summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2016-07-07 03:56:33 -0400
committerAnthony G. Basile <blueness@gentoo.org>2016-07-07 03:56:33 -0400
commit1fcb85d82cad5b7b799e05df97d774548925a2e2 (patch)
tree69f28d5cf78b0addaed61d66f7b9ffc622be8755
parentgrsecurity-3.1-4.6.3-201607060823 (diff)
downloadhardened-patchset-1fcb85d82cad5b7b799e05df97d774548925a2e2.tar.gz
hardened-patchset-1fcb85d82cad5b7b799e05df97d774548925a2e2.tar.bz2
hardened-patchset-1fcb85d82cad5b7b799e05df97d774548925a2e2.zip
grsecurity-3.1-4.6.3-201607062159201607062
-rw-r--r--4.6.3/0000_README2
-rw-r--r--4.6.3/4420_grsecurity-3.1-4.6.3-201607062159.patch (renamed from 4.6.3/4420_grsecurity-3.1-4.6.3-201607060823.patch)546
2 files changed, 413 insertions, 135 deletions
diff --git a/4.6.3/0000_README b/4.6.3/0000_README
index a40de90..00f1875 100644
--- a/4.6.3/0000_README
+++ b/4.6.3/0000_README
@@ -6,7 +6,7 @@ Patch: 1002_linux-4.6.3.patch
From: http://www.kernel.org
Desc: Linux 4.6.3
-Patch: 4420_grsecurity-3.1-4.6.3-201607060823.patch
+Patch: 4420_grsecurity-3.1-4.6.3-201607062159.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.6.3/4420_grsecurity-3.1-4.6.3-201607060823.patch b/4.6.3/4420_grsecurity-3.1-4.6.3-201607062159.patch
index 92e7d0d..169d0af 100644
--- a/4.6.3/4420_grsecurity-3.1-4.6.3-201607060823.patch
+++ b/4.6.3/4420_grsecurity-3.1-4.6.3-201607062159.patch
@@ -3541,7 +3541,7 @@ index ff0a68c..b312aa0 100644
sizeof(struct omap_wd_timer_platform_data));
WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n",
diff --git a/arch/arm/mach-s3c64xx/mach-smdk6410.c b/arch/arm/mach-s3c64xx/mach-smdk6410.c
-index 92ec8c3..3df2546 100644
+index 92ec8c3..3b09472 100644
--- a/arch/arm/mach-s3c64xx/mach-smdk6410.c
+++ b/arch/arm/mach-s3c64xx/mach-smdk6410.c
@@ -240,7 +240,7 @@ static struct platform_device smdk6410_b_pwr_5v = {
@@ -3549,7 +3549,7 @@ index 92ec8c3..3df2546 100644
#endif
-static struct s3c_ide_platdata smdk6410_ide_pdata __initdata = {
-+static struct s3c_ide_platdata smdk6410_ide_pdata __initconst = {
++static const struct s3c_ide_platdata smdk6410_ide_pdata __initconst = {
.setup_gpio = s3c64xx_ide_setup_gpio,
};
@@ -3795,7 +3795,7 @@ index c8c8b9e..c55cc79 100644
atomic64_set(&mm->context.id, asid);
}
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
-index ad58418..c0349f4 100644
+index ad58418..8267ca5 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -25,6 +25,7 @@
@@ -4010,7 +4010,7 @@ index ad58418..c0349f4 100644
+#else
+ unsigned int bkpt;
+
-+ if (!probe_kernel_address((const void *)pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) {
++ if (!probe_kernel_address((const unsigned int *)pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) {
+#endif
+ current->thread.error_code = ifsr;
+ current->thread.trap_no = 0;
@@ -20635,6 +20635,22 @@ index fe884e1..46149ae 100644
static inline void release_dma_lock(unsigned long flags)
{
spin_unlock_irqrestore(&dma_spin_lock, flags);
+diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
+index 53748c4..283147d 100644
+--- a/arch/x86/include/asm/efi.h
++++ b/arch/x86/include/asm/efi.h
+@@ -168,6 +168,11 @@ static inline bool efi_is_native(void)
+
+ static inline bool efi_runtime_supported(void)
+ {
++
++#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
++ return false;
++#endif
++
+ if (efi_is_native())
+ return true;
+
diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index 15340e3..f338653 100644
--- a/arch/x86/include/asm/elf.h
@@ -22128,7 +22144,7 @@ index cdaa58c..ae30f0d 100644
static inline void pud_clear(pud_t *pudp)
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
-index 97f3242..0d17a84 100644
+index 97f3242..2603a59 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -54,6 +54,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
@@ -22236,6 +22252,15 @@ index 97f3242..0d17a84 100644
}
static inline pte_t pte_mkdirty(pte_t pte)
+@@ -430,7 +497,7 @@ static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
+
+ #define canon_pgprot(p) __pgprot(massage_pgprot(p))
+
+-static inline int is_new_memtype_allowed(u64 paddr, unsigned long size,
++static inline int is_new_memtype_allowed(u64 paddr, u64 size,
+ enum page_cache_mode pcm,
+ enum page_cache_mode new_pcm)
+ {
@@ -473,6 +540,16 @@ pte_t *populate_extra_pte(unsigned long vaddr);
#endif
@@ -34983,6 +35008,103 @@ index f989132..7c590d6 100644
+quote:="
+obj-$(CONFIG_X86_64) += uderef_64.o
+CFLAGS_uderef_64.o := $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS)) -fcall-saved-rax
+diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c
+index 99bfb19..237fb1d 100644
+--- a/arch/x86/mm/dump_pagetables.c
++++ b/arch/x86/mm/dump_pagetables.c
+@@ -27,6 +27,7 @@
+ struct pg_state {
+ int level;
+ pgprot_t current_prot;
++ pgprot_t current_prots[5];
+ unsigned long start_address;
+ unsigned long current_address;
+ const struct addr_marker *marker;
+@@ -184,6 +185,23 @@ static unsigned long normalize_addr(unsigned long u)
+ #endif
+ }
+
++static pgprot_t merge_prot(pgprot_t old_prot, pgprot_t new_prot)
++{
++ if (!(pgprot_val(new_prot) & _PAGE_PRESENT))
++ return new_prot;
++
++ if (!(pgprot_val(old_prot) & _PAGE_PRESENT))
++ return new_prot;
++
++ if (pgprot_val(old_prot) & _PAGE_NX)
++ pgprot_val(new_prot) |= _PAGE_NX;
++
++ if (!(pgprot_val(old_prot) & _PAGE_RW))
++ pgprot_val(new_prot) &= ~_PAGE_RW;
++
++ return new_prot;
++}
++
+ /*
+ * This function gets called on a break in a continuous series
+ * of PTE entries; the next one is different so we need to
+@@ -200,11 +218,13 @@ static void note_page(struct seq_file *m, struct pg_state *st,
+ * we have now. "break" is either changing perms, levels or
+ * address space marker.
