main/linux-grsec: upgrade to 3.9.5

(cherry picked from commit 26c4e189e825d62d0249fb5f499bcb545d40e1ab)

fixes #2078

6 files changed, 386 insertions, 616 deletions

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index fc6b18a8da..997d1d4726 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,12 +2,12 @@
 
 _flavor=grsec
 pkgname=linux-${_flavor}
-pkgver=3.9.4
+pkgver=3.9.5
 case $pkgver in
 *.*.*)  _kernver=${pkgver%.*};;
 *.*)    _kernver=${pkgver};;
 esac
-pkgrel=1
+pkgrel=0
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -17,10 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
         http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
-        grsecurity-2.9.1-3.9.4-201306011536.patch
-
-        leds-leds-gpio-reserve-gpio-before-using-it.patch
-        ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+        grsecurity-2.9.1-3.9.5-201306102218.patch
 
         0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
         0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
@@ -152,41 +149,35 @@ dev() {
 }
 
 md5sums="4348c9b6b2eb3144d601e87c19d5d909  linux-3.9.tar.xz
-922c4553299e6692a28761d3032fc012  patch-3.9.4.xz
-08c33c99cb779ebd296d2b274c2deeda  grsecurity-2.9.1-3.9.4-201306011536.patch
-83db7136608d8101ae130728539dc376  leds-leds-gpio-reserve-gpio-before-using-it.patch
-ac9a50bdbe91ba6e5205e83f7e734ff5  ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+aa22187ae5cd482a69097e9e59244491  patch-3.9.5.xz
+58dec4906c5abc6dc29355eb31816933  grsecurity-2.9.1-3.9.5-201306102218.patch
 a16f11b12381efb3bec79b9bfb329836  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 656ae7b10dd2f18dbfa1011041d08d60  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 aa454ffb96428586447775c21449e284  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
 2a12a3717052e878c0cd42aa935bfcf4  0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
 6ce5fed63aad3f1a1ff1b9ba7b741822  0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 1a5800a2122ba0cc0d06733cb3bb8b8f  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
-fd6fd35309c0e8c1f05cb725df958f22  kernelconfig.x86
-fd61ff58d25155997c0d6f73e7ca7a7d  kernelconfig.x86_64"
+3e219a1f25136b204d00865939532fe9  kernelconfig.x86
+1d057c89927a68e5f44896887ad3e379  kernelconfig.x86_64"
 sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541  linux-3.9.tar.xz
-694ea0d527556c5a214597596f37cdb598d2a0652d6f5e86b8c0de718990ccec  patch-3.9.4.xz
-3bf95754ba94f3dfa7a91d92726e83c9092feab9e990f70d31bc52974bff27b0  grsecurity-2.9.1-3.9.4-201306011536.patch
-13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4  leds-leds-gpio-reserve-gpio-before-using-it.patch
-ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23  ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+f25145ff6ddde7a633839aabfd97b0d8239e14c494fd16210871229a35c1c0de  patch-3.9.5.xz
+196ee8f6b9fc368ac7c09dc6f929e947f4a02b7ef66c2f84f00fa7f682774604  grsecurity-2.9.1-3.9.5-201306102218.patch
 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
 260fd1807838b68305a96992bf7d3302a2a8ef3a3b08fe079ba9a07e6422f736  0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
 ae32bb72afa170e6c3788c564b342763aba5945afacc1e2ebfc096adf50d77a3  0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
-b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a  kernelconfig.x86
-7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79  kernelconfig.x86_64"
+cc3bd3d23f6a73ea6488c158de9d195ad5e3d87859ce02d92a04f0e08c9503d3  kernelconfig.x86
+b780ef646b3b30a5b0307102367e17d45bb3a0ab7e37cf92a1ce783c3149243a  kernelconfig.x86_64"
 sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790  linux-3.9.tar.xz
-2a2eb511a610e8e3ddbc38b8bce0b96e60875009b7981542c98f0de3a601632a205fa9f90c6912094196dbda6536083b3990b28204c243a406f5595c40df0965  patch-3.9.4.xz
-eb326ded756cbe086c7999c5a982b6b695ae8ee3c25523a22acd480d97de0603d86eeef5252fe957ed5ccd4e7736db271a253264108e757b23a9bd3e82b32529  grsecurity-2.9.1-3.9.4-201306011536.patch
-10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d  leds-leds-gpio-reserve-gpio-before-using-it.patch
-769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327  ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+8e9a064adadd062c7ca52c44de19dfd46b029e60f2832988a606e086b669ea699861ec57732d4abfb16e486f767d123fcfd66da7c2ddde380b7c13582bb44983  patch-3.9.5.xz
+704f65e048888c64aa02214e80103745f16f2ddebe9e8304331208436481ca6b1fcadc2e862203142ac98b6d5f7c409ba542b68c11775c4e7ba765a63b3ab2a6  grsecurity-2.9.1-3.9.5-201306102218.patch
 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
 d2f578ad1d6e1fe52b55863e5bf338ae8201b828a498ec3e42e549c55295d3d1c6c3adfa9e226d711e3486628ed56ab996484e219d79ac4b0c0ec684ebd380aa  0004-ipv4-rate-limit-updating-of-next-hop-exceptions-with.patch
 28a33e644bf2faf99c8dd6dbccfe14e140dfdd8824a8fb2d58aa7deb9e572f130d92b6b35ee181084050d82166bdf2e498a451a2a538a67b7ab84204405d2d87  0005-ipv4-use-separate-genid-for-next-hop-exceptions.patch
 249140374c19a5599876268ff5b3cda2e136681aee103b4a9fff5d7d346f8e3295a907fb43db0701b8a9fece64c299ad2abac0434259cce6631307ce84090205  0006-ipv4-use-next-hop-exceptions-also-for-input-routes.patch
-2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611  kernelconfig.x86
-0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9  kernelconfig.x86_64"
+00fd8694455935f96e46b6624388b8c04af27ce4295040362da78c34bf9f08382bc69c1b8b273145573a59e3b4eecfa251119560da19ab390f171a8a6da18298  kernelconfig.x86
+6276f503f9dd7ea228b1661f9a36edcf18d2c4cfb6d9c4e3e1496a4f70709cc693fc8498186d86dd3f303c909c50e478cb95e08a05f50bda77c9cf165aca1ba1  kernelconfig.x86_64"
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.4-201306011536.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306102218.patch
index 9a1a55c812..49e438f1bb 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.9.4-201306011536.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.9.5-201306102218.patch
@@ -259,7 +259,7 @@ index 8ccbf27..afffeb4 100644
  
         pcd.            [PARIDE]
 diff --git a/Makefile b/Makefile
-index bfbfaf9..d0b1bb8 100644
+index 8818c95..ced0bb1 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3390,7 +3390,7 @@ index 044c31d..2ee0861 100644
  struct omap_device *omap_device_alloc(struct platform_device *pdev,
                                       struct omap_hwmod **ohs, int oh_cnt);
 diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
-index a202a47..c430564 100644
+index 3a750de..4c9b88f 100644
 --- a/arch/arm/mach-omap2/omap_hwmod.c
 +++ b/arch/arm/mach-omap2/omap_hwmod.c
 @@ -191,10 +191,10 @@ struct omap_hwmod_soc_ops {
@@ -5763,6 +5763,19 @@ index e0a8235..ce2f1e1 100644
                  ret = __copy_from_user(to, from, n);
          else
                  copy_from_user_overflow();
+diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
+index 5709c5e..14285ca 100644
+--- a/arch/parisc/kernel/drivers.c
++++ b/arch/parisc/kernel/drivers.c
+@@ -394,7 +394,7 @@ EXPORT_SYMBOL(print_pci_hwpath);
+ static void setup_bus_id(struct parisc_device *padev)
+ {
+        struct hardware_path path;
+-       char name[20];
++       char name[28];
+        char *output = name;
+        int i;
+ 
 diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
 index 2a625fb..9908930 100644
 --- a/arch/parisc/kernel/module.c
@@ -5866,6 +5879,20 @@ index 2a625fb..9908930 100644
  
         DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
                me->arch.unwind_section, table, end, gp);
+diff --git a/arch/parisc/kernel/setup.c b/arch/parisc/kernel/setup.c
+index a3328c2..3b812eb 100644
+--- a/arch/parisc/kernel/setup.c
++++ b/arch/parisc/kernel/setup.c
+@@ -69,7 +69,8 @@ void __init setup_cmdline(char **cmdline_p)
+                /* called from hpux boot loader */
+                boot_command_line[0] = '\0';
+        } else {
+-               strcpy(boot_command_line, (char *)__va(boot_args[1]));
++               strlcpy(boot_command_line, (char *)__va(boot_args[1]),
++                       COMMAND_LINE_SIZE);
+ 
+ #ifdef CONFIG_BLK_DEV_INITRD
+                if (boot_args[2] != 0) /* did palo pass us a ramdisk? */
 diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
 index 5dfd248..64914ac 100644
 --- a/arch/parisc/kernel/sys_parisc.c
@@ -6353,10 +6380,10 @@ index 4aad413..85d86bf 100644
  #define _PAGE_NO_CACHE 0x020   /* I: cache inhibit */
  #define _PAGE_WRITETHRU        0x040   /* W: cache write-through */
 diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
-index c9c67fc..e10c012 100644
+index 3b097a8..8f8c774 100644
 --- a/arch/powerpc/include/asm/reg.h
 +++ b/arch/powerpc/include/asm/reg.h
-@@ -245,6 +245,7 @@
+@@ -234,6 +234,7 @@
  #define SPRN_DBCR      0x136   /* e300 Data Breakpoint Control Reg */
  #define SPRN_DSISR     0x012   /* Data Storage Interrupt Status Register */
  #define   DSISR_NOHPTE         0x40000000      /* no translation found */
@@ -6790,10 +6817,10 @@ index f9b30c6..d72e7a3 100644
  
         if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
 diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
-index 95068bf..9ba1814 100644
+index 201385c..0f01828 100644
 --- a/arch/powerpc/kernel/signal_32.c
 +++ b/arch/powerpc/kernel/signal_32.c
-@@ -982,7 +982,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
+@@ -976,7 +976,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
         /* Save user registers on the stack */
         frame = &rt_sf->uc.uc_mcontext;
         addr = frame;
@@ -6803,10 +6830,10 @@ index 95068bf..9ba1814 100644
                 tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp;
         } else {
 diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
-index c179428..58acdaa 100644
+index 3459473..2d40783 100644
 --- a/arch/powerpc/kernel/signal_64.c
 +++ b/arch/powerpc/kernel/signal_64.c
-@@ -758,7 +758,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info,
+@@ -749,7 +749,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info,
  #endif
  
         /* Set up to return from userspace. */
@@ -6829,10 +6856,10 @@ index 3ce1f86..c30e629 100644
  };
  
 diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
-index 83efa2f..6bb5839 100644
+index 1c22b2d..3b56e67 100644
 --- a/arch/powerpc/kernel/traps.c
 +++ b/arch/powerpc/kernel/traps.c
-@@ -141,6 +141,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
+@@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
         return flags;
  }
  
@@ -6841,7 +6868,7 @@ index 83efa2f..6bb5839 100644
  static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
                                int signr)
  {
-@@ -190,6 +192,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
+@@ -191,6 +193,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
                 panic("Fatal exception in interrupt");
         if (panic_on_oops)
                 panic("Fatal exception");
@@ -20475,7 +20502,7 @@ index 73afd11..d1670f5 100644
 +       .fill PAGE_SIZE_asm - GDT_SIZE,1,0
 +       .endr
 diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
-index 08f7e80..40cbed5 100644
+index 321d65e..e9437f7 100644
 --- a/arch/x86/kernel/head_64.S
 +++ b/arch/x86/kernel/head_64.S
 @@ -20,6 +20,8 @@
@@ -20516,7 +20543,7 @@ index 08f7e80..40cbed5 100644
  
         /*
          * Set up the identity mapping for the switchover.  These
-@@ -175,8 +187,8 @@ ENTRY(secondary_startup_64)
+@@ -177,8 +189,8 @@ ENTRY(secondary_startup_64)
         movq    $(init_level4_pgt - __START_KERNEL_map), %rax
  1:
  
@@ -20527,7 +20554,7 @@ index 08f7e80..40cbed5 100644
         movq    %rcx, %cr4
  
         /* Setup early boot stage 4 level pagetables. */
-@@ -197,10 +209,18 @@ ENTRY(secondary_startup_64)
+@@ -199,10 +211,18 @@ ENTRY(secondary_startup_64)
         movl    $MSR_EFER, %ecx
         rdmsr
         btsl    $_EFER_SCE, %eax        /* Enable System Call */
@@ -20547,7 +20574,7 @@ index 08f7e80..40cbed5 100644
  1:     wrmsr                           /* Make changes effective */
  
         /* Setup cr0 */
-@@ -280,6 +300,7 @@ ENTRY(secondary_startup_64)
+@@ -282,6 +302,7 @@ ENTRY(secondary_startup_64)
          *      REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
          *              address given in m16:64.
          */
@@ -20555,7 +20582,7 @@ index 08f7e80..40cbed5 100644
         movq    initial_code(%rip),%rax
         pushq   $0              # fake return address to stop unwinder
         pushq   $__KERNEL_CS    # set correct cs
-@@ -386,7 +407,7 @@ ENTRY(early_idt_handler)
+@@ -388,7 +409,7 @@ ENTRY(early_idt_handler)
         call dump_stack
  #ifdef CONFIG_KALLSYMS 
         leaq early_idt_ripmsg(%rip),%rdi
@@ -20564,7 +20591,7 @@ index 08f7e80..40cbed5 100644
         call __print_symbol
  #endif
  #endif /* EARLY_PRINTK */
-@@ -414,6 +435,7 @@ ENDPROC(early_idt_handler)
+@@ -416,6 +437,7 @@ ENDPROC(early_idt_handler)
  early_recursion_flag:
         .long 0
  
@@ -20572,7 +20599,7 @@ index 08f7e80..40cbed5 100644
  #ifdef CONFIG_EARLY_PRINTK
  early_idt_msg:
         .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
-@@ -443,27 +465,50 @@ NEXT_PAGE(early_dynamic_pgts)
+@@ -445,27 +467,50 @@ NEXT_PAGE(early_dynamic_pgts)
  
         .data
  
@@ -20631,7 +20658,7 @@ index 08f7e80..40cbed5 100644
  
  NEXT_PAGE(level3_kernel_pgt)
         .fill   L3_START_KERNEL,8,0
-@@ -471,6 +516,9 @@ NEXT_PAGE(level3_kernel_pgt)
+@@ -473,6 +518,9 @@ NEXT_PAGE(level3_kernel_pgt)
         .quad   level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
         .quad   level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
  
@@ -20641,7 +20668,7 @@ index 08f7e80..40cbed5 100644
  NEXT_PAGE(level2_kernel_pgt)
         /*
          * 512 MB kernel mapping. We spend a full page on this pagetable
-@@ -486,38 +534,64 @@ NEXT_PAGE(level2_kernel_pgt)
+@@ -488,38 +536,64 @@ NEXT_PAGE(level2_kernel_pgt)
                 KERNEL_IMAGE_SIZE/PMD_SIZE)
  
  NEXT_PAGE(level2_fixmap_pgt)
@@ -20743,10 +20770,10 @@ index 0fa6912..37fce70 100644
 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
 +#endif
 diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
-index 245a71d..89d9ce4 100644
+index cb33909..1163b40 100644
 --- a/arch/x86/kernel/i387.c
 +++ b/arch/x86/kernel/i387.c
-@@ -55,7 +55,7 @@ static inline bool interrupted_kernel_fpu_idle(void)
+@@ -51,7 +51,7 @@ static inline bool interrupted_kernel_fpu_idle(void)
  static inline bool interrupted_user_mode(void)
  {
         struct pt_regs *regs = get_irq_regs();
@@ -23943,7 +23970,7 @@ index a20ecb5..d0e2194 100644
  
  out:
 diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 59622c9..f338414 100644
+index 698eece..776b682 100644
 --- a/arch/x86/kvm/emulate.c
 +++ b/arch/x86/kvm/emulate.c
 @@ -328,6 +328,7 @@ static void invalidate_registers(struct x86_emulate_ctxt *ctxt)
@@ -31882,10 +31909,10 @@ index 34c8216..f56c828 100644
                                 unsigned long timeout_msec)
  {
 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 63c743b..0422dc6 100644
+index cf15aee..e0b7078 100644
 --- a/drivers/ata/libata-core.c
 +++ b/drivers/ata/libata-core.c
-@@ -4786,7 +4786,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+@@ -4792,7 +4792,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
         struct ata_port *ap;
         unsigned int tag;
  
@@ -31894,7 +31921,7 @@ index 63c743b..0422dc6 100644
         ap = qc->ap;
  
         qc->flags = 0;
-@@ -4802,7 +4802,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+@@ -4808,7 +4808,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
         struct ata_port *ap;
         struct ata_link *link;
  
@@ -31903,7 +31930,7 @@ index 63c743b..0422dc6 100644
         WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
         ap = qc->ap;
         link = qc->dev->link;
-@@ -5920,6 +5920,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5926,6 +5926,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
                 return;
  
         spin_lock(&lock);
@@ -31911,7 +31938,7 @@ index 63c743b..0422dc6 100644
  
         for (cur = ops->inherits; cur; cur = cur->inherits) {
                 void **inherit = (void **)cur;
-@@ -5933,8 +5934,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5939,8 +5940,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
                 if (IS_ERR(*pp))
                         *pp = NULL;
  
@@ -31951,7 +31978,7 @@ index f9b983a..887b9d8 100644
         return 0;
  }
 diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c
-index 77a7480..05cde58 100644
+index 77a7480d..05cde58 100644
 --- a/drivers/atm/ambassador.c
 +++ b/drivers/atm/ambassador.c
 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) {
@@ -33220,7 +33247,7 @@ index 7fda30e..eb5dfe0 100644
         /* queue and queue Info */ 
         struct list_head reqQ;
 diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
-index 3f08713..56a586a 100644
+index 3f08713..87d4b4a 100644
 --- a/drivers/block/cpqarray.c
 +++ b/drivers/block/cpqarray.c
 @@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
@@ -33295,7 +33322,15 @@ index 3f08713..56a586a 100644
                         a1 = a; a &= ~3;
                         if ((c = h->cmpQ) == NULL)
                         {  
-@@ -1449,11 +1449,11 @@ static int sendcmd(
+@@ -1195,6 +1195,7 @@ out_passthru:
+                ida_pci_info_struct pciinfo;
+ 
+                if (!arg) return -EINVAL;
++               memset(&pciinfo, 0, sizeof(pciinfo));
+                pciinfo.bus = host->pci_dev->bus->number;
+                pciinfo.dev_fn = host->pci_dev->devfn;
+                pciinfo.board_id = host->board_id;
+@@ -1449,11 +1450,11 @@ static int sendcmd(
         /*
          * Disable interrupt
          */
@@ -33309,7 +33344,7 @@ index 3f08713..56a586a 100644
                 if (temp != 0) {
                         break;
                 }
-@@ -1466,7 +1466,7 @@ DBG(
+@@ -1466,7 +1467,7 @@ DBG(
         /*
          * Send the cmd
          */
@@ -33318,7 +33353,7 @@ index 3f08713..56a586a 100644
         complete = pollcomplete(ctlr);
         
         pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr, 
-@@ -1549,9 +1549,9 @@ static int revalidate_allvol(ctlr_info_t *host)
+@@ -1549,9 +1550,9 @@ static int revalidate_allvol(ctlr_info_t *host)
          * we check the new geometry.  Then turn interrupts back on when
          * we're done.
          */
@@ -33330,7 +33365,7 @@ index 3f08713..56a586a 100644
  
         for(i=0; i<NWD; i++) {
                 struct gendisk *disk = ida_gendisk[ctlr][i];
-@@ -1591,7 +1591,7 @@ static int pollcomplete(int ctlr)
+@@ -1591,7 +1592,7 @@ static int pollcomplete(int ctlr)
         /* Wait (up to 2 seconds) for a command to complete */
  
         for (i = 200000; i > 0; i--) {
@@ -33542,7 +33577,7 @@ index 2e7de7a..ed86dc0 100644
  static DEFINE_MUTEX(pktcdvd_mutex);
  static struct pktcdvd_device *pkt_devs[MAX_WRITERS];
 diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
-index d620b44..587561e 100644
+index d620b44..e9abc80 100644
 --- a/drivers/cdrom/cdrom.c
 +++ b/drivers/cdrom/cdrom.c
 @@ -416,7 +416,6 @@ int register_cdrom(struct cdrom_device_info *cdi)
@@ -33575,6 +33610,24 @@ index d620b44..587561e 100644
         cdinfo(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name);
  }
  
