40804,8 +40835,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_fork.c linux-2.6.32.15/grsecurity/gr
 +}
 diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/grsec_init.c
 --- linux-2.6.32.15/grsecurity/grsec_init.c     1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/grsecurity/grsec_init.c     2010-05-28 21:27:16.331240103 -0400
-@@ -0,0 +1,241 @@
++++ linux-2.6.32.15/grsecurity/grsec_init.c     2010-06-27 12:52:54.615758098 -0400
+@@ -0,0 +1,258 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/mm.h>
@@ -40814,6 +40845,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/gr
 +#include <linux/slab.h>
 +#include <linux/vmalloc.h>
 +#include <linux/percpu.h>
++#include <linux/module.h>
 +
 +int grsec_enable_link;
 +int grsec_enable_dmesg;
@@ -40848,6 +40880,9 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/gr
 +int grsec_enable_tpe;
 +int grsec_tpe_gid;
 +int grsec_enable_blackhole;
++#ifdef CONFIG_IPV6_MODULE
++EXPORT_SYMBOL(grsec_enable_blackhole);
++#endif
 +int grsec_lastack_retries;
 +int grsec_enable_tpe_all;
 +int grsec_enable_socket_all;
@@ -40857,6 +40892,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/gr
 +int grsec_enable_socket_server;
 +int grsec_socket_server_gid;
 +int grsec_resource_logging;
++int grsec_disable_privio;
 +int grsec_lock;
 +
 +DEFINE_SPINLOCK(grsec_alert_lock);
@@ -40928,10 +40964,22 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/gr
 +               return;
 +       }
 +
++
++#ifdef CONFIG_GRKERNSEC_IO
++#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
++       grsec_disable_privio = 1;
++#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
++       grsec_disable_privio = 1;
++#else
++       grsec_disable_privio = 0;
++#endif
++#endif
++
 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
 +#ifndef CONFIG_GRKERNSEC_SYSCTL
 +       grsec_lock = 1;
 +#endif
++
 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
 +       grsec_enable_audit_textrel = 1;
 +#endif
@@ -41913,8 +41961,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_sock.c linux-2.6.32.15/grsecurity/gr
 +}
 diff -urNp linux-2.6.32.15/grsecurity/grsec_sysctl.c linux-2.6.32.15/grsecurity/grsec_sysctl.c
 --- linux-2.6.32.15/grsecurity/grsec_sysctl.c   1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/grsecurity/grsec_sysctl.c   2010-05-28 21:27:16.331240103 -0400
-@@ -0,0 +1,447 @@
++++ linux-2.6.32.15/grsecurity/grsec_sysctl.c   2010-06-19 21:32:37.093947224 -0400
+@@ -0,0 +1,459 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/sysctl.h>
@@ -41940,6 +41988,18 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_sysctl.c linux-2.6.32.15/grsecurity/
 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
 +ctl_table grsecurity_table[] = {
 +#ifdef CONFIG_GRKERNSEC_SYSCTL
++#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
++#ifdef CONFIG_GRKERNSEC_IO
++       {
++               .ctl_name       = CTL_UNNUMBERED,
++               .procname       = "disable_priv_io",
++               .data           = &grsec_disable_privio,
++               .maxlen         = sizeof(int),
++               .mode           = 0600,
++               .proc_handler   = &proc_dointvec,
++       },
++#endif
++#endif
 +#ifdef CONFIG_GRKERNSEC_LINK
 +       {
 +               .ctl_name       = CTL_UNNUMBERED,
@@ -42443,8 +42503,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_tpe.c linux-2.6.32.15/grsecurity/grs
 +}
 diff -urNp linux-2.6.32.15/grsecurity/grsum.c linux-2.6.32.15/grsecurity/grsum.c
 --- linux-2.6.32.15/grsecurity/grsum.c  1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/grsecurity/grsum.c  2010-05-28 21:27:16.331240103 -0400
-@@ -0,0 +1,59 @@
++++ linux-2.6.32.15/grsecurity/grsum.c  2010-06-26 13:55:39.510774424 -0400
+@@ -0,0 +1,61 @@
 +#include <linux/err.h>
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
@@ -42470,6 +42530,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsum.c linux-2.6.32.15/grsecurity/grsum.c
 +       volatile int dummy = 0;
 +       unsigned int i;
 +
++       sg_init_table(&sg, 1);
++
 +       tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
 +       if (IS_ERR(tfm)) {
 +               /* should never happen, since sha256 should be built in */