+ */
++ new_prot = merge_prot(st->current_prots[level - 1], new_prot);
+ prot = pgprot_val(new_prot);
+ cur = pgprot_val(st->current_prot);
+
+ if (!st->level) {
+ /* First entry */
++ st->current_prots[0] = __pgprot(_PAGE_RW);
+ st->current_prot = new_prot;
+ st->level = level;
+ st->marker = address_markers;
+@@ -216,9 +236,8 @@ static void note_page(struct seq_file *m, struct pg_state *st,
+ const char *unit = units;
+ unsigned long delta;
+ int width = sizeof(unsigned long) * 2;
+- pgprotval_t pr = pgprot_val(st->current_prot);
+
+- if (st->check_wx && (pr & _PAGE_RW) && !(pr & _PAGE_NX)) {
++ if (st->check_wx && (cur & _PAGE_RW) && !(cur & _PAGE_NX)) {
+ WARN_ONCE(1,
+ "x86/mm: Found insecure W+X mapping at address %p/%pS\n",
+ (void *)st->start_address,
+@@ -304,9 +323,10 @@ static void walk_pmd_level(struct seq_file *m, struct pg_state *st, pud_t addr,
+ start = (pmd_t *) pud_page_vaddr(addr);
+ for (i = 0; i < PTRS_PER_PMD; i++) {
+ st->current_address = normalize_addr(P + i * PMD_LEVEL_MULT);
++ prot = pmd_flags(*start);
++ st->current_prots[3] = merge_prot(st->current_prots[2], __pgprot(prot));
+ if (!pmd_none(*start)) {
+ if (pmd_large(*start) || !pmd_present(*start)) {
+- prot = pmd_flags(*start);
+ note_page(m, st, __pgprot(prot), 3);
+ } else {
+ walk_pte_level(m, st, *start,
+@@ -337,9 +357,10 @@ static void walk_pud_level(struct seq_file *m, struct pg_state *st, pgd_t addr,
+
+ for (i = 0; i < PTRS_PER_PUD; i++) {
+ st->current_address = normalize_addr(P + i * PUD_LEVEL_MULT);
++ prot = pud_flags(*start);
++ st->current_prots[2] = merge_prot(st->current_prots[1], __pgprot(start->pud));
+ if (!pud_none(*start)) {
+ if (pud_large(*start) || !pud_present(*start)) {
+- prot = pud_flags(*start);
+ note_page(m, st, __pgprot(prot), 2);
+ } else {
+ walk_pmd_level(m, st, *start,
+@@ -395,9 +416,10 @@ static void ptdump_walk_pgd_level_core(struct seq_file *m, pgd_t *pgd,
+
+ for (i = 0; i < PTRS_PER_PGD; i++) {
+ st.current_address = normalize_addr(i * PGD_LEVEL_MULT);
++ prot = pgd_flags(*start);
++ st.current_prots[1] = __pgprot(prot);
+ if (!pgd_none(*start) && !is_hypervisor_range(i)) {
+ if (pgd_large(*start) || !pgd_present(*start)) {
+- prot = pgd_flags(*start);
+ note_page(m, &st, __pgprot(prot), 1);
+ } else {
+ walk_pud_level(m, &st, *start,
diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
index 82447b3..95c2b03 100644
--- a/arch/x86/mm/extable.c
@@ -36034,7 +36156,7 @@ index 9d56f27..0d15fff 100644
(unsigned long)(&__init_begin),
(unsigned long)(&__init_end));
diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
-index bd7a9b9..2cc3f46 100644
+index bd7a9b9..94d80a5 100644
--- a/arch/x86/mm/init_32.c
+++ b/arch/x86/mm/init_32.c
@@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void);
@@ -36262,6 +36384,15 @@ index bd7a9b9..2cc3f46 100644
((unsigned long)&_etext - (unsigned long)&_text) >> 10);
/*
+@@ -871,7 +873,7 @@ static noinline int do_test_wp_bit(void)
+ const int rodata_test_data = 0xC3;
+ EXPORT_SYMBOL_GPL(rodata_test_data);
+
+-int kernel_set_to_readonly __read_mostly;
++int kernel_set_to_readonly __read_only;
+
+ void set_kernel_text_rw(void)
+ {
@@ -881,6 +883,7 @@ void set_kernel_text_rw(void)
if (!kernel_set_to_readonly)
return;
@@ -36287,7 +36418,7 @@ index bd7a9b9..2cc3f46 100644
/*
* This comes from is_kernel_text upper limit. Also HPAGE where used:
*/
-@@ -923,26 +927,49 @@ void mark_rodata_ro(void)
+@@ -923,26 +927,52 @@ void mark_rodata_ro(void)
unsigned long start = PFN_ALIGN(_text);
unsigned long size = PFN_ALIGN(_etext) - start;
@@ -36295,49 +36426,48 @@ index bd7a9b9..2cc3f46 100644
- printk(KERN_INFO "Write protecting the kernel text: %luk\n",
- size >> 10);
+#ifdef CONFIG_PAX_KERNEXEC
-+ {
-+ /* PaX: limit KERNEL_CS to actual size */
-+ unsigned long limit;
-+ struct desc_struct d;
-+ int cpu;
++ /* PaX: limit KERNEL_CS to actual size */
++ unsigned long limit;
++ struct desc_struct d;
++ int cpu;
-- kernel_set_to_readonly = 1;
-+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
-+ limit = (limit - 1UL) >> PAGE_SHIFT;
++ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
++ limit = (limit - 1UL) >> PAGE_SHIFT;
+