+@@ -2107,7 +2108,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
+         */
+        nr = nframes;
+        do {
+-               cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
++               cgc.buffer = kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
+                if (cgc.buffer)
+                        break;
+ 
+@@ -2882,7 +2883,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
+        if (lba < 0)
+                return -EINVAL;
+ 
+-       cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++       cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+        if (cgc->buffer == NULL)
+                return -ENOMEM;
+ 
 diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
 index d59cdcb..11afddf 100644
 --- a/drivers/cdrom/gdrom.c
@@ -33882,6 +33935,18 @@ index 2c644af..d4d7f17 100644
  };
  
  static int memory_open(struct inode *inode, struct file *filp)
+diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
+index c689697..04e6d6a 100644
+--- a/drivers/char/mwave/tp3780i.c
++++ b/drivers/char/mwave/tp3780i.c
+@@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
+        PRINTK_2(TRACE_TP3780I,
+                "tp3780i::tp3780I_QueryAbilities entry pBDData %p\n", pBDData);
+ 
++       memset(pAbilities, 0, sizeof(*pAbilities));
+        /* fill out standard constant fields */
+        pAbilities->instr_per_sec = pBDData->rDspSettings.uIps;
+        pAbilities->data_size = pBDData->rDspSettings.uDStoreSize;
 diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c
 index 9df78e2..01ba9ae 100644
 --- a/drivers/char/nvram.c
@@ -33971,7 +34036,7 @@ index 5c5cc00..ac9edb7 100644
  
         if (cmd != SIOCWANDEV)
 diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 32a6c57..98038d5 100644
+index eccd7cc..98038d5 100644
 --- a/drivers/char/random.c
 +++ b/drivers/char/random.c
 @@ -272,8 +272,13 @@
@@ -34017,85 +34082,7 @@ index 32a6c57..98038d5 100644
         smp_wmb();
  
         if (out)
-@@ -865,16 +877,24 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
-        if (r->entropy_count / 8 < min + reserved) {
-                nbytes = 0;
-        } else {
-+               int entropy_count, orig;
-+retry:
-+               entropy_count = orig = ACCESS_ONCE(r->entropy_count);
-                /* If limited, never pull more than available */
--               if (r->limit && nbytes + reserved >= r->entropy_count / 8)
--                       nbytes = r->entropy_count/8 - reserved;
-+               if (r->limit && nbytes + reserved >= entropy_count / 8)
-+                       nbytes = entropy_count/8 - reserved;
- 
--               if (r->entropy_count / 8 >= nbytes + reserved)
--                       r->entropy_count -= nbytes*8;
--               else
--                       r->entropy_count = reserved;
-+               if (entropy_count / 8 >= nbytes + reserved) {
-+                       entropy_count -= nbytes*8;
-+                       if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
-+                               goto retry;
-+               } else {
-+                       entropy_count = reserved;
-+                       if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
-+                               goto retry;
-+               }
- 
--               if (r->entropy_count < random_write_wakeup_thresh)
-+               if (entropy_count < random_write_wakeup_thresh)
-                        wakeup_write = 1;
-        }
- 
-@@ -957,10 +977,23 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
- {
-        ssize_t ret = 0, i;
-        __u8 tmp[EXTRACT_SIZE];
-+       unsigned long flags;
- 
-        /* if last_data isn't primed, we need EXTRACT_SIZE extra bytes */
--       if (fips_enabled && !r->last_data_init)
--               nbytes += EXTRACT_SIZE;
-+       if (fips_enabled) {
-+               spin_lock_irqsave(&r->lock, flags);
-+               if (!r->last_data_init) {
-+                       r->last_data_init = true;
-+                       spin_unlock_irqrestore(&r->lock, flags);
-+                       trace_extract_entropy(r->name, EXTRACT_SIZE,
-+                                             r->entropy_count, _RET_IP_);
-+                       xfer_secondary_pool(r, EXTRACT_SIZE);
-+                       extract_buf(r, tmp);
-+                       spin_lock_irqsave(&r->lock, flags);
-+                       memcpy(r->last_data, tmp, EXTRACT_SIZE);
-+               }
-+               spin_unlock_irqrestore(&r->lock, flags);
-+       }
- 
-        trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
-        xfer_secondary_pool(r, nbytes);
-@@ -970,19 +1003,6 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
-                extract_buf(r, tmp);
- 
-                if (fips_enabled) {
--                       unsigned long flags;
--
--
--                       /* prime last_data value if need be, per fips 140-2 */
--                       if (!r->last_data_init) {
--                               spin_lock_irqsave(&r->lock, flags);
--                               memcpy(r->last_data, tmp, EXTRACT_SIZE);
--                               r->last_data_init = true;
--                               nbytes -= EXTRACT_SIZE;
--                               spin_unlock_irqrestore(&r->lock, flags);
--                               extract_buf(r, tmp);
--                       }
--
-                        spin_lock_irqsave(&r->lock, flags);
-                        if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
-                                panic("Hardware RNG duplicated output!\n");
-@@ -1024,7 +1044,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+@@ -1032,7 +1044,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
  
                 extract_buf(r, tmp);
                 i = min_t(int, nbytes, EXTRACT_SIZE);
@@ -34104,7 +34091,7 @@ index 32a6c57..98038d5 100644
                         ret = -EFAULT;
                         break;
                 }
-@@ -1360,7 +1380,7 @@ EXPORT_SYMBOL(generate_random_uuid);
+@@ -1368,7 +1380,7 @@ EXPORT_SYMBOL(generate_random_uuid);
  #include <linux/sysctl.h>
  
  static int min_read_thresh = 8, min_write_thresh;
@@ -34113,7 +34100,7 @@ index 32a6c57..98038d5 100644
  static int max_write_thresh = INPUT_POOL_WORDS * 32;
  static char sysctl_bootid[16];
  
-@@ -1376,7 +1396,7 @@ static char sysctl_bootid[16];
+@@ -1384,7 +1396,7 @@ static char sysctl_bootid[16];
  static int proc_do_uuid(ctl_table *table, int write,
                         void __user *buffer, size_t *lenp, loff_t *ppos)
  {
@@ -35743,10 +35730,10 @@ index 5a82b6b..9e69c73 100644
         if (regcomp
             (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
 diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
-index 44b8034..cc722fd 100644
+index 5073665..31d15a6 100644
 --- a/drivers/gpu/drm/radeon/radeon_device.c
 +++ b/drivers/gpu/drm/radeon/radeon_device.c
-@@ -977,7 +977,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
+@@ -976,7 +976,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
         bool can_switch;
  
         spin_lock(&dev->count_lock);
@@ -37505,6 +37492,37 @@ index 89562a8..218999b 100644
                 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
                 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
                 capimsg_setu16(skb->data, 16, len);     /* Data length */
+diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
+index 9b1b274..c123709 100644
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -93,7 +93,7 @@ capi_ctr_put(struct capi_ctr *ctr)
+ 
+ static inline struct capi_ctr *get_capi_ctr_by_nr(u16 contr)
+ {
+-       if (contr - 1 >= CAPI_MAXCONTR)
++       if (contr < 1 || contr - 1 >= CAPI_MAXCONTR)
+                return NULL;
+ 
+        return capi_controller[contr - 1];
+@@ -103,7 +103,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid)
+ {
+        lockdep_assert_held(&capi_controller_lock);
+ 
+-       if (applid - 1 >= CAPI_MAXAPPL)
++       if (applid < 1 || applid - 1 >= CAPI_MAXAPPL)
+                return NULL;
+ 
+        return capi_applications[applid - 1];
+@@ -111,7 +111,7 @@ static inline struct capi20_appl *__get_capi_appl_by_nr(u16 applid)
+ 
+ static inline struct capi20_appl *get_capi_appl_by_nr(u16 applid)
+ {
+-       if (applid - 1 >= CAPI_MAXAPPL)
++       if (applid < 1 || applid - 1 >= CAPI_MAXAPPL)
+                return NULL;
+ 
+        return rcu_dereference(capi_applications[applid - 1]);
 diff --git a/drivers/isdn/gigaset/interface.c b/drivers/isdn/gigaset/interface.c
 index e2b5396..c5486dc 100644
 --- a/drivers/isdn/gigaset/interface.c
@@ -39597,7 +39615,7 @@ index ff90760..08d8aed 100644
  /**
   * bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters.
 diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
-index 8d7d4c2..95f7681 100644
+index 25309bf..fcfd54c 100644
 --- a/drivers/net/ethernet/broadcom/tg3.h
 +++ b/drivers/net/ethernet/broadcom/tg3.h
 @@ -147,6 +147,7 @@
@@ -40506,10 +40524,10 @@ index 12c4f31..484d948 100644
  
         memset(buf, 0, sizeof(buf));
 diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
-index cffdf4f..7cefb69 100644
+index 2b49f48..14fc244 100644
 --- a/drivers/net/wireless/mac80211_hwsim.c
 +++ b/drivers/net/wireless/mac80211_hwsim.c
-@@ -2144,25 +2144,19 @@ static int __init init_mac80211_hwsim(void)
+@@ -2143,25 +2143,19 @@ static int __init init_mac80211_hwsim(void)
  
         if (channels > 1) {
                 hwsim_if_comb.num_different_channels = channels;
@@ -42680,7 +42698,7 @@ index 5f13890..36a044b 100644
  
         pDevice->apdev->type = ARPHRD_IEEE80211;
 diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c
-index bc5e9da..dacd556 100644
+index a94e66f..31984d0 100644
 --- a/drivers/staging/vt6656/hostap.c
 +++ b/drivers/staging/vt6656/hostap.c
 @@ -60,14 +60,13 @@ static int          msglevel                =MSG_LEVEL_INFO;
@@ -42751,48 +42769,6 @@ index adbe5a8..d387359 100644
  extern void tmem_register_hostops(struct tmem_hostops *m);
  
