authorAnthony G. Basile <blueness@gentoo.org>2012-08-25 17:32:30 -0400
committerAnthony G. Basile <blueness@gentoo.org>2012-08-25 17:32:30 -0400
commit7a1d378a94319f2dd5b0a6e0e60bc22cb4110be7 (patch)
tree5fe4853db7f07dfa2a4651ace6b3f102de88248a
parentGrsec/PaX: 2.9.1-{2.6.32.59,3.2.28,3.5.2}-201208222031 (diff)
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.28,3.5.2}-20120824194320120824
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch)77
-rw-r--r--3.2.28/0000_README2
-rw-r--r--3.2.28/4420_grsecurity-2.9.1-3.2.28-201208232048.patch (renamed from 3.2.28/4420_grsecurity-2.9.1-3.2.28-201208222030.patch)36
-rw-r--r--3.5.2/0000_README2
-rw-r--r--3.5.2/4420_grsecurity-2.9.1-3.5.2-201208241943.patch (renamed from 3.5.2/4420_grsecurity-2.9.1-3.5.2-201208222031.patch)404
6 files changed, 351 insertions, 172 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 24bc841..9c19fa1 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch
index a4b7131..da02455 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208222030.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201208232048.patch
@@ -55117,6 +55117,23 @@ index b38d3b7..b1cff23 100644
{ /* Sometime a Level-One switch card. */
"Winbond W89c840", CanHaveMII | HasBrokenTx | FDXOnNoMII},
{ "Winbond W89c840", CanHaveMII | HasBrokenTx},
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 0f77aca..a69420d 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1121,9 +1121,11 @@ static long tun_chr_ioctl(struct file *file, unsigned int cmd,
+ int sndbuf;
+ int ret;
+
+- if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
++ if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+ if (copy_from_user(&ifr, argp, sizeof ifr))
+ return -EFAULT;
++ } else
++ memset(&ifr, 0, sizeof(ifr));
+
+ if (cmd == TUNGETFEATURES) {
+ /* Currently this just means: "what IFF flags are valid?".
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index f450bc9..2b747c8 100644
--- a/drivers/net/usb/hso.c
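Review bot: The zeroing of `ifr` is added as an `else` branch at lines 53-54, so the struct is initialised on only one of the two paths and the `if` gets braces while the `else` does not; a single `memset(&ifr, 0, sizeof(ifr));` placed before `if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)` covers both paths and leaves the original one-line `if` untouched. The `copy_from_user` overwrites the whole struct on the other path, so the unconditional memset costs nothing there. tun_chr_ioctl starts and ends outside this hunk, so where `ifr` is later copied back to userspace is not visible here.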
@@ -72050,6 +72067,18 @@ index 6c75110..19d2c3c 100644
error = -EFAULT;
return error;
+diff --git a/fs/isofs/export.c b/fs/isofs/export.c
+index e81a305..caec670 100644
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -131,6 +131,7 @@ isofs_export_encode_fh(struct dentry *dentry,
+ len = 3;
+ fh32[0] = ei->i_iget5_block;
+ fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */
++ fh16[3] = 0; /* avoid leaking uninitialized data */
+ fh32[2] = inode->i_generation;
+ if (connectable && !S_ISDIR(inode->i_mode)) {
+ struct inode *parent;
diff --git a/fs/jbd/checkpoint.c b/fs/jbd/checkpoint.c
index b0435dd..81ee0be 100644
--- a/fs/jbd/checkpoint.c
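Review bot: Line 72 zeroes a single 16-bit slot, `fh16[3]`, which closes the gap next to `fh16[2]` for the `len = 3` encoding but says nothing about the `connectable` branch starting at line 74 (its body is outside this hunk) or any other slot of the handle that a path leaves unwritten. Clearing the whole handle buffer once at the top of isofs_export_encode_fh, sized to the maximum encoded length, would remove the need to track each pad slot by hand; that length and the buffer's declaration are not in this hunk, so the exact call cannot be quoted here. The same single-slot fix is repeated in the 3.2.28 hunk at lines 175-193. The function body continues past the end of this hunk.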
@@ -75925,6 +75954,18 @@ index 9215700..bf1f68e 100644
u8 checksum = 0;
int i;
for (i = 0; i < sizeof(struct tag); ++i)
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 21dad8c..b754151 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -1331,6 +1331,7 @@ static int udf_encode_fh(struct dentry *de, __u32 *fh, int *lenp,
+ *lenp = 3;
+ fid->udf.block = location.logicalBlockNum;
+ fid->udf.partref = location.partitionReferenceNum;
++ fid->udf.parent_partref = 0;
+ fid->udf.generation = inode->i_generation;
+
+ if (connectable && !S_ISDIR(inode->i_mode)) {
diff --git a/fs/udf/super.c b/fs/udf/super.c
index ee6b3af..ab17bcd 100644
--- a/fs/udf/super.c
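Review bot: Line 91 clears `fid->udf.parent_partref` only, so any other member of `fid->udf` that the `*lenp = 3` path does not assign, and any compiler-inserted padding, would still reach userspace. Since `fh` is the `__u32 *` output parameter in the signature at line 87 and `*lenp` is set at line 88, `memset(fh, 0, *lenp * sizeof(*fh));` directly after line 88 would clear exactly the words being handed out without enumerating fields. The same single-field fix appears in the 3.2.28 hunk at lines 194-212. udf_encode_fh begins before this hunk and continues after it, so how `fid` relates to `fh` is not visible here.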
@@ -91431,6 +91472,18 @@ index 0000000..3891139
+int do_syslog(int type, char __user *buf, int count, bool from_file);
+
+#endif /* _LINUX_SYSLOG_H */
+diff --git a/include/linux/tfrc.h b/include/linux/tfrc.h
+index 8a8462b..097fe78 100644
+--- a/include/linux/tfrc.h
++++ b/include/linux/tfrc.h
+@@ -50,6 +50,7 @@ struct tfrc_tx_info {
+ __u32 tfrctx_p;
+ __u32 tfrctx_rto;
+ __u32 tfrctx_ipi;
++ __u32 padding;
+ };
+
+ #endif /* _LINUX_TFRC_H_ */
diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index a8cc4e1..98d3b85 100644
--- a/include/linux/thread_info.h
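Review bot: Adding `__u32 padding;` at line 110 to `struct tfrc_tx_info` changes a header under include/linux/ whose contents getsockopt copies to userspace (`len = sizeof(hctx->ccid3hctx_tfrc)` at lines 127-128), so on any ABI where the struct previously had no tail padding — 32-bit x86 aligns 64-bit members to 4 bytes — its size grows by four bytes and the reported length changes. The leak can be closed without touching the ABI by filling a zero-initialised local `struct tfrc_tx_info` member by member from `hctx->ccid3hctx_tfrc` in the getsockopt path and pointing `val` at it; that also covers padding the compiler places anywhere else, and the `.padding = 0` assignment in the ccid3 hunk at lines 117-135 becomes unnecessary. Whether the struct's earlier members (outside this hunk) are 64-bit, and therefore whether tail padding exists at all, is not visible here.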
@@ -103710,6 +103763,18 @@ index facedd2..ab260b0 100644
rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len,
optval, optlen);
return rc;
+diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
+index 34dcc79..ca75875 100644
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -618,6 +618,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len,
+ return -EINVAL;
+ len = sizeof(hctx->ccid3hctx_tfrc);
+ val = &hctx->ccid3hctx_tfrc;
++ hctx->ccid3hctx_tfrc.padding = 0;
+ break;
+ default:
+ return -ENOPROTOOPT;
diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c
index 2036568..c55883d 100644
--- a/net/decnet/sysctl_net_decnet.c
@@ -107019,7 +107084,7 @@ index cb81ca3..e15d49a 100644
goto restart;
}
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
-index b95a2d6..85c4d78 100644
+index b95a2d6..53a422d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1169,6 +1169,8 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
@@ -107031,7 +107096,15 @@ index b95a2d6..85c4d78 100644
if (xp->xfrm_nr == 0)
return 0;
-@@ -1784,6 +1786,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
+@@ -1176,6 +1178,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+ struct xfrm_user_tmpl *up = &vec[i];
+ struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
+
++ memset(up, 0, sizeof(*up));
+ memcpy(&up->id, &kp->id, sizeof(up->id));
+ up->family = kp->encap_family;
+ memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
+@@ -1784,6 +1787,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
int err;
int n = 0;
diff --git a/3.2.28/0000_README b/3.2.28/0000_README
index c88942b..af762d4 100644
--- a/3.2.28/0000_README
+++ b/3.2.28/0000_README
@@ -30,7 +30,7 @@ Patch: 1027_linux-3.2.28.patch
From: http://www.kernel.org
Desc: Linux 3.2.28
-Patch: 4420_grsecurity-2.9.1-3.2.28-201208222030.patch
+Patch: 4420_grsecurity-2.9.1-3.2.28-201208232048.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208222030.patch b/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208232048.patch
index 0f3c55e..3457f14 100644
--- a/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208222030.patch
+++ b/3.2.28/4420_grsecurity-2.9.1-3.2.28-201208232048.patch
@@ -47355,6 +47355,18 @@ index ee4e66b..9a39f9c 100644
wake_up_bit(&inode->i_state, __I_NEW);
spin_unlock(&inode->i_lock);
}
+diff --git a/fs/isofs/export.c b/fs/isofs/export.c
+index dd4687f..e9b81e0 100644
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -135,6 +135,7 @@ isofs_export_encode_fh(struct dentry *dentry,
+ len = 3;
+ fh32[0] = ei->i_iget5_block;
+ fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */
++ fh16[3] = 0; /* avoid leaking uninitialized data */
+ fh32[2] = inode->i_generation;
+ if (connectable && !S_ISDIR(inode->i_mode)) {
+ struct inode *parent;
diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
index e513f19..2ab1351 100644
--- a/fs/jffs2/erase.c
@@ -50547,6 +50559,18 @@ index c175b4d..8f36a16 100644
u8 checksum = 0;
int i;
for (i = 0; i < sizeof(struct tag); ++i)
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 4639e13..71c97fb 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -1293,6 +1293,7 @@ static int udf_encode_fh(struct dentry *de, __u32 *fh, int *lenp,
+ *lenp = 3;
+ fid->udf.block = location.logicalBlockNum;
+ fid->udf.partref = location.partitionReferenceNum;
++ fid->udf.parent_partref = 0;
+ fid->udf.generation = inode->i_generation;
+
+ if (connectable && !S_ISDIR(inode->i_mode)) {
diff --git a/fs/utimes.c b/fs/utimes.c
index ba653f3..06ea4b1 100644
--- a/fs/utimes.c
@@ -80463,6 +80487,18 @@ index 0174034..65eaf78 100644
}
}
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 7cae73e..fe80421 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1401,6 +1401,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+ struct xfrm_user_tmpl *up = &vec[i];
+ struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
+
++ memset(up, 0, sizeof(*up));
+ memcpy(&up->id, &kp->id, sizeof(up->id));
+ up->family = kp->encap_family;
+ memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index d2b366c..2d5a6f8 100644
--- a/scripts/Makefile.build
diff --git a/3.5.2/0000_README b/3.5.2/0000_README
index 268fe76..1900e0a 100644
--- a/3.5.2/0000_README
+++ b/3.5.2/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.5.2-201208222031.patch
+Patch: 4420_grsecurity-2.9.1-3.5.2-201208241943.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208222031.patch b/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208241943.patch
index f04a5aa..8f28b61 100644
--- a/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208222031.patch
+++ b/3.5.2/4420_grsecurity-2.9.1-3.5.2-201208241943.patch
@@ -8606,7 +8606,7 @@ index 673ac9b..7a8c5df 100644
if (err)
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
-index 20e5f7b..eab8751 100644
+index 20e5f7b..f33c779 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -14,8 +14,10 @@
@@ -8666,7 +8666,7 @@ index 20e5f7b..eab8751 100644
movl %ebp,%ebp /* zero extension */
pushq_cfi $__USER32_DS
/*CFI_REL_OFFSET ss,0*/
-@@ -134,22 +156,37 @@ ENTRY(ia32_sysenter_target)
+@@ -134,22 +156,42 @@ ENTRY(ia32_sysenter_target)
CFI_REL_OFFSET rsp,0
pushfq_cfi
/*CFI_REL_OFFSET rflags,0*/
@@ -8686,6 +8686,11 @@ index 20e5f7b..eab8751 100644
cld
SAVE_ARGS 0,1,0
+ pax_enter_kernel_user
++
++#ifdef CONFIG_PAX_RANDKSTACK
++ pax_erase_kstack
++#endif
++
+ /*
+ * No need to follow this irqs on/off section: the syscall
+ * disabled irqs, here we enable it straight after entry:
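Review bot: The three-line block at lines 269-271, `#ifdef CONFIG_PAX_RANDKSTACK` / `pax_erase_kstack` / `#endif`, is pasted verbatim into six entry paths in this commit (also lines 345-356, 409-420, 545-562, 586-598 and 919-937); a single conditional macro defined beside `pax_erase_kstack` that expands to it only under CONFIG_PAX_RANDKSTACK would keep the condition in one place when it next changes. None of the six sites say why the stack is erased on entry in addition to exit, so a one-line comment at that macro's definition would spare the next reader a trip to the Kconfig help. The routine itself is defined under `#ifdef CONFIG_PAX_MEMORY_STACKLEAK` (lines 459-464 and 848-853), so if the lowercase `pax_erase_kstack` expands to nothing without that option, a RANDKSTACK-only build gets no erase at these sites — worth confirming against the Kconfig dependency, which is not part of this commit.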
@@ -8709,7 +8714,7 @@ index 20e5f7b..eab8751 100644
CFI_REMEMBER_STATE
jnz sysenter_tracesys
cmpq $(IA32_NR_syscalls-1),%rax
-@@ -159,12 +196,15 @@ sysenter_do_call:
+@@ -159,12 +201,15 @@ sysenter_do_call:
sysenter_dispatch:
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -8727,7 +8732,7 @@ index 20e5f7b..eab8751 100644
/* clear IF, that popfq doesn't enable interrupts early */
andl $~0x200,EFLAGS-R11(%rsp)
movl RIP-R11(%rsp),%edx /* User %eip */
-@@ -190,6 +230,9 @@ sysexit_from_sys_call:
+@@ -190,6 +235,9 @@ sysexit_from_sys_call:
movl %eax,%esi /* 2nd arg: syscall number */
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
call __audit_syscall_entry
@@ -8737,7 +8742,7 @@ index 20e5f7b..eab8751 100644
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
-@@ -201,7 +244,7 @@ sysexit_from_sys_call:
+@@ -201,7 +249,7 @@ sysexit_from_sys_call:
.endm
.macro auditsys_exit exit
@@ -8746,7 +8751,7 @@ index 20e5f7b..eab8751 100644
jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
sti
-@@ -212,11 +255,12 @@ sysexit_from_sys_call:
+@@ -212,11 +260,12 @@ sysexit_from_sys_call:
1: setbe %al /* 1 if error, 0 if not */
movzbl %al,%edi /* zero-extend that into %edi */
call __audit_syscall_exit
@@ -8760,7 +8765,7 @@ index 20e5f7b..eab8751 100644
jz \exit
CLEAR_RREGS -ARGOFFSET
jmp int_with_check
-@@ -234,7 +278,7 @@ sysexit_audit:
+@@ -234,7 +283,7 @@ sysexit_audit:
sysenter_tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -8769,17 +8774,17 @@ index 20e5f7b..eab8751 100644
jz sysenter_auditsys
#endif
SAVE_REST
-@@ -242,6 +286,9 @@ sysenter_tracesys:
- movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
- movq %rsp,%rdi /* &pt_regs -> arg1 */
- call syscall_trace_enter
+@@ -246,6 +295,9 @@ sysenter_tracesys:
+ RESTORE_REST
+ cmpq $(IA32_NR_syscalls-1),%rax
+ ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
+
+ pax_erase_kstack
+
- LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
- RESTORE_REST
- cmpq $(IA32_NR_syscalls-1),%rax
-@@ -273,19 +320,20 @@ ENDPROC(ia32_sysenter_target)
+ jmp sysenter_do_call
+ CFI_ENDPROC
+ ENDPROC(ia32_sysenter_target)
+@@ -273,19 +325,25 @@ ENDPROC(ia32_sysenter_target)
ENTRY(ia32_cstar_target)
CFI_STARTPROC32 simple
CFI_SIGNAL_FRAME
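Review bot: The `pax_erase_kstack` at line 332 now runs after `RESTORE_REST` and the `cmpq`/`ja int_ret_from_sys_call` bounds check (lines 328-330) instead of directly after `call syscall_trace_enter` (removed lines 324-326 and 334-336), so the bad-syscall-number path taken by `ja` no longer erases at this point; that looks deliberate, since line 1001 shows `int_with_check` in entry_64.S erasing on its exit path, but it holds only if the ia32 `int_ret_from_sys_call` path shares that code, which this commit does not show. Moving the erase past `LOAD_ARGS32` also means it executes with the reloaded syscall arguments live in registers, which is presumably why `pax_erase_kstack` gains an rcx save at lines 855 and 863. The same reordering is applied to `cstar_tracesys` at lines 387-408 and `ia32_tracesys` at lines 425-444. A comment on line 332 such as `/* runs after LOAD_ARGS32: must preserve the argument registers */` would record the new dependency.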
@@ -8793,6 +8798,11 @@ index 20e5f7b..eab8751 100644
movq PER_CPU_VAR(kernel_stack),%rsp
+ SAVE_ARGS 8*6,0,0
+ pax_enter_kernel_user
++
++#ifdef CONFIG_PAX_RANDKSTACK
++ pax_erase_kstack
++#endif
++
/*
* No need to follow this irqs on/off section: the syscall
* disabled irqs and here we enable it straight after entry:
@@ -8802,7 +8812,7 @@ index 20e5f7b..eab8751 100644
movl %eax,%eax /* zero extension */
movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
movq %rcx,RIP-ARGOFFSET(%rsp)
-@@ -301,10 +349,17 @@ ENTRY(ia32_cstar_target)
+@@ -301,10 +359,17 @@ ENTRY(ia32_cstar_target)
/* no need to do an access_ok check here because r8 has been
32bit zero extended */
/* hardware stack frame is complete now */
@@ -8822,7 +8832,7 @@ index 20e5f7b..eab8751 100644
CFI_REMEMBER_STATE
jnz cstar_tracesys
cmpq $IA32_NR_syscalls-1,%rax
-@@ -314,12 +369,15 @@ cstar_do_call:
+@@ -314,12 +379,15 @@ cstar_do_call:
cstar_dispatch:
call *ia32_sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
@@ -8840,7 +8850,7 @@ index 20e5f7b..eab8751 100644
RESTORE_ARGS 0,-ARG_SKIP,0,0,0
movl RIP-ARGOFFSET(%rsp),%ecx
CFI_REGISTER rip,rcx
-@@ -347,7 +405,7 @@ sysretl_audit:
+@@ -347,7 +415,7 @@ sysretl_audit:
cstar_tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -8849,17 +8859,17 @@ index 20e5f7b..eab8751 100644
jz cstar_auditsys
#endif
xchgl %r9d,%ebp
-@@ -356,6 +414,9 @@ cstar_tracesys:
- movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
- movq %rsp,%rdi /* &pt_regs -> arg1 */
- call syscall_trace_enter
+@@ -361,6 +429,9 @@ cstar_tracesys:
+ xchgl %ebp,%r9d
+ cmpq $(IA32_NR_syscalls-1),%rax
+ ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
+
+ pax_erase_kstack
+
- LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
- RESTORE_REST
- xchgl %ebp,%r9d
-@@ -401,19 +462,21 @@ ENTRY(ia32_syscall)
+ jmp cstar_do_call
+ END(ia32_cstar_target)
+
+@@ -401,19 +472,26 @@ ENTRY(ia32_syscall)
CFI_REL_OFFSET rip,RIP-RIP
PARAVIRT_ADJUST_EXCEPTION_FRAME
SWAPGS
@@ -8877,6 +8887,11 @@ index 20e5f7b..eab8751 100644
- orl $TS_COMPAT,TI_status+THREAD_INFO(%rsp,RIP-ARGOFFSET)
- testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
+ pax_enter_kernel_user
++
++#ifdef CONFIG_PAX_RANDKSTACK
++ pax_erase_kstack
++#endif
++
+ /*
+ * No need to follow this irqs on/off section: the syscall
+ * disabled irqs and here we enable it straight after entry:
@@ -8888,16 +8903,16 @@ index 20e5f7b..eab8751 100644
jnz ia32_tracesys
cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
-@@ -432,6 +495,9 @@ ia32_tracesys:
- movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
- movq %rsp,%rdi /* &pt_regs -> arg1 */
- call syscall_trace_enter
+@@ -436,6 +514,9 @@ ia32_tracesys:
+ RESTORE_REST
+ cmpq $(IA32_NR_syscalls-1),%rax
+ ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
+
+ pax_erase_kstack
+
- LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
- RESTORE_REST
- cmpq $(IA32_NR_syscalls-1),%rax
+ jmp ia32_do_call
+ END(ia32_syscall)
+
diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c
index 4540bec..714d913 100644
--- a/arch/x86/ia32/sys_ia32.c
@@ -14825,10 +14840,10 @@ index 9b9f18b..9fcaa04 100644
#include <asm/processor.h>
#include <asm/fcntl.h>
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index 623f288..0683156 100644
+index 623f288..8bdd78a 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
-@@ -176,13 +176,146 @@
+@@ -176,13 +176,153 @@
/*CFI_REL_OFFSET gs, PT_GS*/
.endm
.macro SET_KERNEL_GS reg
@@ -14932,10 +14947,10 @@ index 623f288..0683156 100644
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
+/*
+ * ebp: thread_info
-+ * ecx, edx: can be clobbered
+ */
+ENTRY(pax_erase_kstack)
+ pushl %edi
++ pushl %ecx
+ pushl %eax
+
+ mov TI_lowest_stack(%ebp), %edi
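Review bot: Dropping `* ecx, edx: can be clobbered` at line 462 leaves the header comment documenting only `ebp: thread_info` and nothing about the clobber set, while the new `pushl %ecx`/`popl %ecx` pair (lines 466 and 487) shows that set did change. If %edx is still written in the body (not visible in these hunks) the comment should say `* edx: clobbered`, otherwise `* all other registers preserved`, so callers can rely on it. The entry_64.S version at lines 849-852 removes its comment the same way and saves only rcx (lines 855 and 863), leaving rdx undocumented; since the ia32 tracesys paths now call it after `LOAD_ARGS32` (lines 323-344), where the compat convention would place the third syscall argument in rdx, a silent rdx clobber there would corrupt ptraced syscalls — worth confirming against the body outside these hunks.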
@@ -14959,6 +14974,12 @@ index 623f288..0683156 100644
+2: cld
+ mov %esp, %ecx
+ sub %edi, %ecx
++
++ cmp $THREAD_SIZE_asm, %ecx
++ jb 3f
++ ud2
++3:
++
+ shr $2, %ecx
+ rep stosl
+
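Review bot: The new guard at lines 475-478 traps via `ud2` when the byte count in %ecx (computed as %esp minus %edi at lines 472-473) is not below `THREAD_SIZE_asm`, but nothing says why; a comment such as `/* erase length must fit the thread stack; more means TI_lowest_stack is corrupt or above %esp */` would mark this as a deliberate BUG-style trap rather than a leftover. Because the subtraction is unsigned, a %edi above %esp wraps to a huge count and is caught by the same `jb`, which the comment should state too. The entry_64.S `pax_erase_kstack` hunks in this commit (lines 845-866) show no equivalent check; if it has none outside the visible lines, the two implementations now differ in a safety property.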
@@ -14967,6 +14988,7 @@ index 623f288..0683156 100644
+ mov %edi, TI_lowest_stack(%ebp)
+
+ popl %eax
++ popl %ecx
+ popl %edi
+ ret
+ENDPROC(pax_erase_kstack)
@@ -14976,7 +14998,7 @@ index 623f288..0683156 100644
cld
PUSH_GS
pushl_cfi %fs
-@@ -205,7 +338,7 @@
+@@ -205,7 +345,7 @@
CFI_REL_OFFSET ecx, 0
pushl_cfi %ebx
CFI_REL_OFFSET ebx, 0
@@ -14985,7 +15007,7 @@ index 623f288..0683156 100644
movl %edx, %ds
movl %edx, %es
movl $(__KERNEL_PERCPU), %edx
-@@ -213,6 +346,15 @@
+@@ -213,6 +353,15 @@
SET_KERNEL_GS %edx
.endm
@@ -15001,7 +15023,7 @@ index 623f288..0683156 100644
.macro RESTORE_INT_REGS
popl_cfi %ebx
CFI_RESTORE ebx
-@@ -296,7 +438,7 @@ ENTRY(ret_from_fork)
+@@ -296,7 +445,7 @@ ENTRY(ret_from_fork)
popfl_cfi
jmp syscall_exit
CFI_ENDPROC
@@ -15010,7 +15032,7 @@ index 623f288..0683156 100644
/*
* Interrupt exit functions should be protected against kprobes
-@@ -329,7 +471,15 @@ ret_from_intr:
+@@ -329,7 +478,15 @@ ret_from_intr:
andl $SEGMENT_RPL_MASK, %eax
#endif
cmpl $USER_RPL, %eax
@@ -15026,7 +15048,7 @@ index 623f288..0683156 100644
ENTRY(resume_userspace)
LOCKDEP_SYS_EXIT
-@@ -341,8 +491,8 @@ ENTRY(resume_userspace)
+@@ -341,8 +498,8 @@ ENTRY(resume_userspace)
andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
# int/exception return?
jne work_pending
@@ -15037,7 +15059,7 @@ index 623f288..0683156 100644
#ifdef CONFIG_PREEMPT
ENTRY(resume_kernel)
-@@ -357,7 +507,7 @@ need_resched:
+@@ -357,7 +514,7 @@ need_resched:
jz restore_all
call preempt_schedule_irq
jmp need_resched
@@ -15046,7 +15068,7 @@ index 623f288..0683156 100644
#endif
CFI_ENDPROC
/*
-@@ -391,23 +541,34 @@ sysenter_past_esp:
+@@ -391,28 +548,43 @@ sysenter_past_esp:
/*CFI_REL_OFFSET cs, 0*/
/*
* Push current_thread_info()->sysenter_return to the stack.
@@ -15084,7 +15106,16 @@ index 623f288..0683156 100644
movl %ebp,PT_EBP(%esp)
_ASM_EXTABLE(1b,syscall_fault)
-@@ -427,12 +588,24 @@ sysenter_do_call:
+ GET_THREAD_INFO(%ebp)
+
++#ifdef CONFIG_PAX_RANDKSTACK
++ pax_erase_kstack
++#endif
++
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
+ jnz sysenter_audit
+ sysenter_do_call:
+@@ -427,12 +599,24 @@ sysenter_do_call:
testl $_TIF_ALLWORK_MASK, %ecx
jne sysexit_audit
sysenter_exit:
@@ -15109,7 +15140,7 @@ index 623f288..0683156 100644
PTGS_TO_GS
ENABLE_INTERRUPTS_SYSEXIT
-@@ -449,6 +622,9 @@ sysenter_audit:
+@@ -449,6 +633,9 @@ sysenter_audit:
movl %eax,%edx /* 2nd arg: syscall number */
movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
call __audit_syscall_entry
@@ -15119,7 +15150,7 @@ index 623f288..0683156 100644
pushl_cfi %ebx
movl PT_EAX(%esp),%eax /* reload syscall number */
jmp sysenter_do_call
-@@ -474,10 +650,16 @@ sysexit_audit:
+@@ -474,10 +661,16 @@ sysexit_audit:
CFI_ENDPROC
.pushsection .fixup,"ax"
@@ -15138,7 +15169,19 @@ index 623f288..0683156 100644
PTGS_TO_GS_EX
ENDPROC(ia32_sysenter_target)
-@@ -509,6 +691,15 @@ syscall_exit:
+@@ -491,6 +684,11 @@ ENTRY(system_call)
+ pushl_cfi %eax # save orig_eax
+ SAVE_ALL
+ GET_THREAD_INFO(%ebp)
++
++#ifdef CONFIG_PAX_RANDKSTACK
++ pax_erase_kstack
++#endif
++
+ # system call tracing in operation / emulation
+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
+ jnz syscall_trace_entry
+@@ -509,6 +707,15 @@ syscall_exit:
testl $_TIF_ALLWORK_MASK, %ecx # current->work
jne syscall_exit_work
@@ -15154,7 +15197,7 @@ index 623f288..0683156 100644
restore_all:
TRACE_IRQS_IRET
restore_all_notrace:
-@@ -565,14 +756,34 @@ ldt_ss:
+@@ -565,14 +772,34 @@ ldt_ss:
* compensating for the offset by changing to the ESPFIX segment with
* a base address that matches for the difference.
*/
@@ -15192,7 +15235,7 @@ index 623f288..0683156 100644
pushl_cfi $__ESPFIX_SS
pushl_cfi %eax /* new kernel esp */
/* Disable interrupts, but do not irqtrace this section: we
-@@ -601,35 +812,23 @@ work_resched:
+@@ -601,35 +828,23 @@ work_resched:
movl TI_flags(%ebp), %ecx
andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
# than syscall tracing?
@@ -15232,7 +15275,7 @@ index 623f288..0683156 100644
#endif
TRACE_IRQS_ON
ENABLE_INTERRUPTS(CLBR_NONE)
-@@ -640,7 +839,7 @@ work_notifysig_v86:
+@@ -640,7 +855,7 @@ work_notifysig_v86:
xorl %edx, %edx
call do_notify_resume
jmp resume_userspace
@@ -15241,7 +15284,7 @@ index 623f288..0683156 100644
# perform syscall exit tracing
ALIGN
-@@ -648,11 +847,14 @@ syscall_trace_entry:
+@@ -648,11 +863,14 @@ syscall_trace_entry:
movl $-ENOSYS,PT_EAX(%esp)
movl %esp, %eax
call syscall_trace_enter
@@ -15257,7 +15300,7 @@ index 623f288..0683156 100644
# perform syscall exit tracing
ALIGN
-@@ -665,20 +867,24 @@ syscall_exit_work:
+@@ -665,20 +883,24 @@ syscall_exit_work:
movl %esp, %eax
call syscall_trace_leave
jmp resume_userspace
@@ -15285,7 +15328,7 @@ index 623f288..0683156 100644
CFI_ENDPROC
/*
* End of kprobes section
-@@ -750,6 +956,36 @@ ENTRY(ptregs_clone)
+@@ -750,6 +972,36 @@ ENTRY(ptregs_clone)
CFI_ENDPROC
ENDPROC(ptregs_clone)
@@ -15322,7 +15365,7 @@ index 623f288..0683156 100644
.macro FIXUP_ESPFIX_STACK
/*
* Switch back for ESPFIX stack to the normal zerobased stack
-@@ -759,8 +995,15 @@ ENDPROC(ptregs_clone)
+@@ -759,8 +1011,15 @@ ENDPROC(ptregs_clone)
* normal stack and adjusts ESP with the matching offset.
*/
/* fixup the stack */
@@ -15340,7 +15383,7 @@ index 623f288..0683156 100644
shl $16, %eax
addl %esp, %eax /* the adjusted stack pointer */
pushl_cfi $__KERNEL_DS
-@@ -813,7 +1056,7 @@ vector=vector+1
+@@ -813,7 +1072,7 @@ vector=vector+1
.endr
2: jmp common_interrupt
.endr
@@ -15349,7 +15392,7 @@ index 623f288..0683156 100644
.previous
END(interrupt)
-@@ -861,7 +1104,7 @@ ENTRY(coprocessor_error)
+@@ -861,7 +1120,7 @@ ENTRY(coprocessor_error)
pushl_cfi $do_coprocessor_error
jmp error_code
CFI_ENDPROC
@@ -15358,7 +15401,7 @@ index 623f288..0683156 100644
ENTRY(simd_coprocessor_error)
RING0_INT_FRAME
-@@ -882,7 +1125,7 @@ ENTRY(simd_coprocessor_error)
+@@ -882,7 +1141,7 @@ ENTRY(simd_coprocessor_error)
#endif
jmp error_code
CFI_ENDPROC
@@ -15367,7 +15410,7 @@ index 623f288..0683156 100644
ENTRY(device_not_available)
RING0_INT_FRAME
-@@ -890,18 +1133,18 @@ ENTRY(device_not_available)
+@@ -890,18 +1149,18 @@ ENTRY(device_not_available)
pushl_cfi $do_device_not_available
jmp error_code
CFI_ENDPROC
@@ -15389,7 +15432,7 @@ index 623f288..0683156 100644
#endif
ENTRY(overflow)
-@@ -910,7 +1153,7 @@ ENTRY(overflow)
+@@ -910,7 +1169,7 @@ ENTRY(overflow)
pushl_cfi $do_overflow
jmp error_code
CFI_ENDPROC
@@ -15398,7 +15441,7 @@ index 623f288..0683156 100644
ENTRY(bounds)
RING0_INT_FRAME
-@@ -918,7 +1161,7 @@ ENTRY(bounds)
+@@ -918,7 +1177,7 @@ ENTRY(bounds)
pushl_cfi $do_bounds
jmp error_code
CFI_ENDPROC
@@ -15407,7 +15450,7 @@ index 623f288..0683156 100644
ENTRY(invalid_op)
RING0_INT_FRAME
-@@ -926,7 +1169,7 @@ ENTRY(invalid_op)
+@@ -926,7 +1185,7 @@ ENTRY(invalid_op)
pushl_cfi $do_invalid_op
jmp error_code
CFI_ENDPROC
@@ -15416,7 +15459,7 @@ index 623f288..0683156 100644
ENTRY(coprocessor_segment_overrun)
RING0_INT_FRAME
-@@ -934,35 +1177,35 @@ ENTRY(coprocessor_segment_overrun)
+@@ -934,35 +1193,35 @@ ENTRY(coprocessor_segment_overrun)
pushl_cfi $do_coprocessor_segment_overrun
jmp error_code
CFI_ENDPROC
@@ -15457,7 +15500,7 @@ index 623f288..0683156 100644
ENTRY(divide_error)
RING0_INT_FRAME
-@@ -970,7 +1213,7 @@ ENTRY(divide_error)
+@@ -970,7 +1229,7 @@ ENTRY(divide_error)
pushl_cfi $do_divide_error
jmp error_code
CFI_ENDPROC
@@ -15466,7 +15509,7 @@ index 623f288..0683156 100644
#ifdef CONFIG_X86_MCE
ENTRY(machine_check)
-@@ -979,7 +1222,7 @@ ENTRY(machine_check)
+@@ -979,7 +1238,7 @@ ENTRY(machine_check)
pushl_cfi machine_check_vector
jmp error_code
CFI_ENDPROC
@@ -15475,7 +15518,7 @@ index 623f288..0683156 100644
#endif
ENTRY(spurious_interrupt_bug)
-@@ -988,7 +1231,7 @@ ENTRY(spurious_interrupt_bug)
+@@ -988,7 +1247,7 @@ ENTRY(spurious_interrupt_bug)
pushl_cfi $do_spurious_interrupt_bug
jmp error_code
CFI_ENDPROC
@@ -15484,7 +15527,7 @@ index 623f288..0683156 100644
/*
* End of kprobes section
*/
-@@ -1100,7 +1343,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK,
+@@ -1100,7 +1359,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector, XEN_HVM_EVTCHN_CALLBACK,
ENTRY(mcount)
ret
@@ -15493,7 +15536,7 @@ index 623f288..0683156 100644
ENTRY(ftrace_caller)
cmpl $0, function_trace_stop
-@@ -1129,7 +1372,7 @@ ftrace_graph_call:
+@@ -1129,7 +1388,7 @@ ftrace_graph_call:
.globl ftrace_stub
ftrace_stub:
ret
@@ -15502,7 +15545,7 @@ index 623f288..0683156 100644
#else /* ! CONFIG_DYNAMIC_FTRACE */
-@@ -1165,7 +1408,7 @@ trace:
+@@ -1165,7 +1424,7 @@ trace:
popl %ecx
popl %eax
jmp ftrace_stub
@@ -15511,7 +15554,7 @@ index 623f288..0683156 100644
#endif /* CONFIG_DYNAMIC_FTRACE */
#endif /* CONFIG_FUNCTION_TRACER */
-@@ -1186,7 +1429,7 @@ ENTRY(ftrace_graph_caller)
+@@ -1186,7 +1445,7 @@ ENTRY(ftrace_graph_caller)
popl %ecx
popl %eax
ret
@@ -15520,7 +15563,7 @@ index 623f288..0683156 100644
.globl return_to_handler
return_to_handler:
-@@ -1241,15 +1484,18 @@ error_code:
+@@ -1241,15 +1500,18 @@ error_code:
movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
REG_TO_PTGS %ecx
SET_KERNEL_GS %ecx
@@ -15541,7 +15584,7 @@ index 623f288..0683156 100644
/*
* Debug traps and NMI can happen at the one SYSENTER instruction
-@@ -1291,7 +1537,7 @@ debug_stack_correct:
+@@ -1291,7 +1553,7 @@ debug_stack_correct:
call do_debug
jmp ret_from_exception
CFI_ENDPROC
@@ -15550,7 +15593,7 @@ index 623f288..0683156 100644
/*
* NMI is doubly nasty. It can happen _while_ we're handling
-@@ -1328,6 +1574,9 @@ nmi_stack_correct:
+@@ -1328,6 +1590,9 @@ nmi_stack_correct:
xorl %edx,%edx # zero error code
movl %esp,%eax # pt_regs pointer
call do_nmi
@@ -15560,7 +15603,7 @@ index 623f288..0683156 100644
jmp restore_all_notrace
CFI_ENDPROC
-@@ -1364,12 +1613,15 @@ nmi_espfix_stack:
+@@ -1364,12 +1629,15 @@ nmi_espfix_stack:
FIXUP_ESPFIX_STACK # %eax == %esp
xorl %edx,%edx # zero error code
call do_nmi
@@ -15577,7 +15620,7 @@ index 623f288..0683156 100644
ENTRY(int3)
RING0_INT_FRAME
-@@ -1381,14 +1633,14 @@ ENTRY(int3)
+@@ -1381,14 +1649,14 @@ ENTRY(int3)
call do_int3
jmp ret_from_exception
CFI_ENDPROC
@@ -15594,7 +15637,7 @@ index 623f288..0683156 100644
#ifdef CONFIG_KVM_GUEST
ENTRY(async_page_fault)
-@@ -1396,7 +1648,7 @@ ENTRY(async_page_fault)
+@@ -1396,7 +1664,7 @@ ENTRY(async_page_fault)
pushl_cfi $do_async_page_fault
jmp error_code
CFI_ENDPROC
@@ -15604,7 +15647,7 @@ index 623f288..0683156 100644
/*
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 7d65133..27bce5b 100644
+index 7d65133..c888d5f 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -57,6 +57,8 @@
@@ -15680,7 +15723,7 @@ index 7d65133..27bce5b 100644
jmp *%rdi
#endif
-@@ -180,6 +188,282 @@ ENTRY(native_usergs_sysret64)
+@@ -180,6 +188,280 @@ ENTRY(native_usergs_sysret64)
ENDPROC(native_usergs_sysret64)
#endif /* CONFIG_PARAVIRT */
@@ -15909,12 +15952,9 @@ index 7d65133..27bce5b 100644
+.endm
+
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
-+/*
-+ * r11: thread_info
-+ * rcx, rdx: can be clobbered
-+ */
+ENTRY(pax_erase_kstack)
+ pushq %rdi
++ pushq %rcx
+ pushq %rax
+ pushq %r11
+
@@ -15955,6 +15995,7 @@ index 7d65133..27bce5b 100644
+
+ popq %r11
+ popq %rax
++ popq %rcx
+ popq %rdi
+ pax_force_retaddr
+ ret
@@ -15963,7 +16004,7 @@ index 7d65133..27bce5b 100644
.macro TRACE_IRQS_IRETQ offset=ARGOFFSET
#ifdef CONFIG_TRACE_IRQFLAGS
-@@ -271,8 +555,8 @@ ENDPROC(native_usergs_sysret64)
+@@ -271,8 +553,8 @@ ENDPROC(native_usergs_sysret64)
.endm
.macro UNFAKE_STACK_FRAME
@@ -15974,7 +16015,7 @@ index 7d65133..27bce5b 100644
.endm
/*
-@@ -359,7 +643,7 @@ ENDPROC(native_usergs_sysret64)
+@@ -359,7 +641,7 @@ ENDPROC(native_usergs_sysret64)
movq %rsp, %rsi
leaq -RBP(%rsp),%rdi /* arg1 for handler */
@@ -15983,7 +16024,7 @@ index 7d65133..27bce5b 100644
je 1f
SWAPGS
/*
-@@ -394,9 +678,10 @@ ENTRY(save_rest)
+@@ -394,9 +676,10 @@ ENTRY(save_rest)
movq_cfi r15, R15+16
movq %r11, 8(%rsp) /* return address */
FIXUP_TOP_OF_STACK %r11, 16
@@ -15995,7 +16036,7 @@ index 7d65133..27bce5b 100644
/* save complete stack frame */
.pushsection .kprobes.text, "ax"
-@@ -425,9 +710,10 @@ ENTRY(save_paranoid)
+@@ -425,9 +708,10 @@ ENTRY(save_paranoid)
js 1f /* negative -> in kernel */
SWAPGS
xorl %ebx,%ebx
@@ -16008,7 +16049,7 @@ index 7d65133..27bce5b 100644
.popsection
/*
-@@ -449,7 +735,7 @@ ENTRY(ret_from_fork)
+@@ -449,7 +733,7 @@ ENTRY(ret_from_fork)
RESTORE_REST
@@ -16017,7 +16058,7 @@ index 7d65133..27bce5b 100644
jz retint_restore_args
testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
-@@ -459,7 +745,7 @@ ENTRY(ret_from_fork)
+@@ -459,7 +743,7 @@ ENTRY(ret_from_fork)
jmp ret_from_sys_call # go to the SYSRET fastpath
CFI_ENDPROC
@@ -16026,7 +16067,7 @@ index 7d65133..27bce5b 100644
/*
* System call entry. Up to 6 arguments in registers are supported.
-@@ -495,7 +781,7 @@ END(ret_from_fork)
+@@ -495,7 +779,7 @@ END(ret_from_fork)
ENTRY(system_call)
CFI_STARTPROC simple
CFI_SIGNAL_FRAME
@@ -16035,12 +16076,17 @@ index 7d65133..27bce5b 100644
CFI_REGISTER rip,rcx
/*CFI_REGISTER rflags,r11*/
SWAPGS_UNSAFE_STACK
-@@ -508,16 +794,18 @@ GLOBAL(system_call_after_swapgs)
+@@ -508,16 +792,23 @@ GLOBAL(system_call_after_swapgs)
movq %rsp,PER_CPU_VAR(old_rsp)
movq PER_CPU_VAR(kernel_stack),%rsp
+ SAVE_ARGS 8*6,0
+ pax_enter_kernel_user
++
++#ifdef CONFIG_PAX_RANDKSTACK
++ pax_erase_kstack
++#endif
++
/*
* No need to follow this irqs off/on section - it's straight
* and short:
@@ -16056,7 +16102,7 @@ index 7d65133..27bce5b 100644
jnz tracesys
system_call_fastpath:
#if __SYSCALL_MASK == ~0
-@@ -527,7 +815,7 @@ system_call_fastpath:
+@@ -527,7 +818,7 @@ system_call_fastpath:
cmpl $__NR_syscall_max,%eax
#endif
ja badsys
@@ -16065,7 +16111,7 @@ index 7d65133..27bce5b 100644
call *sys_call_table(,%rax,8) # XXX: rip relative
movq %rax,RAX-ARGOFFSET(%rsp)
/*
-@@ -541,10 +829,13 @@ sysret_check:
+@@ -541,10 +832,13 @@ sysret_check:
LOCKDEP_SYS_EXIT
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
@@ -16080,7 +16126,7 @@ index 7d65133..27bce5b 100644
/*
* sysretq will re-enable interrupts:
*/
-@@ -596,14 +887,18 @@ badsys:
+@@ -596,14 +890,18 @@ badsys:
* jump back to the normal fast path.
*/
auditsys:
@@ -16100,7 +16146,7 @@ index 7d65133..27bce5b 100644
jmp system_call_fastpath
/*
-@@ -624,7 +919,7 @@ sysret_audit:
+@@ -624,7 +922,7 @@ sysret_audit:
/* Do syscall tracing */
tracesys:
#ifdef CONFIG_AUDITSYSCALL
@@ -16109,7 +16155,7 @@ index 7d65133..27bce5b 100644
jz auditsys
#endif
SAVE_REST
-@@ -632,12 +927,16 @@ tracesys:
+@@ -632,12 +930,16 @@ tracesys:
FIXUP_TOP_OF_STACK %rdi
movq %rsp,%rdi
call syscall_trace_enter
@@ -16126,7 +16172,7 @@ index 7d65133..27bce5b 100644
RESTORE_REST
#if __SYSCALL_MASK == ~0
cmpq $__NR_syscall_max,%rax
-@@ -646,7 +945,7 @@ tracesys:
+@@ -646,7 +948,7 @@ tracesys:
cmpl $__NR_syscall_max,%eax
#endif
ja int_ret_from_sys_call /* RAX(%rsp) set to -ENOSYS above */
@@ -16135,15 +16181,18 @@ index 7d65133..27bce5b 100644
call *sys_call_table(,%rax,8)
movq %rax,RAX-ARGOFFSET(%rsp)
/* Use IRET because user could have changed frame */
-@@ -667,6 +966,7 @@ GLOBAL(int_with_check)
+@@ -667,7 +969,9 @@ GLOBAL(int_with_check)
andl %edi,%edx
jnz int_careful
andl $~TS_COMPAT,TI_status(%rcx)
+- jmp retint_swapgs
++ pax_exit_kernel_user
+ pax_erase_kstack
- jmp retint_swapgs
++ jmp retint_swapgs_pax
/* Either reschedule or signal or syscall exit tracking needed. */
-@@ -713,7 +1013,7 @@ int_restore_rest:
+ /* First do a reschedule test. */
+@@ -713,7 +1017,7 @@ int_restore_rest:
TRACE_IRQS_OFF
jmp int_with_check
CFI_ENDPROC
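Review bot: The rewritten exit sequence in int_with_check (`pax_exit_kernel_user`, `pax_erase_kstack`, `jmp retint_swapgs_pax`) bypasses the `DISABLE_INTERRUPTS(CLBR_ANY)` that the old `jmp retint_swapgs` target executed before its own `pax_exit_kernel_user`, so it is only correct if int_with_check is always reached with interrupts already off; that invariant is established by int_ret_from_sys_call, outside this hunk, and nothing in the new lines records it. The order is also reversed relative to the previous patch version, which erased the stack first and let retint_swapgs perform the exit, so the scrub now runs after the kernel/user state switch — fine if pax_erase_kstack needs nothing that pax_exit_kernel_user tears down, which cannot be confirmed from here. I would add above the three new lines `/* irqs already off here; do the PaX exit and stack scrub ourselves and enter retint_swapgs past its copy via retint_swapgs_pax */`. GLOBAL(int_with_check) and the enclosing function extend beyond this hunk on both sides.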
@@ -16152,7 +16201,7 @@ index 7d65133..27bce5b 100644
/*
* Certain special system calls that need to save a complete full stack frame.
-@@ -729,7 +1029,7 @@ ENTRY(\label)
+@@ -729,7 +1033,7 @@ ENTRY(\label)
call \func
jmp ptregscall_common
CFI_ENDPROC
@@ -16161,7 +16210,7 @@ index 7d65133..27bce5b 100644
.endm
PTREGSCALL stub_clone, sys_clone, %r8
-@@ -747,9 +1047,10 @@ ENTRY(ptregscall_common)
+@@ -747,9 +1051,10 @@ ENTRY(ptregscall_common)
movq_cfi_restore R12+8, r12
movq_cfi_restore RBP+8, rbp
movq_cfi_restore RBX+8, rbx
@@ -16173,7 +16222,7 @@ index 7d65133..27bce5b 100644
ENTRY(stub_execve)
CFI_STARTPROC
-@@ -764,7 +1065,7 @@ ENTRY(stub_execve)
+@@ -764,7 +1069,7 @@ ENTRY(stub_execve)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -16182,7 +16231,7 @@ index 7d65133..27bce5b 100644
/*
* sigreturn is special because it needs to restore all registers on return.
-@@ -782,7 +1083,7 @@ ENTRY(stub_rt_sigreturn)
+@@ -782,7 +1087,7 @@ ENTRY(stub_rt_sigreturn)
RESTORE_REST
jmp int_ret_from_sys_call
CFI_ENDPROC
@@ -16191,7 +16240,7 @@ index 7d65133..27bce5b 100644
#ifdef CONFIG_X86_X32_ABI
PTREGSCALL stub_x32_sigaltstack, sys32_sigaltstack, %rdx
-@@ -851,7 +1152,7 @@ vector=vector+1
+@@ -851,7 +1156,7 @@ vector=vector+1
2: jmp common_interrupt
.endr
CFI_ENDPROC
@@ -16200,7 +16249,7 @@ index 7d65133..27bce5b 100644
.previous
END(interrupt)
-@@ -871,6 +1172,16 @@ END(interrupt)
+@@ -871,6 +1176,16 @@ END(interrupt)
subq $ORIG_RAX-RBP, %rsp
CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
SAVE_ARGS_IRQ
@@ -16217,7 +16266,7 @@ index 7d65133..27bce5b 100644
call \func
.endm
-@@ -902,7 +1213,7 @@ ret_from_intr:
+@@ -902,7 +1217,7 @@ ret_from_intr:
exit_intr:
GET_THREAD_INFO(%rcx)
@@ -16226,11 +16275,12 @@ index 7d65133..27bce5b 100644
je retint_kernel
/* Interrupt came from user space */
-@@ -924,12 +1235,15 @@ retint_swapgs: /* return to user-space */
+@@ -924,12 +1239,16 @@ retint_swapgs: /* return to user-space */
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel_user
++retint_swapgs_pax:
TRACE_IRQS_IRETQ
SWAPGS
jmp restore_args
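Review bot: The new `retint_swapgs_pax:` label sits after both `DISABLE_INTERRUPTS(CLBR_ANY)` and `pax_exit_kernel_user`, so every jump to it silently inherits two preconditions — interrupts disabled and the PaX kernel-exit already performed — and nothing at the label states them. Within this patch its only user appears to be the int_with_check exit path, which runs its own `pax_exit_kernel_user` first; a future caller jumping here directly would reach SWAPGS and the iretq path with the PaX exit skipped. I would annotate it: `retint_swapgs_pax: /* for callers that have already disabled irqs and run pax_exit_kernel_user */`. The retint_swapgs block starts before this hunk.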
@@ -16242,7 +16292,7 @@ index 7d65133..27bce5b 100644
/*
* The iretq could re-enable interrupts:
*/
-@@ -1012,7 +1326,7 @@ ENTRY(retint_kernel)
+@@ -1012,7 +1331,7 @@ ENTRY(retint_kernel)
#endif
CFI_ENDPROC
@@ -16251,7 +16301,7 @@ index 7d65133..27bce5b 100644
/*
* End of kprobes section
*/
-@@ -1029,7 +1343,7 @@ ENTRY(\sym)
+@@ -1029,7 +1348,7 @@ ENTRY(\sym)
interrupt \do_sym
jmp ret_from_intr
CFI_ENDPROC
@@ -16260,7 +16310,7 @@ index 7d65133..27bce5b 100644
.endm
#ifdef CONFIG_SMP
-@@ -1102,12 +1416,22 @@ ENTRY(\sym)
+@@ -1102,12 +1421,22 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -16284,7 +16334,7 @@ index 7d65133..27bce5b 100644
.endm
.macro paranoidzeroentry sym do_sym
-@@ -1119,15 +1443,25 @@ ENTRY(\sym)
+@@ -1119,15 +1448,25 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF
@@ -16312,7 +16362,7 @@ index 7d65133..27bce5b 100644
.macro paranoidzeroentry_ist sym do_sym ist
ENTRY(\sym)
INTR_FRAME
-@@ -1137,14 +1471,30 @@ ENTRY(\sym)
+@@ -1137,14 +1476,30 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF_DEBUG
@@ -16344,7 +16394,7 @@ index 7d65133..27bce5b 100644
.endm
.macro errorentry sym do_sym
-@@ -1155,13 +1505,23 @@ ENTRY(\sym)
+@@ -1155,13 +1510,23 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -16369,7 +16419,7 @@ index 7d65133..27bce5b 100644
.endm
/* error code is on the stack already */
-@@ -1174,13 +1534,23 @@ ENTRY(\sym)
+@@ -1174,13 +1539,23 @@ ENTRY(\sym)
call save_paranoid
DEFAULT_FRAME 0
TRACE_IRQS_OFF
@@ -16394,7 +16444,7 @@ index 7d65133..27bce5b 100644
.endm
zeroentry divide_error do_divide_error
-@@ -1210,9 +1580,10 @@ gs_change:
+@@ -1210,9 +1585,10 @@ gs_change:
2: mfence /* workaround */
SWAPGS
popfq_cfi
@@ -16406,7 +16456,7 @@ index 7d65133..27bce5b 100644
_ASM_EXTABLE(gs_change,bad_gs)
.section .fixup,"ax"
-@@ -1231,13 +1602,14 @@ ENTRY(kernel_thread_helper)
+@@ -1231,13 +1607,14 @@ ENTRY(kernel_thread_helper)
* Here we are in the child and the registers are set as they were
* at kernel_thread() invocation in the parent.
*/
@@ -16422,7 +16472,7 @@ index 7d65133..27bce5b 100644
/*
* execve(). This function needs to use IRET, not SYSRET, to set up all state properly.
-@@ -1264,11 +1636,11 @@ ENTRY(kernel_execve)
+@@ -1264,11 +1641,11 @@ ENTRY(kernel_execve)
RESTORE_REST
testq %rax,%rax
je int_ret_from_sys_call
@@ -16436,7 +16486,7 @@ index 7d65133..27bce5b 100644
/* Call softirq on interrupt stack. Interrupts are off. */
ENTRY(call_softirq)
-@@ -1286,9 +1658,10 @@ ENTRY(call_softirq)
+@@ -1286,9 +1663,10 @@ ENTRY(call_softirq)
CFI_DEF_CFA_REGISTER rsp
CFI_ADJUST_CFA_OFFSET -8
decl PER_CPU_VAR(irq_count)
@@ -16448,7 +16498,7 @@ index 7d65133..27bce5b 100644
#ifdef CONFIG_XEN
zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1326,7 +1699,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
+@@ -1326,7 +1704,7 @@ ENTRY(xen_do_hypervisor_callback) # do_hypervisor_callback(struct *pt_regs)
decl PER_CPU_VAR(irq_count)
jmp error_exit
CFI_ENDPROC
@@ -16457,7 +16507,7 @@ index 7d65133..27bce5b 100644
/*
* Hypervisor uses this for application faults while it executes.
-@@ -1385,7 +1758,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1385,7 +1763,7 @@ ENTRY(xen_failsafe_callback)
SAVE_ALL
jmp error_exit
CFI_ENDPROC
@@ -16466,7 +16516,7 @@ index 7d65133..27bce5b 100644
apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1434,16 +1807,31 @@ ENTRY(paranoid_exit)
+@@ -1434,16 +1812,31 @@ ENTRY(paranoid_exit)
TRACE_IRQS_OFF_DEBUG
testl %ebx,%ebx /* swapgs needed? */
jnz paranoid_restore
@@ -16499,7 +16549,7 @@ index 7d65133..27bce5b 100644
jmp irq_return
paranoid_userspace:
GET_THREAD_INFO(%rcx)
-@@ -1472,7 +1860,7 @@ paranoid_schedule:
+@@ -1472,7 +1865,7 @@ paranoid_schedule:
TRACE_IRQS_OFF
jmp paranoid_userspace
CFI_ENDPROC
@@ -16508,7 +16558,7 @@ index 7d65133..27bce5b 100644
/*
* Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1499,12 +1887,13 @@ ENTRY(error_entry)
+@@ -1499,12 +1892,13 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -16523,7 +16573,7 @@ index 7d65133..27bce5b 100644
ret
/*
-@@ -1531,7 +1920,7 @@ bstep_iret:
+@@ -1531,7 +1925,7 @@ bstep_iret:
movq %rcx,RIP+8(%rsp)
jmp error_swapgs
CFI_ENDPROC
@@ -16532,7 +16582,7 @@ index 7d65133..27bce5b 100644
/* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1551,7 +1940,7 @@ ENTRY(error_exit)
+@@ -1551,7 +1945,7 @@ ENTRY(error_exit)
jnz retint_careful
jmp retint_swapgs
CFI_ENDPROC
@@ -16541,7 +16591,7 @@ index 7d65133..27bce5b 100644
/*
* Test if a given stack is an NMI stack or not.
-@@ -1609,9 +1998,11 @@ ENTRY(nmi)
+@@ -1609,9 +2003,11 @@ ENTRY(nmi)
* If %cs was not the kernel segment, then the NMI triggered in user
* space, which means it is definitely not nested.
*/
@@ -16554,7 +16604,7 @@ index 7d65133..27bce5b 100644
/*
* Check the special variable on the stack to see if NMIs are
* executing.
-@@ -1758,6 +2149,16 @@ end_repeat_nmi:
+@@ -1758,6 +2154,16 @@ end_repeat_nmi:
*/
call save_paranoid
DEFAULT_FRAME 0
@@ -16571,7 +16621,7 @@ index 7d65133..27bce5b 100644
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
movq $-1,%rsi
-@@ -1765,21 +2166,32 @@ end_repeat_nmi:
+@@ -1765,21 +2171,32 @@ end_repeat_nmi:
testl %ebx,%ebx /* swapgs needed? */
jnz nmi_restore
nmi_swapgs:
@@ -46919,6 +46969,18 @@ index c99163b..a11ad40 100644
res = next - LAST_INO_BATCH;
}
+diff --git a/fs/isofs/export.c b/fs/isofs/export.c
+index aa4356d..1d38044 100644
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -134,6 +134,7 @@ isofs_export_encode_fh(struct inode *inode,
+ len = 3;
+ fh32[0] = ei->i_iget5_block;
+ fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */
++ fh16[3] = 0; /* avoid leaking uninitialized data */
+ fh32[2] = inode->i_generation;
+ if (parent) {
+ struct iso_inode_info *eparent;
diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
index 4a6cf28..d3a29d3 100644
--- a/fs/jffs2/erase.c
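Review bot: `fh16[3] = 0;` closes the leak for the non-parent encoding only: the preceding store fills just the low 16 bits of `fh32[1]` through `fh16[2]`, so the high half of that word went to userspace with whatever the buffer held, and the new line zeroes exactly that slot. The `if (parent)` branch that follows writes further words, but its body lies outside this hunk, so whether it has a similar half-filled 32-bit word cannot be confirmed from here and deserves the same inspection. A more robust shape would zero the whole handle once before any field store (a `memset` over the final handle length), but that depends on how `*max_len` is validated earlier in the function, which is not visible. isofs_export_encode_fh starts before this hunk.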
@@ -49908,6 +49970,18 @@ index c175b4d..8f36a16 100644
u8 checksum = 0;
int i;
for (i = 0; i < sizeof(struct tag); ++i)
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 1802417..c31deb3 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -1279,6 +1279,7 @@ static int udf_encode_fh(struct inode *inode, __u32 *fh, int *lenp,
+ *lenp = 3;
+ fid->udf.block = location.logicalBlockNum;
+ fid->udf.partref = location.partitionReferenceNum;
++ fid->udf.parent_partref = 0;
+ fid->udf.generation = inode->i_generation;
+
+ if (parent) {
diff --git a/fs/utimes.c b/fs/utimes.c
index fa4dbe4..e12d1b9 100644
--- a/fs/utimes.c
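Review bot: `fid->udf.parent_partref = 0;` is added without a comment, and nothing in the hunk says why a parent field is written on the path that has no parent; presumably it shares the 3-word handle (`*lenp = 3`) with `block`, `partref` and `generation`, so it reaches userspace even for the parent-less encoding and must not carry stale bytes. I would write `fid->udf.parent_partref = 0; /* inside the 3-word handle even without a parent; must not leak uninitialized data */` so the store is not removed as dead later. The `if (parent)` branch and the rest of udf_encode_fh are outside this hunk.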
@@ -62371,7 +62445,7 @@ index 8185f57..7b2d222 100644
};
diff --git a/include/linux/init.h b/include/linux/init.h
-index 6b95109..bcbdd68 100644
+index 6b95109..7616d09 100644
--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -39,9 +39,15 @@
@@ -62418,22 +62492,6 @@ index 6b95109..bcbdd68 100644
#define __meminitdata __section(.meminit.data)
#define __meminitconst __section(.meminit.rodata)
#define __memexit __section(.memexit.text) __exitused __cold notrace
-@@ -294,13 +300,13 @@ void __init parse_early_options(char *cmdline);
-
- /* Each module must use one module_init(). */
- #define module_init(initfn) \
-- static inline initcall_t __inittest(void) \
-+ static inline __used initcall_t __inittest(void) \
- { return initfn; } \
- int init_module(void) __attribute__((alias(#initfn)));
-
- /* This is only required if you want to be unloadable. */
- #define module_exit(exitfn) \
-- static inline exitcall_t __exittest(void) \
-+ static inline __used exitcall_t __exittest(void) \
- { return exitfn; } \
- void cleanup_module(void) __attribute__((alias(#exitfn)));
-
diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 9e65eff..b131e8b 100644
--- a/include/linux/init_task.h
@@ -70525,18 +70583,6 @@ index 66ce414..6f0a0dd 100644
err_printk(dev, NULL, "DMA-API: device driver maps memory from"
"stack [addr=%p]\n", addr);
}
-diff --git a/lib/extable.c b/lib/extable.c
-index 4cac81e..4d66cfc 100644
---- a/lib/extable.c
-+++ b/lib/extable.c
-@@ -13,6 +13,7 @@
- #include <linux/init.h>
- #include <linux/sort.h>
- #include <asm/uaccess.h>
-+#include <asm/pgtable.h>
-
- #ifndef ARCH_HAS_SORT_EXTABLE
- /*
diff --git a/lib/inflate.c b/lib/inflate.c
index 013a761..c28f3fc 100644
--- a/lib/inflate.c
@@ -78991,6 +79037,18 @@ index ccfbd32..9b61cf9f 100644
}
}
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 44293b3..be1d3e58 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1413,6 +1413,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+ struct xfrm_user_tmpl *up = &vec[i];
+ struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
+
++ memset(up, 0, sizeof(*up));
+ memcpy(&up->id, &kp->id, sizeof(up->id));
+ up->family = kp->encap_family;
+ memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index ff1720d..ed8475e 100644
--- a/scripts/Makefile.build
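Review bot: The `memset(up, 0, sizeof(*up));` before the field-wise copy in copy_to_user_tmpl is the right shape, since it clears padding and any members the following stores leave untouched before the element is presumably emitted to userspace, but the new line has no comment and this hunk touches only this one site. I would add `memset(up, 0, sizeof(*up)); /* clear padding and unset members: this struct is exported to userspace */` and check the other copy_to_user_* helpers in xfrm_user.c that build user-visible structs field by field for the same issue, as they are not visible here. The loop and the rest of copy_to_user_tmpl start and end outside this hunk.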
@@ -79386,10 +79444,10 @@ index 5c11312..72742b5 100644
write_hex_cnt = 0;
for (i = 0; i < logo_clutsize; i++) {
diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..4349785 100644
+index e9c6ac7..58348f4 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,876 @@
+@@ -4,6 +4,888 @@
menu "Security options"
@@ -79975,6 +80033,10 @@ index e9c6ac7..4349785 100644
+ Select the method used to instrument function pointer dereferences.
+ Note that binary modules cannot be instrumented by this approach.
+
++ Note that the implementation requires a gcc with plugin support,
++ i.e., gcc 4.5 or newer. You may need to install the supporting
++ headers explicitly in addition to the normal gcc package.
++
+ config PAX_KERNEXEC_PLUGIN_METHOD_BTS
+ bool "bts"
+ help
@@ -80148,11 +80210,12 @@ index e9c6ac7..4349785 100644
+ and you are advised to test this feature on your expected workload
+ before deploying it.
+
-+ Note: full support for this feature requires gcc with plugin support
-+ so make sure your compiler is at least gcc 4.5.0. Using older gcc
-+ versions means that functions with large enough stack frames may
-+ leave uninitialized memory behind that may be exposed to a later
-+ syscall leaking the stack.
++ Note that the full feature requires a gcc with plugin support,
++ i.e., gcc 4.5 or newer. You may need to install the supporting
++ headers explicitly in addition to the normal gcc package. Using
++ older gcc versions means that functions with large enough stack
++ frames may leave uninitialized memory behind that may be exposed
++ to a later syscall leaking the stack.
+
+config PAX_MEMORY_UDEREF
+ bool "Prevent invalid userland pointer dereference"
@@ -80234,11 +80297,14 @@ index e9c6ac7..4349785 100644
+ arguments marked by a size_overflow attribute with double integer
+ precision (DImode/TImode for 32/64 bit integer types).
+
-+ The recomputed argument is checked against INT_MAX and an event
++ The recomputed argument is checked against TYPE_MAX and an event
+ is logged on overflow and the triggering process is killed.
+
-+ Homepage:
-+ http://www.grsecurity.net/~ephox/overflow_plugin/
++ Homepage: http://www.grsecurity.net/~ephox/overflow_plugin/
++
++ Note that the implementation requires a gcc with plugin support,
++ i.e., gcc 4.5 or newer. You may need to install the supporting
++ headers explicitly in addition to the normal gcc package.
+
+config PAX_LATENT_ENTROPY
+ bool "Generate some entropy during boot"
@@ -80250,6 +80316,10 @@ index e9c6ac7..4349785 100644
+ there is little 'natural' source of entropy normally. The cost
+ is some slowdown of the boot process.
+
++ Note that the implementation requires a gcc with plugin support,
++ i.e., gcc 4.5 or newer. You may need to install the supporting
++ headers explicitly in addition to the normal gcc package.
++
+ Note that entropy extracted this way is not cryptographically
+ secure!
+
@@ -80266,7 +80336,7 @@ index e9c6ac7..4349785 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +973,7 @@ config INTEL_TXT
+@@ -103,7 +985,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX