commit:     5c8fe786238039dc02cd80652dbe1265adbf1f6d
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Sep 10 01:02:06 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Sep 10 01:02:06 2014 +0000
URL:        
http://sources.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=5c8fe786

Grsec/PaX: 3.0-{3.2.62,3.14.18,3.16.2}-201409082129

---
 3.14.18/0000_README                                |   2 +-
 ...4420_grsecurity-3.0-3.14.18-201409082127.patch} | 498 ++++++++++++++++++-
 3.16.2/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.0-3.16.2-201409082129.patch} | 549 ++++++++++++++++++++-
 3.16.2/4427_force_XATTR_PAX_tmpfs.patch            |   4 +-
 3.16.2/4435_grsec-mute-warnings.patch              |   2 +-
 3.16.2/4465_selinux-avc_audit-log-curr_ip.patch    |   2 +-
 3.16.2/4470_disable-compat_vdso.patch              |   2 +-
 3.2.62/0000_README                                 |   2 +-
 ... 4420_grsecurity-3.0-3.2.62-201409082124.patch} | 478 +++++++++++++++++-
 10 files changed, 1458 insertions(+), 83 deletions(-)

diff --git a/3.14.18/0000_README b/3.14.18/0000_README
index e496f22..58616e9 100644
--- a/3.14.18/0000_README
+++ b/3.14.18/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.14.18-201409060013.patch
+Patch: 4420_grsecurity-3.0-3.14.18-201409082127.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/3.14.18/4420_grsecurity-3.0-3.14.18-201409060013.patch 
b/3.14.18/4420_grsecurity-3.0-3.14.18-201409082127.patch
similarity index 99%
rename from 3.14.18/4420_grsecurity-3.0-3.14.18-201409060013.patch
rename to 3.14.18/4420_grsecurity-3.0-3.14.18-201409082127.patch
index 2207958..2a00986 100644
--- a/3.14.18/4420_grsecurity-3.0-3.14.18-201409060013.patch
+++ b/3.14.18/4420_grsecurity-3.0-3.14.18-201409082127.patch
@@ -22894,7 +22894,7 @@ index c5a9cb9..228d280 100644
  
  /*
 diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 03cd2a8..05a9aed 100644
+index 03cd2a8..d236ccb 100644
 --- a/arch/x86/kernel/entry_64.S
 +++ b/arch/x86/kernel/entry_64.S
 @@ -60,6 +60,8 @@
@@ -23815,7 +23815,7 @@ index 03cd2a8..05a9aed 100644
        je retint_kernel
  
        /* Interrupt came from user space */
-@@ -1027,12 +1500,16 @@ retint_swapgs:         /* return to user-space */
+@@ -1027,12 +1500,35 @@ retint_swapgs:         /* return to user-space */
         * The iretq could re-enable interrupts:
         */
        DISABLE_INTERRUPTS(CLBR_ANY)
@@ -23828,11 +23828,30 @@ index 03cd2a8..05a9aed 100644
  retint_restore_args:  /* return to kernel space */
        DISABLE_INTERRUPTS(CLBR_ANY)
 +      pax_exit_kernel
++
++#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
++      /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
++       * namely calling EFI runtime services with a phys mapping. We're
++       * starting off with NOPs and patch in the real instrumentation
++       * (BTS/OR) before starting any userland process; even before starting
++       * up the APs.
++       */
++      .pushsection .altinstr_replacement, "a"
++      601: pax_force_retaddr (RIP-ARGOFFSET)
++      602:
++      .popsection
++      603: .fill 602b-601b, 1, 0x90
++      .pushsection .altinstructions, "a"
++      altinstruction_entry 603b, 601b, X86_FEATURE_ALWAYS, 602b-601b, 
602b-601b
++      .popsection
++#else
 +      pax_force_retaddr (RIP-ARGOFFSET)
++#endif
++
        /*
         * The iretq could re-enable interrupts:
         */
-@@ -1145,7 +1622,7 @@ ENTRY(retint_kernel)
+@@ -1145,7 +1641,7 @@ ENTRY(retint_kernel)
        jmp exit_intr
  #endif
        CFI_ENDPROC
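Review bot: The comment on the added `#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)` block after `retint_restore_args` explains why NOPs are emitted first but leaves the cost implicit. As far as the hunk shows, until the `altinstruction_entry` replaces the `.fill` at label 603, every return to kernel space through this path runs without `pax_force_retaddr`, not only the ones taken during EFI runtime calls. I would extend the comment with something like `/* Until alternatives are applied, this return path has no return-address forcing. */` and name the boot step that applies the patch, so the length of that window can be audited. The same block is added in the 3.16.2 patch (hunk `@@ -24142,11 +24142,30 @@`), and the surrounding entry code continues outside both hunks.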
@@ -23841,7 +23860,7 @@ index 03cd2a8..05a9aed 100644
  
        /*
         * If IRET takes a fault on the espfix stack, then we
-@@ -1167,13 +1644,13 @@ __do_double_fault:
+@@ -1167,13 +1663,13 @@ __do_double_fault:
        cmpq $native_irq_return_iret,%rax
        jne do_double_fault             /* This shouldn't happen... */
        movq PER_CPU_VAR(kernel_stack),%rax
@@ -23857,7 +23876,7 @@ index 03cd2a8..05a9aed 100644
  #else
  # define __do_double_fault do_double_fault
  #endif
-@@ -1195,7 +1672,7 @@ ENTRY(\sym)
+@@ -1195,7 +1691,7 @@ ENTRY(\sym)
        interrupt \do_sym
        jmp ret_from_intr
        CFI_ENDPROC
@@ -23866,7 +23885,7 @@ index 03cd2a8..05a9aed 100644
  .endm
  
  #ifdef CONFIG_TRACING
-@@ -1283,7 +1760,7 @@ ENTRY(\sym)
+@@ -1283,7 +1779,7 @@ ENTRY(\sym)
        call \do_sym
        jmp error_exit          /* %ebx: no swapgs flag */
        CFI_ENDPROC
@@ -23875,7 +23894,7 @@ index 03cd2a8..05a9aed 100644
  .endm
  
  .macro paranoidzeroentry sym do_sym
-@@ -1301,10 +1778,10 @@ ENTRY(\sym)
+@@ -1301,10 +1797,10 @@ ENTRY(\sym)
        call \do_sym
        jmp paranoid_exit       /* %ebx: no swapgs flag */
        CFI_ENDPROC
@@ -23888,7 +23907,7 @@ index 03cd2a8..05a9aed 100644
  .macro paranoidzeroentry_ist sym do_sym ist
  ENTRY(\sym)
        INTR_FRAME
-@@ -1317,12 +1794,18 @@ ENTRY(\sym)
+@@ -1317,12 +1813,18 @@ ENTRY(\sym)
        TRACE_IRQS_OFF_DEBUG
        movq %rsp,%rdi          /* pt_regs pointer */
        xorl %esi,%esi          /* no error code */
@@ -23908,7 +23927,7 @@ index 03cd2a8..05a9aed 100644
  .endm
  
  .macro errorentry sym do_sym
-@@ -1340,7 +1823,7 @@ ENTRY(\sym)
+@@ -1340,7 +1842,7 @@ ENTRY(\sym)
        call \do_sym
        jmp error_exit                  /* %ebx: no swapgs flag */
        CFI_ENDPROC
@@ -23917,7 +23936,7 @@ index 03cd2a8..05a9aed 100644
  .endm
  
  #ifdef CONFIG_TRACING
-@@ -1371,7 +1854,7 @@ ENTRY(\sym)
+@@ -1371,7 +1873,7 @@ ENTRY(\sym)
        call \do_sym
        jmp paranoid_exit               /* %ebx: no swapgs flag */
        CFI_ENDPROC
@@ -23926,7 +23945,7 @@ index 03cd2a8..05a9aed 100644
  .endm
  
  zeroentry divide_error do_divide_error
-@@ -1401,9 +1884,10 @@ gs_change:
+@@ -1401,9 +1903,10 @@ gs_change:
  2:    mfence          /* workaround */
        SWAPGS
        popfq_cfi
@@ -23938,7 +23957,7 @@ index 03cd2a8..05a9aed 100644
  
        _ASM_EXTABLE(gs_change,bad_gs)
        .section .fixup,"ax"
-@@ -1431,9 +1915,10 @@ ENTRY(do_softirq_own_stack)
+@@ -1431,9 +1934,10 @@ ENTRY(do_softirq_own_stack)
        CFI_DEF_CFA_REGISTER    rsp
        CFI_ADJUST_CFA_OFFSET   -8
        decl PER_CPU_VAR(irq_count)
@@ -23950,7 +23969,7 @@ index 03cd2a8..05a9aed 100644
  
  #ifdef CONFIG_XEN
  zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1471,7 +1956,7 @@ ENTRY(xen_do_hypervisor_callback)   # 
do_hypervisor_callback(struct *pt_regs)
+@@ -1471,7 +1975,7 @@ ENTRY(xen_do_hypervisor_callback)   # 
do_hypervisor_callback(struct *pt_regs)
        decl PER_CPU_VAR(irq_count)
        jmp  error_exit
        CFI_ENDPROC
@@ -23959,7 +23978,7 @@ index 03cd2a8..05a9aed 100644
  
  /*
   * Hypervisor uses this for application faults while it executes.
-@@ -1530,7 +2015,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1530,7 +2034,7 @@ ENTRY(xen_failsafe_callback)
        SAVE_ALL
        jmp error_exit
        CFI_ENDPROC
@@ -23968,7 +23987,7 @@ index 03cd2a8..05a9aed 100644
  
  apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
        xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1582,18 +2067,33 @@ ENTRY(paranoid_exit)
+@@ -1582,18 +2086,33 @@ ENTRY(paranoid_exit)
        DEFAULT_FRAME
        DISABLE_INTERRUPTS(CLBR_NONE)
        TRACE_IRQS_OFF_DEBUG
@@ -24004,7 +24023,7 @@ index 03cd2a8..05a9aed 100644
        jmp irq_return
  paranoid_userspace:
        GET_THREAD_INFO(%rcx)
-@@ -1622,7 +2122,7 @@ paranoid_schedule:
+@@ -1622,7 +2141,7 @@ paranoid_schedule:
        TRACE_IRQS_OFF
        jmp paranoid_userspace
        CFI_ENDPROC
@@ -24013,7 +24032,7 @@ index 03cd2a8..05a9aed 100644
  
  /*
   * Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1649,12 +2149,23 @@ ENTRY(error_entry)
+@@ -1649,12 +2168,23 @@ ENTRY(error_entry)
        movq_cfi r14, R14+8
        movq_cfi r15, R15+8
        xorl %ebx,%ebx
@@ -24038,7 +24057,7 @@ index 03cd2a8..05a9aed 100644
        ret
  
  /*
-@@ -1681,7 +2192,7 @@ bstep_iret:
+@@ -1681,7 +2211,7 @@ bstep_iret:
        movq %rcx,RIP+8(%rsp)
        jmp error_swapgs
        CFI_ENDPROC
@@ -24047,7 +24066,7 @@ index 03cd2a8..05a9aed 100644
  
  
  /* ebx:       no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1692,7 +2203,7 @@ ENTRY(error_exit)
+@@ -1692,7 +2222,7 @@ ENTRY(error_exit)
        DISABLE_INTERRUPTS(CLBR_NONE)
        TRACE_IRQS_OFF
        GET_THREAD_INFO(%rcx)
@@ -24056,7 +24075,7 @@ index 03cd2a8..05a9aed 100644
        jne retint_kernel
        LOCKDEP_SYS_EXIT_IRQ
        movl TI_flags(%rcx),%edx
-@@ -1701,7 +2212,7 @@ ENTRY(error_exit)
+@@ -1701,7 +2231,7 @@ ENTRY(error_exit)
        jnz retint_careful
        jmp retint_swapgs
        CFI_ENDPROC
@@ -24065,7 +24084,7 @@ index 03cd2a8..05a9aed 100644
  
  /*
   * Test if a given stack is an NMI stack or not.
-@@ -1759,9 +2270,11 @@ ENTRY(nmi)
+@@ -1759,9 +2289,11 @@ ENTRY(nmi)
         * If %cs was not the kernel segment, then the NMI triggered in user
         * space, which means it is definitely not nested.
         */
@@ -24078,7 +24097,7 @@ index 03cd2a8..05a9aed 100644
        /*
         * Check the special variable on the stack to see if NMIs are
         * executing.
-@@ -1795,8 +2308,7 @@ nested_nmi:
+@@ -1795,8 +2327,7 @@ nested_nmi:
  
  1:
        /* Set up the interrupted NMIs stack to jump to repeat_nmi */
@@ -24088,7 +24107,7 @@ index 03cd2a8..05a9aed 100644
        CFI_ADJUST_CFA_OFFSET 1*8
        leaq -10*8(%rsp), %rdx
        pushq_cfi $__KERNEL_DS
-@@ -1814,6 +2326,7 @@ nested_nmi_out:
+@@ -1814,6 +2345,7 @@ nested_nmi_out:
        CFI_RESTORE rdx
  
        /* No need to check faults here */
@@ -24096,7 +24115,7 @@ index 03cd2a8..05a9aed 100644
        INTERRUPT_RETURN
  
        CFI_RESTORE_STATE
-@@ -1910,13 +2423,13 @@ end_repeat_nmi:
+@@ -1910,13 +2442,13 @@ end_repeat_nmi:
        subq $ORIG_RAX-R15, %rsp
        CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
        /*
@@ -24112,7 +24131,7 @@ index 03cd2a8..05a9aed 100644
        DEFAULT_FRAME 0
  
        /*
-@@ -1926,9 +2439,9 @@ end_repeat_nmi:
+@@ -1926,9 +2458,9 @@ end_repeat_nmi:
         * NMI itself takes a page fault, the page fault that was preempted
         * will read the information from the NMI page fault and not the
         * origin fault. Save it off and restore it if it changes.
@@ -24124,7 +24143,7 @@ index 03cd2a8..05a9aed 100644
  
        /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
        movq %rsp,%rdi
-@@ -1937,31 +2450,36 @@ end_repeat_nmi:
+@@ -1937,31 +2469,36 @@ end_repeat_nmi:
  
        /* Did the NMI take a page fault? Restore cr2 if it did */
        movq %cr2, %rcx
@@ -44946,6 +44965,433 @@ index 2fd9009..278cc1e 100644
  
        radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
        if (!radio)
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c 
b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+index 9fd1527..8927230 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties 
cinergyt2_properties;
+ 
+ static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
+ {
+-      char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
+-      char result[64];
+-      return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
+-                              sizeof(result), 0);
++      char *buf;
++      char *result;
++      int retval;
++
++      buf = kmalloc(2, GFP_KERNEL);
++      if (buf == NULL)
++              return -ENOMEM;
++      result = kmalloc(64, GFP_KERNEL);
++      if (result == NULL) {
++              kfree(buf);
++              return -ENOMEM;
++      }
++
++      buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
++      buf[1] = enable ? 1 : 0;
++
++      retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
++
++      kfree(buf);
++      kfree(result);
++      return retval;
+ }
+ 
+ static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
+ {
+-      char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
+-      char state[3];
+-      return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
++      char *buf;
++      char *state;
++      int retval;
++
++      buf = kmalloc(2, GFP_KERNEL);
++      if (buf == NULL)
++              return -ENOMEM;
++      state = kmalloc(3, GFP_KERNEL);
++      if (state == NULL) {
++              kfree(buf);
++              return -ENOMEM;
++      }
++
++      buf[0] = CINERGYT2_EP1_SLEEP_MODE;
++      buf[1] = enable ? 1 : 0;
++
++      retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
++
++      kfree(buf);
++      kfree(state);
++      return retval;
+ }
+ 
+ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+-      char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
+-      char state[3];
++      char *query;
++      char *state;
+       int ret;
++      query = kmalloc(1, GFP_KERNEL);
++      if (query == NULL)
++              return -ENOMEM;
++      state = kmalloc(3, GFP_KERNEL);
++      if (state == NULL) {
++              kfree(query);
++              return -ENOMEM;
++      }
++
++      query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
+ 
+       adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
+ 
+-      ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
+-                              sizeof(state), 0);
++      ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
+       if (ret < 0) {
+               deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
+                       "state info\n");
+@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter 
*adap)
+ 
+       /* Copy this pointer as we are gonna need it in the release phase */
+       cinergyt2_usb_device = adap->dev;
+-
++      kfree(query);
++      kfree(state);
+       return 0;
+ }
+ 
+@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
+ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int 
*state)
+ {
+       struct cinergyt2_state *st = d->priv;
+-      u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
++      u8 *key, *cmd;
+       int i;
+ 
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -EINVAL;
++      key = kzalloc(5, GFP_KERNEL);
++      if (key == NULL) {
++              kfree(cmd);
++              return -EINVAL;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
++
+       *state = REMOTE_NO_KEY_PRESSED;
+ 
+-      dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
++      dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
+       if (key[4] == 0xff) {
+               /* key repeat */
+               st->rc_counter++;
+@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, 
u32 *event, int *state)
+                                       *event = d->last_event;
+                                       deb_rc("repeat key, event %x\n",
+                                                  *event);
+-                                      return 0;
++                                      goto out;
+                               }
+                       }
+                       deb_rc("repeated key (non repeatable)\n");
+               }
+-              return 0;
++              goto out;
+       }
+ 
+       /* hack to pass checksum on the custom field */
+@@ -174,6 +230,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, 
u32 *event, int *state)
+ 
+               deb_rc("key: %*ph\n", 5, key);
+       }
++out:
++      kfree(cmd);
++      kfree(key);
+       return 0;
+ }
+ 
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-fe.c 
b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+index c890fe4..f9b2ae6 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-fe.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+@@ -145,103 +145,176 @@ static int cinergyt2_fe_read_status(struct 
dvb_frontend *fe,
+                                       fe_status_t *status)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg result;
+-      u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *result;
++      u8 *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
+-                      sizeof(result), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      result = kmalloc(sizeof(*result), GFP_KERNEL);
++      if (result == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
++                      sizeof(*result), 0);
+       if (ret < 0)
+-              return ret;
++              goto out;
+ 
+       *status = 0;
+ 
+-      if (0xffff - le16_to_cpu(result.gain) > 30)
++      if (0xffff - le16_to_cpu(result->gain) > 30)
+               *status |= FE_HAS_SIGNAL;
+-      if (result.lock_bits & (1 << 6))
++      if (result->lock_bits & (1 << 6))
+               *status |= FE_HAS_LOCK;
+-      if (result.lock_bits & (1 << 5))
++      if (result->lock_bits & (1 << 5))
+               *status |= FE_HAS_SYNC;
+-      if (result.lock_bits & (1 << 4))
++      if (result->lock_bits & (1 << 4))
+               *status |= FE_HAS_CARRIER;
+-      if (result.lock_bits & (1 << 1))
++      if (result->lock_bits & (1 << 1))
+               *status |= FE_HAS_VITERBI;
+ 
+       if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
+                       (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
+               *status &= ~FE_HAS_LOCK;
+ 
+-      return 0;
++out:
++      kfree(cmd);
++      kfree(result);
++      return ret;
+ }
+ 
+ static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      char *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++                              sizeof(*status), 0);
+       if (ret < 0)
+-              return ret;
++              goto out;
+ 
+-      *ber = le32_to_cpu(status.viterbi_error_rate);
++      *ber = le32_to_cpu(status->viterbi_error_rate);
++out:
++      kfree(cmd);
++      kfree(status);
+       return 0;
+ }
+ 
+ static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      u8 *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
++                              sizeof(*status), 0);
+       if (ret < 0) {
+               err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
+                       ret);
+-              return ret;
++              goto out;
+       }
+-      *unc = le32_to_cpu(status.uncorrected_block_count);
+-      return 0;
++      *unc = le32_to_cpu(status->uncorrected_block_count);
++
++out:
++      kfree(cmd);
++      kfree(status);
++      return ret;
+ }
+ 
+ static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
+                                               u16 *strength)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      char *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++                              sizeof(*status), 0);
+       if (ret < 0) {
+               err("cinergyt2_fe_read_signal_strength() Failed!"
+                       " (Error=%d)\n", ret);
+-              return ret;
++              goto out;
+       }
+-      *strength = (0xffff - le16_to_cpu(status.gain));
++      *strength = (0xffff - le16_to_cpu(status->gain));
++
++out:
++      kfree(cmd);
++      kfree(status);
+       return 0;
+ }
+ 
+ static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      char *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++                              sizeof(*status), 0);
+       if (ret < 0) {
+               err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
+-              return ret;
++              goto out;
+       }
+-      *snr = (status.snr << 8) | status.snr;
+-      return 0;
++      *snr = (status->snr << 8) | status->snr;
++
++out:
++      kfree(cmd);
++      kfree(status);
++      return ret;
+ }
+ 
+ static int cinergyt2_fe_init(struct dvb_frontend *fe)
+@@ -266,35 +339,46 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend 
*fe)
+ {
+       struct dtv_frontend_properties *fep = &fe->dtv_property_cache;
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_set_parameters_msg param;
+-      char result[2];
++      struct dvbt_set_parameters_msg *param;
++      char *result;
+       int err;
+ 
+-      param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
+-      param.tps = cpu_to_le16(compute_tps(fep));
+-      param.freq = cpu_to_le32(fep->frequency / 1000);
+-      param.flags = 0;
++      result = kmalloc(2, GFP_KERNEL);
++      if (result == NULL)
++              return -ENOMEM;
++      param = kmalloc(sizeof(*param), GFP_KERNEL);
++      if (param == NULL) {
++              kfree(result);
++              return -ENOMEM;
++      }
++
++      param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
++      param->tps = cpu_to_le16(compute_tps(fep));
++      param->freq = cpu_to_le32(fep->frequency / 1000);
++      param->flags = 0;
+ 
+       switch (fep->bandwidth_hz) {
+       default:
+       case 8000000:
+-              param.bandwidth = 8;
++              param->bandwidth = 8;
+               break;
+       case 7000000:
+-              param.bandwidth = 7;
++              param->bandwidth = 7;
+               break;
+       case 6000000:
+-              param.bandwidth = 6;
++              param->bandwidth = 6;
+               break;
+       }
+ 
+       err = dvb_usb_generic_rw(state->d,
+-                      (char *)&param, sizeof(param),
+-                      result, sizeof(result), 0);
++                      (char *)param, sizeof(*param),
++                      result, 2, 0);
+       if (err < 0)
+               err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
+ 
+-      return (err < 0) ? err : 0;
++      kfree(result);
++      kfree(param);
++      return err;
+ }
+ 
+ static void cinergyt2_fe_release(struct dvb_frontend *fe)
 diff --git a/drivers/media/usb/dvb-usb/cxusb.c 
b/drivers/media/usb/dvb-usb/cxusb.c
 index a1c641e..3007da9 100644
 --- a/drivers/media/usb/dvb-usb/cxusb.c
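Review bot: In the added `cinergyt2_power_ctrl()` the sleep-mode byte is written as `buf[1] = enable ? 1 : 0;`, but the stack initializer it replaces was `enable ? 0 : 1`, so the heap conversion inverts the command; it should read `buf[1] = enable ? 0 : 1;`. In cinergyT2-fe.c, `cinergyt2_fe_read_ber()` and `cinergyt2_fe_read_signal_strength()` now `goto out` when `dvb_usb_generic_rw()` fails, but their `out:` label ends in `return 0;`, so the caller is told the read succeeded while `*ber` / `*strength` was never written. Both should end in `return ret;`, as the converted `cinergyt2_fe_read_unc_blocks()` and `cinergyt2_fe_read_snr()` do. `cinergyt2_rc_query()` also returns `-EINVAL` when `kmalloc`/`kzalloc` fails, where every other converted function returns `-ENOMEM`. The tail of `cinergyt2_frontend_attach()` between its two inner hunks is not visible, so I could not check whether every exit there frees `query` and `state`.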

diff --git a/3.16.2/0000_README b/3.16.2/0000_README
index 7c596e8..d3923e5 100644
--- a/3.16.2/0000_README
+++ b/3.16.2/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.16.2-201409060014.patch
+Patch: 4420_grsecurity-3.0-3.16.2-201409082129.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/3.16.2/4420_grsecurity-3.0-3.16.2-201409060014.patch 
b/3.16.2/4420_grsecurity-3.0-3.16.2-201409082129.patch
similarity index 99%
rename from 3.16.2/4420_grsecurity-3.0-3.16.2-201409060014.patch
rename to 3.16.2/4420_grsecurity-3.0-3.16.2-201409082129.patch
index 83965d3..809c459 100644
--- a/3.16.2/4420_grsecurity-3.0-3.16.2-201409060014.patch
+++ b/3.16.2/4420_grsecurity-3.0-3.16.2-201409082129.patch
@@ -23283,7 +23283,7 @@ index 0d0c9d4..f65b4f6 100644
  #endif
  
 diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index c844f08..b07ea0e 100644
+index c844f08..966a50e 100644
 --- a/arch/x86/kernel/entry_64.S
 +++ b/arch/x86/kernel/entry_64.S
 @@ -59,6 +59,8 @@
@@ -24129,7 +24129,7 @@ index c844f08..b07ea0e 100644
        je retint_kernel
  
        /* Interrupt came from user space */
-@@ -816,12 +1282,16 @@ retint_swapgs:          /* return to user-space */
+@@ -816,12 +1282,35 @@ retint_swapgs:          /* return to user-space */
         * The iretq could re-enable interrupts:
         */
        DISABLE_INTERRUPTS(CLBR_ANY)
@@ -24142,11 +24142,30 @@ index c844f08..b07ea0e 100644
  retint_restore_args:  /* return to kernel space */
        DISABLE_INTERRUPTS(CLBR_ANY)
 +      pax_exit_kernel
++
++#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
++      /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
++       * namely calling EFI runtime services with a phys mapping. We're
++       * starting off with NOPs and patch in the real instrumentation
++       * (BTS/OR) before starting any userland process; even before starting
++       * up the APs.
++       */
++      .pushsection .altinstr_replacement, "a"
++      601: pax_force_retaddr (RIP-ARGOFFSET)
++      602:
++      .popsection
++      603: .fill 602b-601b, 1, 0x90
++      .pushsection .altinstructions, "a"
++      altinstruction_entry 603b, 601b, X86_FEATURE_ALWAYS, 602b-601b, 
602b-601b
++      .popsection
++#else
 +      pax_force_retaddr (RIP-ARGOFFSET)
++#endif
++
        /*
         * The iretq could re-enable interrupts:
         */
-@@ -934,7 +1404,7 @@ ENTRY(retint_kernel)
+@@ -934,7 +1423,7 @@ ENTRY(retint_kernel)
        jmp exit_intr
  #endif
        CFI_ENDPROC
@@ -24155,7 +24174,7 @@ index c844f08..b07ea0e 100644
  
        /*
         * If IRET takes a fault on the espfix stack, then we
-@@ -956,13 +1426,13 @@ __do_double_fault:
+@@ -956,13 +1445,13 @@ __do_double_fault:
        cmpq $native_irq_return_iret,%rax
        jne do_double_fault             /* This shouldn't happen... */
        movq PER_CPU_VAR(kernel_stack),%rax
@@ -24171,7 +24190,7 @@ index c844f08..b07ea0e 100644
  #else
  # define __do_double_fault do_double_fault
  #endif
-@@ -979,7 +1449,7 @@ ENTRY(\sym)
+@@ -979,7 +1468,7 @@ ENTRY(\sym)
        interrupt \do_sym
        jmp ret_from_intr
        CFI_ENDPROC
@@ -24180,7 +24199,7 @@ index c844f08..b07ea0e 100644
  .endm
  
  #ifdef CONFIG_TRACING
-@@ -1052,7 +1522,7 @@ apicinterrupt IRQ_WORK_VECTOR \
+@@ -1052,7 +1541,7 @@ apicinterrupt IRQ_WORK_VECTOR \
  /*
   * Exception entry points.
   */
@@ -24189,7 +24208,7 @@ index c844f08..b07ea0e 100644
  
  .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
  ENTRY(\sym)
-@@ -1103,6 +1573,12 @@ ENTRY(\sym)
+@@ -1103,6 +1592,12 @@ ENTRY(\sym)
        .endif
  
        .if \shift_ist != -1
@@ -24202,7 +24221,7 @@ index c844f08..b07ea0e 100644
        subq $EXCEPTION_STKSZ, INIT_TSS_IST(\shift_ist)
        .endif
  
-@@ -1119,7 +1595,7 @@ ENTRY(\sym)
+@@ -1119,7 +1614,7 @@ ENTRY(\sym)
        .endif
  
        CFI_ENDPROC
@@ -24211,7 +24230,7 @@ index c844f08..b07ea0e 100644
  .endm
  
  #ifdef CONFIG_TRACING
-@@ -1160,9 +1636,10 @@ gs_change:
+@@ -1160,9 +1655,10 @@ gs_change:
  2:    mfence          /* workaround */
        SWAPGS
        popfq_cfi
@@ -24223,7 +24242,7 @@ index c844f08..b07ea0e 100644
  
        _ASM_EXTABLE(gs_change,bad_gs)
        .section .fixup,"ax"
-@@ -1190,9 +1667,10 @@ ENTRY(do_softirq_own_stack)
+@@ -1190,9 +1686,10 @@ ENTRY(do_softirq_own_stack)
        CFI_DEF_CFA_REGISTER    rsp
        CFI_ADJUST_CFA_OFFSET   -8
        decl PER_CPU_VAR(irq_count)
@@ -24235,7 +24254,7 @@ index c844f08..b07ea0e 100644
  
  #ifdef CONFIG_XEN
  idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0
-@@ -1230,7 +1708,7 @@ ENTRY(xen_do_hypervisor_callback)   # 
do_hypervisor_callback(struct *pt_regs)
+@@ -1230,7 +1727,7 @@ ENTRY(xen_do_hypervisor_callback)   # 
do_hypervisor_callback(struct *pt_regs)
        decl PER_CPU_VAR(irq_count)
        jmp  error_exit
        CFI_ENDPROC
@@ -24244,7 +24263,7 @@ index c844f08..b07ea0e 100644
  
  /*
   * Hypervisor uses this for application faults while it executes.
-@@ -1289,7 +1767,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1289,7 +1786,7 @@ ENTRY(xen_failsafe_callback)
        SAVE_ALL
        jmp error_exit
        CFI_ENDPROC
@@ -24253,7 +24272,7 @@ index c844f08..b07ea0e 100644
  
  apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
        xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1336,18 +1814,33 @@ ENTRY(paranoid_exit)
+@@ -1336,18 +1833,33 @@ ENTRY(paranoid_exit)
        DEFAULT_FRAME
        DISABLE_INTERRUPTS(CLBR_NONE)
        TRACE_IRQS_OFF_DEBUG
@@ -24289,7 +24308,7 @@ index c844f08..b07ea0e 100644
        jmp irq_return
  paranoid_userspace:
        GET_THREAD_INFO(%rcx)
-@@ -1376,7 +1869,7 @@ paranoid_schedule:
+@@ -1376,7 +1888,7 @@ paranoid_schedule:
        TRACE_IRQS_OFF
        jmp paranoid_userspace
        CFI_ENDPROC
@@ -24298,7 +24317,7 @@ index c844f08..b07ea0e 100644
  
  /*
   * Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1403,12 +1896,23 @@ ENTRY(error_entry)
+@@ -1403,12 +1915,23 @@ ENTRY(error_entry)
        movq_cfi r14, R14+8
        movq_cfi r15, R15+8
        xorl %ebx,%ebx
@@ -24323,7 +24342,7 @@ index c844f08..b07ea0e 100644
        ret
  
  /*
-@@ -1435,7 +1939,7 @@ bstep_iret:
+@@ -1435,7 +1958,7 @@ bstep_iret:
        movq %rcx,RIP+8(%rsp)
        jmp error_swapgs
        CFI_ENDPROC
@@ -24332,7 +24351,7 @@ index c844f08..b07ea0e 100644
  
  
  /* ebx:       no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1446,7 +1950,7 @@ ENTRY(error_exit)
+@@ -1446,7 +1969,7 @@ ENTRY(error_exit)
        DISABLE_INTERRUPTS(CLBR_NONE)
        TRACE_IRQS_OFF
        GET_THREAD_INFO(%rcx)
@@ -24341,7 +24360,7 @@ index c844f08..b07ea0e 100644
        jne retint_kernel
        LOCKDEP_SYS_EXIT_IRQ
        movl TI_flags(%rcx),%edx
-@@ -1455,7 +1959,7 @@ ENTRY(error_exit)
+@@ -1455,7 +1978,7 @@ ENTRY(error_exit)
        jnz retint_careful
        jmp retint_swapgs
        CFI_ENDPROC
@@ -24350,7 +24369,7 @@ index c844f08..b07ea0e 100644
  
  /*
   * Test if a given stack is an NMI stack or not.
-@@ -1513,9 +2017,11 @@ ENTRY(nmi)
+@@ -1513,9 +2036,11 @@ ENTRY(nmi)
         * If %cs was not the kernel segment, then the NMI triggered in user
         * space, which means it is definitely not nested.
         */
@@ -24363,7 +24382,7 @@ index c844f08..b07ea0e 100644
        /*
         * Check the special variable on the stack to see if NMIs are
         * executing.
-@@ -1549,8 +2055,7 @@ nested_nmi:
+@@ -1549,8 +2074,7 @@ nested_nmi:
  
  1:
        /* Set up the interrupted NMIs stack to jump to repeat_nmi */
@@ -24373,7 +24392,7 @@ index c844f08..b07ea0e 100644
        CFI_ADJUST_CFA_OFFSET 1*8
        leaq -10*8(%rsp), %rdx
        pushq_cfi $__KERNEL_DS
-@@ -1568,6 +2073,7 @@ nested_nmi_out:
+@@ -1568,6 +2092,7 @@ nested_nmi_out:
        CFI_RESTORE rdx
  
        /* No need to check faults here */
@@ -24381,7 +24400,7 @@ index c844f08..b07ea0e 100644
        INTERRUPT_RETURN
  
        CFI_RESTORE_STATE
-@@ -1664,13 +2170,13 @@ end_repeat_nmi:
+@@ -1664,13 +2189,13 @@ end_repeat_nmi:
        subq $ORIG_RAX-R15, %rsp
        CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
        /*
@@ -24397,7 +24416,7 @@ index c844f08..b07ea0e 100644
        DEFAULT_FRAME 0
  
        /*
-@@ -1680,9 +2186,9 @@ end_repeat_nmi:
+@@ -1680,9 +2205,9 @@ end_repeat_nmi:
         * NMI itself takes a page fault, the page fault that was preempted
         * will read the information from the NMI page fault and not the
         * origin fault. Save it off and restore it if it changes.
@@ -24409,7 +24428,7 @@ index c844f08..b07ea0e 100644
  
        /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
        movq %rsp,%rdi
-@@ -1691,29 +2197,34 @@ end_repeat_nmi:
+@@ -1691,29 +2216,34 @@ end_repeat_nmi:
  
        /* Did the NMI take a page fault? Restore cr2 if it did */
        movq %cr2, %rcx
@@ -46710,6 +46729,433 @@ index 2fd9009..278cc1e 100644
  
        radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
        if (!radio)
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c 
b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+index 9fd1527..8927230 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties 
cinergyt2_properties;
+ 
+ static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
+ {
+-      char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
+-      char result[64];
+-      return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
+-                              sizeof(result), 0);
++      char *buf;
++      char *result;
++      int retval;
++
++      buf = kmalloc(2, GFP_KERNEL);
++      if (buf == NULL)
++              return -ENOMEM;
++      result = kmalloc(64, GFP_KERNEL);
++      if (result == NULL) {
++              kfree(buf);
++              return -ENOMEM;
++      }
++
++      buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
++      buf[1] = enable ? 1 : 0;
++
++      retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
++
++      kfree(buf);
++      kfree(result);
++      return retval;
+ }
+ 
+ static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
+ {
+-      char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
+-      char state[3];
+-      return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
++      char *buf;
++      char *state;
++      int retval;
++
++      buf = kmalloc(2, GFP_KERNEL);
++      if (buf == NULL)
++              return -ENOMEM;
++      state = kmalloc(3, GFP_KERNEL);
++      if (state == NULL) {
++              kfree(buf);
++              return -ENOMEM;
++      }
++
++      buf[0] = CINERGYT2_EP1_SLEEP_MODE;
++      buf[1] = enable ? 1 : 0;
++
++      retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
++
++      kfree(buf);
++      kfree(state);
++      return retval;
+ }
+ 
+ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+-      char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
+-      char state[3];
++      char *query;
++      char *state;
+       int ret;
++      query = kmalloc(1, GFP_KERNEL);
++      if (query == NULL)
++              return -ENOMEM;
++      state = kmalloc(3, GFP_KERNEL);
++      if (state == NULL) {
++              kfree(query);
++              return -ENOMEM;
++      }
++
++      query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
+ 
+       adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
+ 
+-      ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
+-                              sizeof(state), 0);
++      ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
+       if (ret < 0) {
+               deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
+                       "state info\n");
+@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter 
*adap)
+ 
+       /* Copy this pointer as we are gonna need it in the release phase */
+       cinergyt2_usb_device = adap->dev;
+-
++      kfree(query);
++      kfree(state);
+       return 0;
+ }
+ 
+@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
+ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int 
*state)
+ {
+       struct cinergyt2_state *st = d->priv;
+-      u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
++      u8 *key, *cmd;
+       int i;
+ 
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -EINVAL;
++      key = kzalloc(5, GFP_KERNEL);
++      if (key == NULL) {
++              kfree(cmd);
++              return -EINVAL;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
++
+       *state = REMOTE_NO_KEY_PRESSED;
+ 
+-      dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
++      dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
+       if (key[4] == 0xff) {
+               /* key repeat */
+               st->rc_counter++;
+@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, 
u32 *event, int *state)
+                                       *event = d->last_event;
+                                       deb_rc("repeat key, event %x\n",
+                                                  *event);
+-                                      return 0;
++                                      goto out;
+                               }
+                       }
+                       deb_rc("repeated key (non repeatable)\n");
+               }
+-              return 0;
++              goto out;
+       }
+ 
+       /* hack to pass checksum on the custom field */
+@@ -174,6 +230,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, 
u32 *event, int *state)
+ 
+               deb_rc("key: %*ph\n", 5, key);
+       }
++out:
++      kfree(cmd);
++      kfree(key);
+       return 0;
+ }
+ 
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-fe.c 
b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+index c890fe4..f9b2ae6 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-fe.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
+@@ -145,103 +145,176 @@ static int cinergyt2_fe_read_status(struct 
dvb_frontend *fe,
+                                       fe_status_t *status)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg result;
+-      u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *result;
++      u8 *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
+-                      sizeof(result), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      result = kmalloc(sizeof(*result), GFP_KERNEL);
++      if (result == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
++                      sizeof(*result), 0);
+       if (ret < 0)
+-              return ret;
++              goto out;
+ 
+       *status = 0;
+ 
+-      if (0xffff - le16_to_cpu(result.gain) > 30)
++      if (0xffff - le16_to_cpu(result->gain) > 30)
+               *status |= FE_HAS_SIGNAL;
+-      if (result.lock_bits & (1 << 6))
++      if (result->lock_bits & (1 << 6))
+               *status |= FE_HAS_LOCK;
+-      if (result.lock_bits & (1 << 5))
++      if (result->lock_bits & (1 << 5))
+               *status |= FE_HAS_SYNC;
+-      if (result.lock_bits & (1 << 4))
++      if (result->lock_bits & (1 << 4))
+               *status |= FE_HAS_CARRIER;
+-      if (result.lock_bits & (1 << 1))
++      if (result->lock_bits & (1 << 1))
+               *status |= FE_HAS_VITERBI;
+ 
+       if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
+                       (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
+               *status &= ~FE_HAS_LOCK;
+ 
+-      return 0;
++out:
++      kfree(cmd);
++      kfree(result);
++      return ret;
+ }
+ 
+ static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      char *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++                              sizeof(*status), 0);
+       if (ret < 0)
+-              return ret;
++              goto out;
+ 
+-      *ber = le32_to_cpu(status.viterbi_error_rate);
++      *ber = le32_to_cpu(status->viterbi_error_rate);
++out:
++      kfree(cmd);
++      kfree(status);
+       return 0;
+ }
+ 
+ static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      u8 *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
++                              sizeof(*status), 0);
+       if (ret < 0) {
+               err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
+                       ret);
+-              return ret;
++              goto out;
+       }
+-      *unc = le32_to_cpu(status.uncorrected_block_count);
+-      return 0;
++      *unc = le32_to_cpu(status->uncorrected_block_count);
++
++out:
++      kfree(cmd);
++      kfree(status);
++      return ret;
+ }
+ 
+ static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
+                                               u16 *strength)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      char *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++                              sizeof(*status), 0);
+       if (ret < 0) {
+               err("cinergyt2_fe_read_signal_strength() Failed!"
+                       " (Error=%d)\n", ret);
+-              return ret;
++              goto out;
+       }
+-      *strength = (0xffff - le16_to_cpu(status.gain));
++      *strength = (0xffff - le16_to_cpu(status->gain));
++
++out:
++      kfree(cmd);
++      kfree(status);
+       return 0;
+ }
+ 
+ static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      char *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++                              sizeof(*status), 0);
+       if (ret < 0) {
+               err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
+-              return ret;
++              goto out;
+       }
+-      *snr = (status.snr << 8) | status.snr;
+-      return 0;
++      *snr = (status->snr << 8) | status->snr;
++
++out:
++      kfree(cmd);
++      kfree(status);
++      return ret;
+ }
+ 
+ static int cinergyt2_fe_init(struct dvb_frontend *fe)
+@@ -266,35 +339,46 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend 
*fe)
+ {
+       struct dtv_frontend_properties *fep = &fe->dtv_property_cache;
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_set_parameters_msg param;
+-      char result[2];
++      struct dvbt_set_parameters_msg *param;
++      char *result;
+       int err;
+ 
+-      param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
+-      param.tps = cpu_to_le16(compute_tps(fep));
+-      param.freq = cpu_to_le32(fep->frequency / 1000);
+-      param.flags = 0;
++      result = kmalloc(2, GFP_KERNEL);
++      if (result == NULL)
++              return -ENOMEM;
++      param = kmalloc(sizeof(*param), GFP_KERNEL);
++      if (param == NULL) {
++              kfree(result);
++              return -ENOMEM;
++      }
++
++      param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
++      param->tps = cpu_to_le16(compute_tps(fep));
++      param->freq = cpu_to_le32(fep->frequency / 1000);
++      param->flags = 0;
+ 
+       switch (fep->bandwidth_hz) {
+       default:
+       case 8000000:
+-              param.bandwidth = 8;
++              param->bandwidth = 8;
+               break;
+       case 7000000:
+-              param.bandwidth = 7;
++              param->bandwidth = 7;
+               break;
+       case 6000000:
+-              param.bandwidth = 6;
++              param->bandwidth = 6;
+               break;
+       }
+ 
+       err = dvb_usb_generic_rw(state->d,
+-                      (char *)&param, sizeof(param),
+-                      result, sizeof(result), 0);
++                      (char *)param, sizeof(*param),
++                      result, 2, 0);
+       if (err < 0)
+               err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
+ 
+-      return (err < 0) ? err : 0;
++      kfree(result);
++      kfree(param);
++      return err;
+ }
+ 
+ static void cinergyt2_fe_release(struct dvb_frontend *fe)
 diff --git a/drivers/media/usb/dvb-usb/cxusb.c 
b/drivers/media/usb/dvb-usb/cxusb.c
 index a1c641e..3007da9 100644
 --- a/drivers/media/usb/dvb-usb/cxusb.c
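Review bot: The heap-buffer conversion in `cinergyt2_power_ctrl()` inverts the sleep-mode byte: the removed line sent `enable ? 0 : 1`, while the added one sets `buf[1] = enable ? 1 : 0;`, so the device is told the opposite of what the caller asked for; it should stay `buf[1] = enable ? 0 : 1;`. In cinergyT2-fe.c, `cinergyt2_fe_read_ber()` and `cinergyt2_fe_read_signal_strength()` now `goto out` on a failed transfer, but their `out:` path ends in `return 0;`, so the caller sees success with `*ber` / `*strength` never written; both should end with `return ret;` as `cinergyt2_fe_read_unc_blocks()` and `cinergyt2_fe_read_snr()` do. `cinergyt2_rc_query()` also reports allocation failure as `-EINVAL` where every other function in the change uses `-ENOMEM`. The 3.2.62 copy of this patch further down the page carries the same `enable ? 1 : 0` line in `cinergyt2_power_ctrl()`.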
@@ -61596,7 +62042,7 @@ index a93f7e6..d58bcbe 100644
                return 0;
        while (nr) {
 diff --git a/fs/dcache.c b/fs/dcache.c
-index 06f6585..f95a6d1 100644
+index 06f6585..65499d1 100644
 --- a/fs/dcache.c
 +++ b/fs/dcache.c
 @@ -1445,7 +1445,7 @@ struct dentry *__d_alloc(struct super_block *sb, const 
struct qstr *name)
@@ -61608,7 +62054,58 @@ index 06f6585..f95a6d1 100644
                if (!dname) {
                        kmem_cache_free(dentry_cache, dentry); 
                        return NULL;
-@@ -3413,7 +3413,8 @@ void __init vfs_caches_init(unsigned long mempages)
+@@ -2402,7 +2402,7 @@ void dentry_update_name_case(struct dentry *dentry, 
struct qstr *name)
+ }
+ EXPORT_SYMBOL(dentry_update_name_case);
+ 
+-static void switch_names(struct dentry *dentry, struct dentry *target)
++static void switch_names(struct dentry *dentry, struct dentry *target, bool 
exchange)
+ {
+       if (dname_external(target)) {
+               if (dname_external(dentry)) {
+@@ -2430,7 +2430,7 @@ static void switch_names(struct dentry *dentry, struct 
dentry *target)
+                                       target->d_name.len + 1);
+                       target->d_name.name = dentry->d_name.name;
+                       dentry->d_name.name = dentry->d_iname;
+-              } else {
++              } else if (exchange) {
+                       /*
+                        * Both are internal.
+                        */
+@@ -2440,6 +2440,14 @@ static void switch_names(struct dentry *dentry, struct 
dentry *target)
+                               swap(((long *) &dentry->d_iname)[i],
+                                    ((long *) &target->d_iname)[i]);
+                       }
++              } else {
++                      /*
++                       * Both are internal.  Just copy target to dentry
++                       */
++                      memcpy(dentry->d_iname, target->d_name.name,
++                              target->d_name.len + 1);
++                      dentry->d_name.len = target->d_name.len;
++                      return;
+               }
+       }
+       swap(dentry->d_name.len, target->d_name.len);
+@@ -2540,7 +2548,7 @@ static void __d_move(struct dentry *dentry, struct 
dentry *target,
+       list_del(&target->d_u.d_child);
+ 
+       /* Switch the names.. */
+-      switch_names(dentry, target);
++      switch_names(dentry, target, exchange);
+       swap(dentry->d_name.hash, target->d_name.hash);
+ 
+       /* ... and switch the parents */
+@@ -2679,7 +2687,7 @@ static void __d_materialise_dentry(struct dentry 
*dentry, struct dentry *anon)
+ 
+       dparent = dentry->d_parent;
+ 
+-      switch_names(dentry, anon);
++      switch_names(dentry, anon, false);
+       swap(dentry->d_name.hash, anon->d_name.hash);
+ 
+       dentry->d_parent = dentry;
+@@ -3413,7 +3421,8 @@ void __init vfs_caches_init(unsigned long mempages)
        mempages -= reserve;
  
        names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
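Review bot: In the new `!exchange` branch of `switch_names()` the function returns right after copying the name into `dentry`, leaving `target`'s name and length untouched, yet both callers still run `swap(dentry->d_name.hash, target->d_name.hash)` afterwards, so `target` ends up with its own name and `dentry`'s old hash. That is only harmless if `target` can no longer be found by hash at that point, which these hunks do not show. A comment on the branch would record the assumption, e.g. `/* target keeps its name; its hash is stale from here on, caller must have unhashed it */`. The early return also applies only when both names are inline; the external-name branches still swap regardless of `exchange`, which deserves a line in the function's header comment. `switch_names()` starts and ends outside the quoted hunks.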

diff --git a/3.16.2/4427_force_XATTR_PAX_tmpfs.patch 
b/3.16.2/4427_force_XATTR_PAX_tmpfs.patch
index bbcef41..2f1d3b4 100644
--- a/3.16.2/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.16.2/4427_force_XATTR_PAX_tmpfs.patch
@@ -6,7 +6,7 @@ namespace supported on tmpfs so that the PaX markings survive 
emerge.
 diff -Naur a/mm/shmem.c b/mm/shmem.c
 --- a/mm/shmem.c       2013-06-11 21:00:18.000000000 -0400
 +++ b/mm/shmem.c       2013-06-11 21:08:18.000000000 -0400
-@@ -2218,11 +2218,7 @@
+@@ -2219,11 +2219,7 @@
  static int shmem_xattr_validate(const char *name)
  {
        struct { const char *prefix; size_t len; } arr[] = {
@@ -18,7 +18,7 @@ diff -Naur a/mm/shmem.c b/mm/shmem.c
                { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
                { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
        };
-@@ -2278,14 +2274,12 @@
+@@ -2279,14 +2275,12 @@
        if (err)
                return err;
  

diff --git a/3.16.2/4435_grsec-mute-warnings.patch 
b/3.16.2/4435_grsec-mute-warnings.patch
index 41d43d5..4a959cc 100644
--- a/3.16.2/4435_grsec-mute-warnings.patch
+++ b/3.16.2/4435_grsec-mute-warnings.patch
@@ -31,7 +31,7 @@ Acked-by: Christian Heim <[email protected]>
 
 --- a/Makefile 2014-07-25 11:37:45.206051736 -0400
 +++ b/Makefile 2014-07-25 11:38:13.786050367 -0400
-@@ -245,7 +245,7 @@
+@@ -303,7 +303,7 @@
  
  HOSTCC       = gcc
  HOSTCXX      = g++

diff --git a/3.16.2/4465_selinux-avc_audit-log-curr_ip.patch 
b/3.16.2/4465_selinux-avc_audit-log-curr_ip.patch
index fb528d0..747ac53 100644
--- a/3.16.2/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.16.2/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro 
<[email protected]>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig       2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig       2011-04-17 19:32:53.000000000 -0400
-@@ -1147,6 +1147,27 @@
+@@ -1137,6 +1137,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  

diff --git a/3.16.2/4470_disable-compat_vdso.patch 
b/3.16.2/4470_disable-compat_vdso.patch
index 0215f1e..fd9ab60 100644
--- a/3.16.2/4470_disable-compat_vdso.patch
+++ b/3.16.2/4470_disable-compat_vdso.patch
@@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig
 --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100
 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100
-@@ -1811,29 +1811,8 @@
+@@ -1814,29 +1814,8 @@
  
  config COMPAT_VDSO
        def_bool n

diff --git a/3.2.62/0000_README b/3.2.62/0000_README
index 6c4c3cc..5f9fd24 100644
--- a/3.2.62/0000_README
+++ b/3.2.62/0000_README
@@ -166,7 +166,7 @@ Patch:      1061_linux-3.2.62.patch
 From:  http://www.kernel.org
 Desc:  Linux 3.2.62
 
-Patch: 4420_grsecurity-3.0-3.2.62-201408312002.patch
+Patch: 4420_grsecurity-3.0-3.2.62-201409082124.patch
 From:  http://www.grsecurity.net
 Desc:  hardened-sources base patch from upstream grsecurity
 

diff --git a/3.2.62/4420_grsecurity-3.0-3.2.62-201408312002.patch 
b/3.2.62/4420_grsecurity-3.0-3.2.62-201409082124.patch
similarity index 99%
rename from 3.2.62/4420_grsecurity-3.0-3.2.62-201408312002.patch
rename to 3.2.62/4420_grsecurity-3.0-3.2.62-201409082124.patch
index ad26b87..fda4aaa 100644
--- a/3.2.62/4420_grsecurity-3.0-3.2.62-201408312002.patch
+++ b/3.2.62/4420_grsecurity-3.0-3.2.62-201409082124.patch
@@ -19231,7 +19231,7 @@ index dd52355..371d3b9 100644
  
  /*
 diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 6274f5f..7b23dca 100644
+index 6274f5f..60c83a1 100644
 --- a/arch/x86/kernel/entry_64.S
 +++ b/arch/x86/kernel/entry_64.S
 @@ -55,6 +55,8 @@
@@ -19917,7 +19917,7 @@ index 6274f5f..7b23dca 100644
        je retint_kernel
  
        /* Interrupt came from user space */
-@@ -846,12 +1179,16 @@ retint_swapgs:          /* return to user-space */
+@@ -846,12 +1179,35 @@ retint_swapgs:          /* return to user-space */
         * The iretq could re-enable interrupts:
         */
        DISABLE_INTERRUPTS(CLBR_ANY)
@@ -19930,11 +19930,30 @@ index 6274f5f..7b23dca 100644
  retint_restore_args:  /* return to kernel space */
        DISABLE_INTERRUPTS(CLBR_ANY)
 +      pax_exit_kernel
++
++#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
++      /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
++       * namely calling EFI runtime services with a phys mapping. We're
++       * starting off with NOPs and patch in the real instrumentation
++       * (BTS/OR) before starting any userland process; even before starting
++       * up the APs.
++       */
++      .pushsection .altinstr_replacement, "a"
++      601: pax_force_retaddr (RIP-ARGOFFSET)
++      602:
++      .popsection
++      603: .fill 602b-601b, 1, 0x90
++      .pushsection .altinstructions, "a"
++      altinstruction_entry 603b, 601b, X86_FEATURE_ALWAYS, 602b-601b, 
602b-601b
++      .popsection
++#else
 +      pax_force_retaddr (RIP-ARGOFFSET)
++#endif
++
        /*
         * The iretq could re-enable interrupts:
         */
-@@ -940,7 +1277,7 @@ ENTRY(retint_kernel)
+@@ -940,7 +1296,7 @@ ENTRY(retint_kernel)
  #endif
  
        CFI_ENDPROC
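Review bot: The `CONFIG_EFI && CONFIG_PAX_KERNEXEC` variant of `retint_restore_args` places `.fill 602b-601b, 1, 0x90` at the return site, so `pax_force_retaddr` is absent from this interrupt-return path until the alternatives entry is applied. The comment says that happens before any userland process starts, but the code that does the patching is not in this hunk, and nothing here shows what happens if that step is skipped: the site would stay NOPs with no indication. The comment should name the function that applies the entry, along the lines of `/* patched in by <function applying this altinstruction>; until then this return path is not instrumented */`, so the dependency can be checked when either side changes.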
@@ -19943,7 +19962,7 @@ index 6274f5f..7b23dca 100644
  /*
   * End of kprobes section
   */
-@@ -956,7 +1293,7 @@ ENTRY(\sym)
+@@ -956,7 +1312,7 @@ ENTRY(\sym)
        interrupt \do_sym
        jmp ret_from_intr
        CFI_ENDPROC
@@ -19952,7 +19971,7 @@ index 6274f5f..7b23dca 100644
  .endm
  
  #ifdef CONFIG_SMP
-@@ -1026,7 +1363,7 @@ ENTRY(\sym)
+@@ -1026,7 +1382,7 @@ ENTRY(\sym)
        call \do_sym
        jmp error_exit          /* %ebx: no swapgs flag */
        CFI_ENDPROC
@@ -19961,7 +19980,7 @@ index 6274f5f..7b23dca 100644
  .endm
  
  .macro paranoidzeroentry sym do_sym
-@@ -1043,10 +1380,10 @@ ENTRY(\sym)
+@@ -1043,10 +1399,10 @@ ENTRY(\sym)
        call \do_sym
        jmp paranoid_exit       /* %ebx: no swapgs flag */
        CFI_ENDPROC
@@ -19974,7 +19993,7 @@ index 6274f5f..7b23dca 100644
  .macro paranoidzeroentry_ist sym do_sym ist
  ENTRY(\sym)
        INTR_FRAME
-@@ -1058,12 +1395,18 @@ ENTRY(\sym)
+@@ -1058,12 +1414,18 @@ ENTRY(\sym)
        TRACE_IRQS_OFF
        movq %rsp,%rdi          /* pt_regs pointer */
        xorl %esi,%esi          /* no error code */
@@ -19994,7 +20013,7 @@ index 6274f5f..7b23dca 100644
  .endm
  
  .macro errorentry sym do_sym
-@@ -1080,7 +1423,7 @@ ENTRY(\sym)
+@@ -1080,7 +1442,7 @@ ENTRY(\sym)
        call \do_sym
        jmp error_exit                  /* %ebx: no swapgs flag */
        CFI_ENDPROC
@@ -20003,7 +20022,7 @@ index 6274f5f..7b23dca 100644
  .endm
  
        /* error code is on the stack already */
-@@ -1099,7 +1442,7 @@ ENTRY(\sym)
+@@ -1099,7 +1461,7 @@ ENTRY(\sym)
        call \do_sym
        jmp paranoid_exit               /* %ebx: no swapgs flag */
        CFI_ENDPROC
@@ -20012,7 +20031,7 @@ index 6274f5f..7b23dca 100644
  .endm
  
  zeroentry divide_error do_divide_error
-@@ -1129,9 +1472,10 @@ gs_change:
+@@ -1129,9 +1491,10 @@ gs_change:
  2:    mfence          /* workaround */
        SWAPGS
        popfq_cfi
@@ -20024,7 +20043,7 @@ index 6274f5f..7b23dca 100644
  
        .section __ex_table,"a"
        .align 8
-@@ -1153,13 +1497,14 @@ ENTRY(kernel_thread_helper)
+@@ -1153,13 +1516,14 @@ ENTRY(kernel_thread_helper)
         * Here we are in the child and the registers are set as they were
         * at kernel_thread() invocation in the parent.
         */
@@ -20040,7 +20059,7 @@ index 6274f5f..7b23dca 100644
  
  /*
   * execve(). This function needs to use IRET, not SYSRET, to set up all state 
properly.
-@@ -1186,11 +1531,11 @@ ENTRY(kernel_execve)
+@@ -1186,11 +1550,11 @@ ENTRY(kernel_execve)
        RESTORE_REST
        testq %rax,%rax
        je int_ret_from_sys_call
@@ -20054,7 +20073,7 @@ index 6274f5f..7b23dca 100644
  
  /* Call softirq on interrupt stack. Interrupts are off. */
  ENTRY(call_softirq)
-@@ -1208,9 +1553,10 @@ ENTRY(call_softirq)
+@@ -1208,9 +1572,10 @@ ENTRY(call_softirq)
        CFI_DEF_CFA_REGISTER    rsp
        CFI_ADJUST_CFA_OFFSET   -8
        decl PER_CPU_VAR(irq_count)
@@ -20066,7 +20085,7 @@ index 6274f5f..7b23dca 100644
  
  #ifdef CONFIG_XEN
  zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1248,7 +1594,7 @@ ENTRY(xen_do_hypervisor_callback)   # 
do_hypervisor_callback(struct *pt_regs)
+@@ -1248,7 +1613,7 @@ ENTRY(xen_do_hypervisor_callback)   # 
do_hypervisor_callback(struct *pt_regs)
        decl PER_CPU_VAR(irq_count)
        jmp  error_exit
        CFI_ENDPROC
@@ -20075,7 +20094,7 @@ index 6274f5f..7b23dca 100644
  
  /*
   * Hypervisor uses this for application faults while it executes.
-@@ -1307,7 +1653,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1307,7 +1672,7 @@ ENTRY(xen_failsafe_callback)
        SAVE_ALL
        jmp error_exit
        CFI_ENDPROC
@@ -20084,7 +20103,7 @@ index 6274f5f..7b23dca 100644
  
  apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
        xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1356,16 +1702,31 @@ ENTRY(paranoid_exit)
+@@ -1356,16 +1721,31 @@ ENTRY(paranoid_exit)
        TRACE_IRQS_OFF
        testl %ebx,%ebx                         /* swapgs needed? */
        jnz paranoid_restore
@@ -20117,7 +20136,7 @@ index 6274f5f..7b23dca 100644
        jmp irq_return
  paranoid_userspace:
        GET_THREAD_INFO(%rcx)
-@@ -1394,7 +1755,7 @@ paranoid_schedule:
+@@ -1394,7 +1774,7 @@ paranoid_schedule:
        TRACE_IRQS_OFF
        jmp paranoid_userspace
        CFI_ENDPROC
@@ -20126,7 +20145,7 @@ index 6274f5f..7b23dca 100644
  
  /*
   * Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1421,12 +1782,23 @@ ENTRY(error_entry)
+@@ -1421,12 +1801,23 @@ ENTRY(error_entry)
        movq_cfi r14, R14+8
        movq_cfi r15, R15+8
        xorl %ebx,%ebx
@@ -20151,7 +20170,7 @@ index 6274f5f..7b23dca 100644
        ret
  
  /*
-@@ -1453,7 +1825,7 @@ bstep_iret:
+@@ -1453,7 +1844,7 @@ bstep_iret:
        movq %rcx,RIP+8(%rsp)
        jmp error_swapgs
        CFI_ENDPROC
@@ -20160,7 +20179,7 @@ index 6274f5f..7b23dca 100644
  
  
  /* ebx:       no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1473,7 +1845,7 @@ ENTRY(error_exit)
+@@ -1473,7 +1864,7 @@ ENTRY(error_exit)
        jnz retint_careful
        jmp retint_swapgs
        CFI_ENDPROC
@@ -20169,7 +20188,7 @@ index 6274f5f..7b23dca 100644
  
  
        /* runs on exception stack */
-@@ -1485,6 +1857,7 @@ ENTRY(nmi)
+@@ -1485,6 +1876,7 @@ ENTRY(nmi)
        CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
        call save_paranoid
        DEFAULT_FRAME 0
@@ -20177,7 +20196,7 @@ index 6274f5f..7b23dca 100644
        /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
        movq %rsp,%rdi
        movq $-1,%rsi
-@@ -1495,12 +1868,28 @@ ENTRY(nmi)
+@@ -1495,12 +1887,28 @@ ENTRY(nmi)
        DISABLE_INTERRUPTS(CLBR_NONE)
        testl %ebx,%ebx                         /* swapgs needed? */
        jnz nmi_restore
@@ -20207,7 +20226,7 @@ index 6274f5f..7b23dca 100644
        jmp irq_return
  nmi_userspace:
        GET_THREAD_INFO(%rcx)
-@@ -1529,14 +1918,14 @@ nmi_schedule:
+@@ -1529,14 +1937,14 @@ nmi_schedule:
        jmp paranoid_exit
        CFI_ENDPROC
  #endif
@@ -42469,6 +42488,419 @@ index d5cda35..017af46 100644
        struct device *clsdev;
        int minor;
        int id;
+diff --git a/drivers/media/dvb/dvb-usb/cinergyT2-core.c 
b/drivers/media/dvb/dvb-usb/cinergyT2-core.c
+index f9d9050..d7a9d4e 100644
+--- a/drivers/media/dvb/dvb-usb/cinergyT2-core.c
++++ b/drivers/media/dvb/dvb-usb/cinergyT2-core.c
+@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties 
cinergyt2_properties;
+ 
+ static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
+ {
+-      char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
+-      char result[64];
+-      return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
+-                              sizeof(result), 0);
++      char *buf;
++      char *result;
++      int retval;
++
++      buf = kmalloc(2, GFP_KERNEL);
++      if (buf == NULL)
++              return -ENOMEM;
++      result = kmalloc(64, GFP_KERNEL);
++      if (result == NULL) {
++              kfree(buf);
++              return -ENOMEM;
++      }
++
++      buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
++      buf[1] = enable ? 1 : 0;
++
++      retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
++
++      kfree(buf);
++      kfree(result);
++      return retval;
+ }
+ 
+ static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
+ {
+-      char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
+-      char state[3];
+-      return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
++      char *buf;
++      char *state;
++      int retval;
++
++      buf = kmalloc(2, GFP_KERNEL);
++      if (buf == NULL)
++              return -ENOMEM;
++      state = kmalloc(3, GFP_KERNEL);
++      if (state == NULL) {
++              kfree(buf);
++              return -ENOMEM;
++      }
++
++      buf[0] = CINERGYT2_EP1_SLEEP_MODE;
++      buf[1] = enable ? 1 : 0;
++
++      retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
++
++      kfree(buf);
++      kfree(state);
++      return retval;
+ }
+ 
+ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+ {
+-      char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
+-      char state[3];
++      char *query;
++      char *state;
+       int ret;
++      query = kmalloc(1, GFP_KERNEL);
++      if (query == NULL)
++              return -ENOMEM;
++      state = kmalloc(3, GFP_KERNEL);
++      if (state == NULL) {
++              kfree(query);
++              return -ENOMEM;
++      }
++
++      query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
+ 
+       adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
+ 
+-      ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
+-                              sizeof(state), 0);
++      ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
+       if (ret < 0) {
+               deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
+                       "state info\n");
+@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter 
*adap)
+ 
+       /* Copy this pointer as we are gonna need it in the release phase */
+       cinergyt2_usb_device = adap->dev;
+-
++      kfree(query);
++      kfree(state);
+       return 0;
+ }
+ 
+@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
+ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int 
*state)
+ {
+       struct cinergyt2_state *st = d->priv;
+-      u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
++      u8 *key, *cmd;
+       int i;
+ 
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -EINVAL;
++      key = kzalloc(5, GFP_KERNEL);
++      if (key == NULL) {
++              kfree(cmd);
++              return -EINVAL;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
++
+       *state = REMOTE_NO_KEY_PRESSED;
+ 
+-      dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
++      dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
+       if (key[4] == 0xff) {
+               /* key repeat */
+               st->rc_counter++;
+@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, 
u32 *event, int *state)
+                                       *event = d->last_event;
+                                       deb_rc("repeat key, event %x\n",
+                                                  *event);
+-                                      return 0;
++                                      goto out;
+                               }
+                       }
+                       deb_rc("repeated key (non repeatable)\n");
+               }
+-              return 0;
++              goto out;
+       }
+ 
+       /* hack to pass checksum on the custom field */
+@@ -175,6 +231,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, 
u32 *event, int *state)
+               deb_rc("key: %x %x %x %x %x\n",
+                      key[0], key[1], key[2], key[3], key[4]);
+       }
++out:
++      kfree(cmd);
++      kfree(key);
+       return 0;
+ }
+ 
+diff --git a/drivers/media/dvb/dvb-usb/cinergyT2-fe.c 
b/drivers/media/dvb/dvb-usb/cinergyT2-fe.c
+index 9cd51ac..0967e20 100644
+--- a/drivers/media/dvb/dvb-usb/cinergyT2-fe.c
++++ b/drivers/media/dvb/dvb-usb/cinergyT2-fe.c
+@@ -146,103 +146,176 @@ static int cinergyt2_fe_read_status(struct 
dvb_frontend *fe,
+                                       fe_status_t *status)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg result;
+-      u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *result;
++      u8 *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
+-                      sizeof(result), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      result = kmalloc(sizeof(*result), GFP_KERNEL);
++      if (result == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
++                      sizeof(*result), 0);
+       if (ret < 0)
+-              return ret;
++              goto out;
+ 
+       *status = 0;
+ 
+-      if (0xffff - le16_to_cpu(result.gain) > 30)
++      if (0xffff - le16_to_cpu(result->gain) > 30)
+               *status |= FE_HAS_SIGNAL;
+-      if (result.lock_bits & (1 << 6))
++      if (result->lock_bits & (1 << 6))
+               *status |= FE_HAS_LOCK;
+-      if (result.lock_bits & (1 << 5))
++      if (result->lock_bits & (1 << 5))
+               *status |= FE_HAS_SYNC;
+-      if (result.lock_bits & (1 << 4))
++      if (result->lock_bits & (1 << 4))
+               *status |= FE_HAS_CARRIER;
+-      if (result.lock_bits & (1 << 1))
++      if (result->lock_bits & (1 << 1))
+               *status |= FE_HAS_VITERBI;
+ 
+       if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
+                       (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
+               *status &= ~FE_HAS_LOCK;
+ 
+-      return 0;
++out:
++      kfree(cmd);
++      kfree(result);
++      return ret;
+ }
+ 
+ static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      char *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++                              sizeof(*status), 0);
+       if (ret < 0)
+-              return ret;
++              goto out;
+ 
+-      *ber = le32_to_cpu(status.viterbi_error_rate);
++      *ber = le32_to_cpu(status->viterbi_error_rate);
++out:
++      kfree(cmd);
++      kfree(status);
+       return 0;
+ }
+ 
+ static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      u8 *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
++                              sizeof(*status), 0);
+       if (ret < 0) {
+               err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
+                       ret);
+-              return ret;
++              goto out;
+       }
+-      *unc = le32_to_cpu(status.uncorrected_block_count);
+-      return 0;
++      *unc = le32_to_cpu(status->uncorrected_block_count);
++
++out:
++      kfree(cmd);
++      kfree(status);
++      return ret;
+ }
+ 
+ static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
+                                               u16 *strength)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      char *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++                              sizeof(*status), 0);
+       if (ret < 0) {
+               err("cinergyt2_fe_read_signal_strength() Failed!"
+                       " (Error=%d)\n", ret);
+-              return ret;
++              goto out;
+       }
+-      *strength = (0xffff - le16_to_cpu(status.gain));
++      *strength = (0xffff - le16_to_cpu(status->gain));
++
++out:
++      kfree(cmd);
++      kfree(status);
+       return 0;
+ }
+ 
+ static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_get_status_msg status;
+-      char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
++      struct dvbt_get_status_msg *status;
++      char *cmd;
+       int ret;
+ 
+-      ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
+-                              sizeof(status), 0);
++      cmd = kmalloc(1, GFP_KERNEL);
++      if (cmd == NULL)
++              return -ENOMEM;
++      status = kmalloc(sizeof(*status), GFP_KERNEL);
++      if (status == NULL) {
++              kfree(cmd);
++              return -ENOMEM;
++      }
++
++      cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
++
++      ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
++                              sizeof(*status), 0);
+       if (ret < 0) {
+               err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
+-              return ret;
++              goto out;
+       }
+-      *snr = (status.snr << 8) | status.snr;
+-      return 0;
++      *snr = (status->snr << 8) | status->snr;
++
++out:
++      kfree(cmd);
++      kfree(status);
++      return ret;
+ }
+ 
+ static int cinergyt2_fe_init(struct dvb_frontend *fe)
+@@ -267,23 +340,34 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend 
*fe,
+                                 struct dvb_frontend_parameters *fep)
+ {
+       struct cinergyt2_fe_state *state = fe->demodulator_priv;
+-      struct dvbt_set_parameters_msg param;
+-      char result[2];
++      struct dvbt_set_parameters_msg *param;
++      char *result;
+       int err;
+ 
+-      param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
+-      param.tps = cpu_to_le16(compute_tps(fep));
+-      param.freq = cpu_to_le32(fep->frequency / 1000);
+-      param.bandwidth = 8 - fep->u.ofdm.bandwidth - BANDWIDTH_8_MHZ;
+-      param.flags = 0;
++      result = kmalloc(2, GFP_KERNEL);
++      if (result == NULL)
++              return -ENOMEM;
++      param = kmalloc(sizeof(*param), GFP_KERNEL);
++      if (param == NULL) {
++              kfree(result);
++              return -ENOMEM;
++      }
++
++      param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
++      param->tps = cpu_to_le16(compute_tps(fep));
++      param->freq = cpu_to_le32(fep->frequency / 1000);
++      param->bandwidth = 8 - fep->u.ofdm.bandwidth - BANDWIDTH_8_MHZ;
++      param->flags = 0;
+ 
+       err = dvb_usb_generic_rw(state->d,
+-                      (char *)&param, sizeof(param),
+-                      result, sizeof(result), 0);
++                      (char *)param, sizeof(*param),
++                      result, 2, 0);
+       if (err < 0)
+               err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
+ 
+-      return (err < 0) ? err : 0;
++      kfree(result);
++      kfree(param);
++      return err;
+ }
+ 
+ static int cinergyt2_fe_get_frontend(struct dvb_frontend *fe,
 diff --git a/drivers/media/dvb/dvb-usb/cxusb.c 
b/drivers/media/dvb/dvb-usb/cxusb.c
 index 9f2a02c..5920f88 100644
 --- a/drivers/media/dvb/dvb-usb/cxusb.c
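Review bot: In `cinergyt2_fe_read_ber` and `cinergyt2_fe_read_signal_strength` the new `out:` label ends in `return 0;`, so a failed `dvb_usb_generic_rw()` now reports success where the removed code did `return ret;`, and `*ber` / `*strength` are never written on that path, leaving the caller with whatever its variable held before the call. Both should end in `return ret;`, as the sibling `cinergyt2_fe_read_unc_blocks` and `cinergyt2_fe_read_snr` in the same hunk already do. Separately, `cinergyt2_power_ctrl` changes the sleep-mode argument from `enable ? 0 : 1` to `buf[1] = enable ? 1 : 0;`, which inverts the polarity and looks like a copy from `cinergyt2_streaming_ctrl`; it should stay `buf[1] = enable ? 0 : 1;`. `cinergyt2_rc_query` also returns `-EINVAL` when `kmalloc`/`kzalloc` fails, where every other function touched here returns `-ENOMEM`.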