-+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
-+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
-+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
-+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
-+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
-+ }
-+
-+ if (config_enabled(CONFIG_MODULES))
-+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
++ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
++ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
++ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
+ }
++
++#ifdef CONFIG_MODULES
++ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
++#endif
+#endif
+
+ start = ktla_ktva(start);
++#ifdef CONFIG_PAX_KERNEXEC
+ /* PaX: make KERNEL_CS read-only */
-+ if (config_enabled(CONFIG_PAX_KERNEXEC) && !paravirt_enabled()) {
-+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
-+ printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10);
-+
-+ kernel_set_to_readonly = 1;
++ if (!paravirt_enabled()) {
++#endif
+ kernel_set_to_readonly = 1;
++ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
++ printk(KERN_INFO "Write protecting the kernel text: %luk\n", size >> 10);
++
#ifdef CONFIG_CPA_DEBUG
- printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n",
- start, start+size);
-- set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT);
-+ printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n", start, start+size);
-+ set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT);
++ printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n", start, start+size);
+ set_pages_rw(virt_to_page(start), size>>PAGE_SHIFT);
-- printk(KERN_INFO "Testing CPA: write protecting again\n");
-- set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT);
-+ printk(KERN_INFO "Testing CPA: write protecting again\n");
-+ set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT);
+ printk(KERN_INFO "Testing CPA: write protecting again\n");
+ set_pages_ro(virt_to_page(start), size>>PAGE_SHIFT);
#endif
++#ifdef CONFIG_PAX_KERNEXEC
+ }
++#endif
start += size;
- size = (unsigned long)__end_rodata - start;
@@ -36350,7 +36480,7 @@ index bd7a9b9..2cc3f46 100644
#ifdef CONFIG_CPA_DEBUG
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 214afda..444aa18 100644
+index 214afda..7fd6c3f 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -138,7 +138,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page,
@@ -36483,6 +36613,15 @@ index 214afda..444aa18 100644
spin_unlock(&init_mm.page_table_lock);
pgd_changed = true;
}
+@@ -1078,7 +1106,7 @@ void __init mem_init(void)
+ const int rodata_test_data = 0xC3;
+ EXPORT_SYMBOL_GPL(rodata_test_data);
+
+-int kernel_set_to_readonly;
++int kernel_set_to_readonly __read_only;
+
+ void set_kernel_text_rw(void)
+ {
@@ -1107,8 +1135,7 @@ void set_kernel_text_ro(void)
if (!kernel_set_to_readonly)
return;
@@ -36493,29 +36632,34 @@ index 214afda..444aa18 100644
/*
* Set the kernel identity mapping for text RO.
-@@ -1118,15 +1145,20 @@ void set_kernel_text_ro(void)
-
+@@ -1119,18 +1146,23 @@ void set_kernel_text_ro(void)
void mark_rodata_ro(void)
{
-+ unsigned long addr;
unsigned long start = PFN_ALIGN(_text);
- unsigned long rodata_start = PFN_ALIGN(__start_rodata);
+#ifdef CONFIG_PAX_KERNEXEC
++ unsigned long addr;
+ unsigned long end = PFN_ALIGN(_sdata);
+ unsigned long text_end = end;
+#else
+ unsigned long rodata_start = PFN_ALIGN(__start_rodata);
unsigned long end = (unsigned long) &__end_rodata_hpage_align;
unsigned long text_end = PFN_ALIGN(&__stop___ex_table);
-+#endif
unsigned long rodata_end = PFN_ALIGN(&__end_rodata);
++#endif
unsigned long all_end;
- printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
- (end - start) >> 10);
-+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", (end - start) >> 10);
- set_memory_ro(start, (end - start) >> PAGE_SHIFT);
-
+- set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+-
kernel_set_to_readonly = 1;
+
++ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", (end - start) >> 10);
++ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
++
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+ * should also be not-executable.