@@ -42506,8 +42568,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsum.c linux-2.6.32.15/grsecurity/grsum.c
 +}
 diff -urNp linux-2.6.32.15/grsecurity/Kconfig linux-2.6.32.15/grsecurity/Kconfig
 --- linux-2.6.32.15/grsecurity/Kconfig  1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/grsecurity/Kconfig  2010-05-28 21:27:16.331240103 -0400
-@@ -0,0 +1,965 @@
++++ linux-2.6.32.15/grsecurity/Kconfig  2010-06-26 14:17:55.584309817 -0400
+@@ -0,0 +1,981 @@
 +#
 +# grecurity configuration
 +#
@@ -43342,7 +43404,7 @@ diff -urNp linux-2.6.32.15/grsecurity/Kconfig linux-2.6.32.15/grsecurity/Kconfig
 +         all servers it connects to have this option enabled, consider
 +         disabling this feature on the haproxy host.
 +
-+         If this option is enabled, two sysctl options with names
++         If the sysctl option is enabled, two sysctl options with names
 +         "ip_blackhole" and "lastack_retries" will be created.
 +         While "ip_blackhole" takes the standard zero/non-zero on/off
 +         toggle, "lastack_retries" uses the same kinds of values as
@@ -43434,6 +43496,22 @@ diff -urNp linux-2.6.32.15/grsecurity/Kconfig linux-2.6.32.15/grsecurity/Kconfig
 +         be set to a non-zero value after all the options are set.
 +         *THIS IS EXTREMELY IMPORTANT*
 +
++config GRKERNSEC_SYSCTL_DISTRO
++       bool "Extra sysctl support for distro makers (READ HELP)"
++       depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
++       help
++         If you say Y here, additional sysctl options will be created
++         for features that affect processes running as root.  Therefore,
++         it is critical when using this option that the grsec_lock entry be
++         enabled after boot.  Only distros with prebuilt kernel packages
++         with this option enabled that can ensure grsec_lock is enabled
++         after boot should use this option.
++         *Failure to set grsec_lock after boot makes all grsec features
++         this option covers useless*
++
++         Currently this option creates the following sysctl entries:
++         "Disable Privileged I/O": "disable_priv_io"   
++
 +config GRKERNSEC_SYSCTL_ON
 +       bool "Turn on features by default"
 +       depends on GRKERNSEC_SYSCTL
@@ -44679,8 +44757,8 @@ diff -urNp linux-2.6.32.15/include/linux/genhd.h linux-2.6.32.15/include/linux/g
         struct blk_integrity *integrity;
 diff -urNp linux-2.6.32.15/include/linux/gracl.h linux-2.6.32.15/include/linux/gracl.h
 --- linux-2.6.32.15/include/linux/gracl.h       1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/include/linux/gracl.h       2010-05-28 21:27:16.355225759 -0400
-@@ -0,0 +1,309 @@
++++ linux-2.6.32.15/include/linux/gracl.h       2010-06-19 21:06:17.097881201 -0400
+@@ -0,0 +1,310 @@
 +#ifndef GR_ACL_H
 +#define GR_ACL_H
 +
@@ -44692,8 +44770,8 @@ diff -urNp linux-2.6.32.15/include/linux/gracl.h linux-2.6.32.15/include/linux/g
 +
 +/* Major status information */
 +
-+#define GR_VERSION  "grsecurity 2.1.14"
-+#define GRSECURITY_VERSION 0x2114
++#define GR_VERSION  "grsecurity 2.2.0"
++#define GRSECURITY_VERSION 0x2200
 +
 +enum {
 +       GR_SHUTDOWN = 0,
@@ -44784,6 +44862,7 @@ diff -urNp linux-2.6.32.15/include/linux/gracl.h linux-2.6.32.15/include/linux/g
 +       __u32 mode;
 +       kernel_cap_t cap_mask;
 +       kernel_cap_t cap_lower;
++       kernel_cap_t cap_invert_audit;
 +
 +       struct rlimit res[GR_NLIMITS];
 +       __u32 resmask;
@@ -45145,7 +45224,7 @@ diff -urNp linux-2.6.32.15/include/linux/grdefs.h linux-2.6.32.15/include/linux/
 +#endif
 diff -urNp linux-2.6.32.15/include/linux/grinternal.h linux-2.6.32.15/include/linux/grinternal.h
 --- linux-2.6.32.15/include/linux/grinternal.h  1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/include/linux/grinternal.h  2010-05-28 21:27:16.355225759 -0400
++++ linux-2.6.32.15/include/linux/grinternal.h  2010-06-19 21:46:05.111766483 -0400
 @@ -0,0 +1,215 @@
 +#ifndef __GRINTERNAL_H
 +#define __GRINTERNAL_H
@@ -45364,8 +45443,8 @@ diff -urNp linux-2.6.32.15/include/linux/grinternal.h linux-2.6.32.15/include/li
 +#endif
 diff -urNp linux-2.6.32.15/include/linux/grmsg.h linux-2.6.32.15/include/linux/grmsg.h
 --- linux-2.6.32.15/include/linux/grmsg.h       1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/include/linux/grmsg.h       2010-05-28 21:27:16.355225759 -0400
-@@ -0,0 +1,107 @@
++++ linux-2.6.32.15/include/linux/grmsg.h       2010-06-19 21:06:17.097881201 -0400
+@@ -0,0 +1,108 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -45461,6 +45540,7 @@ diff -urNp linux-2.6.32.15/include/linux/grmsg.h linux-2.6.32.15/include/linux/g
 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
 +#define GR_CAP_ACL_MSG "use of %s denied for "
++#define GR_CAP_ACL_MSG2 "use of %s permitted for "
 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
@@ -45475,8 +45555,8 @@ diff -urNp linux-2.6.32.15/include/linux/grmsg.h linux-2.6.32.15/include/linux/g
 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
 diff -urNp linux-2.6.32.15/include/linux/grsecurity.h linux-2.6.32.15/include/linux/grsecurity.h
 --- linux-2.6.32.15/include/linux/grsecurity.h  1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.15/include/linux/grsecurity.h  2010-05-28 21:27:16.355225759 -0400
-@@ -0,0 +1,199 @@
++++ linux-2.6.32.15/include/linux/grsecurity.h  2010-06-19 21:45:41.506145931 -0400
+@@ -0,0 +1,200 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -45673,6 +45753,7 @@ diff -urNp linux-2.6.32.15/include/linux/grsecurity.h linux-2.6.32.15/include/li
 +                             struct vm_area_struct *vma);
 +
 +extern int grsec_enable_dmesg;
++extern int grsec_disable_privio;
 +#endif
 +
 +#endif
@@ -47637,7 +47718,7 @@ diff -urNp linux-2.6.32.15/init/Kconfig linux-2.6.32.15/init/Kconfig
           also breaks ancient binaries (including anything libc5 based).
 diff -urNp linux-2.6.32.15/init/main.c linux-2.6.32.15/init/main.c
 --- linux-2.6.32.15/init/main.c 2010-04-04 20:41:50.060586306 -0400
-+++ linux-2.6.32.15/init/main.c 2010-05-28 21:27:16.427051097 -0400
++++ linux-2.6.32.15/init/main.c 2010-06-19 10:03:39.368801195 -0400
 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void) 
  #ifdef CONFIG_TC
  extern void tc_init(void);
@@ -47653,7 +47734,7 @@ diff -urNp linux-2.6.32.15/init/main.c linux-2.6.32.15/init/main.c
 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
 +extern void pax_enter_kernel_user(void);
 +extern void pax_exit_kernel_user(void);
-+extern pteval_t clone_pgd_mask;
++extern pgdval_t clone_pgd_mask;
 +#endif
 +
 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
@@ -47675,7 +47756,7 @@ diff -urNp linux-2.6.32.15/init/main.c linux-2.6.32.15/init/main.c
 +       *p = 0xc3;
 +       p = (char *)pax_exit_kernel_user;
 +       *p = 0xc3;
-+       clone_pgd_mask = ~(pteval_t)0UL;
++       clone_pgd_mask = ~(pgdval_t)0UL;
 +#endif
 +
 +       return 0;
@@ -50620,7 +50701,7 @@ diff -urNp linux-2.6.32.15/mm/madvise.c linux-2.6.32.15/mm/madvise.c
                 goto out;
 diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
 --- linux-2.6.32.15/mm/memory.c 2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/mm/memory.c 2010-05-28 21:27:16.487251224 -0400
++++ linux-2.6.32.15/mm/memory.c 2010-06-19 10:03:50.012498759 -0400
 @@ -48,6 +48,7 @@
  #include <linux/ksm.h>
  #include <linux/rmap.h>
@@ -50629,7 +50710,33 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
  #include <linux/delayacct.h>
  #include <linux/init.h>
  #include <linux/writeback.h>
-@@ -1251,10 +1252,10 @@ int __get_user_pages(struct task_struct 
+@@ -187,8 +188,12 @@ static inline void free_pmd_range(struct
+                return;
+ 
+        pmd = pmd_offset(pud, start);
++
++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
+        pud_clear(pud);
+        pmd_free_tlb(tlb, pmd, start);
++#endif
++
+ }
+ 
+ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
+@@ -220,8 +225,12 @@ static inline void free_pud_range(struct
+                return;
+ 
+        pud = pud_offset(pgd, start);
++
++#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
+        pgd_clear(pgd);
+        pud_free_tlb(tlb, pud, start);
++#endif
++
+ }
+ 
+ /*
+@@ -1251,10 +1260,10 @@ int __get_user_pages(struct task_struct 
                         (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
         i = 0;
  
