authorAnthony G. Basile <blueness@gentoo.org>2011-08-26 08:33:16 -0400
committerAnthony G. Basile <blueness@gentoo.org>2011-08-26 08:33:16 -0400
commitd76ce4b3334f86cde43185da95b542aa906cde5c (patch)
tree4a65620f891bbe3ffa1193a84755da09d911374d
parentEOL 2.6.39 (diff)
Grsec/PaX: 2.2.2-2.6.32.45-201108251825 + 2.2.2-3.0.3-20110825182520110825
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108251825.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108241901.patch)147
-rw-r--r--2.6.32/4423_grsec-remove-protected-paths.patch2
-rw-r--r--2.6.32/4430_grsec-kconfig-default-gids.patch6
-rw-r--r--2.6.32/4440_selinux-avc_audit-log-curr_ip.patch2
-rw-r--r--3.0.3/0000_README2
-rw-r--r--3.0.3/4420_grsecurity-2.2.2-3.0.3-201108251825.patch (renamed from 3.0.3/4420_grsecurity-2.2.2-3.0.3-201108241901.patch)408
-rw-r--r--3.0.3/4425_grsec-pax-without-grsec.patch6
-rw-r--r--3.0.3/4430_grsec-kconfig-default-gids.patch14
-rw-r--r--3.0.3/4435_grsec-kconfig-gentoo.patch2
-rw-r--r--3.0.3/4437-grsec-kconfig-proc-user.patch4
-rw-r--r--3.0.3/4440_selinux-avc_audit-log-curr_ip.patch2
12 files changed, 390 insertions, 207 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 7e4facf..75f57cf 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -11,7 +11,7 @@ Patch: 1044_linux-2.6.32.45.patch
From: http://www.kernel.org
Desc: Linux 2.6.39.45
-Patch: 4420_grsecurity-2.2.2-2.6.32.45-201108241901.patch
+Patch: 4420_grsecurity-2.2.2-2.6.32.45-201108251825.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108241901.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108251825.patch
index 04d05d6..9336af8 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108241901.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.45-201108251825.patch
@@ -6754,7 +6754,7 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32_aout.c linux-2.6.32.45/arch/x86/ia
return has_dumped;
diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia32/ia32entry.S
--- linux-2.6.32.45/arch/x86/ia32/ia32entry.S 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.45/arch/x86/ia32/ia32entry.S 2011-06-04 20:29:52.000000000 -0400
++++ linux-2.6.32.45/arch/x86/ia32/ia32entry.S 2011-08-25 17:42:18.000000000 -0400
@@ -13,6 +13,7 @@
#include <asm/thread_info.h>
#include <asm/segment.h>
@@ -6763,7 +6763,7 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia
#include <linux/linkage.h>
/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
-@@ -93,6 +94,30 @@ ENTRY(native_irq_enable_sysexit)
+@@ -93,6 +94,29 @@ ENTRY(native_irq_enable_sysexit)
ENDPROC(native_irq_enable_sysexit)
#endif
@@ -6782,7 +6782,6 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia
+ call pax_randomize_kstack
+ popq %rax
+#endif
-+ pax_erase_kstack
+ .endm
+
+.macro pax_erase_kstack
@@ -6794,7 +6793,7 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia
/*
* 32bit SYSENTER instruction entry.
*
-@@ -119,7 +144,7 @@ ENTRY(ia32_sysenter_target)
+@@ -119,7 +143,7 @@ ENTRY(ia32_sysenter_target)
CFI_REGISTER rsp,rbp
SWAPGS_UNSAFE_STACK
movq PER_CPU_VAR(kernel_stack), %rsp
@@ -6803,7 +6802,7 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia
/*
* No need to follow this irqs on/off section: the syscall
* disabled irqs, here we enable it straight after entry:
-@@ -135,7 +160,8 @@ ENTRY(ia32_sysenter_target)
+@@ -135,7 +159,8 @@ ENTRY(ia32_sysenter_target)
pushfq
CFI_ADJUST_CFA_OFFSET 8
/*CFI_REL_OFFSET rflags,0*/
@@ -6813,7 +6812,7 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia
CFI_REGISTER rip,r10
pushq $__USER32_CS
CFI_ADJUST_CFA_OFFSET 8
-@@ -150,6 +176,12 @@ ENTRY(ia32_sysenter_target)
+@@ -150,6 +175,12 @@ ENTRY(ia32_sysenter_target)
SAVE_ARGS 0,0,1
/* no need to do an access_ok check here because rbp has been
32bit zero extended */
@@ -6826,11 +6825,12 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia
1: movl (%rbp),%ebp
.section __ex_table,"a"
.quad 1b,ia32_badarg
-@@ -172,6 +204,7 @@ sysenter_dispatch:
+@@ -172,6 +203,8 @@ sysenter_dispatch:
testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
jnz sysexit_audit
sysexit_from_sys_call:
+ pax_exit_kernel_user
++ pax_erase_kstack
andl $~TS_COMPAT,TI_status(%r10)
/* clear IF, that popfq doesn't enable interrupts early */
andl $~0x200,EFLAGS-R11(%rsp)
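Review bot: `pax_erase_kstack` is now written out by hand after `pax_exit_kernel_user` at `sysexit_from_sys_call`, having been dropped from a macro body that ends at `.endm` in an earlier hunk, so any return-to-user path that is not edited this way skips the stack erase silently. A comment at the call site would make the pairing rule explicit, e.g. `/* STACKLEAK: every return-to-user exit must run pax_erase_kstack after pax_exit_kernel_user */`. The same pair is added at `sysretl_from_sys_call`, `sysret_check` and `retint_swapgs` in this patch and in the 3.0.3 counterpart. Whether the remaining exits (for example the audit and ptrace slow paths) all funnel into one of these labels cannot be confirmed from the hunks shown, and the code around the label continues outside this hunk.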
@@ -6894,15 +6894,16 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia
1: movl (%r8),%r9d
.section __ex_table,"a"
.quad 1b,ia32_badarg
-@@ -333,6 +383,7 @@ cstar_dispatch:
+@@ -333,6 +383,8 @@ cstar_dispatch:
testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
jnz sysretl_audit
sysretl_from_sys_call:
+ pax_exit_kernel_user
++ pax_erase_kstack
andl $~TS_COMPAT,TI_status(%r10)
RESTORE_ARGS 1,-ARG_SKIP,1,1,1
movl RIP-ARGOFFSET(%rsp),%ecx
-@@ -370,6 +421,9 @@ cstar_tracesys:
+@@ -370,6 +422,9 @@ cstar_tracesys:
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -6912,7 +6913,7 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia
LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
RESTORE_REST
xchgl %ebp,%r9d
-@@ -415,6 +469,7 @@ ENTRY(ia32_syscall)
+@@ -415,6 +470,7 @@ ENTRY(ia32_syscall)
CFI_REL_OFFSET rip,RIP-RIP
PARAVIRT_ADJUST_EXCEPTION_FRAME
SWAPGS
@@ -6920,7 +6921,7 @@ diff -urNp linux-2.6.32.45/arch/x86/ia32/ia32entry.S linux-2.6.32.45/arch/x86/ia
/*
* No need to follow this irqs on/off section: the syscall
* disabled irqs and here we enable it straight after entry:
-@@ -448,6 +503,9 @@ ia32_tracesys:
+@@ -448,6 +504,9 @@ ia32_tracesys:
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -13756,7 +13757,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_32.S linux-2.6.32.45/arch/x86/k
CFI_ADJUST_CFA_OFFSET -24
diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/kernel/entry_64.S
--- linux-2.6.32.45/arch/x86/kernel/entry_64.S 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.45/arch/x86/kernel/entry_64.S 2011-08-23 20:24:19.000000000 -0400
++++ linux-2.6.32.45/arch/x86/kernel/entry_64.S 2011-08-25 17:42:18.000000000 -0400
@@ -53,6 +53,7 @@
#include <asm/paravirt.h>
#include <asm/ftrace.h>
@@ -13765,7 +13766,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
#include <linux/elf-em.h>
-@@ -174,6 +175,257 @@ ENTRY(native_usergs_sysret64)
+@@ -174,6 +175,262 @@ ENTRY(native_usergs_sysret64)
ENDPROC(native_usergs_sysret64)
#endif /* CONFIG_PARAVIRT */
@@ -13862,7 +13863,6 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
+ call pax_randomize_kstack
+ pop %rax
+#endif
-+ pax_erase_kstack
+ .endm
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
@@ -14008,6 +14008,12 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
+2: cld
+ mov %esp, %ecx
+ sub %edi, %ecx
++
++ cmp $THREAD_SIZE_asm, %rcx
++ jb 3f
++ ud2
++3:
++
+ shr $3, %ecx
+ rep stosq
+
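Review bot: The new guard compares the 64-bit `%rcx`, while the length is computed with 32-bit operations (`mov %esp, %ecx`, `sub %edi, %ecx`) and consumed as `%ecx` by `shr $3, %ecx`; it is correct only because a 32-bit write zero-extends into `%rcx`, and nothing states that dependency. Either compare `%ecx` so the widths are uniform, or add a comment above the check such as `/* ecx = bytes to erase, zero-extended into rcx; THREAD_SIZE or more (including the wrap when edi > esp) cannot lie inside one thread stack, so trap before rep stosq */`. The identical lines are added to the 3.0.3 patch in the `@@ -11994,6 +11990,12 @@` hunk, so the comment belongs in both. The enclosing erase routine starts and ends outside this hunk.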
@@ -14023,7 +14029,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
.macro TRACE_IRQS_IRETQ offset=ARGOFFSET
#ifdef CONFIG_TRACE_IRQFLAGS
-@@ -317,7 +569,7 @@ ENTRY(save_args)
+@@ -317,7 +574,7 @@ ENTRY(save_args)
leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
movq_cfi rbp, 8 /* push %rbp */
leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
@@ -14032,7 +14038,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
je 1f
SWAPGS
/*
-@@ -409,7 +661,7 @@ ENTRY(ret_from_fork)
+@@ -409,7 +666,7 @@ ENTRY(ret_from_fork)
RESTORE_REST
@@ -14041,7 +14047,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
je int_ret_from_sys_call
testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
-@@ -455,7 +707,7 @@ END(ret_from_fork)
+@@ -455,7 +712,7 @@ END(ret_from_fork)
ENTRY(system_call)
CFI_STARTPROC simple
CFI_SIGNAL_FRAME
@@ -14050,7 +14056,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
CFI_REGISTER rip,rcx
/*CFI_REGISTER rflags,r11*/
SWAPGS_UNSAFE_STACK
-@@ -468,12 +720,13 @@ ENTRY(system_call_after_swapgs)
+@@ -468,12 +725,13 @@ ENTRY(system_call_after_swapgs)
movq %rsp,PER_CPU_VAR(old_rsp)
movq PER_CPU_VAR(kernel_stack),%rsp
@@ -14065,15 +14071,16 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
movq %rcx,RIP-ARGOFFSET(%rsp)
CFI_REL_OFFSET rip,RIP-ARGOFFSET
-@@ -502,6 +755,7 @@ sysret_check:
+@@ -502,6 +760,8 @@ sysret_check:
andl %edi,%edx
jnz sysret_careful
CFI_REMEMBER_STATE
+ pax_exit_kernel_user
++ pax_erase_kstack
/*
* sysretq will re-enable interrupts:
*/
-@@ -562,6 +816,9 @@ auditsys:
+@@ -562,6 +822,9 @@ auditsys:
movq %rax,%rsi /* 2nd arg: syscall number */
movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
call audit_syscall_entry
@@ -14083,7 +14090,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
LOAD_ARGS 0 /* reload call-clobbered registers */
jmp system_call_fastpath
-@@ -592,6 +849,9 @@ tracesys:
+@@ -592,6 +855,9 @@ tracesys:
FIXUP_TOP_OF_STACK %rdi
movq %rsp,%rdi
call syscall_trace_enter
@@ -14093,7 +14100,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
/*
* Reload arg registers from stack in case ptrace changed them.
* We don't reload %rax because syscall_trace_enter() returned
-@@ -613,7 +873,7 @@ tracesys:
+@@ -613,7 +879,7 @@ tracesys:
GLOBAL(int_ret_from_sys_call)
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
@@ -14102,7 +14109,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
je retint_restore_args
movl $_TIF_ALLWORK_MASK,%edi
/* edi: mask to check */
-@@ -800,6 +1060,16 @@ END(interrupt)
+@@ -800,6 +1066,16 @@ END(interrupt)
CFI_ADJUST_CFA_OFFSET 10*8
call save_args
PARTIAL_FRAME 0
@@ -14119,7 +14126,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
call \func
.endm
-@@ -822,7 +1092,7 @@ ret_from_intr:
+@@ -822,7 +1098,7 @@ ret_from_intr:
CFI_ADJUST_CFA_OFFSET -8
exit_intr:
GET_THREAD_INFO(%rcx)
@@ -14128,11 +14135,12 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
je retint_kernel
/* Interrupt came from user space */
-@@ -844,12 +1114,14 @@ retint_swapgs: /* return to user-space
+@@ -844,12 +1120,15 @@ retint_swapgs: /* return to user-space
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel_user
++ pax_erase_kstack
TRACE_IRQS_IRETQ
SWAPGS
jmp restore_args
@@ -14143,7 +14151,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
/*
* The iretq could re-enable interrupts:
*/
-@@ -1032,6 +1304,16 @@ ENTRY(\sym)
+@@ -1032,6 +1311,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET 15*8
call error_entry
DEFAULT_FRAME 0
@@ -14160,7 +14168,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
call \do_sym
-@@ -1049,6 +1331,16 @@ ENTRY(\sym)
+@@ -1049,6 +1338,16 @@ ENTRY(\sym)
subq $15*8, %rsp
call save_paranoid
TRACE_IRQS_OFF
@@ -14177,7 +14185,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
call \do_sym
-@@ -1066,9 +1358,24 @@ ENTRY(\sym)
+@@ -1066,9 +1365,24 @@ ENTRY(\sym)
subq $15*8, %rsp
call save_paranoid
TRACE_IRQS_OFF
@@ -14203,7 +14211,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
call \do_sym
addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
-@@ -1085,6 +1392,16 @@ ENTRY(\sym)
+@@ -1085,6 +1399,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET 15*8
call error_entry
DEFAULT_FRAME 0
@@ -14220,7 +14228,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
movq %rsp,%rdi /* pt_regs pointer */
movq ORIG_RAX(%rsp),%rsi /* get error code */
movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
-@@ -1104,6 +1421,16 @@ ENTRY(\sym)
+@@ -1104,6 +1428,16 @@ ENTRY(\sym)
call save_paranoid
DEFAULT_FRAME 0
TRACE_IRQS_OFF
@@ -14237,7 +14245,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
movq %rsp,%rdi /* pt_regs pointer */
movq ORIG_RAX(%rsp),%rsi /* get error code */
movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
-@@ -1405,14 +1732,27 @@ ENTRY(paranoid_exit)
+@@ -1405,14 +1739,27 @@ ENTRY(paranoid_exit)
TRACE_IRQS_OFF
testl %ebx,%ebx /* swapgs needed? */
jnz paranoid_restore
@@ -14266,7 +14274,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
TRACE_IRQS_IRETQ 0
RESTORE_ALL 8
jmp irq_return
-@@ -1470,7 +1810,7 @@ ENTRY(error_entry)
+@@ -1470,7 +1817,7 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -14275,7 +14283,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
je error_kernelspace
error_swapgs:
SWAPGS
-@@ -1529,6 +1869,16 @@ ENTRY(nmi)
+@@ -1529,6 +1876,16 @@ ENTRY(nmi)
CFI_ADJUST_CFA_OFFSET 15*8
call save_paranoid
DEFAULT_FRAME 0
@@ -14292,7 +14300,7 @@ diff -urNp linux-2.6.32.45/arch/x86/kernel/entry_64.S linux-2.6.32.45/arch/x86/k
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
movq $-1,%rsi
-@@ -1539,11 +1889,25 @@ ENTRY(nmi)
+@@ -1539,11 +1896,25 @@ ENTRY(nmi)
DISABLE_INTERRUPTS(CLBR_NONE)
testl %ebx,%ebx /* swapgs needed? */
jnz nmi_restore
@@ -40036,9 +40044,41 @@ diff -urNp linux-2.6.32.45/fs/cifs/cifs_debug.c linux-2.6.32.45/fs/cifs/cifs_deb
}
}
}
+diff -urNp linux-2.6.32.45/fs/cifs/cifsfs.c linux-2.6.32.45/fs/cifs/cifsfs.c
+--- linux-2.6.32.45/fs/cifs/cifsfs.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/fs/cifs/cifsfs.c 2011-08-25 17:17:57.000000000 -0400
+@@ -869,7 +869,7 @@ cifs_init_request_bufs(void)
+ cifs_req_cachep = kmem_cache_create("cifs_request",
+ CIFSMaxBufSize +
+ MAX_CIFS_HDR_SIZE, 0,
+- SLAB_HWCACHE_ALIGN, NULL);
++ SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
+ if (cifs_req_cachep == NULL)
+ return -ENOMEM;
+
+@@ -896,7 +896,7 @@ cifs_init_request_bufs(void)
+ efficient to alloc 1 per page off the slab compared to 17K (5page)
+ alloc of large cifs buffers even when page debugging is on */
+ cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
+- MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
++ MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
+ NULL);
+ if (cifs_sm_req_cachep == NULL) {
+ mempool_destroy(cifs_req_poolp);
+@@ -991,8 +991,8 @@ init_cifs(void)
+ atomic_set(&bufAllocCount, 0);
+ atomic_set(&smBufAllocCount, 0);
+ #ifdef CONFIG_CIFS_STATS2
+- atomic_set(&totBufAllocCount, 0);
+- atomic_set(&totSmBufAllocCount, 0);
++ atomic_set_unchecked(&totBufAllocCount, 0);
++ atomic_set_unchecked(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
+
+ atomic_set(&midCount, 0);
diff -urNp linux-2.6.32.45/fs/cifs/cifsglob.h linux-2.6.32.45/fs/cifs/cifsglob.h
--- linux-2.6.32.45/fs/cifs/cifsglob.h 2011-08-09 18:35:29.000000000 -0400
-+++ linux-2.6.32.45/fs/cifs/cifsglob.h 2011-08-09 18:34:00.000000000 -0400
++++ linux-2.6.32.45/fs/cifs/cifsglob.h 2011-08-25 17:17:57.000000000 -0400
@@ -252,28 +252,28 @@ struct cifsTconInfo {
__u16 Flags; /* optional support bits */
enum statusEnum tidStatus;
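Review bot: Both `kmem_cache_create()` calls in `cifs_init_request_bufs()` gain `SLAB_USERCOPY` with no indication of which code path copies these request buffers to or from user space. The flag presumably marks the whole cache as a permitted source and target for user copies under PAX_USERCOPY, so each use deserves a justification beside it, e.g. `/* SLAB_USERCOPY: <caller, to be filled in> copies SMB payload directly between this buffer and user memory */`. Without that, a later reader cannot tell whether the exemption is still needed or could be narrowed. The function body continues outside the lines shown here.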
@@ -40099,6 +40139,17 @@ diff -urNp linux-2.6.32.45/fs/cifs/cifsglob.h linux-2.6.32.45/fs/cifs/cifsglob.h
static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
unsigned int bytes)
+@@ -701,8 +701,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
+ /* Various Debug counters */
+ GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
+ #ifdef CONFIG_CIFS_STATS2
+-GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
+-GLOBAL_EXTERN atomic_t totSmBufAllocCount;
++GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
++GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
+ #endif
+ GLOBAL_EXTERN atomic_t smBufAllocCount;
+ GLOBAL_EXTERN atomic_t midCount;
diff -urNp linux-2.6.32.45/fs/cifs/link.c linux-2.6.32.45/fs/cifs/link.c
--- linux-2.6.32.45/fs/cifs/link.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.45/fs/cifs/link.c 2011-04-17 15:56:46.000000000 -0400
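Review bot: `totBufAllocCount` and `totSmBufAllocCount` change type to `atomic_unchecked_t` here, but the only converted accessors visible in this commit are the `atomic_set`/`atomic_inc` writers in cifsfs.c and misc.c; any reader of these counters, which this page does not show, needs `atomic_read_unchecked()` as well. A build with `CONFIG_CIFS_STATS2` enabled would confirm nothing was missed. A comment on the declarations, e.g. `/* statistics only, may wrap: exempt from refcount overflow checking */`, would record why these two are unchecked while `bufAllocCount` and `smBufAllocCount` stay `atomic_t`.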
@@ -40111,6 +40162,27 @@ diff -urNp linux-2.6.32.45/fs/cifs/link.c linux-2.6.32.45/fs/cifs/link.c
if (!IS_ERR(p))
kfree(p);
}
+diff -urNp linux-2.6.32.45/fs/cifs/misc.c linux-2.6.32.45/fs/cifs/misc.c
+--- linux-2.6.32.45/fs/cifs/misc.c 2011-03-27 14:31:47.000000000 -0400
++++ linux-2.6.32.45/fs/cifs/misc.c 2011-08-25 17:17:57.000000000 -0400
+@@ -155,7 +155,7 @@ cifs_buf_get(void)
+ memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
+ atomic_inc(&bufAllocCount);
+ #ifdef CONFIG_CIFS_STATS2
+- atomic_inc(&totBufAllocCount);
++ atomic_inc_unchecked(&totBufAllocCount);
+ #endif /* CONFIG_CIFS_STATS2 */
+ }
+
+@@ -190,7 +190,7 @@ cifs_small_buf_get(void)
+ /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
+ atomic_inc(&smBufAllocCount);
+ #ifdef CONFIG_CIFS_STATS2
+- atomic_inc(&totSmBufAllocCount);
++ atomic_inc_unchecked(&totSmBufAllocCount);
+ #endif /* CONFIG_CIFS_STATS2 */
+
+ }
diff -urNp linux-2.6.32.45/fs/coda/cache.c linux-2.6.32.45/fs/coda/cache.c
--- linux-2.6.32.45/fs/coda/cache.c 2011-03-27 14:31:47.000000000 -0400
+++ linux-2.6.32.45/fs/coda/cache.c 2011-05-04 17:56:28.000000000 -0400
@@ -58473,8 +58545,8 @@ diff -urNp linux-2.6.32.45/include/linux/grinternal.h linux-2.6.32.45/include/li
+#endif
diff -urNp linux-2.6.32.45/include/linux/grmsg.h linux-2.6.32.45/include/linux/grmsg.h
--- linux-2.6.32.45/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.45/include/linux/grmsg.h 2011-04-17 15:56:46.000000000 -0400
-@@ -0,0 +1,108 @@
++++ linux-2.6.32.45/include/linux/grmsg.h 2011-08-25 17:28:11.000000000 -0400
+@@ -0,0 +1,107 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -58508,7 +58580,6 @@ diff -urNp linux-2.6.32.45/include/linux/grmsg.h linux-2.6.32.45/include/linux/g
+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
-+#define GR_NPROC_MSG "denied overstep of process limit by "
+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
diff --git a/2.6.32/4423_grsec-remove-protected-paths.patch b/2.6.32/4423_grsec-remove-protected-paths.patch
index 1dd1ffb..da4c861 100644
--- a/2.6.32/4423_grsec-remove-protected-paths.patch
+++ b/2.6.32/4423_grsec-remove-protected-paths.patch
@@ -5,7 +5,7 @@ paths in the filesystem.
--- a/grsecurity/Makefile 2010-05-21 06:52:24.000000000 -0400
+++ b/grsecurity/Makefile 2010-05-21 06:54:54.000000000 -0400
-@@ -26,8 +26,8 @@
+@@ -27,8 +27,8 @@
ifdef CONFIG_GRKERNSEC_HIDESYM
extra-y := grsec_hidesym.o
$(obj)/grsec_hidesym.o:
diff --git a/2.6.32/4430_grsec-kconfig-default-gids.patch b/2.6.32/4430_grsec-kconfig-default-gids.patch
index e77d871..b173bab 100644
--- a/2.6.32/4430_grsec-kconfig-default-gids.patch
+++ b/2.6.32/4430_grsec-kconfig-default-gids.patch
@@ -48,7 +48,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -914,7 +914,7 @@
+@@ -916,7 +916,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -57,7 +57,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -935,7 +935,7 @@
+@@ -937,7 +937,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -66,7 +66,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -953,7 +953,7 @@
+@@ -955,7 +955,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
index feb171c..b582401 100644
--- a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
--- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
+++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
-@@ -1265,6 +1265,27 @@
+@@ -1267,6 +1267,27 @@
menu "Logging Options"
depends on GRKERNSEC
diff --git a/3.0.3/0000_README b/3.0.3/0000_README
index de82649..b76e6ac 100644
--- a/3.0.3/0000_README
+++ b/3.0.3/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-3.0.3-201108241901.patch
+Patch: 4420_grsecurity-2.2.2-3.0.3-201108251825.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.0.3/4420_grsecurity-2.2.2-3.0.3-201108241901.patch b/3.0.3/4420_grsecurity-2.2.2-3.0.3-201108251825.patch
index a30bf0f..04ec669 100644
--- a/3.0.3/4420_grsecurity-2.2.2-3.0.3-201108241901.patch
+++ b/3.0.3/4420_grsecurity-2.2.2-3.0.3-201108251825.patch
@@ -5603,7 +5603,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32_aout.c linux-3.0.3/arch/x86/ia32/ia32_
has_dumped = 1;
diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32entry.S
--- linux-3.0.3/arch/x86/ia32/ia32entry.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/arch/x86/ia32/ia32entry.S 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/arch/x86/ia32/ia32entry.S 2011-08-25 17:36:37.000000000 -0400
@@ -13,6 +13,7 @@
#include <asm/thread_info.h>
#include <asm/segment.h>
@@ -5612,7 +5612,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
#include <linux/linkage.h>
/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
-@@ -95,6 +96,32 @@ ENTRY(native_irq_enable_sysexit)
+@@ -95,6 +96,29 @@ ENTRY(native_irq_enable_sysexit)
ENDPROC(native_irq_enable_sysexit)
#endif
@@ -5631,9 +5631,6 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
+ call pax_randomize_kstack
+ popq %rax
+#endif
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
-+ call pax_erase_kstack
-+#endif
+ .endm
+
+ .macro pax_erase_kstack
@@ -5645,7 +5642,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
/*
* 32bit SYSENTER instruction entry.
*
-@@ -121,7 +148,7 @@ ENTRY(ia32_sysenter_target)
+@@ -121,7 +145,7 @@ ENTRY(ia32_sysenter_target)
CFI_REGISTER rsp,rbp
SWAPGS_UNSAFE_STACK
movq PER_CPU_VAR(kernel_stack), %rsp
@@ -5654,7 +5651,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
/*
* No need to follow this irqs on/off section: the syscall
* disabled irqs, here we enable it straight after entry:
-@@ -134,7 +161,8 @@ ENTRY(ia32_sysenter_target)
+@@ -134,7 +158,8 @@ ENTRY(ia32_sysenter_target)
CFI_REL_OFFSET rsp,0
pushfq_cfi
/*CFI_REL_OFFSET rflags,0*/
@@ -5664,7 +5661,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
CFI_REGISTER rip,r10
pushq_cfi $__USER32_CS
/*CFI_REL_OFFSET cs,0*/
-@@ -146,6 +174,12 @@ ENTRY(ia32_sysenter_target)
+@@ -146,6 +171,12 @@ ENTRY(ia32_sysenter_target)
SAVE_ARGS 0,0,1
/* no need to do an access_ok check here because rbp has been
32bit zero extended */
@@ -5677,15 +5674,16 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
1: movl (%rbp),%ebp
.section __ex_table,"a"
.quad 1b,ia32_badarg
-@@ -168,6 +202,7 @@ sysenter_dispatch:
+@@ -168,6 +199,8 @@ sysenter_dispatch:
testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
jnz sysexit_audit
sysexit_from_sys_call:
+ pax_exit_kernel_user
++ pax_erase_kstack
andl $~TS_COMPAT,TI_status(%r10)
/* clear IF, that popfq doesn't enable interrupts early */
andl $~0x200,EFLAGS-R11(%rsp)
-@@ -194,6 +229,9 @@ sysexit_from_sys_call:
+@@ -194,6 +227,9 @@ sysexit_from_sys_call:
movl %eax,%esi /* 2nd arg: syscall number */
movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
call audit_syscall_entry
@@ -5695,7 +5693,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
cmpq $(IA32_NR_syscalls-1),%rax
ja ia32_badsys
-@@ -246,6 +284,9 @@ sysenter_tracesys:
+@@ -246,6 +282,9 @@ sysenter_tracesys:
movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -5705,7 +5703,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
cmpq $(IA32_NR_syscalls-1),%rax
-@@ -277,19 +318,24 @@ ENDPROC(ia32_sysenter_target)
+@@ -277,19 +316,24 @@ ENDPROC(ia32_sysenter_target)
ENTRY(ia32_cstar_target)
CFI_STARTPROC32 simple
CFI_SIGNAL_FRAME
@@ -5732,7 +5730,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
movl %eax,%eax /* zero extension */
movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
movq %rcx,RIP-ARGOFFSET(%rsp)
-@@ -305,6 +351,12 @@ ENTRY(ia32_cstar_target)
+@@ -305,6 +349,12 @@ ENTRY(ia32_cstar_target)
/* no need to do an access_ok check here because r8 has been
32bit zero extended */
/* hardware stack frame is complete now */
@@ -5745,15 +5743,16 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
1: movl (%r8),%r9d
.section __ex_table,"a"
.quad 1b,ia32_badarg
-@@ -327,6 +379,7 @@ cstar_dispatch:
+@@ -327,6 +377,8 @@ cstar_dispatch:
testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
jnz sysretl_audit
sysretl_from_sys_call:
+ pax_exit_kernel_user
++ pax_erase_kstack
andl $~TS_COMPAT,TI_status(%r10)
RESTORE_ARGS 1,-ARG_SKIP,1,1,1
movl RIP-ARGOFFSET(%rsp),%ecx
-@@ -364,6 +417,9 @@ cstar_tracesys:
+@@ -364,6 +416,9 @@ cstar_tracesys:
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -5763,7 +5762,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
RESTORE_REST
xchgl %ebp,%r9d
-@@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
+@@ -409,6 +464,7 @@ ENTRY(ia32_syscall)
CFI_REL_OFFSET rip,RIP-RIP
PARAVIRT_ADJUST_EXCEPTION_FRAME
SWAPGS
@@ -5771,7 +5770,7 @@ diff -urNp linux-3.0.3/arch/x86/ia32/ia32entry.S linux-3.0.3/arch/x86/ia32/ia32e
/*
* No need to follow this irqs on/off section: the syscall
* disabled irqs and here we enable it straight after entry:
-@@ -441,6 +498,9 @@ ia32_tracesys:
+@@ -441,6 +497,9 @@ ia32_tracesys:
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter
@@ -11740,7 +11739,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_32.S linux-3.0.3/arch/x86/kernel/en
CFI_ADJUST_CFA_OFFSET -24
diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/entry_64.S
--- linux-3.0.3/arch/x86/kernel/entry_64.S 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/arch/x86/kernel/entry_64.S 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/arch/x86/kernel/entry_64.S 2011-08-25 17:38:59.000000000 -0400
@@ -53,6 +53,7 @@
#include <asm/paravirt.h>
#include <asm/ftrace.h>
@@ -11749,7 +11748,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
#include <linux/elf-em.h>
-@@ -176,6 +177,259 @@ ENTRY(native_usergs_sysret64)
+@@ -176,6 +177,262 @@ ENTRY(native_usergs_sysret64)
ENDPROC(native_usergs_sysret64)
#endif /* CONFIG_PARAVIRT */
@@ -11846,9 +11845,6 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
+ call pax_randomize_kstack
+ pop %rax
+#endif
-+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
-+ call pax_erase_kstack
-+#endif
+ .endm
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
@@ -11994,6 +11990,12 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
+2: cld
+ mov %esp, %ecx
+ sub %edi, %ecx
++
++ cmp $THREAD_SIZE_asm, %rcx
++ jb 3f
++ ud2
++3:
++
+ shr $3, %ecx
+ rep stosq
+
@@ -12009,7 +12011,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
.macro TRACE_IRQS_IRETQ offset=ARGOFFSET
#ifdef CONFIG_TRACE_IRQFLAGS
-@@ -318,7 +572,7 @@ ENTRY(save_args)
+@@ -318,7 +575,7 @@ ENTRY(save_args)
leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
movq_cfi rbp, 8 /* push %rbp */
leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
@@ -12018,7 +12020,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
je 1f
SWAPGS
/*
-@@ -409,7 +663,7 @@ ENTRY(ret_from_fork)
+@@ -409,7 +666,7 @@ ENTRY(ret_from_fork)
RESTORE_REST
@@ -12027,7 +12029,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
je int_ret_from_sys_call
testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
-@@ -455,7 +709,7 @@ END(ret_from_fork)
+@@ -455,7 +712,7 @@ END(ret_from_fork)
ENTRY(system_call)
CFI_STARTPROC simple
CFI_SIGNAL_FRAME
@@ -12036,7 +12038,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
CFI_REGISTER rip,rcx
/*CFI_REGISTER rflags,r11*/
SWAPGS_UNSAFE_STACK
-@@ -468,12 +722,13 @@ ENTRY(system_call_after_swapgs)
+@@ -468,12 +725,13 @@ ENTRY(system_call_after_swapgs)
movq %rsp,PER_CPU_VAR(old_rsp)
movq PER_CPU_VAR(kernel_stack),%rsp
@@ -12051,15 +12053,16 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
movq %rcx,RIP-ARGOFFSET(%rsp)
CFI_REL_OFFSET rip,RIP-ARGOFFSET
-@@ -502,6 +757,7 @@ sysret_check:
+@@ -502,6 +760,8 @@ sysret_check:
andl %edi,%edx
jnz sysret_careful
CFI_REMEMBER_STATE
+ pax_exit_kernel_user
++ pax_erase_kstack
/*
* sysretq will re-enable interrupts:
*/
-@@ -560,6 +816,9 @@ auditsys:
+@@ -560,6 +820,9 @@ auditsys:
movq %rax,%rsi /* 2nd arg: syscall number */
movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
call audit_syscall_entry
@@ -12069,7 +12072,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
LOAD_ARGS 0 /* reload call-clobbered registers */
jmp system_call_fastpath
-@@ -590,6 +849,9 @@ tracesys:
+@@ -590,6 +853,9 @@ tracesys:
FIXUP_TOP_OF_STACK %rdi
movq %rsp,%rdi
call syscall_trace_enter
@@ -12079,7 +12082,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
/*
* Reload arg registers from stack in case ptrace changed them.
* We don't reload %rax because syscall_trace_enter() returned
-@@ -611,7 +873,7 @@ tracesys:
+@@ -611,7 +877,7 @@ tracesys:
GLOBAL(int_ret_from_sys_call)
DISABLE_INTERRUPTS(CLBR_NONE)
TRACE_IRQS_OFF
@@ -12088,7 +12091,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
je retint_restore_args
movl $_TIF_ALLWORK_MASK,%edi
/* edi: mask to check */
-@@ -793,6 +1055,16 @@ END(interrupt)
+@@ -793,6 +1059,16 @@ END(interrupt)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
call save_args
PARTIAL_FRAME 0
@@ -12105,7 +12108,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
call \func
.endm
-@@ -825,7 +1097,7 @@ ret_from_intr:
+@@ -825,7 +1101,7 @@ ret_from_intr:
CFI_ADJUST_CFA_OFFSET -8
exit_intr:
GET_THREAD_INFO(%rcx)
@@ -12114,11 +12117,12 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
je retint_kernel
/* Interrupt came from user space */
-@@ -847,12 +1119,14 @@ retint_swapgs: /* return to user-space
+@@ -847,12 +1123,15 @@ retint_swapgs: /* return to user-space
* The iretq could re-enable interrupts:
*/
DISABLE_INTERRUPTS(CLBR_ANY)
+ pax_exit_kernel_user
++ pax_erase_kstack
TRACE_IRQS_IRETQ
SWAPGS
jmp restore_args
@@ -12129,7 +12133,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
/*
* The iretq could re-enable interrupts:
*/
-@@ -1027,6 +1301,16 @@ ENTRY(\sym)
+@@ -1027,6 +1306,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -12146,7 +12150,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
call \do_sym
-@@ -1044,6 +1328,16 @@ ENTRY(\sym)
+@@ -1044,6 +1333,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF
@@ -12163,7 +12167,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
movq %rsp,%rdi /* pt_regs pointer */
xorl %esi,%esi /* no error code */
call \do_sym
-@@ -1052,7 +1346,7 @@ ENTRY(\sym)
+@@ -1052,7 +1351,7 @@ ENTRY(\sym)
END(\sym)
.endm
@@ -12172,7 +12176,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
.macro paranoidzeroentry_ist sym do_sym ist
ENTRY(\sym)
INTR_FRAME
-@@ -1062,8 +1356,24 @@ ENTRY(\sym)
+@@ -1062,8 +1361,24 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
TRACE_IRQS_OFF
@@ -12197,7 +12201,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
call \do_sym
addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
-@@ -1080,6 +1390,16 @@ ENTRY(\sym)
+@@ -1080,6 +1395,16 @@ ENTRY(\sym)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call error_entry
DEFAULT_FRAME 0
@@ -12214,7 +12218,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
movq %rsp,%rdi /* pt_regs pointer */
movq ORIG_RAX(%rsp),%rsi /* get error code */
movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
-@@ -1099,6 +1419,16 @@ ENTRY(\sym)
+@@ -1099,6 +1424,16 @@ ENTRY(\sym)
call save_paranoid
DEFAULT_FRAME 0
TRACE_IRQS_OFF
@@ -12231,7 +12235,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
movq %rsp,%rdi /* pt_regs pointer */
movq ORIG_RAX(%rsp),%rsi /* get error code */
movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
-@@ -1361,14 +1691,27 @@ ENTRY(paranoid_exit)
+@@ -1361,14 +1696,27 @@ ENTRY(paranoid_exit)
TRACE_IRQS_OFF
testl %ebx,%ebx /* swapgs needed? */
jnz paranoid_restore
@@ -12260,7 +12264,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
TRACE_IRQS_IRETQ 0
RESTORE_ALL 8
jmp irq_return
-@@ -1426,7 +1769,7 @@ ENTRY(error_entry)
+@@ -1426,7 +1774,7 @@ ENTRY(error_entry)
movq_cfi r14, R14+8
movq_cfi r15, R15+8
xorl %ebx,%ebx
@@ -12269,7 +12273,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
je error_kernelspace
error_swapgs:
SWAPGS
-@@ -1490,6 +1833,16 @@ ENTRY(nmi)
+@@ -1490,6 +1838,16 @@ ENTRY(nmi)
CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
call save_paranoid
DEFAULT_FRAME 0
@@ -12286,7 +12290,7 @@ diff -urNp linux-3.0.3/arch/x86/kernel/entry_64.S linux-3.0.3/arch/x86/kernel/en
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
movq $-1,%rsi
-@@ -1500,11 +1853,25 @@ ENTRY(nmi)
+@@ -1500,11 +1858,25 @@ ENTRY(nmi)
DISABLE_INTERRUPTS(CLBR_NONE)
testl %ebx,%ebx /* swapgs needed? */
jnz nmi_restore
@@ -35002,7 +35006,18 @@ diff -urNp linux-3.0.3/fs/ceph/dir.c linux-3.0.3/fs/ceph/dir.c
struct ceph_mds_reply_info_parsed *rinfo;
diff -urNp linux-3.0.3/fs/cifs/cifs_debug.c linux-3.0.3/fs/cifs/cifs_debug.c
--- linux-3.0.3/fs/cifs/cifs_debug.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/fs/cifs/cifs_debug.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.3/fs/cifs/cifs_debug.c 2011-08-25 17:18:05.000000000 -0400
+@@ -265,8 +265,8 @@ static ssize_t cifs_stats_proc_write(str
+
+ if (c == '1' || c == 'y' || c == 'Y' || c == '0') {
+ #ifdef CONFIG_CIFS_STATS2
+- atomic_set(&totBufAllocCount, 0);
+- atomic_set(&totSmBufAllocCount, 0);
++ atomic_set_unchecked(&totBufAllocCount, 0);
++ atomic_set_unchecked(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each(tmp1, &cifs_tcp_ses_list) {
@@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
tcon = list_entry(tmp3,
struct cifs_tcon,
@@ -35048,6 +35063,17 @@ diff -urNp linux-3.0.3/fs/cifs/cifs_debug.c linux-3.0.3/fs/cifs/cifs_debug.c
}
}
}
+@@ -327,8 +327,8 @@ static int cifs_stats_proc_show(struct s
+ smBufAllocCount.counter, cifs_min_small);
+ #ifdef CONFIG_CIFS_STATS2
+ seq_printf(m, "Total Large %d Small %d Allocations\n",
+- atomic_read(&totBufAllocCount),
+- atomic_read(&totSmBufAllocCount));
++ atomic_read_unchecked(&totBufAllocCount),
++ atomic_read_unchecked(&totSmBufAllocCount));
+ #endif /* CONFIG_CIFS_STATS2 */
+
+ seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
@@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
if (tcon->need_reconnect)
seq_puts(m, "\tDISCONNECTED ");
@@ -35110,9 +35136,41 @@ diff -urNp linux-3.0.3/fs/cifs/cifs_debug.c linux-3.0.3/fs/cifs/cifs_debug.c
}
}
}
+diff -urNp linux-3.0.3/fs/cifs/cifsfs.c linux-3.0.3/fs/cifs/cifsfs.c
+--- linux-3.0.3/fs/cifs/cifsfs.c 2011-08-23 21:44:40.000000000 -0400
++++ linux-3.0.3/fs/cifs/cifsfs.c 2011-08-25 17:18:05.000000000 -0400
+@@ -994,7 +994,7 @@ cifs_init_request_bufs(void)
+ cifs_req_cachep = kmem_cache_create("cifs_request",
+ CIFSMaxBufSize +
+ MAX_CIFS_HDR_SIZE, 0,
+- SLAB_HWCACHE_ALIGN, NULL);
++ SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
+ if (cifs_req_cachep == NULL)
+ return -ENOMEM;
+
+@@ -1021,7 +1021,7 @@ cifs_init_request_bufs(void)
+ efficient to alloc 1 per page off the slab compared to 17K (5page)
+ alloc of large cifs buffers even when page debugging is on */
+ cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
+- MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
++ MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
+ NULL);
+ if (cifs_sm_req_cachep == NULL) {
+ mempool_destroy(cifs_req_poolp);
+@@ -1106,8 +1106,8 @@ init_cifs(void)
+ atomic_set(&bufAllocCount, 0);
+ atomic_set(&smBufAllocCount, 0);
+ #ifdef CONFIG_CIFS_STATS2
+- atomic_set(&totBufAllocCount, 0);
+- atomic_set(&totSmBufAllocCount, 0);
++ atomic_set_unchecked(&totBufAllocCount, 0);
++ atomic_set_unchecked(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
+
+ atomic_set(&midCount, 0);
diff -urNp linux-3.0.3/fs/cifs/cifsglob.h linux-3.0.3/fs/cifs/cifsglob.h
--- linux-3.0.3/fs/cifs/cifsglob.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/fs/cifs/cifsglob.h 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.3/fs/cifs/cifsglob.h 2011-08-25 17:18:05.000000000 -0400
@@ -381,28 +381,28 @@ struct cifs_tcon {
__u16 Flags; /* optional support bits */
enum statusEnum tidStatus;
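Review bot: In the cifsfs.c part of this hunk, both `kmem_cache_create()` calls in cifs_init_request_bufs() now pass `SLAB_USERCOPY`, but nothing says which user-copy path reads or writes these request buffers. The flag presumably opts the whole `cifs_request` and `cifs_small_rq` caches into copies to and from user space under PAX_USERCOPY, so the reason for the exception is worth recording next to it. I would add a comment above each call such as `/* SLAB_USERCOPY: request buffers are copied to/from user space by <call site> */`, with the placeholder replaced by the actual call site. The function body continues outside the hunk.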
@@ -35173,6 +35231,17 @@ diff -urNp linux-3.0.3/fs/cifs/cifsglob.h linux-3.0.3/fs/cifs/cifsglob.h
static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
unsigned int bytes)
+@@ -911,8 +911,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
+ /* Various Debug counters */
+ GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
+ #ifdef CONFIG_CIFS_STATS2
+-GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
+-GLOBAL_EXTERN atomic_t totSmBufAllocCount;
++GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
++GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
+ #endif
+ GLOBAL_EXTERN atomic_t smBufAllocCount;
+ GLOBAL_EXTERN atomic_t midCount;
diff -urNp linux-3.0.3/fs/cifs/link.c linux-3.0.3/fs/cifs/link.c
--- linux-3.0.3/fs/cifs/link.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.3/fs/cifs/link.c 2011-08-23 21:47:56.000000000 -0400
@@ -35185,6 +35254,27 @@ diff -urNp linux-3.0.3/fs/cifs/link.c linux-3.0.3/fs/cifs/link.c
if (!IS_ERR(p))
kfree(p);
}
+diff -urNp linux-3.0.3/fs/cifs/misc.c linux-3.0.3/fs/cifs/misc.c
+--- linux-3.0.3/fs/cifs/misc.c 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.3/fs/cifs/misc.c 2011-08-25 17:18:05.000000000 -0400
+@@ -156,7 +156,7 @@ cifs_buf_get(void)
+ memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
+ atomic_inc(&bufAllocCount);
+ #ifdef CONFIG_CIFS_STATS2
+- atomic_inc(&totBufAllocCount);
++ atomic_inc_unchecked(&totBufAllocCount);
+ #endif /* CONFIG_CIFS_STATS2 */
+ }
+
+@@ -191,7 +191,7 @@ cifs_small_buf_get(void)
+ /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
+ atomic_inc(&smBufAllocCount);
+ #ifdef CONFIG_CIFS_STATS2
+- atomic_inc(&totSmBufAllocCount);
++ atomic_inc_unchecked(&totSmBufAllocCount);
+ #endif /* CONFIG_CIFS_STATS2 */
+
+ }
diff -urNp linux-3.0.3/fs/coda/cache.c linux-3.0.3/fs/coda/cache.c
--- linux-3.0.3/fs/coda/cache.c 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.3/fs/coda/cache.c 2011-08-23 21:47:56.000000000 -0400
@@ -35457,7 +35547,7 @@ diff -urNp linux-3.0.3/fs/ecryptfs/miscdev.c linux-3.0.3/fs/ecryptfs/miscdev.c
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
--- linux-3.0.3/fs/exec.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/fs/exec.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/fs/exec.c 2011-08-25 17:26:58.000000000 -0400
@@ -55,12 +55,24 @@
#include <linux/pipe_fs_i.h>
#include <linux/oom.h>
@@ -35680,7 +35770,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
-@@ -1428,6 +1445,11 @@ static int do_execve_common(const char *
+@@ -1428,11 +1445,35 @@ static int do_execve_common(const char *
struct user_arg_ptr envp,
struct pt_regs *regs)
{
@@ -35692,7 +35782,31 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
-@@ -1464,6 +1486,23 @@ static int do_execve_common(const char *
+ bool clear_in_exec;
+ int retval;
++ const struct cred *cred = current_cred();
++
++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
++
++ /*
++ * We move the actual failure in case of RLIMIT_NPROC excess from
++ * set*uid() to execve() because too many poorly written programs
++ * don't check setuid() return code. Here we additionally recheck
++ * whether NPROC limit is still exceeded.
++ */
++ if ((current->flags & PF_NPROC_EXCEEDED) &&
++ atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) {
++ retval = -EAGAIN;
++ goto out_ret;
++ }
++
++ /* We're below the limit (still or again), so we don't want to make
++ * further execve() calls fail. */
++ current->flags &= ~PF_NPROC_EXCEEDED;
+
+ retval = unshare_files(&displaced);
+ if (retval)
+@@ -1464,6 +1505,16 @@ static int do_execve_common(const char *
bprm->filename = filename;
bprm->interp = filename;
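Review bot: The RLIMIT_NPROC denial added at the top of do_execve_common() returns `-EAGAIN` through `out_ret` without logging anything, whereas the `gr_handle_nproc()` path this patch removes called `gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG)` before failing. Anyone alerting on the "denied overstep of process limit by" message loses that signal. If the drop is not intentional, keep the log call ahead of `retval = -EAGAIN;`, which also means keeping the `GR_NPROC_MSG` define that the grmsg.h hunk deletes. Separately, the `gr_learn_resource()` line reads `current->cred->user` although `cred` was fetched with `current_cred()` just above it; `atomic_read(&cred->user->processes)` would match the check that follows.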
@@ -35701,13 +35815,6 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
+ goto out_file;
+ }
+
-+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
-+
-+ if (gr_handle_nproc()) {
-+ retval = -EAGAIN;
-+ goto out_file;
-+ }
-+
+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
+ retval = -EACCES;
+ goto out_file;
@@ -35716,7 +35823,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
-@@ -1493,9 +1532,40 @@ static int do_execve_common(const char *
+@@ -1493,9 +1544,40 @@ static int do_execve_common(const char *
if (retval < 0)
goto out;
@@ -35758,7 +35865,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
/* execve succeeded */
current->fs->in_exec = 0;
-@@ -1506,6 +1576,14 @@ static int do_execve_common(const char *
+@@ -1506,6 +1588,14 @@ static int do_execve_common(const char *
put_files_struct(displaced);
return retval;
@@ -35773,7 +35880,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
-@@ -1579,7 +1657,7 @@ static int expand_corename(struct core_n
+@@ -1579,7 +1669,7 @@ static int expand_corename(struct core_n
{
char *old_corename = cn->corename;
@@ -35782,7 +35889,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
if (!cn->corename) {
-@@ -1667,7 +1745,7 @@ static int format_corename(struct core_n
+@@ -1667,7 +1757,7 @@ static int format_corename(struct core_n
int pid_in_pattern = 0;
int err = 0;
@@ -35791,7 +35898,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
cn->corename = kmalloc(cn->size, GFP_KERNEL);
cn->used = 0;
-@@ -1758,6 +1836,219 @@ out:
+@@ -1758,6 +1848,219 @@ out:
return ispipe;
}
@@ -36011,7 +36118,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
static int zap_process(struct task_struct *start, int exit_code)
{
struct task_struct *t;
-@@ -1969,17 +2260,17 @@ static void wait_for_dump_helpers(struct
+@@ -1969,17 +2272,17 @@ static void wait_for_dump_helpers(struct
pipe = file->f_path.dentry->d_inode->i_pipe;
pipe_lock(pipe);
@@ -36034,7 +36141,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
pipe_unlock(pipe);
}
-@@ -2040,7 +2331,7 @@ void do_coredump(long signr, int exit_co
+@@ -2040,7 +2343,7 @@ void do_coredump(long signr, int exit_co
int retval = 0;
int flag = 0;
int ispipe;
@@ -36043,7 +36150,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
struct coredump_params cprm = {
.signr = signr,
.regs = regs,
-@@ -2055,6 +2346,9 @@ void do_coredump(long signr, int exit_co
+@@ -2055,6 +2358,9 @@ void do_coredump(long signr, int exit_co
audit_core_dumps(signr);
@@ -36053,7 +36160,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
binfmt = mm->binfmt;
if (!binfmt || !binfmt->core_dump)
goto fail;
-@@ -2095,6 +2389,8 @@ void do_coredump(long signr, int exit_co
+@@ -2095,6 +2401,8 @@ void do_coredump(long signr, int exit_co
goto fail_corename;
}
@@ -36062,7 +36169,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
if (ispipe) {
int dump_count;
char **helper_argv;
-@@ -2122,7 +2418,7 @@ void do_coredump(long signr, int exit_co
+@@ -2122,7 +2430,7 @@ void do_coredump(long signr, int exit_co
}
cprm.limit = RLIM_INFINITY;
@@ -36071,7 +36178,7 @@ diff -urNp linux-3.0.3/fs/exec.c linux-3.0.3/fs/exec.c
if (core_pipe_limit && (core_pipe_limit < dump_count)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
-@@ -2192,7 +2488,7 @@ close_fail:
+@@ -2192,7 +2500,7 @@ close_fail:
filp_close(cprm.file, NULL);
fail_dropcount:
if (ispipe)
@@ -47792,8 +47899,8 @@ diff -urNp linux-3.0.3/grsecurity/grsec_disabled.c linux-3.0.3/grsecurity/grsec_
+#endif
diff -urNp linux-3.0.3/grsecurity/grsec_exec.c linux-3.0.3/grsecurity/grsec_exec.c
--- linux-3.0.3/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/grsecurity/grsec_exec.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,87 @@
++++ linux-3.0.3/grsecurity/grsec_exec.c 2011-08-25 17:25:59.000000000 -0400
+@@ -0,0 +1,72 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -47812,21 +47919,6 @@ diff -urNp linux-3.0.3/grsecurity/grsec_exec.c linux-3.0.3/grsecurity/grsec_exec
+static DEFINE_MUTEX(gr_exec_arg_mutex);
+#endif
+
-+int
-+gr_handle_nproc(void)
-+{
-+#ifdef CONFIG_GRKERNSEC_EXECVE
-+ const struct cred *cred = current_cred();
-+ if (grsec_enable_execve && cred->user &&
-+ (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
-+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
-+ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
-+ return -EAGAIN;
-+ }
-+#endif
-+ return 0;
-+}
-+
+extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
+
+void
@@ -47938,8 +48030,8 @@ diff -urNp linux-3.0.3/grsecurity/grsec_fork.c linux-3.0.3/grsecurity/grsec_fork
+}
diff -urNp linux-3.0.3/grsecurity/grsec_init.c linux-3.0.3/grsecurity/grsec_init.c
--- linux-3.0.3/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/grsecurity/grsec_init.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,273 @@
++++ linux-3.0.3/grsecurity/grsec_init.c 2011-08-25 17:25:12.000000000 -0400
+@@ -0,0 +1,269 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -47954,7 +48046,6 @@ diff -urNp linux-3.0.3/grsecurity/grsec_init.c linux-3.0.3/grsecurity/grsec_init
+int grsec_enable_dmesg;
+int grsec_enable_harden_ptrace;
+int grsec_enable_fifo;
-+int grsec_enable_execve;
+int grsec_enable_execlog;
+int grsec_enable_signal;
+int grsec_enable_forkfail;
@@ -48127,9 +48218,6 @@ diff -urNp linux-3.0.3/grsecurity/grsec_init.c linux-3.0.3/grsecurity/grsec_init
+#ifdef CONFIG_GRKERNSEC_FIFO
+ grsec_enable_fifo = 1;
+#endif
-+#ifdef CONFIG_GRKERNSEC_EXECVE
-+ grsec_enable_execve = 1;
-+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+ grsec_enable_execlog = 1;
+#endif
@@ -49195,8 +49283,8 @@ diff -urNp linux-3.0.3/grsecurity/grsec_sock.c linux-3.0.3/grsecurity/grsec_sock
+}
diff -urNp linux-3.0.3/grsecurity/grsec_sysctl.c linux-3.0.3/grsecurity/grsec_sysctl.c
--- linux-3.0.3/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/grsecurity/grsec_sysctl.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,442 @@
++++ linux-3.0.3/grsecurity/grsec_sysctl.c 2011-08-25 17:26:15.000000000 -0400
+@@ -0,0 +1,433 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
@@ -49260,15 +49348,6 @@ diff -urNp linux-3.0.3/grsecurity/grsec_sysctl.c linux-3.0.3/grsecurity/grsec_sy
+ .proc_handler = &proc_dointvec,
+ },
+#endif
-+#ifdef CONFIG_GRKERNSEC_EXECVE
-+ {
-+ .procname = "execve_limiting",
-+ .data = &grsec_enable_execve,
-+ .maxlen = sizeof(int),
-+ .mode = 0600,
-+ .proc_handler = &proc_dointvec,
-+ },
-+#endif
+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
+ {
+ .procname = "ip_blackhole",
@@ -49769,8 +49848,8 @@ diff -urNp linux-3.0.3/grsecurity/grsum.c linux-3.0.3/grsecurity/grsum.c
+}
diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
--- linux-3.0.3/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/grsecurity/Kconfig 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,1050 @@
++++ linux-3.0.3/grsecurity/Kconfig 2011-08-25 17:25:34.000000000 -0400
+@@ -0,0 +1,1038 @@
+#
+# grecurity configuration
+#
@@ -49797,7 +49876,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
+ bool "Low"
+ select GRKERNSEC_LINK
+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_EXECVE
+ select GRKERNSEC_RANDNET
+ select GRKERNSEC_DMESG
+ select GRKERNSEC_CHROOT
@@ -49814,7 +49892,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
+
+ - Linking restrictions
+ - FIFO restrictions
-+ - Enforcing RLIMIT_NPROC on execve
+ - Restricted dmesg
+ - Enforced chdir("/") on chroot
+ - Runtime module disabling
@@ -49830,7 +49907,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
+ select GRKERNSEC_CHROOT_SYSCTL
+ select GRKERNSEC_LINK
+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_EXECVE
+ select GRKERNSEC_DMESG
+ select GRKERNSEC_RANDNET
+ select GRKERNSEC_FORKFAIL
@@ -49880,7 +49956,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
+ bool "High"
+ select GRKERNSEC_LINK
+ select GRKERNSEC_FIFO
-+ select GRKERNSEC_EXECVE
+ select GRKERNSEC_DMESG
+ select GRKERNSEC_FORKFAIL
+ select GRKERNSEC_TIME
@@ -50548,14 +50623,6 @@ diff -urNp linux-3.0.3/grsecurity/Kconfig linux-3.0.3/grsecurity/Kconfig
+menu "Executable Protections"
+depends on GRKERNSEC
+
-+config GRKERNSEC_EXECVE
-+ bool "Enforce RLIMIT_NPROC on execs"
-+ help
-+ If you say Y here, users with a resource limit on processes will
-+ have the value checked during execve() calls. The current system
-+ only checks the system limit during fork() calls. If the sysctl option
-+ is enabled, a sysctl option with name "execve_limiting" is created.
-+
+config GRKERNSEC_DMESG
+ bool "Dmesg(8) restriction"
+ help
@@ -52631,8 +52698,8 @@ diff -urNp linux-3.0.3/include/linux/grinternal.h linux-3.0.3/include/linux/grin
+#endif
diff -urNp linux-3.0.3/include/linux/grmsg.h linux-3.0.3/include/linux/grmsg.h
--- linux-3.0.3/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/include/linux/grmsg.h 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,108 @@
++++ linux-3.0.3/include/linux/grmsg.h 2011-08-25 17:27:26.000000000 -0400
+@@ -0,0 +1,107 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -52666,7 +52733,6 @@ diff -urNp linux-3.0.3/include/linux/grmsg.h linux-3.0.3/include/linux/grmsg.h
+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
-+#define GR_NPROC_MSG "denied overstep of process limit by "
+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
@@ -52743,8 +52809,8 @@ diff -urNp linux-3.0.3/include/linux/grmsg.h linux-3.0.3/include/linux/grmsg.h
+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
diff -urNp linux-3.0.3/include/linux/grsecurity.h linux-3.0.3/include/linux/grsecurity.h
--- linux-3.0.3/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.3/include/linux/grsecurity.h 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,228 @@
++++ linux-3.0.3/include/linux/grsecurity.h 2011-08-25 17:27:36.000000000 -0400
+@@ -0,0 +1,227 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -52822,7 +52888,6 @@ diff -urNp linux-3.0.3/include/linux/grsecurity.h linux-3.0.3/include/linux/grse
+int gr_handle_chroot_unix(const pid_t pid);
+
+int gr_handle_rawio(const struct inode *inode);
-+int gr_handle_nproc(void);
+
+void gr_handle_ioperm(void);
+void gr_handle_iopl(void);
@@ -53970,7 +54035,7 @@ diff -urNp linux-3.0.3/include/linux/rmap.h linux-3.0.3/include/linux/rmap.h
static inline void anon_vma_merge(struct vm_area_struct *vma,
diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
--- linux-3.0.3/include/linux/sched.h 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/include/linux/sched.h 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/include/linux/sched.h 2011-08-25 17:22:27.000000000 -0400
@@ -100,6 +100,7 @@ struct bio_list;
struct fs_struct;
struct perf_event_context;
@@ -54157,7 +54222,15 @@ diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
/* Future-safe accessor for struct task_struct's cpus_allowed. */
#define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
-@@ -2056,7 +2148,9 @@ void yield(void);
+@@ -1768,6 +1860,7 @@ extern void thread_group_times(struct ta
+ #define PF_DUMPCORE 0x00000200 /* dumped core */
+ #define PF_SIGNALED 0x00000400 /* killed by a signal */
+ #define PF_MEMALLOC 0x00000800 /* Allocating memory */
++#define PF_NPROC_EXCEEDED 0x00001000 /* set_user noticed that RLIMIT_NPROC was exceeded */
+ #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */
+ #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */
+ #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */
+@@ -2056,7 +2149,9 @@ void yield(void);
extern struct exec_domain default_exec_domain;
union thread_union {
@@ -54167,7 +54240,7 @@ diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
unsigned long stack[THREAD_SIZE/sizeof(long)];
};
-@@ -2089,6 +2183,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2089,6 +2184,7 @@ extern struct pid_namespace init_pid_ns;
*/
extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -54175,7 +54248,7 @@ diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
extern struct task_struct *find_task_by_pid_ns(pid_t nr,
struct pid_namespace *ns);
-@@ -2225,7 +2320,7 @@ extern void __cleanup_sighand(struct sig
+@@ -2225,7 +2321,7 @@ extern void __cleanup_sighand(struct sig
extern void exit_itimers(struct signal_struct *);
extern void flush_itimer_signals(void);
@@ -54184,7 +54257,7 @@ diff -urNp linux-3.0.3/include/linux/sched.h linux-3.0.3/include/linux/sched.h
extern void daemonize(const char *, ...);
extern int allow_signal(int);
-@@ -2393,13 +2488,17 @@ static inline unsigned long *end_of_stac
+@@ -2393,13 +2489,17 @@ static inline unsigned long *end_of_stac
#endif
@@ -56173,7 +56246,7 @@ diff -urNp linux-3.0.3/kernel/configs.c linux-3.0.3/kernel/configs.c
diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
--- linux-3.0.3/kernel/cred.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/kernel/cred.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/kernel/cred.c 2011-08-25 17:23:03.000000000 -0400
@@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
*/
void __put_cred(struct cred *cred)
@@ -56255,7 +56328,20 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
/* dumpability changes */
if (old->euid != new->euid ||
old->egid != new->egid ||
-@@ -551,6 +569,8 @@ EXPORT_SYMBOL(commit_creds);
+@@ -508,10 +526,8 @@ int commit_creds(struct cred *new)
+ key_fsgid_changed(task);
+
+ /* do it
+- * - What if a process setreuid()'s and this brings the
+- * new uid over his NPROC rlimit? We can check this now
+- * cheaply with the new uid cache, so if it matters
+- * we should be checking for it. -DaveM
++ * RLIMIT_NPROC limits on user->processes have already been checked
++ * in set_user().
+ */
+ alter_cred_subscribers(new, 2);
+ if (new->user != old->user)
+@@ -551,6 +567,8 @@ EXPORT_SYMBOL(commit_creds);
*/
void abort_creds(struct cred *new)
{
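Review bot: The replacement comment in commit_creds() says the RLIMIT_NPROC limits "have already been checked in set_user()", which reads as if set_user() still enforces them. In this same patch set_user() only sets or clears `PF_NPROC_EXCEEDED`, and the failure is deferred to do_execve_common(). I would word it as `* RLIMIT_NPROC excess is only flagged in set_user() (PF_NPROC_EXCEEDED); it is enforced at execve().` so a reader does not assume a hard check happened before the user switch.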
@@ -56264,7 +56350,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
kdebug("abort_creds(%p{%d,%d})", new,
atomic_read(&new->usage),
read_cred_subscribers(new));
-@@ -574,6 +594,8 @@ const struct cred *override_creds(const
+@@ -574,6 +592,8 @@ const struct cred *override_creds(const
{
const struct cred *old = current->cred;
@@ -56273,7 +56359,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
kdebug("override_creds(%p{%d,%d})", new,
atomic_read(&new->usage),
read_cred_subscribers(new));
-@@ -603,6 +625,8 @@ void revert_creds(const struct cred *old
+@@ -603,6 +623,8 @@ void revert_creds(const struct cred *old
{
const struct cred *override = current->cred;
@@ -56282,7 +56368,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
kdebug("revert_creds(%p{%d,%d})", old,
atomic_read(&old->usage),
read_cred_subscribers(old));
-@@ -649,6 +673,8 @@ struct cred *prepare_kernel_cred(struct
+@@ -649,6 +671,8 @@ struct cred *prepare_kernel_cred(struct
const struct cred *old;
struct cred *new;
@@ -56291,7 +56377,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
if (!new)
return NULL;
-@@ -703,6 +729,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
+@@ -703,6 +727,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
*/
int set_security_override(struct cred *new, u32 secid)
{
@@ -56300,7 +56386,7 @@ diff -urNp linux-3.0.3/kernel/cred.c linux-3.0.3/kernel/cred.c
return security_kernel_act_as(new, secid);
}
EXPORT_SYMBOL(set_security_override);
-@@ -722,6 +750,8 @@ int set_security_override_from_ctx(struc
+@@ -722,6 +748,8 @@ int set_security_override_from_ctx(struc
u32 secid;
int ret;
@@ -56594,7 +56680,7 @@ diff -urNp linux-3.0.3/kernel/exit.c linux-3.0.3/kernel/exit.c
if (group_dead)
diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
--- linux-3.0.3/kernel/fork.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/kernel/fork.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/kernel/fork.c 2011-08-25 17:23:36.000000000 -0400
@@ -286,7 +286,7 @@ static struct task_struct *dup_task_stru
*stackend = STACK_END_MAGIC; /* for overflow detection */
@@ -56827,7 +56913,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
return 0;
}
-@@ -1104,10 +1142,13 @@ static struct task_struct *copy_process(
+@@ -1104,12 +1142,16 @@ static struct task_struct *copy_process(
DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
#endif
retval = -EAGAIN;
@@ -56842,8 +56928,11 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
goto bad_fork_free;
}
++ current->flags &= ~PF_NPROC_EXCEEDED;
-@@ -1250,6 +1291,8 @@ static struct task_struct *copy_process(
+ retval = copy_creds(p, clone_flags);
+ if (retval < 0)
+@@ -1250,6 +1292,8 @@ static struct task_struct *copy_process(
if (clone_flags & CLONE_THREAD)
p->tgid = current->tgid;
@@ -56852,7 +56941,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
/*
* Clear TID on mm_release()?
-@@ -1414,6 +1457,8 @@ bad_fork_cleanup_count:
+@@ -1414,6 +1458,8 @@ bad_fork_cleanup_count:
bad_fork_free:
free_task(p);
fork_out:
@@ -56861,7 +56950,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
return ERR_PTR(retval);
}
-@@ -1502,6 +1547,8 @@ long do_fork(unsigned long clone_flags,
+@@ -1502,6 +1548,8 @@ long do_fork(unsigned long clone_flags,
if (clone_flags & CLONE_PARENT_SETTID)
put_user(nr, parent_tidptr);
@@ -56870,7 +56959,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
if (clone_flags & CLONE_VFORK) {
p->vfork_done = &vfork;
init_completion(&vfork);
-@@ -1610,7 +1657,7 @@ static int unshare_fs(unsigned long unsh
+@@ -1610,7 +1658,7 @@ static int unshare_fs(unsigned long unsh
return 0;
/* don't need lock here; in the worst case we'll do useless copy */
@@ -56879,7 +56968,7 @@ diff -urNp linux-3.0.3/kernel/fork.c linux-3.0.3/kernel/fork.c
return 0;
*new_fsp = copy_fs_struct(fs);
-@@ -1697,7 +1744,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
+@@ -1697,7 +1745,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
fs = current->fs;
spin_lock(&fs->lock);
current->fs = new_fs;
@@ -59381,7 +59470,7 @@ diff -urNp linux-3.0.3/kernel/softirq.c linux-3.0.3/kernel/softirq.c
diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
--- linux-3.0.3/kernel/sys.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.3/kernel/sys.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.3/kernel/sys.c 2011-08-25 17:24:58.000000000 -0400
@@ -154,6 +154,12 @@ static int set_one_prio(struct task_stru
error = -EACCES;
goto out;
@@ -59416,7 +59505,30 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
if (nsown_capable(CAP_SETGID))
new->gid = new->egid = new->sgid = new->fsgid = gid;
else if (gid == old->gid || gid == old->sgid)
-@@ -646,6 +659,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
+@@ -591,11 +604,18 @@ static int set_user(struct cred *new)
+ if (!new_user)
+ return -EAGAIN;
+
++ /*
++ * We don't fail in case of NPROC limit excess here because too many
++ * poorly written programs don't check set*uid() return code, assuming
++ * it never fails if called by root. We may still enforce NPROC limit
++ * for programs doing set*uid()+execve() by harmlessly deferring the
++ * failure to the execve() stage.
++ */
+ if (atomic_read(&new_user->processes) >= rlimit(RLIMIT_NPROC) &&
+- new_user != INIT_USER) {
+- free_uid(new_user);
+- return -EAGAIN;
+- }
++ new_user != INIT_USER)
++ current->flags |= PF_NPROC_EXCEEDED;
++ else
++ current->flags &= ~PF_NPROC_EXCEEDED;
+
+ free_uid(new->user);
+ new->user = new_user;
+@@ -646,6 +666,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
goto error;
}
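Review bot: In the added `set_user()` hunk (`@@ -591,11 +604,18 @@`), `PF_NPROC_EXCEEDED` is written to `current->flags` while the function is still working on the uncommitted `struct cred *new`. If a caller then drops those credentials on a later error, the flag would describe a user that was never installed; this is inferred, as the callers' error paths are not in this hunk. The new comment explains why the failure is deferred but not that the flag is only a hint, so I would extend it with `* PF_NPROC_EXCEEDED is advisory: it is set before the new creds are committed, so the execve() check must re-read the process count against RLIMIT_NPROC.` The execve()-side consumer is not visible here, so it is worth confirming that it re-checks the count and does not trust the flag alone. `set_user()` begins and ends outside the hunk.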
@@ -59426,7 +59538,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
if (new->uid != old->uid) {
retval = set_user(new);
if (retval < 0)
-@@ -690,6 +706,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
+@@ -690,6 +713,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
old = current_cred();
retval = -EPERM;
@@ -59439,7 +59551,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
if (nsown_capable(CAP_SETUID)) {
new->suid = new->uid = uid;
if (uid != old->uid) {
-@@ -744,6 +766,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
+@@ -744,6 +773,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
goto error;
}
@@ -59449,7 +59561,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
if (ruid != (uid_t) -1) {
new->uid = ruid;
if (ruid != old->uid) {
-@@ -808,6 +833,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
+@@ -808,6 +840,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
goto error;
}
@@ -59459,7 +59571,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
if (rgid != (gid_t) -1)
new->gid = rgid;
if (egid != (gid_t) -1)
-@@ -854,6 +882,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
+@@ -854,6 +889,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
old = current_cred();
old_fsuid = old->fsuid;
@@ -59469,7 +59581,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
if (uid == old->uid || uid == old->euid ||
uid == old->suid || uid == old->fsuid ||
nsown_capable(CAP_SETUID)) {
-@@ -864,6 +895,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
+@@ -864,6 +902,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
}
}
@@ -59477,7 +59589,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
abort_creds(new);
return old_fsuid;
-@@ -890,12 +922,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
+@@ -890,12 +929,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
if (gid == old->gid || gid == old->egid ||
gid == old->sgid || gid == old->fsgid ||
nsown_capable(CAP_SETGID)) {
@@ -59494,7 +59606,7 @@ diff -urNp linux-3.0.3/kernel/sys.c linux-3.0.3/kernel/sys.c
abort_creds(new);
return old_fsgid;
-@@ -1642,7 +1678,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
+@@ -1642,7 +1685,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
error = get_dumpable(me->mm);
break;
case PR_SET_DUMPABLE:
diff --git a/3.0.3/4425_grsec-pax-without-grsec.patch b/3.0.3/4425_grsec-pax-without-grsec.patch
index 0699b1e..cdc33f2 100644
--- a/3.0.3/4425_grsec-pax-without-grsec.patch
+++ b/3.0.3/4425_grsec-pax-without-grsec.patch
@@ -36,7 +36,7 @@ diff -Naur a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
diff -Naur a/fs/exec.c b/fs/exec.c
--- a/fs/exec.c 2011-04-17 19:05:03.000000000 -0400
+++ b/fs/exec.c 2011-04-17 19:20:30.000000000 -0400
-@@ -1946,9 +1946,11 @@
+@@ -1958,9 +1958,11 @@
}
up_read(&mm->mmap_sem);
}
@@ -48,7 +48,7 @@ diff -Naur a/fs/exec.c b/fs/exec.c
printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
"PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
-@@ -1963,10 +1965,12 @@
+@@ -1975,10 +1977,12 @@
#ifdef CONFIG_PAX_REFCOUNT
void pax_report_refcount_overflow(struct pt_regs *regs)
{
@@ -61,7 +61,7 @@ diff -Naur a/fs/exec.c b/fs/exec.c
printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
current->comm, task_pid_nr(current), current_uid(), current_euid());
print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
-@@ -2026,10 +2030,12 @@
+@@ -2038,10 +2042,12 @@
NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
{
diff --git a/3.0.3/4430_grsec-kconfig-default-gids.patch b/3.0.3/4430_grsec-kconfig-default-gids.patch
index aefb6ec..6a448bf 100644
--- a/3.0.3/4430_grsec-kconfig-default-gids.patch
+++ b/3.0.3/4430_grsec-kconfig-default-gids.patch
@@ -12,7 +12,7 @@ from shooting themselves in the foot.
diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-hardened-r44/grsecurity/Kconfig
--- linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig 2011-04-17 18:15:55.000000000 -0400
+++ linux-2.6.32-hardened-r44/grsecurity/Kconfig 2011-04-17 18:37:33.000000000 -0400
-@@ -437,7 +437,7 @@
+@@ -433,7 +433,7 @@
config GRKERNSEC_PROC_GID
int "GID for special group"
depends on GRKERNSEC_PROC_USERGROUP
@@ -21,7 +21,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
config GRKERNSEC_PROC_ADD
bool "Additional restrictions"
-@@ -661,7 +661,7 @@
+@@ -657,7 +657,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -30,7 +30,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -847,7 +847,7 @@
+@@ -835,7 +835,7 @@
config GRKERNSEC_TPE_GID
int "GID for untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -39,7 +39,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -856,7 +856,7 @@
+@@ -844,7 +844,7 @@
config GRKERNSEC_TPE_GID
int "GID for trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -48,7 +48,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -929,7 +929,7 @@
+@@ -917,7 +917,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -57,7 +57,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -950,7 +950,7 @@
+@@ -938,7 +938,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -66,7 +66,7 @@ diff -Naur linux-2.6.32-hardened-r44.orig/grsecurity/Kconfig linux-2.6.32-harden
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -968,7 +968,7 @@
+@@ -956,7 +956,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.0.3/4435_grsec-kconfig-gentoo.patch b/3.0.3/4435_grsec-kconfig-gentoo.patch
index 5bae307..1721c9e 100644
--- a/3.0.3/4435_grsec-kconfig-gentoo.patch
+++ b/3.0.3/4435_grsec-kconfig-gentoo.patch
@@ -27,7 +27,7 @@ diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardene
config GRKERNSEC_LOW
bool "Low"
-@@ -195,6 +195,261 @@
+@@ -191,6 +191,261 @@
- Restricted sysfs/debugfs
- Active kernel exploit response
diff --git a/3.0.3/4437-grsec-kconfig-proc-user.patch b/3.0.3/4437-grsec-kconfig-proc-user.patch
index 1af93aa..4e5acda 100644
--- a/3.0.3/4437-grsec-kconfig-proc-user.patch
+++ b/3.0.3/4437-grsec-kconfig-proc-user.patch
@@ -6,7 +6,7 @@ in a different way to avoid bug #366019. This patch should eventually go upstre
diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-hardened-r4/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-06-29 10:02:56.000000000 -0400
+++ b/grsecurity/Kconfig 2011-06-29 10:08:07.000000000 -0400
-@@ -673,7 +673,7 @@
+@@ -669,7 +669,7 @@
config GRKERNSEC_PROC_USER
bool "Restrict /proc to user only"
@@ -15,7 +15,7 @@ diff -Naur linux-2.6.39-hardened-r4.orig//grsecurity/Kconfig linux-2.6.39-harden
help
If you say Y here, non-root users will only be able to view their own
processes, and restricts them from viewing network-related information,
-@@ -681,7 +681,7 @@
+@@ -677,7 +677,7 @@
config GRKERNSEC_PROC_USERGROUP
bool "Allow special group"
diff --git a/3.0.3/4440_selinux-avc_audit-log-curr_ip.patch b/3.0.3/4440_selinux-avc_audit-log-curr_ip.patch
index c50b9c8..3a991fb 100644
--- a/3.0.3/4440_selinux-avc_audit-log-curr_ip.patch
+++ b/3.0.3/4440_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig linux-2.6.38-hardened-r1/grsecurity/Kconfig
--- linux-2.6.38-hardened-r1.orig/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ linux-2.6.38-hardened-r1/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1280,6 +1280,27 @@
+@@ -1268,6 +1268,27 @@
menu "Logging Options"
depends on GRKERNSEC