@@ -1156,12 +1188,54 @@ void mark_rodata_ro(void)
set_memory_ro(start, (end-start) >> PAGE_SHIFT);
#endif
@@ -36588,7 +36732,7 @@ index 9c0ff04..9020d5f 100644
return (void *)vaddr;
diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
-index 0d8d53d..5f7315c 100644
+index 0d8d53d..74815a4 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -59,8 +59,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
@@ -36602,6 +36746,15 @@ index 0d8d53d..5f7315c 100644
return 1;
return 0;
+@@ -81,7 +81,7 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
+ * caller shouldn't need to know that small detail.
+ */
+ static void __iomem *__ioremap_caller(resource_size_t phys_addr,
+- unsigned long size, enum page_cache_mode pcm, void *caller)
++ resource_size_t size, enum page_cache_mode pcm, void *caller)
+ {
+ unsigned long offset, vaddr;
+ resource_size_t pfn, last_pfn, last_addr;
@@ -332,7 +332,7 @@ EXPORT_SYMBOL(ioremap_prot);
*
* Caller must ensure there is only one unmapping for the same pointer.
@@ -36876,7 +37029,7 @@ index f70c1ff..fdb449c 100644
unsigned long uninitialized_var(pfn_align);
int i, nid;
diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index 01be9ec..f4643d7 100644
+index 01be9ec..2b8c8c7 100644
--- a/arch/x86/mm/pageattr.c
+++ b/arch/x86/mm/pageattr.c
@@ -258,7 +258,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
@@ -36888,7 +37041,7 @@ index 01be9ec..f4643d7 100644
#endif
/*
-@@ -266,8 +266,8 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
+@@ -266,14 +266,14 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
* Does not cover __inittext since that is gone later on. On
* 64bit we do not enforce !NX on the low mapping
*/
@@ -36899,6 +37052,13 @@ index 01be9ec..f4643d7 100644
/*
* The .rodata section needs to be read-only. Using the pfn
+ * catches all aliases.
+ */
+- if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
++ if (kernel_set_to_readonly && within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
+ __pa_symbol(__end_rodata) >> PAGE_SHIFT))
+ pgprot_val(forbidden) |= _PAGE_RW;
+
@@ -314,6 +314,13 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
}
#endif
@@ -48037,7 +48197,7 @@ index 93ad8a5..48f0a57 100644
-int sis_max_ioctl = ARRAY_SIZE(sis_ioctls);
+const int sis_max_ioctl = ARRAY_SIZE(sis_ioctls);
diff --git a/drivers/gpu/drm/sti/sti_cursor.c b/drivers/gpu/drm/sti/sti_cursor.c
-index 3abb400..4fd8a65 100644
+index 3abb400..47ff1c9 100644
--- a/drivers/gpu/drm/sti/sti_cursor.c
+++ b/drivers/gpu/drm/sti/sti_cursor.c
@@ -131,7 +131,7 @@ static int cursor_dbg_show(struct seq_file *s, void *data)
@@ -48045,7 +48205,7 @@ index 3abb400..4fd8a65 100644
}
-static struct drm_info_list cursor_debugfs_files[] = {
-+static struct drm_info_list cursor_debugfs_files[] __read_only = {
++static drm_info_list_no_const cursor_debugfs_files[] __read_only = {
{ "cursor", cursor_dbg_show, 0, NULL },
};
@@ -48055,14 +48215,13 @@ index 3abb400..4fd8a65 100644
+ pax_open_kernel();
for (i = 0; i < ARRAY_SIZE(cursor_debugfs_files); i++)
-- cursor_debugfs_files[i].data = cursor;
-+ const_cast(cursor_debugfs_files[i].data) = cursor;
+ cursor_debugfs_files[i].data = cursor;
+ pax_close_kernel();
return drm_debugfs_create_files(cursor_debugfs_files,
ARRAY_SIZE(cursor_debugfs_files),
diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c
-index 25f7663..7ea4bf9 100644
+index 25f7663..db8f927 100644
--- a/drivers/gpu/drm/sti/sti_dvo.c
+++ b/drivers/gpu/drm/sti/sti_dvo.c
@@ -197,7 +197,7 @@ static int dvo_dbg_show(struct seq_file *s, void *data)
@@ -48080,16 +48239,42 @@ index 25f7663..7ea4bf9 100644
+ pax_open_kernel();
for (i = 0; i < ARRAY_SIZE(dvo_debugfs_files); i++)
-- dvo_debugfs_files[i].data = dvo;
-+ const_cast(dvo_debugfs_files[i].data) = dvo;
+ dvo_debugfs_files[i].data = dvo;
+ pax_close_kernel();
return drm_debugfs_create_files(dvo_debugfs_files,
ARRAY_SIZE(dvo_debugfs_files),
diff --git a/drivers/gpu/drm/sti/sti_gdp.c b/drivers/gpu/drm/sti/sti_gdp.c
-index ff3d3e7..be8c837 100644
+index ff3d3e7..da4db0f 100644
--- a/drivers/gpu/drm/sti/sti_gdp.c
+++ b/drivers/gpu/drm/sti/sti_gdp.c
+@@ -297,22 +297,22 @@ static int gdp_node_dbg_show(struct seq_file *s, void *arg)
+ return 0;
+ }
+
+-static struct drm_info_list gdp0_debugfs_files[] = {
++static drm_info_list_no_const gdp0_debugfs_files[] __read_only = {
+ { "gdp0", gdp_dbg_show, 0, NULL },
+ { "gdp0_node", gdp_node_dbg_show, 0, NULL },
+ };
+
+-static struct drm_info_list gdp1_debugfs_files[] = {
++static drm_info_list_no_const gdp1_debugfs_files[] __read_only = {