@@ -50642,7 +50749,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
                 if (!vma && in_gate_area(tsk, start)) {
                         unsigned long pg = start & PAGE_MASK;
                         struct vm_area_struct *gate_vma = get_gate_vma(tsk);
-@@ -1296,7 +1297,7 @@ int __get_user_pages(struct task_struct 
+@@ -1296,7 +1305,7 @@ int __get_user_pages(struct task_struct 
                         continue;
                 }
  
@@ -50651,7 +50758,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
                     (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
                     !(vm_flags & vma->vm_flags))
                         return i ? : -EFAULT;
-@@ -1371,7 +1372,7 @@ int __get_user_pages(struct task_struct 
+@@ -1371,7 +1380,7 @@ int __get_user_pages(struct task_struct 
                         start += PAGE_SIZE;
                         nr_pages--;
                 } while (nr_pages && start < vma->vm_end);
@@ -50660,7 +50767,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
         return i;
  }
  
-@@ -1967,6 +1968,186 @@ static inline void cow_user_page(struct 
+@@ -1967,6 +1976,186 @@ static inline void cow_user_page(struct 
                 copy_user_highpage(dst, src, va, vma);
  }
  
@@ -50847,7 +50954,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
  /*
   * This routine handles present pages, when users try to write
   * to a shared page. It is done by copying the page to a new address
-@@ -2146,6 +2327,12 @@ gotten:
+@@ -2146,6 +2335,12 @@ gotten:
          */
         page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
         if (likely(pte_same(*page_table, orig_pte))) {
@@ -50860,7 +50967,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
                 if (old_page) {
                         if (!PageAnon(old_page)) {
                                 dec_mm_counter(mm, file_rss);
-@@ -2197,6 +2384,10 @@ gotten:
+@@ -2197,6 +2392,10 @@ gotten:
                         page_remove_rmap(old_page);
                 }
  
@@ -50871,7 +50978,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
                 /* Free the old page.. */
                 new_page = old_page;
                 ret |= VM_FAULT_WRITE;
-@@ -2594,6 +2785,11 @@ static int do_swap_page(struct mm_struct
+@@ -2594,6 +2793,11 @@ static int do_swap_page(struct mm_struct
         swap_free(entry);
         if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
                 try_to_free_swap(page);
@@ -50883,7 +50990,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
         unlock_page(page);
  
         if (flags & FAULT_FLAG_WRITE) {
-@@ -2605,6 +2801,11 @@ static int do_swap_page(struct mm_struct
+@@ -2605,6 +2809,11 @@ static int do_swap_page(struct mm_struct
  
         /* No need to invalidate - it was non-present before */
         update_mmu_cache(vma, address, pte);
@@ -50895,7 +51002,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
  unlock:
         pte_unmap_unlock(page_table, ptl);
  out:
-@@ -2628,7 +2829,7 @@ static int do_anonymous_page(struct mm_s
+@@ -2628,7 +2837,7 @@ static int do_anonymous_page(struct mm_s
                 unsigned long address, pte_t *page_table, pmd_t *pmd,
                 unsigned int flags)
  {
@@ -50904,7 +51011,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
         spinlock_t *ptl;
         pte_t entry;
  
-@@ -2663,6 +2864,11 @@ static int do_anonymous_page(struct mm_s
+@@ -2663,6 +2872,11 @@ static int do_anonymous_page(struct mm_s
         if (!pte_none(*page_table))
                 goto release;
  
@@ -50916,7 +51023,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
         inc_mm_counter(mm, anon_rss);
         page_add_new_anon_rmap(page, vma, address);
  setpte:
-@@ -2670,6 +2876,12 @@ setpte:
+@@ -2670,6 +2884,12 @@ setpte:
  
         /* No need to invalidate - it was non-present before */
         update_mmu_cache(vma, address, entry);
@@ -50929,7 +51036,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
  unlock:
         pte_unmap_unlock(page_table, ptl);
         return 0;
-@@ -2812,6 +3024,12 @@ static int __do_fault(struct mm_struct *
+@@ -2812,6 +3032,12 @@ static int __do_fault(struct mm_struct *
          */
         /* Only go through if we didn't race with anybody else... */
         if (likely(pte_same(*page_table, orig_pte))) {
@@ -50942,7 +51049,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
                 flush_icache_page(vma, page);
                 entry = mk_pte(page, vma->vm_page_prot);
                 if (flags & FAULT_FLAG_WRITE)
-@@ -2831,6 +3049,14 @@ static int __do_fault(struct mm_struct *
+@@ -2831,6 +3057,14 @@ static int __do_fault(struct mm_struct *
  
                 /* no need to invalidate: a not-present page won't be cached */
                 update_mmu_cache(vma, address, entry);
@@ -50957,7 +51064,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
         } else {
                 if (charged)
                         mem_cgroup_uncharge_page(page);
-@@ -2978,6 +3204,12 @@ static inline int handle_pte_fault(struc
+@@ -2978,6 +3212,12 @@ static inline int handle_pte_fault(struc
                 if (flags & FAULT_FLAG_WRITE)
                         flush_tlb_page(vma, address);
         }
@@ -50970,7 +51077,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
  unlock:
         pte_unmap_unlock(pte, ptl);
         return 0;
-@@ -2994,6 +3226,10 @@ int handle_mm_fault(struct mm_struct *mm
+@@ -2994,6 +3234,10 @@ int handle_mm_fault(struct mm_struct *mm
         pmd_t *pmd;
         pte_t *pte;
  
@@ -50981,7 +51088,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
         __set_current_state(TASK_RUNNING);
  
         count_vm_event(PGFAULT);
-@@ -3001,6 +3237,34 @@ int handle_mm_fault(struct mm_struct *mm
+@@ -3001,6 +3245,34 @@ int handle_mm_fault(struct mm_struct *mm
         if (unlikely(is_vm_hugetlb_page(vma)))
                 return hugetlb_fault(mm, vma, address, flags);
  
@@ -51016,7 +51123,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c
         pgd = pgd_offset(mm, address);
         pud = pud_alloc(mm, pgd, address);
         if (!pud)
-@@ -3098,7 +3362,7 @@ static int __init gate_vma_init(void)
+@@ -3098,7 +3370,7 @@ static int __init gate_vma_init(void)
         gate_vma.vm_start = FIXADDR_USER_START;
         gate_vma.vm_end = FIXADDR_USER_END;
         gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
@@ -54054,36 +54161,72 @@ diff -urNp linux-2.6.32.15/net/ipv6/raw.c linux-2.6.32.15/net/ipv6/raw.c
  {
 diff -urNp linux-2.6.32.15/net/ipv6/tcp_ipv6.c linux-2.6.32.15/net/ipv6/tcp_ipv6.c
 --- linux-2.6.32.15/net/ipv6/tcp_ipv6.c 2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/net/ipv6/tcp_ipv6.c 2010-05-28 21:27:16.624385427 -0400
-@@ -1578,6 +1578,9 @@ static int tcp_v6_do_rcv(struct sock *sk
-        return 0;
++++ linux-2.6.32.15/net/ipv6/tcp_ipv6.c 2010-06-26 14:14:12.642949877 -0400
+@@ -88,6 +88,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
+ }
+ #endif
  
- reset:
 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
-+       if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
++extern int grsec_enable_blackhole;
 +#endif
-        tcp_v6_send_reset(sk, skb);
- discard:
-        if (opt_skb)
-@@ -1700,6 +1703,9 @@ no_tcp_socket:
++
+ static void tcp_v6_hash(struct sock *sk)
+ {
+        if (sk->sk_state != TCP_CLOSE) {
+@@ -1655,12 +1659,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
+        TCP_SKB_CB(skb)->sacked = 0;
+ 
+        sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
+-       if (!sk)
++       if (!sk) {
++#ifdef CONFIG_GRKERNSEC_BLACKHOLE
++               ret = 1;
++#endif
+                goto no_tcp_socket;
++       }
+ 
+ process:
+-       if (sk->sk_state == TCP_TIME_WAIT)
++       if (sk->sk_state == TCP_TIME_WAIT) {
++#ifdef CONFIG_GRKERNSEC_BLACKHOLE
++               ret = 2;
++#endif
+                goto do_time_wait;
++       }
+ 
+        if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
+                goto discard_and_relse;
+@@ -1700,6 +1712,10 @@ no_tcp_socket:
  bad_packet:
                 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
         } else {
 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
-+               if (skb->dev->flags & IFF_LOOPBACK)
++               if (!grsec_enable_blackhole || (ret == 1 &&
++                   (skb->dev->flags & IFF_LOOPBACK)))
 +#endif
                 tcp_v6_send_reset(NULL, skb);
         }
  
