Auto commit, grsecurity-3.1-4.9.16-201703180820.patch added.
author    Piotr Karbowski <piotr.karbowski@gmail.com>  Sat, 18 Mar 2017 13:00:07 +0000 (14:00 +0100)
committer Piotr Karbowski <piotr.karbowski@gmail.com>  Sat, 18 Mar 2017 13:00:07 +0000 (14:00 +0100)
test/4.9.16/grsecurity-3.1-4.9.16-201703180820.patch [new file with mode: 0644]
test/4.9.16/grsecurity-3.1-4.9.16-201703180820.patch.sig [new file with mode: 0644]
test/changelog-test.txt

diff --git a/test/4.9.16/grsecurity-3.1-4.9.16-201703180820.patch b/test/4.9.16/grsecurity-3.1-4.9.16-201703180820.patch
new file mode 100644 (file)
index 0000000..8d585e2
--- /dev/null
+++ b/test/4.9.16/grsecurity-3.1-4.9.16-201703180820.patch
@@ -0,0 +1,225862 @@
+diff --git a/Documentation/dontdiff b/Documentation/dontdiff
+index 5385cba..607c6a0 100644
+--- a/Documentation/dontdiff
++++ b/Documentation/dontdiff
+@@ -7,6 +7,7 @@
+ *.cis
+ *.cpio
+ *.csp
++*.dbg
+ *.dsp
+ *.dvi
+ *.elf
+@@ -16,6 +17,7 @@
+ *.gcov
+ *.gen.S
+ *.gif
++*.gmo
+ *.grep
+ *.grp
+ *.gz
+@@ -52,14 +54,17 @@
+ *.tab.h
+ *.tex
+ *.ver
++*.vim
+ *.xml
+ *.xz
+ *_MODULES
++*_reg_safe.h
+ *_vga16.c
+ *~
+ \#*#
+ *.9
+-.*
++.[^g]*
++.gen*
+ .*.d
+ .mm
+ 53c700_d.h
+@@ -73,9 +78,11 @@ Image
+ Module.markers
+ Module.symvers
+ PENDING
++PERF*
+ SCCS
+ System.map*
+ TAGS
++TRACEEVENT-CFLAGS
+ aconf
+ af_names.h
+ aic7*reg.h*
+@@ -84,6 +91,7 @@ aic7*seq.h*
+ aicasm
+ aicdb.h*
+ altivec*.c
++ashldi3.S
+ asm-offsets.h
+ asm_offsets.h
+ autoconf.h*
+@@ -96,11 +104,14 @@ bounds.h
+ bsetup
+ btfixupprep
+ build
++builtin-policy.h
+ bvmlinux
+ bzImage*
+ capability_names.h
+ capflags.c
+ classlist.h*
++clut_vga16.c
++common-cmds.h
+ comp*.log
+ compile.h*
+ conf
+@@ -109,19 +120,23 @@ config-*
+ config_data.h*
+ config.mak
+ config.mak.autogen
++config.tmp
+ conmakehash
+ consolemap_deftbl.c*
+ cpustr.h
+ crc32table.h*
+ cscope.*
+ defkeymap.c
++devicetable-offsets.h
+ devlist.h*
+ dnotify_test
+ docproc
+ dslm
++dtc-lexer.lex.c
+ elf2ecoff
+ elfconfig.h*
+ evergreen_reg_safe.h
++exception_policy.conf
+ fixdep
+ flask.h
+ fore200e_mkfirm
+@@ -129,12 +144,15 @@ fore200e_pca_fw.c*
+ gconf
+ gconf.glade.h
+ gen-devlist
++gen-kdb_cmds.c
+ gen_crc32table
+ gen_init_cpio
+ generated
+ genheaders
+ genksyms
+ *_gray256.c
++hash
++hid-example
+ hpet_example
+ hugepage-mmap
+ hugepage-shm
+@@ -149,14 +167,14 @@ int32.c
+ int4.c
+ int8.c
+ kallsyms
+-kconfig
++kern_constants.h
+ keywords.c
+ ksym.c*
+ ksym.h*
+ kxgettext
+ lex.c
+ lex.*.c
+-linux
++lib1funcs.S
+ logo_*.c
+ logo_*_clut224.c
+ logo_*_mono.c
+@@ -167,12 +185,14 @@ machtypes.h
+ map
+ map_hugetlb
+ mconf
++mdp
+ miboot*
+ mk_elfconfig
+ mkboot
+ mkbugboot
+ mkcpustr
+ mkdep
++mkpiggy
+ mkprep
+ mkregtable
+ mktables
+@@ -188,6 +208,8 @@ oui.c*
+ page-types
+ parse.c
+ parse.h
++parse-events*
++pasyms.h
+ patches*
+ pca200e.bin
+ pca200e_ecd.bin2
+@@ -197,6 +219,7 @@ perf-archive
+ piggyback
+ piggy.gzip
+ piggy.S
++pmu-*
+ pnmtologo
+ ppc_defs.h*
+ pss_boot.h
+@@ -206,7 +229,12 @@ r200_reg_safe.h
+ r300_reg_safe.h
+ r420_reg_safe.h
+ r600_reg_safe.h
++randomize_layout_hash.h
++randomize_layout_seed.h
++realmode.lds
++realmode.relocs
+ recordmcount
++regdb.c
+ relocs
+ rlim_names.h
+ rn50_reg_safe.h
+@@ -216,8 +244,17 @@ series
+ setup
+ setup.bin
+ setup.elf
++signing_key*
++aux.h
++disable.h
++e_fields.h
++e_fns.h
++e_fptrs.h
++e_vars.h
+ sImage
++slabinfo
+ sm_tbl*
++sortextable
+ split-include
+ syscalltab.h
+ tables.c
+@@ -227,6 +264,7 @@ tftpboot.img
+ timeconst.h
+ times.h*
+ trix_boot.h
++user_constants.h
+ utsrelease.h*
+ vdso-syms.lds
+ vdso.lds
+@@ -238,13 +276,17 @@ vdso32.lds
+ vdso32.so.dbg
+ vdso64.lds
+ vdso64.so.dbg
++vdsox32.lds
++vdsox32-syms.lds
+ version.h*
+ vmImage
+ vmlinux
+ vmlinux-*
+ vmlinux.aout
+ vmlinux.bin.all
++vmlinux.bin.bz2
+ vmlinux.lds
++vmlinux.relocs
+ vmlinuz
+ voffset.h
+ vsyscall.lds
+@@ -252,9 +294,12 @@ vsyscall_32.lds
+ wanxlfw.inc
+ uImage
+ unifdef
++utsrelease.h
+ wakeup.bin
+ wakeup.elf
+ wakeup.lds
++x509*
+ zImage*
+ zconf.hash.c
++zconf.lex.c
+ zoffset.h
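
The dontdiff additions above track artifacts that a grsecurity build generates on top of a vanilla tree: gcc-plugin outputs (*_reg_safe.h, randomize_layout_seed.h, the size_overflow e_*.h tables also cleaned up in the Makefile hunk below), module signing material (signing_key*, x509*), and assorted generated sources. dontdiff is an exclude list for diff(1), so a typical comparison of a patched tree against a vanilla one (tree names here are illustrative) would run:

        diff -urN -X Documentation/dontdiff linux-4.9.16 linux-4.9.16-grsec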
+diff --git a/Documentation/kbuild/makefiles.txt b/Documentation/kbuild/makefiles.txt
+index 9b9c479..5a635ff 100644
+--- a/Documentation/kbuild/makefiles.txt
++++ b/Documentation/kbuild/makefiles.txt
+@@ -23,10 +23,11 @@ This document describes the Linux kernel Makefiles.
+       === 4 Host Program support
+          --- 4.1 Simple Host Program
+          --- 4.2 Composite Host Programs
+-         --- 4.3 Using C++ for host programs
+-         --- 4.4 Controlling compiler options for host programs
+-         --- 4.5 When host programs are actually built
+-         --- 4.6 Using hostprogs-$(CONFIG_FOO)
++         --- 4.3 Defining shared libraries
++         --- 4.4 Using C++ for host programs
++         --- 4.5 Controlling compiler options for host programs
++         --- 4.6 When host programs are actually built
++         --- 4.7 Using hostprogs-$(CONFIG_FOO)
+       === 5 Kbuild clean infrastructure
+@@ -645,7 +646,29 @@ Both possibilities are described in the following.
+       Finally, the two .o files are linked to the executable, lxdialog.
+       Note: The syntax <executable>-y is not permitted for host-programs.
+---- 4.3 Using C++ for host programs
++--- 4.3 Defining shared libraries
++
++      Objects with extension .so are considered shared libraries, and
++      will be compiled as position independent objects.
++      Kbuild provides support for shared libraries, but the usage
++      shall be restricted.
++      In the following example the libkconfig.so shared library is used
++      to link the executable conf.
++
++      Example:
++              #scripts/kconfig/Makefile
++              hostprogs-y     := conf
++              conf-objs       := conf.o libkconfig.so
++              libkconfig-objs := expr.o type.o
++
++      Shared libraries always require a corresponding -objs line, and
++      in the example above the shared library libkconfig is composed by
++      the two objects expr.o and type.o.
++      expr.o and type.o will be built as position independent code and
++      linked as a shared library libkconfig.so. C++ is not supported for
++      shared libraries.
++
++--- 4.4 Using C++ for host programs
+       kbuild offers support for host programs written in C++. This was
+       introduced solely to support kconfig, and is not recommended
+@@ -668,7 +691,7 @@ Both possibilities are described in the following.
+               qconf-cxxobjs := qconf.o
+               qconf-objs    := check.o
+---- 4.4 Controlling compiler options for host programs
++--- 4.5 Controlling compiler options for host programs
+       When compiling host programs, it is possible to set specific flags.
+       The programs will always be compiled utilising $(HOSTCC) passed
+@@ -696,7 +719,7 @@ Both possibilities are described in the following.
+       When linking qconf, it will be passed the extra option
+       "-L$(QTDIR)/lib".
+---- 4.5 When host programs are actually built
++--- 4.6 When host programs are actually built
+       Kbuild will only build host-programs when they are referenced
+       as a prerequisite.
+@@ -727,7 +750,7 @@ Both possibilities are described in the following.
+       This will tell kbuild to build lxdialog even if not referenced in
+       any rule.
+---- 4.6 Using hostprogs-$(CONFIG_FOO)
++--- 4.7 Using hostprogs-$(CONFIG_FOO)
+       A typical pattern in a Kbuild file looks like this:
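
(The hunk's context window stops at the introduction; in the full makefiles.txt the pattern continues with an example along the lines of "hostprogs-$(CONFIG_KALLSYMS) += kallsyms", i.e. the host program is only built when the corresponding config option is set to y.)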
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index 65b05ba..725a42a 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1426,6 +1426,12 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+                       [KNL] Should the hard-lockup detector generate
+                       backtraces on all cpus.
+                       Format: <integer>
++      grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
++                      ignore grsecurity's /proc restrictions
++
++      grsec_sysfs_restrict= Format: 0 | 1
++                      Default: 1
++                      Disables GRKERNSEC_SYSFS_RESTRICT if enabled in config
+       hashdist=       [KNL,NUMA] Large hashes allocated during boot
+                       are distributed across NUMA nodes.  Defaults on
+@@ -2655,6 +2661,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+                       noexec=on: enable non-executable mappings (default)
+                       noexec=off: disable non-executable mappings
++      nopcid          [X86-64]
++                      Disable PCID (Process-Context IDentifier) even if it
++                      is supported by the processor.
++
+       nosmap          [X86]
+                       Disable SMAP (Supervisor Mode Access Prevention)
+                       even if it is supported by processor.
+@@ -2963,6 +2973,35 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+                       the specified number of seconds.  This is to be used if
+                       your oopses keep scrolling off the screen.
++      pax_nouderef    [X86] disables UDEREF.  Most likely needed under certain
++                      virtualization environments that don't cope well with the
++                      expand down segment used by UDEREF on X86-32 or the frequent
++                      page table updates on X86-64.
++
++      pax_sanitize_slab=
++                      Format: { 0 | 1 | off | fast | full }
++                      Options '0' and '1' are only provided for backward
++                      compatibility, 'off' or 'fast' should be used instead.
++                      0|off : disable slab object sanitization
++                      1|fast: enable slab object sanitization excluding
++                              whitelisted slabs (default)
++                      full  : sanitize all slabs, even the whitelisted ones
++
++      pax_softmode=   0/1 to disable/enable PaX softmode on boot already.
++
++      pax_extra_latent_entropy
++                      Enable a very simple form of latent entropy extraction
++                      from the first 4GB of memory as the bootmem allocator
++                      passes the memory pages to the buddy allocator.
++
++      pax_size_overflow_report_only
++                      Enables rate-limited logging of size_overflow plugin
++                      violations while disabling killing of the violating
++                      task.
++
++      pax_weakuderef  [X86-64] enables the weaker but faster form of UDEREF
++                      when the processor supports PCID.
++
+       pcbit=          [HW,ISDN]
+       pcd.            [PARIDE]
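
Together these parameters expose boot-time switches for grsecurity/PaX behaviour that would otherwise be fixed at configure time. A hypothetical boot entry combining the formats documented above (the kernel image name and root device are placeholders):

        linux /boot/vmlinuz-4.9.16-grsec root=/dev/sda1 pax_sanitize_slab=full grsec_sysfs_restrict=0 pax_size_overflow_report_only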
+diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
+index ffab8b5..b8fcd61 100644
+--- a/Documentation/sysctl/kernel.txt
++++ b/Documentation/sysctl/kernel.txt
+@@ -42,6 +42,7 @@ show up in /proc/sys/kernel:
+ - kptr_restrict
+ - kstack_depth_to_print       [ X86 only ]
+ - l2cr                        [ PPC only ]
++- modify_ldt                  [ X86 only ]
+ - modprobe                    ==> Documentation/debugging-modules.txt
+ - modules_disabled
+ - msg_next_id               [ sysv ipc ]
+@@ -409,6 +410,20 @@ This flag controls the L2 cache of G3 processor boards. If
+ ==============================================================
++modify_ldt: (X86 only)
++
++Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT
++(Local Descriptor Table) may be needed to run a 16-bit or segmented code
++such as Dosemu or Wine. This is done via a system call which is not needed
++to run portable applications, and which can sometimes be abused to exploit
++some weaknesses of the architecture, opening new vulnerabilities.
++
++This sysctl allows one to increase the system's security by disabling the
++system call, or to restore compatibility with specific applications when it
++was already disabled.
++
++==============================================================
++
+ modules_disabled:
+ A toggle value indicating if modules are allowed to be loaded
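
The new modify_ldt knob is runtime-togglable via /proc/sys/kernel/modify_ldt (e.g. "sysctl -w kernel.modify_ldt=0"). A minimal userspace probe for the current setting, on the assumption that the gated syscall fails with an error such as ENOSYS while disabled, might look like:

        /* probe_modify_ldt.c -- illustrative, not part of the patch */
        #include <stdio.h>
        #include <string.h>
        #include <errno.h>
        #include <unistd.h>
        #include <sys/syscall.h>

        int main(void)
        {
                unsigned char ldt[64];
                /* func 0 reads the current LDT into the buffer */
                long ret = syscall(SYS_modify_ldt, 0, ldt, sizeof(ldt));

                if (ret < 0)
                        printf("modify_ldt blocked or unavailable: %s\n",
                               strerror(errno));
                else
                        printf("modify_ldt allowed (%ld bytes read)\n", ret);
                return 0;
        }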
+diff --git a/Kbuild b/Kbuild
+index 3d0ae15..84e5412 100644
+--- a/Kbuild
++++ b/Kbuild
+@@ -91,6 +91,7 @@ $(obj)/$(offsets-file): arch/$(SRCARCH)/kernel/asm-offsets.s FORCE
+ always += missing-syscalls
+ targets += missing-syscalls
++GCC_PLUGINS_missing-syscalls := n
+ quiet_cmd_syscalls = CALL    $<
+       cmd_syscalls = $(CONFIG_SHELL) $< $(CC) $(c_flags) $(missing_syscalls_flags)
+diff --git a/Makefile b/Makefile
+index 4e0f962..202756a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
+ HOSTCC       = gcc
+ HOSTCXX      = g++
+ HOSTCFLAGS   = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89
+-HOSTCXXFLAGS = -O2
+HOSTCFLAGS  += -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks
++HOSTCFLAGS  += $(call cc-option, -Wno-empty-body)
++HOSTCXXFLAGS = -O2 -Wall -W -Wno-array-bounds
+ ifeq ($(shell $(HOSTCC) -v 2>&1 | grep -c "clang version"), 1)
+ HOSTCFLAGS  += -Wno-unused-value -Wno-unused-parameter \
+@@ -731,7 +733,7 @@ KBUILD_CFLAGS   += $(call cc-option, -gsplit-dwarf, -g)
+ else
+ KBUILD_CFLAGS += -g
+ endif
+-KBUILD_AFLAGS += -Wa,-gdwarf-2
++KBUILD_AFLAGS += -Wa,--gdwarf-2
+ endif
+ ifdef CONFIG_DEBUG_INFO_DWARF4
+ KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,)
+@@ -910,7 +912,7 @@ export mod_sign_cmd
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y                += kernel/ certs/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y                += kernel/ certs/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+ vmlinux-dirs  := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+                    $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+@@ -1274,7 +1276,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \
+                 Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
+                 signing_key.pem signing_key.priv signing_key.x509     \
+                 x509.genkey extra_certificates signing_key.x509.keyid \
+-                signing_key.x509.signer vmlinux-gdb.py
++                signing_key.x509.signer vmlinux-gdb.py \
++                scripts/gcc-plugins/size_overflow_plugin/e_*.h \
++                scripts/gcc-plugins/size_overflow_plugin/disable.h \
++                scripts/gcc-plugins/randomize_layout_seed.h
+ # clean - Delete most, but leave enough to build external modules
+ #
+@@ -1314,7 +1319,7 @@ distclean: mrproper
+       @find $(srctree) $(RCS_FIND_IGNORE) \
+               \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
+               -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
+-              -o -name '.*.rej' -o -name '*%'  -o -name 'core' \) \
++              -o -name '.*.rej' -o -name '*.so' -o -name '*%' -o -name 'core' \) \
+               -type f -print | xargs rm -f
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 659bdd0..4179181 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -164,6 +164,7 @@ config ARCH_USE_BUILTIN_BSWAP
+ config KRETPROBES
+       def_bool y
+       depends on KPROBES && HAVE_KRETPROBES
++      depends on !PAX_RAP
+ config USER_RETURN_NOTIFIER
+       bool
+@@ -355,7 +356,7 @@ config HAVE_GCC_PLUGINS
+ menuconfig GCC_PLUGINS
+       bool "GCC plugins"
+       depends on HAVE_GCC_PLUGINS
+-      depends on !COMPILE_TEST
++      default y
+       help
+         GCC plugins are loadable modules that provide extra features to the
+         compiler. They are useful for runtime instrumentation and static analysis.
+@@ -759,6 +760,7 @@ config VMAP_STACK
+       default y
+       bool "Use a virtually-mapped stack"
+       depends on HAVE_ARCH_VMAP_STACK && !KASAN
++      depends on !GRKERNSEC_KSTACKOVERFLOW
+       ---help---
+         Enable this if you want the use virtually-mapped kernel stacks
+         with guard pages.  This causes kernel stack overflows to be
+diff --git a/arch/alpha/include/asm/atomic.h b/arch/alpha/include/asm/atomic.h
+index 498933a..78d2b22 100644
+--- a/arch/alpha/include/asm/atomic.h
++++ b/arch/alpha/include/asm/atomic.h
+@@ -308,4 +308,14 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
+ #define atomic_dec(v) atomic_sub(1,(v))
+ #define atomic64_dec(v) atomic64_sub(1,(v))
++#define atomic64_read_unchecked(v)            atomic64_read(v)
++#define atomic64_set_unchecked(v, i)          atomic64_set((v), (i))
++#define atomic64_add_unchecked(a, v)          atomic64_add((a), (v))
++#define atomic64_add_return_unchecked(a, v)   atomic64_add_return((a), (v))
++#define atomic64_sub_unchecked(a, v)          atomic64_sub((a), (v))
++#define atomic64_inc_unchecked(v)             atomic64_inc(v)
++#define atomic64_inc_return_unchecked(v)      atomic64_inc_return(v)
++#define atomic64_dec_unchecked(v)             atomic64_dec(v)
++#define atomic64_cmpxchg_unchecked(v, o, n)   atomic64_cmpxchg((v), (o), (n))
++
+ #endif /* _ALPHA_ATOMIC_H */
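
alpha carries no PAX_REFCOUNT implementation, so the *_unchecked operations above are plain aliases (atomic64_unchecked_t is typedef'd to the ordinary type when PAX_REFCOUNT is unavailable). The point of the split API shows up in the ARM hunks further down, where the plain operations gain an overflow trap while the _unchecked variants keep wrapping semantics. A sketch of how call sites are meant to choose, assuming PAX_REFCOUNT semantics (illustrative, not code from the patch):

        /* A reference count must never wrap: use the checked type. */
        static atomic_t obj_refs = ATOMIC_INIT(1);

        /* A statistics counter may wrap by design: opt out of checking. */
        static atomic_unchecked_t rx_packets = ATOMIC_INIT(0);

        static void rx_one(void)
        {
                atomic_inc_unchecked(&rx_packets);  /* never traps */
        }

        static void obj_get(void)
        {
                atomic_inc(&obj_refs);  /* traps on overflow under REFCOUNT */
        }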
+diff --git a/arch/alpha/include/asm/cache.h b/arch/alpha/include/asm/cache.h
+index ad368a9..fbe0f25 100644
+--- a/arch/alpha/include/asm/cache.h
++++ b/arch/alpha/include/asm/cache.h
+@@ -4,19 +4,19 @@
+ #ifndef __ARCH_ALPHA_CACHE_H
+ #define __ARCH_ALPHA_CACHE_H
++#include <linux/const.h>
+ /* Bytes per L1 (data) cache line. */
+ #if defined(CONFIG_ALPHA_GENERIC) || defined(CONFIG_ALPHA_EV6)
+-# define L1_CACHE_BYTES     64
+ # define L1_CACHE_SHIFT     6
+ #else
+ /* Both EV4 and EV5 are write-through, read-allocate,
+    direct-mapped, physical.
+ */
+-# define L1_CACHE_BYTES     32
+ # define L1_CACHE_SHIFT     5
+ #endif
++#define L1_CACHE_BYTES     (_AC(1,UL) << L1_CACHE_SHIFT)
+ #define SMP_CACHE_BYTES    L1_CACHE_BYTES
+ #endif
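
Deriving L1_CACHE_BYTES from L1_CACHE_SHIFT leaves a single source of truth, so the two constants cannot drift apart, and the _AC() macro keeps the expression usable from both C and assembly. For reference, <linux/const.h> reads roughly:

        #ifdef __ASSEMBLY__
        #define _AC(X,Y)        X               /* asm cannot parse the UL suffix */
        #else
        #define __AC(X,Y)       (X##Y)
        #define _AC(X,Y)        __AC(X,Y)       /* pastes to e.g. 1UL */
        #endif

So in C, (_AC(1,UL) << 6) expands to (1UL << 6) == 64, matching the removed literal.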
+diff --git a/arch/alpha/include/asm/elf.h b/arch/alpha/include/asm/elf.h
+index 968d999..d36b2df 100644
+--- a/arch/alpha/include/asm/elf.h
++++ b/arch/alpha/include/asm/elf.h
+@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
+ #define ELF_ET_DYN_BASE               (TASK_UNMAPPED_BASE + 0x1000000)
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE   (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
++
++#define PAX_DELTA_MMAP_LEN    (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
++#define PAX_DELTA_STACK_LEN   (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
++#endif
++
+ /* $0 is set by ld.so to a pointer to a function which might be 
+    registered using atexit.  This provides a mean for the dynamic
+    linker to call DT_FINI functions for shared libraries that have
+diff --git a/arch/alpha/include/asm/pgalloc.h b/arch/alpha/include/asm/pgalloc.h
+index c2ebb6f..93a0613 100644
+--- a/arch/alpha/include/asm/pgalloc.h
++++ b/arch/alpha/include/asm/pgalloc.h
+@@ -29,6 +29,12 @@ pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
+       pgd_set(pgd, pmd);
+ }
++static inline void
++pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
++{
++      pgd_populate(mm, pgd, pmd);
++}
++
+ extern pgd_t *pgd_alloc(struct mm_struct *mm);
+ static inline void
+diff --git a/arch/alpha/include/asm/pgtable.h b/arch/alpha/include/asm/pgtable.h
+index a9a1195..e9b8417 100644
+--- a/arch/alpha/include/asm/pgtable.h
++++ b/arch/alpha/include/asm/pgtable.h
+@@ -101,6 +101,17 @@ struct vm_area_struct;
+ #define PAGE_SHARED   __pgprot(_PAGE_VALID | __ACCESS_BITS)
+ #define PAGE_COPY     __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
+ #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++# define PAGE_SHARED_NOEXEC   __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
++# define PAGE_COPY_NOEXEC     __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
++#else
++# define PAGE_SHARED_NOEXEC   PAGE_SHARED
++# define PAGE_COPY_NOEXEC     PAGE_COPY
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++#endif
++
+ #define PAGE_KERNEL   __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
+ #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
+diff --git a/arch/alpha/kernel/module.c b/arch/alpha/kernel/module.c
+index 936bc8f..bb1859f 100644
+--- a/arch/alpha/kernel/module.c
++++ b/arch/alpha/kernel/module.c
+@@ -160,7 +160,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, const char *strtab,
+       /* The small sections were sorted to the end of the segment.
+          The following should definitely cover them.  */
+-      gp = (u64)me->core_layout.base + me->core_layout.size - 0x8000;
++      gp = (u64)me->core_layout.base_rw + me->core_layout.size_rw - 0x8000;
+       got = sechdrs[me->arch.gotsecindex].sh_addr;
+       for (i = 0; i < n; i++) {
+diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
+index ffb93f49..ced8233 100644
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -1300,10 +1300,11 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p)
+    generic version except that we know how to honor ADDR_LIMIT_32BIT.  */
+ static unsigned long
+-arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
+-                       unsigned long limit)
++arch_get_unmapped_area_1(struct file *filp, unsigned long addr, unsigned long len,
++                       unsigned long limit, unsigned long flags)
+ {
+       struct vm_unmapped_area_info info;
++      unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
+       info.flags = 0;
+       info.length = len;
+@@ -1311,6 +1312,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
+       info.high_limit = limit;
+       info.align_mask = 0;
+       info.align_offset = 0;
++      info.threadstack_offset = offset;
+       return vm_unmapped_area(&info);
+ }
+@@ -1343,20 +1345,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+          merely specific addresses, but regions of memory -- perhaps
+          this feature should be incorporated into all ports?  */
++#ifdef CONFIG_PAX_RANDMMAP
++      if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
++#endif
++
+       if (addr) {
+-              addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
++              addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(addr), len, limit, flags);
+               if (addr != (unsigned long) -ENOMEM)
+                       return addr;
+       }
+       /* Next, try allocating at TASK_UNMAPPED_BASE.  */
+-      addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
+-                                       len, limit);
++      addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(current->mm->mmap_base), len, limit, flags);
++
+       if (addr != (unsigned long) -ENOMEM)
+               return addr;
+       /* Finally, try allocating in low memory.  */
+-      addr = arch_get_unmapped_area_1 (PAGE_SIZE, len, limit);
++      addr = arch_get_unmapped_area_1 (filp, PAGE_SIZE, len, limit, flags);
+       return addr;
+ }
+diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
+index 83e9eee..db02682 100644
+--- a/arch/alpha/mm/fault.c
++++ b/arch/alpha/mm/fault.c
+@@ -52,6 +52,124 @@ __load_new_mm_context(struct mm_struct *next_mm)
+       __reload_thread(pcb);
+ }
++#ifdef CONFIG_PAX_PAGEEXEC
++/*
++ * PaX: decide what to do with offenders (regs->pc = fault address)
++ *
++ * returns 1 when task should be killed
++ *         2 when patched PLT trampoline was detected
++ *         3 when unpatched PLT trampoline was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#ifdef CONFIG_PAX_EMUPLT
++      int err;
++
++      do { /* PaX: patched PLT emulation #1 */
++              unsigned int ldah, ldq, jmp;
++
++              err = get_user(ldah, (unsigned int *)regs->pc);
++              err |= get_user(ldq, (unsigned int *)(regs->pc+4));
++              err |= get_user(jmp, (unsigned int *)(regs->pc+8));
++
++              if (err)
++                      break;
++
++              if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
++                  (ldq & 0xFFFF0000U) == 0xA77B0000U &&
++                  jmp == 0x6BFB0000U)
++              {
++                      unsigned long r27, addr;
++                      unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
++                      unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
++
++                      addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
++                      err = get_user(r27, (unsigned long *)addr);
++                      if (err)
++                              break;
++
++                      regs->r27 = r27;
++                      regs->pc = r27;
++                      return 2;
++              }
++      } while (0);
++
++      do { /* PaX: patched PLT emulation #2 */
++              unsigned int ldah, lda, br;
++
++              err = get_user(ldah, (unsigned int *)regs->pc);
++              err |= get_user(lda, (unsigned int *)(regs->pc+4));
++              err |= get_user(br, (unsigned int *)(regs->pc+8));
++
++              if (err)
++                      break;
++
++              if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
++                  (lda & 0xFFFF0000U) == 0xA77B0000U &&
++                  (br & 0xFFE00000U) == 0xC3E00000U)
++              {
++                      unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
++                      unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
++                      unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
++
++                      regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
++                      regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
++                      return 2;
++              }
++      } while (0);
++
++      do { /* PaX: unpatched PLT emulation */
++              unsigned int br;
++
++              err = get_user(br, (unsigned int *)regs->pc);
++
++              if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
++                      unsigned int br2, ldq, nop, jmp;
++                      unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
++
++                      addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
++                      err = get_user(br2, (unsigned int *)addr);
++                      err |= get_user(ldq, (unsigned int *)(addr+4));
++                      err |= get_user(nop, (unsigned int *)(addr+8));
++                      err |= get_user(jmp, (unsigned int *)(addr+12));
++                      err |= get_user(resolver, (unsigned long *)(addr+16));
++
++                      if (err)
++                              break;
++
++                      if (br2 == 0xC3600000U &&
++                          ldq == 0xA77B000CU &&
++                          nop == 0x47FF041FU &&
++                          jmp == 0x6B7B0000U)
++                      {
++                              regs->r28 = regs->pc+4;
++                              regs->r27 = addr+16;
++                              regs->pc = resolver;
++                              return 3;
++                      }
++              }
++      } while (0);
++#endif
++
++      return 1;
++}
++
++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
++{
++      unsigned long i;
++
++      printk(KERN_ERR "PAX: bytes at PC: ");
++      for (i = 0; i < 5; i++) {
++              unsigned int c;
++              if (get_user(c, (unsigned int *)pc+i))
++                      printk(KERN_CONT "???????? ");
++              else
++                      printk(KERN_CONT "%08x ", c);
++      }
++      printk("\n");
++}
++#endif
+ /*
+  * This routine handles page faults.  It determines the address,
+@@ -132,8 +250,29 @@ do_page_fault(unsigned long address, unsigned long mmcsr,
+  good_area:
+       si_code = SEGV_ACCERR;
+       if (cause < 0) {
+-              if (!(vma->vm_flags & VM_EXEC))
++              if (!(vma->vm_flags & VM_EXEC)) {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++                      if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
++                              goto bad_area;
++
++                      up_read(&mm->mmap_sem);
++                      switch (pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_EMUPLT
++                      case 2:
++                      case 3:
++                              return;
++#endif
++
++                      }
++                      pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
++                      do_group_exit(SIGKILL);
++#else
+                       goto bad_area;
++#endif
++
++              }
+       } else if (!cause) {
+               /* Allow reads even for write-only mappings */
+               if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
+diff --git a/arch/arc/kernel/kprobes.c b/arch/arc/kernel/kprobes.c
+index 42b0504..6013221 100644
+--- a/arch/arc/kernel/kprobes.c
++++ b/arch/arc/kernel/kprobes.c
+@@ -424,6 +424,7 @@ static void __used kretprobe_trampoline_holder(void)
+                            "kretprobe_trampoline:\n" "nop\n");
+ }
++#ifdef CONFIG_KRETPROBES
+ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+                                     struct pt_regs *regs)
+ {
+@@ -433,6 +434,7 @@ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+       /* Replace the return addr with trampoline addr */
+       regs->blink = (unsigned long)&kretprobe_trampoline;
+ }
++#endif
+ static int __kprobes trampoline_probe_handler(struct kprobe *p,
+                                             struct pt_regs *regs)
+@@ -509,6 +511,7 @@ int __init arch_init_kprobes(void)
+       return register_kprobe(&trampoline_p);
+ }
++#ifdef CONFIG_KRETPROBES
+ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+ {
+       if (p->addr == (kprobe_opcode_t *) &kretprobe_trampoline)
+@@ -516,6 +519,7 @@ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+       return 0;
+ }
++#endif
+ void trap_is_kprobe(unsigned long address, struct pt_regs *regs)
+ {
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index b5d529f..0bb4d4f 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1622,6 +1622,7 @@ config AEABI
+ config OABI_COMPAT
+       bool "Allow old ABI binaries to run with this kernel (EXPERIMENTAL)"
+       depends on AEABI && !THUMB2_KERNEL
++      depends on !GRKERNSEC
+       help
+         This option preserves the old syscall interface along with the
+         new (ARM EABI) one. It also provides a compatibility layer to
+@@ -1690,6 +1691,7 @@ config HIGHPTE
+ config CPU_SW_DOMAIN_PAN
+       bool "Enable use of CPU domains to implement privileged no-access"
+       depends on MMU && !ARM_LPAE
++      depends on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
+       default y
+       help
+         Increase kernel security by ensuring that normal kernel accesses
+@@ -1766,7 +1768,7 @@ config ALIGNMENT_TRAP
+ config UACCESS_WITH_MEMCPY
+       bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
+-      depends on MMU
++      depends on MMU && !PAX_MEMORY_UDEREF
+       default y if CPU_FEROCEON
+       help
+         Implement faster copy_to_user and clear_user methods for CPU
+@@ -2021,6 +2023,7 @@ config KEXEC
+       depends on (!SMP || PM_SLEEP_SMP)
+       depends on !CPU_V7M
+       select KEXEC_CORE
++      depends on !GRKERNSEC_KMEM
+       help
+         kexec is a system call that implements the ability to shutdown your
+         current kernel, and to start another kernel.  It is like a reboot
+@@ -2065,7 +2068,7 @@ config EFI_STUB
+ config EFI
+       bool "UEFI runtime support"
+-      depends on OF && !CPU_BIG_ENDIAN && MMU && AUTO_ZRELADDR && !XIP_KERNEL
++      depends on OF && !CPU_BIG_ENDIAN && MMU && AUTO_ZRELADDR && !XIP_KERNEL && !PAX_KERNEXEC
+       select UCS2_STRING
+       select EFI_PARAMS_FROM_FDT
+       select EFI_STUB
+diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
+index d83f7c3..a6aba4c 100644
+--- a/arch/arm/Kconfig.debug
++++ b/arch/arm/Kconfig.debug
+@@ -7,6 +7,7 @@ config ARM_PTDUMP
+       depends on DEBUG_KERNEL
+       depends on MMU
+       select DEBUG_FS
++      depends on !GRKERNSEC_KMEM
+       ---help---
+         Say Y here if you want to show the kernel pagetable layout in a
+         debugfs file. This information is only useful for kernel developers
+diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
+index d50430c..39509a6 100644
+--- a/arch/arm/boot/compressed/Makefile
++++ b/arch/arm/boot/compressed/Makefile
+@@ -24,6 +24,8 @@ endif
+ GCOV_PROFILE          := n
++GCC_PLUGINS           := n
++
+ #
+ # Architecture dependencies
+ #
+diff --git a/arch/arm/crypto/sha1_glue.c b/arch/arm/crypto/sha1_glue.c
+index 6fc73bf..d0af3c7b 100644
+--- a/arch/arm/crypto/sha1_glue.c
++++ b/arch/arm/crypto/sha1_glue.c
+@@ -27,8 +27,8 @@
+ #include "sha1.h"
+-asmlinkage void sha1_block_data_order(u32 *digest,
+-              const unsigned char *data, unsigned int rounds);
++asmlinkage void sha1_block_data_order(struct sha1_state *digest,
++              const u8 *data, int rounds);
+ int sha1_update_arm(struct shash_desc *desc, const u8 *data,
+                   unsigned int len)
+@@ -36,22 +36,20 @@ int sha1_update_arm(struct shash_desc *desc, const u8 *data,
+       /* make sure casting to sha1_block_fn() is safe */
+       BUILD_BUG_ON(offsetof(struct sha1_state, state) != 0);
+-      return sha1_base_do_update(desc, data, len,
+-                                 (sha1_block_fn *)sha1_block_data_order);
++      return sha1_base_do_update(desc, data, len, sha1_block_data_order);
+ }
+ EXPORT_SYMBOL_GPL(sha1_update_arm);
+ static int sha1_final(struct shash_desc *desc, u8 *out)
+ {
+-      sha1_base_do_finalize(desc, (sha1_block_fn *)sha1_block_data_order);
++      sha1_base_do_finalize(desc, sha1_block_data_order);
+       return sha1_base_finish(desc, out);
+ }
+ int sha1_finup_arm(struct shash_desc *desc, const u8 *data,
+                  unsigned int len, u8 *out)
+ {
+-      sha1_base_do_update(desc, data, len,
+-                          (sha1_block_fn *)sha1_block_data_order);
++      sha1_base_do_update(desc, data, len, sha1_block_data_order);
+       return sha1_final(desc, out);
+ }
+ EXPORT_SYMBOL_GPL(sha1_finup_arm);
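
This and the following crypto glue hunks (sha1-neon, sha256, sha512) all apply one pattern: instead of casting the assembly routine to sha1_block_fn at each call site, its declaration is changed to match sha1_block_fn exactly. Under RAP, as under any type-based control-flow-integrity scheme, an indirect call through a pointer whose type differs from the callee's true prototype is a violation even when the ABI happens to line up, so the casts have to go. A reduced illustration (simplified types, not code from the patch):

        typedef unsigned char u8;
        struct sha1_state;

        /* The sha1_base helpers invoke the block function through
         * this exact type... */
        typedef void (sha1_block_fn)(struct sha1_state *st,
                                     const u8 *src, int blocks);

        /* ...so the asm backend is declared with the same signature */
        extern void sha1_block_data_order(struct sha1_state *st,
                                          const u8 *src, int blocks);

        static void do_blocks(struct sha1_state *st, const u8 *src,
                              int blocks, sha1_block_fn *block)
        {
                /* pointer type and callee type now agree: no cast,
                 * and a type-checking CFI scheme accepts the call */
                block(st, src, blocks);
        }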
+diff --git a/arch/arm/crypto/sha1_neon_glue.c b/arch/arm/crypto/sha1_neon_glue.c
+index 4e22f12..49902aa 100644
+--- a/arch/arm/crypto/sha1_neon_glue.c
++++ b/arch/arm/crypto/sha1_neon_glue.c
+@@ -31,8 +31,8 @@
+ #include "sha1.h"
+-asmlinkage void sha1_transform_neon(void *state_h, const char *data,
+-                                  unsigned int rounds);
++asmlinkage void sha1_transform_neon(struct sha1_state *state_h, const u8 *data,
++                                  int rounds);
+ static int sha1_neon_update(struct shash_desc *desc, const u8 *data,
+                         unsigned int len)
+@@ -45,7 +45,7 @@ static int sha1_neon_update(struct shash_desc *desc, const u8 *data,
+       kernel_neon_begin();
+       sha1_base_do_update(desc, data, len,
+-                          (sha1_block_fn *)sha1_transform_neon);
++                          sha1_transform_neon);
+       kernel_neon_end();
+       return 0;
+@@ -60,8 +60,8 @@ static int sha1_neon_finup(struct shash_desc *desc, const u8 *data,
+       kernel_neon_begin();
+       if (len)
+               sha1_base_do_update(desc, data, len,
+-                                  (sha1_block_fn *)sha1_transform_neon);
+-      sha1_base_do_finalize(desc, (sha1_block_fn *)sha1_transform_neon);
++                                  sha1_transform_neon);
++      sha1_base_do_finalize(desc, sha1_transform_neon);
+       kernel_neon_end();
+       return sha1_base_finish(desc, out);
+diff --git a/arch/arm/crypto/sha256_glue.c b/arch/arm/crypto/sha256_glue.c
+index a84e869..53a0c61 100644
+--- a/arch/arm/crypto/sha256_glue.c
++++ b/arch/arm/crypto/sha256_glue.c
+@@ -30,8 +30,8 @@
+ #include "sha256_glue.h"
+-asmlinkage void sha256_block_data_order(u32 *digest, const void *data,
+-                                      unsigned int num_blks);
++asmlinkage void sha256_block_data_order(struct sha256_state *digest, const u8 *data,
++                                      int num_blks);
+ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data,
+                            unsigned int len)
+@@ -39,23 +39,20 @@ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data,
+       /* make sure casting to sha256_block_fn() is safe */
+       BUILD_BUG_ON(offsetof(struct sha256_state, state) != 0);
+-      return sha256_base_do_update(desc, data, len,
+-                              (sha256_block_fn *)sha256_block_data_order);
++      return sha256_base_do_update(desc, data, len, sha256_block_data_order);
+ }
+ EXPORT_SYMBOL(crypto_sha256_arm_update);
+ static int sha256_final(struct shash_desc *desc, u8 *out)
+ {
+-      sha256_base_do_finalize(desc,
+-                              (sha256_block_fn *)sha256_block_data_order);
++      sha256_base_do_finalize(desc, sha256_block_data_order);
+       return sha256_base_finish(desc, out);
+ }
+ int crypto_sha256_arm_finup(struct shash_desc *desc, const u8 *data,
+                           unsigned int len, u8 *out)
+ {
+-      sha256_base_do_update(desc, data, len,
+-                            (sha256_block_fn *)sha256_block_data_order);
++      sha256_base_do_update(desc, data, len, sha256_block_data_order);
+       return sha256_final(desc, out);
+ }
+ EXPORT_SYMBOL(crypto_sha256_arm_finup);
+diff --git a/arch/arm/crypto/sha256_neon_glue.c b/arch/arm/crypto/sha256_neon_glue.c
+index 39ccd65..f9511cb 100644
+--- a/arch/arm/crypto/sha256_neon_glue.c
++++ b/arch/arm/crypto/sha256_neon_glue.c
+@@ -26,8 +26,8 @@
+ #include "sha256_glue.h"
+-asmlinkage void sha256_block_data_order_neon(u32 *digest, const void *data,
+-                                           unsigned int num_blks);
++asmlinkage void sha256_block_data_order_neon(struct sha256_state *digest, const u8 *data,
++                                           int num_blks);
+ static int sha256_update(struct shash_desc *desc, const u8 *data,
+                        unsigned int len)
+@@ -39,8 +39,7 @@ static int sha256_update(struct shash_desc *desc, const u8 *data,
+               return crypto_sha256_arm_update(desc, data, len);
+       kernel_neon_begin();
+-      sha256_base_do_update(desc, data, len,
+-                      (sha256_block_fn *)sha256_block_data_order_neon);
++      sha256_base_do_update(desc, data, len, sha256_block_data_order_neon);
+       kernel_neon_end();
+       return 0;
+@@ -54,10 +53,8 @@ static int sha256_finup(struct shash_desc *desc, const u8 *data,
+       kernel_neon_begin();
+       if (len)
+-              sha256_base_do_update(desc, data, len,
+-                      (sha256_block_fn *)sha256_block_data_order_neon);
+-      sha256_base_do_finalize(desc,
+-                      (sha256_block_fn *)sha256_block_data_order_neon);
++              sha256_base_do_update(desc, data, len, sha256_block_data_order_neon);
++      sha256_base_do_finalize(desc, sha256_block_data_order_neon);
+       kernel_neon_end();
+       return sha256_base_finish(desc, out);
+diff --git a/arch/arm/crypto/sha512-glue.c b/arch/arm/crypto/sha512-glue.c
+index 269a394..c7a91f1 100644
+--- a/arch/arm/crypto/sha512-glue.c
++++ b/arch/arm/crypto/sha512-glue.c
+@@ -28,27 +28,24 @@ MODULE_ALIAS_CRYPTO("sha512");
+ MODULE_ALIAS_CRYPTO("sha384-arm");
+ MODULE_ALIAS_CRYPTO("sha512-arm");
+-asmlinkage void sha512_block_data_order(u64 *state, u8 const *src, int blocks);
++asmlinkage void sha512_block_data_order(struct sha512_state *state, u8 const *src, int blocks);
+ int sha512_arm_update(struct shash_desc *desc, const u8 *data,
+                     unsigned int len)
+ {
+-      return sha512_base_do_update(desc, data, len,
+-              (sha512_block_fn *)sha512_block_data_order);
++      return sha512_base_do_update(desc, data, len, sha512_block_data_order);
+ }
+ int sha512_arm_final(struct shash_desc *desc, u8 *out)
+ {
+-      sha512_base_do_finalize(desc,
+-              (sha512_block_fn *)sha512_block_data_order);
++      sha512_base_do_finalize(desc, sha512_block_data_order);
+       return sha512_base_finish(desc, out);
+ }
+ int sha512_arm_finup(struct shash_desc *desc, const u8 *data,
+                    unsigned int len, u8 *out)
+ {
+-      sha512_base_do_update(desc, data, len,
+-              (sha512_block_fn *)sha512_block_data_order);
++      sha512_base_do_update(desc, data, len, sha512_block_data_order);
+       return sha512_arm_final(desc, out);
+ }
+diff --git a/arch/arm/crypto/sha512-neon-glue.c b/arch/arm/crypto/sha512-neon-glue.c
+index 3269368..9fcbc00 100644
+--- a/arch/arm/crypto/sha512-neon-glue.c
++++ b/arch/arm/crypto/sha512-neon-glue.c
+@@ -22,7 +22,7 @@
+ MODULE_ALIAS_CRYPTO("sha384-neon");
+ MODULE_ALIAS_CRYPTO("sha512-neon");
+-asmlinkage void sha512_block_data_order_neon(u64 *state, u8 const *src,
++asmlinkage void sha512_block_data_order_neon(struct sha512_state *state, u8 const *src,
+                                            int blocks);
+ static int sha512_neon_update(struct shash_desc *desc, const u8 *data,
+@@ -35,8 +35,7 @@ static int sha512_neon_update(struct shash_desc *desc, const u8 *data,
+               return sha512_arm_update(desc, data, len);
+       kernel_neon_begin();
+-      sha512_base_do_update(desc, data, len,
+-              (sha512_block_fn *)sha512_block_data_order_neon);
++      sha512_base_do_update(desc, data, len, sha512_block_data_order_neon);
+       kernel_neon_end();
+       return 0;
+@@ -50,10 +49,8 @@ static int sha512_neon_finup(struct shash_desc *desc, const u8 *data,
+       kernel_neon_begin();
+       if (len)
+-              sha512_base_do_update(desc, data, len,
+-                      (sha512_block_fn *)sha512_block_data_order_neon);
+-      sha512_base_do_finalize(desc,
+-              (sha512_block_fn *)sha512_block_data_order_neon);
++              sha512_base_do_update(desc, data, len, sha512_block_data_order_neon);
++      sha512_base_do_finalize(desc, sha512_block_data_order_neon);
+       kernel_neon_end();
+       return sha512_base_finish(desc, out);
+diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
+index 66d0e21..8fa3237 100644
+--- a/arch/arm/include/asm/atomic.h
++++ b/arch/arm/include/asm/atomic.h
+@@ -18,17 +18,41 @@
+ #include <asm/barrier.h>
+ #include <asm/cmpxchg.h>
++#ifdef CONFIG_GENERIC_ATOMIC64
++#include <asm-generic/atomic64.h>
++#endif
++
+ #define ATOMIC_INIT(i)        { (i) }
+ #ifdef __KERNEL__
++#ifdef CONFIG_THUMB2_KERNEL
++#define REFCOUNT_TRAP_INSN "bkpt      0xf1"
++#else
++#define REFCOUNT_TRAP_INSN "bkpt      0xf103"
++#endif
++
++#define _ASM_EXTABLE(from, to)                \
++"     .pushsection __ex_table,\"a\"\n"\
++"     .align  3\n"                    \
++"     .long   " #from ", " #to"\n"    \
++"     .popsection"
++
+ /*
+  * On ARM, ordinary assignment (str instruction) doesn't clear the local
+  * strex/ldrex monitor on some implementations. The reason we can use it for
+  * atomic_set() is the clrex or dummy strex done on every exception return.
+  */
+ #define atomic_read(v)        READ_ONCE((v)->counter)
++static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
++{
++      return READ_ONCE(v->counter);
++}
+ #define atomic_set(v,i)       WRITE_ONCE(((v)->counter), (i))
++static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
++{
++      WRITE_ONCE(v->counter, i);
++}
+ #if __LINUX_ARM_ARCH__ >= 6
+@@ -38,45 +62,74 @@
+  * to ensure that the update happens.
+  */
+-#define ATOMIC_OP(op, c_op, asm_op)                                   \
+-static inline void atomic_##op(int i, atomic_t *v)                    \
++#ifdef CONFIG_PAX_REFCOUNT
++#define __OVERFLOW_POST                       \
++      "       bvc     3f\n"           \
++      "2:     " REFCOUNT_TRAP_INSN "\n"\
++      "3:\n"
++#define __OVERFLOW_POST_RETURN                \
++      "       bvc     3f\n"           \
++      "       mov     %1, %0\n"       \
++      "2:     " REFCOUNT_TRAP_INSN "\n"\
++      "3:\n"
++#define __OVERFLOW_EXTABLE            \
++      "4:\n"                          \
++      _ASM_EXTABLE(2b, 4b)
++#else
++#define __OVERFLOW_POST
++#define __OVERFLOW_POST_RETURN
++#define __OVERFLOW_EXTABLE
++#endif
++
++#define __ATOMIC_OP(op, suffix, c_op, asm_op)                         \
++static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v)  \
+ {                                                                     \
+       unsigned long tmp;                                              \
+       int result;                                                     \
+                                                                       \
+       prefetchw(&v->counter);                                         \
+-      __asm__ __volatile__("@ atomic_" #op "\n"                       \
++      __asm__ __volatile__("@ atomic_" #op #suffix "\n"               \
+ "1:   ldrex   %0, [%3]\n"                                             \
+ "     " #asm_op "     %0, %0, %4\n"                                   \
++      __OVERFLOW_POST                                                 \
+ "     strex   %1, %0, [%3]\n"                                         \
+ "     teq     %1, #0\n"                                               \
+-"     bne     1b"                                                     \
++"     bne     1b\n"                                                   \
++      __OVERFLOW_EXTABLE                                              \
+       : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)               \
+       : "r" (&v->counter), "Ir" (i)                                   \
+       : "cc");                                                        \
+ }                                                                     \
+-#define ATOMIC_OP_RETURN(op, c_op, asm_op)                            \
+-static inline int atomic_##op##_return_relaxed(int i, atomic_t *v)    \
++#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, _unchecked, c_op, asm_op)\
++                                  __ATOMIC_OP(op, , c_op, asm_op##s)
++
++#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op)                  \
++static inline int atomic_##op##_return##suffix##_relaxed(int i, atomic##suffix##_t *v)\
+ {                                                                     \
+-      unsigned long tmp;                                              \
++      int tmp;                                                        \
+       int result;                                                     \
+                                                                       \
+       prefetchw(&v->counter);                                         \
+                                                                       \
+-      __asm__ __volatile__("@ atomic_" #op "_return\n"                \
++      __asm__ __volatile__("@ atomic_" #op "_return" #suffix "\n"     \
+ "1:   ldrex   %0, [%3]\n"                                             \
+-"     " #asm_op "     %0, %0, %4\n"                                   \
+-"     strex   %1, %0, [%3]\n"                                         \
+-"     teq     %1, #0\n"                                               \
+-"     bne     1b"                                                     \
+-      : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)               \
++"     " #asm_op "     %1, %0, %4\n"                                   \
++      __OVERFLOW_POST_RETURN                                          \
++"     strex   %0, %1, [%3]\n"                                         \
++"     teq     %0, #0\n"                                               \
++"     bne     1b\n"                                                   \
++      __OVERFLOW_EXTABLE                                              \
++      : "=&r" (tmp), "=&r" (result), "+Qo" (v->counter)               \
+       : "r" (&v->counter), "Ir" (i)                                   \
+       : "cc");                                                        \
+                                                                       \
+       return result;                                                  \
+ }
++#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op)\
++                                         __ATOMIC_OP_RETURN(op, , c_op, asm_op##s)
++
+ #define ATOMIC_FETCH_OP(op, c_op, asm_op)                             \
+ static inline int atomic_fetch_##op##_relaxed(int i, atomic_t *v)     \
+ {                                                                     \
+@@ -99,6 +152,7 @@ static inline int atomic_fetch_##op##_relaxed(int i, atomic_t *v)   \
+ }
+ #define atomic_add_return_relaxed     atomic_add_return_relaxed
++#define atomic_add_return_unchecked_relaxed   atomic_add_return_unchecked_relaxed
+ #define atomic_sub_return_relaxed     atomic_sub_return_relaxed
+ #define atomic_fetch_add_relaxed      atomic_fetch_add_relaxed
+ #define atomic_fetch_sub_relaxed      atomic_fetch_sub_relaxed
+@@ -141,12 +195,17 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
+       __asm__ __volatile__ ("@ atomic_add_unless\n"
+ "1:   ldrex   %0, [%4]\n"
+ "     teq     %0, %5\n"
+-"     beq     2f\n"
+-"     add     %1, %0, %6\n"
++"     beq     4f\n"
++"     adds    %1, %0, %6\n"
++
++      __OVERFLOW_POST
++
+ "     strex   %2, %1, [%4]\n"
+ "     teq     %2, #0\n"
+ "     bne     1b\n"
+-"2:"
++
++      __OVERFLOW_EXTABLE
++
+       : "=&r" (oldval), "=&r" (newval), "=&r" (tmp), "+Qo" (v->counter)
+       : "r" (&v->counter), "r" (u), "r" (a)
+       : "cc");
+@@ -157,14 +216,36 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
+       return oldval;
+ }
++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *ptr, int old, int new)
++{
++      unsigned long oldval, res;
++
++      smp_mb();
++
++      do {
++              __asm__ __volatile__("@ atomic_cmpxchg_unchecked\n"
++              "ldrex  %1, [%3]\n"
++              "mov    %0, #0\n"
++              "teq    %1, %4\n"
++              "strexeq %0, %5, [%3]\n"
++                  : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter)
++                  : "r" (&ptr->counter), "Ir" (old), "r" (new)
++                  : "cc");
++      } while (res);
++
++      smp_mb();
++
++      return oldval;
++}
++
+ #else /* ARM_ARCH_6 */
+ #ifdef CONFIG_SMP
+ #error SMP not supported on pre-ARMv6 CPUs
+ #endif
+-#define ATOMIC_OP(op, c_op, asm_op)                                   \
+-static inline void atomic_##op(int i, atomic_t *v)                    \
++#define __ATOMIC_OP(op, suffix, c_op, asm_op)                         \
++static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v)  \
+ {                                                                     \
+       unsigned long flags;                                            \
+                                                                       \
+@@ -173,8 +254,11 @@ static inline void atomic_##op(int i, atomic_t *v)                        \
+       raw_local_irq_restore(flags);                                   \
+ }                                                                     \
+-#define ATOMIC_OP_RETURN(op, c_op, asm_op)                            \
+-static inline int atomic_##op##_return(int i, atomic_t *v)            \
++#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op)   \
++                                  __ATOMIC_OP(op, _unchecked, c_op, asm_op)
++
++#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op)                  \
++static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
+ {                                                                     \
+       unsigned long flags;                                            \
+       int val;                                                        \
+@@ -201,6 +285,9 @@ static inline int atomic_fetch_##op(int i, atomic_t *v)                    \
+       return val;                                                     \
+ }
++#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, , c_op, asm_op)\
++                                         __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op)
++
+ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
+ {
+       int ret;
+@@ -215,6 +302,11 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
+       return ret;
+ }
++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
++{
++      return atomic_cmpxchg((atomic_t *)v, old, new);
++}
++
+ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
+ {
+       int c, old;
+@@ -250,16 +342,29 @@ ATOMIC_OPS(xor, ^=, eor)
+ #undef ATOMIC_OPS
+ #undef ATOMIC_FETCH_OP
+ #undef ATOMIC_OP_RETURN
++#undef __ATOMIC_OP_RETURN
+ #undef ATOMIC_OP
++#undef __ATOMIC_OP
+ #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
++#define atomic_xchg_unchecked(v, new) (xchg_unchecked(&((v)->counter), new))
+ #define atomic_inc(v)         atomic_add(1, v)
++static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
++{
++      atomic_add_unchecked(1, v);
++}
+ #define atomic_dec(v)         atomic_sub(1, v)
++static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
++{
++      atomic_sub_unchecked(1, v);
++}
+ #define atomic_inc_and_test(v)        (atomic_add_return(1, v) == 0)
++#define atomic_inc_and_test_unchecked(v)      (atomic_add_return_unchecked(1, v) == 0)
+ #define atomic_dec_and_test(v)        (atomic_sub_return(1, v) == 0)
+ #define atomic_inc_return_relaxed(v)    (atomic_add_return_relaxed(1, v))
++#define atomic_inc_return_unchecked_relaxed(v)    (atomic_add_return_unchecked_relaxed(1, v))
+ #define atomic_dec_return_relaxed(v)    (atomic_sub_return_relaxed(1, v))
+ #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0)
+@@ -270,6 +375,14 @@ typedef struct {
+       long long counter;
+ } atomic64_t;
++#ifdef CONFIG_PAX_REFCOUNT
++typedef struct {
++      long long counter;
++} atomic64_unchecked_t;
++#else
++typedef atomic64_t atomic64_unchecked_t;
++#endif
++
+ #define ATOMIC64_INIT(i) { (i) }
+ #ifdef CONFIG_ARM_LPAE
+@@ -286,6 +399,19 @@ static inline long long atomic64_read(const atomic64_t *v)
+       return result;
+ }
++static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v)
++{
++      long long result;
++
++      __asm__ __volatile__("@ atomic64_read_unchecked\n"
++"     ldrd    %0, %H0, [%1]"
++      : "=&r" (result)
++      : "r" (&v->counter), "Qo" (v->counter)
++      );
++
++      return result;
++}
++
+ static inline void atomic64_set(atomic64_t *v, long long i)
+ {
+       __asm__ __volatile__("@ atomic64_set\n"
+@@ -294,6 +420,15 @@ static inline void atomic64_set(atomic64_t *v, long long i)
+       : "r" (&v->counter), "r" (i)
+       );
+ }
++
++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
++{
++      __asm__ __volatile__("@ atomic64_set_unchecked\n"
++"     strd    %2, %H2, [%1]"
++      : "=Qo" (v->counter)
++      : "r" (&v->counter), "r" (i)
++      );
++}
+ #else
+ static inline long long atomic64_read(const atomic64_t *v)
+ {
+@@ -308,6 +443,19 @@ static inline long long atomic64_read(const atomic64_t *v)
+       return result;
+ }
++static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v)
++{
++      long long result;
++
++      __asm__ __volatile__("@ atomic64_read_unchecked\n"
++"     ldrexd  %0, %H0, [%1]"
++      : "=&r" (result)
++      : "r" (&v->counter), "Qo" (v->counter)
++      );
++
++      return result;
++}
++
+ static inline void atomic64_set(atomic64_t *v, long long i)
+ {
+       long long tmp;
+@@ -322,50 +470,82 @@ static inline void atomic64_set(atomic64_t *v, long long i)
+       : "r" (&v->counter), "r" (i)
+       : "cc");
+ }
++
++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
++{
++      long long tmp;
++
++      prefetchw(&v->counter);
++      __asm__ __volatile__("@ atomic64_set_unchecked\n"
++"1:   ldrexd  %0, %H0, [%2]\n"
++"     strexd  %0, %3, %H3, [%2]\n"
++"     teq     %0, #0\n"
++"     bne     1b"
++      : "=&r" (tmp), "=Qo" (v->counter)
++      : "r" (&v->counter), "r" (i)
++      : "cc");
++}
+ #endif
+-#define ATOMIC64_OP(op, op1, op2)                                     \
+-static inline void atomic64_##op(long long i, atomic64_t *v)          \
++#define __OVERFLOW_POST_RETURN64      \
++      "       bvc     3f\n"           \
++"     mov     %Q1, %Q0\n"             \
++"     mov     %R1, %R0\n"             \
++      "2:     " REFCOUNT_TRAP_INSN "\n"\
++      "3:\n"
++
++#define __ATOMIC64_OP(op, suffix, op1, op2)                           \
++static inline void atomic64_##op##suffix(long long i, atomic64##suffix##_t *v)\
+ {                                                                     \
+       long long result;                                               \
+       unsigned long tmp;                                              \
+                                                                       \
+       prefetchw(&v->counter);                                         \
+-      __asm__ __volatile__("@ atomic64_" #op "\n"                     \
++      __asm__ __volatile__("@ atomic64_" #op #suffix "\n"             \
+ "1:   ldrexd  %0, %H0, [%3]\n"                                        \
+ "     " #op1 " %Q0, %Q0, %Q4\n"                                       \
+ "     " #op2 " %R0, %R0, %R4\n"                                       \
++      __OVERFLOW_POST                                                 \
+ "     strexd  %1, %0, %H0, [%3]\n"                                    \
+ "     teq     %1, #0\n"                                               \
+-"     bne     1b"                                                     \
++"     bne     1b\n"                                                   \
++      __OVERFLOW_EXTABLE                                              \
+       : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)               \
+       : "r" (&v->counter), "r" (i)                                    \
+       : "cc");                                                        \
+ }                                                                     \
+-#define ATOMIC64_OP_RETURN(op, op1, op2)                              \
++#define ATOMIC64_OP(op, op1, op2) __ATOMIC64_OP(op, _unchecked, op1, op2) \
++                                __ATOMIC64_OP(op, , op1, op2##s)
++
++#define __ATOMIC64_OP_RETURN(op, suffix, op1, op2)                    \
+ static inline long long                                                       \
+-atomic64_##op##_return_relaxed(long long i, atomic64_t *v)            \
++atomic64_##op##_return##suffix##_relaxed(long long i, atomic64##suffix##_t *v) \
+ {                                                                     \
+       long long result;                                               \
+-      unsigned long tmp;                                              \
++      long long tmp;                                                  \
+                                                                       \
+       prefetchw(&v->counter);                                         \
+                                                                       \
+-      __asm__ __volatile__("@ atomic64_" #op "_return\n"              \
++      __asm__ __volatile__("@ atomic64_" #op "_return" #suffix "\n"   \
+ "1:   ldrexd  %0, %H0, [%3]\n"                                        \
+-"     " #op1 " %Q0, %Q0, %Q4\n"                                       \
+-"     " #op2 " %R0, %R0, %R4\n"                                       \
+-"     strexd  %1, %0, %H0, [%3]\n"                                    \
+-"     teq     %1, #0\n"                                               \
+-"     bne     1b"                                                     \
+-      : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)               \
++"     " #op1 " %Q1, %Q0, %Q4\n"                                       \
++"     " #op2 " %R1, %R0, %R4\n"                                       \
++      __OVERFLOW_POST_RETURN64                                        \
++"     strexd  %0, %1, %H1, [%3]\n"                                    \
++"     teq     %0, #0\n"                                               \
++"     bne     1b\n"                                                   \
++      __OVERFLOW_EXTABLE                                              \
++      : "=&r" (tmp), "=&r" (result), "+Qo" (v->counter)               \
+       : "r" (&v->counter), "r" (i)                                    \
+       : "cc");                                                        \
+                                                                       \
+       return result;                                                  \
+ }
++#define ATOMIC64_OP_RETURN(op, op1, op2) __ATOMIC64_OP_RETURN(op, _unchecked, op1, op2) \
++                                       __ATOMIC64_OP_RETURN(op, , op1, op2##s)
++
+ #define ATOMIC64_FETCH_OP(op, op1, op2)                                       \
+ static inline long long                                                       \
+ atomic64_fetch_##op##_relaxed(long long i, atomic64_t *v)             \
+@@ -398,6 +578,7 @@ ATOMIC64_OPS(add, adds, adc)
+ ATOMIC64_OPS(sub, subs, sbc)
+ #define atomic64_add_return_relaxed   atomic64_add_return_relaxed
++#define atomic64_add_return_unchecked_relaxed atomic64_add_return_unchecked_relaxed
+ #define atomic64_sub_return_relaxed   atomic64_sub_return_relaxed
+ #define atomic64_fetch_add_relaxed    atomic64_fetch_add_relaxed
+ #define atomic64_fetch_sub_relaxed    atomic64_fetch_sub_relaxed
+@@ -422,7 +603,10 @@ ATOMIC64_OPS(xor, eor, eor)
+ #undef ATOMIC64_OPS
+ #undef ATOMIC64_FETCH_OP
+ #undef ATOMIC64_OP_RETURN
++#undef __ATOMIC64_OP_RETURN
+ #undef ATOMIC64_OP
++#undef __ATOMIC64_OP
++#undef __OVERFLOW_POST_RETURN
+ static inline long long
+ atomic64_cmpxchg_relaxed(atomic64_t *ptr, long long old, long long new)
+@@ -448,6 +632,13 @@ atomic64_cmpxchg_relaxed(atomic64_t *ptr, long long old, long long new)
+ }
+ #define atomic64_cmpxchg_relaxed      atomic64_cmpxchg_relaxed
++static inline long long
++atomic64_cmpxchg_unchecked_relaxed(atomic64_unchecked_t *ptr, long long old, long long new)
++{
++      return atomic64_cmpxchg_relaxed((atomic64_t *)ptr, old, new);
++}
++#define atomic64_cmpxchg_unchecked_relaxed    atomic64_cmpxchg_unchecked_relaxed
++
+ static inline long long atomic64_xchg_relaxed(atomic64_t *ptr, long long new)
+ {
+       long long result;
+@@ -468,25 +659,36 @@ static inline long long atomic64_xchg_relaxed(atomic64_t *ptr, long long new)
+ }
+ #define atomic64_xchg_relaxed         atomic64_xchg_relaxed
++static inline long long atomic64_xchg_unchecked_relaxed(atomic64_unchecked_t *ptr, long long new)
++{
++      return atomic64_xchg_relaxed((atomic64_t *)ptr, new);
++}
++#define atomic64_xchg_unchecked_relaxed               atomic64_xchg_unchecked_relaxed
++
+ static inline long long atomic64_dec_if_positive(atomic64_t *v)
+ {
+       long long result;
+-      unsigned long tmp;
++      u64 tmp;
+       smp_mb();
+       prefetchw(&v->counter);
+       __asm__ __volatile__("@ atomic64_dec_if_positive\n"
+ "1:   ldrexd  %0, %H0, [%3]\n"
+-"     subs    %Q0, %Q0, #1\n"
+-"     sbc     %R0, %R0, #0\n"
+-"     teq     %R0, #0\n"
+-"     bmi     2f\n"
+-"     strexd  %1, %0, %H0, [%3]\n"
+-"     teq     %1, #0\n"
++"     subs    %Q1, %Q0, #1\n"
++"     sbcs    %R1, %R0, #0\n"
++
++      __OVERFLOW_POST_RETURN64
++
++"     teq     %R1, #0\n"
++"     bmi     4f\n"
++"     strexd  %0, %1, %H1, [%3]\n"
++"     teq     %0, #0\n"
+ "     bne     1b\n"
+-"2:"
+-      : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
++
++      __OVERFLOW_EXTABLE
++
++      : "=&r" (tmp), "=&r" (result), "+Qo" (v->counter)
+       : "r" (&v->counter)
+       : "cc");
+@@ -509,13 +711,18 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
+ "     teq     %0, %5\n"
+ "     teqeq   %H0, %H5\n"
+ "     moveq   %1, #0\n"
+-"     beq     2f\n"
++"     beq     4f\n"
+ "     adds    %Q0, %Q0, %Q6\n"
+-"     adc     %R0, %R0, %R6\n"
++"     adcs    %R0, %R0, %R6\n"
++
++      __OVERFLOW_POST
++
+ "     strexd  %2, %0, %H0, [%4]\n"
+ "     teq     %2, #0\n"
+ "     bne     1b\n"
+-"2:"
++
++      __OVERFLOW_EXTABLE
++
+       : "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter)
+       : "r" (&v->counter), "r" (u), "r" (a)
+       : "cc");
+@@ -526,12 +733,19 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
+       return ret;
+ }
++#undef __OVERFLOW_EXTABLE
++#undef __OVERFLOW_POST_RETURN64
++#undef __OVERFLOW_POST
++
+ #define atomic64_add_negative(a, v)   (atomic64_add_return((a), (v)) < 0)
+ #define atomic64_inc(v)                       atomic64_add(1LL, (v))
++#define atomic64_inc_unchecked(v)     atomic64_add_unchecked(1LL, (v))
+ #define atomic64_inc_return_relaxed(v)        atomic64_add_return_relaxed(1LL, (v))
++#define atomic64_inc_return_unchecked_relaxed(v)      atomic64_add_return_unchecked_relaxed(1LL, (v))
+ #define atomic64_inc_and_test(v)      (atomic64_inc_return(v) == 0)
+ #define atomic64_sub_and_test(a, v)   (atomic64_sub_return((a), (v)) == 0)
+ #define atomic64_dec(v)                       atomic64_sub(1LL, (v))
++#define atomic64_dec_unchecked(v)     atomic64_sub_unchecked(1LL, (v))
+ #define atomic64_dec_return_relaxed(v)        atomic64_sub_return_relaxed(1LL, (v))
+ #define atomic64_dec_and_test(v)      (atomic64_dec_return((v)) == 0)
+ #define atomic64_inc_not_zero(v)      atomic64_add_unless((v), 1LL, 0LL)
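The atomic.h hunks above implement the PAX_REFCOUNT split: checked atomic_t operations grow an overflow check (the bvc + REFCOUNT_TRAP_INSN sequence) while the new atomic_unchecked_t variants keep plain wrapping arithmetic for counters that legitimately wrap. A rough single-threaded userspace model of that split, assuming only the GCC __builtin_add_overflow builtin; refcount_trap() is a hypothetical stand-in for the kernel's trap handler, and real atomicity and rollback are omitted:

    #include <stdio.h>
    #include <stdlib.h>

    typedef struct { int counter; } atomic_t;            /* checked: traps on overflow */
    typedef struct { int counter; } atomic_unchecked_t;  /* opt-out: wraps silently    */

    static void refcount_trap(void)
    {
        fprintf(stderr, "refcount overflow\n");          /* kernel raises a trap here */
        abort();
    }

    static void atomic_add(int i, atomic_t *v)
    {
        int sum;
        if (__builtin_add_overflow(v->counter, i, &sum))
            refcount_trap();    /* the path taken when the V flag is set above */
        else
            v->counter = sum;
    }

    static void atomic_add_unchecked(int i, atomic_unchecked_t *v)
    {
        /* the plain adds/adc path; unsigned math sidesteps C's signed-overflow UB */
        v->counter = (int)((unsigned)v->counter + (unsigned)i);
    }

    int main(void)
    {
        atomic_t refs = { 0x7fffffff };
        atomic_add(1, &refs);   /* would wrap to INT_MIN: traps instead */
        return 0;
    }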
+diff --git a/arch/arm/include/asm/cache.h b/arch/arm/include/asm/cache.h
+index 75fe66b..2255c86 100644
+--- a/arch/arm/include/asm/cache.h
++++ b/arch/arm/include/asm/cache.h
+@@ -4,8 +4,10 @@
+ #ifndef __ASMARM_CACHE_H
+ #define __ASMARM_CACHE_H
++#include <linux/const.h>
++
+ #define L1_CACHE_SHIFT                CONFIG_ARM_L1_CACHE_SHIFT
+-#define L1_CACHE_BYTES                (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_BYTES                (_AC(1,UL) << L1_CACHE_SHIFT)
+ /*
+  * Memory returned by kmalloc() may be used for DMA, so we must make
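The _AC(1,UL) change to L1_CACHE_BYTES matters because this header is also pulled into assembly, where _AC drops the type suffix, and because a bare 1 << shift is a signed int in C. A small sketch of the C-side difference, with an assumed shift of 7:

    #include <stdio.h>

    #define SHIFT      7
    #define BYTES_INT  (1 << SHIFT)    /* int: signed in mask arithmetic      */
    #define BYTES_UL   (1UL << SHIFT)  /* what _AC(1,UL) expands to in C code */

    int main(void)
    {
        unsigned long addr = 0xc0001234UL;
        /* alignment masks built from the unsigned long form stay unsigned */
        printf("%#lx\n", addr & ~(BYTES_UL - 1));   /* 0xc0001200 */
        return 0;
    }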
+diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
+index bdd283b..e66fb83 100644
+--- a/arch/arm/include/asm/cacheflush.h
++++ b/arch/arm/include/asm/cacheflush.h
+@@ -116,7 +116,7 @@ struct cpu_cache_fns {
+       void (*dma_unmap_area)(const void *, size_t, int);
+       void (*dma_flush_range)(const void *, const void *);
+-};
++} __no_const __no_randomize_layout;
+ /*
+  * Select the calling method
+diff --git a/arch/arm/include/asm/checksum.h b/arch/arm/include/asm/checksum.h
+index 524692f..a8871ec 100644
+--- a/arch/arm/include/asm/checksum.h
++++ b/arch/arm/include/asm/checksum.h
+@@ -37,7 +37,19 @@ __wsum
+ csum_partial_copy_nocheck(const void *src, void *dst, int len, __wsum sum);
+ __wsum
+-csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
++__csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
++
++static inline __wsum
++csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr)
++{
++      __wsum ret;
++      pax_open_userland();
++      ret = __csum_partial_copy_from_user(src, dst, len, sum, err_ptr);
++      pax_close_userland();
++      return ret;
++}
++
++
+ /*
+  *    Fold a partial checksum without adding pseudo headers
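The checksum change above is the standard UDEREF bracketing pattern: the raw userland-touching primitive gains a __ prefix and a static inline wrapper opens and closes userland access around it. A minimal sketch of the pattern, assuming the helpers behave as defined later in this patch (arch/arm/include/asm/uaccess.h); wrapped_user_op() is a hypothetical name:

    /* sketch: every direct userland dereference sits between open/close */
    static inline long wrapped_user_op(long (*__raw_op)(void))
    {
        long ret;

        pax_open_userland();    /* DOMAIN_USER -> DOMAIN_UDEREF            */
        ret = __raw_op();       /* the renamed __-prefixed primitive       */
        pax_close_userland();   /* DOMAIN_USER back to DOMAIN_NOACCESS     */
        return ret;
    }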
+diff --git a/arch/arm/include/asm/cmpxchg.h b/arch/arm/include/asm/cmpxchg.h
+index 97882f9..ff9d6ac 100644
+--- a/arch/arm/include/asm/cmpxchg.h
++++ b/arch/arm/include/asm/cmpxchg.h
+@@ -117,6 +117,10 @@ static inline unsigned long __xchg(unsigned long x, volatile void *ptr, int size
+       (__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr),           \
+                                  sizeof(*(ptr)));                     \
+ })
++#define xchg_unchecked_relaxed(ptr, x) ({                             \
++      (__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr),           \
++                                 sizeof(*(ptr)));                     \
++})
+ #include <asm-generic/cmpxchg-local.h>
+@@ -128,6 +132,7 @@ static inline unsigned long __xchg(unsigned long x, volatile void *ptr, int size
+ #endif
+ #define xchg xchg_relaxed
++#define xchg_unchecked xchg_unchecked_relaxed
+ /*
+  * cmpxchg_local and cmpxchg64_local are atomic wrt current CPU. Always make
+diff --git a/arch/arm/include/asm/cpuidle.h b/arch/arm/include/asm/cpuidle.h
+index baefe1d..29cb35a 100644
+--- a/arch/arm/include/asm/cpuidle.h
++++ b/arch/arm/include/asm/cpuidle.h
+@@ -32,7 +32,7 @@ struct device_node;
+ struct cpuidle_ops {
+       int (*suspend)(unsigned long arg);
+       int (*init)(struct device_node *, int cpu);
+-};
++} __no_const;
+ struct of_cpuidle_method {
+       const char *method;
+diff --git a/arch/arm/include/asm/domain.h b/arch/arm/include/asm/domain.h
+index 99d9f63..ec44cb5 100644
+--- a/arch/arm/include/asm/domain.h
++++ b/arch/arm/include/asm/domain.h
+@@ -42,7 +42,6 @@
+ #define DOMAIN_USER   1
+ #define DOMAIN_IO     0
+ #endif
+-#define DOMAIN_VECTORS        3
+ /*
+  * Domain types
+@@ -51,9 +50,28 @@
+ #define DOMAIN_CLIENT 1
+ #ifdef CONFIG_CPU_USE_DOMAINS
+ #define DOMAIN_MANAGER        3
++#define DOMAIN_VECTORS        3
++#define DOMAIN_USERCLIENT     DOMAIN_CLIENT
+ #else
++
++#ifdef CONFIG_PAX_KERNEXEC
+ #define DOMAIN_MANAGER        1
++#define DOMAIN_KERNEXEC       3
++#else
++#define DOMAIN_MANAGER        1
++#endif
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++#define DOMAIN_USERCLIENT     0
++#define DOMAIN_UDEREF         1
++#define DOMAIN_VECTORS                DOMAIN_KERNEL
++#else
++#define DOMAIN_USERCLIENT     1
++#define DOMAIN_VECTORS                DOMAIN_USER
++#endif
++
+ #endif
++#define DOMAIN_KERNELCLIENT   1
+ #define domain_mask(dom)      ((3) << (2 * (dom)))
+ #define domain_val(dom,type)  ((type) << (2 * (dom)))
+@@ -62,13 +80,19 @@
+ #define DACR_INIT \
+       (domain_val(DOMAIN_USER, DOMAIN_NOACCESS) | \
+        domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
+-       domain_val(DOMAIN_IO, DOMAIN_CLIENT) | \
++       domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT) | \
+        domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT))
++#elif defined(CONFIG_PAX_MEMORY_UDEREF)
++      /* DOMAIN_VECTORS is defined to DOMAIN_KERNEL */
++#define DACR_INIT \
++      (domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \
++       domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
++       domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT))
+ #else
+ #define DACR_INIT \
+-      (domain_val(DOMAIN_USER, DOMAIN_CLIENT) | \
++      (domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \
+        domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
+-       domain_val(DOMAIN_IO, DOMAIN_CLIENT) | \
++       domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT) | \
+        domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT))
+ #endif
+@@ -124,6 +148,17 @@ static inline void set_domain(unsigned val)
+               set_domain(domain);                             \
+       } while (0)
++#elif defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++#define modify_domain(dom,type)                                       \
++      do {                                                    \
++              struct thread_info *thread = current_thread_info(); \
++              unsigned int domain = get_domain();             \
++              domain &= ~domain_mask(dom);                    \
++              domain = domain | domain_val(dom, type);        \
++              thread->cpu_domain = domain;                    \
++              set_domain(domain);                             \
++      } while (0)
++
+ #else
+ static inline void modify_domain(unsigned dom, unsigned type) { }
+ #endif
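Background for the defines above: the ARM domain access control register packs sixteen 2-bit fields, one per protection domain, which is all domain_mask()/domain_val() encode. A small host-side check of the field arithmetic that modify_domain() performs (domain numbers illustrative, matching the visible DOMAIN_USER = 1):

    #include <stdio.h>

    #define domain_mask(dom)      (3u << (2 * (dom)))
    #define domain_val(dom, type) ((unsigned)(type) << (2 * (dom)))

    int main(void)
    {
        unsigned dacr = domain_val(1, 1);            /* DOMAIN_USER = client */
        /* modify_domain(): clear the 2-bit field, then OR in the new type  */
        dacr = (dacr & ~domain_mask(1)) | domain_val(1, 0);  /* -> no access */
        printf("%#x\n", dacr);                       /* prints 0 */
        return 0;
    }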
+diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
+index d2315ff..f60b47b 100644
+--- a/arch/arm/include/asm/elf.h
++++ b/arch/arm/include/asm/elf.h
+@@ -117,7 +117,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
+    the loader.  We need to make sure that it is out of the way of the program
+    that it will "exec", and that there is sufficient room for the brk.  */
+-#define ELF_ET_DYN_BASE       (TASK_SIZE / 3 * 2)
++#define ELF_ET_DYN_BASE               (TASK_SIZE / 3 * 2)
++
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE   0x00008000UL
++
++#define PAX_DELTA_MMAP_LEN    ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
++#define PAX_DELTA_STACK_LEN   ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
++#endif
+ /* When the program starts, a1 contains a pointer to a function to be 
+    registered with atexit, as per the SVR4 ABI.  A value of 0 means we 
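The PAX_DELTA_*_LEN values above are entropy bit counts applied at page granularity (16 bits for the PER_LINUX_32BIT personality, 10 otherwise), so the two cases get very different jitter spans. A quick back-of-the-envelope check, assuming 4 KiB pages:

    #include <stdio.h>

    int main(void)
    {
        unsigned long page = 4096UL;                /* assumed PAGE_SIZE */
        printf("16 bits: %lu MiB of mmap jitter\n",
               ((1UL << 16) * page) >> 20);         /* 256 MiB           */
        printf("10 bits: %lu MiB of mmap jitter\n",
               ((1UL << 10) * page) >> 20);         /* 4 MiB             */
        return 0;
    }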
+diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h
+index de53547..52b9a28 100644
+--- a/arch/arm/include/asm/fncpy.h
++++ b/arch/arm/include/asm/fncpy.h
+@@ -81,7 +81,9 @@
+       BUG_ON((uintptr_t)(dest_buf) & (FNCPY_ALIGN - 1) ||             \
+               (__funcp_address & ~(uintptr_t)1 & (FNCPY_ALIGN - 1))); \
+                                                                       \
++      pax_open_kernel();                                              \
+       memcpy(dest_buf, (void const *)(__funcp_address & ~1), size);   \
++      pax_close_kernel();                                             \
+       flush_icache_range((unsigned long)(dest_buf),                   \
+               (unsigned long)(dest_buf) + (size));                    \
+                                                                       \
+diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
+index 6795368..6c4d749 100644
+--- a/arch/arm/include/asm/futex.h
++++ b/arch/arm/include/asm/futex.h
+@@ -107,6 +107,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+               return -EFAULT;
+       preempt_disable();
++
+       __ua_flags = uaccess_save_and_enable();
+       __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
+       "1:     " TUSER(ldr) "  %1, [%4]\n"
+diff --git a/arch/arm/include/asm/kmap_types.h b/arch/arm/include/asm/kmap_types.h
+index 83eb2f7..ed77159 100644
+--- a/arch/arm/include/asm/kmap_types.h
++++ b/arch/arm/include/asm/kmap_types.h
+@@ -4,6 +4,6 @@
+ /*
+  * This is the "bare minimum".  AIO seems to require this.
+  */
+-#define KM_TYPE_NR 16
++#define KM_TYPE_NR 17
+ #endif
+diff --git a/arch/arm/include/asm/mach/dma.h b/arch/arm/include/asm/mach/dma.h
+index 9e614a1..3302cca 100644
+--- a/arch/arm/include/asm/mach/dma.h
++++ b/arch/arm/include/asm/mach/dma.h
+@@ -22,7 +22,7 @@ struct dma_ops {
+       int     (*residue)(unsigned int, dma_t *);              /* optional */
+       int     (*setspeed)(unsigned int, dma_t *, int);        /* optional */
+       const char *type;
+-};
++} __do_const;
+ struct dma_struct {
+       void            *addr;          /* single DMA address           */
+diff --git a/arch/arm/include/asm/mach/map.h b/arch/arm/include/asm/mach/map.h
+index 9b7c328..2dfe68b 100644
+--- a/arch/arm/include/asm/mach/map.h
++++ b/arch/arm/include/asm/mach/map.h
+@@ -23,17 +23,19 @@ struct map_desc {
+ /* types 0-3 are defined in asm/io.h */
+ enum {
+-      MT_UNCACHED = 4,
+-      MT_CACHECLEAN,
+-      MT_MINICLEAN,
++      MT_UNCACHED_RW = 4,
++      MT_CACHECLEAN_RO,
++      MT_MINICLEAN_RO,
+       MT_LOW_VECTORS,
+       MT_HIGH_VECTORS,
+-      MT_MEMORY_RWX,
++      __MT_MEMORY_RWX,
+       MT_MEMORY_RW,
+-      MT_ROM,
+-      MT_MEMORY_RWX_NONCACHED,
++      MT_MEMORY_RX,
++      MT_ROM_RX,
++      MT_MEMORY_RW_NONCACHED,
++      MT_MEMORY_RX_NONCACHED,
+       MT_MEMORY_RW_DTCM,
+-      MT_MEMORY_RWX_ITCM,
++      MT_MEMORY_RX_ITCM,
+       MT_MEMORY_RW_SO,
+       MT_MEMORY_DMA_READY,
+ };
+diff --git a/arch/arm/include/asm/outercache.h b/arch/arm/include/asm/outercache.h
+index c2bf24f..69e437c 100644
+--- a/arch/arm/include/asm/outercache.h
++++ b/arch/arm/include/asm/outercache.h
+@@ -39,7 +39,7 @@ struct outer_cache_fns {
+       /* This is an ARM L2C thing */
+       void (*write_sec)(unsigned long, unsigned);
+       void (*configure)(const struct l2x0_regs *);
+-};
++} __no_const;
+ extern struct outer_cache_fns outer_cache;
+diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h
+index 4355f0e..cd9168e 100644
+--- a/arch/arm/include/asm/page.h
++++ b/arch/arm/include/asm/page.h
+@@ -23,6 +23,7 @@
+ #else
++#include <linux/compiler.h>
+ #include <asm/glue.h>
+ /*
+@@ -114,7 +115,7 @@ struct cpu_user_fns {
+       void (*cpu_clear_user_highpage)(struct page *page, unsigned long vaddr);
+       void (*cpu_copy_user_highpage)(struct page *to, struct page *from,
+                       unsigned long vaddr, struct vm_area_struct *vma);
+-};
++} __no_const;
+ #ifdef MULTI_USER
+ extern struct cpu_user_fns cpu_user;
+diff --git a/arch/arm/include/asm/pgalloc.h b/arch/arm/include/asm/pgalloc.h
+index b2902a5..da11e4d 100644
+--- a/arch/arm/include/asm/pgalloc.h
++++ b/arch/arm/include/asm/pgalloc.h
+@@ -17,6 +17,7 @@
+ #include <asm/processor.h>
+ #include <asm/cacheflush.h>
+ #include <asm/tlbflush.h>
++#include <asm/system_info.h>
+ #define check_pgt_cache()             do { } while (0)
+@@ -43,6 +44,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
+       set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE));
+ }
++static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
++{
++      pud_populate(mm, pud, pmd);
++}
++
+ #else /* !CONFIG_ARM_LPAE */
+ /*
+@@ -51,6 +57,7 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
+ #define pmd_alloc_one(mm,addr)                ({ BUG(); ((pmd_t *)2); })
+ #define pmd_free(mm, pmd)             do { } while (0)
+ #define pud_populate(mm,pmd,pte)      BUG()
++#define pud_populate_kernel(mm,pmd,pte)       BUG()
+ #endif        /* CONFIG_ARM_LPAE */
+@@ -128,6 +135,19 @@ static inline void pte_free(struct mm_struct *mm, pgtable_t pte)
+       __free_page(pte);
+ }
++static inline void __section_update(pmd_t *pmdp, unsigned long addr, pmdval_t prot)
++{
++#ifdef CONFIG_ARM_LPAE
++      pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
++#else
++      if (addr & SECTION_SIZE)
++              pmdp[1] = __pmd(pmd_val(pmdp[1]) | prot);
++      else
++              pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
++#endif
++      flush_pmd_entry(pmdp);
++}
++
+ static inline void __pmd_populate(pmd_t *pmdp, phys_addr_t pte,
+                                 pmdval_t prot)
+ {
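__section_update() above relies on a non-LPAE detail: a Linux pmd is a pair of hardware first-level entries, each mapping one section, so addr & SECTION_SIZE selects the odd or even half. A toy illustration of the selection, with SECTION_SIZE assumed to be the usual 1 MiB:

    #include <stdio.h>

    #define SECTION_SIZE (1UL << 20)    /* assumed: 1 MiB ARM section */

    int main(void)
    {
        unsigned long addrs[] = { 0xc0000000UL, 0xc0100000UL };
        for (int i = 0; i < 2; i++)     /* even section -> pmdp[0], odd -> pmdp[1] */
            printf("%#lx -> pmdp[%d]\n", addrs[i],
                   (addrs[i] & SECTION_SIZE) ? 1 : 0);
        return 0;
    }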
+diff --git a/arch/arm/include/asm/pgtable-2level-hwdef.h b/arch/arm/include/asm/pgtable-2level-hwdef.h
+index 3f82e9d..2a85e8b 100644
+--- a/arch/arm/include/asm/pgtable-2level-hwdef.h
++++ b/arch/arm/include/asm/pgtable-2level-hwdef.h
+@@ -28,7 +28,7 @@
+ /*
+  *   - section
+  */
+-#define PMD_SECT_PXN    (_AT(pmdval_t, 1) << 0)     /* v7 */
++#define PMD_SECT_PXN          (_AT(pmdval_t, 1) << 0)     /* v7 */
+ #define PMD_SECT_BUFFERABLE   (_AT(pmdval_t, 1) << 2)
+ #define PMD_SECT_CACHEABLE    (_AT(pmdval_t, 1) << 3)
+ #define PMD_SECT_XN           (_AT(pmdval_t, 1) << 4)         /* v6 */
+@@ -40,6 +40,7 @@
+ #define PMD_SECT_nG           (_AT(pmdval_t, 1) << 17)        /* v6 */
+ #define PMD_SECT_SUPER                (_AT(pmdval_t, 1) << 18)        /* v6 */
+ #define PMD_SECT_AF           (_AT(pmdval_t, 0))
++#define PMD_SECT_RDONLY               (_AT(pmdval_t, 0))
+ #define PMD_SECT_UNCACHED     (_AT(pmdval_t, 0))
+ #define PMD_SECT_BUFFERED     (PMD_SECT_BUFFERABLE)
+@@ -70,6 +71,7 @@
+  *   - extended small page/tiny page
+  */
+ #define PTE_EXT_XN            (_AT(pteval_t, 1) << 0)         /* v6 */
++#define PTE_EXT_PXN           (_AT(pteval_t, 1) << 2)         /* v7 */
+ #define PTE_EXT_AP_MASK               (_AT(pteval_t, 3) << 4)
+ #define PTE_EXT_AP0           (_AT(pteval_t, 1) << 4)
+ #define PTE_EXT_AP1           (_AT(pteval_t, 2) << 4)
+diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h
+index 92fd2c8..061dae1 100644
+--- a/arch/arm/include/asm/pgtable-2level.h
++++ b/arch/arm/include/asm/pgtable-2level.h
+@@ -127,6 +127,9 @@
+ #define L_PTE_SHARED          (_AT(pteval_t, 1) << 10)        /* shared(v6), coherent(xsc3) */
+ #define L_PTE_NONE            (_AT(pteval_t, 1) << 11)
++/* Two-level page tables only have PXN in the PGD, not in the PTE. */
++#define L_PTE_PXN             (_AT(pteval_t, 0))
++
+ /*
+  * These are the memory types, defined to be compatible with
+  * pre-ARMv6 CPUs cacheable and bufferable bits: n/a,n/a,C,B
+diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h
+index 2a029bc..a0524c7 100644
+--- a/arch/arm/include/asm/pgtable-3level.h
++++ b/arch/arm/include/asm/pgtable-3level.h
+@@ -80,6 +80,7 @@
+ #define L_PTE_USER            (_AT(pteval_t, 1) << 6)         /* AP[1] */
+ #define L_PTE_SHARED          (_AT(pteval_t, 3) << 8)         /* SH[1:0], inner shareable */
+ #define L_PTE_YOUNG           (_AT(pteval_t, 1) << 10)        /* AF */
++#define L_PTE_PXN             (_AT(pteval_t, 1) << 53)        /* PXN */
+ #define L_PTE_XN              (_AT(pteval_t, 1) << 54)        /* XN */
+ #define L_PTE_DIRTY           (_AT(pteval_t, 1) << 55)
+ #define L_PTE_SPECIAL         (_AT(pteval_t, 1) << 56)
+@@ -90,10 +91,12 @@
+ #define L_PMD_SECT_DIRTY      (_AT(pmdval_t, 1) << 55)
+ #define L_PMD_SECT_NONE               (_AT(pmdval_t, 1) << 57)
+ #define L_PMD_SECT_RDONLY     (_AT(pteval_t, 1) << 58)
++#define PMD_SECT_RDONLY               PMD_SECT_AP2
+ /*
+  * To be used in assembly code with the upper page attributes.
+  */
++#define L_PTE_PXN_HIGH                (1 << (53 - 32))
+ #define L_PTE_XN_HIGH         (1 << (54 - 32))
+ #define L_PTE_DIRTY_HIGH      (1 << (55 - 32))
+diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
+index a8d656d..2febb8a 100644
+--- a/arch/arm/include/asm/pgtable.h
++++ b/arch/arm/include/asm/pgtable.h
+@@ -33,6 +33,9 @@
+ #include <asm/pgtable-2level.h>
+ #endif
++#define ktla_ktva(addr)               (addr)
++#define ktva_ktla(addr)               (addr)
++
+ /*
+  * Just any arbitrary offset to the start of the vmalloc VM area: the
+  * current 8MB value just means that there will be a 8MB "hole" after the
+@@ -48,6 +51,9 @@
+ #define LIBRARY_TEXT_START    0x0c000000
+ #ifndef __ASSEMBLY__
++extern pteval_t __supported_pte_mask;
++extern pmdval_t __supported_pmd_mask;
++
+ extern void __pte_error(const char *file, int line, pte_t);
+ extern void __pmd_error(const char *file, int line, pmd_t);
+ extern void __pgd_error(const char *file, int line, pgd_t);
+@@ -56,6 +62,48 @@ extern void __pgd_error(const char *file, int line, pgd_t);
+ #define pmd_ERROR(pmd)                __pmd_error(__FILE__, __LINE__, pmd)
+ #define pgd_ERROR(pgd)                __pgd_error(__FILE__, __LINE__, pgd)
++#define  __HAVE_ARCH_PAX_OPEN_KERNEL
++#define  __HAVE_ARCH_PAX_CLOSE_KERNEL
++
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++#include <asm/domain.h>
++#include <linux/thread_info.h>
++#include <linux/preempt.h>
++
++static inline int test_domain(int domain, int domaintype)
++{
++      return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype);
++}
++#endif
++
++#ifdef CONFIG_PAX_KERNEXEC
++static inline unsigned long pax_open_kernel(void) {
++#ifdef CONFIG_ARM_LPAE
++      /* TODO */
++#else
++      preempt_disable();
++      BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC));
++      modify_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC);
++#endif
++      return 0;
++}
++
++static inline unsigned long pax_close_kernel(void) {
++#ifdef CONFIG_ARM_LPAE
++      /* TODO */
++#else
++      BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_MANAGER));
++      /* DOMAIN_MANAGER = "client" under KERNEXEC */
++      modify_domain(DOMAIN_KERNEL, DOMAIN_MANAGER);
++      preempt_enable_no_resched();
++#endif
++      return 0;
++}
++#else
++static inline unsigned long pax_open_kernel(void) { return 0; }
++static inline unsigned long pax_close_kernel(void) { return 0; }
++#endif
++
+ /*
+  * This is the lowest virtual address we can permit any user space
+  * mapping to be mapped at.  This is particularly important for
+@@ -75,8 +123,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
+ /*
+  * The pgprot_* and protection_map entries will be fixed up in runtime
+  * to include the cachable and bufferable bits based on memory policy,
+- * as well as any architecture dependent bits like global/ASID and SMP
+- * shared mapping bits.
++ * as well as any architecture dependent bits like global/ASID, PXN,
++ * and SMP shared mapping bits.
+  */
+ #define _L_PTE_DEFAULT        L_PTE_PRESENT | L_PTE_YOUNG
+@@ -308,7 +356,7 @@ static inline pte_t pte_mknexec(pte_t pte)
+ static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
+ {
+       const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
+-              L_PTE_NONE | L_PTE_VALID;
++              L_PTE_NONE | L_PTE_VALID | __supported_pte_mask;
+       pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
+       return pte;
+ }
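pax_open_kernel()/pax_close_kernel() above define the KERNEXEC critical-section convention the rest of this patch relies on (fncpy.h, fiq.c, patch.c and tls.h all follow it): writes to read-only kernel mappings are only legal inside the bracket, with preemption disabled for its duration. A minimal sketch of a conforming caller; write_ro_word() is a hypothetical name:

    /* sketch: the only sanctioned way to patch RO kernel data under KERNEXEC */
    static void write_ro_word(unsigned int *ro_ptr, unsigned int val)
    {
        pax_open_kernel();      /* DOMAIN_KERNEL -> DOMAIN_KERNEXEC, preempt off */
        *ro_ptr = val;
        pax_close_kernel();     /* back to client; preemption re-enabled         */
    }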
+diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h
+index 3d6dc8b..1262ad3 100644
+--- a/arch/arm/include/asm/smp.h
++++ b/arch/arm/include/asm/smp.h
+@@ -108,7 +108,7 @@ struct smp_operations {
+       int  (*cpu_disable)(unsigned int cpu);
+ #endif
+ #endif
+-};
++} __no_const;
+ struct of_cpu_method {
+       const char *method;
+diff --git a/arch/arm/include/asm/string.h b/arch/arm/include/asm/string.h
+index cf4f3aa..8f2f2d9 100644
+--- a/arch/arm/include/asm/string.h
++++ b/arch/arm/include/asm/string.h
+@@ -7,19 +7,19 @@
+  */
+ #define __HAVE_ARCH_STRRCHR
+-extern char * strrchr(const char * s, int c);
++extern char * strrchr(const char * s, int c) __nocapture(-1);
+ #define __HAVE_ARCH_STRCHR
+-extern char * strchr(const char * s, int c);
++extern char * strchr(const char * s, int c) __nocapture(-1);
+ #define __HAVE_ARCH_MEMCPY
+-extern void * memcpy(void *, const void *, __kernel_size_t);
++extern void * memcpy(void *, const void *, __kernel_size_t) __nocapture(2);
+ #define __HAVE_ARCH_MEMMOVE
+-extern void * memmove(void *, const void *, __kernel_size_t);
++extern void * memmove(void *, const void *, __kernel_size_t) __nocapture(2);
+ #define __HAVE_ARCH_MEMCHR
+-extern void * memchr(const void *, int, __kernel_size_t);
++extern void * memchr(const void *, int, __kernel_size_t) __nocapture(-1);
+ #define __HAVE_ARCH_MEMSET
+ extern void * memset(void *, int, __kernel_size_t);
+diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
+index 776757d..a552c1d 100644
+--- a/arch/arm/include/asm/thread_info.h
++++ b/arch/arm/include/asm/thread_info.h
+@@ -73,6 +73,9 @@ struct thread_info {
+       .flags          = 0,                                            \
+       .preempt_count  = INIT_PREEMPT_COUNT,                           \
+       .addr_limit     = KERNEL_DS,                                    \
++      .cpu_domain     = domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) |  \
++                        domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT) | \
++                        domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT),   \
+ }
+ #define init_thread_info      (init_thread_union.thread_info)
+@@ -143,6 +146,10 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
+ #define TIF_SYSCALL_AUDIT     5       /* syscall auditing active */
+ #define TIF_SYSCALL_TRACEPOINT        6       /* syscall tracepoint instrumentation */
+ #define TIF_SECCOMP           7       /* seccomp syscall filtering active */
++/* within 8 bits of TIF_SYSCALL_TRACE
++ *  to meet flexible second operand requirements
++ */
++#define TIF_GRSEC_SETXID      8
+ #define TIF_NOHZ              12      /* in adaptive nohz mode */
+ #define TIF_USING_IWMMXT      17
+@@ -158,10 +165,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
+ #define _TIF_SYSCALL_TRACEPOINT       (1 << TIF_SYSCALL_TRACEPOINT)
+ #define _TIF_SECCOMP          (1 << TIF_SECCOMP)
+ #define _TIF_USING_IWMMXT     (1 << TIF_USING_IWMMXT)
++#define _TIF_GRSEC_SETXID     (1 << TIF_GRSEC_SETXID)
+ /* Checks for any syscall work in entry-common.S */
+ #define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+-                         _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
++                         _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | _TIF_GRSEC_SETXID)
+ /*
+  * Change these and you break ASM code in entry-common.S
+diff --git a/arch/arm/include/asm/timex.h b/arch/arm/include/asm/timex.h
+index f6fcc67..5895d62 100644
+--- a/arch/arm/include/asm/timex.h
++++ b/arch/arm/include/asm/timex.h
+@@ -13,6 +13,7 @@
+ #define _ASMARM_TIMEX_H
+ typedef unsigned long cycles_t;
++extern int read_current_timer(unsigned long *timer_val);
+ #define get_cycles()  ({ cycles_t c; read_current_timer(&c) ? 0 : c; })
+ #endif
+diff --git a/arch/arm/include/asm/tls.h b/arch/arm/include/asm/tls.h
+index 5f833f7..76e6644 100644
+--- a/arch/arm/include/asm/tls.h
++++ b/arch/arm/include/asm/tls.h
+@@ -3,6 +3,7 @@
+ #include <linux/compiler.h>
+ #include <asm/thread_info.h>
++#include <asm/pgtable.h>
+ #ifdef __ASSEMBLY__
+ #include <asm/asm-offsets.h>
+@@ -89,7 +90,9 @@ static inline void set_tls(unsigned long val)
+                        * at 0xffff0fe0 must be used instead.  (see
+                        * entry-armv.S for details)
+                        */
++                      pax_open_kernel();
+                       *((unsigned int *)0xffff0ff0) = val;
++                      pax_close_kernel();
+ #endif
+               }
+diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
+index 1f59ea05..81245f0 100644
+--- a/arch/arm/include/asm/uaccess.h
++++ b/arch/arm/include/asm/uaccess.h
+@@ -18,6 +18,7 @@
+ #include <asm/domain.h>
+ #include <asm/unified.h>
+ #include <asm/compiler.h>
++#include <asm/pgtable.h>
+ #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ #include <asm-generic/uaccess-unaligned.h>
+@@ -50,6 +51,59 @@ struct exception_table_entry
+ extern int fixup_exception(struct pt_regs *regs);
+ /*
++ * These two are intentionally not defined anywhere - if the kernel
++ * code generates any references to them, that's a bug.
++ */
++extern int __get_user_bad(void);
++extern int __put_user_bad(void);
++
++/*
++ * Note that this is actually 0x1,0000,0000
++ */
++#define KERNEL_DS     0x00000000
++#define get_ds()      (KERNEL_DS)
++
++#ifdef CONFIG_MMU
++
++#define USER_DS               TASK_SIZE
++#define get_fs()      (current_thread_info()->addr_limit)
++
++static inline void set_fs(mm_segment_t fs)
++{
++      current_thread_info()->addr_limit = fs;
++      modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER);
++}
++
++#define segment_eq(a, b)      ((a) == (b))
++
++#define __HAVE_ARCH_PAX_OPEN_USERLAND
++#define __HAVE_ARCH_PAX_CLOSE_USERLAND
++
++static inline void pax_open_userland(void)
++{
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++      if (segment_eq(get_fs(), USER_DS)) {
++              BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF));
++              modify_domain(DOMAIN_USER, DOMAIN_UDEREF);
++      }
++#endif
++
++}
++
++static inline void pax_close_userland(void)
++{
++
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++      if (segment_eq(get_fs(), USER_DS)) {
++              BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS));
++              modify_domain(DOMAIN_USER, DOMAIN_NOACCESS);
++      }
++#endif
++
++}
++
++/*
+  * These two functions allow hooking accesses to userspace to increase
++ * system integrity by ensuring that the kernel can not inadvertently
+  * perform such accesses (eg, via list poison values) which could then
+@@ -66,6 +120,7 @@ static inline unsigned int uaccess_save_and_enable(void)
+       return old_domain;
+ #else
++      pax_open_userland();
+       return 0;
+ #endif
+ }
+@@ -75,35 +130,11 @@ static inline void uaccess_restore(unsigned int flags)
+ #ifdef CONFIG_CPU_SW_DOMAIN_PAN
+       /* Restore the user access mask */
+       set_domain(flags);
++#else
++      pax_close_userland();
+ #endif
+ }
+-/*
+- * These two are intentionally not defined anywhere - if the kernel
+- * code generates any references to them, that's a bug.
+- */
+-extern int __get_user_bad(void);
+-extern int __put_user_bad(void);
+-
+-/*
+- * Note that this is actually 0x1,0000,0000
+- */
+-#define KERNEL_DS     0x00000000
+-#define get_ds()      (KERNEL_DS)
+-
+-#ifdef CONFIG_MMU
+-
+-#define USER_DS               TASK_SIZE
+-#define get_fs()      (current_thread_info()->addr_limit)
+-
+-static inline void set_fs(mm_segment_t fs)
+-{
+-      current_thread_info()->addr_limit = fs;
+-      modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
+-}
+-
+-#define segment_eq(a, b)      ((a) == (b))
+-
+ /* We use 33-bit arithmetic here... */
+ #define __range_ok(addr, size) ({ \
+       unsigned long flag, roksum; \
+@@ -268,6 +299,7 @@ static inline void set_fs(mm_segment_t fs)
+ #endif /* CONFIG_MMU */
++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
+ #define access_ok(type, addr, size)   (__range_ok(addr, size) == 0)
+ #define user_addr_max() \
+@@ -474,10 +506,10 @@ do {                                                                     \
+ #ifdef CONFIG_MMU
+-extern unsigned long __must_check
++extern unsigned long __must_check __size_overflow(3)
+ arm_copy_from_user(void *to, const void __user *from, unsigned long n);
+-static inline unsigned long __must_check
++static inline unsigned long __must_check __size_overflow(3)
+ __copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+       unsigned int __ua_flags;
+@@ -489,9 +521,9 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
+       return n;
+ }
+-extern unsigned long __must_check
++extern unsigned long __must_check __size_overflow(3)
+ arm_copy_to_user(void __user *to, const void *from, unsigned long n);
+-extern unsigned long __must_check
++extern unsigned long __must_check __size_overflow(3)
+ __copy_to_user_std(void __user *to, const void *from, unsigned long n);
+ static inline unsigned long __must_check
+@@ -511,9 +543,9 @@ __copy_to_user(void __user *to, const void *from, unsigned long n)
+ #endif
+ }
+-extern unsigned long __must_check
++extern unsigned long __must_check __size_overflow(2)
+ arm_clear_user(void __user *addr, unsigned long n);
+-extern unsigned long __must_check
++extern unsigned long __must_check __size_overflow(2)
+ __clear_user_std(void __user *addr, unsigned long n);
+ static inline unsigned long __must_check
+@@ -534,6 +566,10 @@ __clear_user(void __user *addr, unsigned long n)
+ static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+       unsigned long res = n;
++
++      if ((long)n < 0)
++              return n;
++
+       if (likely(access_ok(VERIFY_READ, from, n)))
+               res = __copy_from_user(to, from, n);
+       if (unlikely(res))
+@@ -543,6 +579,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
+ static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
+ {
++      if ((long)n < 0)
++              return n;
++
+       if (access_ok(VERIFY_WRITE, to, n))
+               n = __copy_to_user(to, from, n);
+       return n;
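The added (long)n < 0 guards in copy_from_user()/copy_to_user() above reject any size with the top bit set before access_ok() ever sees it, closing off underflowed length calculations. A userspace model of the case being caught, with the 32-bit-long comment assuming an ARM-like ABI:

    #include <stdio.h>

    static unsigned long copy_guarded(unsigned long n)
    {
        if ((long)n < 0)    /* e.g. n = len - hdr where hdr > len */
            return n;       /* refuse: report every byte as uncopied */
        return 0;           /* stand-in for a successful copy */
    }

    int main(void)
    {
        unsigned long bogus = 4UL - 8UL;        /* wraps to ULONG_MAX - 3 */
        printf("uncopied: %#lx\n", copy_guarded(bogus));
        return 0;
    }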
+diff --git a/arch/arm/include/uapi/asm/ptrace.h b/arch/arm/include/uapi/asm/ptrace.h
+index 5af0ed1..cea83883 100644
+--- a/arch/arm/include/uapi/asm/ptrace.h
++++ b/arch/arm/include/uapi/asm/ptrace.h
+@@ -92,7 +92,7 @@
+  * ARMv7 groups of PSR bits
+  */
+ #define APSR_MASK     0xf80f0000      /* N, Z, C, V, Q and GE flags */
+-#define PSR_ISET_MASK 0x01000010      /* ISA state (J, T) mask */
++#define PSR_ISET_MASK 0x01000020      /* ISA state (J, T) mask */
+ #define PSR_IT_MASK   0x0600fc00      /* If-Then execution state mask */
+ #define PSR_ENDIAN_MASK       0x00000200      /* Endianness state mask */
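The PSR_ISET_MASK change above is a one-bit correction: in the ARM CPSR the Thumb (T) bit is bit 5 and the Jazelle (J) bit is bit 24, so the ISA-state mask is 0x01000020; the old value 0x01000010 mistakenly covered bit 4, which belongs to the mode field. A trivial check:

    #include <stdio.h>

    #define PSR_T_BIT (1u << 5)     /* Thumb state   */
    #define PSR_J_BIT (1u << 24)    /* Jazelle state */

    int main(void)
    {
        printf("%#010x\n", PSR_J_BIT | PSR_T_BIT);   /* 0x01000020 */
        return 0;
    }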
+diff --git a/arch/arm/kernel/armksyms.c b/arch/arm/kernel/armksyms.c
+index 7e45f69..2c047db 100644
+--- a/arch/arm/kernel/armksyms.c
++++ b/arch/arm/kernel/armksyms.c
+@@ -59,7 +59,7 @@ EXPORT_SYMBOL(arm_delay_ops);
+       /* networking */
+ EXPORT_SYMBOL(csum_partial);
+-EXPORT_SYMBOL(csum_partial_copy_from_user);
++EXPORT_SYMBOL(__csum_partial_copy_from_user);
+ EXPORT_SYMBOL(csum_partial_copy_nocheck);
+ EXPORT_SYMBOL(__csum_ipv6_magic);
+diff --git a/arch/arm/kernel/efi.c b/arch/arm/kernel/efi.c
+index 9f43ba0..1cee475 100644
+--- a/arch/arm/kernel/efi.c
++++ b/arch/arm/kernel/efi.c
+@@ -60,9 +60,9 @@ int __init efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md)
+        * preference.
+        */
+       if (md->attribute & EFI_MEMORY_WB)
+-              desc.type = MT_MEMORY_RWX;
++              desc.type = __MT_MEMORY_RWX;
+       else if (md->attribute & EFI_MEMORY_WT)
+-              desc.type = MT_MEMORY_RWX_NONCACHED;
++              desc.type = MT_MEMORY_RW_NONCACHED;
+       else if (md->attribute & EFI_MEMORY_WC)
+               desc.type = MT_DEVICE_WC;
+       else
+diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
+index 9f157e7..8e3f857 100644
+--- a/arch/arm/kernel/entry-armv.S
++++ b/arch/arm/kernel/entry-armv.S
+@@ -50,6 +50,87 @@
+ 9997:
+       .endm
++      .macro  pax_enter_kernel
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++      @ make aligned space for saved DACR
++      sub     sp, sp, #8
++      @ save regs
++      stmdb   sp!, {r1, r2}
++      @ read DACR from cpu_domain into r1
++      mov     r2, sp
++      @ assume 8K pages, since we have to split the immediate in two
++      bic     r2, r2, #(0x1fc0)
++      bic     r2, r2, #(0x3f)
++      ldr     r1, [r2, #TI_CPU_DOMAIN]
++      @ store old DACR on stack
++      str     r1, [sp, #8]
++#ifdef CONFIG_PAX_KERNEXEC
++      @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
++      bic     r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
++      orr     r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
++#endif
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++      @ set current DOMAIN_USER to DOMAIN_NOACCESS
++      bic     r1, r1, #(domain_val(DOMAIN_USER, 3))
++#endif
++      @ write r1 to current_thread_info()->cpu_domain
++      str     r1, [r2, #TI_CPU_DOMAIN]
++      @ write r1 to DACR
++      mcr     p15, 0, r1, c3, c0, 0
++      @ instruction sync
++      instr_sync
++      @ restore regs
++      ldmia   sp!, {r1, r2}
++#endif
++      .endm
++
++      .macro  pax_open_userland
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++      @ save regs
++      stmdb   sp!, {r0, r1}
++      @ read DACR from cpu_domain into r1
++      mov     r0, sp
++      @ assume 8K pages, since we have to split the immediate in two
++      bic     r0, r0, #(0x1fc0)
++      bic     r0, r0, #(0x3f)
++      ldr     r1, [r0, #TI_CPU_DOMAIN]
++      @ set current DOMAIN_USER to DOMAIN_CLIENT
++      bic     r1, r1, #(domain_val(DOMAIN_USER, 3))
++      orr     r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
++      @ write r1 to current_thread_info()->cpu_domain
++      str     r1, [r0, #TI_CPU_DOMAIN]
++      @ write r1 to DACR
++      mcr     p15, 0, r1, c3, c0, 0
++      @ instruction sync
++      instr_sync
++      @ restore regs
++      ldmia   sp!, {r0, r1}
++#endif
++      .endm
++
++      .macro  pax_close_userland
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++      @ save regs
++      stmdb   sp!, {r0, r1}
++      @ read DACR from cpu_domain into r1
++      mov     r0, sp
++      @ assume 8K pages, since we have to split the immediate in two
++      bic     r0, r0, #(0x1fc0)
++      bic     r0, r0, #(0x3f)
++      ldr     r1, [r0, #TI_CPU_DOMAIN]
++      @ set current DOMAIN_USER to DOMAIN_NOACCESS
++      bic     r1, r1, #(domain_val(DOMAIN_USER, 3))
++      @ write r1 to current_thread_info()->cpu_domain
++      str     r1, [r0, #TI_CPU_DOMAIN]
++      @ write r1 to DACR
++      mcr     p15, 0, r1, c3, c0, 0
++      @ instruction sync
++      instr_sync
++      @ restore regs
++      ldmia   sp!, {r0, r1}
++#endif
++      .endm
++
+       .macro  pabt_helper
+       @ PABORT handler takes pt_regs in r2, fault address in r4 and psr in r5
+ #ifdef MULTI_PABORT
+@@ -92,11 +173,15 @@
+  * Invalid mode handlers
+  */
+       .macro  inv_entry, reason
++
++      pax_enter_kernel
++
+       sub     sp, sp, #PT_REGS_SIZE
+  ARM( stmib   sp, {r1 - lr}           )
+  THUMB(       stmia   sp, {r0 - r12}          )
+  THUMB(       str     sp, [sp, #S_SP]         )
+  THUMB(       str     lr, [sp, #S_LR]         )
++
+       mov     r1, #\reason
+       .endm
+@@ -152,6 +237,9 @@ ENDPROC(__und_invalid)
+       .macro  svc_entry, stack_hole=0, trace=1, uaccess=1
+  UNWIND(.fnstart              )
+  UNWIND(.save {r0 - pc}               )
++
++      pax_enter_kernel
++
+       sub     sp, sp, #(SVC_REGS_SIZE + \stack_hole - 4)
+ #ifdef CONFIG_THUMB2_KERNEL
+  SPFIX(       str     r0, [sp]        )       @ temporarily saved
+@@ -167,7 +255,12 @@ ENDPROC(__und_invalid)
+       ldmia   r0, {r3 - r5}
+       add     r7, sp, #S_SP - 4       @ here for interlock avoidance
+       mov     r6, #-1                 @  ""  ""      ""       ""
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++      @ offset sp by 8 as done in pax_enter_kernel
++      add     r2, sp, #(SVC_REGS_SIZE + \stack_hole + 4)
++#else
+       add     r2, sp, #(SVC_REGS_SIZE + \stack_hole - 4)
++#endif
+  SPFIX(       addeq   r2, r2, #4      )
+       str     r3, [sp, #-4]!          @ save the "real" r0 copied
+                                       @ from the exception stack
+@@ -382,6 +475,9 @@ ENDPROC(__fiq_abt)
+       .macro  usr_entry, trace=1, uaccess=1
+  UNWIND(.fnstart      )
+  UNWIND(.cantunwind   )       @ don't unwind the user space
++
++      pax_enter_kernel_user
++
+       sub     sp, sp, #PT_REGS_SIZE
+  ARM( stmib   sp, {r1 - r12}  )
+  THUMB(       stmia   sp, {r0 - r12}  )
+@@ -495,7 +591,9 @@ __und_usr:
+       tst     r3, #PSR_T_BIT                  @ Thumb mode?
+       bne     __und_usr_thumb
+       sub     r4, r2, #4                      @ ARM instr at LR - 4
++      pax_open_userland
+ 1:    ldrt    r0, [r4]
++      pax_close_userland
+  ARM_BE8(rev  r0, r0)                         @ little endian instruction
+       uaccess_disable ip
+@@ -531,11 +629,15 @@ __und_usr_thumb:
+  */
+       .arch   armv6t2
+ #endif
++      pax_open_userland
+ 2:    ldrht   r5, [r4]
++      pax_close_userland
+ ARM_BE8(rev16 r5, r5)                         @ little endian instruction
+       cmp     r5, #0xe800                     @ 32bit instruction if xx != 0
+       blo     __und_usr_fault_16_pan          @ 16bit undefined instruction
++      pax_open_userland
+ 3:    ldrht   r0, [r2]
++      pax_close_userland
+ ARM_BE8(rev16 r0, r0)                         @ little endian instruction
+       uaccess_disable ip
+       add     r2, r2, #2                      @ r2 is PC + 2, make it PC + 4
+@@ -566,7 +668,8 @@ ENDPROC(__und_usr)
+  */
+       .pushsection .text.fixup, "ax"
+       .align  2
+-4:    str     r4, [sp, #S_PC]                 @ retry current instruction
++4:    pax_close_userland
++      str     r4, [sp, #S_PC]                 @ retry current instruction
+       ret     r9
+       .popsection
+       .pushsection __ex_table,"a"
+@@ -788,7 +891,7 @@ ENTRY(__switch_to)
+  THUMB(       str     lr, [ip], #4               )
+       ldr     r4, [r2, #TI_TP_VALUE]
+       ldr     r5, [r2, #TI_TP_VALUE + 4]
+-#ifdef CONFIG_CPU_USE_DOMAINS
++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
+       mrc     p15, 0, r6, c3, c0, 0           @ Get domain register
+       str     r6, [r1, #TI_CPU_DOMAIN]        @ Save old domain register
+       ldr     r6, [r2, #TI_CPU_DOMAIN]
+@@ -799,7 +902,7 @@ ENTRY(__switch_to)
+       ldr     r8, =__stack_chk_guard
+       ldr     r7, [r7, #TSK_STACK_CANARY]
+ #endif
+-#ifdef CONFIG_CPU_USE_DOMAINS
++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
+       mcr     p15, 0, r6, c3, c0, 0           @ Set domain register
+ #endif
+       mov     r5, r0
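The __switch_to changes above widen an existing CONFIG_CPU_USE_DOMAINS mechanism to the PaX configs: each thread carries its own DACR image in thread_info->cpu_domain, saved from and restored to the coprocessor on every context switch. A userspace model of what the mrc/str/ldr/mcr sequence amounts to (dacr_hw stands in for the cp15 c3 register):

    #include <stdio.h>

    static unsigned dacr_hw;                            /* models cp15 c3, the DACR */
    static unsigned get_domain(void) { return dacr_hw; }
    static void set_domain(unsigned d) { dacr_hw = d; }

    struct thread_info { unsigned cpu_domain; };

    static void switch_cpu_domain(struct thread_info *prev,
                                  struct thread_info *next)
    {
        prev->cpu_domain = get_domain();    /* mrc p15, 0, rN, c3, c0, 0 + str */
        set_domain(next->cpu_domain);       /* ldr + mcr p15, 0, rN, c3, c0, 0 */
    }

    int main(void)
    {
        struct thread_info a = { 0 }, b = { 0x55 };
        set_domain(0xaa);
        switch_cpu_domain(&a, &b);
        printf("saved %#x, live %#x\n", a.cpu_domain, get_domain()); /* 0xaa 0x55 */
        return 0;
    }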
+diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
+index 10c3283..c47cdf5 100644
+--- a/arch/arm/kernel/entry-common.S
++++ b/arch/arm/kernel/entry-common.S
+@@ -11,18 +11,46 @@
+ #include <asm/assembler.h>
+ #include <asm/unistd.h>
+ #include <asm/ftrace.h>
++#include <asm/domain.h>
+ #include <asm/unwind.h>
++#include "entry-header.S"
++
+ #ifdef CONFIG_NEED_RET_TO_USER
+ #include <mach/entry-macro.S>
+ #else
+       .macro  arch_ret_to_user, tmp1, tmp2
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++      @ save regs
++      stmdb   sp!, {r1, r2}
++      @ read DACR from cpu_domain into r1
++      mov     r2, sp
++      @ assume 8K pages, since we have to split the immediate in two
++      bic     r2, r2, #(0x1fc0)
++      bic     r2, r2, #(0x3f)
++      ldr     r1, [r2, #TI_CPU_DOMAIN]
++#ifdef CONFIG_PAX_KERNEXEC
++      @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
++      bic     r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
++      orr     r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
++#endif
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++      @ set current DOMAIN_USER to DOMAIN_UDEREF
++      bic     r1, r1, #(domain_val(DOMAIN_USER, 3))
++      orr     r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
++#endif
++      @ write r1 to current_thread_info()->cpu_domain
++      str     r1, [r2, #TI_CPU_DOMAIN]
++      @ write r1 to DACR
++      mcr     p15, 0, r1, c3, c0, 0
++      @ instruction sync
++      instr_sync
++      @ restore regs
++      ldmia   sp!, {r1, r2}
++#endif
+       .endm
+ #endif
+-#include "entry-header.S"
+-
+-
+       .align  5
+ #if !(IS_ENABLED(CONFIG_TRACE_IRQFLAGS) || IS_ENABLED(CONFIG_CONTEXT_TRACKING))
+ /*
+@@ -36,7 +64,9 @@ ret_fast_syscall:
+  UNWIND(.cantunwind   )
+       disable_irq_notrace                     @ disable interrupts
+       ldr     r1, [tsk, #TI_FLAGS]            @ re-check for syscall tracing
+-      tst     r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
++      tst     r1, #_TIF_SYSCALL_WORK
++      bne     fast_work_pending
++      tst     r1, #_TIF_WORK_MASK
+       bne     fast_work_pending
+       /* perform architecture specific actions before user return */
+@@ -62,7 +92,9 @@ ret_fast_syscall:
+       str     r0, [sp, #S_R0 + S_OFF]!        @ save returned r0
+       disable_irq_notrace                     @ disable interrupts
+       ldr     r1, [tsk, #TI_FLAGS]            @ re-check for syscall tracing
+-      tst     r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
++      tst     r1, #_TIF_SYSCALL_WORK
++      bne     __sys_trace_return_nosave
++      tst     r1, #_TIF_WORK_MASK
+       beq     no_work_pending
+  UNWIND(.fnend                )
+ ENDPROC(ret_fast_syscall)
+@@ -199,6 +231,12 @@ ENTRY(vector_swi)
+       uaccess_disable tbl
++      /*
++       * do this here to avoid a performance hit of wrapping the code above
++       * that directly dereferences userland to parse the SWI instruction
++       */
++      pax_enter_kernel_user
++
+       adr     tbl, sys_call_table             @ load syscall table pointer
+ #if defined(CONFIG_OABI_COMPAT)
+diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S
+index 6391728..6bf90b8 100644
+--- a/arch/arm/kernel/entry-header.S
++++ b/arch/arm/kernel/entry-header.S
+@@ -196,6 +196,59 @@
+       msr     cpsr_c, \rtemp                  @ switch back to the SVC mode
+       .endm
++      .macro  pax_enter_kernel_user
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++      @ save regs
++      stmdb   sp!, {r0, r1}
++      @ read DACR from cpu_domain into r1
++      mov     r0, sp
++      @ assume 8K pages, since we have to split the immediate in two
++      bic     r0, r0, #(0x1fc0)
++      bic     r0, r0, #(0x3f)
++      ldr     r1, [r0, #TI_CPU_DOMAIN]
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++      @ set current DOMAIN_USER to DOMAIN_NOACCESS
++      bic     r1, r1, #(domain_val(DOMAIN_USER, 3))
++#endif
++#ifdef CONFIG_PAX_KERNEXEC
++      @ set current DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
++      bic     r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
++      orr     r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
++#endif
++      @ write r1 to current_thread_info()->cpu_domain
++      str     r1, [r0, #TI_CPU_DOMAIN]
++      @ write r1 to DACR
++      mcr     p15, 0, r1, c3, c0, 0
++      @ instruction sync
++      instr_sync
++      @ restore regs
++      ldmia   sp!, {r0, r1}
++#endif
++      .endm
++
++      .macro  pax_exit_kernel
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++      @ save regs
++      stmdb   sp!, {r0, r1}
++      @ read old DACR from stack into r1
++      ldr     r1, [sp, #(8 + S_SP)]
++      sub     r1, r1, #8
++      ldr     r1, [r1]
++
++      @ write r1 to current_thread_info()->cpu_domain
++      mov     r0, sp
++      @ assume 8K pages, since we have to split the immediate in two
++      bic     r0, r0, #(0x1fc0)
++      bic     r0, r0, #(0x3f)
++      str     r1, [r0, #TI_CPU_DOMAIN]
++      @ write r1 to DACR
++      mcr     p15, 0, r1, c3, c0, 0
++      @ instruction sync
++      instr_sync
++      @ restore regs
++      ldmia   sp!, {r0, r1}
++#endif
++      .endm
+       .macro  svc_exit, rpsr, irq = 0
+       .if     \irq != 0
+@@ -219,6 +272,8 @@
+       uaccess_restore
+       str     r1, [tsk, #TI_ADDR_LIMIT]
++      pax_exit_kernel
++
+ #ifndef CONFIG_THUMB2_KERNEL
+       @ ARM mode SVC restore
+       msr     spsr_cxsf, \rpsr
+diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c
+index 059c3da..8e45cfc 100644
+--- a/arch/arm/kernel/fiq.c
++++ b/arch/arm/kernel/fiq.c
+@@ -95,7 +95,10 @@ void set_fiq_handler(void *start, unsigned int length)
+       void *base = vectors_page;
+       unsigned offset = FIQ_OFFSET;
++      pax_open_kernel();
+       memcpy(base + offset, start, length);
++      pax_close_kernel();
++
+       if (!cache_is_vipt_nonaliasing())
+               flush_icache_range((unsigned long)base + offset, offset +
+                                  length);
+diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c
+index 4f14b5c..91ff261 100644
+--- a/arch/arm/kernel/module.c
++++ b/arch/arm/kernel/module.c
+@@ -38,17 +38,47 @@
+ #endif
+ #ifdef CONFIG_MMU
+-void *module_alloc(unsigned long size)
++static inline void *__module_alloc(unsigned long size, pgprot_t prot)
+ {
+-      void *p = __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
+-                              GFP_KERNEL, PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
++      void *p;
++
++      if (!size || (!IS_ENABLED(CONFIG_ARM_MODULE_PLTS) && PAGE_ALIGN(size) > MODULES_END - MODULES_VADDR))
++              return NULL;
++
++      p = __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
++                              GFP_KERNEL, prot, 0, NUMA_NO_NODE,
+                               __builtin_return_address(0));
+       if (!IS_ENABLED(CONFIG_ARM_MODULE_PLTS) || p)
+               return p;
+       return __vmalloc_node_range(size, 1,  VMALLOC_START, VMALLOC_END,
+-                              GFP_KERNEL, PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
++                              GFP_KERNEL, prot, 0, NUMA_NO_NODE,
+                               __builtin_return_address(0));
+ }
++
++void *module_alloc(unsigned long size)
++{
++
++#ifdef CONFIG_PAX_KERNEXEC
++      return __module_alloc(size, PAGE_KERNEL);
++#else
++      return __module_alloc(size, PAGE_KERNEL_EXEC);
++#endif
++
++}
++
++#ifdef CONFIG_PAX_KERNEXEC
++void module_memfree_exec(void *module_region)
++{
++      module_memfree(module_region);
++}
++EXPORT_SYMBOL(module_memfree_exec);
++
++void *module_alloc_exec(unsigned long size)
++{
++      return __module_alloc(size, PAGE_KERNEL_EXEC);
++}
++EXPORT_SYMBOL(module_alloc_exec);
++#endif
+ #endif
+ int
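module_alloc() above now hands out non-executable PAGE_KERNEL memory whenever KERNEXEC is enabled, with the module_alloc_exec()/module_memfree_exec() pair reserved for module text. A hedged sketch of how a KERNEXEC-aware loader would split its regions (alloc_module_regions() is a hypothetical helper; error unwinding is omitted, and how the generic loader actually uses the exec variant is outside this hunk):

    static int alloc_module_regions(unsigned long text_size,
                                    unsigned long data_size,
                                    void **text, void **data)
    {
        *text = module_alloc_exec(text_size);   /* PAGE_KERNEL_EXEC mapping  */
        *data = module_alloc(data_size);        /* PAGE_KERNEL: RW, never X  */
        if (!*text || !*data)
            return -ENOMEM;                     /* caller frees what it got  */
        return 0;
    }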
+diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
+index 69bda1a..755113a 100644
+--- a/arch/arm/kernel/patch.c
++++ b/arch/arm/kernel/patch.c
+@@ -66,6 +66,7 @@ void __kprobes __patch_text_real(void *addr, unsigned int insn, bool remap)
+       else
+               __acquire(&patch_lock);
++      pax_open_kernel();
+       if (thumb2 && __opcode_is_thumb16(insn)) {
+               *(u16 *)waddr = __opcode_to_mem_thumb16(insn);
+               size = sizeof(u16);
+@@ -97,6 +98,7 @@ void __kprobes __patch_text_real(void *addr, unsigned int insn, bool remap)
+               *(u32 *)waddr = insn;
+               size = sizeof(u32);
+       }
++      pax_close_kernel();
+       if (waddr != addr) {
+               flush_kernel_vmap_range(waddr, twopage ? size / 2 : size);
+diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
+index 91d2d5b..042c26e 100644
+--- a/arch/arm/kernel/process.c
++++ b/arch/arm/kernel/process.c
+@@ -118,8 +118,8 @@ void __show_regs(struct pt_regs *regs)
+       show_regs_print_info(KERN_DEFAULT);
+-      print_symbol("PC is at %s\n", instruction_pointer(regs));
+-      print_symbol("LR is at %s\n", regs->ARM_lr);
++      printk("PC is at %pA\n", (void *)instruction_pointer(regs));
++      printk("LR is at %pA\n", (void *)regs->ARM_lr);
+       printk("pc : [<%08lx>]    lr : [<%08lx>]    psr: %08lx\n"
+              "sp : %08lx  ip : %08lx  fp : %08lx\n",
+               regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
+@@ -233,7 +233,7 @@ copy_thread(unsigned long clone_flags, unsigned long stack_start,
+       memset(&thread->cpu_context, 0, sizeof(struct cpu_context_save));
+-#ifdef CONFIG_CPU_USE_DOMAINS
++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
+       /*
+        * Copy the initial value of the domain access control register
+        * from the current thread: thread->addr_limit will have been
+@@ -336,7 +336,7 @@ static struct vm_area_struct gate_vma = {
+ static int __init gate_vma_init(void)
+ {
+-      gate_vma.vm_page_prot = PAGE_READONLY_EXEC;
++      gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
+       return 0;
+ }
+ arch_initcall(gate_vma_init);
+@@ -365,92 +365,14 @@ const char *arch_vma_name(struct vm_area_struct *vma)
+       return is_gate_vma(vma) ? "[vectors]" : NULL;
+ }
+-/* If possible, provide a placement hint at a random offset from the
+- * stack for the sigpage and vdso pages.
+- */
+-static unsigned long sigpage_addr(const struct mm_struct *mm,
+-                                unsigned int npages)
+-{
+-      unsigned long offset;
+-      unsigned long first;
+-      unsigned long last;
+-      unsigned long addr;
+-      unsigned int slots;
+-
+-      first = PAGE_ALIGN(mm->start_stack);
+-
+-      last = TASK_SIZE - (npages << PAGE_SHIFT);
+-
+-      /* No room after stack? */
+-      if (first > last)
+-              return 0;
+-
+-      /* Just enough room? */
+-      if (first == last)
+-              return first;
+-
+-      slots = ((last - first) >> PAGE_SHIFT) + 1;
+-
+-      offset = get_random_int() % slots;
+-
+-      addr = first + (offset << PAGE_SHIFT);
+-
+-      return addr;
+-}
+-
+-static struct page *signal_page;
+-extern struct page *get_signal_page(void);
+-
+-static const struct vm_special_mapping sigpage_mapping = {
+-      .name = "[sigpage]",
+-      .pages = &signal_page,
+-};
+-
+ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
+ {
+       struct mm_struct *mm = current->mm;
+-      struct vm_area_struct *vma;
+-      unsigned long npages;
+-      unsigned long addr;
+-      unsigned long hint;
+-      int ret = 0;
+-
+-      if (!signal_page)
+-              signal_page = get_signal_page();
+-      if (!signal_page)
+-              return -ENOMEM;
+-
+-      npages = 1; /* for sigpage */
+-      npages += vdso_total_pages;
+       if (down_write_killable(&mm->mmap_sem))
+               return -EINTR;
+-      hint = sigpage_addr(mm, npages);
+-      addr = get_unmapped_area(NULL, hint, npages << PAGE_SHIFT, 0, 0);
+-      if (IS_ERR_VALUE(addr)) {
+-              ret = addr;
+-              goto up_fail;
+-      }
+-
+-      vma = _install_special_mapping(mm, addr, PAGE_SIZE,
+-              VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
+-              &sigpage_mapping);
+-
+-      if (IS_ERR(vma)) {
+-              ret = PTR_ERR(vma);
+-              goto up_fail;
+-      }
+-
+-      mm->context.sigpage = addr;
+-
+-      /* Unlike the sigpage, failure to install the vdso is unlikely
+-       * to be fatal to the process, so no error check needed
+-       * here.
+-       */
+-      arm_install_vdso(mm, addr + PAGE_SIZE);
+-
+- up_fail:
++      mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC;
+       up_write(&mm->mmap_sem);
+-      return ret;
++      return 0;
+ }
+ #endif
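Annotation: instead of installing a real sigpage VMA, the patched arch_setup_additional_pages() records a random, word-aligned address in the kernel range that userland cannot map; executing there traps into do_PrefetchAbort(), whose hunk later in this patch recognizes the sigpage window and emulates sigreturn. A standalone sketch of just the address arithmetic, assuming the conventional ARM 3G/1G split:

    #include <stdio.h>

    #define PAGE_OFFSET 0xC0000000UL   /* assumption: conventional 3G/1G split */

    /* Same arithmetic as the hunk above: a random offset in a ~1 GiB window,
     * forced to 4-byte alignment by masking the low two bits. */
    static unsigned long sigpage_addr(unsigned int rnd)
    {
        return (PAGE_OFFSET + (rnd % 0x3FFEFFE0UL)) & 0xFFFFFFFCUL;
    }

    int main(void)
    {
        printf("lowest  sigpage: %#010lx\n", sigpage_addr(0));
        printf("highest sigpage: %#010lx\n", sigpage_addr(0x3FFEFFDFu));
        return 0;
    }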
+diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
+index ae738a6..ee4d46f 100644
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -928,10 +928,19 @@ static void tracehook_report_syscall(struct pt_regs *regs,
+       regs->ARM_ip = ip;
+ }
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
+ {
+       current_thread_info()->syscall = scno;
++#ifdef CONFIG_GRKERNSEC_SETXID
++      if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++              gr_delayed_cred_worker();
++#endif
++
+       if (test_thread_flag(TIF_SYSCALL_TRACE))
+               tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
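Annotation: the TIF_GRSEC_SETXID hook defers a credential change requested by grsecurity's setxid handling to a safe point on syscall entry: the flag is atomically tested and cleared, so the worker runs at most once per request. A minimal standalone model of that pattern (GCC atomic builtins stand in for the kernel's thread_info flag helpers):

    #include <stdbool.h>
    #include <stdio.h>

    static unsigned long thread_flags;
    #define TIF_GRSEC_SETXID 0

    static bool test_and_clear_flag(int bit)
    {
        unsigned long mask = 1UL << bit;
        /* Atomically clear the bit and report whether it was set. */
        return __atomic_fetch_and(&thread_flags, ~mask, __ATOMIC_SEQ_CST) & mask;
    }

    static void gr_delayed_cred_worker(void) { puts("cred update applied"); }

    int main(void)
    {
        __atomic_fetch_or(&thread_flags, 1UL << TIF_GRSEC_SETXID, __ATOMIC_SEQ_CST);
        if (test_and_clear_flag(TIF_GRSEC_SETXID))  /* syscall entry hook */
            gr_delayed_cred_worker();
        if (test_and_clear_flag(TIF_GRSEC_SETXID))  /* second entry: no-op */
            gr_delayed_cred_worker();
        return 0;
    }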
+diff --git a/arch/arm/kernel/reboot.c b/arch/arm/kernel/reboot.c
+index 3fa867a..d610607 100644
+--- a/arch/arm/kernel/reboot.c
++++ b/arch/arm/kernel/reboot.c
+@@ -120,6 +120,7 @@ void machine_power_off(void)
+       if (pm_power_off)
+               pm_power_off();
++      while (1);
+ }
+ /*
+diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
+index 34e3f3c..3d2dada 100644
+--- a/arch/arm/kernel/setup.c
++++ b/arch/arm/kernel/setup.c
+@@ -112,6 +112,8 @@ EXPORT_SYMBOL(elf_hwcap);
+ unsigned int elf_hwcap2 __read_mostly;
+ EXPORT_SYMBOL(elf_hwcap2);
++pteval_t __supported_pte_mask __read_only;
++pmdval_t __supported_pmd_mask __read_only;
+ #ifdef MULTI_CPU
+ struct processor processor __ro_after_init;
+@@ -257,9 +259,13 @@ static int __get_cpu_architecture(void)
+                * Register 0 and check for VMSAv7 or PMSAv7 */
+               unsigned int mmfr0 = read_cpuid_ext(CPUID_EXT_MMFR0);
+               if ((mmfr0 & 0x0000000f) >= 0x00000003 ||
+-                  (mmfr0 & 0x000000f0) >= 0x00000030)
++                  (mmfr0 & 0x000000f0) >= 0x00000030) {
+                       cpu_arch = CPU_ARCH_ARMv7;
+-              else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
++                      if ((mmfr0 & 0x0000000f) == 0x00000005 || (mmfr0 & 0x0000000f) == 0x00000004) {
++                              __supported_pte_mask |= L_PTE_PXN;
++                              __supported_pmd_mask |= PMD_PXNTABLE;
++                      }
++              } else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
+                        (mmfr0 & 0x000000f0) == 0x00000020)
+                       cpu_arch = CPU_ARCH_ARMv6;
+               else
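Annotation: the added ID_MMFR0 check enables the PXN (Privileged eXecute Never) page-table bits only on VMSA implementations that advertise them; bits [3:0] encode VMSA support, and the values 4 and 5 indicate the PXN extension is present. A standalone decode of that field:

    #include <stdio.h>

    /* bits [3:0] of ID_MMFR0 encode VMSA support; values 4 and 5 mean the
     * PXN bit exists in the translation tables. */
    static int vmsa_supports_pxn(unsigned int mmfr0)
    {
        unsigned int vmsa = mmfr0 & 0xf;
        return vmsa == 0x4 || vmsa == 0x5;
    }

    int main(void)
    {
        printf("VMSA=3: pxn=%d\n", vmsa_supports_pxn(0x00000003));
        printf("VMSA=5: pxn=%d\n", vmsa_supports_pxn(0x00000005));
        return 0;
    }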
+diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
+index 7b8f214..ece8e28 100644
+--- a/arch/arm/kernel/signal.c
++++ b/arch/arm/kernel/signal.c
+@@ -24,8 +24,6 @@
+ extern const unsigned long sigreturn_codes[7];
+-static unsigned long signal_return_offset;
+-
+ #ifdef CONFIG_CRUNCH
+ static int preserve_crunch_context(struct crunch_sigframe __user *frame)
+ {
+@@ -388,8 +386,7 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig,
+                        * except when the MPU has protected the vectors
+                        * page from PL0
+                        */
+-                      retcode = mm->context.sigpage + signal_return_offset +
+-                                (idx << 2) + thumb;
++                      retcode = mm->context.sigpage + (idx << 2) + thumb;
+               } else
+ #endif
+               {
+@@ -601,33 +598,3 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall)
+       } while (thread_flags & _TIF_WORK_MASK);
+       return 0;
+ }
+-
+-struct page *get_signal_page(void)
+-{
+-      unsigned long ptr;
+-      unsigned offset;
+-      struct page *page;
+-      void *addr;
+-
+-      page = alloc_pages(GFP_KERNEL, 0);
+-
+-      if (!page)
+-              return NULL;
+-
+-      addr = page_address(page);
+-
+-      /* Give the signal return code some randomness */
+-      offset = 0x200 + (get_random_int() & 0x7fc);
+-      signal_return_offset = offset;
+-
+-      /*
+-       * Copy signal return handlers into the vector page, and
+-       * set sigreturn to be a pointer to these.
+-       */
+-      memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
+-
+-      ptr = (unsigned long)addr + offset;
+-      flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
+-
+-      return page;
+-}
+diff --git a/arch/arm/kernel/tcm.c b/arch/arm/kernel/tcm.c
+index b10e136..cb5edf9 100644
+--- a/arch/arm/kernel/tcm.c
++++ b/arch/arm/kernel/tcm.c
+@@ -64,7 +64,7 @@ static struct map_desc itcm_iomap[] __initdata = {
+               .virtual        = ITCM_OFFSET,
+               .pfn            = __phys_to_pfn(ITCM_OFFSET),
+               .length         = 0,
+-              .type           = MT_MEMORY_RWX_ITCM,
++              .type           = MT_MEMORY_RX_ITCM,
+       }
+ };
+@@ -362,7 +362,9 @@ void __init tcm_init(void)
+               start = &__sitcm_text;
+               end   = &__eitcm_text;
+               ram   = &__itcm_start;
++              pax_open_kernel();
+               memcpy(start, ram, itcm_code_sz);
++              pax_close_kernel();
+               pr_debug("CPU ITCM: copied code from %p - %p\n",
+                        start, end);
+               itcm_present = true;
+diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
+index 9688ec0..dd072c0 100644
+--- a/arch/arm/kernel/traps.c
++++ b/arch/arm/kernel/traps.c
+@@ -65,7 +65,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
+ void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
+ {
+ #ifdef CONFIG_KALLSYMS
+-      printk("[<%08lx>] (%ps) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from);
++      printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from);
+ #else
+       printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
+ #endif
+@@ -287,6 +287,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
+ static int die_owner = -1;
+ static unsigned int die_nest_count;
++extern void gr_handle_kernel_exploit(void);
++
+ static unsigned long oops_begin(void)
+ {
+       int cpu;
+@@ -329,6 +331,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
+               panic("Fatal exception in interrupt");
+       if (panic_on_oops)
+               panic("Fatal exception");
++
++      gr_handle_kernel_exploit();
++
+       if (signr)
+               do_exit(signr);
+ }
+diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
+index f7f55df..49c9f9e 100644
+--- a/arch/arm/kernel/vmlinux.lds.S
++++ b/arch/arm/kernel/vmlinux.lds.S
+@@ -44,7 +44,8 @@
+ #endif
+ #if (defined(CONFIG_SMP_ON_UP) && !defined(CONFIG_DEBUG_SPINLOCK)) || \
+-      defined(CONFIG_GENERIC_BUG) || defined(CONFIG_JUMP_LABEL)
++      defined(CONFIG_GENERIC_BUG) || defined(CONFIG_JUMP_LABEL) || \
++      defined(CONFIG_PAX_REFCOUNT)
+ #define ARM_EXIT_KEEP(x)      x
+ #define ARM_EXIT_DISCARD(x)
+ #else
+diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
+index 19b5f5c..9aa8e58 100644
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -59,7 +59,7 @@ static unsigned long hyp_default_vectors;
+ static DEFINE_PER_CPU(struct kvm_vcpu *, kvm_arm_running_vcpu);
+ /* The VMID used in the VTTBR */
+-static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
++static atomic64_unchecked_t kvm_vmid_gen = ATOMIC64_INIT(1);
+ static u32 kvm_next_vmid;
+ static unsigned int kvm_vmid_bits __read_mostly;
+ static DEFINE_SPINLOCK(kvm_vmid_lock);
+@@ -423,7 +423,7 @@ void force_vm_exit(const cpumask_t *mask)
+  */
+ static bool need_new_vmid_gen(struct kvm *kvm)
+ {
+-      return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
++      return unlikely(kvm->arch.vmid_gen != atomic64_read_unchecked(&kvm_vmid_gen));
+ }
+ /**
+@@ -456,7 +456,7 @@ static void update_vttbr(struct kvm *kvm)
+       /* First user of a new VMID generation? */
+       if (unlikely(kvm_next_vmid == 0)) {
+-              atomic64_inc(&kvm_vmid_gen);
++              atomic64_inc_unchecked(&kvm_vmid_gen);
+               kvm_next_vmid = 1;
+               /*
+@@ -473,7 +473,7 @@ static void update_vttbr(struct kvm *kvm)
+               kvm_call_hyp(__kvm_flush_vm_context);
+       }
+-      kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
++      kvm->arch.vmid_gen = atomic64_read_unchecked(&kvm_vmid_gen);
+       kvm->arch.vmid = kvm_next_vmid;
+       kvm_next_vmid++;
+       kvm_next_vmid &= (1 << kvm_vmid_bits) - 1;
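Annotation: kvm_vmid_gen is a counter that is allowed to grow without bound, so under PAX_REFCOUNT it is switched to the *_unchecked atomic variants, which opt out of the overflow trap that protects real reference counts. A minimal model of that distinction (an illustration of the idea, not the PaX implementation):

    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>

    /* Checked add: traps before a signed overflow can corrupt a refcount. */
    static int64_t atomic64_add_return_checked(int64_t v, int64_t *p)
    {
        if (*p > INT64_MAX - v) {
            fprintf(stderr, "refcount overflow detected\n");
            abort();
        }
        return *p += v;
    }

    /* Unchecked add: for counters like the VMID generation, where growth
     * past any bound is expected and harmless. */
    static int64_t atomic64_add_return_unchecked(int64_t v, int64_t *p)
    {
        return *p += v;
    }

    int main(void)
    {
        int64_t vmid_gen = 1;
        printf("gen=%lld\n", (long long)atomic64_add_return_unchecked(256, &vmid_gen));
        printf("gen=%lld\n", (long long)atomic64_add_return_checked(256, &vmid_gen));
        return 0;
    }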
+diff --git a/arch/arm/lib/copy_page.S b/arch/arm/lib/copy_page.S
+index 6ee2f67..d1cce76 100644
+--- a/arch/arm/lib/copy_page.S
++++ b/arch/arm/lib/copy_page.S
+@@ -10,6 +10,7 @@
+  *  ASM optimised string functions
+  */
+ #include <linux/linkage.h>
++#include <linux/const.h>
+ #include <asm/assembler.h>
+ #include <asm/asm-offsets.h>
+ #include <asm/cache.h>
+diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S
+index 1712f13..a3165dc 100644
+--- a/arch/arm/lib/csumpartialcopyuser.S
++++ b/arch/arm/lib/csumpartialcopyuser.S
+@@ -71,8 +71,8 @@
+  *  Returns : r0 = checksum, [[sp, #0], #0] = 0 or -EFAULT
+  */
+-#define FN_ENTRY      ENTRY(csum_partial_copy_from_user)
+-#define FN_EXIT               ENDPROC(csum_partial_copy_from_user)
++#define FN_ENTRY      ENTRY(__csum_partial_copy_from_user)
++#define FN_EXIT               ENDPROC(__csum_partial_copy_from_user)
+ #include "csumpartialcopygeneric.S"
+diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
+index 6bd1089..e999400 100644
+--- a/arch/arm/lib/uaccess_with_memcpy.c
++++ b/arch/arm/lib/uaccess_with_memcpy.c
+@@ -84,7 +84,7 @@ pin_page_for_write(const void __user *_addr, pte_t **ptep, spinlock_t **ptlp)
+       return 1;
+ }
+-static unsigned long noinline
++static unsigned long noinline __size_overflow(3)
+ __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
+ {
+       unsigned long ua_flags;
+@@ -157,7 +157,7 @@ arm_copy_to_user(void __user *to, const void *from, unsigned long n)
+       return n;
+ }
+       
+-static unsigned long noinline
++static unsigned long noinline __size_overflow(2)
+ __clear_user_memset(void __user *addr, unsigned long n)
+ {
+       unsigned long ua_flags;
+diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c
+index 06332f6..1fa0c71 100644
+--- a/arch/arm/mach-exynos/suspend.c
++++ b/arch/arm/mach-exynos/suspend.c
+@@ -724,8 +724,10 @@ void __init exynos_pm_init(void)
+       tmp |= pm_data->wake_disable_mask;
+       pmu_raw_writel(tmp, S5P_WAKEUP_MASK);
+-      exynos_pm_syscore_ops.suspend   = pm_data->pm_suspend;
+-      exynos_pm_syscore_ops.resume    = pm_data->pm_resume;
++      pax_open_kernel();
++      const_cast(exynos_pm_syscore_ops.suspend)       = pm_data->pm_suspend;
++      const_cast(exynos_pm_syscore_ops.resume)        = pm_data->pm_resume;
++      pax_close_kernel();
+       register_syscore_ops(&exynos_pm_syscore_ops);
+       suspend_set_ops(&exynos_suspend_ops);
+diff --git a/arch/arm/mach-mmp/mmp2.c b/arch/arm/mach-mmp/mmp2.c
+index afba546..9e5403d 100644
+--- a/arch/arm/mach-mmp/mmp2.c
++++ b/arch/arm/mach-mmp/mmp2.c
+@@ -98,7 +98,9 @@ void __init mmp2_init_irq(void)
+ {
+       mmp2_init_icu();
+ #ifdef CONFIG_PM
+-      icu_irq_chip.irq_set_wake = mmp2_set_wake;
++      pax_open_kernel();
++      const_cast(icu_irq_chip.irq_set_wake) = mmp2_set_wake;
++      pax_close_kernel();
+ #endif
+ }
+diff --git a/arch/arm/mach-mmp/pxa910.c b/arch/arm/mach-mmp/pxa910.c
+index 1ccbba9..7a95c29 100644
+--- a/arch/arm/mach-mmp/pxa910.c
++++ b/arch/arm/mach-mmp/pxa910.c
+@@ -84,7 +84,9 @@ void __init pxa910_init_irq(void)
+ {
+       icu_init_irq();
+ #ifdef CONFIG_PM
+-      icu_irq_chip.irq_set_wake = pxa910_set_wake;
++      pax_open_kernel();
++      const_cast(icu_irq_chip.irq_set_wake) = pxa910_set_wake;
++      pax_close_kernel();
+ #endif
+ }
+diff --git a/arch/arm/mach-mvebu/coherency.c b/arch/arm/mach-mvebu/coherency.c
+index ae2a018..297ad08 100644
+--- a/arch/arm/mach-mvebu/coherency.c
++++ b/arch/arm/mach-mvebu/coherency.c
+@@ -156,7 +156,7 @@ static void __init armada_370_coherency_init(struct device_node *np)
+ /*
+  * This ioremap hook is used on Armada 375/38x to ensure that all MMIO
+- * areas are mapped as MT_UNCACHED instead of MT_DEVICE. This is
++ * areas are mapped as MT_UNCACHED_RW instead of MT_DEVICE. This is
+  * needed for the HW I/O coherency mechanism to work properly without
+  * deadlock.
+  */
+@@ -164,7 +164,7 @@ static void __iomem *
+ armada_wa_ioremap_caller(phys_addr_t phys_addr, size_t size,
+                        unsigned int mtype, void *caller)
+ {
+-      mtype = MT_UNCACHED;
++      mtype = MT_UNCACHED_RW;
+       return __arm_ioremap_caller(phys_addr, size, mtype, caller);
+ }
+@@ -174,7 +174,7 @@ static void __init armada_375_380_coherency_init(struct device_node *np)
+       coherency_cpu_base = of_iomap(np, 0);
+       arch_ioremap_caller = armada_wa_ioremap_caller;
+-      pci_ioremap_set_mem_type(MT_UNCACHED);
++      pci_ioremap_set_mem_type(MT_UNCACHED_RW);
+       /*
+        * We should switch the PL310 to I/O coherency mode only if
+diff --git a/arch/arm/mach-mvebu/pmsu.c b/arch/arm/mach-mvebu/pmsu.c
+index f39bd51..866c780 100644
+--- a/arch/arm/mach-mvebu/pmsu.c
++++ b/arch/arm/mach-mvebu/pmsu.c
+@@ -93,7 +93,7 @@
+ #define ARMADA_370_CRYPT0_ENG_ATTR     0x1
+ extern void ll_disable_coherency(void);
+-extern void ll_enable_coherency(void);
++extern int ll_enable_coherency(void);
+ extern void armada_370_xp_cpu_resume(void);
+ extern void armada_38x_cpu_resume(void);
+diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c
+index 6b6fda6..232df1e 100644
+--- a/arch/arm/mach-omap2/board-n8x0.c
++++ b/arch/arm/mach-omap2/board-n8x0.c
+@@ -568,7 +568,7 @@ static int n8x0_menelaus_late_init(struct device *dev)
+ }
+ #endif
+-struct menelaus_platform_data n8x0_menelaus_platform_data __initdata = {
++struct menelaus_platform_data n8x0_menelaus_platform_data __initconst = {
+       .late_init = n8x0_menelaus_late_init,
+ };
+diff --git a/arch/arm/mach-omap2/omap-mpuss-lowpower.c b/arch/arm/mach-omap2/omap-mpuss-lowpower.c
+index 7d62ad4..97774b1 100644
+--- a/arch/arm/mach-omap2/omap-mpuss-lowpower.c
++++ b/arch/arm/mach-omap2/omap-mpuss-lowpower.c
+@@ -89,7 +89,7 @@ struct cpu_pm_ops {
+       void (*resume)(void);
+       void (*scu_prepare)(unsigned int cpu_id, unsigned int cpu_state);
+       void (*hotplug_restart)(void);
+-};
++} __no_const;
+ static DEFINE_PER_CPU(struct omap4_cpu_pm_info, omap4_pm_info);
+ static struct powerdomain *mpuss_pd;
+@@ -107,7 +107,7 @@ static void dummy_cpu_resume(void)
+ static void dummy_scu_prepare(unsigned int cpu_id, unsigned int cpu_state)
+ {}
+-static struct cpu_pm_ops omap_pm_ops = {
++static struct cpu_pm_ops omap_pm_ops __read_only = {
+       .finish_suspend         = default_finish_suspend,
+       .resume                 = dummy_cpu_resume,
+       .scu_prepare            = dummy_scu_prepare,
+diff --git a/arch/arm/mach-omap2/omap-smp.c b/arch/arm/mach-omap2/omap-smp.c
+index b4de3da..e027393 100644
+--- a/arch/arm/mach-omap2/omap-smp.c
++++ b/arch/arm/mach-omap2/omap-smp.c
+@@ -19,6 +19,7 @@
+ #include <linux/device.h>
+ #include <linux/smp.h>
+ #include <linux/io.h>
++#include <linux/irq.h>
+ #include <linux/irqchip/arm-gic.h>
+ #include <asm/smp_scu.h>
+diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c
+index e920dd8..ef999171 100644
+--- a/arch/arm/mach-omap2/omap_device.c
++++ b/arch/arm/mach-omap2/omap_device.c
+@@ -530,7 +530,7 @@ void omap_device_delete(struct omap_device *od)
+ struct platform_device __init *omap_device_build(const char *pdev_name,
+                                                int pdev_id,
+                                                struct omap_hwmod *oh,
+-                                               void *pdata, int pdata_len)
++                                               const void *pdata, int pdata_len)
+ {
+       struct omap_hwmod *ohs[] = { oh };
+@@ -558,7 +558,7 @@ struct platform_device __init *omap_device_build(const char *pdev_name,
+ struct platform_device __init *omap_device_build_ss(const char *pdev_name,
+                                                   int pdev_id,
+                                                   struct omap_hwmod **ohs,
+-                                                  int oh_cnt, void *pdata,
++                                                  int oh_cnt, const void *pdata,
+                                                   int pdata_len)
+ {
+       int ret = -ENOMEM;
+diff --git a/arch/arm/mach-omap2/omap_device.h b/arch/arm/mach-omap2/omap_device.h
+index 78c02b3..c94109a 100644
+--- a/arch/arm/mach-omap2/omap_device.h
++++ b/arch/arm/mach-omap2/omap_device.h
+@@ -72,12 +72,12 @@ int omap_device_idle(struct platform_device *pdev);
+ /* Core code interface */
+ struct platform_device *omap_device_build(const char *pdev_name, int pdev_id,
+-                                        struct omap_hwmod *oh, void *pdata,
++                                        struct omap_hwmod *oh, const void *pdata,
+                                         int pdata_len);
+ struct platform_device *omap_device_build_ss(const char *pdev_name, int pdev_id,
+                                        struct omap_hwmod **oh, int oh_cnt,
+-                                       void *pdata, int pdata_len);
++                                       const void *pdata, int pdata_len);
+ struct omap_device *omap_device_alloc(struct platform_device *pdev,
+                                     struct omap_hwmod **ohs, int oh_cnt);
+diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
+index 1052b29..54669b0 100644
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -206,10 +206,10 @@ struct omap_hwmod_soc_ops {
+       void (*update_context_lost)(struct omap_hwmod *oh);
+       int (*get_context_lost)(struct omap_hwmod *oh);
+       int (*disable_direct_prcm)(struct omap_hwmod *oh);
+-};
++} __no_const;
+ /* soc_ops: adapts the omap_hwmod code to the currently-booted SoC */
+-static struct omap_hwmod_soc_ops soc_ops;
++static struct omap_hwmod_soc_ops soc_ops __read_only;
+ /* omap_hwmod_list contains all registered struct omap_hwmods */
+ static LIST_HEAD(omap_hwmod_list);
+diff --git a/arch/arm/mach-omap2/powerdomains43xx_data.c b/arch/arm/mach-omap2/powerdomains43xx_data.c
+index 95fee54..b5dd79d 100644
+--- a/arch/arm/mach-omap2/powerdomains43xx_data.c
++++ b/arch/arm/mach-omap2/powerdomains43xx_data.c
+@@ -10,6 +10,7 @@
+ #include <linux/kernel.h>
+ #include <linux/init.h>
++#include <asm/pgtable.h>
+ #include "powerdomain.h"
+@@ -129,7 +130,9 @@ static int am43xx_check_vcvp(void)
+ void __init am43xx_powerdomains_init(void)
+ {
+-      omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;
++      pax_open_kernel();
++      const_cast(omap4_pwrdm_operations.pwrdm_has_voltdm) = am43xx_check_vcvp;
++      pax_close_kernel();
+       pwrdm_register_platform_funcs(&omap4_pwrdm_operations);
+       pwrdm_register_pwrdms(powerdomains_am43xx);
+       pwrdm_complete_init();
+diff --git a/arch/arm/mach-omap2/wd_timer.c b/arch/arm/mach-omap2/wd_timer.c
+index ff0a68c..b312aa0 100644
+--- a/arch/arm/mach-omap2/wd_timer.c
++++ b/arch/arm/mach-omap2/wd_timer.c
+@@ -110,7 +110,9 @@ static int __init omap_init_wdt(void)
+       struct omap_hwmod *oh;
+       char *oh_name = "wd_timer2";
+       char *dev_name = "omap_wdt";
+-      struct omap_wd_timer_platform_data pdata;
++      static struct omap_wd_timer_platform_data pdata = {
++              .read_reset_sources = prm_read_reset_sources
++      };
+       if (!cpu_class_is_omap2() || of_have_populated_dt())
+               return 0;
+@@ -121,8 +123,6 @@ static int __init omap_init_wdt(void)
+               return -EINVAL;
+       }
+-      pdata.read_reset_sources = prm_read_reset_sources;
+-
+       pdev = omap_device_build(dev_name, id, oh, &pdata,
+                                sizeof(struct omap_wd_timer_platform_data));
+       WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n",
+diff --git a/arch/arm/mach-s3c64xx/mach-smdk6410.c b/arch/arm/mach-s3c64xx/mach-smdk6410.c
+index 92ec8c3..3b09472 100644
+--- a/arch/arm/mach-s3c64xx/mach-smdk6410.c
++++ b/arch/arm/mach-s3c64xx/mach-smdk6410.c
+@@ -240,7 +240,7 @@ static struct platform_device smdk6410_b_pwr_5v = {
+ };
+ #endif
+-static struct s3c_ide_platdata smdk6410_ide_pdata __initdata = {
++static const struct s3c_ide_platdata smdk6410_ide_pdata __initconst = {
+       .setup_gpio     = s3c64xx_ide_setup_gpio,
+ };
+diff --git a/arch/arm/mach-shmobile/platsmp-apmu.c b/arch/arm/mach-shmobile/platsmp-apmu.c
+index 0c6bb45..0f18d70 100644
+--- a/arch/arm/mach-shmobile/platsmp-apmu.c
++++ b/arch/arm/mach-shmobile/platsmp-apmu.c
+@@ -22,6 +22,7 @@
+ #include <asm/proc-fns.h>
+ #include <asm/smp_plat.h>
+ #include <asm/suspend.h>
++#include <asm/pgtable.h>
+ #include "common.h"
+ #include "platsmp-apmu.h"
+ #include "rcar-gen2.h"
+@@ -316,6 +317,8 @@ static int shmobile_smp_apmu_enter_suspend(suspend_state_t state)
+ void __init shmobile_smp_apmu_suspend_init(void)
+ {
+-      shmobile_suspend_ops.enter = shmobile_smp_apmu_enter_suspend;
++      pax_open_kernel();
++      const_cast(shmobile_suspend_ops.enter) = shmobile_smp_apmu_enter_suspend;
++      pax_close_kernel();
+ }
+ #endif
+diff --git a/arch/arm/mach-tegra/cpuidle-tegra20.c b/arch/arm/mach-tegra/cpuidle-tegra20.c
+index afcee04..63e52ac 100644
+--- a/arch/arm/mach-tegra/cpuidle-tegra20.c
++++ b/arch/arm/mach-tegra/cpuidle-tegra20.c
+@@ -178,7 +178,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev,
+       bool entered_lp2 = false;
+       if (tegra_pending_sgi())
+-              ACCESS_ONCE(abort_flag) = true;
++              ACCESS_ONCE_RW(abort_flag) = true;
+       cpuidle_coupled_parallel_barrier(dev, &abort_barrier);
+diff --git a/arch/arm/mach-tegra/irq.c b/arch/arm/mach-tegra/irq.c
+index a69b22d..8523a03 100644
+--- a/arch/arm/mach-tegra/irq.c
++++ b/arch/arm/mach-tegra/irq.c
+@@ -20,6 +20,7 @@
+ #include <linux/cpu_pm.h>
+ #include <linux/interrupt.h>
+ #include <linux/io.h>
++#include <linux/irq.h>
+ #include <linux/irqchip/arm-gic.h>
+ #include <linux/irq.h>
+ #include <linux/kernel.h>
+diff --git a/arch/arm/mach-ux500/pm.c b/arch/arm/mach-ux500/pm.c
+index a970e7f..6f2bf9a 100644
+--- a/arch/arm/mach-ux500/pm.c
++++ b/arch/arm/mach-ux500/pm.c
+@@ -10,6 +10,7 @@
+  */
+ #include <linux/kernel.h>
++#include <linux/irq.h>
+ #include <linux/irqchip/arm-gic.h>
+ #include <linux/delay.h>
+ #include <linux/io.h>
+diff --git a/arch/arm/mach-zynq/platsmp.c b/arch/arm/mach-zynq/platsmp.c
+index 7cd9865..a00b6ab 100644
+--- a/arch/arm/mach-zynq/platsmp.c
++++ b/arch/arm/mach-zynq/platsmp.c
+@@ -24,6 +24,7 @@
+ #include <linux/io.h>
+ #include <asm/cacheflush.h>
+ #include <asm/smp_scu.h>
++#include <linux/irq.h>
+ #include <linux/irqchip/arm-gic.h>
+ #include "common.h"
+diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
+index c1799dd..9111dcc 100644
+--- a/arch/arm/mm/Kconfig
++++ b/arch/arm/mm/Kconfig
+@@ -446,6 +446,7 @@ config CPU_32v5
+ config CPU_32v6
+       bool
++      select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
+       select TLS_REG_EMUL if !CPU_32v6K && !MMU
+ config CPU_32v6K
+@@ -603,6 +604,7 @@ config CPU_CP15_MPU
+ config CPU_USE_DOMAINS
+       bool
++      depends on !ARM_LPAE && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
+       help
+         This option enables or disables the use of domain switching
+         via the set_fs() function.
+@@ -813,7 +815,7 @@ config NEED_KUSER_HELPERS
+ config KUSER_HELPERS
+       bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
+-      depends on MMU
++      depends on MMU && (!(CPU_V6 || CPU_V6K || CPU_V7) || GRKERNSEC_OLD_ARM_USERLAND)
+       default y
+       help
+         Warning: disabling this option may break user programs.
+@@ -827,7 +829,7 @@ config KUSER_HELPERS
+         See Documentation/arm/kernel_user_helpers.txt for details.
+         However, the fixed address nature of these helpers can be used
+-        by ROP (return orientated programming) authors when creating
++        by ROP (Return Oriented Programming) authors when creating
+         exploits.
+         If all of the binaries and libraries which run on your platform
+@@ -842,7 +844,7 @@ config KUSER_HELPERS
+ config VDSO
+       bool "Enable VDSO for acceleration of some system calls"
+-      depends on AEABI && MMU && CPU_V7
++      depends on AEABI && MMU && CPU_V7 && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
+       default y if ARM_ARCH_TIMER
+       select GENERIC_TIME_VSYSCALL
+       help
+diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
+index 7d5f4c7..c6a0816 100644
+--- a/arch/arm/mm/alignment.c
++++ b/arch/arm/mm/alignment.c
+@@ -778,6 +778,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+       u16 tinstr = 0;
+       int isize = 4;
+       int thumb2_32b = 0;
++      bool is_user_mode = user_mode(regs);
+       if (interrupts_enabled(regs))
+               local_irq_enable();
+@@ -786,14 +787,24 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+       if (thumb_mode(regs)) {
+               u16 *ptr = (u16 *)(instrptr & ~1);
+-              fault = probe_kernel_address(ptr, tinstr);
++              if (is_user_mode) {
++                      pax_open_userland();
++                      fault = probe_kernel_address(ptr, tinstr);
++                      pax_close_userland();
++              } else
++                      fault = probe_kernel_address(ptr, tinstr);
+               tinstr = __mem_to_opcode_thumb16(tinstr);
+               if (!fault) {
+                       if (cpu_architecture() >= CPU_ARCH_ARMv7 &&
+                           IS_T32(tinstr)) {
+                               /* Thumb-2 32-bit */
+                               u16 tinst2 = 0;
+-                              fault = probe_kernel_address(ptr + 1, tinst2);
++                              if (is_user_mode) {
++                                      pax_open_userland();
++                                      fault = probe_kernel_address(ptr + 1, tinst2);
++                                      pax_close_userland();
++                              } else
++                                      fault = probe_kernel_address(ptr + 1, tinst2);
+                               tinst2 = __mem_to_opcode_thumb16(tinst2);
+                               instr = __opcode_thumb32_compose(tinstr, tinst2);
+                               thumb2_32b = 1;
+@@ -803,7 +814,12 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+                       }
+               }
+       } else {
+-              fault = probe_kernel_address((void *)instrptr, instr);
++              if (is_user_mode) {
++                      pax_open_userland();
++                      fault = probe_kernel_address((void *)instrptr, instr);
++                      pax_close_userland();
++              } else
++                      fault = probe_kernel_address((void *)instrptr, instr);
+               instr = __mem_to_opcode_arm(instr);
+       }
+@@ -812,7 +828,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+               goto bad_or_fault;
+       }
+-      if (user_mode(regs))
++      if (is_user_mode)
+               goto user;
+       ai_sys += 1;
+diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
+index d1870c7..36d500f 100644
+--- a/arch/arm/mm/cache-l2x0.c
++++ b/arch/arm/mm/cache-l2x0.c
+@@ -44,7 +44,7 @@ struct l2c_init_data {
+       void (*configure)(void __iomem *);
+       void (*unlock)(void __iomem *, unsigned);
+       struct outer_cache_fns outer_cache;
+-};
++} __do_const;
+ #define CACHE_LINE_SIZE               32
+diff --git a/arch/arm/mm/context.c b/arch/arm/mm/context.c
+index c8c8b9e..c55cc79 100644
+--- a/arch/arm/mm/context.c
++++ b/arch/arm/mm/context.c
+@@ -43,7 +43,7 @@
+ #define NUM_USER_ASIDS                ASID_FIRST_VERSION
+ static DEFINE_RAW_SPINLOCK(cpu_asid_lock);
+-static atomic64_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
++static atomic64_unchecked_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
+ static DECLARE_BITMAP(asid_map, NUM_USER_ASIDS);
+ static DEFINE_PER_CPU(atomic64_t, active_asids);
+@@ -193,7 +193,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
+ {
+       static u32 cur_idx = 1;
+       u64 asid = atomic64_read(&mm->context.id);
+-      u64 generation = atomic64_read(&asid_generation);
++      u64 generation = atomic64_read_unchecked(&asid_generation);
+       if (asid != 0) {
+               u64 newasid = generation | (asid & ~ASID_MASK);
+@@ -225,7 +225,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
+        */
+       asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx);
+       if (asid == NUM_USER_ASIDS) {
+-              generation = atomic64_add_return(ASID_FIRST_VERSION,
++              generation = atomic64_add_return_unchecked(ASID_FIRST_VERSION,
+                                                &asid_generation);
+               flush_context(cpu);
+               asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
+@@ -254,14 +254,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
+       cpu_set_reserved_ttbr0();
+       asid = atomic64_read(&mm->context.id);
+-      if (!((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS)
++      if (!((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS)
+           && atomic64_xchg(&per_cpu(active_asids, cpu), asid))
+               goto switch_mm_fastpath;
+       raw_spin_lock_irqsave(&cpu_asid_lock, flags);
+       /* Check that our ASID belongs to the current generation. */
+       asid = atomic64_read(&mm->context.id);
+-      if ((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) {
++      if ((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS) {
+               asid = new_context(mm, cpu);
+               atomic64_set(&mm->context.id, asid);
+       }
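Annotation: asid_generation packs a generation number above the low ASID_BITS of the hardware ASID, and the XOR-and-shift test above detects a context whose generation is stale after a rollover. The arithmetic in isolation (ASID_BITS is 8 here purely for illustration):

    #include <stdint.h>
    #include <stdio.h>

    #define ASID_BITS          8
    #define ASID_FIRST_VERSION (1ULL << ASID_BITS)

    static int asid_is_stale(uint64_t asid, uint64_t generation)
    {
        /* High bits differ iff the context predates the current generation. */
        return ((asid ^ generation) >> ASID_BITS) != 0;
    }

    int main(void)
    {
        uint64_t generation = ASID_FIRST_VERSION;
        uint64_t asid = generation | 0x2a;     /* generation | hardware ASID */

        printf("stale before rollover: %d\n", asid_is_stale(asid, generation));
        generation += ASID_FIRST_VERSION;      /* atomic64_add_return(_unchecked) */
        printf("stale after  rollover: %d\n", asid_is_stale(asid, generation));
        return 0;
    }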
+diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
+index 0122ad1..1aae1cb 100644
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -25,6 +25,7 @@
+ #include <asm/system_misc.h>
+ #include <asm/system_info.h>
+ #include <asm/tlbflush.h>
++#include <asm/sections.h>
+ #include "fault.h"
+@@ -138,6 +139,31 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
+       if (fixup_exception(regs))
+               return;
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++      if (addr < TASK_SIZE) {
++              if (current->signal->curr_ip)
++                      printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
++                                      from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
++              else
++                      printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
++                                      from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
++      }
++#endif
++
++#ifdef CONFIG_PAX_KERNEXEC
++      if ((fsr & FSR_WRITE) &&
++          (((unsigned long)_stext <= addr && addr < init_mm.end_code) ||
++           (MODULES_VADDR <= addr && addr < MODULES_END)))
++      {
++              if (current->signal->curr_ip)
++                      printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
++                                      from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
++              else
++                      printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
++                                      from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
++      }
++#endif
++
+       /*
+        * No handler, we'll have to terminate things with extreme prejudice.
+        */
+@@ -173,6 +199,13 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr,
+       }
+ #endif
++#ifdef CONFIG_PAX_PAGEEXEC
++      if ((tsk->mm->pax_flags & MF_PAX_PAGEEXEC) && (fsr & FSR_LNX_PF)) {
++              pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
++              do_group_exit(SIGKILL);
++      }
++#endif
++
+       tsk->thread.address = addr;
+       tsk->thread.error_code = fsr;
+       tsk->thread.trap_no = 14;
+@@ -400,6 +433,33 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+ }
+ #endif                                        /* CONFIG_MMU */
++#ifdef CONFIG_PAX_PAGEEXEC
++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
++{
++      long i;
++
++      printk(KERN_ERR "PAX: bytes at PC: ");
++      for (i = 0; i < 20; i++) {
++              unsigned char c;
++              if (get_user(c, (__force unsigned char __user *)pc+i))
++                      printk(KERN_CONT "?? ");
++              else
++                      printk(KERN_CONT "%02x ", c);
++      }
++      printk("\n");
++
++      printk(KERN_ERR "PAX: bytes at SP-4: ");
++      for (i = -1; i < 20; i++) {
++              unsigned long c;
++              if (get_user(c, (__force unsigned long __user *)sp+i))
++                      printk(KERN_CONT "???????? ");
++              else
++                      printk(KERN_CONT "%08lx ", c);
++      }
++      printk("\n");
++}
++#endif
++
+ /*
+  * First Level Translation Fault Handler
+  *
+@@ -547,9 +607,22 @@ do_DataAbort(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
+       const struct fsr_info *inf = fsr_info + fsr_fs(fsr);
+       struct siginfo info;
++#ifdef CONFIG_PAX_MEMORY_UDEREF
++      if (addr < TASK_SIZE && is_domain_fault(fsr)) {
++              if (current->signal->curr_ip)
++                      printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
++                                      from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
++              else
++                      printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
++                                      from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
++              goto die;
++      }
++#endif
++
+       if (!inf->fn(addr, fsr & ~FSR_LNX_PF, regs))
+               return;
++die:
+       pr_alert("Unhandled fault: %s (0x%03x) at 0x%08lx\n",
+               inf->name, fsr, addr);
+       show_pte(current->mm, addr);
+@@ -574,15 +647,118 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *
+       ifsr_info[nr].name = name;
+ }
++asmlinkage int sys_sigreturn(struct pt_regs *regs);
++asmlinkage int sys_rt_sigreturn(struct pt_regs *regs);
++
+ asmlinkage void __exception
+ do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
+ {
+       const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
+       struct siginfo info;
++      unsigned long pc = instruction_pointer(regs);
++
++      if (user_mode(regs)) {
++              unsigned long sigpage = current->mm->context.sigpage;
++
++              if (sigpage <= pc && pc < sigpage + 7*4) {
++                      if (pc < sigpage + 3*4)
++                              sys_sigreturn(regs);
++                      else
++                              sys_rt_sigreturn(regs);
++                      return;
++              }
++              if (pc == 0xffff0f60UL) {
++                      /*
++                       * PaX: __kuser_cmpxchg64 emulation
++                       */
++                      // TODO
++                      //regs->ARM_pc = regs->ARM_lr;
++                      //return;
++              }
++              if (pc == 0xffff0fa0UL) {
++                      /*
++                       * PaX: __kuser_memory_barrier emulation
++                       */
++                      // dmb(); implied by the exception
++                      regs->ARM_pc = regs->ARM_lr;
++#ifdef CONFIG_ARM_THUMB
++                      if (regs->ARM_lr & 1) {
++                              regs->ARM_cpsr |= PSR_T_BIT;
++                              regs->ARM_pc &= ~0x1U;
++                      } else
++                              regs->ARM_cpsr &= ~PSR_T_BIT;
++#endif
++                      return;
++              }
++              if (pc == 0xffff0fc0UL) {
++                      /*
++                       * PaX: __kuser_cmpxchg emulation
++                       */
++                      // TODO
++                      //long new;
++                      //int op;
++
++                      //op = FUTEX_OP_SET << 28;
++                      //new = futex_atomic_op_inuser(op, regs->ARM_r2);
++                      //regs->ARM_r0 = old != new;
++                      //regs->ARM_pc = regs->ARM_lr;
++                      //return;
++              }
++              if (pc == 0xffff0fe0UL) {
++                      /*
++                       * PaX: __kuser_get_tls emulation
++                       */
++                      regs->ARM_r0 = current_thread_info()->tp_value[0];
++                      regs->ARM_pc = regs->ARM_lr;
++#ifdef CONFIG_ARM_THUMB
++                      if (regs->ARM_lr & 1) {
++                              regs->ARM_cpsr |= PSR_T_BIT;
++                              regs->ARM_pc &= ~0x1U;
++                      } else
++                              regs->ARM_cpsr &= ~PSR_T_BIT;
++#endif
++                      return;
++              }
++      }
++
++#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
++      else if (is_domain_fault(ifsr) || is_xn_fault(ifsr)) {
++              if (current->signal->curr_ip)
++                      printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
++                                      from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
++                                      pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
++              else
++                      printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current),
++                                      from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
++                                      pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
++              goto die;
++      }
++#endif
++
++#ifdef CONFIG_PAX_REFCOUNT
++      if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) {
++#ifdef CONFIG_THUMB2_KERNEL
++              unsigned short bkpt;
++
++              if (!probe_kernel_address((const unsigned short *)pc, bkpt) && cpu_to_le16(bkpt) == 0xbef1) {
++#else
++              unsigned int bkpt;
++
++              if (!probe_kernel_address((const unsigned int *)pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) {
++#endif
++                      current->thread.error_code = ifsr;
++                      current->thread.trap_no = 0;
++                      pax_report_refcount_error(regs, NULL);
++                      fixup_exception(regs);
++                      return;
++              }
++      }
++#endif
+       if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
+               return;
++die:
+       pr_alert("Unhandled prefetch abort: %s (0x%03x) at 0x%08lx\n",
+               inf->name, ifsr, addr);
+diff --git a/arch/arm/mm/fault.h b/arch/arm/mm/fault.h
+index afc1f84..b1daab5 100644
+--- a/arch/arm/mm/fault.h
++++ b/arch/arm/mm/fault.h
+@@ -3,6 +3,7 @@
+ /*
+  * Fault status register encodings.  We steal bit 31 for our own purposes.
++ * Set when the FSR value is from an instruction fault.
+  */
+ #define FSR_LNX_PF            (1 << 31)
+ #define FSR_WRITE             (1 << 11)
+@@ -26,6 +27,17 @@ static inline int fsr_fs(unsigned int fsr)
+ }
+ #endif
++/* valid for LPAE and !LPAE */
++static inline int is_xn_fault(unsigned int fsr)
++{
++      return ((fsr_fs(fsr) & 0x3c) == 0xc);
++}
++
++static inline int is_domain_fault(unsigned int fsr)
++{
++      return ((fsr_fs(fsr) & 0xD) == 0x9);
++}
++
+ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs);
+ void early_abt_enable(void);
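Annotation: the two new predicates classify a fault-status value after it has been folded by fsr_fs(); for the short-descriptor format, FS[3:0] sit in bits 3:0 and FS[4] in bit 10. A standalone check of the bit masks used above:

    #include <stdio.h>

    /* Reproduce the non-LPAE fsr_fs(): fold FS[4] (bit 10) down to bit 4. */
    static int fsr_fs(unsigned int fsr)
    {
        return (fsr & 0xf) | ((fsr >> 6) & 0x10);
    }

    static int is_xn_fault(unsigned int fsr)     /* execute-never abort */
    {
        return (fsr_fs(fsr) & 0x3c) == 0xc;
    }

    static int is_domain_fault(unsigned int fsr) /* domain access abort */
    {
        return (fsr_fs(fsr) & 0xd) == 0x9;
    }

    int main(void)
    {
        printf("fsr=0x0d: xn=%d domain=%d\n", is_xn_fault(0x0d), is_domain_fault(0x0d));
        printf("fsr=0x09: xn=%d domain=%d\n", is_xn_fault(0x09), is_domain_fault(0x09));
        return 0;
    }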
+diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
+index 370581a..b985cc1 100644
+--- a/arch/arm/mm/init.c
++++ b/arch/arm/mm/init.c
+@@ -747,7 +747,46 @@ void free_tcmmem(void)
+ {
+ #ifdef CONFIG_HAVE_TCM
+       extern char __tcm_start, __tcm_end;
++#endif
++#ifdef CONFIG_PAX_KERNEXEC
++      unsigned long addr;
++      pgd_t *pgd;
++      pud_t *pud;
++      pmd_t *pmd;
++      int cpu_arch = cpu_architecture();
++      unsigned int cr = get_cr();
++
++      if (cpu_arch >= CPU_ARCH_ARMv6 && (cr & CR_XP)) {
++              /* make pages tables, etc before .text NX */
+              /* make page tables, etc. before .text NX */
++                      pgd = pgd_offset_k(addr);
++                      pud = pud_offset(pgd, addr);
++                      pmd = pmd_offset(pud, addr);
++                      __section_update(pmd, addr, PMD_SECT_XN);
++              }
++              /* make init NX */
++              for (addr = (unsigned long)__init_begin; addr < (unsigned long)_sdata; addr += SECTION_SIZE) {
++                      pgd = pgd_offset_k(addr);
++                      pud = pud_offset(pgd, addr);
++                      pmd = pmd_offset(pud, addr);
++                      __section_update(pmd, addr, PMD_SECT_XN);
++              }
++              /* make kernel code/rodata RX */
++              for (addr = (unsigned long)_stext; addr < (unsigned long)__init_begin; addr += SECTION_SIZE) {
++                      pgd = pgd_offset_k(addr);
++                      pud = pud_offset(pgd, addr);
++                      pmd = pmd_offset(pud, addr);
++#ifdef CONFIG_ARM_LPAE
++                      __section_update(pmd, addr, PMD_SECT_RDONLY);
++#else
++                      __section_update(pmd, addr, PMD_SECT_APX|PMD_SECT_AP_WRITE);
++#endif
++              }
++      }
++#endif
++
++#ifdef CONFIG_HAVE_TCM
+       poison_init_mem(&__tcm_start, &__tcm_end - &__tcm_start);
+       free_reserved_area(&__tcm_start, &__tcm_end, -1, "TCM link");
+ #endif
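Annotation: the KERNEXEC fixup above walks the kernel's linear mapping one section at a time and rewrites each PMD: everything below _stext and the init region become XN, while the text/rodata region becomes read-only executable. A sketch of the range arithmetic only (the symbol addresses are made up for the example; SECTION_SIZE is the 1 MiB short-descriptor section):

    #include <stdio.h>

    #define SECTION_SIZE 0x100000UL            /* 1 MiB sections (non-LPAE) */

    int main(void)
    {
        unsigned long page_offset = 0xC0000000UL; /* assumed 3G/1G split */
        unsigned long stext       = 0xC0208000UL; /* hypothetical _stext */
        unsigned long init_begin  = 0xC0900000UL; /* hypothetical __init_begin */
        unsigned long addr;
        unsigned int xn = 0, rx = 0;

        for (addr = page_offset; addr < stext; addr += SECTION_SIZE)
            xn++;          /* __section_update(pmd, addr, PMD_SECT_XN) */
        for (addr = stext; addr < init_begin; addr += SECTION_SIZE)
            rx++;          /* __section_update(pmd, addr, read-only bits) */

        printf("%u XN section(s) below _stext, %u RX text section(s)\n", xn, rx);
        return 0;
    }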
+diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
+index ff0eed2..f17f1c9 100644
+--- a/arch/arm/mm/ioremap.c
++++ b/arch/arm/mm/ioremap.c
+@@ -411,9 +411,9 @@ __arm_ioremap_exec(phys_addr_t phys_addr, size_t size, bool cached)
+       unsigned int mtype;
+       if (cached)
+-              mtype = MT_MEMORY_RWX;
++              mtype = MT_MEMORY_RX;
+       else
+-              mtype = MT_MEMORY_RWX_NONCACHED;
++              mtype = MT_MEMORY_RX_NONCACHED;
+       return __arm_ioremap_caller(phys_addr, size, mtype,
+                       __builtin_return_address(0));
+diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
+index 66353ca..8aad9f8 100644
+--- a/arch/arm/mm/mmap.c
++++ b/arch/arm/mm/mmap.c
+@@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+       struct vm_area_struct *vma;
+       int do_align = 0;
+       int aliasing = cache_is_vipt_aliasing();
++      unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
+       struct vm_unmapped_area_info info;
+       /*
+@@ -81,6 +82,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+       if (len > TASK_SIZE)
+               return -ENOMEM;
++#ifdef CONFIG_PAX_RANDMMAP
++      if (!(mm->pax_flags & MF_PAX_RANDMMAP))
++#endif
++
+       if (addr) {
+               if (do_align)
+                       addr = COLOUR_ALIGN(addr, pgoff);
+@@ -88,8 +93,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+                       addr = PAGE_ALIGN(addr);
+               vma = find_vma(mm, addr);
+-              if (TASK_SIZE - len >= addr &&
+-                  (!vma || addr + len <= vma->vm_start))
++              if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
+                       return addr;
+       }
+@@ -99,19 +103,21 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+       info.high_limit = TASK_SIZE;
+       info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
+       info.align_offset = pgoff << PAGE_SHIFT;
++      info.threadstack_offset = offset;
+       return vm_unmapped_area(&info);
+ }
+ unsigned long
+-arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+-                      const unsigned long len, const unsigned long pgoff,
+-                      const unsigned long flags)
++arch_get_unmapped_area_topdown(struct file *filp, unsigned long addr0,
++                      unsigned long len, unsigned long pgoff,
++                      unsigned long flags)
+ {
+       struct vm_area_struct *vma;
+       struct mm_struct *mm = current->mm;
+       unsigned long addr = addr0;
+       int do_align = 0;
+       int aliasing = cache_is_vipt_aliasing();
++      unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
+       struct vm_unmapped_area_info info;
+       /*
+@@ -132,6 +138,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+               return addr;
+       }
++#ifdef CONFIG_PAX_RANDMMAP
++      if (!(mm->pax_flags & MF_PAX_RANDMMAP))
++#endif
++
+       /* requesting a specific address */
+       if (addr) {
+               if (do_align)
+@@ -139,8 +149,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+               else
+                       addr = PAGE_ALIGN(addr);
+               vma = find_vma(mm, addr);
+-              if (TASK_SIZE - len >= addr &&
+-                              (!vma || addr + len <= vma->vm_start))
++              if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
+                       return addr;
+       }
+@@ -150,6 +159,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+       info.high_limit = mm->mmap_base;
+       info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
+       info.align_offset = pgoff << PAGE_SHIFT;
++      info.threadstack_offset = offset;
+       addr = vm_unmapped_area(&info);
+       /*
+@@ -182,14 +192,30 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
+       unsigned long random_factor = 0UL;
++#ifdef CONFIG_PAX_RANDMMAP
++      if (!(mm->pax_flags & MF_PAX_RANDMMAP))
++#endif
++
+       if (current->flags & PF_RANDOMIZE)
+               random_factor = arch_mmap_rnd();
+       if (mmap_is_legacy()) {
+               mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
++
++#ifdef CONFIG_PAX_RANDMMAP
++              if (mm->pax_flags & MF_PAX_RANDMMAP)
++                      mm->mmap_base += mm->delta_mmap;
++#endif
++
+               mm->get_unmapped_area = arch_get_unmapped_area;
+       } else {
+               mm->mmap_base = mmap_base(random_factor);
++
++#ifdef CONFIG_PAX_RANDMMAP
++              if (mm->pax_flags & MF_PAX_RANDMMAP)
++                      mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
++#endif
++
+               mm->get_unmapped_area = arch_get_unmapped_area_topdown;
+       }
+ }
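Annotation: under PAX_RANDMMAP the mmap base gains an extra per-mm delta on top of the stock random_factor: upward for the legacy bottom-up layout, downward (also absorbing the stack delta) for the top-down layout. A sketch of that adjustment with stubbed values (delta_mmap/delta_stack are per-mm random deltas kept by PaX, the constants are illustrative, and mmap_base() is simplified to TASK_SIZE minus the random factor):

    #include <stdio.h>

    #define TASK_UNMAPPED_BASE 0x40000000UL    /* assumption for the demo */
    #define TASK_SIZE          0xC0000000UL    /* assumption for the demo */

    int main(void)
    {
        unsigned long random_factor = 0x00a10000UL; /* arch_mmap_rnd() stand-in */
        unsigned long delta_mmap    = 0x02300000UL; /* PaX per-mm delta (stub) */
        unsigned long delta_stack   = 0x00120000UL; /* PaX per-mm delta (stub) */
        unsigned long base;

        /* Legacy layout: bottom-up, base pushed further up. */
        base = TASK_UNMAPPED_BASE + random_factor + delta_mmap;
        printf("legacy   mmap_base = %#lx\n", base);

        /* Top-down layout: base pulled further down, away from the stack. */
        base = (TASK_SIZE - random_factor) - delta_mmap - delta_stack;
        printf("top-down mmap_base = %#lx\n", base);
        return 0;
    }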
+diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
+index 4001dd1..c6dce7b 100644
+--- a/arch/arm/mm/mmu.c
++++ b/arch/arm/mm/mmu.c
+@@ -243,6 +243,14 @@ __setup("noalign", noalign_setup);
+ #define PROT_PTE_S2_DEVICE    PROT_PTE_DEVICE
+ #define PROT_SECT_DEVICE      PMD_TYPE_SECT|PMD_SECT_AP_WRITE
++#ifdef CONFIG_PAX_KERNEXEC
++#define L_PTE_KERNEXEC                L_PTE_RDONLY
++#define PMD_SECT_KERNEXEC     PMD_SECT_RDONLY
++#else
++#define L_PTE_KERNEXEC                L_PTE_DIRTY
++#define PMD_SECT_KERNEXEC     PMD_SECT_AP_WRITE
++#endif
++
+ static struct mem_type mem_types[] __ro_after_init = {
+       [MT_DEVICE] = {           /* Strongly ordered / ARMv6 shared device */
+               .prot_pte       = PROT_PTE_DEVICE | L_PTE_MT_DEV_SHARED |
+@@ -272,19 +280,19 @@ static struct mem_type mem_types[] __ro_after_init = {
+               .prot_sect      = PROT_SECT_DEVICE,
+               .domain         = DOMAIN_IO,
+       },
+-      [MT_UNCACHED] = {
++      [MT_UNCACHED_RW] = {
+               .prot_pte       = PROT_PTE_DEVICE,
+               .prot_l1        = PMD_TYPE_TABLE,
+               .prot_sect      = PMD_TYPE_SECT | PMD_SECT_XN,
+               .domain         = DOMAIN_IO,
+       },
+-      [MT_CACHECLEAN] = {
+-              .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
++      [MT_CACHECLEAN_RO] = {
++              .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_RDONLY,
+               .domain    = DOMAIN_KERNEL,
+       },
+ #ifndef CONFIG_ARM_LPAE
+-      [MT_MINICLEAN] = {
+-              .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_MINICACHE,
++      [MT_MINICLEAN_RO] = {
++              .prot_sect = PMD_TYPE_SECT | PMD_SECT_MINICACHE | PMD_SECT_XN | PMD_SECT_RDONLY,
+               .domain    = DOMAIN_KERNEL,
+       },
+ #endif
+@@ -300,7 +308,7 @@ static struct mem_type mem_types[] __ro_after_init = {
+               .prot_l1   = PMD_TYPE_TABLE,
+               .domain    = DOMAIN_VECTORS,
+       },
+-      [MT_MEMORY_RWX] = {
++      [__MT_MEMORY_RWX] = {
+               .prot_pte  = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
+               .prot_l1   = PMD_TYPE_TABLE,
+               .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
+@@ -313,17 +321,30 @@ static struct mem_type mem_types[] __ro_after_init = {
+               .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
+               .domain    = DOMAIN_KERNEL,
+       },
+-      [MT_ROM] = {
+-              .prot_sect = PMD_TYPE_SECT,
++      [MT_MEMORY_RX] = {
++              .prot_pte  = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC,
++              .prot_l1   = PMD_TYPE_TABLE,
++              .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
++              .domain    = DOMAIN_KERNEL,
++      },
++      [MT_ROM_RX] = {
++              .prot_sect = PMD_TYPE_SECT | PMD_SECT_RDONLY,
+               .domain    = DOMAIN_KERNEL,
+       },
+-      [MT_MEMORY_RWX_NONCACHED] = {
++      [MT_MEMORY_RW_NONCACHED] = {
+               .prot_pte  = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
+                               L_PTE_MT_BUFFERABLE,
+               .prot_l1   = PMD_TYPE_TABLE,
+               .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
+               .domain    = DOMAIN_KERNEL,
+       },
++      [MT_MEMORY_RX_NONCACHED] = {
++              .prot_pte  = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC |
++                              L_PTE_MT_BUFFERABLE,
++              .prot_l1   = PMD_TYPE_TABLE,
++              .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
++              .domain    = DOMAIN_KERNEL,
++      },
+       [MT_MEMORY_RW_DTCM] = {
+               .prot_pte  = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
+                               L_PTE_XN,
+@@ -331,9 +352,10 @@ static struct mem_type mem_types[] __ro_after_init = {
+               .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
+               .domain    = DOMAIN_KERNEL,
+       },
+-      [MT_MEMORY_RWX_ITCM] = {
+-              .prot_pte  = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
++      [MT_MEMORY_RX_ITCM] = {
++              .prot_pte  = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC,
+               .prot_l1   = PMD_TYPE_TABLE,
++              .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
+               .domain    = DOMAIN_KERNEL,
+       },
+       [MT_MEMORY_RW_SO] = {
+@@ -586,9 +608,14 @@ static void __init build_mem_type_table(void)
+                * Mark cache clean areas and XIP ROM read only
+                * from SVC mode and no access from userspace.
+                */
+-              mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
+-              mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
+-              mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
++              mem_types[MT_ROM_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
++#ifdef CONFIG_PAX_KERNEXEC
++              mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
++              mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
++              mem_types[MT_MEMORY_RX_ITCM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
++#endif
++              mem_types[MT_MINICLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
++              mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
+ #endif
+               /*
+@@ -605,13 +632,17 @@ static void __init build_mem_type_table(void)
+                       mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED;
+                       mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S;
+                       mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED;
+-                      mem_types[MT_MEMORY_RWX].prot_sect |= PMD_SECT_S;
+-                      mem_types[MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED;
++                      mem_types[__MT_MEMORY_RWX].prot_sect |= PMD_SECT_S;
++                      mem_types[__MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED;
+                       mem_types[MT_MEMORY_RW].prot_sect |= PMD_SECT_S;
+                       mem_types[MT_MEMORY_RW].prot_pte |= L_PTE_SHARED;
++                      mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_S;
++                      mem_types[MT_MEMORY_RX].prot_pte |= L_PTE_SHARED;
+                       mem_types[MT_MEMORY_DMA_READY].prot_pte |= L_PTE_SHARED;
+-                      mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_S;
+-                      mem_types[MT_MEMORY_RWX_NONCACHED].prot_pte |= L_PTE_SHARED;
++                      mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_S;
++                      mem_types[MT_MEMORY_RW_NONCACHED].prot_pte |= L_PTE_SHARED;
++                      mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_S;
++                      mem_types[MT_MEMORY_RX_NONCACHED].prot_pte |= L_PTE_SHARED;
+               }
+       }
+@@ -622,15 +653,20 @@ static void __init build_mem_type_table(void)
+       if (cpu_arch >= CPU_ARCH_ARMv6) {
+               if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
+                       /* Non-cacheable Normal is XCB = 001 */
+-                      mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |=
++                      mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |=
++                              PMD_SECT_BUFFERED;
++                      mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |=
+                               PMD_SECT_BUFFERED;
+               } else {
+                       /* For both ARMv6 and non-TEX-remapping ARMv7 */
+-                      mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |=
++                      mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |=
++                              PMD_SECT_TEX(1);
++                      mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |=
+                               PMD_SECT_TEX(1);
+               }
+       } else {
+-              mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
++              mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
++              mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
+       }
+ #ifdef CONFIG_ARM_LPAE
+@@ -651,6 +687,8 @@ static void __init build_mem_type_table(void)
+       user_pgprot |= PTE_EXT_PXN;
+ #endif
++      user_pgprot |= __supported_pte_mask;
++
+       for (i = 0; i < 16; i++) {
+               pteval_t v = pgprot_val(protection_map[i]);
+               protection_map[i] = __pgprot(v | user_pgprot);
+@@ -668,21 +706,24 @@ static void __init build_mem_type_table(void)
+       mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask;
+       mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask;
+-      mem_types[MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd;
+-      mem_types[MT_MEMORY_RWX].prot_pte |= kern_pgprot;
++      mem_types[__MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd;
++      mem_types[__MT_MEMORY_RWX].prot_pte |= kern_pgprot;
+       mem_types[MT_MEMORY_RW].prot_sect |= ecc_mask | cp->pmd;
+       mem_types[MT_MEMORY_RW].prot_pte |= kern_pgprot;
++      mem_types[MT_MEMORY_RX].prot_sect |= ecc_mask | cp->pmd;
++      mem_types[MT_MEMORY_RX].prot_pte |= kern_pgprot;
+       mem_types[MT_MEMORY_DMA_READY].prot_pte |= kern_pgprot;
+-      mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= ecc_mask;
+-      mem_types[MT_ROM].prot_sect |= cp->pmd;
++      mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= ecc_mask;
++      mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= ecc_mask;
++      mem_types[MT_ROM_RX].prot_sect |= cp->pmd;
+       switch (cp->pmd) {
+       case PMD_SECT_WT:
+-              mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WT;
++              mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WT;
+               break;
+       case PMD_SECT_WB:
+       case PMD_SECT_WBWA:
+-              mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WB;
++              mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WB;
+               break;
+       }
+       pr_info("Memory policy: %sData cache %s\n",
+@@ -959,7 +1000,7 @@ static void __init create_mapping(struct map_desc *md)
+               return;
+       }
+-      if ((md->type == MT_DEVICE || md->type == MT_ROM) &&
++      if ((md->type == MT_DEVICE || md->type == MT_ROM_RX) &&
+           md->virtual >= PAGE_OFFSET && md->virtual < FIXADDR_START &&
+           (md->virtual < VMALLOC_START || md->virtual >= VMALLOC_END)) {
+               pr_warn("BUG: mapping for 0x%08llx at 0x%08lx out of vmalloc space\n",
+@@ -1320,18 +1361,15 @@ void __init arm_mm_memblock_reserve(void)
+  * Any other function or debugging method which may touch any device _will_
+  * crash the kernel.
+  */
++
++static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE);
++
+ static void __init devicemaps_init(const struct machine_desc *mdesc)
+ {
+       struct map_desc map;
+       unsigned long addr;
+-      void *vectors;
+-      /*
+-       * Allocate the vector page early.
+-       */
+-      vectors = early_alloc(PAGE_SIZE * 2);
+-
+-      early_trap_init(vectors);
++      early_trap_init(&vectors);
+       /*
+        * Clear page table except top pmd used by early fixmaps
+@@ -1347,7 +1385,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
+       map.pfn = __phys_to_pfn(CONFIG_XIP_PHYS_ADDR & SECTION_MASK);
+       map.virtual = MODULES_VADDR;
+       map.length = ((unsigned long)_exiprom - map.virtual + ~SECTION_MASK) & SECTION_MASK;
+-      map.type = MT_ROM;
++      map.type = MT_ROM_RX;
+       create_mapping(&map);
+ #endif
+@@ -1358,14 +1396,14 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
+       map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS);
+       map.virtual = FLUSH_BASE;
+       map.length = SZ_1M;
+-      map.type = MT_CACHECLEAN;
++      map.type = MT_CACHECLEAN_RO;
+       create_mapping(&map);
+ #endif
+ #ifdef FLUSH_BASE_MINICACHE
+       map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS + SZ_1M);
+       map.virtual = FLUSH_BASE_MINICACHE;
+       map.length = SZ_1M;
+-      map.type = MT_MINICLEAN;
++      map.type = MT_MINICLEAN_RO;
+       create_mapping(&map);
+ #endif
+@@ -1374,7 +1412,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
+        * location (0xffff0000).  If we aren't using high-vectors, also
+        * create a mapping at the low-vectors virtual address.
+        */
+-      map.pfn = __phys_to_pfn(virt_to_phys(vectors));
++      map.pfn = __phys_to_pfn(virt_to_phys(&vectors));
+       map.virtual = 0xffff0000;
+       map.length = PAGE_SIZE;
+ #ifdef CONFIG_KUSER_HELPERS
+@@ -1437,12 +1475,14 @@ static void __init kmap_init(void)
+ static void __init map_lowmem(void)
+ {
+       struct memblock_region *reg;
++#ifndef CONFIG_PAX_KERNEXEC
+ #ifdef CONFIG_XIP_KERNEL
+       phys_addr_t kernel_x_start = round_down(__pa(_sdata), SECTION_SIZE);
+ #else
+       phys_addr_t kernel_x_start = round_down(__pa(_stext), SECTION_SIZE);
+ #endif
+       phys_addr_t kernel_x_end = round_up(__pa(__init_end), SECTION_SIZE);
++#endif
+       /* Map all the lowmem memory banks. */
+       for_each_memblock(memory, reg) {
+@@ -1458,11 +1498,48 @@ static void __init map_lowmem(void)
+               if (start >= end)
+                       break;
++#ifdef CONFIG_PAX_KERNEXEC
++              map.pfn = __phys_to_pfn(start);
++              map.virtual = __phys_to_virt(start);
++              map.length = end - start;
++
++              if (map.virtual <= (unsigned long)_stext && ((unsigned long)_end < (map.virtual + map.length))) {
++                      struct map_desc kernel;
++                      struct map_desc initmap;
++
++                      /* when freeing initmem we will make this RW */
++                      initmap.pfn = __phys_to_pfn(__pa(__init_begin));
++                      initmap.virtual = (unsigned long)__init_begin;
++                      initmap.length = _sdata - __init_begin;
++                      initmap.type = __MT_MEMORY_RWX;
++                      create_mapping(&initmap);
++
++                      /* when freeing initmem we will make this RX */
++                      kernel.pfn = __phys_to_pfn(__pa(_stext));
++                      kernel.virtual = (unsigned long)_stext;
++                      kernel.length = __init_begin - _stext;
++                      kernel.type = __MT_MEMORY_RWX;
++                      create_mapping(&kernel);
++
++                      if (map.virtual < (unsigned long)_stext) {
++                              map.length = (unsigned long)_stext - map.virtual;
++                              map.type = __MT_MEMORY_RWX;
++                              create_mapping(&map);
++                      }
++
++                      map.pfn = __phys_to_pfn(__pa(_sdata));
++                      map.virtual = (unsigned long)_sdata;
++                      map.length = end - __pa(_sdata);
++              }
++
++              map.type = MT_MEMORY_RW;
++              create_mapping(&map);
++#else
+               if (end < kernel_x_start) {
+                       map.pfn = __phys_to_pfn(start);
+                       map.virtual = __phys_to_virt(start);
+                       map.length = end - start;
+-                      map.type = MT_MEMORY_RWX;
++                      map.type = __MT_MEMORY_RWX;
+                       create_mapping(&map);
+               } else if (start >= kernel_x_end) {
+@@ -1486,7 +1563,7 @@ static void __init map_lowmem(void)
+                       map.pfn = __phys_to_pfn(kernel_x_start);
+                       map.virtual = __phys_to_virt(kernel_x_start);
+                       map.length = kernel_x_end - kernel_x_start;
+-                      map.type = MT_MEMORY_RWX;
++                      map.type = __MT_MEMORY_RWX;
+                       create_mapping(&map);
+@@ -1499,6 +1576,7 @@ static void __init map_lowmem(void)
+                               create_mapping(&map);
+                       }
+               }
++#endif
+       }
+ }
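/*
 * A stand-alone sketch of the region split performed by the
 * CONFIG_PAX_KERNEXEC branch of map_lowmem() above: the kernel text and the
 * init section each get their own mapping (so they can later be flipped to
 * RX and RW respectively when initmem is freed), while everything before
 * _stext and from _sdata onward is mapped RW from the start.  All addresses
 * below are made-up placeholders, not real kernel symbols.
 */
#include <stdio.h>

int main(void)
{
	unsigned long start = 0xc0000000UL, end = 0xc8000000UL; /* one bank    */
	unsigned long stext = 0xc0008000UL;                     /* kernel text */
	unsigned long init_begin = 0xc0700000UL;                /* init start  */
	unsigned long sdata = 0xc0800000UL;                     /* data start  */

	if (start < stext)
		printf("RWX            %#010lx-%#010lx (pre-text)\n", start, stext);
	printf("RWX, later RX  %#010lx-%#010lx (text)\n", stext, init_begin);
	printf("RWX, later RW  %#010lx-%#010lx (init)\n", init_begin, sdata);
	printf("RW             %#010lx-%#010lx (data)\n", sdata, end);
	return 0;
}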
+diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
+index 93d0b6d..2db6d99 100644
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -20,6 +20,7 @@
+ #include <asm/cacheflush.h>
+ #include <asm/hwcap.h>
+ #include <asm/opcodes.h>
++#include <asm/pgtable.h>
+ #include "bpf_jit_32.h"
+@@ -72,54 +73,38 @@ struct jit_ctx {
+ #endif
+ };
++#ifdef CONFIG_GRKERNSEC_BPF_HARDEN
++int bpf_jit_enable __read_only;
++#else
+ int bpf_jit_enable __read_mostly;
++#endif
+-static inline int call_neg_helper(struct sk_buff *skb, int offset, void *ret,
+-                    unsigned int size)
+-{
+-      void *ptr = bpf_internal_load_pointer_neg_helper(skb, offset, size);
+-
+-      if (!ptr)
+-              return -EFAULT;
+-      memcpy(ret, ptr, size);
+-      return 0;
+-}
+-
+-static u64 jit_get_skb_b(struct sk_buff *skb, int offset)
++static u64 jit_get_skb_b(struct sk_buff *skb, unsigned offset)
+ {
+       u8 ret;
+       int err;
+-      if (offset < 0)
+-              err = call_neg_helper(skb, offset, &ret, 1);
+-      else
+-              err = skb_copy_bits(skb, offset, &ret, 1);
++      err = skb_copy_bits(skb, offset, &ret, 1);
+       return (u64)err << 32 | ret;
+ }
+-static u64 jit_get_skb_h(struct sk_buff *skb, int offset)
++static u64 jit_get_skb_h(struct sk_buff *skb, unsigned offset)
+ {
+       u16 ret;
+       int err;
+-      if (offset < 0)
+-              err = call_neg_helper(skb, offset, &ret, 2);
+-      else
+-              err = skb_copy_bits(skb, offset, &ret, 2);
++      err = skb_copy_bits(skb, offset, &ret, 2);
+       return (u64)err << 32 | ntohs(ret);
+ }
+-static u64 jit_get_skb_w(struct sk_buff *skb, int offset)
++static u64 jit_get_skb_w(struct sk_buff *skb, unsigned offset)
+ {
+       u32 ret;
+       int err;
+-      if (offset < 0)
+-              err = call_neg_helper(skb, offset, &ret, 4);
+-      else
+-              err = skb_copy_bits(skb, offset, &ret, 4);
++      err = skb_copy_bits(skb, offset, &ret, 4);
+       return (u64)err << 32 | ntohl(ret);
+ }
+@@ -191,8 +176,10 @@ static void jit_fill_hole(void *area, unsigned int size)
+ {
+       u32 *ptr;
+       /* We are guaranteed to have aligned memory. */
++      pax_open_kernel();
+       for (ptr = area; size >= sizeof(u32); size -= sizeof(u32))
+               *ptr++ = __opcode_to_mem_arm(ARM_INST_UDF);
++      pax_close_kernel();
+ }
+ static void build_prologue(struct jit_ctx *ctx)
+@@ -554,6 +541,9 @@ static int build_body(struct jit_ctx *ctx)
+               case BPF_LD | BPF_B | BPF_ABS:
+                       load_order = 0;
+ load:
++                      /* the interpreter will deal with the negative K */
++                      if ((int)k < 0)
++                              return -ENOTSUPP;
+                       emit_mov_i(r_off, k, ctx);
+ load_common:
+                       ctx->seen |= SEEN_DATA | SEEN_CALL;
+@@ -568,18 +558,6 @@ static int build_body(struct jit_ctx *ctx)
+                               condt = ARM_COND_HI;
+                       }
+-                      /*
+-                       * test for negative offset, only if we are
+-                       * currently scheduled to take the fast
+-                       * path. this will update the flags so that
+-                       * the slowpath instruction are ignored if the
+-                       * offset is negative.
+-                       *
+-                       * for loard_order == 0 the HI condition will
+-                       * make loads at offset 0 take the slow path too.
+-                       */
+-                      _emit(condt, ARM_CMP_I(r_off, 0), ctx);
+-
+                       _emit(condt, ARM_ADD_R(r_scratch, r_off, r_skb_data),
+                             ctx);
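/*
 * The jit_get_skb_* helpers above fold an error code and the loaded bytes
 * into a single u64 -- error in the high word, data in the low word -- so
 * the JITed code can test both with one register pair.  A minimal
 * illustration of that encoding (names hypothetical):
 */
#include <stdint.h>
#include <stdio.h>

static uint64_t pack_result(int err, uint32_t val)
{
	return (uint64_t)err << 32 | val;
}

int main(void)
{
	uint64_t ok = pack_result(0, 0xdeadbeef);
	uint64_t bad = pack_result(-14 /* -EFAULT */, 0);

	if ((int)(ok >> 32) == 0)		/* no error: low word is valid */
		printf("value = %#x\n", (uint32_t)ok);
	printf("error = %d\n", (int)(bad >> 32));
	return 0;
}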
+diff --git a/arch/arm/plat-iop/setup.c b/arch/arm/plat-iop/setup.c
+index 8151bde..9be301f 100644
+--- a/arch/arm/plat-iop/setup.c
++++ b/arch/arm/plat-iop/setup.c
+@@ -24,7 +24,7 @@ static struct map_desc iop3xx_std_desc[] __initdata = {
+               .virtual        = IOP3XX_PERIPHERAL_VIRT_BASE,
+               .pfn            = __phys_to_pfn(IOP3XX_PERIPHERAL_PHYS_BASE),
+               .length         = IOP3XX_PERIPHERAL_SIZE,
+-              .type           = MT_UNCACHED,
++              .type           = MT_UNCACHED_RW,
+       },
+ };
+diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c
+index a5bc92d..0bb4730 100644
+--- a/arch/arm/plat-omap/sram.c
++++ b/arch/arm/plat-omap/sram.c
+@@ -93,6 +93,8 @@ void __init omap_map_sram(unsigned long start, unsigned long size,
+        * Looks like we need to preserve some bootloader code at the
+        * beginning of SRAM for jumping to flash for reboot to work...
+        */
++      pax_open_kernel();
+       memset_io(omap_sram_base + omap_sram_skip, 0,
+                 omap_sram_size - omap_sram_skip);
++      pax_close_kernel();
+ }
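/*
 * pax_open_kernel()/pax_close_kernel(), as used in the two hunks above,
 * bracket a write to memory that KERNEXEC otherwise keeps read-only.  The
 * kernel-side mechanism (per-CPU domain/permission flips) is not part of
 * this excerpt; the user-space analogy below only illustrates the
 * open/write/close pattern, using mprotect() as a stand-in:
 */
#define _DEFAULT_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

int main(void)
{
	long pagesz = sysconf(_SC_PAGESIZE);
	char *p = mmap(NULL, pagesz, PROT_READ,
		       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

	if (p == MAP_FAILED)
		return 1;
	mprotect(p, pagesz, PROT_READ | PROT_WRITE); /* "pax_open_kernel()"  */
	memset(p, 0, pagesz);                        /* the protected write  */
	mprotect(p, pagesz, PROT_READ);              /* "pax_close_kernel()" */
	return 0;
}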
+diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c
+index a4ec240..96faf9b 100644
+--- a/arch/arm/probes/kprobes/core.c
++++ b/arch/arm/probes/kprobes/core.c
+@@ -485,6 +485,7 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
+       return (void *)orig_ret_address;
+ }
++#ifdef CONFIG_KRETPROBES
+ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+                                     struct pt_regs *regs)
+ {
+@@ -493,6 +494,7 @@ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+       /* Replace the return addr with trampoline addr. */
+       regs->ARM_lr = (unsigned long)&kretprobe_trampoline;
+ }
++#endif
+ int __kprobes setjmp_pre_handler(struct kprobe *p, struct pt_regs *regs)
+ {
+@@ -605,10 +607,12 @@ int __kprobes longjmp_break_handler(struct kprobe *p, struct pt_regs *regs)
+       return 0;
+ }
++#ifdef CONFIG_KRETPROBES
+ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+ {
+       return 0;
+ }
++#endif
+ #ifdef CONFIG_THUMB2_KERNEL
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 969ef88..305b856 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -896,6 +896,7 @@ config RELOCATABLE
+ config RANDOMIZE_BASE
+       bool "Randomize the address of the kernel image"
++      depends on BROKEN_SECURITY
+       select ARM64_MODULE_PLTS if MODULES
+       select RELOCATABLE
+       help
+diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
+index b661fe7..6d124fc 100644
+--- a/arch/arm64/Kconfig.debug
++++ b/arch/arm64/Kconfig.debug
+@@ -6,6 +6,7 @@ config ARM64_PTDUMP
+       bool "Export kernel pagetable layout to userspace via debugfs"
+       depends on DEBUG_KERNEL
+       select DEBUG_FS
++      depends on !GRKERNSEC_KMEM
+         help
+         Say Y here if you want to show the kernel pagetable layout in a
+         debugfs file. This information is only useful for kernel developers
+diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-glue.c
+index aefda98..2937874 100644
+--- a/arch/arm64/crypto/sha1-ce-glue.c
++++ b/arch/arm64/crypto/sha1-ce-glue.c
+@@ -29,7 +29,7 @@ struct sha1_ce_state {
+       u32                     finalize;
+ };
+-asmlinkage void sha1_ce_transform(struct sha1_ce_state *sst, u8 const *src,
++asmlinkage void sha1_ce_transform(struct sha1_state *sst, u8 const *src,
+                                 int blocks);
+ static int sha1_ce_update(struct shash_desc *desc, const u8 *data,
+@@ -39,8 +39,7 @@ static int sha1_ce_update(struct shash_desc *desc, const u8 *data,
+       sctx->finalize = 0;
+       kernel_neon_begin_partial(16);
+-      sha1_base_do_update(desc, data, len,
+-                          (sha1_block_fn *)sha1_ce_transform);
++      sha1_base_do_update(desc, data, len, sha1_ce_transform);
+       kernel_neon_end();
+       return 0;
+@@ -64,10 +63,9 @@ static int sha1_ce_finup(struct shash_desc *desc, const u8 *data,
+       sctx->finalize = finalize;
+       kernel_neon_begin_partial(16);
+-      sha1_base_do_update(desc, data, len,
+-                          (sha1_block_fn *)sha1_ce_transform);
++      sha1_base_do_update(desc, data, len, sha1_ce_transform);
+       if (!finalize)
+-              sha1_base_do_finalize(desc, (sha1_block_fn *)sha1_ce_transform);
++              sha1_base_do_finalize(desc, sha1_ce_transform);
+       kernel_neon_end();
+       return sha1_base_finish(desc, out);
+ }
+@@ -78,7 +76,7 @@ static int sha1_ce_final(struct shash_desc *desc, u8 *out)
+       sctx->finalize = 0;
+       kernel_neon_begin_partial(16);
+-      sha1_base_do_finalize(desc, (sha1_block_fn *)sha1_ce_transform);
++      sha1_base_do_finalize(desc, sha1_ce_transform);
+       kernel_neon_end();
+       return sha1_base_finish(desc, out);
+ }
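/*
 * The sha1-ce hunk above removes the (sha1_block_fn *) casts by declaring
 * the assembly routine with the generic struct sha1_state parameter that
 * sha1_block_fn expects.  Calling through a function pointer whose type
 * does not match the callee is undefined behaviour and defeats
 * control-flow-integrity schemes (PaX RAP in this patch) that key on the
 * function's type.  A minimal illustration with stand-in types:
 */
#include <stdio.h>

struct state { unsigned int s[5]; };
struct ce_state { struct state base; unsigned int finalize; };

typedef void (*block_fn)(struct state *st, const unsigned char *src, int blocks);

/* declared on the generic type; extra fields stay reachable via the caller */
static void transform(struct state *st, const unsigned char *src, int blocks)
{
	(void)src; (void)blocks;
	st->s[0] ^= 1;			/* stand-in for the real rounds */
}

int main(void)
{
	struct ce_state ctx = { { { 0 } }, 0 };
	block_fn fn = transform;	/* types match: no cast required */

	fn(&ctx.base, 0, 1);
	printf("%u\n", ctx.base.s[0]);
	return 0;
}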
+diff --git a/arch/arm64/include/asm/atomic.h b/arch/arm64/include/asm/atomic.h
+index c0235e0..86eb684 100644
+--- a/arch/arm64/include/asm/atomic.h
++++ b/arch/arm64/include/asm/atomic.h
+@@ -57,11 +57,13 @@
+ #define atomic_set(v, i)              WRITE_ONCE(((v)->counter), (i))
+ #define atomic_add_return_relaxed     atomic_add_return_relaxed
++#define atomic_add_return_unchecked_relaxed   atomic_add_return_relaxed
+ #define atomic_add_return_acquire     atomic_add_return_acquire
+ #define atomic_add_return_release     atomic_add_return_release
+ #define atomic_add_return             atomic_add_return
+ #define atomic_inc_return_relaxed(v)  atomic_add_return_relaxed(1, (v))
++#define atomic_inc_return_unchecked_relaxed(v)        atomic_add_return_relaxed(1, (v))
+ #define atomic_inc_return_acquire(v)  atomic_add_return_acquire(1, (v))
+ #define atomic_inc_return_release(v)  atomic_add_return_release(1, (v))
+ #define atomic_inc_return(v)          atomic_add_return(1, (v))
+@@ -128,6 +130,8 @@
+ #define __atomic_add_unless(v, a, u)  ___atomic_add_unless(v, a, u,)
+ #define atomic_andnot                 atomic_andnot
++#define atomic_inc_return_unchecked_relaxed(v)        atomic_add_return_relaxed(1, (v))
++
+ /*
+  * 64-bit atomic operations.
+  */
+@@ -206,5 +210,16 @@
+ #define atomic64_inc_not_zero(v)      atomic64_add_unless((v), 1, 0)
++#define atomic64_read_unchecked(v)            atomic64_read(v)
++#define atomic64_set_unchecked(v, i)          atomic64_set((v), (i))
++#define atomic64_add_unchecked(a, v)          atomic64_add((a), (v))
++#define atomic64_add_return_unchecked(a, v)   atomic64_add_return((a), (v))
++#define atomic64_sub_unchecked(a, v)          atomic64_sub((a), (v))
++#define atomic64_inc_unchecked(v)             atomic64_inc(v)
++#define atomic64_inc_return_unchecked(v)      atomic64_inc_return(v)
++#define atomic64_dec_unchecked(v)             atomic64_dec(v)
++#define atomic64_cmpxchg_unchecked(v, o, n)   atomic64_cmpxchg((v), (o), (n))
++#define atomic64_xchg_unchecked(v, n)         atomic64_xchg((v), (n))
++
+ #endif
+ #endif
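/*
 * grsecurity's REFCOUNT hardening gives the regular atomic ops overflow
 * trapping and introduces *_unchecked variants for counters that are
 * allowed to wrap.  arm64 gets no trapping implementation in this patch,
 * so the hunk above simply aliases every _unchecked name to the plain
 * operation.  The shape of the pattern, in portable C:
 */
#include <stdatomic.h>
#include <stdio.h>

/* on a hardened arch these would differ: the first would trap on overflow */
#define my_inc(v)		atomic_fetch_add((v), 1)
#define my_inc_unchecked(v)	atomic_fetch_add((v), 1)

int main(void)
{
	atomic_int refs = 0;

	my_inc(&refs);			/* semantic: must never overflow  */
	my_inc_unchecked(&refs);	/* semantic: wrapping is intended */
	printf("%d\n", atomic_load(&refs));
	return 0;
}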
+diff --git a/arch/arm64/include/asm/cache.h b/arch/arm64/include/asm/cache.h
+index 5082b30..9ef38c2 100644
+--- a/arch/arm64/include/asm/cache.h
++++ b/arch/arm64/include/asm/cache.h
+@@ -16,10 +16,14 @@
+ #ifndef __ASM_CACHE_H
+ #define __ASM_CACHE_H
++#include <linux/const.h>
++
+ #include <asm/cachetype.h>
++#include <linux/const.h>
++
+ #define L1_CACHE_SHIFT                7
+-#define L1_CACHE_BYTES                (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_BYTES                (_AC(1,UL) << L1_CACHE_SHIFT)
+ /*
+  * Memory returned by kmalloc() may be used for DMA, so we must make
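/*
 * Several cache.h hunks in this patch replace (1 << L1_CACHE_SHIFT) with
 * (_AC(1,UL) << L1_CACHE_SHIFT) after pulling in <linux/const.h>.  _AC(X,Y)
 * pastes the UL suffix onto the constant in C but drops it under
 * __ASSEMBLY__, where "1UL" is not a valid token -- so one definition works
 * in both .c and .S files and the C side gets unsigned long arithmetic.
 * The macro pair, reproduced from include/uapi/linux/const.h:
 */
#include <stdio.h>

#ifdef __ASSEMBLY__
#define _AC(X, Y)	X
#else
#define __AC(X, Y)	(X##Y)
#define _AC(X, Y)	__AC(X, Y)
#endif

#define L1_CACHE_SHIFT	7
#define L1_CACHE_BYTES	(_AC(1, UL) << L1_CACHE_SHIFT)	/* 1UL << 7 in C */

int main(void)
{
	/* unsigned long: masks like ~(L1_CACHE_BYTES - 1) keep 64-bit width */
	printf("%lu\n", L1_CACHE_BYTES);
	return 0;
}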
+diff --git a/arch/arm64/include/asm/percpu.h b/arch/arm64/include/asm/percpu.h
+index 5394c84..05e5a95 100644
+--- a/arch/arm64/include/asm/percpu.h
++++ b/arch/arm64/include/asm/percpu.h
+@@ -123,16 +123,16 @@ static inline void __percpu_write(void *ptr, unsigned long val, int size)
+ {
+       switch (size) {
+       case 1:
+-              ACCESS_ONCE(*(u8 *)ptr) = (u8)val;
++              ACCESS_ONCE_RW(*(u8 *)ptr) = (u8)val;
+               break;
+       case 2:
+-              ACCESS_ONCE(*(u16 *)ptr) = (u16)val;
++              ACCESS_ONCE_RW(*(u16 *)ptr) = (u16)val;
+               break;
+       case 4:
+-              ACCESS_ONCE(*(u32 *)ptr) = (u32)val;
++              ACCESS_ONCE_RW(*(u32 *)ptr) = (u32)val;
+               break;
+       case 8:
+-              ACCESS_ONCE(*(u64 *)ptr) = (u64)val;
++              ACCESS_ONCE_RW(*(u64 *)ptr) = (u64)val;
+               break;
+       default:
+               BUILD_BUG();
+diff --git a/arch/arm64/include/asm/pgalloc.h b/arch/arm64/include/asm/pgalloc.h
+index d25f4f1..61d52da 100644
+--- a/arch/arm64/include/asm/pgalloc.h
++++ b/arch/arm64/include/asm/pgalloc.h
+@@ -51,6 +51,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
+ {
+       __pud_populate(pud, __pa(pmd), PMD_TYPE_TABLE);
+ }
++
++static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
++{
++      pud_populate(mm, pud, pmd);
++}
+ #else
+ static inline void __pud_populate(pud_t *pud, phys_addr_t pmd, pudval_t prot)
+ {
+@@ -80,6 +85,11 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
+ {
+       __pgd_populate(pgd, __pa(pud), PUD_TYPE_TABLE);
+ }
++
++static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
++{
++      pgd_populate(mm, pgd, pud);
++}
+ #else
+ static inline void __pgd_populate(pgd_t *pgdp, phys_addr_t pud, pgdval_t prot)
+ {
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index ffbb9a5..d8b49ff 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -23,6 +23,9 @@
+ #include <asm/pgtable-hwdef.h>
+ #include <asm/pgtable-prot.h>
++#define ktla_ktva(addr)               (addr)
++#define ktva_ktla(addr)               (addr)
++
+ /*
+  * VMALLOC range.
+  *
+@@ -728,6 +731,9 @@ static inline void update_mmu_cache(struct vm_area_struct *vma,
+ #define kc_vaddr_to_offset(v) ((v) & ~VA_START)
+ #define kc_offset_to_vaddr(o) ((o) | VA_START)
++#define ktla_ktva(addr)               (addr)
++#define ktva_ktla(addr)               (addr)
++
+ #endif /* !__ASSEMBLY__ */
+ #endif /* __ASM_PGTABLE_H */
+diff --git a/arch/arm64/include/asm/string.h b/arch/arm64/include/asm/string.h
+index 2eb714c..3a10471 100644
+--- a/arch/arm64/include/asm/string.h
++++ b/arch/arm64/include/asm/string.h
+@@ -17,40 +17,40 @@
+ #define __ASM_STRING_H
+ #define __HAVE_ARCH_STRRCHR
+-extern char *strrchr(const char *, int c);
++extern char *strrchr(const char *, int c) __nocapture(-1);
+ #define __HAVE_ARCH_STRCHR
+-extern char *strchr(const char *, int c);
++extern char *strchr(const char *, int c) __nocapture(-1);
+ #define __HAVE_ARCH_STRCMP
+-extern int strcmp(const char *, const char *);
++extern int strcmp(const char *, const char *) __nocapture();
+ #define __HAVE_ARCH_STRNCMP
+-extern int strncmp(const char *, const char *, __kernel_size_t);
++extern int strncmp(const char *, const char *, __kernel_size_t) __nocapture(1, 2);
+ #define __HAVE_ARCH_STRLEN
+-extern __kernel_size_t strlen(const char *);
++extern __kernel_size_t strlen(const char *) __nocapture(1);
+ #define __HAVE_ARCH_STRNLEN
+-extern __kernel_size_t strnlen(const char *, __kernel_size_t);
++extern __kernel_size_t strnlen(const char *, __kernel_size_t) __nocapture(1);
+ #define __HAVE_ARCH_MEMCPY
+-extern void *memcpy(void *, const void *, __kernel_size_t);
+-extern void *__memcpy(void *, const void *, __kernel_size_t);
++extern void *memcpy(void *, const void *, __kernel_size_t) __nocapture(2);
++extern void *__memcpy(void *, const void *, __kernel_size_t) __nocapture(2);
+ #define __HAVE_ARCH_MEMMOVE
+-extern void *memmove(void *, const void *, __kernel_size_t);
+-extern void *__memmove(void *, const void *, __kernel_size_t);
++extern void *memmove(void *, const void *, __kernel_size_t) __nocapture(2);
++extern void *__memmove(void *, const void *, __kernel_size_t) __nocapture(2);
+ #define __HAVE_ARCH_MEMCHR
+-extern void *memchr(const void *, int, __kernel_size_t);
++extern void *memchr(const void *, int, __kernel_size_t) __nocapture(-1);
+ #define __HAVE_ARCH_MEMSET
+ extern void *memset(void *, int, __kernel_size_t);
+ extern void *__memset(void *, int, __kernel_size_t);
+ #define __HAVE_ARCH_MEMCMP
+-extern int memcmp(const void *, const void *, size_t);
++extern int memcmp(const void *, const void *, size_t) __nocapture(1, 2);
+ #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
+diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
+index 55d0adb..b986918 100644
+--- a/arch/arm64/include/asm/uaccess.h
++++ b/arch/arm64/include/asm/uaccess.h
+@@ -110,6 +110,7 @@ static inline void set_fs(mm_segment_t fs)
+  */
+ #define untagged_addr(addr)           sign_extend64(addr, 55)
++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
+ #define access_ok(type, addr, size)   __range_ok(addr, size)
+ #define user_addr_max                 get_fs
+@@ -279,6 +280,9 @@ static inline unsigned long __must_check __copy_from_user(void *to, const void _
+ static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
+ {
++      if ((long)n < 0)
++              return n;
++
+       kasan_check_read(from, n);
+       check_object_size(from, n, true);
+       return __arch_copy_to_user(to, from, n);
+@@ -287,6 +291,10 @@ static inline unsigned long __must_check __copy_to_user(void __user *to, const v
+ static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+       unsigned long res = n;
++
++      if ((long)n < 0)
++              return n;
++
+       kasan_check_write(to, n);
+       if (access_ok(VERIFY_READ, from, n)) {
+@@ -300,6 +308,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
+ static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
+ {
++      if ((long)n < 0)
++              return n;
++
+       kasan_check_read(from, n);
+       if (access_ok(VERIFY_WRITE, to, n)) {
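/*
 * The (long)n < 0 checks added to the arm64 copy_*_user wrappers above
 * treat any length with the top bit set as bogus: no legitimate copy is
 * anywhere near half the address space, and such sizes typically come from
 * an underflowed subtraction.  Reporting the whole length as uncopied makes
 * the caller's error path fire instead of corrupting memory.  Sketch:
 */
#include <stddef.h>
#include <stdio.h>

static size_t checked_copy(size_t n)
{
	if ((long)n < 0)	/* e.g. (size_t)2 - 4 == SIZE_MAX - 1 */
		return n;	/* refuse: everything reported uncopied */
	/* ... the real copy would run here ... */
	return 0;
}

int main(void)
{
	size_t len = 2;

	printf("%zu\n", checked_copy(len - 4));	/* underflows, gets refused */
	return 0;
}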
+diff --git a/arch/arm64/kernel/hibernate.c b/arch/arm64/kernel/hibernate.c
+index d55a7b0..d8dbd8a 100644
+--- a/arch/arm64/kernel/hibernate.c
++++ b/arch/arm64/kernel/hibernate.c
+@@ -198,7 +198,7 @@ EXPORT_SYMBOL(arch_hibernation_header_restore);
+ static int create_safe_exec_page(void *src_start, size_t length,
+                                unsigned long dst_addr,
+                                phys_addr_t *phys_dst_addr,
+-                               void *(*allocator)(gfp_t mask),
++                               unsigned long (*allocator)(gfp_t mask),
+                                gfp_t mask)
+ {
+       int rc = 0;
+@@ -206,7 +206,7 @@ static int create_safe_exec_page(void *src_start, size_t length,
+       pud_t *pud;
+       pmd_t *pmd;
+       pte_t *pte;
+-      unsigned long dst = (unsigned long)allocator(mask);
++      unsigned long dst = allocator(mask);
+       if (!dst) {
+               rc = -ENOMEM;
+@@ -216,9 +216,9 @@ static int create_safe_exec_page(void *src_start, size_t length,
+       memcpy((void *)dst, src_start, length);
+       flush_icache_range(dst, dst + length);
+-      pgd = pgd_offset_raw(allocator(mask), dst_addr);
++      pgd = pgd_offset_raw((pgd_t *)allocator(mask), dst_addr);
+       if (pgd_none(*pgd)) {
+-              pud = allocator(mask);
++              pud = (pud_t *)allocator(mask);
+               if (!pud) {
+                       rc = -ENOMEM;
+                       goto out;
+@@ -228,7 +228,7 @@ static int create_safe_exec_page(void *src_start, size_t length,
+       pud = pud_offset(pgd, dst_addr);
+       if (pud_none(*pud)) {
+-              pmd = allocator(mask);
++              pmd = (pmd_t *)allocator(mask);
+               if (!pmd) {
+                       rc = -ENOMEM;
+                       goto out;
+@@ -238,7 +238,7 @@ static int create_safe_exec_page(void *src_start, size_t length,
+       pmd = pmd_offset(pud, dst_addr);
+       if (pmd_none(*pmd)) {
+-              pte = allocator(mask);
++              pte = (pte_t *)allocator(mask);
+               if (!pte) {
+                       rc = -ENOMEM;
+                       goto out;
+@@ -510,7 +510,7 @@ int swsusp_arch_resume(void)
+       rc = create_safe_exec_page(__hibernate_exit_text_start, exit_size,
+                                  (unsigned long)hibernate_exit,
+                                  &phys_hibernate_exit,
+-                                 (void *)get_safe_page, GFP_ATOMIC);
++                                 get_safe_page, GFP_ATOMIC);
+       if (rc) {
+               pr_err("Failed to create safe executable page for hibernate_exit code.");
+               goto out;
+diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c
+index f5077ea..46b4664 100644
+--- a/arch/arm64/kernel/probes/kprobes.c
++++ b/arch/arm64/kernel/probes/kprobes.c
+@@ -639,6 +639,7 @@ void __kprobes __used *trampoline_probe_handler(struct pt_regs *regs)
+       return (void *)orig_ret_address;
+ }
++#ifdef CONFIG_KRETPROBES
+ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+                                     struct pt_regs *regs)
+ {
+@@ -652,6 +653,7 @@ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+ {
+       return 0;
+ }
++#endif
+ int __init arch_init_kprobes(void)
+ {
+diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+index 01753cd..b65d17a 100644
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -64,7 +64,7 @@ EXPORT_SYMBOL(__stack_chk_guard);
+ /*
+  * Function pointers to optional machine specific functions
+  */
+-void (*pm_power_off)(void);
++void (* pm_power_off)(void);
+ EXPORT_SYMBOL_GPL(pm_power_off);
+ void (*arm_pm_restart)(enum reboot_mode reboot_mode, const char *cmd);
+@@ -110,7 +110,7 @@ void machine_shutdown(void)
+  * activity (executing tasks, handling interrupts). smp_send_stop()
+  * achieves this.
+  */
+-void machine_halt(void)
++void __noreturn machine_halt(void)
+ {
+       local_irq_disable();
+       smp_send_stop();
+@@ -123,12 +123,13 @@ void machine_halt(void)
+  * achieves this. When the system power is turned off, it will take all CPUs
+  * with it.
+  */
+-void machine_power_off(void)
++void __noreturn machine_power_off(void)
+ {
+       local_irq_disable();
+       smp_send_stop();
+       if (pm_power_off)
+               pm_power_off();
++      while(1);
+ }
+ /*
+@@ -140,7 +141,7 @@ void machine_power_off(void)
+  * executing pre-reset code, and using RAM that the primary CPU's code wishes
+  * to use. Implementing such co-ordination would be essentially impossible.
+  */
+-void machine_restart(char *cmd)
++void __noreturn machine_restart(char *cmd)
+ {
+       /* Disable interrupts first */
+       local_irq_disable();
+diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c
+index c2efddf..c58e0a2 100644
+--- a/arch/arm64/kernel/stacktrace.c
++++ b/arch/arm64/kernel/stacktrace.c
+@@ -95,8 +95,8 @@ int notrace unwind_frame(struct task_struct *tsk, struct stackframe *frame)
+               struct pt_regs *irq_args;
+               unsigned long orig_sp = IRQ_STACK_TO_TASK_STACK(irq_stack_ptr);
+-              if (object_is_on_stack((void *)orig_sp) &&
+-                 object_is_on_stack((void *)frame->fp)) {
++              if (object_starts_on_stack((void *)orig_sp) &&
++                 object_starts_on_stack((void *)frame->fp)) {
+                       frame->sp = orig_sp;
+                       /* orig_sp is the saved pt_regs, find the elr */
+diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
+index 11e5eae..d8cdfa7 100644
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -547,7 +547,7 @@ asmlinkage long do_ni_syscall(struct pt_regs *regs)
+                       __show_regs(regs);
+       }
+-      return sys_ni_syscall();
++      return -ENOSYS;
+ }
+ static const char *esr_class_str[] = {
+diff --git a/arch/avr32/include/asm/cache.h b/arch/avr32/include/asm/cache.h
+index c3a58a1..78fbf54 100644
+--- a/arch/avr32/include/asm/cache.h
++++ b/arch/avr32/include/asm/cache.h
+@@ -1,8 +1,10 @@
+ #ifndef __ASM_AVR32_CACHE_H
+ #define __ASM_AVR32_CACHE_H
++#include <linux/const.h>
++
+ #define L1_CACHE_SHIFT 5
+-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
+ /*
+  * Memory returned by kmalloc() may be used for DMA, so we must make
+diff --git a/arch/avr32/include/asm/elf.h b/arch/avr32/include/asm/elf.h
+index 0388ece..87c8df1 100644
+--- a/arch/avr32/include/asm/elf.h
++++ b/arch/avr32/include/asm/elf.h
+@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpregset_t;
+    the loader.  We need to make sure that it is out of the way of the program
+    that it will "exec", and that there is sufficient room for the brk.  */
+-#define ELF_ET_DYN_BASE         (TASK_SIZE / 3 * 2)
++#define ELF_ET_DYN_BASE               (TASK_SIZE / 3 * 2)
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE   0x00001000UL
++
++#define PAX_DELTA_MMAP_LEN    15
++#define PAX_DELTA_STACK_LEN   15
++#endif
+ /* This yields a mask that user programs can use to figure out what
+    instruction set this CPU supports.  This could be done in user space,
+diff --git a/arch/avr32/include/asm/kmap_types.h b/arch/avr32/include/asm/kmap_types.h
+index 479330b..53717a8 100644
+--- a/arch/avr32/include/asm/kmap_types.h
++++ b/arch/avr32/include/asm/kmap_types.h
+@@ -2,9 +2,9 @@
+ #define __ASM_AVR32_KMAP_TYPES_H
+ #ifdef CONFIG_DEBUG_HIGHMEM
+-# define KM_TYPE_NR 29
++# define KM_TYPE_NR 30
+ #else
+-# define KM_TYPE_NR 14
++# define KM_TYPE_NR 15
+ #endif
+ #endif /* __ASM_AVR32_KMAP_TYPES_H */
+diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c
+index b3977e9..4230c51a 100644
+--- a/arch/avr32/mm/fault.c
++++ b/arch/avr32/mm/fault.c
+@@ -41,6 +41,23 @@ static inline int notify_page_fault(struct pt_regs *regs, int trap)
+ int exception_trace = 1;
++#ifdef CONFIG_PAX_PAGEEXEC
++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
++{
++      unsigned long i;
++
++      printk(KERN_ERR "PAX: bytes at PC: ");
++      for (i = 0; i < 20; i++) {
++              unsigned char c;
++              if (get_user(c, (unsigned char *)pc+i))
++                      printk(KERN_CONT "???????? ");
++              else
++                      printk(KERN_CONT "%02x ", c);
++      }
++      printk("\n");
++}
++#endif
++
+ /*
+  * This routine handles page faults. It determines the address and the
+  * problem, and then passes it off to one of the appropriate routines.
+@@ -178,6 +195,16 @@ asmlinkage void do_page_fault(unsigned long ecr, struct pt_regs *regs)
+       up_read(&mm->mmap_sem);
+       if (user_mode(regs)) {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++              if (mm->pax_flags & MF_PAX_PAGEEXEC) {
++                      if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
++                              pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
++                              do_group_exit(SIGKILL);
++                      }
++              }
++#endif
++
+               if (exception_trace && printk_ratelimit())
+                       printk("%s%s[%d]: segfault at %08lx pc %08lx "
+                              "sp %08lx ecr %lu\n",
+diff --git a/arch/blackfin/Kconfig.debug b/arch/blackfin/Kconfig.debug
+index f3337ee..15b6f8d 100644
+--- a/arch/blackfin/Kconfig.debug
++++ b/arch/blackfin/Kconfig.debug
+@@ -18,6 +18,7 @@ config DEBUG_VERBOSE
+ config DEBUG_MMRS
+       tristate "Generate Blackfin MMR tree"
+       select DEBUG_FS
++      depends on !GRKERNSEC_KMEM
+       help
+         Create a tree of Blackfin MMRs via the debugfs tree.  If
+         you enable this, you will find all MMRs laid out in the
+diff --git a/arch/blackfin/include/asm/cache.h b/arch/blackfin/include/asm/cache.h
+index 568885a..f8008df 100644
+--- a/arch/blackfin/include/asm/cache.h
++++ b/arch/blackfin/include/asm/cache.h
+@@ -7,6 +7,7 @@
+ #ifndef __ARCH_BLACKFIN_CACHE_H
+ #define __ARCH_BLACKFIN_CACHE_H
++#include <linux/const.h>
+ #include <linux/linkage.h>    /* for asmlinkage */
+ /*
+@@ -14,7 +15,7 @@
+  * Blackfin loads 32 bytes for cache
+  */
+ #define L1_CACHE_SHIFT        5
+-#define L1_CACHE_BYTES        (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_BYTES        (_AC(1,UL) << L1_CACHE_SHIFT)
+ #define SMP_CACHE_BYTES       L1_CACHE_BYTES
+ #define ARCH_DMA_MINALIGN     L1_CACHE_BYTES
+diff --git a/arch/cris/include/arch-v10/arch/cache.h b/arch/cris/include/arch-v10/arch/cache.h
+index aea2718..3639a60 100644
+--- a/arch/cris/include/arch-v10/arch/cache.h
++++ b/arch/cris/include/arch-v10/arch/cache.h
+@@ -1,8 +1,9 @@
+ #ifndef _ASM_ARCH_CACHE_H
+ #define _ASM_ARCH_CACHE_H
++#include <linux/const.h>
+ /* Etrax 100LX have 32-byte cache-lines. */
+-#define L1_CACHE_BYTES 32
+ #define L1_CACHE_SHIFT 5
++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
+ #endif /* _ASM_ARCH_CACHE_H */
+diff --git a/arch/cris/include/arch-v32/arch/cache.h b/arch/cris/include/arch-v32/arch/cache.h
+index 7caf25d..ee65ac5 100644
+--- a/arch/cris/include/arch-v32/arch/cache.h
++++ b/arch/cris/include/arch-v32/arch/cache.h
+@@ -1,11 +1,12 @@
+ #ifndef _ASM_CRIS_ARCH_CACHE_H
+ #define _ASM_CRIS_ARCH_CACHE_H
++#include <linux/const.h>
+ #include <arch/hwregs/dma.h>
+ /* A cache-line is 32 bytes. */
+-#define L1_CACHE_BYTES 32
+ #define L1_CACHE_SHIFT 5
++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
+ #define __read_mostly __attribute__((__section__(".data..read_mostly")))
+diff --git a/arch/frv/include/asm/atomic.h b/arch/frv/include/asm/atomic.h
+index 1c2a5e2..2579e5f 100644
+--- a/arch/frv/include/asm/atomic.h
++++ b/arch/frv/include/asm/atomic.h
+@@ -146,6 +146,16 @@ static inline void atomic64_dec(atomic64_t *v)
+ #define atomic64_cmpxchg(v, old, new) (__cmpxchg_64(old, new, &(v)->counter))
+ #define atomic64_xchg(v, new)         (__xchg_64(new, &(v)->counter))
++#define atomic64_read_unchecked(v)            atomic64_read(v)
++#define atomic64_set_unchecked(v, i)          atomic64_set((v), (i))
++#define atomic64_add_unchecked(a, v)          atomic64_add((a), (v))
++#define atomic64_add_return_unchecked(a, v)   atomic64_add_return((a), (v))
++#define atomic64_sub_unchecked(a, v)          atomic64_sub((a), (v))
++#define atomic64_inc_unchecked(v)             atomic64_inc(v)
++#define atomic64_inc_return_unchecked(v)      atomic64_inc_return(v)
++#define atomic64_dec_unchecked(v)             atomic64_dec(v)
++#define atomic64_cmpxchg_unchecked(v, o, n)   atomic64_cmpxchg((v), (o), (n))
++
+ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+ {
+       int c, old;
+diff --git a/arch/frv/include/asm/cache.h b/arch/frv/include/asm/cache.h
+index 2797163..c2a401df9 100644
+--- a/arch/frv/include/asm/cache.h
++++ b/arch/frv/include/asm/cache.h
+@@ -12,10 +12,11 @@
+ #ifndef __ASM_CACHE_H
+ #define __ASM_CACHE_H
++#include <linux/const.h>
+ /* bytes per L1 cache line */
+ #define L1_CACHE_SHIFT                (CONFIG_FRV_L1_CACHE_SHIFT)
+-#define L1_CACHE_BYTES                (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_BYTES                (_AC(1,UL) << L1_CACHE_SHIFT)
+ #define __cacheline_aligned   __attribute__((aligned(L1_CACHE_BYTES)))
+ #define ____cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES)))
+diff --git a/arch/frv/include/asm/kmap_types.h b/arch/frv/include/asm/kmap_types.h
+index 43901f2..0d8b865 100644
+--- a/arch/frv/include/asm/kmap_types.h
++++ b/arch/frv/include/asm/kmap_types.h
+@@ -2,6 +2,6 @@
+ #ifndef _ASM_KMAP_TYPES_H
+ #define _ASM_KMAP_TYPES_H
+-#define KM_TYPE_NR 17
++#define KM_TYPE_NR 18
+ #endif
+diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c
+index 836f1470..4cf23f5 100644
+--- a/arch/frv/mm/elf-fdpic.c
++++ b/arch/frv/mm/elf-fdpic.c
+@@ -61,6 +61,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
+ {
+       struct vm_area_struct *vma;
+       struct vm_unmapped_area_info info;
++      unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
+       if (len > TASK_SIZE)
+               return -ENOMEM;
+@@ -73,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
+       if (addr) {
+               addr = PAGE_ALIGN(addr);
+               vma = find_vma(current->mm, addr);
+-              if (TASK_SIZE - len >= addr &&
+-                  (!vma || addr + len <= vma->vm_start))
++              if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
+                       goto success;
+       }
+@@ -85,6 +85,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
+       info.high_limit = (current->mm->start_stack - 0x00200000);
+       info.align_mask = 0;
+       info.align_offset = 0;
++      info.threadstack_offset = offset;
+       addr = vm_unmapped_area(&info);
+       if (!(addr & ~PAGE_MASK))
+               goto success;
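/*
 * The frv hunk above swaps the open-coded "!vma || addr + len <=
 * vma->vm_start" test for check_heap_stack_gap(), defined elsewhere in this
 * patch, and threads a per-mapping random offset (gr_rand_threadstack_offset)
 * into the unmapped-area search so new mappings keep a randomized gap from
 * the stack.  Only the interval test is sketched here, with hypothetical
 * names; the real helper also accounts for the guard gap and VMA flags:
 */
#include <stdbool.h>
#include <stdio.h>

struct vma { unsigned long start, end; };

static bool gap_ok(const struct vma *next, unsigned long addr,
		   unsigned long len, unsigned long rand_gap)
{
	if (!next)
		return true;	/* nothing above the candidate range */
	/* candidate mapping plus randomized slack must stay below `next` */
	return addr + len + rand_gap <= next->start;
}

int main(void)
{
	struct vma stack = { 0xbf000000UL, 0xc0000000UL };

	printf("%d\n", gap_ok(&stack, 0xbe000000UL, 0x1000, 0x10000)); /* 1 */
	printf("%d\n", gap_ok(&stack, 0xbeffff00UL, 0x1000, 0x10000)); /* 0 */
	return 0;
}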
+diff --git a/arch/hexagon/include/asm/cache.h b/arch/hexagon/include/asm/cache.h
+index 69952c18..4fa2908 100644
+--- a/arch/hexagon/include/asm/cache.h
++++ b/arch/hexagon/include/asm/cache.h
+@@ -21,9 +21,11 @@
+ #ifndef __ASM_CACHE_H
+ #define __ASM_CACHE_H
++#include <linux/const.h>
++
+ /* Bytes per L1 cache line */
+-#define L1_CACHE_SHIFT                (5)
+-#define L1_CACHE_BYTES                (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_SHIFT                5
++#define L1_CACHE_BYTES                (_AC(1,UL) << L1_CACHE_SHIFT)
+ #define ARCH_DMA_MINALIGN     L1_CACHE_BYTES
+diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
+index 18ca6a9..77b0e0d 100644
+--- a/arch/ia64/Kconfig
++++ b/arch/ia64/Kconfig
+@@ -519,6 +519,7 @@ config KEXEC
+       bool "kexec system call"
+       depends on !IA64_HP_SIM && (!SMP || HOTPLUG_CPU)
+       select KEXEC_CORE
++      depends on !GRKERNSEC_KMEM
+       help
+         kexec is a system call that implements the ability to shutdown your
+         current kernel, and to start another kernel.  It is like a reboot
+diff --git a/arch/ia64/Makefile b/arch/ia64/Makefile
+index c100d78..c44d46d 100644
+--- a/arch/ia64/Makefile
++++ b/arch/ia64/Makefile
+@@ -98,5 +98,6 @@ endef
+ archprepare: make_nr_irqs_h
+ PHONY += make_nr_irqs_h
++GCC_PLUGINS_make_nr_irqs_h := n
+ make_nr_irqs_h:
+       $(Q)$(MAKE) $(build)=arch/ia64/kernel include/generated/nr-irqs.h
+diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h
+index 65d4bb2..8b2e661 100644
+--- a/arch/ia64/include/asm/atomic.h
++++ b/arch/ia64/include/asm/atomic.h
+@@ -323,4 +323,14 @@ atomic64_add_negative (__s64 i, atomic64_t *v)
+ #define atomic64_inc(v)                       atomic64_add(1, (v))
+ #define atomic64_dec(v)                       atomic64_sub(1, (v))
++#define atomic64_read_unchecked(v)            atomic64_read(v)
++#define atomic64_set_unchecked(v, i)          atomic64_set((v), (i))
++#define atomic64_add_unchecked(a, v)          atomic64_add((a), (v))
++#define atomic64_add_return_unchecked(a, v)   atomic64_add_return((a), (v))
++#define atomic64_sub_unchecked(a, v)          atomic64_sub((a), (v))
++#define atomic64_inc_unchecked(v)             atomic64_inc(v)
++#define atomic64_inc_return_unchecked(v)      atomic64_inc_return(v)
++#define atomic64_dec_unchecked(v)             atomic64_dec(v)
++#define atomic64_cmpxchg_unchecked(v, o, n)   atomic64_cmpxchg((v), (o), (n))
++
+ #endif /* _ASM_IA64_ATOMIC_H */
+diff --git a/arch/ia64/include/asm/cache.h b/arch/ia64/include/asm/cache.h
+index 988254a..e1ee885 100644
+--- a/arch/ia64/include/asm/cache.h
++++ b/arch/ia64/include/asm/cache.h
+@@ -1,6 +1,7 @@
+ #ifndef _ASM_IA64_CACHE_H
+ #define _ASM_IA64_CACHE_H
++#include <linux/const.h>
+ /*
+  * Copyright (C) 1998-2000 Hewlett-Packard Co
+@@ -9,7 +10,7 @@
+ /* Bytes per L1 (data) cache line.  */
+ #define L1_CACHE_SHIFT                CONFIG_IA64_L1_CACHE_SHIFT
+-#define L1_CACHE_BYTES                (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_BYTES                (_AC(1,UL) << L1_CACHE_SHIFT)
+ #ifdef CONFIG_SMP
+ # define SMP_CACHE_SHIFT      L1_CACHE_SHIFT
+diff --git a/arch/ia64/include/asm/elf.h b/arch/ia64/include/asm/elf.h
+index 5a83c5c..4d7f553 100644
+--- a/arch/ia64/include/asm/elf.h
++++ b/arch/ia64/include/asm/elf.h
+@@ -42,6 +42,13 @@
+  */
+ #define ELF_ET_DYN_BASE               (TASK_UNMAPPED_BASE + 0x800000000UL)
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE   (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
++
++#define PAX_DELTA_MMAP_LEN    (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
++#define PAX_DELTA_STACK_LEN   (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
++#endif
++
+ #define PT_IA_64_UNWIND               0x70000001
+ /* IA-64 relocations: */
+diff --git a/arch/ia64/include/asm/pgalloc.h b/arch/ia64/include/asm/pgalloc.h
+index f5e70e9..624fad5 100644
+--- a/arch/ia64/include/asm/pgalloc.h
++++ b/arch/ia64/include/asm/pgalloc.h
+@@ -39,6 +39,12 @@ pgd_populate(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
+       pgd_val(*pgd_entry) = __pa(pud);
+ }
++static inline void
++pgd_populate_kernel(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
++{
++      pgd_populate(mm, pgd_entry, pud);
++}
++
+ static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
+ {
+       return quicklist_alloc(0, GFP_KERNEL, NULL);
+@@ -57,6 +63,12 @@ pud_populate(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
+       pud_val(*pud_entry) = __pa(pmd);
+ }
++static inline void
++pud_populate_kernel(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
++{
++      pud_populate(mm, pud_entry, pmd);
++}
++
+ static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr)
+ {
+       return quicklist_alloc(0, GFP_KERNEL, NULL);
+diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h
+index 9f3ed9e..c99b418 100644
+--- a/arch/ia64/include/asm/pgtable.h
++++ b/arch/ia64/include/asm/pgtable.h
+@@ -12,7 +12,7 @@
+  *    David Mosberger-Tang <davidm@hpl.hp.com>
+  */
+-
++#include <linux/const.h>
+ #include <asm/mman.h>
+ #include <asm/page.h>
+ #include <asm/processor.h>
+@@ -139,6 +139,17 @@
+ #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
+ #define PAGE_COPY     __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
+ #define PAGE_COPY_EXEC        __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++# define PAGE_SHARED_NOEXEC   __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
++# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
++# define PAGE_COPY_NOEXEC     __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
++#else
++# define PAGE_SHARED_NOEXEC   PAGE_SHARED
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++# define PAGE_COPY_NOEXEC     PAGE_COPY
++#endif
++
+ #define PAGE_GATE     __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
+ #define PAGE_KERNEL   __pgprot(__DIRTY_BITS  | _PAGE_PL_0 | _PAGE_AR_RWX)
+ #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
+diff --git a/arch/ia64/include/asm/spinlock.h b/arch/ia64/include/asm/spinlock.h
+index ca9e761..40dffaf 100644
+--- a/arch/ia64/include/asm/spinlock.h
++++ b/arch/ia64/include/asm/spinlock.h
+@@ -73,7 +73,7 @@ static __always_inline void __ticket_spin_unlock(arch_spinlock_t *lock)
+       unsigned short  *p = (unsigned short *)&lock->lock + 1, tmp;
+       asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
+-      ACCESS_ONCE(*p) = (tmp + 2) & ~1;
++      ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
+ }
+ static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
+diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
+index bfe1319..da0014b 100644
+--- a/arch/ia64/include/asm/uaccess.h
++++ b/arch/ia64/include/asm/uaccess.h
+@@ -70,6 +70,7 @@
+        && ((segment).seg == KERNEL_DS.seg                                             \
+            || likely(REGION_OFFSET((unsigned long) (addr)) < RGN_MAP_LIMIT)));        \
+ })
++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
+ #define access_ok(type, addr, size)   __access_ok((addr), (size), get_fs())
+ /*
+@@ -241,17 +242,23 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use
+ static inline unsigned long
+ __copy_to_user (void __user *to, const void *from, unsigned long count)
+ {
++      if (count > INT_MAX)
++              return count;
++
+       check_object_size(from, count, true);
+-      return __copy_user(to, (__force void __user *) from, count);
++      return __copy_user(to, (void __force_user *) from, count);
+ }
+ static inline unsigned long
+ __copy_from_user (void *to, const void __user *from, unsigned long count)
+ {
++      if (count > INT_MAX)
++              return count;
++
+       check_object_size(to, count, false);
+-      return __copy_user((__force void __user *) to, from, count);
++      return __copy_user((void __force_user *) to, from, count);
+ }
+ #define __copy_to_user_inatomic               __copy_to_user
+@@ -260,11 +267,11 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
+ ({                                                                                    \
+       void __user *__cu_to = (to);                                                    \
+       const void *__cu_from = (from);                                                 \
+-      long __cu_len = (n);                                                            \
++      unsigned long __cu_len = (n);                                                   \
+                                                                                       \
+-      if (__access_ok(__cu_to, __cu_len, get_fs())) {                                 \
+-              check_object_size(__cu_from, __cu_len, true);                   \
+-              __cu_len = __copy_user(__cu_to, (__force void __user *)  __cu_from, __cu_len);  \
++      if (__cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) {          \
++              check_object_size(__cu_from, __cu_len, true);                           \
++              __cu_len = __copy_user(__cu_to, (void __force_user *)  __cu_from, __cu_len);    \
+       }                                                                               \
+       __cu_len;                                                                       \
+ })
+@@ -272,10 +279,10 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
+ static inline unsigned long
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+-      check_object_size(to, n, false);
+-      if (likely(__access_ok(from, n, get_fs())))
+-              n = __copy_user((__force void __user *) to, from, n);
+-      else
++      if (likely(__access_ok(from, n, get_fs()))) {
++              check_object_size(to, n, false);
++              n = __copy_user((void __force_user *) to, from, n);
++      } else if ((long)n > 0)
+               memset(to, 0, n);
+       return n;
+ }
+diff --git a/arch/ia64/kernel/kprobes.c b/arch/ia64/kernel/kprobes.c
+index c7c5144..7e31461 100644
+--- a/arch/ia64/kernel/kprobes.c
++++ b/arch/ia64/kernel/kprobes.c
+@@ -499,6 +499,7 @@ int __kprobes trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
+       return 1;
+ }
++#ifdef CONFIG_KRETPROBES
+ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+                                     struct pt_regs *regs)
+ {
+@@ -507,6 +508,7 @@ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+       /* Replace the return addr with trampoline addr */
+       regs->b0 = ((struct fnptr *)kretprobe_trampoline)->ip;
+ }
++#endif
+ /* Check the instruction in the slot is break */
+ static int __kprobes __is_ia64_break_inst(bundle_t *bundle, uint slot)
+@@ -1119,6 +1121,7 @@ int __init arch_init_kprobes(void)
+       return register_kprobe(&trampoline_p);
+ }
++#ifdef CONFIG_KRETPROBES
+ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+ {
+       if (p->addr ==
+@@ -1127,3 +1130,4 @@ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+       return 0;
+ }
++#endif
+diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
+index 6ab0ae7..88f1b60 100644
+--- a/arch/ia64/kernel/module.c
++++ b/arch/ia64/kernel/module.c
+@@ -486,13 +486,13 @@ module_frob_arch_sections (Elf_Ehdr *ehdr, Elf_Shdr *sechdrs, char *secstrings,
+ static inline int
+ in_init (const struct module *mod, uint64_t addr)
+ {
+-      return addr - (uint64_t) mod->init_layout.base < mod->init_layout.size;
++      return within_module_init(addr, mod);
+ }
+ static inline int
+ in_core (const struct module *mod, uint64_t addr)
+ {
+-      return addr - (uint64_t) mod->core_layout.base < mod->core_layout.size;
++      return within_module_core(addr, mod);
+ }
+ static inline int
+@@ -676,6 +676,14 @@ do_reloc (struct module *mod, uint8_t r_type, Elf64_Sym *sym, uint64_t addend,
+             case RV_BDREL:
+               val -= (uint64_t) (in_init(mod, val) ? mod->init_layout.base : mod->core_layout.base);
++              if (within_module_rx(val, &mod->init_layout))
++                      val -= mod->init_layout.base_rx;
++              else if (within_module_rw(val, &mod->init_layout))
++                      val -= mod->init_layout.base_rw;
++              else if (within_module_rx(val, &mod->core_layout))
++                      val -= mod->core_layout.base_rx;
++              else if (within_module_rw(val, &mod->core_layout))
++                      val -= mod->core_layout.base_rw;
+               break;
+             case RV_LTV:
+@@ -810,15 +818,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs, const char *strtab, unsigned int symind
+                *     addresses have been selected...
+                */
+               uint64_t gp;
+-              if (mod->core_layout.size > MAX_LTOFF)
++              if (mod->core_layout.size_rx + mod->core_layout.size_rw > MAX_LTOFF)
+                       /*
+                        * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
+                        * at the end of the module.
+                        */
+-                      gp = mod->core_layout.size - MAX_LTOFF / 2;
++                      gp = mod->core_layout.size_rx + mod->core_layout.size_rw - MAX_LTOFF / 2;
+               else
+-                      gp = mod->core_layout.size / 2;
+-              gp = (uint64_t) mod->core_layout.base + ((gp + 7) & -8);
++                      gp = (mod->core_layout.size_rx + mod->core_layout.size_rw) / 2;
++              gp = (uint64_t) mod->core_layout.base_rx + ((gp + 7) & -8);
+               mod->arch.gp = gp;
+               DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
+       }
+diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c
+index c39c3cd..3c77738 100644
+--- a/arch/ia64/kernel/palinfo.c
++++ b/arch/ia64/kernel/palinfo.c
+@@ -980,7 +980,7 @@ static int palinfo_cpu_callback(struct notifier_block *nfb,
+       return NOTIFY_OK;
+ }
+-static struct notifier_block __refdata palinfo_cpu_notifier =
++static struct notifier_block palinfo_cpu_notifier =
+ {
+       .notifier_call = palinfo_cpu_callback,
+       .priority = 0,
+diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
+index 41e33f8..65180b2a 100644
+--- a/arch/ia64/kernel/sys_ia64.c
++++ b/arch/ia64/kernel/sys_ia64.c
+@@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
+       unsigned long align_mask = 0;
+       struct mm_struct *mm = current->mm;
+       struct vm_unmapped_area_info info;
++      unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
+       if (len > RGN_MAP_LIMIT)
+               return -ENOMEM;
+@@ -43,6 +44,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
+       if (REGION_NUMBER(addr) == RGN_HPAGE)
+               addr = 0;
+ #endif
++
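++      /* PAX_RANDMMAP: ignore the caller's hint and start from the randomized base */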
++#ifdef CONFIG_PAX_RANDMMAP
++      if (mm->pax_flags & MF_PAX_RANDMMAP)
++              addr = mm->free_area_cache;
++      else
++#endif
++
+       if (!addr)
+               addr = TASK_UNMAPPED_BASE;
+@@ -61,6 +69,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
+       info.high_limit = TASK_SIZE;
+       info.align_mask = align_mask;
+       info.align_offset = 0;
++      info.threadstack_offset = offset;
+       return vm_unmapped_area(&info);
+ }
+diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
+index f89d20c..410a1b1 100644
+--- a/arch/ia64/kernel/vmlinux.lds.S
++++ b/arch/ia64/kernel/vmlinux.lds.S
+@@ -172,7 +172,7 @@ SECTIONS {
+       /* Per-cpu data: */
+       . = ALIGN(PERCPU_PAGE_SIZE);
+       PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
+-      __phys_per_cpu_start = __per_cpu_load;
++      __phys_per_cpu_start = per_cpu_load;
+       /*
+        * ensure percpu data fits
+        * into percpu page size
+diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
+index fa6ad95..b46bd89 100644
+--- a/arch/ia64/mm/fault.c
++++ b/arch/ia64/mm/fault.c
+@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned long address)
+       return pte_present(pte);
+ }
++#ifdef CONFIG_PAX_PAGEEXEC
++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
++{
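++      /* log the eight 32-bit words at the faulting PC; unreadable words print as "????????" */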
++      unsigned long i;
++
++      printk(KERN_ERR "PAX: bytes at PC: ");
++      for (i = 0; i < 8; i++) {
++              unsigned int c;
++              if (get_user(c, (unsigned int *)pc+i))
++                      printk(KERN_CONT "???????? ");
++              else
++                      printk(KERN_CONT "%08x ", c);
++      }
++      printk("\n");
++}
++#endif
++
+ #     define VM_READ_BIT      0
+ #     define VM_WRITE_BIT     1
+ #     define VM_EXEC_BIT      2
+@@ -151,8 +168,21 @@ ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *re
+       if (((isr >> IA64_ISR_R_BIT) & 1UL) && (!(vma->vm_flags & (VM_READ | VM_WRITE))))
+               goto bad_area;
+-      if ((vma->vm_flags & mask) != mask)
++      if ((vma->vm_flags & mask) != mask) {
++
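++              /* PAX_PAGEEXEC: an instruction fetch from a non-executable vma kills the task */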
++#ifdef CONFIG_PAX_PAGEEXEC
++              if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
++                      if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
++                              goto bad_area;
++
++                      up_read(&mm->mmap_sem);
++                      pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
++                      do_group_exit(SIGKILL);
++              }
++#endif
++
+               goto bad_area;
++      }
+       /*
+        * If for any reason at all we couldn't handle the fault, make
+diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c
+index 85de86d..db7f6b8 100644
+--- a/arch/ia64/mm/hugetlbpage.c
++++ b/arch/ia64/mm/hugetlbpage.c
+@@ -138,6 +138,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
+               unsigned long pgoff, unsigned long flags)
+ {
+       struct vm_unmapped_area_info info;
++      unsigned long offset = gr_rand_threadstack_offset(current->mm, file, flags);
+       if (len > RGN_MAP_LIMIT)
+               return -ENOMEM;
+@@ -161,6 +162,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
+       info.high_limit = HPAGE_REGION_BASE + RGN_MAP_LIMIT;
+       info.align_mask = PAGE_MASK & (HPAGE_SIZE - 1);
+       info.align_offset = 0;
++      info.threadstack_offset = offset;
+       return vm_unmapped_area(&info);
+ }
+diff --git a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c
+index 1841ef6..74d8330 100644
+--- a/arch/ia64/mm/init.c
++++ b/arch/ia64/mm/init.c
+@@ -119,6 +119,19 @@ ia64_init_addr_space (void)
+               vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
+               vma->vm_end = vma->vm_start + PAGE_SIZE;
+               vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
++
++#ifdef CONFIG_PAX_PAGEEXEC
++              if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
++                      vma->vm_flags &= ~VM_EXEC;
++
++#ifdef CONFIG_PAX_MPROTECT
++                      if (current->mm->pax_flags & MF_PAX_MPROTECT)
++                              vma->vm_flags &= ~VM_MAYEXEC;
++#endif
++
++              }
++#endif
++
+               vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
+               down_write(&current->mm->mmap_sem);
+               if (insert_vm_struct(current->mm, vma)) {
+@@ -279,7 +292,7 @@ static int __init gate_vma_init(void)
+       gate_vma.vm_start = FIXADDR_USER_START;
+       gate_vma.vm_end = FIXADDR_USER_END;
+       gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
+-      gate_vma.vm_page_prot = __P101;
++      gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
+       return 0;
+ }
+diff --git a/arch/m32r/include/asm/cache.h b/arch/m32r/include/asm/cache.h
+index 40b3ee98..8c2c112 100644
+--- a/arch/m32r/include/asm/cache.h
++++ b/arch/m32r/include/asm/cache.h
+@@ -1,8 +1,10 @@
+ #ifndef _ASM_M32R_CACHE_H
+ #define _ASM_M32R_CACHE_H
++#include <linux/const.h>
++
+ /* L1 cache line size */
+ #define L1_CACHE_SHIFT                4
+-#define L1_CACHE_BYTES                (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_BYTES                (_AC(1,UL) << L1_CACHE_SHIFT)
+ #endif  /* _ASM_M32R_CACHE_H */
+diff --git a/arch/m32r/lib/usercopy.c b/arch/m32r/lib/usercopy.c
+index 82abd15..d95ae5d 100644
+--- a/arch/m32r/lib/usercopy.c
++++ b/arch/m32r/lib/usercopy.c
+@@ -14,6 +14,9 @@
+ unsigned long
+ __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
+ {
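++      /* a length with the sign bit set is bogus (likely an overflowed size); bail out */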
++      if ((long)n < 0)
++              return n;
++
+       prefetch(from);
+       if (access_ok(VERIFY_WRITE, to, n))
+               __copy_user(to,from,n);
+@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
+ unsigned long
+ __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
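++      /* same sanity check as in __generic_copy_to_user() above */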
++      if ((long)n < 0)
++              return n;
++
+       prefetchw(to);
+       if (access_ok(VERIFY_READ, from, n))
+               __copy_user_zeroing(to,from,n);
+diff --git a/arch/m68k/include/asm/cache.h b/arch/m68k/include/asm/cache.h
+index 0395c51..5f26031 100644
+--- a/arch/m68k/include/asm/cache.h
++++ b/arch/m68k/include/asm/cache.h
+@@ -4,9 +4,11 @@
+ #ifndef __ARCH_M68K_CACHE_H
+ #define __ARCH_M68K_CACHE_H
++#include <linux/const.h>
++
+ /* bytes per L1 cache line */
+ #define        L1_CACHE_SHIFT  4
+-#define        L1_CACHE_BYTES  (1<< L1_CACHE_SHIFT)
++#define        L1_CACHE_BYTES  (_AC(1,UL) << L1_CACHE_SHIFT)
+ #define ARCH_DMA_MINALIGN     L1_CACHE_BYTES
+diff --git a/arch/m68k/kernel/time.c b/arch/m68k/kernel/time.c
+index 4e5aa2f..172c469 100644
+--- a/arch/m68k/kernel/time.c
++++ b/arch/m68k/kernel/time.c
+@@ -107,6 +107,7 @@ static int rtc_ioctl(struct device *dev, unsigned int cmd, unsigned long arg)
+       switch (cmd) {
+       case RTC_PLL_GET:
++              memset(&pll, 0, sizeof(pll));
+               if (!mach_get_rtc_pll || mach_get_rtc_pll(&pll))
+                       return -EINVAL;
+               return copy_to_user(argp, &pll, sizeof pll) ? -EFAULT : 0;
+diff --git a/arch/metag/mm/hugetlbpage.c b/arch/metag/mm/hugetlbpage.c
+index db1b7da..8e13684 100644
+--- a/arch/metag/mm/hugetlbpage.c
++++ b/arch/metag/mm/hugetlbpage.c
+@@ -189,6 +189,7 @@ hugetlb_get_unmapped_area_new_pmd(unsigned long len)
+       info.high_limit = TASK_SIZE;
+       info.align_mask = PAGE_MASK & HUGEPT_MASK;
+       info.align_offset = 0;
++      info.threadstack_offset = 0;
+       return vm_unmapped_area(&info);
+ }
+diff --git a/arch/microblaze/include/asm/cache.h b/arch/microblaze/include/asm/cache.h
+index 4efe96a..60e8699 100644
+--- a/arch/microblaze/include/asm/cache.h
++++ b/arch/microblaze/include/asm/cache.h
+@@ -13,11 +13,12 @@
+ #ifndef _ASM_MICROBLAZE_CACHE_H
+ #define _ASM_MICROBLAZE_CACHE_H
++#include <linux/const.h>
+ #include <asm/registers.h>
+ #define L1_CACHE_SHIFT 5
+ /* word-granular cache in microblaze */
+-#define L1_CACHE_BYTES        (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_BYTES        (_AC(1,UL) << L1_CACHE_SHIFT)
+ #define SMP_CACHE_BYTES       L1_CACHE_BYTES
+diff --git a/arch/mips/Kbuild b/arch/mips/Kbuild
+index 5c3f688..f8cc1b3 100644
+--- a/arch/mips/Kbuild
++++ b/arch/mips/Kbuild
+@@ -1,7 +1,7 @@
+ # Fail on warnings - also for files referenced in subdirs
+ # -Werror can be disabled for specific files using:
+ # CFLAGS_<file.o> := -Wno-error
+-subdir-ccflags-y := -Werror
++# subdir-ccflags-y := -Werror
+ # platform specific definitions
+ include arch/mips/Kbuild.platforms
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index b3c5bde..d6b5104 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -49,6 +49,7 @@ config MIPS
+       select HAVE_MOD_ARCH_SPECIFIC
+       select HAVE_NMI
+       select VIRT_TO_BUS
++      select HAVE_GCC_PLUGINS
+       select MODULES_USE_ELF_REL if MODULES
+       select MODULES_USE_ELF_RELA if MODULES && 64BIT
+       select CLONE_BACKWARDS
+@@ -2595,7 +2596,7 @@ config RELOCATION_TABLE_SIZE
+ config RANDOMIZE_BASE
+       bool "Randomize the address of the kernel image"
+-      depends on RELOCATABLE
++      depends on RELOCATABLE && BROKEN_SECURITY
+       ---help---
+          Randomizes the physical and virtual address at which the
+          kernel image is loaded, as a security feature that
+@@ -2811,6 +2812,7 @@ source "kernel/Kconfig.preempt"
+ config KEXEC
+       bool "Kexec system call"
+       select KEXEC_CORE
++      depends on !GRKERNSEC_KMEM
+       help
+         kexec is a system call that implements the ability to shutdown your
+         current kernel, and to start another kernel.  It is like a reboot
+diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
+index 0ab176b..c4469a4 100644
+--- a/arch/mips/include/asm/atomic.h
++++ b/arch/mips/include/asm/atomic.h
+@@ -22,15 +22,39 @@
+ #include <asm/cmpxchg.h>
+ #include <asm/war.h>
++#ifdef CONFIG_GENERIC_ATOMIC64
++#include <asm-generic/atomic64.h>
++#endif
++
+ #define ATOMIC_INIT(i)          { (i) }
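++/*
++ * _ASM_EXTABLE emits an __ex_table entry pairing a potentially faulting
++ * instruction with its fixup address (.dword on 64-bit, .word on 32-bit).
++ */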
++#ifdef CONFIG_64BIT
++#define _ASM_EXTABLE(from, to)                \
++"     .section __ex_table,\"a\"\n"    \
++"     .dword  " #from ", " #to"\n"    \
++"     .previous\n"
++#else
++#define _ASM_EXTABLE(from, to)                \
++"     .section __ex_table,\"a\"\n"    \
++"     .word   " #from ", " #to"\n"    \
++"     .previous\n"
++#endif
++
+ /*
+  * atomic_read - read atomic variable
+  * @v: pointer of type atomic_t
+  *
+  * Atomically reads the value of @v.
+  */
+-#define atomic_read(v)                READ_ONCE((v)->counter)
++static inline int atomic_read(const atomic_t *v)
++{
++      return READ_ONCE(v->counter);
++}
++
++static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
++{
++      return READ_ONCE(v->counter);
++}
+ /*
+  * atomic_set - set atomic variable
+@@ -39,47 +63,77 @@
+  *
+  * Atomically sets the value of @v to @i.
+  */
+-#define atomic_set(v, i)      WRITE_ONCE((v)->counter, (i))
++static inline void atomic_set(atomic_t *v, int i)
++{
++      WRITE_ONCE(v->counter, i);
++}
+-#define ATOMIC_OP(op, c_op, asm_op)                                         \
+-static __inline__ void atomic_##op(int i, atomic_t * v)                             \
++static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
++{
++      WRITE_ONCE(v->counter, i);
++}
++
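++/*
++ * With PAX_REFCOUNT the checked atomic ops use the trapping signed insn
++ * at label 2; on overflow the __ex_table entry redirects the fault past
++ * the store, leaving the counter unchanged.
++ */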
++#ifdef CONFIG_PAX_REFCOUNT
++#define __OVERFLOW_POST                               \
++      "       b       4f              \n"     \
++      "       .set    noreorder       \n"     \
++      "3:     b       5f              \n"     \
++      "       move    %0, %1          \n"     \
++      "       .set    reorder         \n"
++#define __OVERFLOW_EXTABLE    \
++      "3:\n"                  \
++      _ASM_EXTABLE(2b, 3b)
++#else
++#define __OVERFLOW_POST
++#define __OVERFLOW_EXTABLE
++#endif
++
++#define __ATOMIC_OP(op, suffix, asm_op, extable)                            \
++static inline void atomic_##op##suffix(int i, atomic##suffix##_t * v)       \
+ {                                                                           \
+       if (kernel_uses_llsc && R10000_LLSC_WAR) {                            \
+               int temp;                                                     \
+                                                                             \
+               __asm__ __volatile__(                                         \
+-              "       .set    arch=r4000                              \n"   \
+-              "1:     ll      %0, %1          # atomic_" #op "        \n"   \
+-              "       " #asm_op " %0, %2                              \n"   \
++              "       .set    mips3                                   \n"   \
++              "1:     ll      %0, %1          # atomic_" #op #suffix "\n"   \
++              "2:     " #asm_op " %0, %2                              \n"   \
+               "       sc      %0, %1                                  \n"   \
+               "       beqzl   %0, 1b                                  \n"   \
++              extable                                                       \
+               "       .set    mips0                                   \n"   \
+               : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter)          \
+               : "Ir" (i));                                                  \
+       } else if (kernel_uses_llsc) {                                        \
+               int temp;                                                     \
+                                                                             \
+-              do {                                                          \
+-                      __asm__ __volatile__(                                 \
+-                      "       .set    "MIPS_ISA_LEVEL"                \n"   \
+-                      "       ll      %0, %1          # atomic_" #op "\n"   \
+-                      "       " #asm_op " %0, %2                      \n"   \
+-                      "       sc      %0, %1                          \n"   \
+-                      "       .set    mips0                           \n"   \
+-                      : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter)  \
+-                      : "Ir" (i));                                          \
+-              } while (unlikely(!temp));                                    \
++              __asm__ __volatile__(                                         \
++              "       .set    "MIPS_ISA_LEVEL"                        \n"   \
++              "1:     ll      %0, %1          # atomic_" #op #suffix "\n"   \
++              "2:     " #asm_op " %0, %2                              \n"   \
++              "       sc      %0, %1                                  \n"   \
++              "       beqz    %0, 1b                                  \n"   \
++                      extable                                               \
++              "       .set    mips0                                   \n"   \
++              : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter)          \
++              : "Ir" (i));                                                  \
+       } else {                                                              \
+               unsigned long flags;                                          \
+                                                                             \
+               raw_local_irq_save(flags);                                    \
+-              v->counter c_op i;                                            \
++              __asm__ __volatile__(                                         \
++              "2:     " #asm_op " %0, %1                              \n"   \
++              extable                                                       \
++              : "+r" (v->counter) : "Ir" (i));                              \
+               raw_local_irq_restore(flags);                                 \
+       }                                                                     \
+ }
+-#define ATOMIC_OP_RETURN(op, c_op, asm_op)                                  \
+-static __inline__ int atomic_##op##_return_relaxed(int i, atomic_t * v)             \
++#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, _unchecked, asm_op##u, )              \
++                            __ATOMIC_OP(op, , asm_op, __OVERFLOW_EXTABLE)
++
++#define __ATOMIC_OP_RETURN(op, suffix, asm_op, post_op, extable)            \
++static inline int atomic_##op##_return##suffix##_relaxed(int i, atomic##suffix##_t * v) \
+ {                                                                           \
+       int result;                                                           \
+                                                                             \
+@@ -87,12 +141,15 @@ static __inline__ int atomic_##op##_return_relaxed(int i, atomic_t * v)         \
+               int temp;                                                     \
+                                                                             \
+               __asm__ __volatile__(                                         \
+-              "       .set    arch=r4000                              \n"   \
+-              "1:     ll      %1, %2          # atomic_" #op "_return \n"   \
+-              "       " #asm_op " %0, %1, %3                          \n"   \
++              "       .set    mips3                                   \n"   \
++              "1:     ll      %1, %2  # atomic_" #op "_return" #suffix"\n"  \
++              "2:     " #asm_op " %0, %1, %3                          \n"   \
+               "       sc      %0, %2                                  \n"   \
+               "       beqzl   %0, 1b                                  \n"   \
+-              "       " #asm_op " %0, %1, %3                          \n"   \
++              post_op                                                       \
++              extable                                                       \
++              "4:     " #asm_op " %0, %1, %3                          \n"   \
++              "5:                                                     \n"   \
+               "       .set    mips0                                   \n"   \
+               : "=&r" (result), "=&r" (temp),                               \
+                 "+" GCC_OFF_SMALL_ASM() (v->counter)                        \
+@@ -100,32 +157,40 @@ static __inline__ int atomic_##op##_return_relaxed(int i, atomic_t * v)        \
+       } else if (kernel_uses_llsc) {                                        \
+               int temp;                                                     \
+                                                                             \
+-              do {                                                          \
+-                      __asm__ __volatile__(                                 \
+-                      "       .set    "MIPS_ISA_LEVEL"                \n"   \
+-                      "       ll      %1, %2  # atomic_" #op "_return \n"   \
+-                      "       " #asm_op " %0, %1, %3                  \n"   \
+-                      "       sc      %0, %2                          \n"   \
+-                      "       .set    mips0                           \n"   \
+-                      : "=&r" (result), "=&r" (temp),                       \
+-                        "+" GCC_OFF_SMALL_ASM() (v->counter)                \
+-                      : "Ir" (i));                                          \
+-              } while (unlikely(!result));                                  \
+-                                                                            \
+-              result = temp; result c_op i;                                 \
++              __asm__ __volatile__(                                         \
++              "       .set    "MIPS_ISA_LEVEL"                        \n"   \
++              "1:     ll      %1, %2  # atomic_" #op "_return" #suffix "\n" \
++              "2:     " #asm_op " %0, %1, %3                          \n"   \
++              "       sc      %0, %2                                  \n"   \
++              post_op                                                       \
++              extable                                                       \
++              "4:     " #asm_op " %0, %1, %3                          \n"   \
++              "5:                                                     \n"   \
++              "       .set    mips0                                   \n"   \
++              : "=&r" (result), "=&r" (temp),                               \
++                "+" GCC_OFF_SMALL_ASM() (v->counter)                        \
++              : "Ir" (i));                                                  \
+       } else {                                                              \
+               unsigned long flags;                                          \
+                                                                             \
+               raw_local_irq_save(flags);                                    \
+-              result = v->counter;                                          \
+-              result c_op i;                                                \
+-              v->counter = result;                                          \
++              __asm__ __volatile__(                                         \
++              "       lw      %0, %1                                  \n"   \
++              "2:     " #asm_op " %0, %1, %2                          \n"   \
++              "       sw      %0, %1                                  \n"   \
++              "3:                                                     \n"   \
++              extable                                                       \
++              : "=&r" (result), "+" GCC_OFF_SMALL_ASM() (v->counter)        \
++              : "Ir" (i));                                                  \
+               raw_local_irq_restore(flags);                                 \
+       }                                                                     \
+                                                                             \
+       return result;                                                        \
+ }
++#define ATOMIC_OP_RETURN(op, asm_op) __ATOMIC_OP_RETURN(op, _unchecked, asm_op##u, , )        \
++                                   __ATOMIC_OP_RETURN(op, , asm_op, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
++
+ #define ATOMIC_FETCH_OP(op, c_op, asm_op)                                   \
+ static __inline__ int atomic_fetch_##op##_relaxed(int i, atomic_t * v)              \
+ {                                                                           \
+@@ -173,13 +238,13 @@ static __inline__ int atomic_fetch_##op##_relaxed(int i, atomic_t * v)         \
+       return result;                                                        \
+ }
+-#define ATOMIC_OPS(op, c_op, asm_op)                                        \
+-      ATOMIC_OP(op, c_op, asm_op)                                           \
+-      ATOMIC_OP_RETURN(op, c_op, asm_op)                                    \
+-      ATOMIC_FETCH_OP(op, c_op, asm_op)
++#define ATOMIC_OPS(op, asm_op)                                              \
++      ATOMIC_OP(op, asm_op)                                         \
++      ATOMIC_OP_RETURN(op, asm_op)                                  \
++      ATOMIC_FETCH_OP(op, asm_op)
+-ATOMIC_OPS(add, +=, addu)
+-ATOMIC_OPS(sub, -=, subu)
++ATOMIC_OPS(add, add)
++ATOMIC_OPS(sub, sub)
+ #define atomic_add_return_relaxed     atomic_add_return_relaxed
+ #define atomic_sub_return_relaxed     atomic_sub_return_relaxed
+@@ -187,13 +252,13 @@ ATOMIC_OPS(sub, -=, subu)
+ #define atomic_fetch_sub_relaxed      atomic_fetch_sub_relaxed
+ #undef ATOMIC_OPS
+-#define ATOMIC_OPS(op, c_op, asm_op)                                        \
+-      ATOMIC_OP(op, c_op, asm_op)                                           \
+-      ATOMIC_FETCH_OP(op, c_op, asm_op)
++#define ATOMIC_OPS(op, asm_op)                                              \
++      ATOMIC_OP(op, asm_op)                                         \
++      ATOMIC_FETCH_OP(op, asm_op)
+-ATOMIC_OPS(and, &=, and)
+-ATOMIC_OPS(or, |=, or)
+-ATOMIC_OPS(xor, ^=, xor)
++ATOMIC_OPS(and, and)
++ATOMIC_OPS(or, or)
++ATOMIC_OPS(xor, xor)
+ #define atomic_fetch_and_relaxed      atomic_fetch_and_relaxed
+ #define atomic_fetch_or_relaxed               atomic_fetch_or_relaxed
+@@ -202,7 +267,9 @@ ATOMIC_OPS(xor, ^=, xor)
+ #undef ATOMIC_OPS
+ #undef ATOMIC_FETCH_OP
+ #undef ATOMIC_OP_RETURN
++#undef __ATOMIC_OP_RETURN
+ #undef ATOMIC_OP
++#undef __ATOMIC_OP
+ /*
+  * atomic_sub_if_positive - conditionally subtract integer from atomic variable
+@@ -212,7 +279,7 @@ ATOMIC_OPS(xor, ^=, xor)
+  * Atomically test @v and subtract @i if @v is greater or equal than @i.
+  * The function returns the old value of @v minus @i.
+  */
+-static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
++static __inline__ int atomic_sub_if_positive(int i, atomic_t *v)
+ {
+       int result;
+@@ -222,7 +289,7 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
+               int temp;
+               __asm__ __volatile__(
+-              "       .set    arch=r4000                              \n"
++              "       .set    "MIPS_ISA_LEVEL"                        \n"
+               "1:     ll      %1, %2          # atomic_sub_if_positive\n"
+               "       subu    %0, %1, %3                              \n"
+               "       bltz    %0, 1f                                  \n"
+@@ -271,8 +338,26 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
+       return result;
+ }
+-#define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
+-#define atomic_xchg(v, new) (xchg(&((v)->counter), (new)))
++static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
++{
++      return cmpxchg(&v->counter, old, new);
++}
++
++static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old,
++                                         int new)
++{
++      return cmpxchg(&(v->counter), old, new);
++}
++
++static inline int atomic_xchg(atomic_t *v, int new)
++{
++      return xchg(&v->counter, new);
++}
++
++static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
++{
++      return xchg(&(v->counter), new);
++}
+ /**
+  * __atomic_add_unless - add unless the number is a given value
+@@ -300,6 +385,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+ #define atomic_dec_return(v) atomic_sub_return(1, (v))
+ #define atomic_inc_return(v) atomic_add_return(1, (v))
++static __inline__ int atomic_inc_return_unchecked(atomic_unchecked_t *v)
++{
++      return atomic_add_return_unchecked(1, v);
++}
+ /*
+  * atomic_sub_and_test - subtract value from variable and test result
+@@ -321,6 +410,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+  * other cases.
+  */
+ #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
++static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
++{
++      return atomic_add_return_unchecked(1, v) == 0;
++}
+ /*
+  * atomic_dec_and_test - decrement by 1 and test
+@@ -345,6 +438,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+  * Atomically increments @v by 1.
+  */
+ #define atomic_inc(v) atomic_add(1, (v))
++static __inline__ void atomic_inc_unchecked(atomic_unchecked_t *v)
++{
++      atomic_add_unchecked(1, v);
++}
+ /*
+  * atomic_dec - decrement and test
+@@ -353,6 +450,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+  * Atomically decrements @v by 1.
+  */
+ #define atomic_dec(v) atomic_sub(1, (v))
++static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v)
++{
++      atomic_sub_unchecked(1, v);
++}
+ /*
+  * atomic_add_negative - add and test if negative
+@@ -374,54 +475,77 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
+  * @v: pointer of type atomic64_t
+  *
+  */
+-#define atomic64_read(v)      READ_ONCE((v)->counter)
++static inline long atomic64_read(const atomic64_t *v)
++{
++      return READ_ONCE(v->counter);
++}
++
++static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
++{
++      return READ_ONCE(v->counter);
++}
+ /*
+  * atomic64_set - set atomic variable
+  * @v: pointer of type atomic64_t
+  * @i: required value
+  */
+-#define atomic64_set(v, i)    WRITE_ONCE((v)->counter, (i))
++static inline void atomic64_set(atomic64_t *v, long i)
++{
++      WRITE_ONCE(v->counter, i);
++}
+-#define ATOMIC64_OP(op, c_op, asm_op)                                       \
+-static __inline__ void atomic64_##op(long i, atomic64_t * v)                \
++static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
++{
++      WRITE_ONCE(v->counter, i);
++}
++
++#define __ATOMIC64_OP(op, suffix, asm_op, extable)                          \
++static inline void atomic64_##op##suffix(long i, atomic64##suffix##_t * v)    \
+ {                                                                           \
+       if (kernel_uses_llsc && R10000_LLSC_WAR) {                            \
+               long temp;                                                    \
+                                                                             \
+               __asm__ __volatile__(                                         \
+-              "       .set    arch=r4000                              \n"   \
+-              "1:     lld     %0, %1          # atomic64_" #op "      \n"   \
+-              "       " #asm_op " %0, %2                              \n"   \
++              "       .set    "MIPS_ISA_LEVEL"                        \n"   \
++              "1:     lld     %0, %1          # atomic64_" #op #suffix "\n" \
++              "2:     " #asm_op " %0, %2                              \n"   \
+               "       scd     %0, %1                                  \n"   \
+               "       beqzl   %0, 1b                                  \n"   \
++              extable                                                       \
+               "       .set    mips0                                   \n"   \
+               : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter)          \
+               : "Ir" (i));                                                  \
+       } else if (kernel_uses_llsc) {                                        \
+               long temp;                                                    \
+                                                                             \
+-              do {                                                          \
+-                      __asm__ __volatile__(                                 \
+-                      "       .set    "MIPS_ISA_LEVEL"                \n"   \
+-                      "       lld     %0, %1          # atomic64_" #op "\n" \
+-                      "       " #asm_op " %0, %2                      \n"   \
+-                      "       scd     %0, %1                          \n"   \
+-                      "       .set    mips0                           \n"   \
+-                      : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter)      \
+-                      : "Ir" (i));                                          \
+-              } while (unlikely(!temp));                                    \
++              __asm__ __volatile__(                                         \
++              "       .set    "MIPS_ISA_LEVEL"                        \n"   \
++              "1:     lld     %0, %1          # atomic64_" #op #suffix "\n" \
++              "2:     " #asm_op " %0, %2                              \n"   \
++              "       scd     %0, %1                                  \n"   \
++              "       beqz    %0, 1b                                  \n"   \
++                      extable                                               \
++              "       .set    mips0                                   \n"   \
++              : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter)          \
++              : "Ir" (i));                                                  \
+       } else {                                                              \
+               unsigned long flags;                                          \
+                                                                             \
+               raw_local_irq_save(flags);                                    \
+-              v->counter c_op i;                                            \
++              __asm__ __volatile__(                                         \
++              "2:     " #asm_op " %0, %1                              \n"   \
++              extable                                                       \
++              : "+" GCC_OFF_SMALL_ASM() (v->counter) : "Ir" (i));           \
+               raw_local_irq_restore(flags);                                 \
+       }                                                                     \
+ }
+-#define ATOMIC64_OP_RETURN(op, c_op, asm_op)                                \
+-static __inline__ long atomic64_##op##_return_relaxed(long i, atomic64_t * v) \
++#define ATOMIC64_OP(op, asm_op) __ATOMIC64_OP(op, _unchecked, asm_op##u, )    \
++                              __ATOMIC64_OP(op, , asm_op, __OVERFLOW_EXTABLE)
++
++#define __ATOMIC64_OP_RETURN(op, suffix, asm_op, post_op, extable)          \
++static inline long atomic64_##op##_return##suffix##_relaxed(long i, atomic64##suffix##_t * v)\
+ {                                                                           \
+       long result;                                                          \
+                                                                             \
+@@ -429,12 +553,15 @@ static __inline__ long atomic64_##op##_return_relaxed(long i, atomic64_t * v) \
+               long temp;                                                    \
+                                                                             \
+               __asm__ __volatile__(                                         \
+-              "       .set    arch=r4000                              \n"   \
++              "       .set    mips3                                   \n"   \
+               "1:     lld     %1, %2          # atomic64_" #op "_return\n"  \
+-              "       " #asm_op " %0, %1, %3                          \n"   \
++              "2:     " #asm_op " %0, %1, %3                          \n"   \
+               "       scd     %0, %2                                  \n"   \
+               "       beqzl   %0, 1b                                  \n"   \
+-              "       " #asm_op " %0, %1, %3                          \n"   \
++              post_op                                                       \
++              extable                                                       \
++              "4:     " #asm_op " %0, %1, %3                          \n"   \
++              "5:                                                     \n"   \
+               "       .set    mips0                                   \n"   \
+               : "=&r" (result), "=&r" (temp),                               \
+                 "+" GCC_OFF_SMALL_ASM() (v->counter)                        \
+@@ -442,33 +569,42 @@ static __inline__ long atomic64_##op##_return_relaxed(long i, atomic64_t * v) \
+       } else if (kernel_uses_llsc) {                                        \
+               long temp;                                                    \
+                                                                             \
+-              do {                                                          \
+-                      __asm__ __volatile__(                                 \
+-                      "       .set    "MIPS_ISA_LEVEL"                \n"   \
+-                      "       lld     %1, %2  # atomic64_" #op "_return\n"  \
+-                      "       " #asm_op " %0, %1, %3                  \n"   \
+-                      "       scd     %0, %2                          \n"   \
+-                      "       .set    mips0                           \n"   \
+-                      : "=&r" (result), "=&r" (temp),                       \
+-                        "=" GCC_OFF_SMALL_ASM() (v->counter)                \
+-                      : "Ir" (i), GCC_OFF_SMALL_ASM() (v->counter)          \
+-                      : "memory");                                          \
+-              } while (unlikely(!result));                                  \
+-                                                                            \
+-              result = temp; result c_op i;                                 \
++              __asm__ __volatile__(                                         \
++              "       .set    "MIPS_ISA_LEVEL"                        \n"   \
++              "1:     lld     %1, %2  # atomic64_" #op "_return" #suffix "\n"\
++              "2:     " #asm_op " %0, %1, %3                          \n"   \
++              "       scd     %0, %2                                  \n"   \
++              "       beqz    %0, 1b                                  \n"   \
++              post_op                                                       \
++              extable                                                       \
++              "4:     " #asm_op " %0, %1, %3                          \n"   \
++              "5:                                                     \n"   \
++              "       .set    mips0                                   \n"   \
++              : "=&r" (result), "=&r" (temp),                               \
++                "=" GCC_OFF_SMALL_ASM() (v->counter)                        \
++              : "Ir" (i), GCC_OFF_SMALL_ASM() (v->counter)                  \
++              : "memory");                                                  \
+       } else {                                                              \
+               unsigned long flags;                                          \
+                                                                             \
+               raw_local_irq_save(flags);                                    \
+-              result = v->counter;                                          \
+-              result c_op i;                                                \
+-              v->counter = result;                                          \
++              __asm__ __volatile__(                                         \
++              "       ld      %0, %1                                  \n"   \
++              "2:     " #asm_op " %0, %1, %2                          \n"   \
++              "       sd      %0, %1                                  \n"   \
++              "3:                                                     \n"   \
++              extable                                                       \
++              : "=&r" (result), "+" GCC_OFF_SMALL_ASM() (v->counter)        \
++              : "Ir" (i));                                                  \
+               raw_local_irq_restore(flags);                                 \
+       }                                                                     \
+                                                                             \
+       return result;                                                        \
+ }
++#define ATOMIC64_OP_RETURN(op, asm_op) __ATOMIC64_OP_RETURN(op, _unchecked, asm_op##u, , )    \
++                                     __ATOMIC64_OP_RETURN(op, , asm_op, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
++
+ #define ATOMIC64_FETCH_OP(op, c_op, asm_op)                                 \
+ static __inline__ long atomic64_fetch_##op##_relaxed(long i, atomic64_t * v)  \
+ {                                                                           \
+@@ -517,13 +653,13 @@ static __inline__ long atomic64_fetch_##op##_relaxed(long i, atomic64_t * v)  \
+       return result;                                                        \
+ }
+-#define ATOMIC64_OPS(op, c_op, asm_op)                                              \
+-      ATOMIC64_OP(op, c_op, asm_op)                                         \
+-      ATOMIC64_OP_RETURN(op, c_op, asm_op)                                  \
+-      ATOMIC64_FETCH_OP(op, c_op, asm_op)
++#define ATOMIC64_OPS(op, asm_op)                                            \
++      ATOMIC64_OP(op, asm_op)                                       \
++      ATOMIC64_OP_RETURN(op, asm_op)                                \
++      ATOMIC64_FETCH_OP(op, asm_op)
+-ATOMIC64_OPS(add, +=, daddu)
+-ATOMIC64_OPS(sub, -=, dsubu)
++ATOMIC64_OPS(add, dadd)
++ATOMIC64_OPS(sub, dsub)
+ #define atomic64_add_return_relaxed   atomic64_add_return_relaxed
+ #define atomic64_sub_return_relaxed   atomic64_sub_return_relaxed
+@@ -531,13 +667,13 @@ ATOMIC64_OPS(sub, -=, dsubu)
+ #define atomic64_fetch_sub_relaxed    atomic64_fetch_sub_relaxed
+ #undef ATOMIC64_OPS
+-#define ATOMIC64_OPS(op, c_op, asm_op)                                              \
+-      ATOMIC64_OP(op, c_op, asm_op)                                         \
+-      ATOMIC64_FETCH_OP(op, c_op, asm_op)
++#define ATOMIC64_OPS(op, asm_op)                                            \
++      ATOMIC64_OP(op, asm_op)                                       \
++      ATOMIC64_FETCH_OP(op, asm_op)
+-ATOMIC64_OPS(and, &=, and)
+-ATOMIC64_OPS(or, |=, or)
+-ATOMIC64_OPS(xor, ^=, xor)
++ATOMIC64_OPS(and, and)
++ATOMIC64_OPS(or, or)
++ATOMIC64_OPS(xor, xor)
+ #define atomic64_fetch_and_relaxed    atomic64_fetch_and_relaxed
+ #define atomic64_fetch_or_relaxed     atomic64_fetch_or_relaxed
+@@ -546,7 +682,11 @@ ATOMIC64_OPS(xor, ^=, xor)
+ #undef ATOMIC64_OPS
+ #undef ATOMIC64_FETCH_OP
+ #undef ATOMIC64_OP_RETURN
++#undef __ATOMIC64_OP_RETURN
+ #undef ATOMIC64_OP
++#undef __ATOMIC64_OP
++#undef __OVERFLOW_EXTABLE
++#undef __OVERFLOW_POST
+ /*
+  * atomic64_sub_if_positive - conditionally subtract integer from atomic
+@@ -557,7 +697,7 @@ ATOMIC64_OPS(xor, ^=, xor)
+  * Atomically test @v and subtract @i if @v is greater or equal than @i.
+  * The function returns the old value of @v minus @i.
+  */
+-static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
++static __inline__ long atomic64_sub_if_positive(long i, atomic64_t *v)
+ {
+       long result;
+@@ -567,7 +707,7 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
+               long temp;
+               __asm__ __volatile__(
+-              "       .set    arch=r4000                              \n"
++              "       .set    "MIPS_ISA_LEVEL"                        \n"
+               "1:     lld     %1, %2          # atomic64_sub_if_positive\n"
+               "       dsubu   %0, %1, %3                              \n"
+               "       bltz    %0, 1f                                  \n"
+@@ -616,9 +756,26 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
+       return result;
+ }
+-#define atomic64_cmpxchg(v, o, n) \
+-      ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
+-#define atomic64_xchg(v, new) (xchg(&((v)->counter), (new)))
++static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
++{
++      return cmpxchg(&v->counter, old, new);
++}
++
++static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old,
++                                            long new)
++{
++      return cmpxchg(&(v->counter), old, new);
++}
++
++static inline long atomic64_xchg(atomic64_t *v, long new)
++{
++      return xchg(&v->counter, new);
++}
++
++static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
++{
++      return xchg(&(v->counter), new);
++}
+ /**
+  * atomic64_add_unless - add unless the number is a given value
+@@ -648,6 +805,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+ #define atomic64_dec_return(v) atomic64_sub_return(1, (v))
+ #define atomic64_inc_return(v) atomic64_add_return(1, (v))
++#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1, (v))
+ /*
+  * atomic64_sub_and_test - subtract value from variable and test result
+@@ -669,6 +827,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+  * other cases.
+  */
+ #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
++#define atomic64_inc_and_test_unchecked(v) (atomic64_add_return_unchecked(1, (v)) == 0)
+ /*
+  * atomic64_dec_and_test - decrement by 1 and test
+@@ -693,6 +852,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+  * Atomically increments @v by 1.
+  */
+ #define atomic64_inc(v) atomic64_add(1, (v))
++#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1, (v))
+ /*
+  * atomic64_dec - decrement and test
+@@ -701,6 +861,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
+  * Atomically decrements @v by 1.
+  */
+ #define atomic64_dec(v) atomic64_sub(1, (v))
++#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1, (v))
+ /*
+  * atomic64_add_negative - add and test if negative
+diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h
+index b4db69f..8f3b093 100644
+--- a/arch/mips/include/asm/cache.h
++++ b/arch/mips/include/asm/cache.h
+@@ -9,10 +9,11 @@
+ #ifndef _ASM_CACHE_H
+ #define _ASM_CACHE_H
++#include <linux/const.h>
+ #include <kmalloc.h>
+ #define L1_CACHE_SHIFT                CONFIG_MIPS_L1_CACHE_SHIFT
+-#define L1_CACHE_BYTES                (1 << L1_CACHE_SHIFT)
++#define L1_CACHE_BYTES                (_AC(1,UL) << L1_CACHE_SHIFT)
+ #define SMP_CACHE_SHIFT               L1_CACHE_SHIFT
+ #define SMP_CACHE_BYTES               L1_CACHE_BYTES
+diff --git a/arch/mips/include/asm/elf.h b/arch/mips/include/asm/elf.h
+index 2b3dc29..1f7bdc4 100644
+--- a/arch/mips/include/asm/elf.h
++++ b/arch/mips/include/asm/elf.h
+@@ -458,6 +458,13 @@ extern const char *__elf_platform;
+ #define ELF_ET_DYN_BASE               (TASK_SIZE / 3 * 2)
+ #endif
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE   (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
++
++#define PAX_DELTA_MMAP_LEN    (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#define PAX_DELTA_STACK_LEN   (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#endif
++
+ /* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
+ #define ARCH_DLINFO                                                   \
+ do {                                                                  \
+diff --git a/arch/mips/include/asm/exec.h b/arch/mips/include/asm/exec.h
+index c1f6afa..38cc6e9 100644
+--- a/arch/mips/include/asm/exec.h
++++ b/arch/mips/include/asm/exec.h
+@@ -12,6 +12,6 @@
+ #ifndef _ASM_EXEC_H
+ #define _ASM_EXEC_H
+-extern unsigned long arch_align_stack(unsigned long sp);
++#define arch_align_stack(x) ((x) & ~0xfUL)
+ #endif /* _ASM_EXEC_H */
+diff --git a/arch/mips/include/asm/hw_irq.h b/arch/mips/include/asm/hw_irq.h
+index 9e8ef59..1139d6b 100644
+--- a/arch/mips/include/asm/hw_irq.h
++++ b/arch/mips/include/asm/hw_irq.h
+@@ -10,7 +10,7 @@
+ #include <linux/atomic.h>
+-extern atomic_t irq_err_count;
++extern atomic_unchecked_t irq_err_count;
+ /*
+  * interrupt-retrigger: NOP for now. This may not be appropriate for all
+diff --git a/arch/mips/include/asm/irq.h b/arch/mips/include/asm/irq.h
+index 6bf10e7..3c0b52f 100644
+--- a/arch/mips/include/asm/irq.h
++++ b/arch/mips/include/asm/irq.h
+@@ -11,7 +11,6 @@
+ #include <linux/linkage.h>
+ #include <linux/smp.h>
+-#include <linux/irqdomain.h>
+ #include <asm/mipsmtregs.h>
+diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
+index 8feaed6..1bd8a64 100644
+--- a/arch/mips/include/asm/local.h
++++ b/arch/mips/include/asm/local.h
+@@ -13,15 +13,25 @@ typedef struct
+       atomic_long_t a;
+ } local_t;
++typedef struct {
++      atomic_long_unchecked_t a;
++} local_unchecked_t;
++
+ #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
+ #define local_read(l) atomic_long_read(&(l)->a)
++#define local_read_unchecked(l)       atomic_long_read_unchecked(&(l)->a)
+ #define local_set(l, i) atomic_long_set(&(l)->a, (i))
++#define local_set_unchecked(l, i)     atomic_long_set_unchecked(&(l)->a, (i))
+ #define local_add(i, l) atomic_long_add((i), (&(l)->a))
++#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a))
+ #define local_sub(i, l) atomic_long_sub((i), (&(l)->a))
++#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a))
+ #define local_inc(l)  atomic_long_inc(&(l)->a)
++#define local_inc_unchecked(l)        atomic_long_inc_unchecked(&(l)->a)
+ #define local_dec(l)  atomic_long_dec(&(l)->a)
++#define local_dec_unchecked(l)        atomic_long_dec_unchecked(&(l)->a)
+ /*
+  * Same as above, but return the result value
+@@ -71,6 +81,51 @@ static __inline__ long local_add_return(long i, local_t * l)
+       return result;
+ }
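++
++/*
++ * _unchecked counterpart of local_add_return, for local_unchecked_t
++ * counters that are allowed to wrap around.
++ */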
++static __inline__ long local_add_return_unchecked(long i, local_unchecked_t * l)
++{
++      unsigned long result;
++
++      if (kernel_uses_llsc && R10000_LLSC_WAR) {
++              unsigned long temp;
++
++              __asm__ __volatile__(
++              "       .set    mips3                                   \n"
++              "1:"    __LL    "%1, %2         # local_add_return      \n"
++              "       addu    %0, %1, %3                              \n"
++                      __SC    "%0, %2                                 \n"
++              "       beqzl   %0, 1b                                  \n"
++              "       addu    %0, %1, %3                              \n"
++              "       .set    mips0                                   \n"
++              : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
++              : "Ir" (i), "m" (l->a.counter)
++              : "memory");
++      } else if (kernel_uses_llsc) {
++              unsigned long temp;
++
++              __asm__ __volatile__(
++              "       .set    mips3                                   \n"
++              "1:"    __LL    "%1, %2         # local_add_return      \n"
++              "       addu    %0, %1, %3                              \n"
++                      __SC    "%0, %2                                 \n"
++              "       beqz    %0, 1b                                  \n"
++              "       addu    %0, %1, %3                              \n"
++              "       .set    mips0                                   \n"
++              : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
++              : "Ir" (i), "m" (l->a.counter)
++              : "memory");
++      } else {
++              unsigned long flags;
++
++              local_irq_save(flags);
++              result = l->a.counter;
++              result += i;
++              l->a.counter = result;
++              local_irq_restore(flags);
++      }
++
++      return result;
++}
++
+ static __inline__ long local_sub_return(long i, local_t * l)
+ {
+       unsigned long result;
+@@ -118,6 +173,8 @@ static __inline__ long local_sub_return(long i, local_t * l)
+ #define local_cmpxchg(l, o, n) \
+       ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
++#define local_cmpxchg_unchecked(l, o, n) \
++      ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
+ #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n)))
+ /**
+diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h
+index 5f98759..a3a7cb2 100644
+--- a/arch/mips/include/asm/page.h
++++ b/arch/mips/include/asm/page.h
+@@ -118,7 +118,7 @@ extern void copy_user_highpage(struct page *to, struct page *from,
+   #ifdef CONFIG_CPU_MIPS32
+     typedef struct { unsigned long pte_low, pte_high; } pte_t;
+     #define pte_val(x)          ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
+-    #define __pte(x)    ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
++    #define __pte(x)    ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
+   #else
+      typedef struct { unsigned long long pte; } pte_t;
+      #define pte_val(x) ((x).pte)
+diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h
+index a03e869..e1928f5 100644
+--- a/arch/mips/include/asm/pgalloc.h
++++ b/arch/mips/include/asm/pgalloc.h
+@@ -37,6 +37,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
+ {
+       set_pud(pud, __pud((unsigned long)pmd));
+ }
++
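++/* no separate kernel page-table handling on MIPS: forward to pud_populate() */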
++static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
++{
++      pud_populate(mm, pud, pmd);
++}
+ #endif
+ /*
+diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
+index 9e9e94415..43354f5 100644
+--- a/arch/mips/include/asm/pgtable.h
++++ b/arch/mips/include/asm/pgtable.h
+@@ -20,6 +20,9 @@
+ #include <asm/io.h>
+ #include <asm/pgtable-bits.h>
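++
++/* kernel text is not relocated on MIPS, so the ktla/ktva conversions are identities */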
++#define ktla_ktva(addr)               (addr)
++#define ktva_ktla(addr)               (addr)
++
+ struct mm_struct;
+ struct vm_area_struct;
+diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
+index e309d8f..20eefec 100644
+--- a/arch/mips/include/asm/thread_info.h
++++ b/arch/mips/include/asm/thread_info.h
+@@ -101,6 +101,9 @@ static inline struct thread_info *current_thread_info(void)
+ #define TIF_NOTIFY_RESUME     5       /* callback before returning to user */
+ #define TIF_UPROBE            6       /* breakpointed or singlestepping */
+ #define TIF_RESTORE_SIGMASK   9       /* restore signal mask in do_signal() */
++/* li takes a 32bit immediate */
++#define TIF_GRSEC_SETXID      10      /* update credentials on syscall entry/exit */
++
+ #define TIF_USEDFPU           16      /* FPU was used by this task this quantum (SMP) */
+ #define TIF_MEMDIE            18      /* is terminating due to OOM killer */
+ #define TIF_NOHZ              19      /* in adaptive nohz mode */
+@@ -137,14 +140,16 @@ static inline struct thread_info *current_thread_info(void)
+ #define _TIF_USEDMSA          (1<<TIF_USEDMSA)
+ #define _TIF_MSA_CTX_LIVE     (1<<TIF_MSA_CTX_LIVE)
+ #define _TIF_SYSCALL_TRACEPOINT       (1<<TIF_SYSCALL_TRACEPOINT)
++#define _TIF_GRSEC_SETXID     (1<<TIF_GRSEC_SETXID)
+ #define _TIF_WORK_SYSCALL_ENTRY       (_TIF_NOHZ | _TIF_SYSCALL_TRACE |       \
+                                _TIF_SYSCALL_AUDIT | \
+-                               _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
++                               _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | \
++                               _TIF_GRSEC_SETXID)
+ /* work to do in syscall_trace_leave() */
+ #define _TIF_WORK_SYSCALL_EXIT        (_TIF_NOHZ | _TIF_SYSCALL_TRACE |       \
+-                               _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT)
++                               _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
+ /* work to do on interrupt/exception return */
+ #define _TIF_WORK_MASK                \
+@@ -153,7 +158,7 @@ static inline struct thread_info *current_thread_info(void)
+ /* work to do on any return to u-space */
+ #define _TIF_ALLWORK_MASK     (_TIF_NOHZ | _TIF_WORK_MASK |           \
+                                _TIF_WORK_SYSCALL_EXIT |               \
+-                               _TIF_SYSCALL_TRACEPOINT)
++                               _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
+ /*
+  * We stash processor id into a COP0 register to retrieve it fast
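
The thread_info hunk above is pure bit arithmetic: TIF_GRSEC_SETXID claims bit 10 (kept below 16 so `li` can load the mask as a 32-bit immediate) and is OR-ed into the entry/exit work masks, so a single AND on the flags word decides whether the syscall slow path runs. A standalone sketch of that arithmetic; only two of the real mask's bits are shown.

#include <stdio.h>

#define TIF_SYSCALL_TRACE      0
#define TIF_GRSEC_SETXID       10      /* below 16: li can load the mask */

#define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
#define _TIF_GRSEC_SETXID      (1 << TIF_GRSEC_SETXID)

/* the real _TIF_WORK_SYSCALL_ENTRY carries several more bits */
#define _TIF_WORK_SYSCALL_ENTRY        (_TIF_SYSCALL_TRACE | _TIF_GRSEC_SETXID)

int main(void)
{
        unsigned int flags = _TIF_GRSEC_SETXID; /* set when creds are pending */

        if (flags & _TIF_WORK_SYSCALL_ENTRY)    /* one AND on syscall entry */
                printf("slow path: flags %#x, mask %#x\n",
                       flags, _TIF_WORK_SYSCALL_ENTRY);
        return 0;
}
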
+diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
+index 89fa5c0b..9409cea 100644
+--- a/arch/mips/include/asm/uaccess.h
++++ b/arch/mips/include/asm/uaccess.h
+@@ -148,6 +148,7 @@ static inline bool eva_kernel_access(void)
+       __ok == 0;                                                      \
+ })
++#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
+ #define access_ok(type, addr, size)                                   \
+       likely(__access_ok((addr), (size), __access_mask))
+diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c
+index 9c7f3e1..ed42bda 100644
+--- a/arch/mips/kernel/binfmt_elfn32.c
++++ b/arch/mips/kernel/binfmt_elfn32.c
+@@ -37,6 +37,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
+ #undef ELF_ET_DYN_BASE
+ #define ELF_ET_DYN_BASE               (TASK32_SIZE / 3 * 2)
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE   (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
++
++#define PAX_DELTA_MMAP_LEN    (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#define PAX_DELTA_STACK_LEN   (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#endif
++
+ #include <asm/processor.h>
+ #include <linux/elfcore.h>
+ #include <linux/compat.h>
+diff --git a/arch/mips/kernel/binfmt_elfo32.c b/arch/mips/kernel/binfmt_elfo32.c
+index 1ab3432..0e66879 100644
+--- a/arch/mips/kernel/binfmt_elfo32.c
++++ b/arch/mips/kernel/binfmt_elfo32.c
+@@ -41,6 +41,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
+ #undef ELF_ET_DYN_BASE
+ #define ELF_ET_DYN_BASE               (TASK32_SIZE / 3 * 2)
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE   (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
++
++#define PAX_DELTA_MMAP_LEN    (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#define PAX_DELTA_STACK_LEN   (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
++#endif
++
+ #include <asm/processor.h>
+ #include <linux/elfcore.h>
+diff --git a/arch/mips/kernel/irq-gt641xx.c b/arch/mips/kernel/irq-gt641xx.c
+index 44a1f79..2bd6aa3 100644
+--- a/arch/mips/kernel/irq-gt641xx.c
++++ b/arch/mips/kernel/irq-gt641xx.c
+@@ -110,7 +110,7 @@ void gt641xx_irq_dispatch(void)
+               }
+       }
+-      atomic_inc(&irq_err_count);
++      atomic_inc_unchecked(&irq_err_count);
+ }
+ void __init gt641xx_irq_init(void)
+diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
+index f25f7ea..19e1c62 100644
+--- a/arch/mips/kernel/irq.c
++++ b/arch/mips/kernel/irq.c
+@@ -34,17 +34,17 @@ void ack_bad_irq(unsigned int irq)
+       printk("unexpected IRQ # %d\n", irq);
+ }
+-atomic_t irq_err_count;
++atomic_unchecked_t irq_err_count;
+ int arch_show_interrupts(struct seq_file *p, int prec)
+ {
+-      seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
++      seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
+       return 0;
+ }
+ asmlinkage void spurious_interrupt(void)
+ {
+-      atomic_inc(&irq_err_count);
++      atomic_inc_unchecked(&irq_err_count);
+ }
+ void __init init_IRQ(void)
+@@ -61,6 +61,8 @@ void __init init_IRQ(void)
+ }
+ #ifdef CONFIG_DEBUG_STACKOVERFLOW
++
++extern void gr_handle_kernel_exploit(void);
+ static inline void check_stack_overflow(void)
+ {
+       unsigned long sp;
+@@ -76,6 +78,7 @@ static inline void check_stack_overflow(void)
+               printk("do_IRQ: stack overflow: %ld\n",
+                      sp - sizeof(struct thread_info));
+               dump_stack();
++              gr_handle_kernel_exploit();
+       }
+ }
+ #else
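
The irq_err_count conversions above follow one rule of PAX_REFCOUNT: plain atomic_t increments trap on signed overflow, so counters that may legitimately wrap -- pure statistics such as error counts -- move to atomic_unchecked_t, which keeps the old wrapping behaviour. A userspace sketch of the distinction (assumed semantics, using __builtin_add_overflow rather than the kernel's inline asm):

#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* checked flavour: refuses to wrap, like atomic_inc() under PAX_REFCOUNT */
static void checked_inc(int *counter)
{
        int next;

        if (__builtin_add_overflow(*counter, 1, &next)) {
                fprintf(stderr, "refcount overflow detected\n");
                abort();        /* the kernel kills the offending task */
        }
        *counter = next;
}

/* unchecked flavour: unsigned wraparound is well defined and harmless
 * for a statistic such as irq_err_count */
static void unchecked_inc(unsigned int *counter)
{
        (*counter)++;
}

int main(void)
{
        int ref = INT_MAX;
        unsigned int stat = UINT_MAX;

        unchecked_inc(&stat);
        printf("stat wrapped to %u\n", stat);   /* 0 */
        checked_inc(&ref);                      /* aborts instead of wrapping */
        return 0;
}
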
+diff --git a/arch/mips/kernel/kprobes.c b/arch/mips/kernel/kprobes.c
+index f5c8bce..b06a560 100644
+--- a/arch/mips/kernel/kprobes.c
++++ b/arch/mips/kernel/kprobes.c
+@@ -535,6 +535,7 @@ static void __used kretprobe_trampoline_holder(void)
+ void kretprobe_trampoline(void);
++#ifdef CONFIG_KRETPROBES
+ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+                                     struct pt_regs *regs)
+ {
+@@ -543,6 +544,7 @@ void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
+       /* Replace the return addr with trampoline addr */
+       regs->regs[31] = (unsigned long)kretprobe_trampoline;
+ }
++#endif
+ /*
+  * Called when the probe at kretprobe trampoline is hit
+@@ -611,6 +613,7 @@ static int __kprobes trampoline_probe_handler(struct kprobe *p,
+       return 1;
+ }
++#ifdef CONFIG_KRETPROBES
+ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+ {
+       if (p->addr == (kprobe_opcode_t *)kretprobe_trampoline)
+@@ -618,6 +621,7 @@ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+       return 0;
+ }
++#endif
+ static struct kprobe trampoline_p = {
+       .addr = (kprobe_opcode_t *)kretprobe_trampoline,
+diff --git a/arch/mips/kernel/pm-cps.c b/arch/mips/kernel/pm-cps.c
+index 7cf653e..7df52f6 100644
+--- a/arch/mips/kernel/pm-cps.c
++++ b/arch/mips/kernel/pm-cps.c
+@@ -168,7 +168,7 @@ int cps_pm_enter_state(enum cps_pm_state state)
+       nc_core_ready_count = nc_addr;
+       /* Ensure ready_count is zero-initialised before the assembly runs */
+-      ACCESS_ONCE(*nc_core_ready_count) = 0;
++      ACCESS_ONCE_RW(*nc_core_ready_count) = 0;
+       coupled_barrier(&per_cpu(pm_barrier, core), online);
+       /* Run the generated entry code */
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index 1652f36..0e22377 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -590,18 +590,6 @@ unsigned long get_wchan(struct task_struct *task)
+       return pc;
+ }
+-/*
+- * Don't forget that the stack pointer must be aligned on a 8 bytes
+- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
+- */
+-unsigned long arch_align_stack(unsigned long sp)
+-{
+-      if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
+-              sp -= get_random_int() & ~PAGE_MASK;
+-
+-      return sp & ALMASK;
+-}
+-
+ static void arch_dump_stack(void *info)
+ {
+       struct pt_regs *regs;
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index a92994d..e389b11 100644
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -882,6 +882,10 @@ long arch_ptrace(struct task_struct *child, long request,
+       return ret;
+ }
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
+  * Notification of system call entry/exit
+  * - triggered by current->work.syscall_trace
+@@ -899,6 +903,11 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
+       if (secure_computing(NULL) == -1)
+               return -1;
++#ifdef CONFIG_GRKERNSEC_SETXID
++      if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++              gr_delayed_cred_worker();
++#endif
++
+       if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
+               trace_sys_enter(regs, regs->regs[2]);
+diff --git a/arch/mips/kernel/sync-r4k.c b/arch/mips/kernel/sync-r4k.c
+index 4472a7f..c5905e6 100644
+--- a/arch/mips/kernel/sync-r4k.c
++++ b/arch/mips/kernel/sync-r4k.c
+@@ -18,8 +18,8 @@
+ #include <asm/mipsregs.h>
+ static unsigned int initcount = 0;
+-static atomic_t count_count_start = ATOMIC_INIT(0);
+-static atomic_t count_count_stop = ATOMIC_INIT(0);
++static atomic_unchecked_t count_count_start = ATOMIC_INIT(0);
++static atomic_unchecked_t count_count_stop = ATOMIC_INIT(0);
+ #define COUNTON 100
+ #define NR_LOOPS 3
+@@ -46,13 +46,13 @@ void synchronise_count_master(int cpu)
+       for (i = 0; i < NR_LOOPS; i++) {
+               /* slaves loop on '!= 2' */
+-              while (atomic_read(&count_count_start) != 1)
++              while (atomic_read_unchecked(&count_count_start) != 1)
+                       mb();
+-              atomic_set(&count_count_stop, 0);
++              atomic_set_unchecked(&count_count_stop, 0);
+               smp_wmb();
+               /* Let the slave writes its count register */
+-              atomic_inc(&count_count_start);
++              atomic_inc_unchecked(&count_count_start);
+               /* Count will be initialised to current timer */
+               if (i == 1)
+@@ -67,11 +67,11 @@ void synchronise_count_master(int cpu)
+               /*
+                * Wait for slave to leave the synchronization point:
+                */
+-              while (atomic_read(&count_count_stop) != 1)
++              while (atomic_read_unchecked(&count_count_stop) != 1)
+                       mb();
+-              atomic_set(&count_count_start, 0);
++              atomic_set_unchecked(&count_count_start, 0);
+               smp_wmb();
+-              atomic_inc(&count_count_stop);
++              atomic_inc_unchecked(&count_count_stop);
+       }
+       /* Arrange for an interrupt in a short while */
+       write_c0_compare(read_c0_count() + COUNTON);
+@@ -96,8 +96,8 @@ void synchronise_count_slave(int cpu)
+        */
+       for (i = 0; i < NR_LOOPS; i++) {
+-              atomic_inc(&count_count_start);
+-              while (atomic_read(&count_count_start) != 2)
++              atomic_inc_unchecked(&count_count_start);
++              while (atomic_read_unchecked(&count_count_start) != 2)
+                       mb();
+               /*
+@@ -106,8 +106,8 @@ void synchronise_count_slave(int cpu)
+               if (i == NR_LOOPS-1)
+                       write_c0_count(initcount);
+-              atomic_inc(&count_count_stop);
+-              while (atomic_read(&count_count_stop) != 2)
++              atomic_inc_unchecked(&count_count_stop);
++              while (atomic_read_unchecked(&count_count_stop) != 2)
+                       mb();
+       }
+       /* Arrange for an interrupt in a short while */
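
The count_count_start/count_count_stop pair above implements a two-phase rendezvous: each side announces arrival by incrementing a counter and spins until the other side has caught up, once per phase. A runnable two-thread sketch with C11 atomics in place of the (un)checked kernel helpers; the actual COP0 count programming is omitted.

#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

static atomic_int count_start, count_stop;

static void *slave(void *arg)
{
        (void)arg;
        atomic_fetch_add(&count_start, 1);      /* phase 1: announce      */
        while (atomic_load(&count_start) != 2)  /* wait for the master    */
                ;
        /* ...the real slave loads the published counter value here...   */
        atomic_fetch_add(&count_stop, 1);       /* phase 2: leaving       */
        while (atomic_load(&count_stop) != 2)
                ;
        return NULL;
}

int main(void)
{
        pthread_t t;

        pthread_create(&t, NULL, slave, NULL);
        while (atomic_load(&count_start) != 1)  /* wait for the slave     */
                ;
        /* ...the real master publishes the counter value here...        */
        atomic_fetch_add(&count_start, 1);      /* release phase 1        */
        atomic_fetch_add(&count_stop, 1);       /* and phase 2            */
        while (atomic_load(&count_stop) != 2)
                ;
        pthread_join(t, NULL);
        puts("counters synchronised");
        return 0;
}
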
+diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
+index 3905003..7c0cc88 100644
+--- a/arch/mips/kernel/traps.c
++++ b/arch/mips/kernel/traps.c
+@@ -702,7 +702,18 @@ asmlinkage void do_ov(struct pt_regs *regs)
+       };
+       prev_state = exception_enter();
+-      die_if_kernel("Integer overflow", regs);
++      if (unlikely(!user_mode(regs))) {
++
++#ifdef CONFIG_PAX_REFCOUNT
++              if (fixup_exception(regs)) {
++                      pax_report_refcount_error(regs, NULL);
++                      exception_exit(prev_state);
++                      return;
++              }
++#endif
++
++              die("Integer overflow", regs);
++      }
+       force_sig_info(SIGFPE, &info, current);
+       exception_exit(prev_state);
+diff --git a/arch/mips/lib/ashldi3.c b/arch/mips/lib/ashldi3.c
+index c3e2205..b4302f8 100644
+--- a/arch/mips/lib/ashldi3.c
++++ b/arch/mips/lib/ashldi3.c
+@@ -2,7 +2,11 @@
+ #include "libgcc.h"
+-long long notrace __ashldi3(long long u, word_type b)
++#ifdef CONFIG_64BIT
++DWtype notrace __ashlti3(DWtype u, word_type b)
++#else
++DWtype notrace __ashldi3(DWtype u, word_type b)
++#endif
+ {
+       DWunion uu, w;
+       word_type bm;
+@@ -11,19 +15,22 @@ long long notrace __ashldi3(long long u, word_type b)
+               return u;
+       uu.ll = u;
+-      bm = 32 - b;
++      bm = BITS_PER_LONG - b;
+       if (bm <= 0) {
+               w.s.low = 0;
+-              w.s.high = (unsigned int) uu.s.low << -bm;
++              w.s.high = (unsigned long) uu.s.low << -bm;
+       } else {
+-              const unsigned int carries = (unsigned int) uu.s.low >> bm;
++              const unsigned long carries = (unsigned long) uu.s.low >> bm;
+-              w.s.low = (unsigned int) uu.s.low << b;
+-              w.s.high = ((unsigned int) uu.s.high << b) | carries;
++              w.s.low = (unsigned long) uu.s.low << b;
++              w.s.high = ((unsigned long) uu.s.high << b) | carries;
+       }
+       return w.ll;
+ }
+-
++#ifdef CONFIG_64BIT
++EXPORT_SYMBOL(__ashlti3);
++#else
+ EXPORT_SYMBOL(__ashldi3);
++#endif
+diff --git a/arch/mips/lib/ashrdi3.c b/arch/mips/lib/ashrdi3.c
+index 1745602..d20aabf 100644
+--- a/arch/mips/lib/ashrdi3.c
++++ b/arch/mips/lib/ashrdi3.c
+@@ -2,7 +2,11 @@
+ #include "libgcc.h"
+-long long notrace __ashrdi3(long long u, word_type b)
++#ifdef CONFIG_64BIT
++DWtype notrace __ashrti3(DWtype u, word_type b)
++#else
++DWtype notrace __ashrdi3(DWtype u, word_type b)
++#endif
+ {
+       DWunion uu, w;
+       word_type bm;
+@@ -11,21 +15,24 @@ long long notrace __ashrdi3(long long u, word_type b)
+               return u;
+       uu.ll = u;
+-      bm = 32 - b;
++      bm = BITS_PER_LONG - b;
+       if (bm <= 0) {
+               /* w.s.high = 1..1 or 0..0 */
+               w.s.high =
+-                  uu.s.high >> 31;
++                  uu.s.high >> (BITS_PER_LONG - 1);
+               w.s.low = uu.s.high >> -bm;
+       } else {
+-              const unsigned int carries = (unsigned int) uu.s.high << bm;
++              const unsigned long carries = (unsigned long) uu.s.high << bm;
+               w.s.high = uu.s.high >> b;
+-              w.s.low = ((unsigned int) uu.s.low >> b) | carries;
++              w.s.low = ((unsigned long) uu.s.low >> b) | carries;
+       }
+       return w.ll;
+ }
+-
++#ifdef CONFIG_64BIT
++EXPORT_SYMBOL(__ashrti3);
++#else
+ EXPORT_SYMBOL(__ashrdi3);
++#endif
+diff --git a/arch/mips/lib/libgcc.h b/arch/mips/lib/libgcc.h
+index 05909d58..b03284b 100644
+--- a/arch/mips/lib/libgcc.h
++++ b/arch/mips/lib/libgcc.h
+@@ -5,13 +5,19 @@
+ typedef int word_type __attribute__ ((mode (__word__)));
++#ifdef CONFIG_64BIT
++typedef int DWtype __attribute__((mode(TI)));
++#else
++typedef long long DWtype;
++#endif
++
+ #ifdef __BIG_ENDIAN
+ struct DWstruct {
+-      int high, low;
++      long high, low;
+ };
+ #elif defined(__LITTLE_ENDIAN)
+ struct DWstruct {
+-      int low, high;
++      long low, high;
+ };
+ #else
+ #error I feel sick.
+@@ -19,7 +25,7 @@ struct DWstruct {
+ typedef union {
+       struct DWstruct s;
+-      long long ll;
++      DWtype ll;
+ } DWunion;
+ #endif /* __ASM_LIBGCC_H */
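
The shift helpers patched above all use the same high/low decomposition: a double-word left shift either moves the low word entirely into the high word (shift count >= word size) or shifts both halves and ORs the carried-out low bits into the high half. A standalone 32-bit-halves version, checkable against the native 64-bit shift:

#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* 64-bit left shift built from two 32-bit halves, mirroring the
 * bm = 32 - b / carries logic of __ashldi3 before the patch widened
 * it to BITS_PER_LONG */
static uint64_t shl64(uint32_t low, uint32_t high, int b)
{
        uint32_t rlow, rhigh;

        if (b == 0) {
                rlow = low;
                rhigh = high;
        } else if (b >= 32) {                   /* bm = 32 - b <= 0 */
                rlow = 0;
                rhigh = low << (b - 32);        /* low << -bm       */
        } else {
                uint32_t carries = low >> (32 - b);

                rlow = low << b;
                rhigh = (high << b) | carries;
        }
        return ((uint64_t)rhigh << 32) | rlow;
}

int main(void)
{
        uint64_t u = 0x0000000180000001ULL;

        /* both lines print 3000000020 */
        printf("%" PRIx64 "\n", shl64((uint32_t)u, (uint32_t)(u >> 32), 5));
        printf("%" PRIx64 "\n", u << 5);
        return 0;
}
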
+diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
+index 3bef306..fcec133 100644
+--- a/arch/mips/mm/fault.c
++++ b/arch/mips/mm/fault.c
+@@ -30,6 +30,23 @@
+ int show_unhandled_signals = 1;
++#ifdef CONFIG_PAX_PAGEEXEC
++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
++{
++      unsigned long i;
++
++      printk(KERN_ERR "PAX: bytes at PC: ");
++      for (i = 0; i < 5; i++) {
++              unsigned int c;
++              if (get_user(c, (unsigned int *)pc+i))
++                      printk(KERN_CONT "???????? ");
++              else
++                      printk(KERN_CONT "%08x ", c);
++      }
++      printk("\n");
++}
++#endif
++
+ /*
+  * This routine handles page faults.  It determines the address,
+  * and the problem, and then passes it off to one of the appropriate
+@@ -204,6 +221,14 @@ static void __kprobes __do_page_fault(struct pt_regs *regs, unsigned long write,
+ bad_area_nosemaphore:
+       /* User mode accesses just cause a SIGSEGV */
+       if (user_mode(regs)) {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++              if (cpu_has_rixi && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)) {
++                      pax_report_fault(regs, (void *)address, (void *)user_stack_pointer(regs));
++                      do_group_exit(SIGKILL);
++              }
++#endif
++
+               tsk->thread.cp0_badvaddr = address;
+               tsk->thread.error_code = write;
+               if (show_unhandled_signals &&
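
pax_report_insns() above logs the five instruction words at the faulting PC, substituting a placeholder for any word get_user() cannot fetch. A userspace model of that output; a NULL pointer stands in for the get_user() failure, and the opcodes in main() are arbitrary MIPS-looking values.

#include <stdint.h>
#include <stdio.h>

static void report_insns(const uint32_t *pc)
{
        unsigned long i;

        printf("PAX: bytes at PC: ");
        for (i = 0; i < 5; i++) {
                if (!pc)                     /* ~ get_user() failing */
                        printf("???????? ");
                else
                        printf("%08x ", (unsigned int)pc[i]);
        }
        printf("\n");
}

int main(void)
{
        uint32_t text[5] = { 0x3c040000, 0x24840000, 0x0c000000,
                             0x00000000, 0x03e00008 };

        report_insns(text);     /* five hex words    */
        report_insns(NULL);     /* five placeholders */
        return 0;
}
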
+diff --git a/arch/mips/mm/init.c b/arch/mips/mm/init.c
+index e86ebcf..7a78a07 100644
+--- a/arch/mips/mm/init.c
++++ b/arch/mips/mm/init.c
+@@ -474,10 +474,10 @@ void __init mem_init(void)
+ #ifdef CONFIG_64BIT
+       if ((unsigned long) &_text > (unsigned long) CKSEG0)
+-              /* The -4 is a hack so that user tools don't have to handle
++              /* The -0x2000-4 is a hack so that user tools don't have to handle
+                  the overflow.  */
+               kclist_add(&kcore_kseg0, (void *) CKSEG0,
+-                              0x80000000 - 4, KCORE_TEXT);
++                              0x80000000 - 0x2000 - 4, KCORE_TEXT);
+ #endif
+ }
+ #endif /* !CONFIG_NEED_MULTIPLE_NODES */
+diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
+index d08ea3f..66bb13d 100644
+--- a/arch/mips/mm/mmap.c
++++ b/arch/mips/mm/mmap.c
+@@ -59,6 +59,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
+       struct vm_area_struct *vma;
+       unsigned long addr = addr0;
+       int do_color_align;
++      unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
+       struct vm_unmapped_area_info info;
+       if (unlikely(len > TASK_SIZE))
+@@ -84,6 +85,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
+               do_color_align = 1;
+       /* requesting a specific address */
++
++#ifdef CONFIG_PAX_RANDMMAP
++      if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
++#endif
++
+       if (addr) {
+               if (do_color_align)
+                       addr = COLOUR_ALIGN(addr, pgoff);
+@@ -91,14 +97,14 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
+                       addr = PAGE_ALIGN(addr);
+               vma = find_vma(mm, addr);
+-              if (TASK_SIZE - len >= addr &&
+-                  (!vma || addr + len <= vma->vm_start))
++              if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
+                       return addr;
+       }
+       info.length = len;
+       info.align_mask = do_color_align ? (PAGE_MASK & shm_align_mask) : 0;
+       info.align_offset = pgoff << PAGE_SHIFT;
++      info.threadstack_offset = offset;
+       if (dir == DOWN) {
+               info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+@@ -160,14 +166,30 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
+ {
+       unsigned long random_factor = 0UL;
++#ifdef CONFIG_PAX_RANDMMAP
++      if (!(mm->pax_flags & MF_PAX_RANDMMAP))
++#endif
++
+       if (current->flags & PF_RANDOMIZE)
+               random_factor = arch_mmap_rnd();
+       if (mmap_is_legacy()) {
+               mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
++
++#ifdef CONFIG_PAX_RANDMMAP
++              if (mm->pax_flags & MF_PAX_RANDMMAP)
++                      mm->mmap_base += mm->delta_mmap;
++#endif
++
+               mm->get_unmapped_area = arch_get_unmapped_area;
+       } else {
+               mm->mmap_base = mmap_base(random_factor);
++
++#ifdef CONFIG_PAX_RANDMMAP
++              if (mm->pax_flags & MF_PAX_RANDMMAP)
++                      mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
++#endif
++
+               mm->get_unmapped_area = arch_get_unmapped_area_topdown;
+       }
+ }
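
The layout logic above composes three terms: the randomize-va-space factor, and under PAX_RANDMMAP the per-mm delta_mmap/delta_stack offsets, added for the bottom-up layout and subtracted for the top-down one. An illustrative calculation with invented constants; the kernel's mmap_base() also reserves a stack gap, elided here.

#include <stdio.h>

#define TASK_SIZE          0x80000000UL
#define TASK_UNMAPPED_BASE (TASK_SIZE / 3)

int main(void)
{
        unsigned long random_factor = 0x00200000UL; /* arch_mmap_rnd() stand-in */
        unsigned long delta_mmap    = 0x01000000UL; /* invented PaX deltas      */
        unsigned long delta_stack   = 0x00400000UL;
        unsigned long base;

        /* legacy, bottom-up: base grows upward from TASK_UNMAPPED_BASE */
        base = TASK_UNMAPPED_BASE + random_factor + delta_mmap;
        printf("legacy mmap_base:   %#lx\n", base);

        /* top-down: base drops below the stack by both deltas */
        base = TASK_SIZE - random_factor - delta_mmap - delta_stack;
        printf("top-down mmap_base: %#lx\n", base);
        return 0;
}
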
+diff --git a/arch/mips/sgi-ip27/ip27-nmi.c b/arch/mips/sgi-ip27/ip27-nmi.c
+index cfceaea..65deeb4 100644
+--- a/arch/mips/sgi-ip27/ip27-nmi.c
++++ b/arch/mips/sgi-ip27/ip27-nmi.c
+@@ -187,9 +187,9 @@ void
+ cont_nmi_dump(void)
+ {
+ #ifndef REAL_NMI_SIGNAL
+-      static atomic_t nmied_cpus = ATOMIC_INIT(0);
++      static atomic_unchecked_t nmied_cpus = ATOMIC_INIT(0);
+-      atomic_inc(&nmied_cpus);
++      atomic_inc_unchecked(&nmied_cpus);
+ #endif
+       /*
+        * Only allow 1 cpu to proceed
+@@ -233,7 +233,7 @@ cont_nmi_dump(void)
+               udelay(10000);
+       }
+ #else
+-      while (atomic_read(&nmied_cpus) != num_online_cpus());
++      while (atomic_read_unchecked(&nmied_cpus) != num_online_cpus());
+ #endif
+       /*
+diff --git a/arch/mips/sni/rm200.c b/arch/mips/sni/rm200.c
+index 160b880..3b53fdc 100644
+--- a/arch/mips/sni/rm200.c
++++ b/arch/mips/sni/rm200.c
+@@ -270,7 +270,7 @@ void sni_rm200_mask_and_ack_8259A(struct irq_data *d)
+                              "spurious RM200 8259A interrupt: IRQ%d.\n", irq);
+                       spurious_irq_mask |= irqmask;
+               }
+-              atomic_inc(&irq_err_count);
++              atomic_inc_unchecked(&irq_err_count);
+               /*
+                * Theoretically we do not have to handle this IRQ,
+                * but in Linux this does not cause problems and is
+diff --git a/arch/mips/vr41xx/common/icu.c b/arch/mips/vr41xx/common/icu.c
+index 41e873b..34d33a7 100644
+--- a/arch/mips/vr41xx/common/icu.c
++++ b/arch/mips/vr41xx/common/icu.c
+@@ -653,7 +653,7 @@ static int icu_get_irq(unsigned int irq)
+       printk(KERN_ERR "spurious ICU interrupt: %04x,%04x\n", pend1, pend2);
+-      atomic_inc(&irq_err_count);
++      atomic_inc_unchecked(&irq_err_count);
+       return -1;
+ }
+diff --git a/arch/mips/vr41xx/common/irq.c b/arch/mips/vr41xx/common/irq.c
+index ae0e4ee..e8f0692 100644
+--- a/arch/mips/vr41xx/common/irq.c
++++ b/arch/mips/vr41xx/common/irq.c
+@@ -64,7 +64,7 @@ static void irq_dispatch(unsigned int irq)
+       irq_cascade_t *cascade;
+       if (irq >= NR_IRQS) {
+-              atomic_inc(&irq_err_count);
++              atomic_inc_unchecked(&irq_err_count);
+               return;
+       }
+@@ -84,7 +84,7 @@ static void irq_dispatch(unsigned int irq)
+               ret = cascade->get_irq(irq);
+               irq = ret;
+               if (ret < 0)
+-                      atomic_inc(&irq_err_count);
++                      atomic_inc_unchecked(&irq_err_count);
+               else
+                       irq_dispatch(irq);
+               if (!irqd_irq_disabled(idata) && chip->irq_unmask)
+diff --git a/arch/mn10300/proc-mn103e010/include/proc/cache.h b/arch/mn10300/proc-mn103e010/include/proc/cache.h
+index 967d144..db12197 100644
+--- a/arch/mn10300/proc-mn103e010/include/proc/cache.h
++++ b/arch/mn10300/proc-mn103e010/include/proc/cache.h
+@@ -11,12 +11,14 @@
+ #ifndef _ASM_PROC_CACHE_H
+ #define _ASM_PROC_CACHE_H
++#include <linux/const.h>
++
+ /* L1 cache */
+ #define L1_CACHE_NWAYS                4       /* number of ways in caches */
+ #define L1_CACHE_NENTRIES     256     /* number of entries in each way */
+-#define L1_CACHE_BYTES                16      /* bytes per entry */
+ #define L1_CACHE_SHIFT                4       /* shift for bytes per entry */
++#define L1_CACHE_BYTES                (_AC(1,UL) << L1_CACHE_SHIFT)   /* bytes per entry */
+ #define L1_CACHE_WAYDISP      0x1000  /* displacement of one way from the next */
+ #define L1_CACHE_TAG_VALID    0x00000001      /* cache tag valid bit */
+diff --git a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
+index bcb5df2..84fabd2 100644
+--- a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
++++ b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
+@@ -16,13 +16,15 @@
+ #ifndef _ASM_PROC_CACHE_H
+ #define _ASM_PROC_CACHE_H
++#include <linux/const.h>
++
+ /*
+  * L1 cache
+  */
+ #define L1_CACHE_NWAYS                4               /* number of ways in caches */
+ #define L1_CACHE_NENTRIES     128             /* number of entries in each way */
+-#define L1_CACHE_BYTES                32              /* bytes per entry */
+ #define L1_CACHE_SHIFT                5               /* shift for bytes per entry */
++#define L1_CACHE_BYTES                (_AC(1,UL) << L1_CACHE_SHIFT)   /* bytes per entry */
+ #define L1_CACHE_WAYDISP      0x1000          /* distance from one way to the next */
+ #define L1_CACHE_TAG_VALID    0x00000001      /* cache tag valid bit */
+diff --git a/arch/openrisc/include/asm/cache.h b/arch/openrisc/include/asm/cache.h
+index 5f55da9..7ce9437 100644
+--- a/arch/openrisc/include/asm/cache.h
++++ b/arch/openrisc/include/asm/cache.h
+@@ -19,13 +19,15 @@
+ #ifndef __ASM_OPENRISC_CACHE_H
+ #define __ASM_OPENRISC_CACHE_H
++#include <linux/const.h>
++
+ /* FIXME: How can we replace these with values from the CPU...
+  * they shouldn't be hard-coded!
+  */
+ #define __ro_after_init __read_mostly
+-#define L1_CACHE_BYTES 16
+ #define L1_CACHE_SHIFT 4
++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
+ #endif /* __ASM_OPENRISC_CACHE_H */
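
All three cache.h hunks above apply the same fix: derive L1_CACHE_BYTES from L1_CACHE_SHIFT instead of hard-coding both values, so the two can never drift apart. In plain C:

#include <stdio.h>

#define L1_CACHE_SHIFT 4
#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)  /* always exactly 2^SHIFT */

int main(void)
{
        printf("L1 line: %lu bytes (shift %d)\n",
               L1_CACHE_BYTES, L1_CACHE_SHIFT); /* 16 bytes (shift 4) */
        return 0;
}
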
+diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h
+index 5394b9c..e77a306 100644
+--- a/arch/parisc/include/asm/atomic.h
++++ b/arch/parisc/include/asm/atomic.h
+@@ -327,6 +327,16 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
+       return dec;
+ }
++#define atomic64_read_unchecked(v)            atomic64_read(v)
++#define atomic64_set_unchecked(v, i)          atomic64_set((v), (i))
++#define atomic64_add_unchecked(a, v)          atomic64_add((a), (v))
++#define atomic64_add_return_unchecked(a, v)   atomic64_add_return((a), (v))
++#define atomic64_sub_unchecked(a, v)          atomic64_sub((a), (v))
++#define atomic64_inc_unchecked(v)             atomic64_inc(v)
++#define atomic64_inc_return_unchecked(v)      atomic64_inc_return(v)
++#define atomic64_dec_unchecked(v)             atomic64_dec(v)
++#define atomic64_cmpxchg_unchecked(v, o, n)   atomic64_cmpxchg((v), (o), (n))
++
+ #endif /* !CONFIG_64BIT */
+diff --git a/arch/parisc/include/asm/cache.h b/arch/parisc/include/asm/cache.h
+index df0f52b..810699b 100644
+--- a/arch/parisc/include/asm/cache.h
++++ b/arch/parisc/include/asm/cache.h
+@@ -5,6 +5,7 @@
+ #ifndef __ARCH_PARISC_CACHE_H
+ #define __ARCH_PARISC_CACHE_H
++#include <linux/const.h>
+ /*
+  * PA 2.0 processors have 64 and 128-byte L2 cachelines; PA 1.1 processors
+@@ -14,6 +15,8 @@
+ #define L1_CACHE_BYTES 16
+ #define L1_CACHE_SHIFT 4
++#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
++
+ #ifndef __ASSEMBLY__
+ #define SMP_CACHE_BYTES L1_CACHE_BYTES
+diff --git a/arch/parisc/include/asm/elf.h b/arch/parisc/include/asm/elf.h
+index 78c9fd3..42fa66a 100644
+--- a/arch/parisc/include/asm/elf.h
++++ b/arch/parisc/include/asm/elf.h
+@@ -342,6 +342,13 @@ struct pt_regs;   /* forward declaration... */
+ #define ELF_ET_DYN_BASE         (TASK_UNMAPPED_BASE + 0x01000000)
++#ifdef CONFIG_PAX_ASLR
++#define PAX_ELF_ET_DYN_BASE   0x10000UL
++
++#define PAX_DELTA_MMAP_LEN    16
++#define PAX_DELTA_STACK_LEN   16
++#endif
++
+ /* This yields a mask that user programs can use to figure out what
+    instruction set this CPU supports.  This could be done in user space,
+    but it's not easy, and we've already done it here.  */
+diff --git a/arch/parisc/include/asm/pgalloc.h b/arch/parisc/include/asm/pgalloc.h
+index f08dda3..ea6aa1b 100644
+--- a/arch/parisc/include/asm/pgalloc.h
++++ b/arch/parisc/include/asm/pgalloc.h
+@@ -61,6 +61,11 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
+                       (__u32)(__pa((unsigned long)pmd) >> PxD_VALUE_SHIFT));
+ }
++static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
++{
++      pgd_populate(mm, pgd, pmd);
++}
++
+ static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
+ {
+       pmd_t *pmd = (pmd_t *)__get_free_pages(GFP_KERNEL, PMD_ORDER);
+@@ -96,6 +101,7 @@ static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd)
+ #define pmd_alloc_one(mm, addr)               ({ BUG(); ((pmd_t *)2); })
+ #define pmd_free(mm, x)                       do { } while (0)
+ #define pgd_populate(mm, pmd, pte)    BUG()
++#define pgd_populate_kernel(mm, pmd, pte)     BUG()
+ #endif
+diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
+index 3a4ed9f..29b7218 100644
+--- a/arch/parisc/include/asm/pgtable.h
++++ b/arch/parisc/include/asm/pgtable.h
+@@ -236,6 +236,17 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
+ #define PAGE_EXECREAD   __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
+ #define PAGE_COPY       PAGE_EXECREAD
+ #define PAGE_RWX        __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
++
++#ifdef CONFIG_PAX_PAGEEXEC
++# define PAGE_SHARED_NOEXEC   __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
++# define PAGE_COPY_NOEXEC     __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
++#else
++# define PAGE_SHARED_NOEXEC   PAGE_SHARED
++# define PAGE_COPY_NOEXEC     PAGE_COPY
++# define PAGE_READONLY_NOEXEC PAGE_READONLY
++#endif
++
+ #define PAGE_KERNEL   __pgprot(_PAGE_KERNEL)
+ #define PAGE_KERNEL_EXEC      __pgprot(_PAGE_KERNEL_EXEC)
+ #define PAGE_KERNEL_RWX       __pgprot(_PAGE_KERNEL_RWX)
+diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
+index 9a2aee1..a8e588f 100644
+--- a/arch/parisc/include/asm/uaccess.h
++++ b/arch/parisc/include/asm/uaccess.h
+@@ -223,10 +223,10 @@ static inline void copy_user_overflow(int size, unsigned long count)
+ static __always_inline unsigned long __must_check
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+-      int sz = __compiletime_object_size(to);
++      size_t sz = __compiletime_object_size(to);
+       unsigned long ret = n;
+-      if (likely(sz < 0 || sz >= n)) {
++      if (likely(sz == (size_t)-1 || sz >= n)) {
+               check_object_size(to, n, false);
+               ret = __copy_from_user(to, from, n);
+       } else if (!__builtin_constant_p(n))
+@@ -234,7 +234,7 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
+       else
+               __bad_copy_user();
+-      if (unlikely(ret))
++      if (unlikely(ret && (long)ret > 0))
+               memset(to + (n - ret), 0, ret);
+       return ret;
+@@ -243,9 +243,9 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
+ static __always_inline unsigned long __must_check
+ copy_to_user(void __user *to, const void *from, unsigned long n)
+ {
+-      int sz = __compiletime_object_size(from);
++      size_t sz = __compiletime_object_size(from);
+-      if (likely(sz < 0 || sz >= n)) {
++      if (likely(sz == (size_t)-1 || sz >= n)) {
+               check_object_size(from, n, true);
+               n = __copy_to_user(to, from, n);
+       } else if (!__builtin_constant_p(n))
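
The uaccess fix above hinges on __builtin_object_size() reporting (size_t)-1 for an unknown object, which the old signed `int sz` comparison (`sz < 0`) only caught by truncation. A GCC/clang sketch of the corrected bound check; copy_allowed is an invented name, and the builtin needs -O1 or higher to see real object sizes.

#include <stdio.h>

/* statement expression: nonzero when copying n bytes into `to` passes
 * the patched check -- size unknown, or destination big enough */
#define copy_allowed(to, n) ({                                  \
        size_t __sz = __builtin_object_size(to, 0);             \
        __sz == (size_t)-1 || __sz >= (size_t)(n);              \
})

int main(void)
{
        char dst[8];

        printf("copy  8 -> dst[8]: %d\n", copy_allowed(dst, 8));  /* 1 */
        printf("copy 16 -> dst[8]: %d\n", copy_allowed(dst, 16)); /* 0 */
        return 0;
}
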
+diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
+index a0ecdb4a..71d2069 100644
+--- a/arch/parisc/kernel/module.c
++++ b/arch/parisc/kernel/module.c
+@@ -100,14 +100,12 @@
+  * or init pieces the location is */
+ static inline int in_init(struct module *me, void *loc)
+ {
+-      return (loc >= me->init_layout.base &&
+-              loc <= (me->init_layout.base + me->init_layout.size));
++      return within_module_init((unsigned long)loc, me);
+ }
+ static inline int in_core(struct module *me, void *loc)
+ {
+-      return (loc >= me->core_layout.base &&
+-              loc <= (me->core_layout.base + me->core_layout.size));
++      return within_module_core((unsigned long)loc, me);
+ }
+ static inline int in_local(struct module *me, void *loc)
+@@ -367,13 +365,13 @@ int module_frob_arch_sections(CONST Elf_Ehdr *hdr,
+       }
+       /* align things a bit */
+-      me->core_layout.size = ALIGN(me->core_layout.size, 16);
+-      me->arch.got_offset = me->core_layout.size;
+-      me->core_layout.size += gots * sizeof(struct got_entry);
++      me->core_layout.size_rw = ALIGN(me->core_layout.size_rw, 16);
++      me->arch.got_offset = me->core_layout.size_rw;
++      me->core_layout.size_rw += gots * sizeof(struct got_entry);
+-      me->core_layout.size = ALIGN(me->core_layout.size, 16);
+-      me->arch.fdesc_offset = me->core_layout.size;
+-      me->core_layout.size += fdescs * sizeof(Elf_Fdesc);
++      me->core_layout.size_rw = ALIGN(me->core_layout.size_rw, 16);
++      me->arch.fdesc_offset = me->core_layout.size_rw;
++      me->core_layout.size_rw += fdescs * sizeof(Elf_Fdesc);
+       me->arch.got_max = gots;
+       me->arch.fdesc_max = fdescs;
+@@ -391,7 +389,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
+       BUG_ON(value == 0);
+-      got = me->core_layout.base + me->arch.got_offset;
++      got = me->core_layout.base_rw + me->arch.got_offset;
+       for (i = 0; got[i].addr; i++)
+               if (got[i].addr == value)
+                       goto out;
+@@ -409,7 +407,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
+ #ifdef CONFIG_64BIT
+ static Elf_Addr get_fdesc(struct module *me, unsigned long value)
+ {
+-      Elf_Fdesc *fdesc = me->core_layout.base + me->arch.fdesc_offset;
++      Elf_Fdesc *fdesc = me->core_layout.base_rw + me->arch.fdesc_offset;
+       if (!value) {
+               printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
+@@ -427,7 +425,7 @@ static Elf_Addr get_fdesc(struct module *me, unsigned long value)
+       /* Create new one */
+       fdesc->addr = value;
+-      fdesc->gp = (Elf_Addr)me->core_layout.base + me->arch.got_offset;
++      fdesc->gp = (Elf_Addr)me->core_layout.base_rw + me->arch.got_offset;
+       return (Elf_Addr)fdesc;
+ }
+ #endif /* CONFIG_64BIT */
+@@ -847,7 +845,7 @@ register_unwind_table(struct module *me,
+       table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
+       end = table + sechdrs[me->arch.unwind_section].sh_size;
+-      gp = (Elf_Addr)me->core_layout.base + me->arch.got_offset;
++      gp = (Elf_Addr)me->core_layout.base_rw + me->arch.got_offset;
+       DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
+              me->arch.unwind_section, table, end, gp);
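
in_init()/in_core() above reduce to bounds checks against the module layouts; within_module_init()/within_module_core() perform the same half-open range test. A toy version of that test (the layout struct is invented for the sketch):

#include <stdbool.h>
#include <stdio.h>

struct layout {
        unsigned long base;
        unsigned long size;
};

/* half-open bounds test, as in within_module_init()/_core() */
static bool within(unsigned long addr, const struct layout *l)
{
        return addr >= l->base && addr < l->base + l->size;
}

int main(void)
{
        struct layout init_layout = { 0x1000, 0x200 };

        printf("%d\n", within(0x10ff, &init_layout));   /* 1: inside       */
        printf("%d\n", within(0x1200, &init_layout));   /* 0: one past end */
        return 0;
}
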
+diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
+index 0a393a0..5b3199e0 100644
+--- a/arch/parisc/kernel/sys_parisc.c
++++ b/arch/parisc/kernel/sys_parisc.c
+@@ -92,6 +92,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
+       unsigned long task_size = TASK_SIZE;
+       int do_color_align, last_mmap;
+       struct vm_unmapped_area_info info;
++      unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
+       if (len > task_size)
+               return -ENOMEM;
+@@ -109,6 +110,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
+               goto found_addr;
+       }
++#ifdef CONFIG_PAX_RANDMMAP
++      if (!(mm->pax_flags & MF_PAX_RANDMMAP))
++#endif
++
+       if (addr) {
+               if (do_color_align && last_mmap)
+                       addr = COLOR_ALIGN(addr, last_mmap, pgoff);
+@@ -127,6 +132,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
+       info.high_limit = mmap_upper_limit();
+       info.align_mask = last_mmap ? (PAGE_MASK & (SHM_COLOUR - 1)) : 0;
+       info.align_offset = shared_align_offset(last_mmap, pgoff);
++      info.threadstack_offset = offset;
+       addr = vm_unmapped_area(&info);
+ found_addr:
+@@ -146,6 +152,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+       unsigned long addr = addr0;
+       int do_color_align, last_mmap;
+       struct vm_unmapped_area_info info;
++      unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
+ #ifdef CONFIG_64BIT
+       /* This should only ever run for 32-bit processes.  */
+@@ -170,6 +177,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+       }
+       /* requesting a specific address */
++#ifdef CONFIG_PAX_RANDMMAP
++      if (!(mm->pax_flags & MF_PAX_RANDMMAP))
++#endif
++
+       if (addr) {
+               if (do_color_align && last_mmap)
+                       addr = COLOR_ALIGN(addr, last_mmap, pgoff);
+@@ -187,6 +198,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+       info.high_limit = mm->mmap_base;
+       info.align_mask = last_mmap ? (PAGE_MASK & (SHM_COLOUR - 1)) : 0;
+       info.align_offset = shared_align_offset(last_mmap, pgoff);
++      info.threadstack_offset = offset;
+       addr = vm_unmapped_area(&info);
+       if (!(addr & ~PAGE_MASK))
+               goto found_addr;
+@@ -252,6 +264,13 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
+       mm->mmap_legacy_base = mmap_legacy_base();
+       mm->mmap_base = mmap_upper_limit();
++#ifdef CONFIG_PAX_RANDMMAP
++      if (mm->pax_flags & MF_PAX_RANDMMAP) {
++              mm->mmap_legacy_base += mm->delta_mmap;
++              mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
++      }
++#endif
++
+       if (mmap_is_legacy()) {
+               mm->mmap_base = mm->mmap_legacy_base;
+               mm->get_unmapped_area = arch_get_unmapped_area;
+diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
+index 378df92..9b2ab51 100644
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -719,9 +719,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
+                       down_read(&current->mm->mmap_sem);
+                       vma = find_vma(current->mm,regs->iaoq[0]);
+-                      if (vma && (regs->iaoq[0] >= vma->vm_start)
+-                              && (vma->vm_flags & VM_EXEC)) {
+-
++                      if (vma && (regs->iaoq[0] >= vma->vm_start)) {
+                               fault_address = regs->iaoq[0];
+                               fault_space = regs->iasq[0];
+diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
+index 1a0b4f6..f9d326d 100644
+--- a/arch/parisc/mm/fault.c
++++ b/arch/parisc/mm/fault.c
+@@ -16,6 +16,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/extable.h>
+ #include <linux/uaccess.h>
++#include <linux/unistd.h>
+ #include <asm/traps.h>
+@@ -50,7 +51,7 @@ int show_unhandled_signals = 1;
+ static unsigned long
+ parisc_acctyp(unsigned long code, unsigned int inst)
+ {
+-      if (code == 6 || code == 16)
++      if (code == 6 || code == 7 || code == 16)
+           return VM_EXEC;
+       switch (inst & 0xf0000000) {
+@@ -136,6 +137,116 @@ parisc_acctyp(unsigned long code, unsigned int inst)
+                       }
+ #endif
++#ifdef CONFIG_PAX_PAGEEXEC
++/*
++ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
++ *
++ * returns 1 when task should be killed
++ *         2 when rt_sigreturn trampoline was detected
++ *         3 when unpatched PLT trampoline was detected
++ */
++static int pax_handle_fetch_fault(struct pt_regs *regs)
++{
++
++#ifdef CONFIG_PAX_EMUPLT
++      int err;
++
++      do { /* PaX: unpatched PLT emulation */
++              unsigned int bl, depwi;
++
++              err = get_user(bl, (unsigned int *)instruction_pointer(regs));
++              err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
++
++              if (err)
++                      break;
++
++              if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
++                      unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
++
++                      err = get_user(ldw, (unsigned int *)addr);
++                      err |= get_user(bv, (unsigned int *)(addr+4));
++                      err |= get_user(ldw2, (unsigned int *)(addr+8));
++
++                      if (err)
++                              break;
++
++                      if (ldw == 0x0E801096U &&
++                          bv == 0xEAC0C000U &&
++                          ldw2 == 0x0E881095U)
++                      {
++                              unsigned int resolver, map;
++
++                              err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
++                              err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
++                              if (err)
++                                      break;
++
++                              regs->gr[20] = instruction_pointer(regs)+8;
++                              regs->gr[21] = map;
++                              regs->gr[22] = resolver;
++                              regs->iaoq[0] = resolver | 3UL;
++                              regs->iaoq[1] = regs->iaoq[0] + 4;
++                              return 3;
++                      }
++              }
++      } while (0);
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++
++#ifndef CONFIG_PAX_EMUSIGRT
++      if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
++              return 1;
++#endif
++
++      do { /* PaX: rt_sigreturn emulation */
++              unsigned int ldi1, ldi2, bel, nop;
++
++              err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
++              err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
++              err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
++              err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
++
++              if (err)
++                      break;
++
++              if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
++                  ldi2 == 0x3414015AU &&
++                  bel == 0xE4008200U &&
++                  nop == 0x08000240U)
++              {
++                      regs->gr[25] = (ldi1 & 2) >> 1;
++                      regs->gr[20] = __NR_rt_sigreturn;
++                      regs->gr[31] = regs->iaoq[1] + 16;
++                      regs->sr[0] = regs->iasq[1];
++                      regs->iaoq[0] = 0x100UL;
++                      regs->iaoq[1] = regs->iaoq[0] + 4;
++                      regs->iasq[0] = regs->sr[2];
++                      regs->iasq[1] = regs->sr[2];
++                      return 2;
++              }
++      } while (0);
++#endif
++
++      return 1;
++}
++
++void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
++{
++      unsigned long i;
++
++      printk(KERN_ERR "PAX: bytes at PC: ");
++      for (i = 0; i < 5; i++) {
++              unsigned int c;
++              if (get_user(c, (unsigned int *)pc+i))
++                      printk(KERN_CONT "???????? ");
++              else
++                      printk(KERN_CONT "%08x ", c);
++      }
++      printk("\n");
++}
++#endif
++
+ int fixup_exception(struct pt_regs *regs)
+ {
+       const struct exception_table_entry *fix;
+@@ -281,8 +392,33 @@ void do_page_fault(struct pt_regs *regs, unsigned long code,
+ good_area:
+-      if ((vma->vm_flags & acc_type) != acc_type)
++      if ((vma->vm_flags & acc_type) != acc_type) {
++
++#ifdef CONFIG_PAX_PAGEEXEC
++              if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
++                  (address & ~3UL) == instruction_pointer(regs))
++              {
++                      up_read(&mm->mmap_sem);
++                      switch (pax_handle_fetch_fault(regs)) {
++
++#ifdef CONFIG_PAX_EMUPLT
++                      case 3:
++                              return;
++#endif
++
++#ifdef CONFIG_PAX_EMUTRAMP
++                      case 2:
++                              return;
++#endif
++
++                      }
++                      pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
++                      do_group_exit(SIGKILL);
++              }
++#endif
++
+               goto bad_area;
++      }
+       /*
+        * If for any reason at all we couldn't handle the fault, make
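
The EMUTRAMP path above is plain pattern matching: fetch the instruction words at the faulting PC and compare them word-for-word against known trampoline encodings before emulating. A standalone matcher for the rt_sigreturn sequence, with the opcodes copied from the hunk (the register fixups are omitted):

#include <stdint.h>
#include <stdio.h>

/* first word has two accepted variants: the hunk extracts its bit 1
 * into gr[25] after a match */
static int is_rt_sigreturn_tramp(const uint32_t insn[4])
{
        return (insn[0] == 0x34190000U || insn[0] == 0x34190002U) &&
                insn[1] == 0x3414015AU &&
                insn[2] == 0xE4008200U &&
                insn[3] == 0x08000240U;
}

int main(void)
{
        uint32_t tramp[4] = { 0x34190002U, 0x3414015AU,
                              0xE4008200U, 0x08000240U };
        uint32_t other[4] = { 0, 0, 0, 0 };

        printf("trampoline: %d\n", is_rt_sigreturn_tramp(tramp));  /* 1 */
        printf("other:      %d\n", is_rt_sigreturn_tramp(other));  /* 0 */
        return 0;
}
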
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index 65fba4c..3cfec12 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -140,6 +140,7 @@ config PPC
+       select ARCH_USE_BUILTIN_BSWAP
+       select OLD_SIGSUSPEND
+       select OLD_SIGACTION if PPC32
++      select HAVE_GCC_PLUGINS
+       select HAVE_DEBUG_STACKOVERFLOW
+       select HAVE_IRQ_EXIT_ON_IRQ_STACK
+       select ARCH_USE_CMPXCHG_LOCKREF if PPC64
+@@ -441,6 +442,7 @@ config KEXEC
+       bool "kexec system call"
+       depends on (PPC_BOOK3S || FSL_BOOKE || (44x && !SMP)) || PPC_BOOK3E
+       select KEXEC_CORE
++      depends on !GRKERNSEC_KMEM
+       help
+         kexec is a system call that implements the ability to shutdown your
+         current kernel, and to start another kernel.  It is like a reboot
+diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h
+index 2b90335..5e1a3d6 100644
+--- a/arch/powerpc/include/asm/atomic.h
++++ b/arch/powerpc/include/asm/atomic.h
+@@ -12,6 +12,11 @@
+ #define ATOMIC_INIT(i)                { (i) }
++#define _ASM_EXTABLE(from, to)                        \
++"     .section        __ex_table,\"a\"\n"     \
++      PPC_LONG"       " #from ", " #to"\n"    \
++"     .previous\n"
++
+ /*
+  * Since *_return_relaxed and {cmp}xchg_relaxed are implemented with
+  * a "bne-" instruction at the end, so an isync is enough as a acquire barrier
+@@ -39,38 +44,79 @@ static __inline__ int atomic_read(const atomic_t *v)
+       return t;
+ }
++static __inline__ int atomic_read_unchecked(const atomic_unchecked_t *v)
++{
++      int t;
++
++      __asm__ __volatile__("lwz%U1%X1 %0,%1" : "=r"(t) : "m"(v->counter));
++
++      return t;
++}
++
+ static __inline__ void atomic_set(atomic_t *v, int i)
+ {
+       __asm__ __volatile__("stw%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
+ }
+-#define ATOMIC_OP(op, asm_op)                                         \
+-static __inline__ void atomic_##op(int a, atomic_t *v)                        \
++static __inline__ void atomic_set_unchecked(atomic_unchecked_t *v, int i)
++{
++      __asm__ __volatile__("stw%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
++}
++
++#ifdef CONFIG_PAX_REFCOUNT
++#define __REFCOUNT_OP(op) op##o.
++#define __OVERFLOW_PRE                        \
++      "       mcrxr   cr0\n"
++#define __OVERFLOW_POST                       \
++      "       bf 4*cr0+so, 3f\n"      \
++      "2:     .long 0x00c00b00\n"     \
++      "3:\n"
++#define __OVERFLOW_EXTABLE            \
++      "\n4:\n"                        \
++      _ASM_EXTABLE(2b, 4b)
++#else
++#define __REFCOUNT_OP(op) op
++#define __OVERFLOW_PRE
++#define __OVERFLOW_POST
++#define __OVERFLOW_EXTABLE
++#endif
++
++#define __ATOMIC_OP(op, suffix, pre_op, asm_op, post_op, extable)     \
++static inline void atomic_##op##suffix(int a, atomic##suffix##_t *v)  \
+ {                                                                     \
+       int t;                                                          \
+                                                                       \
+       __asm__ __volatile__(                                           \
+-"1:   lwarx   %0,0,%3         # atomic_" #op "\n"                     \
++"1:   lwarx   %0,0,%3         # atomic_" #op #suffix "\n"             \
++      pre_op                                                          \
+       #asm_op " %0,%2,%0\n"                                           \
++      post_op                                                         \
+       PPC405_ERR77(0,%3)                                              \
+ "     stwcx.  %0,0,%3 \n"                                             \
+ "     bne-    1b\n"                                                   \
++      extable                                                         \
+       : "=&r" (t), "+m" (v->counter)                                  \
+       : "r" (a), "r" (&v->counter)                                    \
+       : "cc");                                                        \
+ }                                                                     \
+-#define ATOMIC_OP_RETURN_RELAXED(op, asm_op)                          \
+-static inline int atomic_##op##_return_relaxed(int a, atomic_t *v)    \
++#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, , , asm_op, , )         \
++                            __ATOMIC_OP(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
++
++#define __ATOMIC_OP_RETURN(op, suffix, pre_op, asm_op, post_op, extable)\
++static inline int atomic_##op##_return##suffix##_relaxed(int a, atomic##suffix##_t *v)\
+ {                                                                     \
+       int t;                                                          \
+                                                                       \
+       __asm__ __volatile__(                                           \
+-"1:   lwarx   %0,0,%3         # atomic_" #op "_return_relaxed\n"      \
++"1:   lwarx   %0,0,%2         # atomic_" #op "_return" #suffix "_relaxed\n"\
++      pre_op                                                          \
+       #asm_op " %0,%2,%0\n"                                           \
++      post_op                                                         \
+       PPC405_ERR77(0, %3)                                             \
+ "     stwcx.  %0,0,%3\n"                                              \
+ "     bne-    1b\n"                                                   \
++      extable                                                         \
+       : "=&r" (t), "+m" (v->counter)                                  \
+       : "r" (a), "r" (&v->counter)                                    \
+       : "cc");                                                  &n