+ { "gdp1", gdp_dbg_show, 0, NULL },
+ { "gdp1_node", gdp_node_dbg_show, 0, NULL },
+ };
+
+-static struct drm_info_list gdp2_debugfs_files[] = {
++static drm_info_list_no_const gdp2_debugfs_files[] __read_only = {
+ { "gdp2", gdp_dbg_show, 0, NULL },
+ { "gdp2_node", gdp_node_dbg_show, 0, NULL },
+ };
+
+-static struct drm_info_list gdp3_debugfs_files[] = {
++static drm_info_list_no_const gdp3_debugfs_files[] __read_only = {
+ { "gdp3", gdp_dbg_show, 0, NULL },
+ { "gdp3_node", gdp_node_dbg_show, 0, NULL },
+ };
@@ -320,7 +320,7 @@ static struct drm_info_list gdp3_debugfs_files[] = {
static int gdp_debugfs_init(struct sti_gdp *gdp, struct drm_minor *minor)
{
@@ -48105,8 +48290,7 @@ index ff3d3e7..be8c837 100644
+ pax_open_kernel();
for (i = 0; i < nb_files; i++)
-- gdp_debugfs_files[i].data = gdp;
-+ const_cast(gdp_debugfs_files[i].data) = gdp;
+ gdp_debugfs_files[i].data = gdp;
+ pax_close_kernel();
return drm_debugfs_create_files(gdp_debugfs_files,
@@ -48137,7 +48321,7 @@ index ec0d017..0fe03fd 100644
return drm_debugfs_create_files(hda_debugfs_files,
ARRAY_SIZE(hda_debugfs_files),
diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c
-index 6ef0715..b5a9e51 100644
+index 6ef0715..dbc27b0 100644
--- a/drivers/gpu/drm/sti/sti_hdmi.c
+++ b/drivers/gpu/drm/sti/sti_hdmi.c
@@ -694,7 +694,7 @@ static int hdmi_dbg_show(struct seq_file *s, void *data)
@@ -48155,8 +48339,7 @@ index 6ef0715..b5a9e51 100644
+ pax_open_kernel();
for (i = 0; i < ARRAY_SIZE(hdmi_debugfs_files); i++)
-- hdmi_debugfs_files[i].data = hdmi;
-+ const_cast(hdmi_debugfs_files[i].data) = hdmi;
+ hdmi_debugfs_files[i].data = hdmi;
+ pax_close_kernel();
return drm_debugfs_create_files(hdmi_debugfs_files,
@@ -48187,10 +48370,23 @@ index e05b0dc..a40a642 100644
return drm_debugfs_create_files(hqvdp_debugfs_files,
ARRAY_SIZE(hqvdp_debugfs_files),
diff --git a/drivers/gpu/drm/sti/sti_mixer.c b/drivers/gpu/drm/sti/sti_mixer.c
-index e7425c3..ce9dada 100644
+index e7425c3..d53380c 100644
--- a/drivers/gpu/drm/sti/sti_mixer.c
+++ b/drivers/gpu/drm/sti/sti_mixer.c
-@@ -190,7 +190,7 @@ static struct drm_info_list mixer1_debugfs_files[] = {
+@@ -179,18 +179,18 @@ static int mixer_dbg_show(struct seq_file *s, void *arg)
+ return 0;
+ }
+
+-static struct drm_info_list mixer0_debugfs_files[] = {
++static drm_info_list_no_const mixer0_debugfs_files[] __read_only = {
+ { "mixer_main", mixer_dbg_show, 0, NULL },
+ };
+
+-static struct drm_info_list mixer1_debugfs_files[] = {
++static drm_info_list_no_const mixer1_debugfs_files[] __read_only = {
+ { "mixer_aux", mixer_dbg_show, 0, NULL },
+ };
+
static int mixer_debugfs_init(struct sti_mixer *mixer, struct drm_minor *minor)
{
unsigned int i;
@@ -48205,8 +48401,7 @@ index e7425c3..ce9dada 100644
+ pax_open_kernel();
for (i = 0; i < nb_files; i++)
-- mixer_debugfs_files[i].data = mixer;
-+ const_cast(mixer_debugfs_files[i].data) = mixer;
+ mixer_debugfs_files[i].data = mixer;
+ pax_close_kernel();
return drm_debugfs_create_files(mixer_debugfs_files,
@@ -48237,7 +48432,7 @@ index 2c99016..62597fd 100644
return drm_debugfs_create_files(tvout_debugfs_files,
ARRAY_SIZE(tvout_debugfs_files),
diff --git a/drivers/gpu/drm/sti/sti_vid.c b/drivers/gpu/drm/sti/sti_vid.c
-index 5a2c5dc..315979b0 100644
+index 5a2c5dc..c4f2be6 100644
--- a/drivers/gpu/drm/sti/sti_vid.c
+++ b/drivers/gpu/drm/sti/sti_vid.c
@@ -125,7 +125,7 @@ static int vid_dbg_show(struct seq_file *s, void *arg)
@@ -48255,8 +48450,7 @@ index 5a2c5dc..315979b0 100644
+ pax_open_kernel();
for (i = 0; i < ARRAY_SIZE(vid_debugfs_files); i++)
-- vid_debugfs_files[i].data = vid;
-+ const_cast(vid_debugfs_files[i].data) = vid;
+ vid_debugfs_files[i].data = vid;
+ pax_close_kernel();
return drm_debugfs_create_files(vid_debugfs_files,
@@ -51999,7 +52193,7 @@ index 6b304eb..6e3a1413 100644
* Theoretically we do not have to handle this IRQ,
* but in Linux this does not cause problems and is
diff --git a/drivers/irqchip/irq-mmp.c b/drivers/irqchip/irq-mmp.c
-index 013fc96..756ae4a 100644
+index 013fc96..36a9a97 100644
--- a/drivers/irqchip/irq-mmp.c
+++ b/drivers/irqchip/irq-mmp.c
@@ -122,7 +122,7 @@ static void icu_unmask_irq(struct irq_data *d)
@@ -52007,7 +52201,7 @@ index 013fc96..756ae4a 100644
}
-struct irq_chip icu_irq_chip = {
-+struct irq_chip icu_irq_chip __read_only = {
++irq_chip_no_const icu_irq_chip __read_only = {
.name = "icu_irq",
.irq_mask = icu_mask_irq,
.irq_mask_ack = icu_mask_ack_irq,
@@ -60975,6 +61169,19 @@ index 4048fc5..333809f 100644
/**
* bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters.