  /* core tmem accessor functions */
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
-index ca2be40..93ae910 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.c
-+++ b/drivers/target/iscsi/iscsi_target_parameters.c
-@@ -712,9 +712,9 @@ static int iscsi_add_notunderstood_response(
-        }
-        INIT_LIST_HEAD(&extra_response->er_list);
- 
--       strncpy(extra_response->key, key, strlen(key) + 1);
--       strncpy(extra_response->value, NOTUNDERSTOOD,
--                       strlen(NOTUNDERSTOOD) + 1);
-+       strlcpy(extra_response->key, key, sizeof(extra_response->key));
-+       strlcpy(extra_response->value, NOTUNDERSTOOD,
-+               sizeof(extra_response->value));
- 
-        list_add_tail(&extra_response->er_list,
-                        &param_list->extra_response_list);
-@@ -1583,8 +1583,6 @@ int iscsi_decode_text_input(
- 
-                if (phase & PHASE_SECURITY) {
-                        if (iscsi_check_for_auth_key(key) > 0) {
--                               char *tmpptr = key + strlen(key);
--                               *tmpptr = '=';
-                                kfree(tmpbuf);
-                                return 1;
-                        }
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
-index 1e1b750..2c536a0 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.h
-+++ b/drivers/target/iscsi/iscsi_target_parameters.h
-@@ -1,8 +1,10 @@
- #ifndef ISCSI_PARAMETERS_H
- #define ISCSI_PARAMETERS_H
- 
-+#include <scsi/iscsi_proto.h>
-+
- struct iscsi_extra_response {
--       char key[64];
-+       char key[KEY_MAXLEN];
-        char value[32];
-        struct list_head er_list;
- } ____cacheline_aligned;
 diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
 index 2e4d655..fd72e68 100644
 --- a/drivers/target/target_core_device.c
@@ -42807,10 +42783,10 @@ index 2e4d655..fd72e68 100644
         spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
         INIT_LIST_HEAD(&dev->t10_pr.registration_list);
 diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
-index 0d46276..f327cab5 100644
+index fc9a5a0..1d5975e 100644
 --- a/drivers/target/target_core_transport.c
 +++ b/drivers/target/target_core_transport.c
-@@ -1080,7 +1080,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
+@@ -1081,7 +1081,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
          * Used to determine when ORDERED commands should go from
          * Dormant to Active status.
          */
@@ -43153,10 +43129,10 @@ index 4a43ef5d7..aa71f27 100644
         dlci_get(dlci->gsm->dlci[0]);
         mux_get(dlci->gsm);
 diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 05e72be..67f6a0f 100644
+index 1f8cba6..47b06c2 100644
 --- a/drivers/tty/n_tty.c
 +++ b/drivers/tty/n_tty.c
-@@ -2197,6 +2197,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
+@@ -2205,6 +2205,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
  {
         *ops = tty_ldisc_N_TTY;
         ops->owner = NULL;
@@ -44078,7 +44054,7 @@ index c8b9262..7e824e6 100644
         ret = uio_get_minor(idev);
         if (ret)
 diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c
-index b7eb86a..c00402f 100644
+index 8a7eb77..c00402f 100644
 --- a/drivers/usb/atm/cxacru.c
 +++ b/drivers/usb/atm/cxacru.c
 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev,
@@ -44090,16 +44066,6 @@ index b7eb86a..c00402f 100644
                         return -EINVAL;
                 pos += tmp;
  
-@@ -686,7 +686,8 @@ static int cxacru_cm_get_array(struct cxacru_data *instance, enum cxacru_cm_requ
- {
-        int ret, len;
-        __le32 *buf;
--       int offb, offd;
-+       int offb;
-+       unsigned int offd;
-        const int stride = CMD_PACKET_SIZE / (4 * 2) - 1;
-        int buflen =  ((size - 1) / stride + 1 + size * 2) * 4;
- 
 diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c
 index 35f10bf..6a38a0b 100644
 --- a/drivers/usb/atm/usbatm.c
@@ -51161,39 +51127,6 @@ index febbe0e..782c4fd 100644
  
  static int parse_strtoul(const char *buf,
                 unsigned long max, unsigned long *value)
-diff --git a/fs/fat/inode.c b/fs/fat/inode.c
-index acf6e47..e7a7fde 100644
---- a/fs/fat/inode.c
-+++ b/fs/fat/inode.c
-@@ -1223,6 +1223,19 @@ static int fat_read_root(struct inode *inode)
-        return 0;
- }
- 
-+static unsigned long calc_fat_clusters(struct super_block *sb)
-+{
-+       struct msdos_sb_info *sbi = MSDOS_SB(sb);
-+
-+       /* Divide first to avoid overflow */
-+       if (sbi->fat_bits != 12) {
-+               unsigned long ent_per_sec = sb->s_blocksize * 8 / sbi->fat_bits;
-+               return ent_per_sec * sbi->fat_length;
-+       }
-+
-+       return sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
-+}
-+
- /*
-  * Read the super block of an MS-DOS FS.
-  */
-@@ -1427,7 +1440,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat,
-                sbi->dirty = b->fat16.state & FAT_STATE_DIRTY;
- 
-        /* check that FAT table does not overflow */
--       fat_clusters = sbi->fat_length * sb->s_blocksize * 8 / sbi->fat_bits;
-+       fat_clusters = calc_fat_clusters(sb);
-        total_clusters = min(total_clusters, fat_clusters - FAT_START_ENT);
-        if (total_clusters > MAX_FAT(sb)) {
-                if (!silent)
 diff --git a/fs/fcntl.c b/fs/fcntl.c
 index 6599222..e7bf0de 100644
 --- a/fs/fcntl.c
@@ -52844,10 +52777,10 @@ index 11dfa0c..6f64416 100644
                 if (!ret)
                         ret = -EPIPE;
 diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
-index ff15522..092a0f6 100644
+index 185c479..51b9986 100644
 --- a/fs/fuse/dir.c
 +++ b/fs/fuse/dir.c
-@@ -1409,7 +1409,7 @@ static char *read_link(struct dentry *dentry)
+@@ -1415,7 +1415,7 @@ static char *read_link(struct dentry *dentry)
         return link;
  }
  
@@ -53940,10 +53873,18 @@ index e7bc1d7..06bd4bb 100644
         }
  
 diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
-index 5d84442..bf24453 100644
+index 5d84442..2c034ba 100644
 --- a/fs/notify/fanotify/fanotify_user.c
 +++ b/fs/notify/fanotify/fanotify_user.c
-@@ -251,8 +251,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
+@@ -121,6 +121,7 @@ static int fill_event_metadata(struct fsnotify_group *group,
+        metadata->event_len = FAN_EVENT_METADATA_LEN;
+        metadata->metadata_len = FAN_EVENT_METADATA_LEN;
+        metadata->vers = FANOTIFY_METADATA_VERSION;
++       metadata->reserved = 0;
+        metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
+        metadata->pid = pid_vnr(event->tgid);
+        if (unlikely(event->mask & FAN_Q_OVERFLOW))
+@@ -251,8 +252,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
  
         fd = fanotify_event_metadata.fd;
         ret = -EFAULT;
@@ -56526,7 +56467,7 @@ index d681e34..2a3f5ab 100644
                 goto out_put;
  
 diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
-index d82efaa..0904a8e 100644
+index ca9ecaa..60100c7 100644
 --- a/fs/xfs/xfs_iops.c
 +++ b/fs/xfs/xfs_iops.c
 @@ -395,7 +395,7 @@ xfs_vn_put_link(
@@ -56540,10 +56481,10 @@ index d82efaa..0904a8e 100644
                 kfree(s);
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..7174794
+index 0000000..ba9c5e3
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1031 @@
+@@ -0,0 +1,1053 @@
 +#
 +# grecurity configuration
 +#
@@ -56629,6 +56570,25 @@ index 0000000..7174794
 +         If you're using KERNEXEC, it's recommended that you enable this option
 +         to supplement the hardening of the kernel.
 +  
++config GRKERNSEC_PERF_HARDEN
++       bool "Disable unprivileged PERF_EVENTS usage by default"
++       default y if GRKERNSEC_CONFIG_AUTO
++       depends on PERF_EVENTS
++       help
++         If you say Y here, the range of acceptable values for the
++         /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
++         default to a new value: 3.  When the sysctl is set to this value, no
++         unprivileged use of the PERF_EVENTS syscall interface will be permitted.
++
++         Though PERF_EVENTS can be used legitimately for performance monitoring
++         and low-level application profiling, it is forced on regardless of
++         configuration, has been at fault for several vulnerabilities, and
++         creates new opportunities for side channels and other information leaks.
++
++         This feature puts PERF_EVENTS into a secure default state and permits
++         the administrator to change out of it temporarily if unprivileged
++         application profiling is needed.
++
 +config GRKERNSEC_RAND_THREADSTACK
 +       bool "Insert random gaps between thread stacks"
 +       default y if GRKERNSEC_CONFIG_AUTO
@@ -56739,6 +56699,9 @@ index 0000000..7174794
 +         useful protection against local kernel exploitation of overflows
 +         and arbitrary read/write vulnerabilities.
 +
++         It is highly recommended that you enable GRKERNSEC_PERF_HARDEN
++         in addition to this feature.
++
 +config GRKERNSEC_KERN_LOCKOUT
 +       bool "Active kernel exploit response"
 +       default y if GRKERNSEC_CONFIG_AUTO
@@ -70441,7 +70404,7 @@ index 45fc162..01a4068 100644
  /**
   * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
 diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
-index 1d795df..727aa7b 100644
+index 1d795df..b0a6449 100644
 --- a/include/linux/perf_event.h
 +++ b/include/linux/perf_event.h
 @@ -333,8 +333,8 @@ struct perf_event {
@@ -70475,8 +70438,15 @@ index 1d795df..727aa7b 100644
  extern int sysctl_perf_event_mlock;
  extern int sysctl_perf_event_sample_rate;
  
-@@ -714,17 +714,17 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
+@@ -712,19 +712,24 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
+                void __user *buffer, size_t *lenp,
+                loff_t *ppos);
  
++static inline bool perf_paranoid_any(void)
++{
++       return sysctl_perf_event_legitimately_concerned > 2;
++}
++
  static inline bool perf_paranoid_tracepoint_raw(void)
  {
 -       return sysctl_perf_event_paranoid > -1;
@@ -70496,7 +70466,7 @@ index 1d795df..727aa7b 100644
  }
  
  extern void perf_event_init(void);
-@@ -812,7 +812,7 @@ static inline void perf_restore_debug_store(void)                   { }
+@@ -812,7 +817,7 @@ static inline void perf_restore_debug_store(void)                   { }
   */
  #define perf_cpu_notifier(fn)                                          \
  do {                                                                   \
@@ -70505,7 +70475,7 @@ index 1d795df..727aa7b 100644
                 { .notifier_call = fn, .priority = CPU_PRI_PERF };      \
         unsigned long cpu = smp_processor_id();                         \
         unsigned long flags;                                            \
-@@ -831,7 +831,7 @@ do {                                                                        \
+@@ -831,7 +836,7 @@ do {                                                                        \
  struct perf_pmu_events_attr {
         struct device_attribute attr;
         u64 id;
@@ -72906,10 +72876,10 @@ index a6a059c..2243336 100644
  struct snd_soc_platform {
         const char *name;
 diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
-index c4af592..20c52d2 100644
+index f8640f3..b72d113 100644
 --- a/include/target/target_core_base.h
 +++ b/include/target/target_core_base.h
-@@ -657,7 +657,7 @@ struct se_device {
+@@ -658,7 +658,7 @@ struct se_device {
         spinlock_t              stats_lock;
         /* Active commands on this virtual SE device */
         atomic_t                simple_cmds;
@@ -74209,10 +74179,10 @@ index f6c2ce5..982c0f9 100644
 +       return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
 +}
 diff --git a/kernel/cgroup.c b/kernel/cgroup.c
-index ba1f977..f840d9c 100644
+index a48de6a..df24bfe 100644
 --- a/kernel/cgroup.c
 +++ b/kernel/cgroup.c
-@@ -5569,7 +5569,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
+@@ -5567,7 +5567,7 @@ static int cgroup_css_links_read(struct cgroup *cont,
                 struct css_set *cg = link->cg;
                 struct task_struct *task;
                 int count = 0;
@@ -74632,15 +74602,19 @@ index 00eb8f7..d7e3244 100644
  #ifdef CONFIG_MODULE_UNLOAD
                 {
 diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9fcb094..fd68c54 100644
+index 9fcb094..8370228 100644
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
-@@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu;
+@@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu;
+  *   0 - disallow raw tracepoint access for unpriv
   *   1 - disallow cpu events for unpriv
   *   2 - disallow kernel profiling for unpriv
++ *   3 - disallow all unpriv perf event use
   */
 -int sysctl_perf_event_paranoid __read_mostly = 1;
-+#ifdef CONFIG_GRKERNSEC_HIDESYM
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
++int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
++#elif CONFIG_GRKERNSEC_HIDESYM
 +int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
 +#else
 +int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
@@ -74648,7 +74622,7 @@ index 9fcb094..fd68c54 100644
  
