authorAnthony G. Basile <blueness@gentoo.org>2015-07-01 18:16:19 -0400
committerAnthony G. Basile <blueness@gentoo.org>2015-07-01 18:16:19 -0400
commita6229b99579efd5285746356612b4c3e70b6c407 (patch)
tree965ac6fe579e48a12ff07664a2c75b4c78c38573
parentGrsec/PaX: 3.1-4.0.6-201506272327 (diff)
Grsec/PaX: 3.1-{3.2.69,3.14.46,4.0.7}-20150630071220150630
-rw-r--r--3.14.46/0000_README (renamed from 4.0.6/0000_README)6
-rw-r--r--3.14.46/1045_linux-3.14.46.patch829
-rw-r--r--3.14.46/4420_grsecurity-3.1-3.14.46-201506300711.patch (renamed from 3.14.45/4420_grsecurity-3.1-3.14.45-201506262046.patch)270
-rw-r--r--3.14.46/4425_grsec_remove_EI_PAX.patch (renamed from 3.14.45/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--3.14.46/4427_force_XATTR_PAX_tmpfs.patch (renamed from 3.14.45/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--3.14.46/4430_grsec-remove-localversion-grsec.patch (renamed from 3.14.45/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--3.14.46/4435_grsec-mute-warnings.patch (renamed from 3.14.45/4435_grsec-mute-warnings.patch)0
-rw-r--r--3.14.46/4440_grsec-remove-protected-paths.patch (renamed from 3.14.45/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--3.14.46/4450_grsec-kconfig-default-gids.patch (renamed from 3.14.45/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--3.14.46/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 3.14.45/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--3.14.46/4470_disable-compat_vdso.patch (renamed from 3.14.45/4470_disable-compat_vdso.patch)0
-rw-r--r--3.14.46/4475_emutramp_default_on.patch (renamed from 3.14.45/4475_emutramp_default_on.patch)0
-rw-r--r--3.2.69/0000_README2
-rw-r--r--3.2.69/4420_grsecurity-3.1-3.2.69-201506300708.patch (renamed from 3.2.69/4420_grsecurity-3.1-3.2.69-201506262041.patch)69
-rw-r--r--4.0.7/0000_README (renamed from 3.14.45/0000_README)6
-rw-r--r--4.0.7/1006_linux-4.0.7.patch707
-rw-r--r--4.0.7/4420_grsecurity-3.1-4.0.7-201506300712.patch (renamed from 4.0.6/4420_grsecurity-3.1-4.0.6-201506272327.patch)235
-rw-r--r--4.0.7/4425_grsec_remove_EI_PAX.patch (renamed from 4.0.6/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--4.0.7/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.0.6/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.0.7/4430_grsec-remove-localversion-grsec.patch (renamed from 4.0.6/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.0.7/4435_grsec-mute-warnings.patch (renamed from 4.0.6/4435_grsec-mute-warnings.patch)0
-rw-r--r--4.0.7/4440_grsec-remove-protected-paths.patch (renamed from 4.0.6/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.0.7/4450_grsec-kconfig-default-gids.patch (renamed from 4.0.6/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--4.0.7/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.0.6/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.0.7/4470_disable-compat_vdso.patch (renamed from 4.0.6/4470_disable-compat_vdso.patch)0
-rw-r--r--4.0.7/4475_emutramp_default_on.patch (renamed from 4.0.6/4475_emutramp_default_on.patch)0
26 files changed, 1725 insertions, 399 deletions
diff --git a/4.0.6/0000_README b/3.14.46/0000_README
index 67f188e..de59c28 100644
--- a/4.0.6/0000_README
+++ b/3.14.46/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.0.6-201506272327.patch
+Patch: 1045_linux-3.14.46.patch
+From: http://www.kernel.org
+Desc: Linux 3.14.46
+
+Patch: 4420_grsecurity-3.1-3.14.46-201506300711.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.14.46/1045_linux-3.14.46.patch b/3.14.46/1045_linux-3.14.46.patch
new file mode 100644
index 0000000..12790dc
--- /dev/null
+++ b/3.14.46/1045_linux-3.14.46.patch
@@ -0,0 +1,829 @@
+diff --git a/Makefile b/Makefile
+index c92186c..def39fd 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 14
+-SUBLEVEL = 45
++SUBLEVEL = 46
+ EXTRAVERSION =
+ NAME = Remembering Coco
+
+diff --git a/arch/arm/include/asm/kvm_host.h b/arch/arm/include/asm/kvm_host.h
+index 09af149..530f56e 100644
+--- a/arch/arm/include/asm/kvm_host.h
++++ b/arch/arm/include/asm/kvm_host.h
+@@ -42,7 +42,7 @@
+
+ struct kvm_vcpu;
+ u32 *kvm_vcpu_reg(struct kvm_vcpu *vcpu, u8 reg_num, u32 mode);
+-int kvm_target_cpu(void);
++int __attribute_const__ kvm_target_cpu(void);
+ int kvm_reset_vcpu(struct kvm_vcpu *vcpu);
+ void kvm_reset_coprocs(struct kvm_vcpu *vcpu);
+
+diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h
+index 7b362bc..0cbdb8e 100644
+--- a/arch/arm/include/asm/kvm_mmu.h
++++ b/arch/arm/include/asm/kvm_mmu.h
+@@ -127,6 +127,18 @@ static inline void kvm_set_s2pmd_writable(pmd_t *pmd)
+ (__boundary - 1 < (end) - 1)? __boundary: (end); \
+ })
+
++static inline bool kvm_page_empty(void *ptr)
++{
++ struct page *ptr_page = virt_to_page(ptr);
++ return page_count(ptr_page) == 1;
++}
++
++
++#define kvm_pte_table_empty(ptep) kvm_page_empty(ptep)
++#define kvm_pmd_table_empty(pmdp) kvm_page_empty(pmdp)
++#define kvm_pud_table_empty(pudp) (0)
++
++
+ struct kvm;
+
+ #define kvm_flush_dcache_to_poc(a,l) __cpuc_flush_dcache_area((a), (l))
+diff --git a/arch/arm/kernel/hyp-stub.S b/arch/arm/kernel/hyp-stub.S
+index 797b1a6..7e666cf 100644
+--- a/arch/arm/kernel/hyp-stub.S
++++ b/arch/arm/kernel/hyp-stub.S
+@@ -134,9 +134,7 @@ ENTRY(__hyp_stub_install_secondary)
+ mcr p15, 4, r7, c1, c1, 3 @ HSTR
+
+ THUMB( orr r7, #(1 << 30) ) @ HSCTLR.TE
+-#ifdef CONFIG_CPU_BIG_ENDIAN
+- orr r7, #(1 << 9) @ HSCTLR.EE
+-#endif
++ARM_BE8(orr r7, r7, #(1 << 25)) @ HSCTLR.EE
+ mcr p15, 4, r7, c1, c0, 0 @ HSCTLR
+
+ mrc p15, 4, r7, c1, c1, 1 @ HDCR
+diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
+index bd18bb8..df6e75e 100644
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -82,7 +82,7 @@ struct kvm_vcpu *kvm_arm_get_running_vcpu(void)
+ /**
+ * kvm_arm_get_running_vcpus - get the per-CPU array of currently running vcpus.
+ */
+-struct kvm_vcpu __percpu **kvm_get_running_vcpus(void)
++struct kvm_vcpu * __percpu *kvm_get_running_vcpus(void)
+ {
+ return &kvm_arm_running_vcpu;
+ }
+@@ -155,16 +155,6 @@ int kvm_arch_vcpu_fault(struct kvm_vcpu *vcpu, struct vm_fault *vmf)
+ return VM_FAULT_SIGBUS;
+ }
+
+-void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,
+- struct kvm_memory_slot *dont)
+-{
+-}
+-
+-int kvm_arch_create_memslot(struct kvm *kvm, struct kvm_memory_slot *slot,
+- unsigned long npages)
+-{
+- return 0;
+-}
+
+ /**
+ * kvm_arch_destroy_vm - destroy the VM data structure
+@@ -224,33 +214,6 @@ long kvm_arch_dev_ioctl(struct file *filp,
+ return -EINVAL;
+ }
+
+-void kvm_arch_memslots_updated(struct kvm *kvm)
+-{
+-}
+-
+-int kvm_arch_prepare_memory_region(struct kvm *kvm,
+- struct kvm_memory_slot *memslot,
+- struct kvm_userspace_memory_region *mem,
+- enum kvm_mr_change change)
+-{
+- return 0;
+-}
+-
+-void kvm_arch_commit_memory_region(struct kvm *kvm,
+- struct kvm_userspace_memory_region *mem,
+- const struct kvm_memory_slot *old,
+- enum kvm_mr_change change)
+-{
+-}
+-
+-void kvm_arch_flush_shadow_all(struct kvm *kvm)
+-{
+-}
+-
+-void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
+- struct kvm_memory_slot *slot)
+-{
+-}
+
+ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
+ {
+diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c
+index c58a351..7c73290 100644
+--- a/arch/arm/kvm/coproc.c
++++ b/arch/arm/kvm/coproc.c
+@@ -742,7 +742,7 @@ static bool is_valid_cache(u32 val)
+ u32 level, ctype;
+
+ if (val >= CSSELR_MAX)
+- return -ENOENT;
++ return false;
+
+ /* Bottom bit is Instruction or Data bit. Next 3 bits are level. */
+ level = (val >> 1);
+diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
+index c93ef38..70ed2c1 100644
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -90,103 +90,115 @@ static void *mmu_memory_cache_alloc(struct kvm_mmu_memory_cache *mc)
+ return p;
+ }
+
+-static bool page_empty(void *ptr)
++static void clear_pgd_entry(struct kvm *kvm, pgd_t *pgd, phys_addr_t addr)
+ {
+- struct page *ptr_page = virt_to_page(ptr);
+- return page_count(ptr_page) == 1;
++ pud_t *pud_table __maybe_unused = pud_offset(pgd, 0);
++ pgd_clear(pgd);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ pud_free(NULL, pud_table);
++ put_page(virt_to_page(pgd));
+ }
+
+ static void clear_pud_entry(struct kvm *kvm, pud_t *pud, phys_addr_t addr)
+ {
+- if (pud_huge(*pud)) {
+- pud_clear(pud);
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
+- } else {
+- pmd_t *pmd_table = pmd_offset(pud, 0);
+- pud_clear(pud);
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
+- pmd_free(NULL, pmd_table);
+- }
++ pmd_t *pmd_table = pmd_offset(pud, 0);
++ VM_BUG_ON(pud_huge(*pud));
++ pud_clear(pud);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ pmd_free(NULL, pmd_table);
+ put_page(virt_to_page(pud));
+ }
+
+ static void clear_pmd_entry(struct kvm *kvm, pmd_t *pmd, phys_addr_t addr)
+ {
+- if (kvm_pmd_huge(*pmd)) {
+- pmd_clear(pmd);
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
+- } else {
+- pte_t *pte_table = pte_offset_kernel(pmd, 0);
+- pmd_clear(pmd);
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
+- pte_free_kernel(NULL, pte_table);
+- }
++ pte_t *pte_table = pte_offset_kernel(pmd, 0);
++ VM_BUG_ON(kvm_pmd_huge(*pmd));
++ pmd_clear(pmd);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ pte_free_kernel(NULL, pte_table);
+ put_page(virt_to_page(pmd));
+ }
+
+-static void clear_pte_entry(struct kvm *kvm, pte_t *pte, phys_addr_t addr)
++static void unmap_ptes(struct kvm *kvm, pmd_t *pmd,
++ phys_addr_t addr, phys_addr_t end)
+ {
+- if (pte_present(*pte)) {
+- kvm_set_pte(pte, __pte(0));
+- put_page(virt_to_page(pte));
+- kvm_tlb_flush_vmid_ipa(kvm, addr);
++ phys_addr_t start_addr = addr;
++ pte_t *pte, *start_pte;
++
++ start_pte = pte = pte_offset_kernel(pmd, addr);
++ do {
++ if (!pte_none(*pte)) {
++ kvm_set_pte(pte, __pte(0));
++ put_page(virt_to_page(pte));
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ }
++ } while (pte++, addr += PAGE_SIZE, addr != end);
++
++ if (kvm_pte_table_empty(start_pte))
++ clear_pmd_entry(kvm, pmd, start_addr);
+ }
+-}
+
+-static void unmap_range(struct kvm *kvm, pgd_t *pgdp,
+- unsigned long long start, u64 size)
++static void unmap_pmds(struct kvm *kvm, pud_t *pud,
++ phys_addr_t addr, phys_addr_t end)
+ {
+- pgd_t *pgd;
+- pud_t *pud;
+- pmd_t *pmd;
+- pte_t *pte;
+- unsigned long long addr = start, end = start + size;
+- u64 next;
+-
+- while (addr < end) {
+- pgd = pgdp + pgd_index(addr);
+- pud = pud_offset(pgd, addr);
+- if (pud_none(*pud)) {
+- addr = kvm_pud_addr_end(addr, end);
+- continue;
+- }
++ phys_addr_t next, start_addr = addr;
++ pmd_t *pmd, *start_pmd;
+
+- if (pud_huge(*pud)) {
+- /*
+- * If we are dealing with a huge pud, just clear it and
+- * move on.
+- */
+- clear_pud_entry(kvm, pud, addr);
+- addr = kvm_pud_addr_end(addr, end);
+- continue;
++ start_pmd = pmd = pmd_offset(pud, addr);
++ do {
++ next = kvm_pmd_addr_end(addr, end);
++ if (!pmd_none(*pmd)) {
++ if (kvm_pmd_huge(*pmd)) {
++ pmd_clear(pmd);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ put_page(virt_to_page(pmd));
++ } else {
++ unmap_ptes(kvm, pmd, addr, next);
++ }
+ }
++ } while (pmd++, addr = next, addr != end);
+
+- pmd = pmd_offset(pud, addr);
+- if (pmd_none(*pmd)) {
+- addr = kvm_pmd_addr_end(addr, end);
+- continue;
+- }
++ if (kvm_pmd_table_empty(start_pmd))
++ clear_pud_entry(kvm, pud, start_addr);
++}
+
+- if (!kvm_pmd_huge(*pmd)) {
+- pte = pte_offset_kernel(pmd, addr);
+- clear_pte_entry(kvm, pte, addr);
+- next = addr + PAGE_SIZE;
+- }
++static void unmap_puds(struct kvm *kvm, pgd_t *pgd,
++ phys_addr_t addr, phys_addr_t end)
++{
++ phys_addr_t next, start_addr = addr;
++ pud_t *pud, *start_pud;
+
+- /*
+- * If the pmd entry is to be cleared, walk back up the ladder
+- */
+- if (kvm_pmd_huge(*pmd) || page_empty(pte)) {
+- clear_pmd_entry(kvm, pmd, addr);
+- next = kvm_pmd_addr_end(addr, end);
+- if (page_empty(pmd) && !page_empty(pud)) {
+- clear_pud_entry(kvm, pud, addr);
+- next = kvm_pud_addr_end(addr, end);
++ start_pud = pud = pud_offset(pgd, addr);
++ do {
++ next = kvm_pud_addr_end(addr, end);
++ if (!pud_none(*pud)) {
++ if (pud_huge(*pud)) {
++ pud_clear(pud);
++ kvm_tlb_flush_vmid_ipa(kvm, addr);
++ put_page(virt_to_page(pud));
++ } else {
++ unmap_pmds(kvm, pud, addr, next);
+ }
+ }
++ } while (pud++, addr = next, addr != end);
+
+- addr = next;
+- }
++ if (kvm_pud_table_empty(start_pud))
++ clear_pgd_entry(kvm, pgd, start_addr);
++}
++
++
++static void unmap_range(struct kvm *kvm, pgd_t *pgdp,
++ phys_addr_t start, u64 size)
++{
++ pgd_t *pgd;
++ phys_addr_t addr = start, end = start + size;
++ phys_addr_t next;
++
++ pgd = pgdp + pgd_index(addr);
++ do {
++ next = kvm_pgd_addr_end(addr, end);
++ unmap_puds(kvm, pgd, addr, next);
++ } while (pgd++, addr = next, addr != end);
+ }
+
+ static void stage2_flush_ptes(struct kvm *kvm, pmd_t *pmd,
+@@ -747,6 +759,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
+ struct kvm_mmu_memory_cache *memcache = &vcpu->arch.mmu_page_cache;
+ struct vm_area_struct *vma;
+ pfn_t pfn;
++ pgprot_t mem_type = PAGE_S2;
+
+ write_fault = kvm_is_write_fault(kvm_vcpu_get_hsr(vcpu));
+ if (fault_status == FSC_PERM && !write_fault) {
+@@ -797,6 +810,9 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
+ if (is_error_pfn(pfn))
+ return -EFAULT;
+
++ if (kvm_is_mmio_pfn(pfn))
++ mem_type = PAGE_S2_DEVICE;
++
+ spin_lock(&kvm->mmu_lock);
+ if (mmu_notifier_retry(kvm, mmu_seq))
+ goto out_unlock;
+@@ -804,7 +820,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
+ hugetlb = transparent_hugepage_adjust(&pfn, &fault_ipa);
+
+ if (hugetlb) {
+- pmd_t new_pmd = pfn_pmd(pfn, PAGE_S2);
++ pmd_t new_pmd = pfn_pmd(pfn, mem_type);
+ new_pmd = pmd_mkhuge(new_pmd);
+ if (writable) {
+ kvm_set_s2pmd_writable(&new_pmd);
+@@ -813,13 +829,14 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
+ coherent_cache_guest_page(vcpu, hva & PMD_MASK, PMD_SIZE);
+ ret = stage2_set_pmd_huge(kvm, memcache, fault_ipa, &new_pmd);
+ } else {
+- pte_t new_pte = pfn_pte(pfn, PAGE_S2);
++ pte_t new_pte = pfn_pte(pfn, mem_type);
+ if (writable) {
+ kvm_set_s2pte_writable(&new_pte);
+ kvm_set_pfn_dirty(pfn);
+ }
+ coherent_cache_guest_page(vcpu, hva, PAGE_SIZE);
+- ret = stage2_set_pte(kvm, memcache, fault_ipa, &new_pte, false);
++ ret = stage2_set_pte(kvm, memcache, fault_ipa, &new_pte,
++ mem_type == PAGE_S2_DEVICE);
+ }
+
+
+@@ -1099,3 +1116,49 @@ out:
+ free_hyp_pgds();
+ return err;
+ }
++
++void kvm_arch_commit_memory_region(struct kvm *kvm,
++ struct kvm_userspace_memory_region *mem,
++ const struct kvm_memory_slot *old,
++ enum kvm_mr_change change)
++{
++ gpa_t gpa = old->base_gfn << PAGE_SHIFT;
++ phys_addr_t size = old->npages << PAGE_SHIFT;
++ if (change == KVM_MR_DELETE || change == KVM_MR_MOVE) {
++ spin_lock(&kvm->mmu_lock);
++ unmap_stage2_range(kvm, gpa, size);
++ spin_unlock(&kvm->mmu_lock);
++ }
++}
++
++int kvm_arch_prepare_memory_region(struct kvm *kvm,
++ struct kvm_memory_slot *memslot,
++ struct kvm_userspace_memory_region *mem,
++ enum kvm_mr_change change)
++{
++ return 0;
++}
++
++void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,
++ struct kvm_memory_slot *dont)
++{
++}
++
++int kvm_arch_create_memslot(struct kvm *kvm, struct kvm_memory_slot *slot,
++ unsigned long npages)
++{
++ return 0;
++}
++
++void kvm_arch_memslots_updated(struct kvm *kvm)
++{
++}
++
++void kvm_arch_flush_shadow_all(struct kvm *kvm)
++{
++}
++
++void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
++ struct kvm_memory_slot *slot)
++{
++}
+diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h
+index 0a1d697..3fb0946 100644
+--- a/arch/arm64/include/asm/kvm_host.h
++++ b/arch/arm64/include/asm/kvm_host.h
+@@ -42,7 +42,7 @@
+ #define KVM_VCPU_MAX_FEATURES 2
+
+ struct kvm_vcpu;
+-int kvm_target_cpu(void);
++int __attribute_const__ kvm_target_cpu(void);
+ int kvm_reset_vcpu(struct kvm_vcpu *vcpu);
+ int kvm_arch_dev_ioctl_check_extension(long ext);
+
+@@ -177,7 +177,7 @@ static inline int kvm_test_age_hva(struct kvm *kvm, unsigned long hva)
+ }
+
+ struct kvm_vcpu *kvm_arm_get_running_vcpu(void);
+-struct kvm_vcpu __percpu **kvm_get_running_vcpus(void);
++struct kvm_vcpu * __percpu *kvm_get_running_vcpus(void);
+
+ u64 kvm_call_hyp(void *hypfn, ...);
+
+diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h
+index 7d29847..8e138c7 100644
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -125,6 +125,21 @@ static inline void kvm_set_s2pmd_writable(pmd_t *pmd)
+ #define kvm_pud_addr_end(addr, end) pud_addr_end(addr, end)
+ #define kvm_pmd_addr_end(addr, end) pmd_addr_end(addr, end)
+
++static inline bool kvm_page_empty(void *ptr)
++{
++ struct page *ptr_page = virt_to_page(ptr);
++ return page_count(ptr_page) == 1;
++}
++
++#define kvm_pte_table_empty(ptep) kvm_page_empty(ptep)
++#ifndef CONFIG_ARM64_64K_PAGES
++#define kvm_pmd_table_empty(pmdp) kvm_page_empty(pmdp)
++#else
++#define kvm_pmd_table_empty(pmdp) (0)
++#endif
++#define kvm_pud_table_empty(pudp) (0)
++
++
+ struct kvm;
+
+ #define kvm_flush_dcache_to_poc(a,l) __flush_dcache_area((a), (l))
+diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S
+index b0d1512..5dfc8331 100644
+--- a/arch/arm64/kvm/hyp.S
++++ b/arch/arm64/kvm/hyp.S
+@@ -830,7 +830,7 @@ el1_trap:
+ mrs x2, far_el2
+
+ 2: mrs x0, tpidr_el2
+- str x1, [x0, #VCPU_ESR_EL2]
++ str w1, [x0, #VCPU_ESR_EL2]
+ str x2, [x0, #VCPU_FAR_EL2]
+ str x3, [x0, #VCPU_HPFAR_EL2]
+
+diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
+index 0324458..7691b25 100644
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -836,7 +836,7 @@ static bool is_valid_cache(u32 val)
+ u32 level, ctype;
+
+ if (val >= CSSELR_MAX)
+- return -ENOENT;
++ return false;
+
+ /* Bottom bit is Instruction or Data bit. Next 3 bits are level. */
+ level = (val >> 1);
+@@ -962,7 +962,7 @@ static unsigned int num_demux_regs(void)
+
+ static int write_demux_regids(u64 __user *uindices)
+ {
+- u64 val = KVM_REG_ARM | KVM_REG_SIZE_U32 | KVM_REG_ARM_DEMUX;
++ u64 val = KVM_REG_ARM64 | KVM_REG_SIZE_U32 | KVM_REG_ARM_DEMUX;
+ unsigned int i;
+
+ val |= KVM_REG_ARM_DEMUX_ID_CCSIDR;
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index 26b03e1..8ff2b3c 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -79,6 +79,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x0489, 0xe057) },
+ { USB_DEVICE(0x0489, 0xe056) },
+ { USB_DEVICE(0x0489, 0xe05f) },
++ { USB_DEVICE(0x0489, 0xe076) },
+ { USB_DEVICE(0x0489, 0xe078) },
+ { USB_DEVICE(0x04c5, 0x1330) },
+ { USB_DEVICE(0x04CA, 0x3004) },
+@@ -109,6 +110,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x13d3, 0x3402) },
+ { USB_DEVICE(0x13d3, 0x3408) },
+ { USB_DEVICE(0x13d3, 0x3432) },
++ { USB_DEVICE(0x13d3, 0x3474) },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE02C) },
+@@ -133,6 +135,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+@@ -163,6 +166,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU22 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 9eb1669..c0e7a9aa9 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -157,6 +157,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+@@ -187,6 +188,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
+diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
+index 28486b1..ae6dae8 100644
+--- a/drivers/crypto/caam/caamrng.c
++++ b/drivers/crypto/caam/caamrng.c
+@@ -56,7 +56,7 @@
+
+ /* Buffer, its dma address and lock */
+ struct buf_data {
+- u8 buf[RN_BUF_SIZE];
++ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
+ dma_addr_t addr;
+ struct completion filled;
+ u32 hw_desc[DESC_JOB_O_LEN];
+diff --git a/drivers/gpu/drm/mgag200/mgag200_mode.c b/drivers/gpu/drm/mgag200/mgag200_mode.c
+index 9683747..f2511a0 100644
+--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
+@@ -1529,6 +1529,11 @@ static int mga_vga_mode_valid(struct drm_connector *connector,
+ return MODE_BANDWIDTH;
+ }
+
++ if ((mode->hdisplay % 8) != 0 || (mode->hsync_start % 8) != 0 ||
++ (mode->hsync_end % 8) != 0 || (mode->htotal % 8) != 0) {
++ return MODE_H_ILLEGAL;
++ }
++
+ if (mode->crtc_hdisplay > 2048 || mode->crtc_hsync_start > 4096 ||
+ mode->crtc_hsync_end > 4096 || mode->crtc_htotal > 4096 ||
+ mode->crtc_vdisplay > 2048 || mode->crtc_vsync_start > 4096 ||
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 8f580fd..ce21132 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -265,6 +265,16 @@ lpfc_sli4_eq_get(struct lpfc_queue *q)
+ return NULL;
+
+ q->hba_index = idx;
++
++ /*
++ * insert barrier for instruction interlock : data from the hardware
++ * must have the valid bit checked before it can be copied and acted
++ * upon. Given what was seen in lpfc_sli4_cq_get() of speculative
++ * instructions allowing action on content before valid bit checked,
++ * add barrier here as well. May not be needed as "content" is a
++ * single 32-bit entity here (vs multi word structure for cq's).
++ */
++ mb();
+ return eqe;
+ }
+
+@@ -370,6 +380,17 @@ lpfc_sli4_cq_get(struct lpfc_queue *q)
+
+ cqe = q->qe[q->hba_index].cqe;
+ q->hba_index = idx;
++
++ /*
++ * insert barrier for instruction interlock : data from the hardware
++ * must have the valid bit checked before it can be copied and acted
++ * upon. Speculative instructions were allowing a bcopy at the start
++ * of lpfc_sli4_fp_handle_wcqe(), which is called immediately
++ * after our return, to copy data before the valid bit check above
++ * was done. As such, some of the copied data was stale. The barrier
++ * ensures the check is before any data is copied.
++ */
++ mb();
+ return cqe;
+ }
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 78fd0d0..46f1ab2 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -117,25 +117,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
+ }
+
+ static int
+-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+- int atomic)
++pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
++ size_t *remaining, int atomic)
+ {
+ unsigned long copy;
+
+- while (len > 0) {
++ while (*remaining > 0) {
+ while (!iov->iov_len)
+ iov++;
+- copy = min_t(unsigned long, len, iov->iov_len);
++ copy = min_t(unsigned long, *remaining, iov->iov_len);
+
+ if (atomic) {
+- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
++ if (__copy_from_user_inatomic(addr + *offset,
++ iov->iov_base, copy))
+ return -EFAULT;
+ } else {
+- if (copy_from_user(to, iov->iov_base, copy))
++ if (copy_from_user(addr + *offset,
++ iov->iov_base, copy))
+ return -EFAULT;
+ }
+- to += copy;
+- len -= copy;
++ *offset += copy;
++ *remaining -= copy;
+ iov->iov_base += copy;
+ iov->iov_len -= copy;
+ }
+@@ -143,25 +145,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+ }
+
+ static int
+-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+- int atomic)
++pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
++ size_t *remaining, int atomic)
+ {
+ unsigned long copy;
+
+- while (len > 0) {
++ while (*remaining > 0) {
+ while (!iov->iov_len)
+ iov++;
+- copy = min_t(unsigned long, len, iov->iov_len);
++ copy = min_t(unsigned long, *remaining, iov->iov_len);
+
+ if (atomic) {
+- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
++ if (__copy_to_user_inatomic(iov->iov_base,
++ addr + *offset, copy))
+ return -EFAULT;
+ } else {
+- if (copy_to_user(iov->iov_base, from, copy))
++ if (copy_to_user(iov->iov_base,
++ addr + *offset, copy))
+ return -EFAULT;
+ }
+- from += copy;
+- len -= copy;
++ *offset += copy;
++ *remaining -= copy;
+ iov->iov_base += copy;
+ iov->iov_len -= copy;
+ }
+@@ -395,7 +399,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ struct pipe_buffer *buf = pipe->bufs + curbuf;
+ const struct pipe_buf_operations *ops = buf->ops;
+ void *addr;
+- size_t chars = buf->len;
++ size_t chars = buf->len, remaining;
+ int error, atomic;
+
+ if (chars > total_len)
+@@ -409,9 +413,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ }
+
+ atomic = !iov_fault_in_pages_write(iov, chars);
++ remaining = chars;
+ redo:
+ addr = ops->map(pipe, buf, atomic);
+- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
++ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++ &remaining, atomic);
+ ops->unmap(pipe, buf, addr);
+ if (unlikely(error)) {
+ /*
+@@ -426,7 +432,6 @@ redo:
+ break;
+ }
+ ret += chars;
+- buf->offset += chars;
+ buf->len -= chars;
+
+ /* Was it a packet buffer? Clean up and exit */
+@@ -531,6 +536,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ if (ops->can_merge && offset + chars <= PAGE_SIZE) {
+ int error, atomic = 1;
+ void *addr;
++ size_t remaining = chars;
+
+ error = ops->confirm(pipe, buf);
+ if (error)
+@@ -539,8 +545,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ iov_fault_in_pages_read(iov, chars);
+ redo1:
+ addr = ops->map(pipe, buf, atomic);
+- error = pipe_iov_copy_from_user(offset + addr, iov,
+- chars, atomic);
++ error = pipe_iov_copy_from_user(addr, &offset, iov,
++ &remaining, atomic);
+ ops->unmap(pipe, buf, addr);
+ ret = error;
+ do_wakeup = 1;
+@@ -575,6 +581,8 @@ redo1:
+ struct page *page = pipe->tmp_page;
+ char *src;
+ int error, atomic = 1;
++ int offset = 0;
++ size_t remaining;
+
+ if (!page) {
+ page = alloc_page(GFP_HIGHUSER);
+@@ -595,14 +603,15 @@ redo1:
+ chars = total_len;
+
+ iov_fault_in_pages_read(iov, chars);
++ remaining = chars;
+ redo2:
+ if (atomic)
+ src = kmap_atomic(page);
+ else
+ src = kmap(page);
+
+- error = pipe_iov_copy_from_user(src, iov, chars,
+- atomic);
++ error = pipe_iov_copy_from_user(src, &offset, iov,
++ &remaining, atomic);
+ if (atomic)
+ kunmap_atomic(src);
+ else
+diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
+index 8a86319..cb347e8 100644
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1399,19 +1399,24 @@ static int check_preds(struct filter_parse_state *ps)
+ {
+ int n_normal_preds = 0, n_logical_preds = 0;
+ struct postfix_elt *elt;
++ int cnt = 0;
+
+ list_for_each_entry(elt, &ps->postfix, list) {
+- if (elt->op == OP_NONE)
++ if (elt->op == OP_NONE) {
++ cnt++;
+ continue;
++ }
+
++ cnt--;
+ if (elt->op == OP_AND || elt->op == OP_OR) {
+ n_logical_preds++;
+ continue;
+ }
+ n_normal_preds++;
++ WARN_ON_ONCE(cnt < 0);
+ }
+
+- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
++ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
+ parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
+ return -EINVAL;
+ }
+diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c
+index 4eec2d4..1316e55 100644
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -1654,7 +1654,7 @@ out:
+ return ret;
+ }
+
+-static bool vgic_ioaddr_overlap(struct kvm *kvm)
++static int vgic_ioaddr_overlap(struct kvm *kvm)
+ {
+ phys_addr_t dist = kvm->arch.vgic.vgic_dist_base;
+ phys_addr_t cpu = kvm->arch.vgic.vgic_cpu_base;
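Review bot: In the nested kernel/trace/trace_events_filter.c hunk, check_preds() adds `WARN_ON_ONCE(cnt < 0)` on a counter derived from the parsed postfix list, so a malformed filter could leave a kernel warning and backtrace in the log instead of simply being rejected. The check also sits after the `continue` taken for OP_AND/OP_OR, so it is never evaluated for logical operators. The function already reports unbalanced input through `parse_error(ps, FILT_ERR_INVALID_FILTER, 0)` when `cnt != 1`, so I would drop the warning and put `if (cnt < 0) break;` directly after `cnt--;`. That covers both operator kinds and leaves the existing -EINVAL path to report the error. Whether an operator with too few operands can actually reach this list depends on the parser, which is outside the hunk.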
diff --git a/3.14.45/4420_grsecurity-3.1-3.14.45-201506262046.patch b/3.14.46/4420_grsecurity-3.1-3.14.46-201506300711.patch
index 47c91dd..008971f 100644
--- a/3.14.45/4420_grsecurity-3.1-3.14.45-201506262046.patch
+++ b/3.14.46/4420_grsecurity-3.1-3.14.46-201506300711.patch
@@ -295,7 +295,7 @@ index 5d91ba1..ef1d374 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index c92186c..34822ca 100644
+index def39fd..4636aea 100644
--- a/Makefile
+++ b/Makefile
@@ -244,8 +244,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3307,7 +3307,7 @@ index 7bcee5c..e2f3249 100644
__data_loc = .;
#endif
diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
-index bd18bb8..2bf342f 100644
+index df6e75e..1858aa0 100644
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
@@ -3319,7 +3319,7 @@ index bd18bb8..2bf342f 100644
static u8 kvm_next_vmid;
static DEFINE_SPINLOCK(kvm_vmid_lock);
-@@ -408,7 +408,7 @@ void force_vm_exit(const cpumask_t *mask)
+@@ -371,7 +371,7 @@ void force_vm_exit(const cpumask_t *mask)
*/
static bool need_new_vmid_gen(struct kvm *kvm)
{
@@ -3328,7 +3328,7 @@ index bd18bb8..2bf342f 100644
}
/**
-@@ -441,7 +441,7 @@ static void update_vttbr(struct kvm *kvm)
+@@ -404,7 +404,7 @@ static void update_vttbr(struct kvm *kvm)
/* First user of a new VMID generation? */
if (unlikely(kvm_next_vmid == 0)) {
@@ -3337,7 +3337,7 @@ index bd18bb8..2bf342f 100644
kvm_next_vmid = 1;
/*
-@@ -458,7 +458,7 @@ static void update_vttbr(struct kvm *kvm)
+@@ -421,7 +421,7 @@ static void update_vttbr(struct kvm *kvm)
kvm_call_hyp(__kvm_flush_vm_context);
}
@@ -3346,7 +3346,7 @@ index bd18bb8..2bf342f 100644
kvm->arch.vmid = kvm_next_vmid;
kvm_next_vmid++;
-@@ -1033,7 +1033,7 @@ static void check_kvm_target_cpu(void *ret)
+@@ -996,7 +996,7 @@ static void check_kvm_target_cpu(void *ret)
/**
* Initialize Hyp-mode and memory mappings on all CPUs.
*/
@@ -17263,7 +17263,7 @@ index 5f55e69..e20bfb1 100644
#ifdef CONFIG_SMP
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index be12c53..4d24039 100644
+index be12c53..e1f11c6 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -24,6 +24,20 @@ void destroy_context(struct mm_struct *mm);
@@ -17355,9 +17355,9 @@ index be12c53..4d24039 100644
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
+ if (!(__supported_pte_mask & _PAGE_NX)) {
+ smp_mb__before_clear_bit();
-+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
++ cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask);
+ smp_mb__after_clear_bit();
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
+ }
+#endif
+
@@ -17429,7 +17429,7 @@ index be12c53..4d24039 100644
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+ if (!(__supported_pte_mask & _PAGE_NX))
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
@@ -26015,7 +26015,7 @@ index c2bedae..25e7ab60 100644
.name = "data",
.mode = S_IRUGO,
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index c37886d..d851d32 100644
+index c37886d..3f425e3 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
@@ -26057,7 +26057,7 @@ index c37886d..d851d32 100644
+ mm->context.user_cs_limit = ~0UL;
+
+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
-+ cpus_clear(mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
+#endif
+
+#endif
@@ -31983,7 +31983,7 @@ index 903ec1e..c4166b2 100644
}
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index ebc551c..40d1269 100644
+index ebc551c..bb37882 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -14,11 +14,18 @@
@@ -32288,7 +32288,7 @@ index ebc551c..40d1269 100644
+ }
+
+#ifdef CONFIG_SMP
-+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
++ if (likely(address > get_limit(regs->cs) && cpumask_test_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask)))
+#else
+ if (likely(address > get_limit(regs->cs)))
+#endif
@@ -40653,19 +40653,6 @@ index d97a03d..acf64bb 100644
return 0;
}
-diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
-index 28486b1..ae6dae8 100644
---- a/drivers/crypto/caam/caamrng.c
-+++ b/drivers/crypto/caam/caamrng.c
-@@ -56,7 +56,7 @@
-
- /* Buffer, its dma address and lock */
- struct buf_data {
-- u8 buf[RN_BUF_SIZE];
-+ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
- dma_addr_t addr;
- struct completion filled;
- u32 hw_desc[DESC_JOB_O_LEN];
diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c
index 12fea3e2..1e28f47 100644
--- a/drivers/crypto/hifn_795x.c
@@ -73032,7 +73019,7 @@ index 17679f2..85f4981 100644
}
putname(tmp);
diff --git a/fs/pipe.c b/fs/pipe.c
-index 78fd0d0..e829d3e 100644
+index 46f1ab2..e829d3e 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -37,7 +37,7 @@ unsigned int pipe_max_size = 1048576;
@@ -73062,109 +73049,7 @@ index 78fd0d0..e829d3e 100644
mutex_unlock(&pipe->mutex);
}
EXPORT_SYMBOL(pipe_unlock);
-@@ -117,25 +117,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
- }
-
- static int
--pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
-- int atomic)
-+pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
-+ if (__copy_from_user_inatomic(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- } else {
-- if (copy_from_user(to, iov->iov_base, copy))
-+ if (copy_from_user(addr + *offset,
-+ iov->iov_base, copy))
- return -EFAULT;
- }
-- to += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -143,25 +145,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
- }
-
- static int
--pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
-- int atomic)
-+pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
-+ size_t *remaining, int atomic)
- {
- unsigned long copy;
-
-- while (len > 0) {
-+ while (*remaining > 0) {
- while (!iov->iov_len)
- iov++;
-- copy = min_t(unsigned long, len, iov->iov_len);
-+ copy = min_t(unsigned long, *remaining, iov->iov_len);
-
- if (atomic) {
-- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
-+ if (__copy_to_user_inatomic(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- } else {
-- if (copy_to_user(iov->iov_base, from, copy))
-+ if (copy_to_user(iov->iov_base,
-+ addr + *offset, copy))
- return -EFAULT;
- }
-- from += copy;
-- len -= copy;
-+ *offset += copy;
-+ *remaining -= copy;
- iov->iov_base += copy;
- iov->iov_len -= copy;
- }
-@@ -395,7 +399,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- struct pipe_buffer *buf = pipe->bufs + curbuf;
- const struct pipe_buf_operations *ops = buf->ops;
- void *addr;
-- size_t chars = buf->len;
-+ size_t chars = buf->len, remaining;
- int error, atomic;
-
- if (chars > total_len)
-@@ -409,9 +413,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- }
-
- atomic = !iov_fault_in_pages_write(iov, chars);
-+ remaining = chars;
- redo:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
-+ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- if (unlikely(error)) {
- /*
-@@ -426,7 +432,6 @@ redo:
- break;
- }
- ret += chars;
-- buf->offset += chars;
- buf->len -= chars;
-
- /* Was it a packet buffer? Clean up and exit */
-@@ -449,9 +454,9 @@ redo:
+@@ -454,9 +454,9 @@ redo:
}
if (bufs) /* More to do? */
continue;
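Review bot: Nothing in this commit records why the `pipe_iov_copy_from_user`/`pipe_iov_copy_to_user` rework (the `offset`/`remaining` tracking across the atomic and non-atomic copy attempts) is dropped from the fs/pipe.c section of the 3.14.46 grsecurity patch. The base blob for fs/pipe.c changes from `78fd0d0` to `46f1ab2` and the old-side offset of the next hunk moves from 449 to 454, which is consistent with the stable update now carrying that change, but the contents of 1045_linux-3.14.46.patch are not visible in this part of the page. A line in the commit description or in 3.14.46/0000_README saying that these hunks moved to the base patch would make the removal auditable. Until then, confirm on the fully patched tree that both helpers still take `int *offset` and `size_t *remaining`.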
@@ -73176,7 +73061,7 @@ index 78fd0d0..e829d3e 100644
/* syscall merging: Usually we must not sleep
* if O_NONBLOCK is set, or if we got some data.
* But if a writer sleeps in kernel space, then
-@@ -513,7 +518,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+@@ -518,7 +518,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
ret = 0;
__pipe_lock(pipe);
@@ -73185,26 +73070,7 @@ index 78fd0d0..e829d3e 100644
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
goto out;
-@@ -531,6 +536,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
- if (ops->can_merge && offset + chars <= PAGE_SIZE) {
- int error, atomic = 1;
- void *addr;
-+ size_t remaining = chars;
-
- error = ops->confirm(pipe, buf);
- if (error)
-@@ -539,8 +545,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
- iov_fault_in_pages_read(iov, chars);
- redo1:
- addr = ops->map(pipe, buf, atomic);
-- error = pipe_iov_copy_from_user(offset + addr, iov,
-- chars, atomic);
-+ error = pipe_iov_copy_from_user(addr, &offset, iov,
-+ &remaining, atomic);
- ops->unmap(pipe, buf, addr);
- ret = error;
- do_wakeup = 1;
-@@ -562,7 +568,7 @@ redo1:
+@@ -568,7 +568,7 @@ redo1:
for (;;) {
int bufs;
@@ -73213,34 +73079,7 @@ index 78fd0d0..e829d3e 100644
send_sig(SIGPIPE, current, 0);
if (!ret)
ret = -EPIPE;
-@@ -575,6 +581,8 @@ redo1:
- struct page *page = pipe->tmp_page;
- char *src;
- int error, atomic = 1;
-+ int offset = 0;
-+ size_t remaining;
-
- if (!page) {
- page = alloc_page(GFP_HIGHUSER);
-@@ -595,14 +603,15 @@ redo1:
- chars = total_len;
-
- iov_fault_in_pages_read(iov, chars);
-+ remaining = chars;
- redo2:
- if (atomic)
- src = kmap_atomic(page);
- else
- src = kmap(page);
-
-- error = pipe_iov_copy_from_user(src, iov, chars,
-- atomic);
-+ error = pipe_iov_copy_from_user(src, &offset, iov,
-+ &remaining, atomic);
- if (atomic)
- kunmap_atomic(src);
- else
-@@ -653,9 +662,9 @@ redo2:
+@@ -662,9 +662,9 @@ redo2:
kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
do_wakeup = 0;
}
@@ -73252,7 +73091,7 @@ index 78fd0d0..e829d3e 100644
}
out:
__pipe_unlock(pipe);
-@@ -710,7 +719,7 @@ pipe_poll(struct file *filp, poll_table *wait)
+@@ -719,7 +719,7 @@ pipe_poll(struct file *filp, poll_table *wait)
mask = 0;
if (filp->f_mode & FMODE_READ) {
mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
@@ -73261,7 +73100,7 @@ index 78fd0d0..e829d3e 100644
mask |= POLLHUP;
}
-@@ -720,7 +729,7 @@ pipe_poll(struct file *filp, poll_table *wait)
+@@ -729,7 +729,7 @@ pipe_poll(struct file *filp, poll_table *wait)
* Most Unices do not set POLLERR for FIFOs but on Linux they
* behave exactly like pipes for poll().
*/
@@ -73270,7 +73109,7 @@ index 78fd0d0..e829d3e 100644
mask |= POLLERR;
}
-@@ -732,7 +741,7 @@ static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe)
+@@ -741,7 +741,7 @@ static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe)
int kill = 0;
spin_lock(&inode->i_lock);
@@ -73279,7 +73118,7 @@ index 78fd0d0..e829d3e 100644
inode->i_pipe = NULL;
kill = 1;
}
-@@ -749,11 +758,11 @@ pipe_release(struct inode *inode, struct file *file)
+@@ -758,11 +758,11 @@ pipe_release(struct inode *inode, struct file *file)
__pipe_lock(pipe);
if (file->f_mode & FMODE_READ)
@@ -73294,7 +73133,7 @@ index 78fd0d0..e829d3e 100644
wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
-@@ -818,7 +827,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
+@@ -827,7 +827,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
kfree(pipe);
}
@@ -73303,7 +73142,7 @@ index 78fd0d0..e829d3e 100644
/*
* pipefs_dname() is called from d_path().
-@@ -848,8 +857,9 @@ static struct inode * get_pipe_inode(void)
+@@ -857,8 +857,9 @@ static struct inode * get_pipe_inode(void)
goto fail_iput;
inode->i_pipe = pipe;
@@ -73315,7 +73154,7 @@ index 78fd0d0..e829d3e 100644
inode->i_fop = &pipefifo_fops;
/*
-@@ -1028,17 +1038,17 @@ static int fifo_open(struct inode *inode, struct file *filp)
+@@ -1037,17 +1038,17 @@ static int fifo_open(struct inode *inode, struct file *filp)
spin_lock(&inode->i_lock);
if (inode->i_pipe) {
pipe = inode->i_pipe;
@@ -73336,7 +73175,7 @@ index 78fd0d0..e829d3e 100644
spin_unlock(&inode->i_lock);
free_pipe_info(pipe);
pipe = inode->i_pipe;
-@@ -1063,10 +1073,10 @@ static int fifo_open(struct inode *inode, struct file *filp)
+@@ -1072,10 +1073,10 @@ static int fifo_open(struct inode *inode, struct file *filp)
* opened, even when there is no process writing the FIFO.
*/
pipe->r_counter++;
@@ -73349,7 +73188,7 @@ index 78fd0d0..e829d3e 100644
if ((filp->f_flags & O_NONBLOCK)) {
/* suppress POLLHUP until we have
* seen a writer */
-@@ -1085,14 +1095,14 @@ static int fifo_open(struct inode *inode, struct file *filp)
+@@ -1094,14 +1095,14 @@ static int fifo_open(struct inode *inode, struct file *filp)
* errno=ENXIO when there is no process reading the FIFO.
*/
ret = -ENXIO;
@@ -73367,7 +73206,7 @@ index 78fd0d0..e829d3e 100644
if (wait_for_partner(pipe, &pipe->r_counter))
goto err_wr;
}
-@@ -1106,11 +1116,11 @@ static int fifo_open(struct inode *inode, struct file *filp)
+@@ -1115,11 +1116,11 @@ static int fifo_open(struct inode *inode, struct file *filp)
* the process can at least talk to itself.
*/
@@ -73382,7 +73221,7 @@ index 78fd0d0..e829d3e 100644
wake_up_partner(pipe);
break;
-@@ -1124,13 +1134,13 @@ static int fifo_open(struct inode *inode, struct file *filp)
+@@ -1133,13 +1134,13 @@ static int fifo_open(struct inode *inode, struct file *filp)
return 0;
err_rd:
@@ -73398,7 +73237,7 @@ index 78fd0d0..e829d3e 100644
wake_up_interruptible(&pipe->wait);
ret = -ERESTARTSYS;
goto err;
-@@ -1208,7 +1218,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
+@@ -1217,7 +1218,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
* Currently we rely on the pipe array holding a power-of-2 number
* of pages.
*/
@@ -73407,7 +73246,7 @@ index 78fd0d0..e829d3e 100644
{
unsigned long nr_pages;
-@@ -1256,13 +1266,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
+@@ -1265,13 +1266,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
switch (cmd) {
case F_SETPIPE_SZ: {
@@ -103316,22 +103155,31 @@ index c6646a5..574b47c 100644
/* Add an additional event_call dynamically */
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
-index 8a86319..32ef21b 100644
+index cb347e8..0adf74e 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
-@@ -1399,19 +1399,27 @@ static int check_preds(struct filter_parse_state *ps)
+@@ -1086,6 +1086,9 @@ static void parse_init(struct filter_parse_state *ps,
+
+ static char infix_next(struct filter_parse_state *ps)
{
- int n_normal_preds = 0, n_logical_preds = 0;
- struct postfix_elt *elt;
-+ int cnt = 0;
++ if (!ps->infix.cnt)
++ return 0;
++
+ ps->infix.cnt--;
- list_for_each_entry(elt, &ps->postfix, list) {
-- if (elt->op == OP_NONE)
-+ if (elt->op == OP_NONE) {
-+ cnt++;
- continue;
-+ }
+ return ps->infix.string[ps->infix.tail++];
+@@ -1101,6 +1104,9 @@ static char infix_peek(struct filter_parse_state *ps)
+ static void infix_advance(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return;
++
+ ps->infix.cnt--;
+ ps->infix.tail++;
+ }
+@@ -1410,8 +1416,12 @@ static int check_preds(struct filter_parse_state *ps)
+ cnt--;
if (elt->op == OP_AND || elt->op == OP_OR) {
n_logical_preds++;
+ cnt--;
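Review bot: The guards added at the top of `infix_next` and `infix_advance` carry no comment saying what they protect against. Both functions decrement `ps->infix.cnt` and advance `ps->infix.tail`, so without the check a call on exhausted input would push the counter below zero (or wrap it, if it is unsigned) and, in `infix_next`, read `ps->infix.string` beyond the characters that were counted. A one-line comment above each guard, e.g. `/* input exhausted: keep cnt from underflowing and tail inside the string */`, would record that, and it is worth stating that `return 0` doubles as the end-of-input value. `infix_peek` is named in the second hunk header but not changed, so confirm it has its own end-of-string check. The same pair of guards is added to the 3.2.69 patch further down.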
@@ -103341,13 +103189,7 @@ index 8a86319..32ef21b 100644
+ // a reject here when it's backported
+ cnt--;
n_normal_preds++;
-+ WARN_ON_ONCE(cnt < 0);
- }
-
-- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
-+ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
- parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
- return -EINVAL;
+ WARN_ON_ONCE(cnt < 0);
}
diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index 0b99120..881174f 100644
@@ -107266,7 +107108,7 @@ index d4c97ba..916b1d4 100644
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
diff --git a/mm/mprotect.c b/mm/mprotect.c
-index 769a67a..414d24f 100644
+index 769a67a..c99f865 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -24,10 +24,18 @@
@@ -107315,8 +107157,8 @@ index 769a67a..414d24f 100644
+
+#ifdef CONFIG_SMP
+ wmb();
-+ cpus_clear(mm->context.cpu_user_cs_mask);
-+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
++ cpumask_set_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask);
+#endif
+
+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
diff --git a/3.14.45/4425_grsec_remove_EI_PAX.patch b/3.14.46/4425_grsec_remove_EI_PAX.patch
index a80a5d7..a80a5d7 100644
--- a/3.14.45/4425_grsec_remove_EI_PAX.patch
+++ b/3.14.46/4425_grsec_remove_EI_PAX.patch
diff --git a/3.14.45/4427_force_XATTR_PAX_tmpfs.patch b/3.14.46/4427_force_XATTR_PAX_tmpfs.patch
index 4c236cc..4c236cc 100644
--- a/3.14.45/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.14.46/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.14.45/4430_grsec-remove-localversion-grsec.patch b/3.14.46/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.14.45/4430_grsec-remove-localversion-grsec.patch
+++ b/3.14.46/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.14.45/4435_grsec-mute-warnings.patch b/3.14.46/4435_grsec-mute-warnings.patch
index 2c2d463..2c2d463 100644
--- a/3.14.45/4435_grsec-mute-warnings.patch
+++ b/3.14.46/4435_grsec-mute-warnings.patch
diff --git a/3.14.45/4440_grsec-remove-protected-paths.patch b/3.14.46/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.14.45/4440_grsec-remove-protected-paths.patch
+++ b/3.14.46/4440_grsec-remove-protected-paths.patch
diff --git a/3.14.45/4450_grsec-kconfig-default-gids.patch b/3.14.46/4450_grsec-kconfig-default-gids.patch
index b96defc..b96defc 100644
--- a/3.14.45/4450_grsec-kconfig-default-gids.patch
+++ b/3.14.46/4450_grsec-kconfig-default-gids.patch
diff --git a/3.14.45/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.46/4465_selinux-avc_audit-log-curr_ip.patch
index bba906e..bba906e 100644
--- a/3.14.45/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.14.46/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.14.45/4470_disable-compat_vdso.patch b/3.14.46/4470_disable-compat_vdso.patch
index 3b3953b..3b3953b 100644
--- a/3.14.45/4470_disable-compat_vdso.patch
+++ b/3.14.46/4470_disable-compat_vdso.patch
diff --git a/3.14.45/4475_emutramp_default_on.patch b/3.14.46/4475_emutramp_default_on.patch
index a128205..a128205 100644
--- a/3.14.45/4475_emutramp_default_on.patch
+++ b/3.14.46/4475_emutramp_default_on.patch
diff --git a/3.2.69/0000_README b/3.2.69/0000_README
index 05b7791..d006716 100644
--- a/3.2.69/0000_README
+++ b/3.2.69/0000_README
@@ -194,7 +194,7 @@ Patch: 1068_linux-3.2.69.patch
From: http://www.kernel.org
Desc: Linux 3.2.69
-Patch: 4420_grsecurity-3.1-3.2.69-201506262041.patch
+Patch: 4420_grsecurity-3.1-3.2.69-201506300708.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.69/4420_grsecurity-3.1-3.2.69-201506262041.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201506300708.patch
index ce279a5..e8aabfa 100644
--- a/3.2.69/4420_grsecurity-3.1-3.2.69-201506262041.patch
+++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201506300708.patch
@@ -14572,7 +14572,7 @@ index 5f55e69..e20bfb1 100644
#ifdef CONFIG_SMP
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 6902152..da4283a 100644
+index 6902152..737f889 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *mm);
@@ -14634,9 +14634,9 @@ index 6902152..da4283a 100644
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
+ if (!(__supported_pte_mask & _PAGE_NX)) {
+ smp_mb__before_clear_bit();
-+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
++ cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask);
+ smp_mb__after_clear_bit();
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
+ }
+#endif
+
@@ -14678,7 +14678,7 @@ index 6902152..da4283a 100644
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+ if (!(__supported_pte_mask & _PAGE_NX))
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
@@ -22436,7 +22436,7 @@ index 4b6701e..1a3dcdb 100644
};
#endif
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index 0a8e65e..288a4b0 100644
+index 0a8e65e..6e8de34 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
@@ -22478,7 +22478,7 @@ index 0a8e65e..288a4b0 100644
+ mm->context.user_cs_limit = ~0UL;
+
+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
-+ cpus_clear(mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
+#endif
+
+#endif
@@ -28430,7 +28430,7 @@ index d0474ad..36e9257 100644
extern u32 pnp_bios_is_utter_crap;
pnp_bios_is_utter_crap = 1;
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index 351590e..825bba9 100644
+index 351590e..ad0d399 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -13,11 +13,18 @@
@@ -28716,7 +28716,7 @@ index 351590e..825bba9 100644
+ }
+
+#ifdef CONFIG_SMP
-+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
++ if (likely(address > get_limit(regs->cs) && cpumask_test_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask)))
+#else
+ if (likely(address > get_limit(regs->cs)))
+#endif
@@ -29896,7 +29896,7 @@ index 29f7c6d9..5122941 100644
printk(KERN_INFO "Write protecting the kernel text: %luk\n",
size >> 10);
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 44b93da..5a0b3ee 100644
+index 44b93da..79d59f5 100644
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -30013,6 +30013,15 @@ index 44b93da..5a0b3ee 100644
adr = (void *)(((unsigned long)adr) | left);
return adr;
+@@ -413,7 +427,7 @@ phys_pmd_init(pmd_t *pmd_page, unsigned long address, unsigned long end,
+
+ int i = pmd_index(address);
+
+- for (; i < PTRS_PER_PMD; i++, address += PMD_SIZE) {
++ for (; i < PTRS_PER_PMD; i++, address = (address & PMD_MASK) + PMD_SIZE) {
+ unsigned long pte_phys;
+ pmd_t *pmd = pmd_page + pmd_index(address);
+ pte_t *pte;
@@ -546,7 +560,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
unmap_low_page(pmd);
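Review bot: The new loop step in `phys_pmd_init`, `address = (address & PMD_MASK) + PMD_SIZE`, has no comment explaining why the plain `address += PMD_SIZE` was not enough. As far as the hunk shows, the old form carried whatever sub-PMD offset the caller's `address` started with into every later iteration, while the new one snaps to the next PMD boundary after the first pass. A short comment above the `for`, e.g. `/* address may start unaligned: step to the next PMD boundary */`, would keep a later cleanup from reverting it. The loop body continues outside the hunk, so how the unaligned value interacted with the `end` checks is not visible here.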
@@ -96101,10 +96110,30 @@ index 875fed4..7a76cbb 100644
}
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
-index b0996c1..7e5c12f 100644
+index b0996c1..9c39703 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
-@@ -1343,19 +1343,27 @@ static int check_preds(struct filter_parse_state *ps)
+@@ -1027,6 +1027,9 @@ static void parse_init(struct filter_parse_state *ps,
+
+ static char infix_next(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return 0;
++
+ ps->infix.cnt--;
+
+ return ps->infix.string[ps->infix.tail++];
+@@ -1042,6 +1045,9 @@ static char infix_peek(struct filter_parse_state *ps)
+
+ static void infix_advance(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return;
++
+ ps->infix.cnt--;
+ ps->infix.tail++;
+ }
+@@ -1343,19 +1349,27 @@ static int check_preds(struct filter_parse_state *ps)
{
int n_normal_preds = 0, n_logical_preds = 0;
struct postfix_elt *elt;
@@ -97671,6 +97700,18 @@ index 011b110..05d1b6f 100644
select PROC_PAGE_MONITOR
config NOMMU_INITIAL_TRIM_EXCESS
+diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
+index 8b1a477..f3a339f 100644
+--- a/mm/Kconfig.debug
++++ b/mm/Kconfig.debug
+@@ -1,6 +1,7 @@
+ config DEBUG_PAGEALLOC
+ bool "Debug page memory allocations"
+ depends on DEBUG_KERNEL
++ depends on !PAX_MEMORY_SANITIZE
+ depends on !HIBERNATION || ARCH_SUPPORTS_DEBUG_PAGEALLOC && !PPC && !SPARC
+ depends on !KMEMCHECK
+ select PAGE_POISONING if !ARCH_SUPPORTS_DEBUG_PAGEALLOC
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index 2b49dd2..0527d62 100644
--- a/mm/backing-dev.c
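Review bot: The added `depends on !PAX_MEMORY_SANITIZE` on `DEBUG_PAGEALLOC` comes without a comment or help text, so a user who enables PaX memory sanitization just sees the debug option disappear from the menu. Presumably the two conflict because `DEBUG_PAGEALLOC` can select `PAGE_POISONING` (last line of the inner hunk) and both features write to freed pages, but the hunk does not say so. A Kconfig comment above the new line, e.g. `# not usable together with PAX_MEMORY_SANITIZE`, followed by the actual reason once it is confirmed against upstream grsecurity, would document the exclusion.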
@@ -100638,7 +100679,7 @@ index cf332bc..add7e3a 100644
if (active_mm != mm)
diff --git a/mm/mprotect.c b/mm/mprotect.c
-index 5a688a2..fffb9f6 100644
+index 5a688a2..fa006d9 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -23,10 +23,16 @@
@@ -100685,8 +100726,8 @@ index 5a688a2..fffb9f6 100644
+
+#ifdef CONFIG_SMP
+ wmb();
-+ cpus_clear(mm->context.cpu_user_cs_mask);
-+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
++ cpumask_set_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask);
+#endif
+
+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
diff --git a/3.14.45/0000_README b/4.0.7/0000_README
index b4be2cb..1c85007 100644
--- a/3.14.45/0000_README
+++ b/4.0.7/0000_README
@@ -2,7 +2,11 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-3.14.45-201506262046.patch
+Patch: 1006_linux-4.0.7.patch
+From: http://www.kernel.org
+Desc: Linux 4.0.7
+
+Patch: 4420_grsecurity-3.1-4.0.7-201506300712.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/4.0.7/1006_linux-4.0.7.patch b/4.0.7/1006_linux-4.0.7.patch
new file mode 100644
index 0000000..0b9b646
--- /dev/null
+++ b/4.0.7/1006_linux-4.0.7.patch
@@ -0,0 +1,707 @@
+diff --git a/Makefile b/Makefile
+index af6da04..bd76a8e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 0
+-SUBLEVEL = 6
++SUBLEVEL = 7
+ EXTRAVERSION =
+ NAME = Hurr durr I'ma sheep
+
+diff --git a/arch/arm/mach-exynos/common.h b/arch/arm/mach-exynos/common.h
+index f70eca7..0ef8d4b 100644
+--- a/arch/arm/mach-exynos/common.h
++++ b/arch/arm/mach-exynos/common.h
+@@ -153,6 +153,8 @@ extern void exynos_enter_aftr(void);
+
+ extern struct cpuidle_exynos_data cpuidle_coupled_exynos_data;
+
++extern void exynos_set_delayed_reset_assertion(bool enable);
++
+ extern void s5p_init_cpu(void __iomem *cpuid_addr);
+ extern unsigned int samsung_rev(void);
+ extern void __iomem *cpu_boot_reg_base(void);
+diff --git a/arch/arm/mach-exynos/exynos.c b/arch/arm/mach-exynos/exynos.c
+index 9e9dfdf..1081ff1 100644
+--- a/arch/arm/mach-exynos/exynos.c
++++ b/arch/arm/mach-exynos/exynos.c
+@@ -166,6 +166,33 @@ static void __init exynos_init_io(void)
+ exynos_map_io();
+ }
+
++/*
++ * Set or clear the USE_DELAYED_RESET_ASSERTION option. Used by smp code
++ * and suspend.
++ *
++ * This is necessary only on Exynos4 SoCs. When system is running
++ * USE_DELAYED_RESET_ASSERTION should be set so the ARM CLK clock down
++ * feature could properly detect global idle state when secondary CPU is
++ * powered down.
++ *
++ * However this should not be set when such system is going into suspend.
++ */
++void exynos_set_delayed_reset_assertion(bool enable)
++{
++ if (soc_is_exynos4()) {
++ unsigned int tmp, core_id;
++
++ for (core_id = 0; core_id < num_possible_cpus(); core_id++) {
++ tmp = pmu_raw_readl(EXYNOS_ARM_CORE_OPTION(core_id));
++ if (enable)
++ tmp |= S5P_USE_DELAYED_RESET_ASSERTION;
++ else
++ tmp &= ~(S5P_USE_DELAYED_RESET_ASSERTION);
++ pmu_raw_writel(tmp, EXYNOS_ARM_CORE_OPTION(core_id));
++ }
++ }
++}
++
+ static const struct of_device_id exynos_dt_pmu_match[] = {
+ { .compatible = "samsung,exynos3250-pmu" },
+ { .compatible = "samsung,exynos4210-pmu" },
+diff --git a/arch/arm/mach-exynos/platsmp.c b/arch/arm/mach-exynos/platsmp.c
+index d2e9f12..d45e8cd 100644
+--- a/arch/arm/mach-exynos/platsmp.c
++++ b/arch/arm/mach-exynos/platsmp.c
+@@ -34,30 +34,6 @@
+
+ extern void exynos4_secondary_startup(void);
+
+-/*
+- * Set or clear the USE_DELAYED_RESET_ASSERTION option, set on Exynos4 SoCs
+- * during hot-(un)plugging CPUx.
+- *
+- * The feature can be cleared safely during first boot of secondary CPU.
+- *
+- * Exynos4 SoCs require setting USE_DELAYED_RESET_ASSERTION during powering
+- * down a CPU so the CPU idle clock down feature could properly detect global
+- * idle state when CPUx is off.
+- */
+-static void exynos_set_delayed_reset_assertion(u32 core_id, bool enable)
+-{
+- if (soc_is_exynos4()) {
+- unsigned int tmp;
+-
+- tmp = pmu_raw_readl(EXYNOS_ARM_CORE_OPTION(core_id));
+- if (enable)
+- tmp |= S5P_USE_DELAYED_RESET_ASSERTION;
+- else
+- tmp &= ~(S5P_USE_DELAYED_RESET_ASSERTION);
+- pmu_raw_writel(tmp, EXYNOS_ARM_CORE_OPTION(core_id));
+- }
+-}
+-
+ #ifdef CONFIG_HOTPLUG_CPU
+ static inline void cpu_leave_lowpower(u32 core_id)
+ {
+@@ -73,8 +49,6 @@ static inline void cpu_leave_lowpower(u32 core_id)
+ : "=&r" (v)
+ : "Ir" (CR_C), "Ir" (0x40)
+ : "cc");
+-
+- exynos_set_delayed_reset_assertion(core_id, false);
+ }
+
+ static inline void platform_do_lowpower(unsigned int cpu, int *spurious)
+@@ -87,14 +61,6 @@ static inline void platform_do_lowpower(unsigned int cpu, int *spurious)
+ /* Turn the CPU off on next WFI instruction. */
+ exynos_cpu_power_down(core_id);
+
+- /*
+- * Exynos4 SoCs require setting
+- * USE_DELAYED_RESET_ASSERTION so the CPU idle
+- * clock down feature could properly detect
+- * global idle state when CPUx is off.
+- */
+- exynos_set_delayed_reset_assertion(core_id, true);
+-
+ wfi();
+
+ if (pen_release == core_id) {
+@@ -354,9 +320,6 @@ static int exynos_boot_secondary(unsigned int cpu, struct task_struct *idle)
+ udelay(10);
+ }
+
+- /* No harm if this is called during first boot of secondary CPU */
+- exynos_set_delayed_reset_assertion(core_id, false);
+-
+ /*
+ * now the secondary core is starting up let it run its
+ * calibrations, then wait for it to finish
+@@ -403,6 +366,8 @@ static void __init exynos_smp_prepare_cpus(unsigned int max_cpus)
+
+ exynos_sysram_init();
+
++ exynos_set_delayed_reset_assertion(true);
++
+ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9)
+ scu_enable(scu_base_addr());
+
+diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c
+index 318d127..582ef2d 100644
+--- a/arch/arm/mach-exynos/suspend.c
++++ b/arch/arm/mach-exynos/suspend.c
+@@ -235,6 +235,8 @@ static void exynos_pm_enter_sleep_mode(void)
+
+ static void exynos_pm_prepare(void)
+ {
++ exynos_set_delayed_reset_assertion(false);
++
+ /* Set wake-up mask registers */
+ exynos_pm_set_wakeup_mask();
+
+@@ -383,6 +385,7 @@ early_wakeup:
+
+ /* Clear SLEEP mode set in INFORM1 */
+ pmu_raw_writel(0x0, S5P_INFORM1);
++ exynos_set_delayed_reset_assertion(true);
+ }
+
+ static void exynos3250_pm_resume(void)
+diff --git a/arch/powerpc/kernel/idle_power7.S b/arch/powerpc/kernel/idle_power7.S
+index 05adc8b..401d8d0 100644
+--- a/arch/powerpc/kernel/idle_power7.S
++++ b/arch/powerpc/kernel/idle_power7.S
+@@ -500,9 +500,11 @@ BEGIN_FTR_SECTION
+ CHECK_HMI_INTERRUPT
+ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
+ ld r1,PACAR1(r13)
++ ld r6,_CCR(r1)
+ ld r4,_MSR(r1)
+ ld r5,_NIP(r1)
+ addi r1,r1,INT_FRAME_SIZE
++ mtcr r6
+ mtspr SPRN_SRR1,r4
+ mtspr SPRN_SRR0,r5
+ rfid
+diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
+index 4e3d5a9..03189d8 100644
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -354,6 +354,7 @@ int __copy_instruction(u8 *dest, u8 *src)
+ {
+ struct insn insn;
+ kprobe_opcode_t buf[MAX_INSN_SIZE];
++ int length;
+ unsigned long recovered_insn =
+ recover_probed_instruction(buf, (unsigned long)src);
+
+@@ -361,16 +362,18 @@ int __copy_instruction(u8 *dest, u8 *src)
+ return 0;
+ kernel_insn_init(&insn, (void *)recovered_insn, MAX_INSN_SIZE);
+ insn_get_length(&insn);
++ length = insn.length;
++
+ /* Another subsystem puts a breakpoint, failed to recover */
+ if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
+ return 0;
+- memcpy(dest, insn.kaddr, insn.length);
++ memcpy(dest, insn.kaddr, length);
+
+ #ifdef CONFIG_X86_64
+ if (insn_rip_relative(&insn)) {
+ s64 newdisp;
+ u8 *disp;
+- kernel_insn_init(&insn, dest, insn.length);
++ kernel_insn_init(&insn, dest, length);
+ insn_get_displacement(&insn);
+ /*
+ * The copied instruction uses the %rip-relative addressing
+@@ -394,7 +397,7 @@ int __copy_instruction(u8 *dest, u8 *src)
+ *(s32 *) disp = (s32) newdisp;
+ }
+ #endif
+- return insn.length;
++ return length;
+ }
+
+ static int arch_copy_kprobe(struct kprobe *p)
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 4ee827d..3cb2b58 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1064,6 +1064,17 @@ static void update_divide_count(struct kvm_lapic *apic)
+ apic->divide_count);
+ }
+
++static void apic_update_lvtt(struct kvm_lapic *apic)
++{
++ u32 timer_mode = kvm_apic_get_reg(apic, APIC_LVTT) &
++ apic->lapic_timer.timer_mode_mask;
++
++ if (apic->lapic_timer.timer_mode != timer_mode) {
++ apic->lapic_timer.timer_mode = timer_mode;
++ hrtimer_cancel(&apic->lapic_timer.timer);
++ }
++}
++
+ static void apic_timer_expired(struct kvm_lapic *apic)
+ {
+ struct kvm_vcpu *vcpu = apic->vcpu;
+@@ -1272,6 +1283,7 @@ static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val)
+ apic_set_reg(apic, APIC_LVTT + 0x10 * i,
+ lvt_val | APIC_LVT_MASKED);
+ }
++ apic_update_lvtt(apic);
+ atomic_set(&apic->lapic_timer.pending, 0);
+
+ }
+@@ -1304,20 +1316,13 @@ static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val)
+
+ break;
+
+- case APIC_LVTT: {
+- u32 timer_mode = val & apic->lapic_timer.timer_mode_mask;
+-
+- if (apic->lapic_timer.timer_mode != timer_mode) {
+- apic->lapic_timer.timer_mode = timer_mode;
+- hrtimer_cancel(&apic->lapic_timer.timer);
+- }
+-
++ case APIC_LVTT:
+ if (!kvm_apic_sw_enabled(apic))
+ val |= APIC_LVT_MASKED;
+ val &= (apic_lvt_mask[0] | apic->lapic_timer.timer_mode_mask);
+ apic_set_reg(apic, APIC_LVTT, val);
++ apic_update_lvtt(apic);
+ break;
+- }
+
+ case APIC_TMICT:
+ if (apic_lvtt_tscdeadline(apic))
+@@ -1552,7 +1557,7 @@ void kvm_lapic_reset(struct kvm_vcpu *vcpu)
+
+ for (i = 0; i < APIC_LVT_NUM; i++)
+ apic_set_reg(apic, APIC_LVTT + 0x10 * i, APIC_LVT_MASKED);
+- apic->lapic_timer.timer_mode = 0;
++ apic_update_lvtt(apic);
+ apic_set_reg(apic, APIC_LVT0,
+ SET_APIC_DELIVERY_MODE(0, APIC_MODE_EXTINT));
+
+@@ -1778,6 +1783,7 @@ void kvm_apic_post_state_restore(struct kvm_vcpu *vcpu,
+
+ apic_update_ppr(apic);
+ hrtimer_cancel(&apic->lapic_timer.timer);
++ apic_update_lvtt(apic);
+ update_divide_count(apic);
+ start_apic_timer(apic);
+ apic->irr_pending = true;
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index 288547a..f26ebc5 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -80,6 +80,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x0489, 0xe057) },
+ { USB_DEVICE(0x0489, 0xe056) },
+ { USB_DEVICE(0x0489, 0xe05f) },
++ { USB_DEVICE(0x0489, 0xe076) },
+ { USB_DEVICE(0x0489, 0xe078) },
+ { USB_DEVICE(0x04c5, 0x1330) },
+ { USB_DEVICE(0x04CA, 0x3004) },
+@@ -111,6 +112,7 @@ static const struct usb_device_id ath3k_table[] = {
+ { USB_DEVICE(0x13d3, 0x3408) },
+ { USB_DEVICE(0x13d3, 0x3423) },
+ { USB_DEVICE(0x13d3, 0x3432) },
++ { USB_DEVICE(0x13d3, 0x3474) },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE02C) },
+@@ -135,6 +137,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+@@ -166,6 +169,7 @@ static const struct usb_device_id ath3k_blist_tbl[] = {
+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU22 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 2c527da..4fc4157 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -174,6 +174,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
+@@ -205,6 +206,7 @@ static const struct usb_device_id blacklist_table[] = {
+ { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++ { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+
+ /* Atheros AR5BBU12 with sflash firmware */
+ { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
+diff --git a/drivers/clk/at91/clk-pll.c b/drivers/clk/at91/clk-pll.c
+index 6ec79db..cbbe403 100644
+--- a/drivers/clk/at91/clk-pll.c
++++ b/drivers/clk/at91/clk-pll.c
+@@ -173,8 +173,7 @@ static long clk_pll_get_best_div_mul(struct clk_pll *pll, unsigned long rate,
+ int i = 0;
+
+ /* Check if parent_rate is a valid input rate */
+- if (parent_rate < characteristics->input.min ||
+- parent_rate > characteristics->input.max)
++ if (parent_rate < characteristics->input.min)
+ return -ERANGE;
+
+ /*
+@@ -187,6 +186,15 @@ static long clk_pll_get_best_div_mul(struct clk_pll *pll, unsigned long rate,
+ if (!mindiv)
+ mindiv = 1;
+
++ if (parent_rate > characteristics->input.max) {
++ tmpdiv = DIV_ROUND_UP(parent_rate, characteristics->input.max);
++ if (tmpdiv > PLL_DIV_MAX)
++ return -ERANGE;
++
++ if (tmpdiv > mindiv)
++ mindiv = tmpdiv;
++ }
++
+ /*
+ * Calculate the maximum divider which is limited by PLL register
+ * layout (limited by the MUL or DIV field size).
+diff --git a/drivers/clk/at91/pmc.h b/drivers/clk/at91/pmc.h
+index 69abb08..eb8e5dc 100644
+--- a/drivers/clk/at91/pmc.h
++++ b/drivers/clk/at91/pmc.h
+@@ -121,7 +121,7 @@ extern void __init of_at91sam9x5_clk_smd_setup(struct device_node *np,
+ struct at91_pmc *pmc);
+ #endif
+
+-#if defined(CONFIG_HAVE_AT91_SMD)
++#if defined(CONFIG_HAVE_AT91_H32MX)
+ extern void __init of_sama5d4_clk_h32mx_setup(struct device_node *np,
+ struct at91_pmc *pmc);
+ #endif
+diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
+index f347ab7..08b0da2 100644
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -1543,6 +1543,8 @@ static int ahash_init(struct ahash_request *req)
+
+ state->current_buf = 0;
+ state->buf_dma = 0;
++ state->buflen_0 = 0;
++ state->buflen_1 = 0;
+
+ return 0;
+ }
+diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
+index ae31e55..a48dc25 100644
+--- a/drivers/crypto/caam/caamrng.c
++++ b/drivers/crypto/caam/caamrng.c
+@@ -56,7 +56,7 @@
+
+ /* Buffer, its dma address and lock */
+ struct buf_data {
+- u8 buf[RN_BUF_SIZE];
++ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
+ dma_addr_t addr;
+ struct completion filled;
+ u32 hw_desc[DESC_JOB_O_LEN];
+diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
+index ec4d932..169123a 100644
+--- a/drivers/gpu/drm/i915/i915_drv.c
++++ b/drivers/gpu/drm/i915/i915_drv.c
+@@ -693,6 +693,16 @@ static int i915_drm_resume(struct drm_device *dev)
+ intel_init_pch_refclk(dev);
+ drm_mode_config_reset(dev);
+
++ /*
++ * Interrupts have to be enabled before any batches are run.
++ * If not the GPU will hang. i915_gem_init_hw() will initiate
++ * batches to update/restore the context.
++ *
++ * Modeset enabling in intel_modeset_init_hw() also needs
++ * working interrupts.
++ */
++ intel_runtime_pm_enable_interrupts(dev_priv);
++
+ mutex_lock(&dev->struct_mutex);
+ if (i915_gem_init_hw(dev)) {
+ DRM_ERROR("failed to re-initialize GPU, declaring wedged!\n");
+@@ -700,9 +710,6 @@ static int i915_drm_resume(struct drm_device *dev)
+ }
+ mutex_unlock(&dev->struct_mutex);
+
+- /* We need working interrupts for modeset enabling ... */
+- intel_runtime_pm_enable_interrupts(dev_priv);
+-
+ intel_modeset_init_hw(dev);
+
+ spin_lock_irq(&dev_priv->irq_lock);
+diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
+index 7a628e4..9536ec3 100644
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -2732,6 +2732,9 @@ void i915_gem_reset(struct drm_device *dev)
+ void
+ i915_gem_retire_requests_ring(struct intel_engine_cs *ring)
+ {
++ if (list_empty(&ring->request_list))
++ return;
++
+ WARN_ON(i915_verify_lists(ring->dev));
+
+ /* Retire requests first as we use it above for the early return.
+@@ -3088,8 +3091,8 @@ int i915_vma_unbind(struct i915_vma *vma)
+ } else if (vma->ggtt_view.pages) {
+ sg_free_table(vma->ggtt_view.pages);
+ kfree(vma->ggtt_view.pages);
+- vma->ggtt_view.pages = NULL;
+ }
++ vma->ggtt_view.pages = NULL;
+ }
+
+ drm_mm_remove_node(&vma->node);
+diff --git a/drivers/gpu/drm/mgag200/mgag200_mode.c b/drivers/gpu/drm/mgag200/mgag200_mode.c
+index 9872ba9..2ffeda3 100644
+--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
+@@ -1526,6 +1526,11 @@ static int mga_vga_mode_valid(struct drm_connector *connector,
+ return MODE_BANDWIDTH;
+ }
+
++ if ((mode->hdisplay % 8) != 0 || (mode->hsync_start % 8) != 0 ||
++ (mode->hsync_end % 8) != 0 || (mode->htotal % 8) != 0) {
++ return MODE_H_ILLEGAL;
++ }
++
+ if (mode->crtc_hdisplay > 2048 || mode->crtc_hsync_start > 4096 ||
+ mode->crtc_hsync_end > 4096 || mode->crtc_htotal > 4096 ||
+ mode->crtc_vdisplay > 2048 || mode->crtc_vsync_start > 4096 ||
+diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
+index 686411e..b82f2dd 100644
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -547,6 +547,9 @@ static int radeon_info_ioctl(struct drm_device *dev, void *data, struct drm_file
+ else
+ *value = 1;
+ break;
++ case RADEON_INFO_VA_UNMAP_WORKING:
++ *value = true;
++ break;
+ default:
+ DRM_DEBUG_KMS("Invalid request %d\n", info->request);
+ return -EINVAL;
+diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
+index 147029a..ac72ece 100644
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2316,7 +2316,6 @@ isert_build_rdma_wr(struct isert_conn *isert_conn, struct isert_cmd *isert_cmd,
+ page_off = offset % PAGE_SIZE;
+
+ send_wr->sg_list = ib_sge;
+- send_wr->num_sge = sg_nents;
+ send_wr->wr_id = (uintptr_t)&isert_cmd->tx_desc;
+ /*
+ * Perform mapping of TCM scatterlist memory ib_sge dma_addr.
+@@ -2336,14 +2335,17 @@ isert_build_rdma_wr(struct isert_conn *isert_conn, struct isert_cmd *isert_cmd,
+ ib_sge->addr, ib_sge->length, ib_sge->lkey);
+ page_off = 0;
+ data_left -= ib_sge->length;
++ if (!data_left)
++ break;
+ ib_sge++;
+ isert_dbg("Incrementing ib_sge pointer to %p\n", ib_sge);
+ }
+
++ send_wr->num_sge = ++i;
+ isert_dbg("Set outgoing sg_list: %p num_sg: %u from TCM SGLs\n",
+ send_wr->sg_list, send_wr->num_sge);
+
+- return sg_nents;
++ return send_wr->num_sge;
+ }
+
+ static int
+@@ -3311,6 +3313,7 @@ static void isert_free_conn(struct iscsi_conn *conn)
+ {
+ struct isert_conn *isert_conn = conn->context;
+
++ isert_wait4flush(isert_conn);
+ isert_put_conn(isert_conn);
+ }
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 9b4e30a..beda011 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1889,8 +1889,8 @@ static int map_request(struct dm_target *ti, struct request *rq,
+ dm_kill_unmapped_request(rq, r);
+ return r;
+ }
+- if (IS_ERR(clone))
+- return DM_MAPIO_REQUEUE;
++ if (r != DM_MAPIO_REMAPPED)
++ return r;
+ if (setup_clone(clone, rq, tio, GFP_KERNEL)) {
+ /* -ENOMEM */
+ ti->type->release_clone_rq(clone);
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 75345c1..5c91df5 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -5365,6 +5365,10 @@ static void b43_supported_bands(struct b43_wldev *dev, bool *have_2ghz_phy,
+ *have_5ghz_phy = true;
+ return;
+ case 0x4321: /* BCM4306 */
++ /* There are 14e4:4321 PCI devs with 2.4 GHz BCM4321 (N-PHY) */
++ if (dev->phy.type != B43_PHYTYPE_G)
++ break;
++ /* fall through */
+ case 0x4313: /* BCM4311 */
+ case 0x431a: /* BCM4318 */
+ case 0x432a: /* BCM4321 */
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 220c0fd..50faef4 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1468,6 +1468,11 @@ skip_countries:
+ goto alloc_fail8;
+ }
+
++ if (quirks & CLEAR_HALT_CONDITIONS) {
++ usb_clear_halt(usb_dev, usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress));
++ usb_clear_halt(usb_dev, usb_sndbulkpipe(usb_dev, epwrite->bEndpointAddress));
++ }
++
+ return 0;
+ alloc_fail8:
+ if (acm->country_codes) {
+@@ -1747,6 +1752,10 @@ static const struct usb_device_id acm_ids[] = {
+ .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
+ },
+
++ { USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */
++ .driver_info = CLEAR_HALT_CONDITIONS,
++ },
++
+ /* Nokia S60 phones expose two ACM channels. The first is
+ * a modem and is picked up by the standard AT-command
+ * information below. The second is 'vendor-specific' but
+diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
+index ffeb3c8..b3b6c9d 100644
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -133,3 +133,4 @@ struct acm {
+ #define NO_DATA_INTERFACE BIT(4)
+ #define IGNORE_DEVICE BIT(5)
+ #define QUIRK_CONTROL_LINE_STATE BIT(6)
++#define CLEAR_HALT_CONDITIONS BIT(7)
+diff --git a/include/uapi/drm/radeon_drm.h b/include/uapi/drm/radeon_drm.h
+index 50d0fb4..76d2ede 100644
+--- a/include/uapi/drm/radeon_drm.h
++++ b/include/uapi/drm/radeon_drm.h
+@@ -1034,6 +1034,7 @@ struct drm_radeon_cs {
+ #define RADEON_INFO_VRAM_USAGE 0x1e
+ #define RADEON_INFO_GTT_USAGE 0x1f
+ #define RADEON_INFO_ACTIVE_CU_COUNT 0x20
++#define RADEON_INFO_VA_UNMAP_WORKING 0x25
+
+ struct drm_radeon_info {
+ uint32_t request;
+diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
+index ced69da..7f2e97c 100644
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1369,19 +1369,26 @@ static int check_preds(struct filter_parse_state *ps)
+ {
+ int n_normal_preds = 0, n_logical_preds = 0;
+ struct postfix_elt *elt;
++ int cnt = 0;
+
+ list_for_each_entry(elt, &ps->postfix, list) {
+- if (elt->op == OP_NONE)
++ if (elt->op == OP_NONE) {
++ cnt++;
+ continue;
++ }
+
+ if (elt->op == OP_AND || elt->op == OP_OR) {
+ n_logical_preds++;
++ cnt--;
+ continue;
+ }
++ if (elt->op != OP_NOT)
++ cnt--;
+ n_normal_preds++;
++ WARN_ON_ONCE(cnt < 0);
+ }
+
+- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
++ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
+ parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
+ return -EINVAL;
+ }
+diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
+index 87eff31..60b3100 100644
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -100,6 +100,7 @@ enum {
+ STAC_HP_ENVY_BASS,
+ STAC_HP_BNB13_EQ,
+ STAC_HP_ENVY_TS_BASS,
++ STAC_HP_ENVY_TS_DAC_BIND,
+ STAC_92HD83XXX_GPIO10_EAPD,
+ STAC_92HD83XXX_MODELS
+ };
+@@ -2170,6 +2171,22 @@ static void stac92hd83xxx_fixup_gpio10_eapd(struct hda_codec *codec,
+ spec->eapd_switch = 0;
+ }
+
++static void hp_envy_ts_fixup_dac_bind(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ struct sigmatel_spec *spec = codec->spec;
++ static hda_nid_t preferred_pairs[] = {
++ 0xd, 0x13,
++ 0
++ };
++
++ if (action != HDA_FIXUP_ACT_PRE_PROBE)
++ return;
++
++ spec->gen.preferred_dacs = preferred_pairs;
++}
++
+ static const struct hda_verb hp_bnb13_eq_verbs[] = {
+ /* 44.1KHz base */
+ { 0x22, 0x7A6, 0x3E },
+@@ -2685,6 +2702,12 @@ static const struct hda_fixup stac92hd83xxx_fixups[] = {
+ {}
+ },
+ },
++ [STAC_HP_ENVY_TS_DAC_BIND] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = hp_envy_ts_fixup_dac_bind,
++ .chained = true,
++ .chain_id = STAC_HP_ENVY_TS_BASS,
++ },
+ [STAC_92HD83XXX_GPIO10_EAPD] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = stac92hd83xxx_fixup_gpio10_eapd,
+@@ -2763,6 +2786,8 @@ static const struct snd_pci_quirk stac92hd83xxx_fixup_tbl[] = {
+ "HP bNB13", STAC_HP_BNB13_EQ),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x190e,
+ "HP ENVY TS", STAC_HP_ENVY_TS_BASS),
++ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1967,
++ "HP ENVY TS", STAC_HP_ENVY_TS_DAC_BIND),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1940,
+ "HP bNB13", STAC_HP_BNB13_EQ),
+ SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1941,
diff --git a/4.0.6/4420_grsecurity-3.1-4.0.6-201506272327.patch b/4.0.7/4420_grsecurity-3.1-4.0.7-201506300712.patch
index 01515b8..37bee2c 100644
--- a/4.0.6/4420_grsecurity-3.1-4.0.6-201506272327.patch
+++ b/4.0.7/4420_grsecurity-3.1-4.0.7-201506300712.patch
@@ -373,7 +373,7 @@ index 4d68ec8..9546b75 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index af6da04..22820aa 100644
+index bd76a8e..ed02758 100644
--- a/Makefile
+++ b/Makefile
@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3437,7 +3437,7 @@ index 3e58d71..029817c 100644
/* See rational for this in __copy_to_user() above. */
if (n < 64)
diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c
-index 318d127..9aab0d1 100644
+index 582ef2d..d314e82 100644
--- a/arch/arm/mach-exynos/suspend.c
+++ b/arch/arm/mach-exynos/suspend.c
@@ -18,6 +18,7 @@
@@ -3448,7 +3448,7 @@ index 318d127..9aab0d1 100644
#include <linux/irqchip/arm-gic.h>
#include <linux/err.h>
#include <linux/regulator/machine.h>
-@@ -632,8 +633,10 @@ void __init exynos_pm_init(void)
+@@ -635,8 +636,10 @@ void __init exynos_pm_init(void)
tmp |= pm_data->wake_disable_mask;
pmu_raw_writel(tmp, S5P_WAKEUP_MASK);
@@ -17369,7 +17369,7 @@ index 09b9620..923aecd 100644
atomic_t perf_rdpmc_allowed; /* nonzero if rdpmc is allowed */
} mm_context_t;
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
-index 883f6b93..6869d96 100644
+index 883f6b93..bb405b5 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -42,6 +42,20 @@ void destroy_context(struct mm_struct *mm);
@@ -17461,9 +17461,9 @@ index 883f6b93..6869d96 100644
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
+ if (!(__supported_pte_mask & _PAGE_NX)) {
+ smp_mb__before_atomic();
-+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
++ cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask);
+ smp_mb__after_atomic();
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
+ }
+#endif
+
@@ -17537,7 +17537,7 @@ index 883f6b93..6869d96 100644
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+ if (!(__supported_pte_mask & _PAGE_NX))
-+ cpu_set(cpu, next->context.cpu_user_cs_mask);
++ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
@@ -22048,7 +22048,7 @@ index cf3df1d..b637d9a 100644
if (__die(str, regs, err))
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
-index 5abd4cd..c65733b 100644
+index 5abd4cd..ca97162 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -61,15 +61,14 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -22125,7 +22125,7 @@ index 5abd4cd..c65733b 100644
}
+
+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
-+void pax_check_alloca(unsigned long size)
++void __used pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_left;
+
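Review bot: The `__used` added to `pax_check_alloca` in arch/x86/kernel/dumpstack_32.c has no comment saying why the attribute is needed on a function that is already exported with `EXPORT_SYMBOL` a few lines further down. The same unexplained attribute is added in the dumpstack_64.c, uderef_64.c and fs/exec.c hunks (`__pax_open_userland`, `__pax_close_userland`, `pax_track_stack`, `report_size_overflow`). If the reason is that the only callers are emitted by the compiler instrumentation or reached through wrappers, which is an inference from the names and the CONFIG_PAX_* guards, a one-line comment such as `/* __used: callers are inserted by the instrumentation, not visible as C references */` above each definition would keep a later cleanup from dropping it. The function body continues outside this hunk.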
@@ -22136,7 +22136,7 @@ index 5abd4cd..c65733b 100644
+EXPORT_SYMBOL(pax_check_alloca);
+#endif
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
-index ff86f19..73eabf4 100644
+index ff86f19..a2efee8 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -153,12 +153,12 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
@@ -22211,7 +22211,7 @@ index ff86f19..73eabf4 100644
}
+
+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
-+void pax_check_alloca(unsigned long size)
++void __used pax_check_alloca(unsigned long size)
+{
+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
+ unsigned cpu, used;
@@ -23060,7 +23060,7 @@ index 31e2d5b..b31c76d 100644
#endif
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index f0095a7..ec77893 100644
+index f0095a7..7ece039 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -59,6 +59,8 @@
@@ -23114,7 +23114,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
-+ bts $16,%rdi
++ bts $X86_CR0_WP_BIT,%rdi
+ jnc 3f
+ mov %cs,%edi
+ cmp $__KERNEL_CS,%edi
@@ -23175,7 +23175,7 @@ index f0095a7..ec77893 100644
+ cmp $__KERNEXEC_KERNEL_CS,%edi
+ jz 2f
+ GET_CR0_INTO_RDI
-+ bts $16,%rdi
++ bts $X86_CR0_WP_BIT,%rdi
+ jnc 4f
+1:
+#endif
@@ -23213,7 +23213,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+2: GET_CR0_INTO_RDI
-+ btr $16,%rdi
++ btr $X86_CR0_WP_BIT,%rdi
+ jnc 4f
+ ljmpq __KERNEL_CS,3f
+3: SET_RDI_INTO_CR0
@@ -23301,7 +23301,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
-+ bts $16,%rdi
++ bts $X86_CR0_WP_BIT,%rdi
+ SET_RDI_INTO_CR0
+#endif
+
@@ -23346,7 +23346,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
-+ btr $16,%rdi
++ btr $X86_CR0_WP_BIT,%rdi
+ jnc 3f
+ SET_RDI_INTO_CR0
+#endif
@@ -23393,7 +23393,7 @@ index f0095a7..ec77893 100644
+
+#ifdef CONFIG_PAX_KERNEXEC
+ GET_CR0_INTO_RDI
-+ bts $16,%rdi
++ bts $X86_CR0_WP_BIT,%rdi
+ jc 110f
+ SET_RDI_INTO_CR0
+ or $2,%ebx
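Review bot: The literal in `or $2,%ebx` at the end of this hunk is left as a bare number, even though the commit replaces the CR0 bit literal two lines above it with `X86_CR0_WP_BIT`. The hunk that follows tests what appears to be the same flag as a bit index, `btr $1,%ebx`, so one flag is written once as a mask and once as a bit number with no name tying the two together. A short comment on both lines, for example `/* ebx bit 1: CR0.WP was set here and must be cleared again on exit */`, or a shared named constant, would make the pairing checkable. Whether the two fragments belong to one entry/exit pair cannot be confirmed from these hunks.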
@@ -23426,7 +23426,7 @@ index f0095a7..ec77893 100644
+ btr $1,%ebx
+ jnc 110f
+ GET_CR0_INTO_RDI
-+ btr $16,%rdi
++ btr $X86_CR0_WP_BIT,%rdi
+ SET_RDI_INTO_CR0
+110:
+#endif
@@ -25578,7 +25578,7 @@ index 25ecd56..e12482f 100644
}
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
-index 4e3d5a9..03fffd8 100644
+index 03189d8..4705700 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -120,9 +120,12 @@ __synthesize_relative_insn(void *from, void *to, u8 op)
@@ -25619,17 +25619,17 @@ index 4e3d5a9..03fffd8 100644
}
/*
-@@ -364,7 +367,9 @@ int __copy_instruction(u8 *dest, u8 *src)
+@@ -367,7 +370,9 @@ int __copy_instruction(u8 *dest, u8 *src)
/* Another subsystem puts a breakpoint, failed to recover */
if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
return 0;
+ pax_open_kernel();
- memcpy(dest, insn.kaddr, insn.length);
+ memcpy(dest, insn.kaddr, length);
+ pax_close_kernel();
#ifdef CONFIG_X86_64
if (insn_rip_relative(&insn)) {
-@@ -391,7 +396,9 @@ int __copy_instruction(u8 *dest, u8 *src)
+@@ -394,7 +399,9 @@ int __copy_instruction(u8 *dest, u8 *src)
return 0;
}
disp = (u8 *) dest + insn_offset_displacement(&insn);
@@ -25638,8 +25638,8 @@ index 4e3d5a9..03fffd8 100644
+ pax_close_kernel();
}
#endif
- return insn.length;
-@@ -533,7 +540,7 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
+ return length;
+@@ -536,7 +543,7 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
* nor set current_kprobe, because it doesn't use single
* stepping.
*/
@@ -25648,7 +25648,7 @@ index 4e3d5a9..03fffd8 100644
preempt_enable_no_resched();
return;
}
-@@ -550,9 +557,9 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
+@@ -553,9 +560,9 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
regs->flags &= ~X86_EFLAGS_IF;
/* single step inline if the instruction is an int3 */
if (p->opcode == BREAKPOINT_INSTRUCTION)
@@ -25660,7 +25660,7 @@ index 4e3d5a9..03fffd8 100644
}
NOKPROBE_SYMBOL(setup_singlestep);
-@@ -602,7 +609,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
+@@ -605,7 +612,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
struct kprobe *p;
struct kprobe_ctlblk *kcb;
@@ -25669,7 +25669,7 @@ index 4e3d5a9..03fffd8 100644
return 0;
addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
-@@ -637,7 +644,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
+@@ -640,7 +647,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
setup_singlestep(p, regs, kcb, 0);
return 1;
}
@@ -25678,7 +25678,7 @@ index 4e3d5a9..03fffd8 100644
/*
* The breakpoint instruction was removed right
* after we hit it. Another cpu has removed
-@@ -684,6 +691,9 @@ static void __used kretprobe_trampoline_holder(void)
+@@ -687,6 +694,9 @@ static void __used kretprobe_trampoline_holder(void)
" movq %rax, 152(%rsp)\n"
RESTORE_REGS_STRING
" popfq\n"
@@ -25688,7 +25688,7 @@ index 4e3d5a9..03fffd8 100644
#else
" pushf\n"
SAVE_REGS_STRING
-@@ -824,7 +834,7 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs,
+@@ -827,7 +837,7 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs,
struct kprobe_ctlblk *kcb)
{
unsigned long *tos = stack_addr(regs);
@@ -25697,7 +25697,7 @@ index 4e3d5a9..03fffd8 100644
unsigned long orig_ip = (unsigned long)p->addr;
kprobe_opcode_t *insn = p->ainsn.insn;
-@@ -1007,7 +1017,7 @@ int kprobe_exceptions_notify(struct notifier_block *self, unsigned long val,
+@@ -1010,7 +1020,7 @@ int kprobe_exceptions_notify(struct notifier_block *self, unsigned long val,
struct die_args *args = data;
int ret = NOTIFY_DONE;
@@ -25789,7 +25789,7 @@ index c2bedae..25e7ab60 100644
.name = "data",
.mode = S_IRUGO,
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
-index c37886d..d851d32 100644
+index c37886d..3f425e3 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, int mincount, int reload)
@@ -25831,7 +25831,7 @@ index c37886d..d851d32 100644
+ mm->context.user_cs_limit = ~0UL;
+
+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
-+ cpus_clear(mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
+#endif
+
+#endif
@@ -28771,7 +28771,7 @@ index 106c015..2db7161 100644
0, 0, 0, /* CR3 checked later */
CR4_RESERVED_BITS,
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
-index 4ee827d..83c8e31 100644
+index 3cb2b58..83c8e31 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -56,7 +56,7 @@
@@ -28783,72 +28783,6 @@ index 4ee827d..83c8e31 100644
#define APIC_LVT_NUM 6
/* 14 is the version for Xeon and Pentium 8.4.8*/
-@@ -1064,6 +1064,17 @@ static void update_divide_count(struct kvm_lapic *apic)
- apic->divide_count);
- }
-
-+static void apic_update_lvtt(struct kvm_lapic *apic)
-+{
-+ u32 timer_mode = kvm_apic_get_reg(apic, APIC_LVTT) &
-+ apic->lapic_timer.timer_mode_mask;
-+
-+ if (apic->lapic_timer.timer_mode != timer_mode) {
-+ apic->lapic_timer.timer_mode = timer_mode;
-+ hrtimer_cancel(&apic->lapic_timer.timer);
-+ }
-+}
-+
- static void apic_timer_expired(struct kvm_lapic *apic)
- {
- struct kvm_vcpu *vcpu = apic->vcpu;
-@@ -1272,6 +1283,7 @@ static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val)
- apic_set_reg(apic, APIC_LVTT + 0x10 * i,
- lvt_val | APIC_LVT_MASKED);
- }
-+ apic_update_lvtt(apic);
- atomic_set(&apic->lapic_timer.pending, 0);
-
- }
-@@ -1304,20 +1316,13 @@ static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val)
-
- break;
-
-- case APIC_LVTT: {
-- u32 timer_mode = val & apic->lapic_timer.timer_mode_mask;
--
-- if (apic->lapic_timer.timer_mode != timer_mode) {
-- apic->lapic_timer.timer_mode = timer_mode;
-- hrtimer_cancel(&apic->lapic_timer.timer);
-- }
--
-+ case APIC_LVTT:
- if (!kvm_apic_sw_enabled(apic))
- val |= APIC_LVT_MASKED;
- val &= (apic_lvt_mask[0] | apic->lapic_timer.timer_mode_mask);
- apic_set_reg(apic, APIC_LVTT, val);
-+ apic_update_lvtt(apic);
- break;
-- }
-
- case APIC_TMICT:
- if (apic_lvtt_tscdeadline(apic))
-@@ -1552,7 +1557,7 @@ void kvm_lapic_reset(struct kvm_vcpu *vcpu)
-
- for (i = 0; i < APIC_LVT_NUM; i++)
- apic_set_reg(apic, APIC_LVTT + 0x10 * i, APIC_LVT_MASKED);
-- apic->lapic_timer.timer_mode = 0;
-+ apic_update_lvtt(apic);
- apic_set_reg(apic, APIC_LVT0,
- SET_APIC_DELIVERY_MODE(0, APIC_MODE_EXTINT));
-
-@@ -1778,6 +1783,7 @@ void kvm_apic_post_state_restore(struct kvm_vcpu *vcpu,
-
- apic_update_ppr(apic);
- hrtimer_cancel(&apic->lapic_timer.timer);
-+ apic_update_lvtt(apic);
- update_divide_count(apic);
- start_apic_timer(apic);
- apic->irr_pending = true;
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
index 0bc6c65..ca4f92d 100644
--- a/arch/x86/kvm/lapic.h
@@ -31924,7 +31858,7 @@ index 903ec1e..c4166b2 100644
}
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
-index ede025f..1ef909b 100644
+index ede025f..ecc2d96 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -13,12 +13,19 @@
@@ -32240,7 +32174,7 @@ index ede025f..1ef909b 100644
+ }
+
+#ifdef CONFIG_SMP
-+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
++ if (likely(address > get_limit(regs->cs) && cpumask_test_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask)))
+#else
+ if (likely(address > get_limit(regs->cs)))
+#endif
@@ -34266,7 +34200,7 @@ index 3250f23..7a97ba2 100644
* functions differently. Tracing normally
diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c
new file mode 100644
-index 0000000..dace51c
+index 0000000..3fda3f3
--- /dev/null
+++ b/arch/x86/mm/uderef_64.c
@@ -0,0 +1,37 @@
@@ -34279,7 +34213,7 @@ index 0000000..dace51c
+ * - remain leaf functions under all configurations,
+ * - never be called directly, only dereferenced from the wrappers.
+ */
-+void __pax_open_userland(void)
++void __used __pax_open_userland(void)
+{
+ unsigned int cpu;
+
@@ -34288,12 +34222,12 @@ index 0000000..dace51c
+
+ cpu = raw_get_cpu();
+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL);
-+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
++ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
+ raw_put_cpu_no_resched();
+}
+EXPORT_SYMBOL(__pax_open_userland);
+
-+void __pax_close_userland(void)
++void __used __pax_close_userland(void)
+{
+ unsigned int cpu;
+
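Review bot: The switch from `__pa()` to `__pa_nodebug()` in `__pax_open_userland()` (and in `__pax_close_userland()` in the next hunk) is not explained, and it drops whatever address sanity checking the debug variant of `__pa()` performs on the PGD pointer written to CR3. The file's header comment requires these functions to remain leaf functions under all configurations, and `__pa()` becomes an out-of-line call when CONFIG_DEBUG_VIRTUAL is enabled, so that is presumably the reason. A comment on the `write_cr3()` line such as `/* __pa_nodebug: __pa() may call out of line, which would break the leaf-function rule above */` would record it.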
@@ -34302,7 +34236,7 @@ index 0000000..dace51c
+
+ cpu = raw_get_cpu();
+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER);
-+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
++ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
+ raw_put_cpu_no_resched();
+}
+EXPORT_SYMBOL(__pax_close_userland);
@@ -40248,32 +40182,6 @@ index 832a2c3..1794080 100644
.attrs = cpuidle_default_attrs,
.name = "cpuidle",
};
-diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
-index f347ab7..08b0da2 100644
---- a/drivers/crypto/caam/caamhash.c
-+++ b/drivers/crypto/caam/caamhash.c
-@@ -1543,6 +1543,8 @@ static int ahash_init(struct ahash_request *req)
-
- state->current_buf = 0;
- state->buf_dma = 0;
-+ state->buflen_0 = 0;
-+ state->buflen_1 = 0;
-
- return 0;
- }
-diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
-index ae31e55..a48dc25 100644
---- a/drivers/crypto/caam/caamrng.c
-+++ b/drivers/crypto/caam/caamrng.c
-@@ -56,7 +56,7 @@
-
- /* Buffer, its dma address and lock */
- struct buf_data {
-- u8 buf[RN_BUF_SIZE];
-+ u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
- dma_addr_t addr;
- struct completion filled;
- u32 hw_desc[DESC_JOB_O_LEN];
diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c
index 8d2a772..33826c9 100644
--- a/drivers/crypto/hifn_795x.c
@@ -45724,7 +45632,7 @@ index 79f6941..b33b4e0 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 9b4e30a..83c927d 100644
+index beda011..de57372 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -188,9 +188,9 @@ struct mapped_device {
@@ -67579,7 +67487,7 @@ index 8c52472..c4e3a69 100644
#else
diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
-index 1e51714..411eded 100644
+index 1e51714e..411eded 100644
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -309,7 +309,7 @@ try_again:
@@ -68764,7 +68672,7 @@ index e4141f2..d8263e8 100644
i += packet_length_size;
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
diff --git a/fs/exec.c b/fs/exec.c
-index 1202445..7a6fde9 100644
+index 1202445..620c98e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -56,8 +56,20 @@
@@ -69568,7 +69476,7 @@ index 1202445..7a6fde9 100644
+EXPORT_SYMBOL(__check_object_size);
+
+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
-+void pax_track_stack(void)
++void __used pax_track_stack(void)
+{
+ unsigned long sp = (unsigned long)&sp;
+ if (sp < current_thread_info()->lowest_stack &&
@@ -69581,7 +69489,7 @@ index 1202445..7a6fde9 100644
+#endif
+
+#ifdef CONFIG_PAX_SIZE_OVERFLOW
-+void __nocapture(1, 3, 4) report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
++void __nocapture(1, 3, 4) __used report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
+{
+ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
+ dump_stack();
@@ -103116,38 +103024,29 @@ index a9c10a3..1864f6b 100644
/* Add an additional event_call dynamically */
diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
-index ced69da..7f2e97c 100644
+index 7f2e97c..085a257 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
-@@ -1369,19 +1369,26 @@ static int check_preds(struct filter_parse_state *ps)
- {
- int n_normal_preds = 0, n_logical_preds = 0;
- struct postfix_elt *elt;
-+ int cnt = 0;
+@@ -1056,6 +1056,9 @@ static void parse_init(struct filter_parse_state *ps,
- list_for_each_entry(elt, &ps->postfix, list) {
-- if (elt->op == OP_NONE)
-+ if (elt->op == OP_NONE) {
-+ cnt++;
- continue;
-+ }
+ static char infix_next(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return 0;
++
+ ps->infix.cnt--;
- if (elt->op == OP_AND || elt->op == OP_OR) {
- n_logical_preds++;
-+ cnt--;
- continue;
- }
-+ if (elt->op != OP_NOT)
-+ cnt--;
- n_normal_preds++;
-+ WARN_ON_ONCE(cnt < 0);
- }
+ return ps->infix.string[ps->infix.tail++];
+@@ -1071,6 +1074,9 @@ static char infix_peek(struct filter_parse_state *ps)
-- if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
-+ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
- parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
- return -EINVAL;
- }
+ static void infix_advance(struct filter_parse_state *ps)
+ {
++ if (!ps->infix.cnt)
++ return;
++
+ ps->infix.cnt--;
+ ps->infix.tail++;
+ }
diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index b6fce36..d9f11a3 100644
--- a/kernel/trace/trace_functions_graph.c
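Review bot: The new `if (!ps->infix.cnt)` guards in `infix_next()` and `infix_advance()` carry no comment, although they are what stops `ps->infix.cnt` from going negative and `ps->infix.tail` from moving past the end of `ps->infix.string` once the filter text is consumed. A short comment above each, such as `/* input exhausted: do not decrement cnt or advance tail past the end of the string */`, would keep a later cleanup from removing them. In `infix_next()` the early return would read better as `return '\0';`, since the function returns `char`. `infix_peek()` appears only in a hunk header, so whether it has an equivalent bound should be checked in the full file.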
@@ -107036,7 +106935,7 @@ index 9ec50a3..0476e2d 100644
vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
diff --git a/mm/mprotect.c b/mm/mprotect.c
-index 8858483..8145fa5 100644
+index 8858483..72f2464 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -24,10 +24,18 @@
@@ -107085,8 +106984,8 @@ index 8858483..8145fa5 100644
+
+#ifdef CONFIG_SMP
+ wmb();
-+ cpus_clear(mm->context.cpu_user_cs_mask);
-+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
++ cpumask_clear(&mm->context.cpu_user_cs_mask);
++ cpumask_set_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask);
+#endif
+
+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
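Review bot: The `wmb()` ahead of the `cpu_user_cs_mask` update has no comment naming the stores it orders or the read side it pairs with, which kernel coding style expects for every barrier. Something like `/* order the user_cs_base/limit update before publishing this CPU in cpu_user_cs_mask */` would do if that is the intent; the stores in question are outside the hunk. `cpumask_clear()` followed by `cpumask_set_cpu()` also leaves the mask briefly empty, so the same comment should say why a reader on another CPU cannot act on that intermediate state. The enclosing function starts and ends outside the hunk.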
diff --git a/4.0.6/4425_grsec_remove_EI_PAX.patch b/4.0.7/4425_grsec_remove_EI_PAX.patch
index a80a5d7..a80a5d7 100644
--- a/4.0.6/4425_grsec_remove_EI_PAX.patch
+++ b/4.0.7/4425_grsec_remove_EI_PAX.patch
diff --git a/4.0.6/4427_force_XATTR_PAX_tmpfs.patch b/4.0.7/4427_force_XATTR_PAX_tmpfs.patch
index a789f0b..a789f0b 100644
--- a/4.0.6/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.0.7/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.0.6/4430_grsec-remove-localversion-grsec.patch b/4.0.7/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.0.6/4430_grsec-remove-localversion-grsec.patch
+++ b/4.0.7/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.0.6/4435_grsec-mute-warnings.patch b/4.0.7/4435_grsec-mute-warnings.patch
index b7564e4..b7564e4 100644
--- a/4.0.6/4435_grsec-mute-warnings.patch
+++ b/4.0.7/4435_grsec-mute-warnings.patch
diff --git a/4.0.6/4440_grsec-remove-protected-paths.patch b/4.0.7/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.0.6/4440_grsec-remove-protected-paths.patch
+++ b/4.0.7/4440_grsec-remove-protected-paths.patch
diff --git a/4.0.6/4450_grsec-kconfig-default-gids.patch b/4.0.7/4450_grsec-kconfig-default-gids.patch
index 61d903e..61d903e 100644
--- a/4.0.6/4450_grsec-kconfig-default-gids.patch
+++ b/4.0.7/4450_grsec-kconfig-default-gids.patch
diff --git a/4.0.6/4465_selinux-avc_audit-log-curr_ip.patch b/4.0.7/4465_selinux-avc_audit-log-curr_ip.patch
index ba89596..ba89596 100644
--- a/4.0.6/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.0.7/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.0.6/4470_disable-compat_vdso.patch b/4.0.7/4470_disable-compat_vdso.patch
index 7aefa02..7aefa02 100644
--- a/4.0.6/4470_disable-compat_vdso.patch
+++ b/4.0.7/4470_disable-compat_vdso.patch
diff --git a/4.0.6/4475_emutramp_default_on.patch b/4.0.7/4475_emutramp_default_on.patch
index a128205..a128205 100644
--- a/4.0.6/4475_emutramp_default_on.patch
+++ b/4.0.7/4475_emutramp_default_on.patch