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index c39a7f5..f145270 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -6149,7 +6149,7 @@ init_err_free:
+ * this device has been detected.
+ */
+ static pci_ers_result_t bnxt_io_error_detected(struct pci_dev *pdev,
+- pci_channel_state_t state)
++ enum pci_channel_state state)
+ {
+ struct net_device *netdev = pci_get_drvdata(pdev);
+
diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
index 3010080..49824f1 100644
--- a/drivers/net/ethernet/broadcom/tg3.c
@@ -112642,10 +112849,48 @@ index cc514da..2895466 100644
if (res < 0) {
free_page((unsigned long) buf);
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
-index a4ff5d0..6034cb5 100644
+index a4ff5d0..43d5748 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
-@@ -347,6 +347,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
+@@ -59,16 +59,37 @@ int ovl_setattr(struct dentry *dentry, struct iattr *attr)
+ if (err)
+ goto out;
+
++ if (attr->ia_valid & ATTR_SIZE) {
++ struct inode *realinode = d_inode(ovl_dentry_real(dentry));
++
++ err = -ETXTBSY;
++ if (atomic_read(&realinode->i_writecount) < 0)
++ goto out_drop_write;
++ }
++
+ err = ovl_copy_up(dentry);
+ if (!err) {
++ struct inode *winode = NULL;
++
+ upperdentry = ovl_dentry_upper(dentry);
+
++ if (attr->ia_valid & ATTR_SIZE) {
++ winode = d_inode(upperdentry);
++ err = get_write_access(winode);
++ if (err)
++ goto out_drop_write;
++ }
++
+ inode_lock(upperdentry->d_inode);
+ err = notify_change(upperdentry, attr, NULL);
+ if (!err)
+ ovl_copyattr(upperdentry->d_inode, dentry->d_inode);
+ inode_unlock(upperdentry->d_inode);
++
++ if (winode)
++ put_write_access(winode);
+ }
++out_drop_write:
+ ovl_drop_write(dentry);
+ out:
+ return err;
+@@ -347,6 +368,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
if (d_is_dir(dentry))
return d_backing_inode(dentry);
@@ -112656,7 +112901,7 @@ index a4ff5d0..6034cb5 100644
if (ovl_open_need_copy_up(file_flags, type, realpath.dentry)) {
err = ovl_want_write(dentry);
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
-index 791235e..46ecd93 100644
+index 791235e..f6aecf4 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -194,7 +194,7 @@ void ovl_path_lower(struct dentry *dentry, struct path *path)
@@ -112679,6 +112924,25 @@ index 791235e..46ecd93 100644
struct dentry *root_dentry;
struct ovl_entry *oe;
struct ovl_fs *ufs;
+@@ -1070,11 +1070,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ if (err < 0)
+ goto out_put_workdir;
+
+- if (!err) {
+- pr_err("overlayfs: upper fs needs to support d_type.\n");
+- err = -EINVAL;
+- goto out_put_workdir;
+- }
++ /*
++ * We allowed this configuration and don't want to
++ * break users over kernel upgrade. So warn instead
++ * of erroring out.
++ */
++ if (!err)
++ pr_warn("overlayfs: upper fs needs to support d_type.\n");
+ }
+
+ err = -ENOMEM;
diff --git a/fs/pipe.c b/fs/pipe.c
index 0d3f516..91735ad 100644
--- a/fs/pipe.c
@@ -120479,10 +120743,10 @@ index 0000000..9adc75c
+}
diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c
new file mode 100644
-index 0000000..1a94c11
+index 0000000..8747091
--- /dev/null
+++ b/grsecurity/gracl_cap.c
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,96 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -120493,7 +120757,7 @@ index 0000000..1a94c11
+extern const char *captab_log[];
+extern int captab_log_entries;
+
-+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
++int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap, bool log)
+{
+ struct acl_subject_label *curracl;
+
@@ -120503,7 +120767,8 @@ index 0000000..1a94c11
+ curracl = task->acl;
+
+ if (curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
-+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
++ if (log)
++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
+ task->role->roletype, GR_GLOBAL_UID(cred->uid),
+ GR_GLOBAL_GID(cred->gid), task->exec_file ?