 diff -urNp linux-2.6.32.15/net/ipv6/udp.c linux-2.6.32.15/net/ipv6/udp.c
 --- linux-2.6.32.15/net/ipv6/udp.c      2010-03-15 11:52:04.000000000 -0400
-+++ linux-2.6.32.15/net/ipv6/udp.c      2010-05-28 21:27:16.631258014 -0400
-@@ -587,6 +587,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, 
++++ linux-2.6.32.15/net/ipv6/udp.c      2010-06-26 14:15:10.978789054 -0400
+@@ -49,6 +49,10 @@
+ #include <linux/seq_file.h>
+ #include "udp_impl.h"
+ 
++#ifdef CONFIG_GRKERNSEC_BLACKHOLE
++extern int grsec_enable_blackhole;
++#endif
++
+ int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
+ {
+        const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
+@@ -587,6 +591,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, 
                 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
                                 proto == IPPROTO_UDPLITE);
  
 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
-+               if (skb->dev->flags & IFF_LOOPBACK)
++               if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
 +#endif
                 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
  
@@ -55299,7 +55442,7 @@ diff -urNp linux-2.6.32.15/security/Kconfig linux-2.6.32.15/security/Kconfig
 +config PAX_KERNEXEC
 +       bool "Enforce non-executable kernel pages"
 +       depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
-+       select PAX_PER_CPU_PGD if X86_64
++       select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
 +       help
 +         This is the kernel land equivalent of PAGEEXEC and MPROTECT,
 +         that is, enabling this option will make it harder to inject
diff --git a/main/lua-uuid/APKBUILD b/main/lua-uuid/APKBUILD
index 6e760893c9..82f00bf3a7 100644
--- a/main/lua-uuid/APKBUILD
+++ b/main/lua-uuid/APKBUILD
@@ -28,4 +28,4 @@ package() {
         install -Dm755 uuid.so "$pkgdir"/usr/lib/lua/5.1/uuid.so
 }
 
-md5sums="e5bd7c2cf563ac4192b793934f545f49  luuid.tar.gz"
+md5sums="75f2e8c808c0fb375d9ec5255fd5d4de  luuid.tar.gz"
diff --git a/main/lvm2/APKBUILD b/main/lvm2/APKBUILD
index 4be2a3f9bb..4316aadeaa 100644
--- a/main/lvm2/APKBUILD
+++ b/main/lvm2/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=lvm2
-pkgver=2.02.66
+pkgver=2.02.68
 pkgrel=0
 pkgdesc="Logical Volume Manager 2 utilities"
 url="http://sourceware.org/lvm2/"
@@ -47,6 +47,6 @@ dm() {
         mv "$pkgdir"/sbin/dm* "$subpkgdir"/sbin/
 }
 