  /* Minimum for 512 kiB + 1 user control page */
  int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -182,7 +186,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
+@@ -182,7 +189,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
         return 0;
  }
  
@@ -74657,7 +74631,7 @@ index 9fcb094..fd68c54 100644
  
  static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
                               enum event_type_t event_type);
-@@ -2677,7 +2681,7 @@ static void __perf_event_read(void *info)
+@@ -2677,7 +2684,7 @@ static void __perf_event_read(void *info)
  
  static inline u64 perf_event_count(struct perf_event *event)
  {
@@ -74666,7 +74640,7 @@ index 9fcb094..fd68c54 100644
  }
  
  static u64 perf_event_read(struct perf_event *event)
-@@ -3007,9 +3011,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
+@@ -3007,9 +3014,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
         mutex_lock(&event->child_mutex);
         total += perf_event_read(event);
         *enabled += event->total_time_enabled +
@@ -74678,7 +74652,7 @@ index 9fcb094..fd68c54 100644
  
         list_for_each_entry(child, &event->child_list, child_list) {
                 total += perf_event_read(child);
-@@ -3412,10 +3416,10 @@ void perf_event_update_userpage(struct perf_event *event)
+@@ -3412,10 +3419,10 @@ void perf_event_update_userpage(struct perf_event *event)
                 userpg->offset -= local64_read(&event->hw.prev_count);
  
         userpg->time_enabled = enabled +
@@ -74691,7 +74665,7 @@ index 9fcb094..fd68c54 100644
  
         arch_perf_update_userpage(userpg, now);
  
-@@ -3886,7 +3890,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
+@@ -3886,7 +3893,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
  
                 /* Data. */
                 sp = perf_user_stack_pointer(regs);
@@ -74700,7 +74674,7 @@ index 9fcb094..fd68c54 100644
                 dyn_size = dump_size - rem;
  
                 perf_output_skip(handle, rem);
-@@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
+@@ -3974,11 +3981,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
         values[n++] = perf_event_count(event);
         if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
                 values[n++] = enabled +
@@ -74714,7 +74688,7 @@ index 9fcb094..fd68c54 100644
         }
         if (read_format & PERF_FORMAT_ID)
                 values[n++] = primary_event_id(event);
-@@ -4726,12 +4730,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
+@@ -4726,12 +4733,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
                  * need to add enough zero bytes after the string to handle
                  * the 64bit alignment we do later.
                  */
@@ -74729,7 +74703,7 @@ index 9fcb094..fd68c54 100644
                 if (IS_ERR(name)) {
                         name = strncpy(tmp, "//toolong", sizeof(tmp));
                         goto got_name;
-@@ -6167,7 +6171,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
+@@ -6167,7 +6174,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
         event->parent           = parent_event;
  
         event->ns               = get_pid_ns(task_active_pid_ns(current));
@@ -74738,7 +74712,19 @@ index 9fcb094..fd68c54 100644
  
         event->state            = PERF_EVENT_STATE_INACTIVE;
  
-@@ -6795,10 +6799,10 @@ static void sync_child_event(struct perf_event *child_event,
+@@ -6463,6 +6470,11 @@ SYSCALL_DEFINE5(perf_event_open,
+        if (flags & ~PERF_FLAG_ALL)
+                return -EINVAL;
+ 
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
++       if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
++               return -EACCES;
++#endif
++
+        err = perf_copy_attr(attr_uptr, &attr);
+        if (err)
+                return err;
+@@ -6795,10 +6807,10 @@ static void sync_child_event(struct perf_event *child_event,
         /*
          * Add back the child's count to the parent's count:
          */
@@ -75791,7 +75777,7 @@ index b2c71c5..7b88d63 100644
                 seq_printf(m, "%40s %14lu %29s %pS\n",
                            name, stats->contending_point[i],
 diff --git a/kernel/module.c b/kernel/module.c
-index 0925c9a..6b044ac 100644
+index 97f202c..109575f 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
 @@ -61,6 +61,7 @@
@@ -75956,7 +75942,7 @@ index 0925c9a..6b044ac 100644
                                                 set_memory_ro);
                 }
         }
-@@ -1881,16 +1883,19 @@ static void free_module(struct module *mod)
+@@ -1886,16 +1888,19 @@ static void free_module(struct module *mod)
  
         /* This may be NULL, but that's OK */
         unset_module_init_ro_nx(mod);
@@ -75979,7 +75965,7 @@ index 0925c9a..6b044ac 100644
  
  #ifdef CONFIG_MPU
         update_protections(current->mm);
-@@ -1960,9 +1965,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1965,9 +1970,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
         int ret = 0;
         const struct kernel_symbol *ksym;
  
@@ -76011,7 +75997,7 @@ index 0925c9a..6b044ac 100644
                 switch (sym[i].st_shndx) {
                 case SHN_COMMON:
                         /* We compiled with -fno-common.  These are not
-@@ -1983,7 +2010,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -1988,7 +2015,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
                         ksym = resolve_symbol_wait(mod, info, name);
                         /* Ok if resolved.  */
                         if (ksym && !IS_ERR(ksym)) {
@@ -76021,7 +76007,7 @@ index 0925c9a..6b044ac 100644
                                 break;
                         }
  
-@@ -2002,11 +2031,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
+@@ -2007,11 +2036,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
                                 secbase = (unsigned long)mod_percpu(mod);
                         else
                                 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
@@ -76042,7 +76028,7 @@ index 0925c9a..6b044ac 100644
         return ret;
  }
  
-@@ -2090,22 +2128,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
+@@ -2095,22 +2133,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
                             || s->sh_entsize != ~0UL
                             || strstarts(sname, ".init"))
                                 continue;
@@ -76069,7 +76055,7 @@ index 0925c9a..6b044ac 100644
         }
  
         pr_debug("Init section allocation order:\n");
-@@ -2119,23 +2147,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
+@@ -2124,23 +2152,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
                             || s->sh_entsize != ~0UL
                             || !strstarts(sname, ".init"))
                                 continue;
@@ -76098,7 +76084,7 @@ index 0925c9a..6b044ac 100644
         }
  }
  
-@@ -2308,7 +2326,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
+@@ -2313,7 +2331,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
  
         /* Put symbol section at end of init part of module. */
         symsect->sh_flags |= SHF_ALLOC;
@@ -76107,7 +76093,7 @@ index 0925c9a..6b044ac 100644
                                          info->index.sym) | INIT_OFFSET_MASK;
         pr_debug("\t%s\n", info->secstrings + symsect->sh_name);
  
-@@ -2325,13 +2343,13 @@ static void layout_symtab(struct module *mod, struct load_info *info)
+@@ -2330,13 +2348,13 @@ static void layout_symtab(struct module *mod, struct load_info *info)
         }
  
         /* Append room for core symbols at end of core part. */
@@ -76125,7 +76111,7 @@ index 0925c9a..6b044ac 100644
                                          info->index.str) | INIT_OFFSET_MASK;
         pr_debug("\t%s\n", info->secstrings + strsect->sh_name);
  }
-@@ -2349,12 +2367,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
+@@ -2354,12 +2372,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
         /* Make sure we get permanent strtab: don't use info->strtab. */
         mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
  
@@ -76142,7 +76128,7 @@ index 0925c9a..6b044ac 100644
         src = mod->symtab;
         for (ndst = i = 0; i < mod->num_symtab; i++) {
                 if (i == 0 ||
-@@ -2366,6 +2386,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
+@@ -2371,6 +2391,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
                 }
         }
         mod->core_num_syms = ndst;
@@ -76151,7 +76137,7 @@ index 0925c9a..6b044ac 100644
  }
  #else
  static inline void layout_symtab(struct module *mod, struct load_info *info)
-@@ -2399,17 +2421,33 @@ void * __weak module_alloc(unsigned long size)
+@@ -2404,17 +2426,33 @@ void * __weak module_alloc(unsigned long size)
         return vmalloc_exec(size);
  }
  
@@ -76190,7 +76176,7 @@ index 0925c9a..6b044ac 100644
                 mutex_unlock(&module_mutex);
         }
         return ret;
-@@ -2685,8 +2723,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
+@@ -2690,8 +2728,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
  static int check_modinfo(struct module *mod, struct load_info *info, int flags)
  {
         const char *modmagic = get_modinfo(info, "vermagic");
@@ -76205,7 +76191,7 @@ index 0925c9a..6b044ac 100644
         if (flags & MODULE_INIT_IGNORE_VERMAGIC)
                 modmagic = NULL;
  
-@@ -2712,7 +2756,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
+@@ -2717,7 +2761,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
         }
  
         /* Set up license info based on the info section */
@@ -76214,7 +76200,7 @@ index 0925c9a..6b044ac 100644
  
         return 0;
  }
-@@ -2806,7 +2850,7 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2811,7 +2855,7 @@ static int move_module(struct module *mod, struct load_info *info)
         void *ptr;
  
         /* Do the allocs. */
@@ -76223,7 +76209,7 @@ index 0925c9a..6b044ac 100644
         /*
          * The pointer to this block is stored in the module structure
          * which is inside the block. Just mark it as not being a
-@@ -2816,11 +2860,11 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2821,11 +2865,11 @@ static int move_module(struct module *mod, struct load_info *info)
         if (!ptr)
                 return -ENOMEM;
  
@@ -76239,7 +76225,7 @@ index 0925c9a..6b044ac 100644
                 /*
                  * The pointer to this block is stored in the module structure
                  * which is inside the block. This block doesn't need to be
-@@ -2829,13 +2873,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2834,13 +2878,45 @@ static int move_module(struct module *mod, struct load_info *info)
                  */
                 kmemleak_ignore(ptr);
                 if (!ptr) {
@@ -76289,7 +76275,7 @@ index 0925c9a..6b044ac 100644
  
         /* Transfer each section which specifies SHF_ALLOC */
         pr_debug("final section addresses:\n");
-@@ -2846,16 +2922,45 @@ static int move_module(struct module *mod, struct load_info *info)
+@@ -2851,16 +2927,45 @@ static int move_module(struct module *mod, struct load_info *info)
                 if (!(shdr->sh_flags & SHF_ALLOC))
                         continue;
  
@@ -76342,7 +76328,7 @@ index 0925c9a..6b044ac 100644
                 pr_debug("\t0x%lx %s\n",
                          (long)shdr->sh_addr, info->secstrings + shdr->sh_name);
         }
-@@ -2912,12 +3017,12 @@ static void flush_module_icache(const struct module *mod)
+@@ -2917,12 +3022,12 @@ static void flush_module_icache(const struct module *mod)
          * Do it before processing of module parameters, so the module
          * can provide parameter accessor functions of its own.
          */
@@ -76361,7 +76347,7 @@ index 0925c9a..6b044ac 100644
  
         set_fs(old_fs);
  }
-@@ -2987,8 +3092,10 @@ out:
+@@ -2992,8 +3097,10 @@ out:
  static void module_deallocate(struct module *mod, struct load_info *info)
  {
         percpu_modfree(mod);
@@ -76374,7 +76360,7 @@ index 0925c9a..6b044ac 100644
  }
  
  int __weak module_finalize(const Elf_Ehdr *hdr,
-@@ -3001,7 +3108,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
+@@ -3006,7 +3113,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
  static int post_relocation(struct module *mod, const struct load_info *info)
  {
         /* Sort exception table now relocations are done. */
@@ -76384,7 +76370,7 @@ index 0925c9a..6b044ac 100644
  
         /* Copy relocated percpu area over. */
         percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
-@@ -3055,16 +3164,16 @@ static int do_init_module(struct module *mod)
+@@ -3060,16 +3169,16 @@ static int do_init_module(struct module *mod)
                         MODULE_STATE_COMING, mod);
  
         /* Set RO and NX regions for core */
@@ -76409,7 +76395,7 @@ index 0925c9a..6b044ac 100644
  
         do_mod_ctors(mod);
         /* Start the module */
-@@ -3126,11 +3235,12 @@ static int do_init_module(struct module *mod)
+@@ -3131,11 +3240,12 @@ static int do_init_module(struct module *mod)
         mod->strtab = mod->core_strtab;
  #endif
         unset_module_init_ro_nx(mod);
@@ -76427,7 +76413,7 @@ index 0925c9a..6b044ac 100644
         mutex_unlock(&module_mutex);
         wake_up_all(&module_wq);
  
-@@ -3257,9 +3367,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3262,9 +3372,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
         if (err)
                 goto free_unload;
  
@@ -76466,7 +76452,7 @@ index 0925c9a..6b044ac 100644
         /* Fix up syms, so that st_value is a pointer to location. */
         err = simplify_symbols(mod, info);
         if (err < 0)
-@@ -3275,13 +3414,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3280,13 +3419,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
  
         flush_module_icache(mod);
  
@@ -76480,7 +76466,7 @@ index 0925c9a..6b044ac 100644
         dynamic_debug_setup(info->debug, info->num_debug);
  
         /* Finally it's fully formed, ready to start executing. */
-@@ -3316,11 +3448,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
+@@ -3321,11 +3453,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
   ddebug_cleanup:
         dynamic_debug_remove(info->debug);
         synchronize_sched();
@@ -76493,7 +76479,7 @@ index 0925c9a..6b044ac 100644
   free_unload:
         module_unload_free(mod);
   unlink_mod:
-@@ -3403,10 +3534,16 @@ static const char *get_ksymbol(struct module *mod,
+@@ -3408,10 +3539,16 @@ static const char *get_ksymbol(struct module *mod,
         unsigned long nextval;
  
         /* At worse, next value is at end of module */
@@ -76513,7 +76499,7 @@ index 0925c9a..6b044ac 100644
  
         /* Scan for closest preceding symbol, and next symbol. (ELF
            starts real symbols at 1). */
-@@ -3659,7 +3796,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3664,7 +3801,7 @@ static int m_show(struct seq_file *m, void *p)
                 return 0;
  
         seq_printf(m, "%s %u",
@@ -76522,7 +76508,7 @@ index 0925c9a..6b044ac 100644
         print_unload_info(m, mod);
  
         /* Informative for users. */
-@@ -3668,7 +3805,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3673,7 +3810,7 @@ static int m_show(struct seq_file *m, void *p)
                    mod->state == MODULE_STATE_COMING ? "Loading":
                    "Live");
         /* Used by oprofile and other similar tools. */
@@ -76531,7 +76517,7 @@ index 0925c9a..6b044ac 100644
  
         /* Taints info */
         if (mod->taints)
-@@ -3704,7 +3841,17 @@ static const struct file_operations proc_modules_operations = {
+@@ -3709,7 +3846,17 @@ static const struct file_operations proc_modules_operations = {
  
  static int __init proc_modules_init(void)
  {
@@ -76549,7 +76535,7 @@ index 0925c9a..6b044ac 100644
         return 0;
  }
  module_init(proc_modules_init);
-@@ -3765,14 +3912,14 @@ struct module *__module_address(unsigned long addr)
+@@ -3770,14 +3917,14 @@ struct module *__module_address(unsigned long addr)
  {
         struct module *mod;
  
@@ -76567,7 +76553,7 @@ index 0925c9a..6b044ac 100644
                         return mod;
         }
         return NULL;
-@@ -3807,11 +3954,20 @@ bool is_module_text_address(unsigned long addr)
+@@ -3812,11 +3959,20 @@ bool is_module_text_address(unsigned long addr)
   */
  struct module *__module_text_address(unsigned long addr)
  {
@@ -78585,7 +78571,7 @@ index 0da73cf..5c2af3c 100644
         if (!retval) {
                 if (old_rlim)
 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index afc1dc6..5e28bbf 100644
+index afc1dc6..f6cf355 100644
 --- a/kernel/sysctl.c
 +++ b/kernel/sysctl.c
 @@ -93,7 +93,6 @@
@@ -78596,6 +78582,34 @@ index afc1dc6..5e28bbf 100644
  /* External variables not in a header file. */
  extern int sysctl_overcommit_memory;
  extern int sysctl_overcommit_ratio;
+@@ -120,18 +119,18 @@ extern int blk_iopoll_enabled;
+ 
+ /* Constants used for minimum and  maximum */
+ #ifdef CONFIG_LOCKUP_DETECTOR
+-static int sixty = 60;
+-static int neg_one = -1;
++static int sixty __read_only = 60;
+ #endif
+ 
+-static int zero;
+-static int __maybe_unused one = 1;
+-static int __maybe_unused two = 2;
+-static int __maybe_unused three = 3;
+-static unsigned long one_ul = 1;
+-static int one_hundred = 100;
++static int neg_one __read_only = -1;
++static int zero __read_only = 0;
++static int __maybe_unused one __read_only = 1;
++static int __maybe_unused two __read_only = 2;
++static int __maybe_unused three __read_only = 3;
++static unsigned long one_ul __read_only = 1;
++static int one_hundred __read_only = 100;
+ #ifdef CONFIG_PRINTK
+-static int ten_thousand = 10000;
++static int ten_thousand __read_only = 10000;
+ #endif
+ 
+ /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
 @@ -178,10 +177,8 @@ static int proc_taint(struct ctl_table *table, int write,
                                void __user *buffer, size_t *lenp, loff_t *ppos);
  #endif
@@ -78691,7 +78705,7 @@ index afc1dc6..5e28bbf 100644
         {
                 .procname       = "ngroups_max",
                 .data           = &ngroups_max,
-@@ -1026,8 +1059,8 @@ static struct ctl_table kern_table[] = {
+@@ -1026,10 +1059,17 @@ static struct ctl_table kern_table[] = {
          */
         {
                 .procname       = "perf_event_paranoid",
@@ -78700,9 +78714,19 @@ index afc1dc6..5e28bbf 100644
 +               .data           = &sysctl_perf_event_legitimately_concerned,
 +               .maxlen         = sizeof(sysctl_perf_event_legitimately_concerned),
                 .mode           = 0644,
-                .proc_handler   = proc_dointvec,
+-               .proc_handler   = proc_dointvec,
++               /* go ahead, be a hero */
++               .proc_handler   = proc_dointvec_minmax_sysadmin,
++               .extra1         = &neg_one,
++#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
++               .extra2         = &three,
++#else
++               .extra2         = &two,
++#endif
         },
-@@ -1283,6 +1316,13 @@ static struct ctl_table vm_table[] = {
+        {
+                .procname       = "perf_event_mlock_kb",
+@@ -1283,6 +1323,13 @@ static struct ctl_table vm_table[] = {
                 .proc_handler   = proc_dointvec_minmax,
                 .extra1         = &zero,
         },
@@ -78716,7 +78740,7 @@ index afc1dc6..5e28bbf 100644
  #else
         {
                 .procname       = "nr_trim_pages",
-@@ -1733,6 +1773,16 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -1733,6 +1780,16 @@ int proc_dostring(struct ctl_table *table, int write,
                                buffer, lenp, ppos);
  }
  
@@ -78733,7 +78757,7 @@ index afc1dc6..5e28bbf 100644
  static size_t proc_skip_spaces(char **buf)
  {
         size_t ret;
-@@ -1838,6 +1888,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
+@@ -1838,6 +1895,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
         len = strlen(tmp);
         if (len > *size)
                 len = *size;
@@ -78742,7 +78766,7 @@ index afc1dc6..5e28bbf 100644
         if (copy_to_user(*buf, tmp, len))
                 return -EFAULT;
         *size -= len;
-@@ -2002,7 +2054,7 @@ int proc_dointvec(struct ctl_table *table, int write,
+@@ -2002,7 +2061,7 @@ int proc_dointvec(struct ctl_table *table, int write,
  static int proc_taint(struct ctl_table *table, int write,
                                void __user *buffer, size_t *lenp, loff_t *ppos)
  {
@@ -78751,7 +78775,7 @@ index afc1dc6..5e28bbf 100644
         unsigned long tmptaint = get_taint();
         int err;
  
-@@ -2030,7 +2082,6 @@ static int proc_taint(struct ctl_table *table, int write,
+@@ -2030,7 +2089,6 @@ static int proc_taint(struct ctl_table *table, int write,
         return err;
  }
  
@@ -78759,7 +78783,7 @@ index afc1dc6..5e28bbf 100644
  static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
                                 void __user *buffer, size_t *lenp, loff_t *ppos)
  {
-@@ -2039,7 +2090,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+@@ -2039,7 +2097,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
  
         return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
  }
@@ -78767,7 +78791,7 @@ index afc1dc6..5e28bbf 100644
  
  struct do_proc_dointvec_minmax_conv_param {
         int *min;
-@@ -2186,8 +2236,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
+@@ -2186,8 +2243,11 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
                         *i = val;
                 } else {
                         val = convdiv * (*i) / convmul;
@@ -78780,7 +78804,7 @@ index afc1dc6..5e28bbf 100644
                         err = proc_put_long(&buffer, &left, val, false);
                         if (err)
                                 break;
-@@ -2579,6 +2632,12 @@ int proc_dostring(struct ctl_table *table, int write,
+@@ -2579,6 +2639,12 @@ int proc_dostring(struct ctl_table *table, int write,
         return -ENOSYS;
  }
  
@@ -78793,7 +78817,7 @@ index afc1dc6..5e28bbf 100644
  int proc_dointvec(struct ctl_table *table, int write,
                   void __user *buffer, size_t *lenp, loff_t *ppos)
  {
-@@ -2635,5 +2694,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
+@@ -2635,5 +2701,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
  EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
  EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
  EXPORT_SYMBOL(proc_dostring);
@@ -80367,24 +80391,6 @@ index b32b70c..e512eb0 100644
         pkmap_count[last_pkmap_nr] = 1;
         set_page_address(page, (void *)vaddr);
  
-diff --git a/mm/huge_memory.c b/mm/huge_memory.c
-index e2f7f5aa..a4510d4 100644
---- a/mm/huge_memory.c
-+++ b/mm/huge_memory.c
-@@ -2318,7 +2318,12 @@ static void collapse_huge_page(struct mm_struct *mm,
-                pte_unmap(pte);
-                spin_lock(&mm->page_table_lock);
-                BUG_ON(!pmd_none(*pmd));
--               set_pmd_at(mm, address, pmd, _pmd);
-+               /*
-+                * We can only use set_pmd_at when establishing
-+                * hugepmds and never for establishing regular pmds that
-+                * points to regular pagetables. Use pmd_populate for that
-+                */
-+               pmd_populate(mm, pmd, pmd_pgtable(_pmd));
-                spin_unlock(&mm->page_table_lock);
-                anon_vma_unlock_write(vma->anon_vma);
-                goto out;
 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
 index 1a12f5b..a85b8fc 100644
 --- a/mm/hugetlb.c
@@ -81553,7 +81559,7 @@ index 7431001..0f8344e 100644
                 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
  
 diff --git a/mm/migrate.c b/mm/migrate.c
-index 3bbaf5d..299b0e9 100644
+index 22ed5c1..87c424c 100644
 --- a/mm/migrate.c
 +++ b/mm/migrate.c
 @@ -1382,8 +1382,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
@@ -82849,133 +82855,6 @@ index 0dceed8..671951c 100644
         vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
         vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
  
-diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c
-index be04122..6725ff1 100644
---- a/mm/mmu_notifier.c
-+++ b/mm/mmu_notifier.c
-@@ -40,48 +40,44 @@ void __mmu_notifier_release(struct mm_struct *mm)
-        int id;
- 
-        /*
--        * srcu_read_lock() here will block synchronize_srcu() in
--        * mmu_notifier_unregister() until all registered
--        * ->release() callouts this function makes have
--        * returned.
-+        * SRCU here will block mmu_notifier_unregister until
-+        * ->release returns.
-         */
-        id = srcu_read_lock(&srcu);
-+       hlist_for_each_entry_rcu(mn, &mm->mmu_notifier_mm->list, hlist)
-+               /*
-+                * If ->release runs before mmu_notifier_unregister it must be
-+                * handled, as it's the only way for the driver to flush all
-+                * existing sptes and stop the driver from establishing any more
-+                * sptes before all the pages in the mm are freed.
-+                */
-+               if (mn->ops->release)
-+                       mn->ops->release(mn, mm);
-+       srcu_read_unlock(&srcu, id);
-+
-        spin_lock(&mm->mmu_notifier_mm->lock);
-        while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) {
-                mn = hlist_entry(mm->mmu_notifier_mm->list.first,
-                                 struct mmu_notifier,
-                                 hlist);
--
-                /*
--                * Unlink.  This will prevent mmu_notifier_unregister()
--                * from also making the ->release() callout.
-+                * We arrived before mmu_notifier_unregister so
-+                * mmu_notifier_unregister will do nothing other than to wait
-+                * for ->release to finish and for mmu_notifier_unregister to
-+                * return.
-                 */
-                hlist_del_init_rcu(&mn->hlist);
--               spin_unlock(&mm->mmu_notifier_mm->lock);
--
--               /*
--                * Clear sptes. (see 'release' description in mmu_notifier.h)
--                */
--               if (mn->ops->release)
--                       mn->ops->release(mn, mm);
--
--               spin_lock(&mm->mmu_notifier_mm->lock);
-        }
-        spin_unlock(&mm->mmu_notifier_mm->lock);
- 
-        /*
--        * All callouts to ->release() which we have done are complete.
--        * Allow synchronize_srcu() in mmu_notifier_unregister() to complete
--        */
--       srcu_read_unlock(&srcu, id);
--
--       /*
--        * mmu_notifier_unregister() may have unlinked a notifier and may
--        * still be calling out to it.  Additionally, other notifiers
--        * may have been active via vmtruncate() et. al. Block here
--        * to ensure that all notifier callouts for this mm have been
--        * completed and the sptes are really cleaned up before returning
--        * to exit_mmap().
-+        * synchronize_srcu here prevents mmu_notifier_release from returning to
-+        * exit_mmap (which would proceed with freeing all pages in the mm)
-+        * until the ->release method returns, if it was invoked by
-+        * mmu_notifier_unregister.
-+        *
-+        * The mmu_notifier_mm can't go away from under us because one mm_count
-+        * is held by exit_mmap.
-         */
-        synchronize_srcu(&srcu);
- }
-@@ -292,31 +288,34 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
- {
-        BUG_ON(atomic_read(&mm->mm_count) <= 0);
- 
--       spin_lock(&mm->mmu_notifier_mm->lock);
-        if (!hlist_unhashed(&mn->hlist)) {
-+               /*
-+                * SRCU here will force exit_mmap to wait for ->release to
-+                * finish before freeing the pages.
-+                */
-                int id;
- 
--               /*
--                * Ensure we synchronize up with __mmu_notifier_release().
--                */
-                id = srcu_read_lock(&srcu);
--
--               hlist_del_rcu(&mn->hlist);
--               spin_unlock(&mm->mmu_notifier_mm->lock);
--
--               if (mn->ops->release)
--                       mn->ops->release(mn, mm);
--
-                /*
--                * Allow __mmu_notifier_release() to complete.
-+                * exit_mmap will block in mmu_notifier_release to guarantee
-+                * that ->release is called before freeing the pages.
-                 */
-+               if (mn->ops->release)
-+                       mn->ops->release(mn, mm);
-                srcu_read_unlock(&srcu, id);
--       } else
-+
-+               spin_lock(&mm->mmu_notifier_mm->lock);
-+               /*
-+                * Can not use list_del_rcu() since __mmu_notifier_release
-+                * can delete it before we hold the lock.
-+                */
-+               hlist_del_init_rcu(&mn->hlist);
-                spin_unlock(&mm->mmu_notifier_mm->lock);
-+       }
- 
-        /*
--        * Wait for any running method to finish, including ->release() if it
--        * was run by __mmu_notifier_release() instead of us.
-+        * Wait for any running method to finish, of course including
-+        * ->release if it was run by mmu_notifier_relase instead of us.
-         */
-        synchronize_srcu(&srcu);
- 
 diff --git a/mm/mprotect.c b/mm/mprotect.c
 index 94722a4..07d9926 100644
 --- a/mm/mprotect.c
@@ -87120,6 +86999,24 @@ index 960fd29..d55bf64 100644
  
         hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table);
         if (hdr == NULL)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index e220207..cdeb839 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3383,8 +3383,11 @@ int tcp_md5_hash_skb_data(struct tcp_md5sig_pool *hp,
+ 
+        for (i = 0; i < shi->nr_frags; ++i) {
+                const struct skb_frag_struct *f = &shi->frags[i];
+-               struct page *page = skb_frag_page(f);
+-               sg_set_page(&sg, page, skb_frag_size(f), f->page_offset);
++               unsigned int offset = f->page_offset;
++               struct page *page = skb_frag_page(f) + (offset >> PAGE_SHIFT);
++
++               sg_set_page(&sg, page, skb_frag_size(f),
++                           offset_in_page(offset));
+                if (crypto_hash_update(desc, &sg, skb_frag_size(f)))
+                        return 1;
+        }
 diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
 index 13b9c08..d33a8d0 100644
 --- a/net/ipv4/tcp_input.c
@@ -87527,6 +87424,19 @@ index 95d13c7..791fe2f 100644
         .kind           = "ip6gretap",
         .maxtype        = IFLA_GRE_MAX,
         .policy         = ip6gre_policy,
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 155eccf..851fdae 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1147,7 +1147,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
+                        if (WARN_ON(np->cork.opt))
+                                return -EINVAL;
+ 
+-                       np->cork.opt = kmalloc(opt->tot_len, sk->sk_allocation);
++                       np->cork.opt = kzalloc(opt->tot_len, sk->sk_allocation);
+                        if (unlikely(np->cork.opt == NULL))
+                                return -ENOBUFS;
+ 
 diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
 index fff83cb..82d49dd 100644
 --- a/net/ipv6/ip6_tunnel.c
@@ -88061,6 +87971,19 @@ index 362ba47..66196f4 100644
         seq_printf(m, "Max data size: %d\n", self->max_data_size);
         seq_printf(m, "Max header size: %d\n", self->max_header_size);
  
+diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c
+index 8c00416..9ea0c93 100644
+--- a/net/irda/irlap_frame.c
++++ b/net/irda/irlap_frame.c
+@@ -544,7 +544,7 @@ static void irlap_recv_discovery_xid_cmd(struct irlap_cb *self,
+                /*
+                 *  We now have some discovery info to deliver!
+                 */
+-               discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC);
++               discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC);
+                if (!discovery) {
+                        IRDA_WARNING("%s: unable to malloc!\n", __func__);
+                        return;
 diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
 index 206ce6d..cfb27cd 100644
 --- a/net/iucv/af_iucv.c
@@ -88163,7 +88086,7 @@ index 5672533..6738c93 100644
         /* number of interfaces with corresponding FIF_ flags */
         int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
 diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index d51ca9d..042c35f 100644
+index 9cbebc2..14879bb 100644
 --- a/net/mac80211/iface.c
 +++ b/net/mac80211/iface.c
 @@ -495,7 +495,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
@@ -89949,7 +89872,7 @@ index d5f35f1..da2680b5 100644
         task->tk_action = call_reserve;
  }
 diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
-index f8529fc..ce8c643 100644
+index 5356b12..c0f4c29 100644
 --- a/net/sunrpc/sched.c
 +++ b/net/sunrpc/sched.c
 @@ -261,9 +261,9 @@ static int rpc_wait_bit_killable(void *word)
@@ -90413,6 +90336,18 @@ index c8717c1..08539f5 100644
         err = handler(dev, info, (union iwreq_data *) iwp, extra);
  
         iwp->length += essid_compat;
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index bcfda89..0cf003d 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
+ 
+                if (unlikely(x->km.state != XFRM_STATE_VALID)) {
+                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID);
++                       err = -EINVAL;
+                        goto error;
+                }
+ 
 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
 index 167c67d..3f2ae427 100644
 --- a/net/xfrm/xfrm_policy.c
diff --git a/main/linux-grsec/ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch b/main/linux-grsec/ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
deleted file mode 100644
index 7cb0dade7c..0000000000
--- a/main/linux-grsec/ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From patchwork Wed May 22 11:40:47 2013
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Subject: [ipsec] xfrm: properly handle invalid states as an error
-Date: Wed, 22 May 2013 01:40:47 -0000
-From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi>
-X-Patchwork-Id: 245594
-Message-Id: <1369222847-8542-1-git-send-email-timo.teras@iki.fi>
-To: netdev@vger.kernel.org
-Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>,
- Li RongQing <roy.qing.li@gmail.com>,
- Steffen Klassert <steffen.klassert@secunet.com>
-
-The error exit path needs err explicitly set. Otherwise it
-returns success and the only caller, xfrm_output_resume(),
-would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
-NULL.
-
-Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
-check and add a statistic).
-
-Signed-off-by: Timo Teräs <timo.teras@iki.fi>
-Cc: Li RongQing <roy.qing.li@gmail.com>
-Cc: Steffen Klassert <steffen.klassert@secunet.com>
-
----
-Should go also to 3.9-stable.
-
- net/xfrm/xfrm_output.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
-index bcfda89..0cf003d 100644
---- a/net/xfrm/xfrm_output.c
-+++ b/net/xfrm/xfrm_output.c
-@@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
- 
-                if (unlikely(x->km.state != XFRM_STATE_VALID)) {
-                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID);
-+                       err = -EINVAL;
-                        goto error;
-                }
- 
diff --git a/main/linux-grsec/kernelconfig.x86 b/main/linux-grsec/kernelconfig.x86
index e7d4331a7f..5774d1f22d 100644
--- a/main/linux-grsec/kernelconfig.x86
+++ b/main/linux-grsec/kernelconfig.x86
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.9.3 Kernel Configuration
+# Linux/x86 3.9.5 Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -5522,6 +5522,7 @@ CONFIG_PAX_USERCOPY=y
 CONFIG_GRKERNSEC_KMEM=y
 # CONFIG_GRKERNSEC_VM86 is not set
 # CONFIG_GRKERNSEC_IO is not set
+CONFIG_GRKERNSEC_PERF_HARDEN=y
 CONFIG_GRKERNSEC_PROC_MEMMAP=y
 # CONFIG_GRKERNSEC_BRUTE is not set
 # CONFIG_GRKERNSEC_MODHARDEN is not set
diff --git a/main/linux-grsec/kernelconfig.x86_64 b/main/linux-grsec/kernelconfig.x86_64
index 561ab2088a..df9536d19f 100644
--- a/main/linux-grsec/kernelconfig.x86_64
+++ b/main/linux-grsec/kernelconfig.x86_64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.9.3 Kernel Configuration
+# Linux/x86 3.9.5 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -5459,6 +5459,7 @@ CONFIG_PAX_USERCOPY=y
 CONFIG_GRKERNSEC_KMEM=y
 # CONFIG_GRKERNSEC_IO is not set
 CONFIG_GRKERNSEC_JIT_HARDEN=y
+CONFIG_GRKERNSEC_PERF_HARDEN=y
 CONFIG_GRKERNSEC_PROC_MEMMAP=y
 # CONFIG_GRKERNSEC_BRUTE is not set
 # CONFIG_GRKERNSEC_MODHARDEN is not set
diff --git a/main/linux-grsec/leds-leds-gpio-reserve-gpio-before-using-it.patch b/main/linux-grsec/leds-leds-gpio-reserve-gpio-before-using-it.patch
deleted file mode 100644
index f7af3b2a07..0000000000
--- a/main/linux-grsec/leds-leds-gpio-reserve-gpio-before-using-it.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 37e3042c345024aa5e39a1a28a667a00b75fd6ce Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Fri, 17 May 2013 09:31:13 +0300
-Subject: [PATCH] leds: leds-gpio: reserve gpio before using it
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit a99d76f (leds: leds-gpio: use gpio_request_one)
-and commit 2d7c22f (leds: leds-gpio: set devm_gpio_request_one()
-flags param correctly) which was a fix of the first one.
-
-The conversion to devm_gpio_request in commit e3b1d44c (leds:
-leds-gpio: use devm_gpio_request_one) is not reverted.
-
-The problem is that gpio_cansleep() and gpio_get_value_cansleep()
-calls can crash if the gpio is not first reserved. Incidentally this
-same bug existed earlier and was fixed similarly in commit d95cbe61
-(leds: Fix potential leds-gpio oops). But the OOPS is real. It happens
-when GPIOs are provided by module which is not yet loaded.
-
-So this fixes the following BUG during my ALIX boot (3.9.2-vanilla):
-
-BUG: unable to handle kernel NULL pointer dereference at 0000004c
-IP: [<c11287d6>] __gpio_cansleep+0xe/0x1a
-*pde = 00000000
-Oops: 0000 [#1] SMP
-Modules linked in: leds_gpio(+) via_rhine mii cs5535_mfd mfd_core
-geode_rng rng_core geode_aes isofs nls_utf8 nls_cp437 vfat fat
-ata_generic pata_amd pata_cs5536 pata_acpi libata ehci_pci ehci_hcd
-ohci_hcd usb_storage usbcore usb_common sd_mod scsi_mod squashfs loop
-Pid: 881, comm: modprobe Not tainted 3.9.2 #1-Alpine
-EIP: 0060:[<c11287d6>] EFLAGS: 00010282 CPU: 0
-EIP is at __gpio_cansleep+0xe/0x1a
-EAX: 00000000 EBX: cf364018 ECX: c132b8b9 EDX: 00000000
-ESI: c13993a4 EDI: c1399370 EBP: cded9dbc ESP: cded9dbc
- DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
-CR0: 8005003b CR2: 0000004c CR3: 0f0c4000 CR4: 00000090
-DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
-DR6: ffff0ff0 DR7: 00000400
-Process modprobe (pid: 881, ti=cded8000 task=cf094aa0 task.ti=cded8000)
-Stack:
- cded9de0 d09471cb 00000000 c1399260 cf364014 00000000 c1399260 c1399254
- d0949014 cded9df4 c118cd59 c1399260 d0949014 d0949014 cded9e08 c118ba47
- c1399260 d0949014 c1399294 cded9e1c c118bb75 cded9e24 d0949014 00000000
-Call Trace:
- [<d09471cb>] gpio_led_probe+0xba/0x203 [leds_gpio]
- [<c118cd59>] platform_drv_probe+0x26/0x48
- [<c118ba47>] driver_probe_device+0x75/0x15c
- [<c118bb75>] __driver_attach+0x47/0x63
- [<c118a727>] bus_for_each_dev+0x3c/0x66
- [<c118b6f9>] driver_attach+0x14/0x16
- [<c118bb2e>] ? driver_probe_device+0x15c/0x15c
- [<c118b3d5>] bus_add_driver+0xbd/0x1bc
- [<d08b4000>] ? 0xd08b3fff
- [<d08b4000>] ? 0xd08b3fff
- [<c118bffc>] driver_register+0x74/0xec
- [<d08b4000>] ? 0xd08b3fff
- [<c118c8e8>] platform_driver_register+0x38/0x3a
- [<d08b400d>] gpio_led_driver_init+0xd/0x1000 [leds_gpio]
- [<c100116c>] do_one_initcall+0x6b/0x10f
- [<d08b4000>] ? 0xd08b3fff
- [<c105e918>] load_module+0x1631/0x1907
- [<c10975d6>] ? insert_vmalloc_vmlist+0x14/0x43
- [<c1098d5b>] ? __vmalloc_node_range+0x13e/0x15f
- [<c105ec50>] sys_init_module+0x62/0x77
- [<c1257888>] syscall_call+0x7/0xb
-EIP: [<c11287d6>] __gpio_cansleep+0xe/0x1a SS:ESP 0068:cded9dbc
-CR2: 000000000000004c
- ---[ end trace 5308fb20d2514822 ]---
-
-Signed-off-by: Timo Teräs <timo.teras@iki.f>
-Cc: Jingoo Han <jg1.han@samsung.com>
-Cc: Sachin Kamat <sachin.kamat@linaro.org>
-Cc: Raphael Assenat <raph@8d.com>
-Cc: Trent Piepho <tpiepho@freescale.com>
-Cc: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
-Cc: Arnaud Patard <arnaud.patard@rtp-net.org>
-Cc: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
----
- drivers/leds/leds-gpio.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/leds/leds-gpio.c b/drivers/leds/leds-gpio.c
-index a0d931b..b02b679 100644
---- a/drivers/leds/leds-gpio.c
-+++ b/drivers/leds/leds-gpio.c
-@@ -107,6 +107,10 @@ static int create_gpio_led(const struct gpio_led *template,
-                return 0;
-        }
- 
-+       ret = devm_gpio_request(parent, template->gpio, template->name);
-+       if (ret < 0)
-+               return ret;
-+
-        led_dat->cdev.name = template->name;
-        led_dat->cdev.default_trigger = template->default_trigger;
-        led_dat->gpio = template->gpio;
-@@ -126,10 +130,7 @@ static int create_gpio_led(const struct gpio_led *template,
-        if (!template->retain_state_suspended)
-                led_dat->cdev.flags |= LED_CORE_SUSPENDRESUME;
- 
--       ret = devm_gpio_request_one(parent, template->gpio,
--                                   (led_dat->active_low ^ state) ?
--                                   GPIOF_OUT_INIT_HIGH : GPIOF_OUT_INIT_LOW,
--                                   template->name);
-+       ret = gpio_direction_output(led_dat->gpio, led_dat->active_low ^ state);
-        if (ret < 0)
-                return ret;
- 
--- 
-1.8.2.3
-
-