+ gr_to_filename(task->exec_file->f_path.dentry,
@@ -120516,7 +120781,7 @@ index 0000000..1a94c11
+ return 0;
+}
+
-+int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
++int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap, bool log)
+{
+ struct acl_subject_label *curracl;
+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
@@ -120547,7 +120812,7 @@ index 0000000..1a94c11
+ }
+
+ if (!cap_raised(cap_drop, cap)) {
-+ if (cap_raised(cap_audit, cap))
++ if (log && cap_raised(cap_audit, cap))
+ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
+ return 1;
+ }
@@ -120557,10 +120822,10 @@ index 0000000..1a94c11
+ to this rule to ensure any role transition involves what the full-learned
+ policy believes in a privileged process
+ */
-+ if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, cap))
++ if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, cap, log))
+ return 1;
+
-+ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
++ if (log && (cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
+
+ return 0;
@@ -120569,45 +120834,13 @@ index 0000000..1a94c11
+int
+gr_acl_is_capable(const int cap)
+{
-+ return gr_task_acl_is_capable(current, current_cred(), cap);
-+}
-+
-+int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap)
-+{
-+ struct acl_subject_label *curracl;
-+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
-+
-+ if (!gr_acl_is_enabled())
-+ return 1;
-+
-+ curracl = task->acl;
-+
-+ cap_drop = curracl->cap_lower;
-+ cap_mask = curracl->cap_mask;
-+
-+ while ((curracl = curracl->parent_subject)) {
-+ /* if the cap isn't specified in the current computed mask but is specified in the
-+ current level subject, and is lowered in the current level subject, then add
-+ it to the set of dropped capabilities
-+ otherwise, add the current level subject's mask to the current computed mask
-+ */
-+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
-+ cap_raise(cap_mask, cap);
-+ if (cap_raised(curracl->cap_lower, cap))
-+ cap_raise(cap_drop, cap);
-+ }
-+ }
-+
-+ if (!cap_raised(cap_drop, cap))
-+ return 1;
-+
-+ return 0;
++ return gr_task_acl_is_capable(current, current_cred(), cap, true);
+}
+
+int
+gr_acl_is_capable_nolog(const int cap)
+{
-+ return gr_task_acl_is_capable_nolog(current, cap);
++ return gr_task_acl_is_capable(current, current_cred(), cap, false);
+}
+
diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c
@@ -124706,7 +124939,7 @@ index 0000000..1964ab1c
+}
diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
new file mode 100644
-index 0000000..0589fe2
+index 0000000..ba8d997
--- /dev/null
+++ b/grsecurity/grsec_disabled.c
@@ -0,0 +1,445 @@
@@ -124752,7 +124985,7 @@ index 0000000..0589fe2
+}
+
+int
-+gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
++gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap, bool log)
+{
+ return 0;
+}
@@ -125157,10 +125390,10 @@ index 0000000..0589fe2
+#endif
diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
new file mode 100644
-index 0000000..fb7531e
+index 0000000..808006e
--- /dev/null
+++ b/grsecurity/grsec_exec.c
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,188 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -125251,8 +125484,7 @@ index 0000000..fb7531e
+#ifdef CONFIG_GRKERNSEC
+extern int gr_acl_is_capable(const int cap);
+extern int gr_acl_is_capable_nolog(const int cap);
-+extern int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
-+extern int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap);
++extern int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap, bool log);
+extern int gr_chroot_is_capable(const int cap);
+extern int gr_chroot_is_capable_nolog(const int cap);
+extern int gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
@@ -125316,7 +125548,7 @@ index 0000000..fb7531e
+int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
+{
+#ifdef CONFIG_GRKERNSEC
-+ if (gr_task_acl_is_capable(task, cred, cap) && gr_task_chroot_is_capable(task, cred, cap))
++ if (gr_task_acl_is_capable(task, cred, cap, true) && gr_task_chroot_is_capable(task, cred, cap))
+ return 1;
+ return 0;
+#else
@@ -125335,10 +125567,10 @@ index 0000000..fb7531e
+#endif
+}
+
-+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap)
++int gr_task_is_capable_nolog(const struct task_struct *task, const struct cred *cred, const int cap)
+{
+#ifdef CONFIG_GRKERNSEC
-+ if (gr_task_acl_is_capable_nolog(task, cap) && gr_task_chroot_is_capable_nolog(task, cap))
++ if (gr_task_acl_is_capable(task, cred, cap, false) && gr_task_chroot_is_capable_nolog(task, cap))
+ return 1;
+ return 0;
+#else
@@ -131130,7 +131362,7 @@ index 0000000..94ac4d2
+#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..4d5dae0
+index 0000000..749b915
--- /dev/null
+++ b/include/linux/grsecurity.h
@@ -0,0 +1,259 @@
@@ -131180,7 +131412,7 @@ index 0000000..4d5dae0
+int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
+int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs);
+
-+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap);
++int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap, bool log);
+
+void gr_del_task_from_ip_table(struct task_struct *p);
+
@@ -131247,7 +131479,7 @@ index 0000000..4d5dae0
+int gr_is_capable(const int cap);
+int gr_is_capable_nolog(const int cap);
+int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
-+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap);
++int gr_task_is_capable_nolog(const struct task_struct *task, const struct cred *cred, const int cap);
+
+void gr_copy_label(struct task_struct *tsk);
+void gr_handle_crash(struct task_struct *task, const int sig);
@@ -131686,6 +131918,18 @@ index c4de623..8f0044f 100644
/*
* irq_chip specific flags
+diff --git a/include/linux/irqchip/mmp.h b/include/linux/irqchip/mmp.h
+index c78a892..124e0b7 100644
+--- a/include/linux/irqchip/mmp.h
++++ b/include/linux/irqchip/mmp.h
+@@ -1,6 +1,6 @@
+ #ifndef __IRQCHIP_MMP_H
+ #define __IRQCHIP_MMP_H
+
+-extern struct irq_chip icu_irq_chip;
++extern irq_chip_no_const icu_irq_chip;
+
+ #endif /* __IRQCHIP_MMP_H */
diff --git a/include/linux/irqdesc.h b/include/linux/irqdesc.h
index dcca77c..8503b4f 100644
--- a/include/linux/irqdesc.h
@@ -137723,7 +137967,7 @@ index 30f5362..8ed8ac9 100644
void *pmi_pal;
u8 *vbe_state_orig; /*
diff --git a/init/Kconfig b/init/Kconfig
-index 0dfd09d..c18a0e0 100644
+index 0dfd09d..177e567 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -286,7 +286,8 @@ config FHANDLE
@@ -137752,7 +137996,15 @@ index 0dfd09d..c18a0e0 100644
default n
help
Enables additional kernel features in a sake of checkpoint/restore.