-md5sums="59766571610a4298f8bedf9f73839050  LVM2.2.02.66.tgz
+md5sums="20357ea7918c4e967e558de53ec74969  LVM2.2.02.68.tgz
 6f65f902cf19f144a42b8d6aceadf395  lvm.initd
 ec36d5fe4561220304e406c5c797e71f  lvm.confd"
diff --git a/main/mlmmj/APKBUILD b/main/mlmmj/APKBUILD
index 1a8e30b50e..fecf39625d 100644
--- a/main/mlmmj/APKBUILD
+++ b/main/mlmmj/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mlmmj
-pkgver=1.2.16
-pkgrel=2
+pkgver=1.2.17
+pkgrel=0
 pkgdesc="Mailing list managing made joyful"
 url="http://mlmmj.org/"
 license="MIT"
@@ -23,4 +23,4 @@ package() {
         install -d "$pkgdir"/usr/share/mlmmj/texts
         cp -r listtexts/* "$pkgdir"/usr/share/mlmmj/texts/
 }
-md5sums="9ea7ba91ccb55b9edf3e5148537364e3  mlmmj-1.2.16.tar.bz2"
+md5sums="bff8050f14f2084d661421135be685ad  mlmmj-1.2.17.tar.bz2"
diff --git a/main/mpfr3/APKBUILD b/main/mpfr3/APKBUILD
index 54e07b2832..31d912402d 100644
--- a/main/mpfr3/APKBUILD
+++ b/main/mpfr3/APKBUILD
@@ -1,12 +1,12 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mpfr3
 pkgver=3.0.0
-pkgrel=0
+pkgrel=1
 pkgdesc="multiple-precision floating-point library"
 url="http://www.mpfr.org/"
 license="GPL LGPL"
 depends=
-makedepends="gmp5-dev texinfo"
+makedepends="gmp-dev texinfo"
 source="http://www.mpfr.org/mpfr-current/mpfr-$pkgver.tar.bz2"
 subpackages="$pkgname-doc mpfr-dev:dev"
 
diff --git a/testing/opentracker/APKBUILD b/main/opentracker/APKBUILD
index 642b0d0b54..681d552639 100644
--- a/testing/opentracker/APKBUILD
+++ b/main/opentracker/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: 
 pkgname=opentracker
 pkgver=0_cvs20100625
-pkgrel=0
+pkgrel=1
 pkgdesc="an open and free bittorrent tracker"
 url="http://erdgeist.org/arts/software/opentracker/"
 license="GPL"
diff --git a/testing/opentracker/opentracker.initd b/main/opentracker/opentracker.initd
index 33d2817787..33d2817787 100644
--- a/testing/opentracker/opentracker.initd
+++ b/main/opentracker/opentracker.initd
diff --git a/main/opentracker/opentracker.pre-install b/main/opentracker/opentracker.pre-install
new file mode 100644
index 0000000000..c6fc95ed1b
--- /dev/null
+++ b/main/opentracker/opentracker.pre-install
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+adduser -D -S -H -h /var/empty -s /sbin/false opentracker 2>/dev/null
+exit 0
+
diff --git a/main/pax-utils/APKBUILD b/main/pax-utils/APKBUILD
index b01ea58cd6..4a7069bc0d 100644
--- a/main/pax-utils/APKBUILD
+++ b/main/pax-utils/APKBUILD
@@ -17,4 +17,4 @@ build() {
         make DESTDIR="$pkgdir/" install
 }
 
-md5sums="a2097463fd5a34dd707b2d72d84aea89  pax-utils-0.2.tar.bz2"
+md5sums="15a6f2ddadedac0ab6cd4b0683b767b9  pax-utils-0.2.tar.bz2"
diff --git a/main/php/APKBUILD b/main/php/APKBUILD
index 7c044c8c22..7078294843 100644
--- a/main/php/APKBUILD
+++ b/main/php/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=php
 pkgver=5.3.2
 _suhosinver=${pkgver}-0.9.9.1
-pkgrel=6
+pkgrel=7
 pkgdesc="The PHP language runtime engine"
 url="http://www.php.net/"
 license="PHP-3"
@@ -12,7 +12,7 @@ install="$pkgname.post-upgrade"
 makedepends="pcre-dev libxml2-dev libiconv-dev openssl-dev zlib-dev bzip2-dev
         curl-dev libpng-dev jpeg-dev freetype-dev libmcrypt-dev mysql-dev
         sqlite-dev libtool libltdl postgresql-dev db-dev unixodbc-dev icu-dev
-        gd-dev gmp5-dev gettext-dev imap-dev aspell-dev
+        gd-dev gmp-dev gettext-dev imap-dev aspell-dev
         net-snmp-dev libxslt-dev cyrus-sasl-dev openldap-dev pkgconfig
         libgcrypt-dev"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-cli $pkgname-pear
diff --git a/main/syslinux/APKBUILD b/main/syslinux/APKBUILD
index d4d8ca0002..bc55a97ec0 100644
--- a/main/syslinux/APKBUILD
+++ b/main/syslinux/APKBUILD
@@ -1,21 +1,19 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=syslinux
-pkgver=3.86
-pkgrel=1
+pkgver=4.00
+pkgrel=0
 pkgdesc="a boot loader for the Linux operating system which operates off an MS-DOS/Windows FAT filesystem."
 url="http://syslinux.org"
 license="GPL"
 makedepends="nasm perl"
 depends="mtools"
-source="http://www.kernel.org/pub/linux/utils/boot/syslinux/3.xx/$pkgname-$pkgver.tar.bz2
-        $pkgname-3.86-nopie.patch
+source="http://www.kernel.org/pub/linux/utils/boot/syslinux/${pkgver%%.*}.xx/$pkgname-$pkgver.tar.bz2
         "
 subpackages="$pkgname-doc"
 