-@@ -1699,7 +1702,7 @@ config SLUB_DEBUG
+@@ -1423,6 +1426,7 @@ config KALLSYMS_ALL
+
+ config KALLSYMS_ABSOLUTE_PERCPU
+ bool
++ depends on KALLSYMS
+ default X86_64 && SMP
+
+ config KALLSYMS_BASE_RELATIVE
+@@ -1699,7 +1703,7 @@ config SLUB_DEBUG
config COMPAT_BRK
bool "Disable heap randomization"
@@ -138734,7 +138986,7 @@ index cf5e9f7..81ece72 100644
if (!access_ok(VERIFY_READ, uattr, 1))
return -EFAULT;
diff --git a/kernel/capability.c b/kernel/capability.c
-index 45432b5..988f1e4 100644
+index 45432b5..7d860f7 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -193,6 +193,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
@@ -138766,7 +139018,7 @@ index 45432b5..988f1e4 100644
rcu_read_lock();
- ret = security_capable_noaudit(__task_cred(t), ns, cap);
-+ ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && gr_task_is_capable_nolog(t, cap);
++ ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && gr_task_is_capable_nolog(t, __task_cred(t), cap);
rcu_read_unlock();
- return (ret == 0);
@@ -143691,7 +143943,7 @@ index a467e6c..7743481 100644
.thread_should_run = cpu_stop_should_run,
.thread_fn = cpu_stopper_thread,
diff --git a/kernel/sys.c b/kernel/sys.c
-index cf8ba54..314fca6 100644
+index cf8ba54..196a680 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -160,6 +160,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -143722,7 +143974,7 @@ index cf8ba54..314fca6 100644
+ we may not log a CAP_SETGID check above, e.g.
+ in the case where new rgid = old egid
+ */
-+ gr_learn_cap(current, new, CAP_SETGID);
++ gr_learn_cap(current, new, CAP_SETGID, true);
+ }
+
if (rgid != (gid_t) -1 ||
@@ -143763,7 +144015,7 @@ index cf8ba54..314fca6 100644
+ we may not log a CAP_SETUID check above, e.g.
+ in the case where new ruid = old euid
+ */
-+ gr_learn_cap(current, new, CAP_SETUID);
++ gr_learn_cap(current, new, CAP_SETUID, true);
retval = set_user(new);
if (retval < 0)
goto error;
@@ -156056,6 +156308,19 @@ index e9853df..4b57916 100644
}
int udp4_seq_show(struct seq_file *seq, void *v)
+diff --git a/net/ipv4/xfrm4_mode_beet.c b/net/ipv4/xfrm4_mode_beet.c
+index 71acd00..d2c74ee 100644
+--- a/net/ipv4/xfrm4_mode_beet.c
++++ b/net/ipv4/xfrm4_mode_beet.c
+@@ -36,7 +36,7 @@ static void xfrm4_beet_make_header(struct sk_buff *skb)
+ *
+ * The top IP header will be constructed per draft-nikander-esp-beet-mode-06.txt.
+ */
+-static int xfrm4_beet_output(struct xfrm_state *x, struct sk_buff *skb)
++static int __intentional_overflow(0) xfrm4_beet_output(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ struct ip_beet_phdr *ph;
+ struct iphdr *top_iph;
diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
index fd840c7..b517627 100644
--- a/net/ipv4/xfrm4_mode_transport.c
@@ -156970,6 +157235,19 @@ index f96831d9..dae9a77 100644
icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
kfree_skb(skb);
+diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
+index 1e205c3..d71b846 100644
+--- a/net/ipv6/xfrm6_mode_beet.c
++++ b/net/ipv6/xfrm6_mode_beet.c
+@@ -37,7 +37,7 @@ static void xfrm6_beet_make_header(struct sk_buff *skb)
+ *
+ * The top IP header will be constructed per draft-nikander-esp-beet-mode-06.txt.
+ */
+-static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
++static int __intentional_overflow(0) xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ struct ipv6hdr *top_iph;
+ struct ip_beet_phdr *ph;
diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
index 4e34410..232827a 100644
--- a/net/ipv6/xfrm6_mode_transport.c