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
         cd "$_builddir"
-        patch -p1 < ../$pkgname-3.86-nopie.patch || return 1
 }
 
 build() {
@@ -29,5 +27,4 @@ package() {
         make INSTALLROOT="$pkgdir" MANDIR=/usr/share/man local-install
 }
 
-md5sums="d6fb0231e82190b4932b2aa20274911a  syslinux-3.86.tar.bz2
-5852d62ba0772cf967156a75451e6066  syslinux-3.86-nopie.patch"
+md5sums="5a475dc9a37ecf7b0beec93eca474f5c  syslinux-4.00.tar.bz2"
diff --git a/main/uiconv/APKBUILD b/main/uiconv/APKBUILD
index ec563413de..1e4aac3b43 100644
--- a/main/uiconv/APKBUILD
+++ b/main/uiconv/APKBUILD
@@ -14,4 +14,4 @@ build() {
         make DESTDIR="$pkgdir" PREFIX=/usr/uiconv install
 }
 
-md5sums="de2ce8da53f32bdec578e1f0270fa15d  uiconv-0.3.tar.bz2"
+md5sums="5cd7f80085324d08cb976fec674cd98d  uiconv-0.3.tar.bz2"
diff --git a/rebuild-alpine.sh b/rebuild-alpine.sh
index a163e8a70b..5f975dd159 100755
--- a/rebuild-alpine.sh
+++ b/rebuild-alpine.sh
@@ -1,9 +1,11 @@
-rootdir=$(pwd)
+rootdir=$(pwd -P)
 
 distclean () {
+    echo "Removing traces of previous builds from $rootdir"
     local allpkgs=$(find $rootdir -maxdepth 3 -name APKBUILD -print | sed -e 's/\/APKBUILD//g' | sort)
     for p in $allpkgs ; do
         cd $p
+        pwd
         abuild clean            2>&1
         abuild cleanoldpkg      2>&1
         abuild cleanpkg         2>&1
@@ -16,7 +18,7 @@ build () {
     local maintainer
     local pkgno
     local failed
-    pkgs=$(./aport.lua deplist $rootdir $1)
+    pkgs=$($rootdir/aport.lua deplist $rootdir $1)
     pktcnt=$(echo $pkgs | wc -w)
     pkgno=0
     failed=0
@@ -42,14 +44,19 @@ build () {
 
 touch START_OF_BUILD.txt
 
-if [ "$1" != "noclean" ] ; then
-    echo "Removing traces of previous builds"
+if [ "$1" = "clean" ] ; then
+    echo "Invoked with 'clean' option. This will take a while ..."
     tmp=$(distclean)
+    echo "Done"
 fi
 
 echo "Refresh aports tree"
 git pull
 
+#cd main/build-base
+#abuild -Ru
+#cd $rootdir
+
 for s in main testing unstable ; do
     echo "Building packages in $s"
     build $s
diff --git a/testing/opentracker/opentracker.pre-install b/testing/opentracker/opentracker.pre-install
deleted file mode 100644
index 942fcd6706..0000000000
--- a/testing/opentracker/opentracker.pre-install
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-adduser -D -S -h /var/empty -s /sbin/false opentracker 2>/dev/null
-exit 0
-
diff --git a/testing/py-crypto/APKBUILD b/testing/py-crypto/APKBUILD
index 75f31dd658..a1beecb8fd 100644
--- a/testing/py-crypto/APKBUILD
+++ b/testing/py-crypto/APKBUILD
@@ -1,12 +1,12 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=py-crypto
 pkgver=2.0.1
-pkgrel=2
+pkgrel=3
 pkgdesc="A collection of cryptographic algorithms and protocols, implemented for use from Python."
 url="http://www.amk.ca/python/code/crypto.html"
 license="GPL"
 depends="python"
-makedepends="gmp5-dev python-dev"
+makedepends="gmp-dev python-dev"
 source="http://www.amk.ca/files/python/crypto/pycrypto-$pkgver.tar.gz"
 
 _builddir="$srcdir"/pycrypto-$pkgver